x360Recover Direct-to-Cloud now supports an optional local cache repository.
Enabling local cache directs the agent to maintain a local datastore of backup block data that can be used to accelerate recovery of Cloud backups.
- The local cache repository may be stored on directly-attached media (like a USB drive) or on a network-accessible file share location (like a NAS unit).
- The local cache is automatically encrypted using our Cloud Key Management System (CKMS).
- A single repository may be shared by multiple protected systems and all unique block data will be globally deduplicated.
What is local cache?
Local cache is purely an acceleration layer, designed to reduce the time needed for recovering data or entire protected systems from a Cloud vault. The local cache contains only block data, stored in an efficient deduplicated storage database, and does not contain any metadata pertaining to recovery points or backup jobs.
What local cache is not
- Local cache is not an independent local backup of your protected system.
- The Direct-to-Cloud recovery tools for bare metal recovery (and for our upcoming Recovery Center utility) rely exclusively on the Cloud vault for authentication, identification, backup recovery point metadata and other information necessary to perform a recovery.
- Performing a recovery with or without local cache requires internet access to the Cloud vault and x360Recover Manager.
x360Recover Direct-to-Cloud local cache requires extended hardware CPU instruction set support for encryption and hashing functionality.
To support these instructions, your CPU must be an Intel Sandy Bridge design or newer, or the AMD equivalent, circa 2011.
Local cache is enabled by adding optional parameters to the agent configuration file aristos.cfg in the agent installation directory.
How to exclude local cache devices from backup
When configuring local cache to a locally-attached device, this device should be excluded from the backup.
- Set the drives to be included in the backup explicitly by setting the BACKUP_VOLUMES= parameter in aristos.cfg.
- By default, BACKUP_VOLUMES= is blank, indicating that the agent is to back up all volumes, including the local cache data.
For example, if your system has drives C: and E: and you have attached a new USB disk F: to hold the local cache data, set BACKUP_VOLUMES=C,E.
If you intend to use a network storage location for your local cache database, the agent service configuration must be modified.
By default, the agent runs as the local system account, which (as designed by Microsoft security policy) is specifically prevented from accessing network resources. The agent must be reconfigured to run as a user on the protected system. (This user account may be a local Windows user or a domain user, but the account selected should be assigned read/write permissions on the network storage share point.)
STEP 1. From Control Panel -> Administrative Tools open Computer Management
STEP 2. Expand Local Users and Groups -> Users
(If you intend to use an existing domain user, skip to the next step).
STEP 3. Right click in the right Actions window and select New User.
STEP 4. When the New User popup appears:
- Fill in the User name, Full name, and Password fields.
- Uncheck the User must change password at next login box.
- Check the Password never expires box.
- Click Create to continue.
Click Close to close the New User window.
STEP 5. Select Groups from the left pane of Computer Management.
- Double-click on Administrators to open the group.
STEP 6. Click Add.
- Enter the user name.
- Then, click Check Names to make sure the name has been resolved correctly.
- To enter a domain user, enter <Domain>\<User> and click Check Names.
Note: When the agent is on a domain controller, the user account must be a member of the Domain Admins group. (The local administrators group does not apply to domain controllers.)
Click OK to close the edit dialog, then click OK again to close the Administrators group.
STEP 7. Return to Computer Management and expand Services and Applications from the left pane.
- Select Services.
- Locate the Replibit Agent Service in the right pane.
- Right-click the Replibit Agent Service and select Stop.
- Then, right-click again and select Properties.
STEP 8. Select the Log On tab.
- Click to select This account then click Browse.
- Enter the user name configured above and click Check Names to ensure it resolves correctly.
- Click OK to close the dialog and OK again to save the Service logon properties.
Click OK to save the service configuration settings.
STEP 9. Return to the right Actions pane of Computer Management.
- Right click on Replibit Agent Service.
- Click Start to restart the agent services.
The agent should now be configured to run as a user with network access privileges.
Adding a local cache path directs the agent to generate and maintain a local cache repository at the specified local or network path.
Paths can be expressed as a local drive and folder (e.g. E:\LocalCache) or as a network share UNC path (e.g. \\MyNas\Shared\LocalCache).
Optional: LOCAL_CACHE_MODE=<fail_backup | continue_with_error (default) | continue_with_warning | continue_and_ignore>
Specify how to proceed if problems are encountered accessing or writing to the local cache during the backup. Choosing fail_backup will fail the cloud backup if local cache errors occur.
The other options will log failures as errors, warnings, or not log errors at all, respectively, while continuing to complete the backup to the Cloud uninterrupted.
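The checks described above (cache drive excluded from BACKUP_VOLUMES, a non-system service account for network paths, a valid LOCAL_CACHE_MODE value) can be verified with a short script. This is an added example, not Axcient code: the function name Test-LocalCacheConfig is hypothetical, aristos.cfg is assumed to hold KEY=VALUE lines as in BACKUP_VOLUMES=C,E, and the cache path is passed in separately rather than read from the file.

```powershell
# Added example. Checks aristos.cfg content against the guidance on this page.
# -CachePath is supplied by the caller; the name of the cache path setting is not assumed.
function Test-LocalCacheConfig {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$ConfigLines,
        [Parameter(Mandatory)][string]$CachePath,
        [string]$ServiceAccount = 'LocalSystem'
    )
    $validModes = 'fail_backup', 'continue_with_error', 'continue_with_warning', 'continue_and_ignore'
    $settings = @{}
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    $findings = @()
    if ($CachePath -match '^\\\\') {
        # Network share: the local system account cannot reach network resources.
        if ($ServiceAccount -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            $findings += 'Cache is on a network share but the agent service runs as the local system account.'
        }
    }
    elseif ($CachePath -match '^([A-Za-z]):') {
        # Locally attached device: it must be left out of an explicit BACKUP_VOLUMES list.
        $cacheDrive = $Matches[1].ToUpper()
        $volumes = @("$($settings['BACKUP_VOLUMES'])".Split(',') |
            ForEach-Object { $_.Trim().TrimEnd(':').ToUpper() } | Where-Object { $_ })
        if ($volumes.Count -eq 0) {
            $findings += "BACKUP_VOLUMES is blank: all volumes, including cache drive ${cacheDrive}:, are backed up."
        }
        elseif ($volumes -contains $cacheDrive) {
            $findings += "BACKUP_VOLUMES includes the cache drive ${cacheDrive}:."
        }
    }
    $mode = $settings['LOCAL_CACHE_MODE']
    if ($mode -and $validModes -notcontains $mode) {
        $findings += "LOCAL_CACHE_MODE '$mode' is not one of: $($validModes -join ', ')."
    }
    $findings
}

# Constructed sample input: F: holds the cache, BACKUP_VOLUMES left blank, mode misspelled.
$sample = 'BACKUP_VOLUMES=', 'LOCAL_CACHE_MODE=fail_backups'
Test-LocalCacheConfig -ConfigLines $sample -CachePath 'F:\LocalCache'

# On a live endpoint (service display name as shown on this page; run from the agent directory):
# $acct = (Get-CimInstance Win32_Service -Filter "DisplayName='Replibit Agent Service'").StartName
# Test-LocalCacheConfig -ConfigLines (Get-Content .\aristos.cfg) -CachePath '\\MyNas\Shared\LocalCache' -ServiceAccount $acct
```

An empty result means none of the three conditions was found; each returned string names one setting to correct.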
How to use custom user credentials
Custom user credentials can be used for accessing a network shared path to override the default service account user.
NOTE: User credentials (user name and password) are stored in the permid.cfg file in the agent installation directory. This configuration file has elevated access permissions and requires administrative privileges to access or modify. (Other configuration parameters shown above are stored in aristos.cfg as usual.)
Specify the user credential to be used for accessing the network share. Format may be specified as either <username> or <domain\username>
Specify the password credential to be used for accessing the network share.
Note: We recommend a dedicated user account with limited access permissions outside of the local cache location when using a network shared path.
Why do I need this?
It's possible to skip using these customized user settings and just rely on permissions available to the user account assigned to the agent service account above - so why do you need this?
The user account accessed by the agent service must have local administrator rights to the machine it is running on. (For domain controllers, this means the account must be a Domain Admin.)
You may wish to limit the network-wide permissions available to the agent for accessing data.
To do this, you may opt to
- configure the agent service to run as a local machine user account, with admin rights to the machine, and then
- apply the custom user credentials to specify a user with limited network access, for reading and writing to a local cache repository residing on a network share.
Configuring custom user settings is optional and is provided to separate local agent user permissions from network share access permissions.
When enabling local cache on existing endpoints, it is important to fully populate the cache with protected system data. (During incremental backups, only newly-changed blocks are sent to the cache.)
To fully populate the cache, trigger a full backup from the protected system Details page on the vault by clicking Schedule Now and selecting Full Backup.
After the initial full backup image has been sent to the cloud, any new full backup will be deduplicated based on the data already present on the vault, so the agent will not resend any duplicate data over the WAN.
The entire contents of the protected system will be read during the full backup and pushed to the local cache, ensuring that all block data will be present in the cache for local recovery.