5. Maintenance

License Management


Licensing Scheme

At the moment SafeUTM license has two types of licenses:

Both types of licenses can be acquired by contacting your SafeDNS manager.


Viewing license information

A detailed view of the server and license information is available by clicking on the eye icon in the Operations column of the Server + License table.

 

Detailed information about the license contains data about the license validity period, number of users, expiration date of updates, and technical support of the product.

Server Update

Updating the server is possible exclusively over the network. It is not possible to upgrade using an installation disk or USB flash drive.


Automatic Update

Automatic update parameters are configured in Server Management -> Automatic update.

When initiating a forced update, the update will be downloaded, after which a full reboot of the server will be required.

1. Server Update.png

After the update procedure, the new version will be displayed in the upper-left corner of the local console and the administrator web interface.

Server Registration

It is necessary for the full operation of SafeUTM after installation.


To register a server, the Internet must be available on it (be sure to set up a connection to the Internet provider before registration).

After that, please contact your manager or technical support engineer to receive the registration link.

After registration, the server will automatically receive a license (if it has access to the Internet). Click Update license information, after which you will see the license status.

Data Backup and Recovery

Backup

Providing users with stable access to the Internet is the main task solved by the Internet gateway. However, sometimes there are situations that lead to system failures and subsequent disruption of Internet access. Depending on the complexity of the failure, it may be necessary to completely reinstall the Internet gateway and restore data from backups. In this section, you will find a description of the backup-creating process for the SafeUTM Internet gateway.

The Internet gateway supports the following types of automatic backups:

To set up automatic backups, go to Server Management -> Backup -> Settings. A backup copy is created every day at the hour specified in the settings (it is recommended to choose the nighttime to create a backup).

You can store backups for a week or a month.
1. Data Backup and Recovery.png


Backup to Remote File Storage via FTP or to Network File Storage using NetBIOS Protocol (CIFS)

To create a setting, go to Server Management -> Backup -> Upload to FTP server/Upload to CIFS shared folder, check the box Enable uploading to FTP server/to CIFS shared folder, and fill in the appropriate fields.

The Server Address line specifies the IP address or domain of the remote FTP/NetBIOS server that will host the database copies.

The path to the directory must be specified in UNIX format.
For example, in Windows OS, the directory is opened by the following path \\192.168.1.1\dir_1\dir_2\backup, so you need to enter dir_1/dir_2/backup in the Directory path field.

Using the FTP and NetBIOS(CIFS) protocols, only automatically created backups are uploaded at the frequency specified in the Settings tab.


Backup to Local Hard Drive

It is possible to upload a backup copy from the server or from a computer to the server using the web interface or the local menu.

The backup management interface in the web interface is shown in the screenshot below.
2. Data Backup and Recovery.png

Managing backups via the local menu

An example of creating a backup via the local menu is shown in the screenshot below:
3. Data Backup and Recovery.png

An example of restoring from a backup via the local menu is shown in the screenshot below:
4. Data Backup and Recovery.png

When migrating UTM from one physical machine to another (disk transfer or backup restore on new hardware), the settings of all network interfaces specified before the migration will be restored. Use the trash button to remove unnecessary interfaces.

Example: the original version of UTM 13.X -> migrated UTM to new hardware -> configured new hardware -> upgraded -> in the Network interfaces section, old (before migration) and new (after migration and configuration) network interfaces will be displayed.

Remote Assistant Mode


In order for the technical support service to connect to your server remotely, you need to enable the remote assistant mode. Operation of the server in this mode does not affect users' work.

To enable the remote assistant mode, click on the assistant icon in the upper right corner of the screen and drag the slider near Remote Assistant to Enabled.
1. Remote Assistant Mode.png


Enabling Remote Assistant Mode from Web Interface

To connect with a technical support specialist, provide them with Information for technical support by clicking Copy. You also need to send the server’s public IP address separately. If the server is not connected directly to SafeUTM, then forward TCP port 22 to SafeUTM from an external router.

The Remote Assistant mode remains enabled even when the server is rebooted. Disable this mode when it is not necessary to use it. Continuous operation of the SafeUTM server in this mode is highly discouraged.


Enabling Remote Assistant Mode from the Local Server Menu

To enable the Remote Assistant mode in the SafeUTM local menu, select Enable Remote Assistant Access by typing 11 and pressing Enter.
A password will be generated, which must be reported to technical support for an SSH connection.
2. Remote Assistant Mode.png


Working with Server via SSH Protocol in Remote Assistant Mode

To organize work with the local server console remotely via SSH protocol from the root user in the remote assistant mode, you must perform the following actions:

1. Connect to the server using the PuTTY SSH client. The program is free and you can download it from the developers' website (https://www.putty.org).

2. When connecting from a LAN, use the address that is configured on the UTM LAN card. Enter the necessary parameters to connect:

The "#" symbol indicates that you are working as the superuser.

Allow Internet to Everyone

This mode is used to diagnose problems.

Active Allow Internet to everyone mode does not automatically turn off and works until you turn it off.

In this case:

There are two ways to enable this mode:

1. In the web interface.

To do this, click on the technical support icon in the upper right part of the window, and in the window that opens, drag the mode activation slider to the Active position.
1. Allow Internet to All.png

2. In the local menu.

To do this, enter number 6. Enable 'Allow Internet to all’ mode and press Enter to apply the setting.
2. Allow Internet to All.png

Remote Access for Server Management


SSH Connection from Local Network

To connect to the server's local menu from a local network via SSH, you must:

1. Allow SSH connection. To do this, go to Server Management -> Administrators and activate item Access via SSH from the local network.
2. Connect to the server using any SSH client (for example, PuTTY) using port 22. You can download the PuTTY SSH client from https://www.putty.org/. It is necessary to specify the Administrator’s login and password.


SSH Connection from the Internet

To connect via SSH from the Internet to the local server menu, you must:

1. Allow SSH connection from the Internet. To do this, go to Server Management -> Administrators and activate item Access via SSH from the external network.
2. Connect to the server using any SSH client (for example, PuTTY) using port 22. It is necessary to specify the Administrator’s login and password.


Access to Server Management Web Interface from the Internet

Direct access to the SafeUTM web interface from the Internet is prohibited by default. You can use one of the methods listed below:

1. Enable the function Access to the web interface from external network in Server Management -> Administrators (this will only allow access by IP address with port 8443).
2. Create a VPN connection to the server, for example, via IPsec, IKEv2, or SSTP. After connecting, you can go to the web interface with the IP address of any local interface (including the IP address from the range for VPN connections. The default address is 10.128.0.1).
3. Create a rule in the reverse proxy for publishing the web interface:

3.1. Go to Services -> Reverse Proxy.
3.2. Add a new rule by filling in the fields as follows:
1. Remote Access for Server Management.png

As the requested address, specify the IP address or domain name assigned to SafeUTM external interface.
3.3. Click Save.
3.4. Go to one of the addresses that you specified in the requested addresses.