
VB365 RESTful API / Restore Portal

The RESTful API service and the Restore Portal are tightly coupled because they run within one and the same service. Therefore, you cannot separate them onto different machines.

Deploy the RESTful API service (with the Restore Portal) onto a dedicated machine instead of on the VB365 Server to:

  • offload all the API requests.
  • decrease the load on the VB365 Server.
  • increase the performance of the service.

    This way, other solutions (e.g. billing and reporting) can be pointed to talk directly and only to the API server, which increases security, and unused ports can be closed on either server.

Configuring the API/Portal onto a dedicated server requires several steps. It is important that these steps are followed in order:

  1. Prepare the certificate
  2. Create the Enterprise application
  3. Configure the VB365 API/Portal server
  4. Enable tenant authentication and integration with VSPC
  5. Steps to perform in the Customer’s Microsoft 365 tenant

Sizing

  VB365 API/Portal

  • OS: Windows Server 2022
  • CPU: 8 cores minimum. Additional CPU improves backup, restore and search performance.
  • RAM: 16 GB minimum. Additional RAM improves backup, restore and search performance.
  • Disk: 50 GB OS + 500 MB for production installation + additional free space for the configuration database and logs.

1. Prepare the certificate

1.1 Create a self-signed certificate (on the VB365 management server)

This step can be executed on any Windows machine, but to limit the number of steps, run the script below on the VB365 management server.

As we will use a dedicated server for the Restore Portal, we need to create a self-signed certificate that will be used in the following places:

  • VB365 Management server
  • VB365 API/Portal server
  • Microsoft Entra ID Enterprise application

The thumbprint of the certificate is used as a kind of token that permits communication between these components. For this use case, a self-signed certificate is perfectly fine. Additionally, the expiration date is 10 years by default, so the certificate does not need to be replaced frequently.

Log on to the VB365 Management server and run the following PowerShell script. It creates a new self-signed certificate, imports it into the Trusted Root Certification Authorities store, and exports it so you can copy it to the VB365 API/Portal server:

# Set new certificate details
$name = Read-Host "Set cert friendly name"
$securestring = Read-Host "Set cert password" -AsSecureString  # Always secure private key with password
$cn = ([System.Net.Dns]::GetHostByName($env:computerName)).HostName  # FQDN of server

# Create the certificate
$cert = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -KeyUsage None -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA1 -NotAfter (Get-Date).AddYears(10) -Subject "CN=$cn" -FriendlyName $name

# Export the certificate
Export-PfxCertificate -Cert $cert -FilePath "vb365-restore-portal.pfx" -Password $securestring | Out-Null

# Import the certificate into Trusted Root Certification Authorities
Import-PfxCertificate -FilePath "vb365-restore-portal.pfx" -Password $securestring -CertStoreLocation "Cert:\LocalMachine\Root" -Exportable | Out-Null

Write-Host "Certificate location: $((Get-Item "vb365-restore-portal.pfx").FullName)" -ForegroundColor Green

Important: The certificate must be exported with its private key, otherwise the Restore Portal will not work!

1.2 Import the certificate (on the VB365 API/Portal server)

Copy the created .PFX certificate from the VB365 management server to the VB365 API/Portal server.

Import the certificate:

  • Open the Certificates MMC
  • Go to Trusted Root Certification Authorities -> Certificates
  • Import the .PFX certificate

The result should look like this:

Self-signed certificate

Important: The result should look like the screenshot above on both the VB365 management server and the VB365 API/Portal server.

2. Create the Enterprise application

2.1 Create the Enterprise application

To set up the Restore Portal we need to create an Enterprise application in Microsoft Entra ID with the correct permission.

There are several ways of creating this application:

  • Automatic (Recommended), by adding your own service provider Microsoft 365 tenant to the backup server via the wizard. This will create the Microsoft Entra ID application, allow us to import the self-signed .PFX certificate and set up the required permissions.
  • Manual, by going into Microsoft Entra ID and manually performing the setup. Please check out this Veeam blog post on how to manually perform the setup.
  • External scripts, by using a collection of scripts to automate the setup and configuration of the Restore Portal. Examples of such scripts are available on our VeeamHub.

    Always inspect each of the scripts carefully and test them in a non-production environment.

Important: Take note of the Application ID as it is needed to set up the dedicated VB365 API/Portal server as well as each customer’s Microsoft 365 tenant.

2.2 Retrieve the Application ID

There are two ways of retrieving the Application ID:

  • Option 1: via VB365 Server -> Options -> Restore Portal

    VB365 Server

  • Option 2: via Microsoft Entra ID -> Manage -> Enterprise applications

    Entra ID

2.3 Verify the certificate

  1. Go to Microsoft Entra ID -> Manage -> App registrations -> All applications

    Application registration

  2. Click on the App registration -> Manage -> Certificates & secrets and verify the thumbprint of the certificate matches with the earlier created .PFX certificate.

    Upload certificate
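
The checks from sections 1.2 and 2.3 can also be scripted. The following PowerShell is an added example, not part of the original guide or of Veeam's tooling; the `$EntraThumbprint` parameter is hypothetical, and the default file name is the one used by the script in section 1.1. Run it on both the VB365 management server and the VB365 API/Portal server.

```powershell
# Added example: verify the exported .PFX and its installed copy on this server.
param(
    [string]$PfxPath = ".\vb365-restore-portal.pfx",  # file name from the script in section 1.1
    [string]$EntraThumbprint = ""                      # hypothetical: thumbprint copied from Certificates & secrets
)

$password = Read-Host "Cert password" -AsSecureString
$fullPath = (Resolve-Path $PfxPath).Path

# Load the certificate from the file without installing it into any store
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, $password)

# Look for the same certificate (by thumbprint) in Trusted Root Certification Authorities
$installed = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)" -ErrorAction SilentlyContinue

$checks = [ordered]@{
    "PFX contains private key"       = $cert.HasPrivateKey
    "Certificate not expired"        = $cert.NotAfter -gt (Get-Date)
    "Present in LocalMachine\Root"   = [bool]$installed
    "Installed copy has private key" = [bool]($installed -and $installed.HasPrivateKey)
}

if ($EntraThumbprint) {
    # The portal may show the thumbprint with spaces or in lower case; normalise before comparing
    $expected = ($EntraThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $checks["Matches Entra ID thumbprint"] = ($expected -eq $cert.Thumbprint)
}

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Expires    : $($cert.NotAfter)"
foreach ($check in $checks.GetEnumerator()) {
    "{0,-32} {1}" -f $check.Key, $(if ($check.Value) { "OK" } else { "FAIL" })
}

$failed = @($checks.Values) -contains $false
$cert.Dispose()

# Non-zero exit code so the script can be used in an automated deployment check
if ($failed) { exit 1 }
```

The thumbprint printed on both servers must be identical and must match the one shown for the app registration.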

3. Configure the VB365 API/Portal server

  1. Open C:\Program Files\Veeam\Backup365\Veeam.Archiver.REST.Configurator.exe
  2. On the REST API tab:

    • Enable REST service
    • Set the controller host (=VB365 Management server)
    • Install the certificate
    • Apply

    REST API

  3. On the Restore Portal tab:

    • Enable Restore Portal
    • Set the Application ID
    • Set the Restore Portal URL
    • Install the self-signed .PFX certificate
    • Apply

    Restore Portal

4. Enable tenant authentication and integration with VSPC

Restore Operators

This step is optional and only required when you want to enable Restore Operators:

In some cases, the tenant can prefer to delegate restore operations on behalf of users or groups to Restore Operators, such as:

  • IT administrator at the client
  • Service Desk at the service provider

It is important to know that the restore operator can never access any of the data. They can only perform restore to the original location and for the scope they have access to.

On the VB365 management server:

  1. Go to Options -> Authentication

    • Enable restore operator authentication with Microsoft credentials
    • Install the self-signed .PFX certificate
    • Apply

    VB365 Server

  2. Add the restore operator(s) and configure the scope.

Integrate with VSPC

When integrating VB365 with VSPC, make sure that the REST API service is enabled on the VB365 Management server. The VSPC will always directly connect to the VB365 Management server over this port (4443).

On the VB365 management server:

  1. Go to Options -> REST API

    • Enable REST service
    • Install the self-signed .PFX certificate
    • Apply

    REST API

5. Steps to perform in the Customer’s Microsoft 365 tenant

Once the Restore Portal is set up, tenants can be given access to perform restore operations. However, before any tenant can do this, each tenant is required to add the Restore Portal Enterprise Application to their Azure AD.

  1. Run the New-AzureADServicePrincipal PowerShell cmdlet to make the Restore Portal’s Application ID show up in the list of Integrated Applications in the Admin Portal of your customer’s Microsoft 365 organisation. Use the tenant admin credentials.
  # Script example

  # Install the required PowerShell module
  Install-Module AzureAD
  
  # Authenticate to Azure
  Connect-AzureAD
  
  # Add the Enterprise application
  New-AzureADServicePrincipal -AppId "00000000-0000-0000-0000-000000000000" # Replace with your Application ID
  2. Go to the Azure portal and sign into the tenant organisation.

  3. Go to Microsoft Entra ID -> Enterprise applications -> Overview

  4. Enter the Application ID from step 1 into the search your tenant field -> Click it to open the Enterprise application.

    Application ID

  5. Go to Security -> Permissions -> Click on the blue bar Grant admin consent for ….

    Permissions

  6. A new window will open to login -> Accept the permissions

    Permissions

Access the Restore Portal

At this moment, the customer’s users can log on to the Restore Portal and browse their backup data for restore.

Restore Portal



Copyright © 2019-2022 Solutions Architects, Veeam Software.