Baas User Guide

Uploaded by

Nayab Rasool
Cohesity DataProtect Delivered-as-a-Service User Guide


October 03, 2022
Copyright © 2022 Cohesity, Inc. All rights reserved. Product specifications, release dates,
prices, and all other documentation are subject to change without notice. Cohesity, Inc.
makes no warranties, express or implied, with regards to this documentation, all of which is
provided “AS IS”.
No part of this documentation or any related software may be reproduced, stored,
transmitted, or otherwise distributed in any form or by any means (electronic or otherwise)
for any purpose other than the purchaser's personal use without the prior written consent of
Cohesity, Inc. You may not use, modify, perform or display this documentation or any
related software for any purpose except as expressly set forth in a separate written
agreement executed by Cohesity, Inc., and any other use (including without limitation for
the reverse engineering of such software or creating compatible software or derivative
works) is prohibited, except to the extent such restrictions are prohibited by applicable law.

Published on October 03, 2022

Trademarks
Cohesity, SpanFS, SnapTree and ActiveRx are registered trademarks of Cohesity and/or its
affiliates. Other names may be trademarks of their respective owners.


Contents

Overview

What's New
  August 2022
  July 2022
  March 2022
  February 2022
  October 2021
  September 2021
  August 2021
  July 2021
  June 2021
  May 2021
  April 2021
  March 2021

Get Started
  Sign in to Cohesity DataProtect
  Select Regions and Encryption Key Management System
  Register a Source
  Protect a Source
  Recover Protected Objects & Files

Deploy SaaS Connector
  SaaS Connection Requirements
  Deploy VMware SaaS Connectors
  Deploy AWS SaaS Connectors
  Deploy Hyper-V SaaS Connectors
  Manage Your SaaS Connections

Access Management
  Manage Users & Groups
  Add a Single Sign-on Provider
  Add API Keys

Policies
  Create a Policy

Virtual Machines
  VMware
  Hyper-V

Physical Servers
  Physical Server Requirements
  Register Physical Server Sources
  Protect Physical Servers
  Recover Physical Servers

NAS
  Register Generic NAS Sources
  Configure and Register Isilon NAS
  Configure and Register NetApp ONTAP
  Protect NAS Sources
  Recover NAS Data

Microsoft 365
  Microsoft 365 Requirements
  Register Microsoft 365 Sources
  Explore Microsoft 365 Sources
  Exchange Online Mailboxes
  OneDrive for Business
  SharePoint Online
  Microsoft Teams
  Microsoft Groups

Amazon Web Services
  AWS Account Requirements
  Register Your AWS Account
  Amazon EC2 Instances
  Amazon RDS Databases

Databases
  MS SQL
  Oracle

Monitoring
  Reporting
  Detect Ransomware Attacks
  Audit Logs

How-To Videos

Cohesity Support
  Reach Cohesity Support
  Reach Cohesity Support by Email
  Support/Service Assistance
  Cohesity Software Running on Partner Hardware


Overview

Today’s companies and organizations are overwhelmed with the exponential growth in the
amount of data they collect, manage, and store. You need to be able to focus on managing
your data without worrying about additional hardware in your data center.

We designed Cohesity Helios as a platform to provide enterprise-ready Data
Management-as-a-Service (DMaaS) by hosting a series of Software-as-a-Service (SaaS)
applications for data management. The first in the series is Cohesity DataProtect,
Cohesity’s SaaS offering that provides protection for your virtual and physical workloads,
databases, and applications. You can sign up and start backing up your data today.

Log in to Cohesity DataProtect to protect data sources from your data center and SaaS
applications in just a few steps:

1. Select a cloud region for your backups.


2. Register a source.
3. Select the objects on that source to protect.
4. Protect those objects.

Ready? > Get started!

What's New
Cohesity DataProtect delivered as a Service keeps evolving. Every month, we're adding
new features and supporting additional types of sources that you can protect in the service.

August 2022
Audit Logs. DataProtect now provides audit information for the events generated on the
registered regions through DataProtect. For more information, see Audit Logs.

July 2022
• SaaS Connector Groups. If you use one vCenter to manage multiple ESXi clusters
  in different geographic locations, you can group the local SaaS connectors at each
  location into SaaS Connector Groups, followed by associating these Connector Groups
  to vCenter resources in that location. It helps you ensure efficient routing of your
  backup and recovery data traffic through SaaS Connectors that operate in that same
  location.
• SaaS Connector Alert. A Critical alert, SaaSConnectorStatusAlert is triggered
  when the SaaS connector is not reachable due to a network connection issue or is
  down. You can configure alert email notifications in DataProtect to receive this alert
  and take appropriate action.
• Granular Recovery for Amazon EC2. You can now perform a granular file and
  folder recovery for Amazon EC2. This feature is available for Cohesity snapshots and
  not AWS snapshots.
• Recover Mailbox items. In addition to recovering individual emails and folders,
  you can now recover calendar invites, contacts, notes, or tasks.
• Add Multiple Microsoft 365 Service Accounts. To manage Exchange Online
  throttling mailbox protection on tenants where OAuth is not enabled, you can add
  multiple Microsoft 365 service accounts during the source registration or edit the
  source configuration and add multiple Microsoft 365 Service User Accounts.
• Download multiple OneDrive or SharePoint Site files and folders. As part of
  the recovery workflow, you can now download multiple files and folders from a user's
  OneDrive backup or document libraries and files from the SharePoint site backup.
• Microsoft 365 Protection for Groups. In addition to protecting M365 user
  Mailboxes, OneDrives, SharePoint Online Sites, and Teams, you can now protect your
  Groups data as well.

Note: This is an Early Access feature. Contact your Cohesity account team
to enable the feature for your tenant.

March 2022
• M365 Mailboxes and OneDrives. UI enhancements:
    • Global search for a Microsoft 365 User now correctly displays the matching
      Mailbox and OneDrive objects separately using the correct Icons. (Earlier, M365
      User icon was incorrectly displayed for both Mailbox and OneDrive objects,
      making it difficult to interpret search results.)
    • Protection Coverage, Status, and Last Backup widgets on the Dashboard now
      treat M365 Mailboxes and OneDrives as separate objects.
    • Sources page now treats M365 Mailboxes and OneDrives as separate objects
      when displaying Protected and Unprotected Object counts.
    • Protected Objects Report now lists Mailbox and OneDrive objects separately.
• Video Examples. We've recorded several how-to videos to help you learn some of
  the key DataProtect tasks in step-by-step examples.

February 2022
• Granular M365 Teams Recovery. You can now recover specific Teams content
  items, in addition to whole Teams.
• M365 Express Registration. You can now let Cohesity create the Azure application
  you need to register your M365 sources. And if your business requires it, you can still
  enter your specific Azure application details manually as well.
• Ransomware Detection for More Workloads. During protection runs, the
  Cohesity DataProtect service detects anomalies in your data and triggers a specific
  critical alert, DataIngestAnomalyAlert. You can now check for these anomalies,
  inspect any that occur, and when necessary, recover the object from the latest clean
  backup.

  Note: This feature is now available for all workloads supported in Cohesity
  DataProtect delivered as a Service, except for Microsoft 365 workloads.

• Streamlined SaaS Connector Firewall Port Requirements. You no longer need
  to open outgoing firewall ports 11117 and 29991 for your SaaS Connectors.

October 2021
• Granular M365 OneDrive Recovery. You can now recover specific contents from a
  user's OneDrive, in addition to whole OneDrives.

September 2021
• Granular M365 SharePoint Sites Recovery. When recovering Microsoft 365
  SharePoint Online sites, you can now recover specific document library items as well
  as whole sites.

August 2021
• Amazon RDS Protection. You can now protect the Amazon RDS databases in your
  AWS account, in addition to protecting your Amazon EC2 instances.

July 2021
• Cohesity DataProtect now supports this additional cloud region to store your data:
    • Europe (London)
• Cohesity DataProtect delivered as a Service is now SOC 2 Type II certified.

June 2021
• Granular M365 Mailbox Recovery. We've added indexing to Microsoft 365 Mailbox
  protection, so that you can recover individual emails and folders, in addition to whole
  Mailboxes.
• Hyper-V Protection. You can now register your SCVMM server and Hyper-V hosts to
  protect your Hyper-V VMs.

  Note: The Hyper-V recovery workflow currently only supports granular
  (file- & folder-level) recovery. VM-level recovery is coming soon.

• AWS EC2 Data Ingest. Now you have two options for protecting your AWS EC2
  instances: AWS snapshots are saved to the same account and region as your EC2
  instances, while Cohesity snapshots are saved to your DataProtect service cloud
  region.
• Oracle Database Protection. Register your Oracle servers and hosts to protect your
  Oracle Databases.
• Source-Specific SaaS Connectors. We've updated our SaaS Connectors with specific
  choices for your data source types: VMware, AWS, and Hyper-V.
• Cohesity DataProtect now supports this additional cloud region to store your data:
    • Europe (Frankfurt)

May 2021
• Microsoft 365 Protection for OneDrives, SharePoint Online Sites, and
  Teams. Now, in addition to protecting M365 user Mailboxes, you can protect your
  M365 OneDrives, SharePoint Online Sites, and Teams.
• Physical Server Protection. Use the DataProtect service to protect your Linux and
  Windows servers.
• AWS EC2 Instances. You can now protect the EC2 instances in your AWS account.

April 2021
• Bandwidth Throttling. If you need to manage the network bandwidth consumption
  of your backup and recovery tasks, you can now schedule bandwidth usage limits in
  your SaaS Connections.
• Differential Restores for VMware VMs. When time is of the essence when you're
  recovering VMs, you can now take advantage of VMware differential restores when
  recovering VMs to their original locations.
• Ransomware Detection. During protection runs, the Cohesity DataProtect service
  detects anomalies in your data and triggers a specific critical alert,
  DataIngestAnomalyAlert. You can now check for these anomalies, inspect any that
  occur, and when necessary, recover the object from the latest clean backup.
• Cohesity DataProtect now supports these additional cloud regions to store your data:
    • US East (N. Virginia)
    • US West (N. California)
    • Asia Pacific (Sydney)

March 2021
• Microsoft 365 Mailbox Protection. You can now protect your M365 user
  Mailboxes. Check the requirements, register your M365 sources, and start protecting
  user Mailboxes!
• SQL Server Protection. Now you can protect your SQL databases with Cohesity
  DataProtect delivered as a Service. Make sure you meet the SQL requirements,
  register your SQL Server sources, and get started protecting your SQL databases!
• Reporting. Cohesity DataProtect delivered as a Service reports give you useful
  insights on your data protection trends. Inspect and share your data protection and
  recovery results.

Get Started
To get started:

1. Sign in to the Helios account that has Cohesity DataProtect enabled.


2. Select a cloud region for your backups and choose a Key Management System for
your data encryption.
3. Register your source.
4. Select the objects on that source to protect.
5. Protect those objects.

Sign in to Cohesity DataProtect


To access the Cohesity DataProtect service, you'll need the Helios username from the
welcome email and the password you set when you activated your Helios account.
To sign in to Cohesity DataProtect, go to the Cohesity Helios home page.

To sign out, click the User icon in the top right and select Log Out.

Note: You can change your password at any time.

Next > If this is your first time logging in, you will be prompted to select your region and
Encryption Mode.

Select Regions and Encryption Key Management System


Before you can use Cohesity DataProtect, you need to choose at least one cloud region for
your data backups.
For a current list of supported regions and countries, see the FAQ.

Important: Once data is backed up to one region, you cannot move it to another.
To back your data up in another region, you can add that region and start
protecting your data there.

Choose Key Management System (KMS)


In Cohesity DataProtect, all the data is encrypted both in flight and at rest. Cohesity uses
AWS Key Management System for at-rest data encryption and provides customers a choice
between Cohesity- and self-managed keys:

• Cohesity KMS. Cohesity generates and uses unique AWS encryption keys (known as
  Customer Master Keys in AWS) for each customer to encrypt their data.
• Self-Managed KMS. You can also use your own AWS encryption keys (Customer
  Master Keys) instead. To use your own AWS KMS:
    1. You provide the CMK Amazon Resource Name (ARN) for the cloud region you
       selected.
    2. Cohesity generates the JSON for a key policy document that allows the
       DataProtect service to make API calls to your CMK.
    3. You add the generated JSON contents to your AWS CMK's Policy in your AWS
       account.
  The permissions required by the Cohesity DataProtect service are:
    • kms:Encrypt
    • kms:Decrypt
    • kms:ReEncrypt*
    • kms:GenerateDataKey*
    • kms:DescribeKey

  Important: If you choose this option, you are responsible for
  ensuring that your CMK is not deleted, as that would make the data
  stored in Cohesity DataProtect unrecoverable.

  With this option, you can audit the access calls made to your CMK to find
  important information, including when the CMK was used, the operation that
  was requested, the identity of the requester, and the source IP address. For
  more, see Logging AWS KMS API calls with AWS CloudTrail and What Is AWS
  CloudTrail? in the AWS documentation.
  Note that you can also revoke CMK access to Cohesity at any time, after which
  Cohesity cannot decrypt the data stored in Cohesity DataProtect and all backup
  & recovery operations will fail.
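
The CMK audit described above, as an added example that is not part of the Cohesity guide: a Python triage of CloudTrail records for one self-managed CMK that lists when the key was used, the operation, the requester and the source IP, and flags calls that put the key (and therefore the backups) at risk. The key ARN, the principal ARNs, the IP addresses and the log records are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders, not real identifiers.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BACKUP_PRINCIPAL = "arn:aws:iam::444455556666:role/EXAMPLE-backup-service"
ADMIN = "arn:aws:iam::111122223333:user/example-admin"

# The five permissions the guide lists for the DataProtect service.
GRANTED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey")

# KMS API calls that can take the key away from the backup service.
KEY_AT_RISK_EVENTS = frozenset({"ScheduleKeyDeletion", "DisableKey",
                                "DeleteImportedKeyMaterial", "PutKeyPolicy"})


def make_event(time, name, who, ip, key=CMK_ARN,
               source="kms.amazonaws.com", error=None):
    """Build one constructed CloudTrail-style record for the sample log."""
    record = {"eventTime": time, "eventSource": source, "eventName": name,
              "userIdentity": {"arn": who}, "sourceIPAddress": ip,
              "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        record["errorCode"] = error
    return record


# Constructed sample log: normal use, another key, a deletion request,
# a failed decrypt by the backup service, and an unrelated S3 call.
SAMPLE_LOG = json.dumps({"Records": [
    make_event("2022-10-03T08:00:01Z", "GenerateDataKey", BACKUP_PRINCIPAL, "198.51.100.10"),
    make_event("2022-10-03T08:00:07Z", "Decrypt", BACKUP_PRINCIPAL, "198.51.100.10"),
    make_event("2022-10-03T09:12:44Z", "Decrypt", ADMIN, "203.0.113.5",
               key=CMK_ARN.replace("EXAMPLE-KEY-ID", "OTHER-KEY")),
    make_event("2022-10-03T09:30:00Z", "ScheduleKeyDeletion", ADMIN, "203.0.113.5"),
    make_event("2022-10-03T12:00:02Z", "Decrypt", BACKUP_PRINCIPAL, "198.51.100.10",
               error="KMSInvalidStateException"),
    make_event("2022-10-03T12:05:00Z", "GetObject", ADMIN, "203.0.113.5",
               source="s3.amazonaws.com"),
]})


def touches_key(event, cmk_arn):
    """True when the record names the CMK among its resources."""
    return any(r.get("ARN") == cmk_arn for r in event.get("resources") or [])


def triage(cloudtrail_json, cmk_arn, backup_principal):
    """Return (usage, findings) for KMS calls made against cmk_arn.

    usage rows are (time, operation, requester, source IP); findings
    prefix the same row with a reason.
    """
    usage, findings = [], []
    for event in json.loads(cloudtrail_json).get("Records", []):
        if event.get("eventSource") != "kms.amazonaws.com":
            continue
        if not touches_key(event, cmk_arn):
            continue
        operation = event["eventName"]
        requester = event.get("userIdentity", {}).get("arn", "unknown")
        row = (event["eventTime"], operation, requester,
               event.get("sourceIPAddress", "unknown"))
        usage.append(row)
        if operation in KEY_AT_RISK_EVENTS:
            # Deleting, disabling or re-writing the policy of the CMK can
            # leave the stored backups undecryptable.
            findings.append(("key-at-risk",) + row)
        elif requester == backup_principal and event.get("errorCode"):
            # The backup service could not use the key: backups and
            # recoveries fail from this point on.
            findings.append(("backup-access-failing",) + row)
        elif requester == backup_principal and not any(
                fnmatchcase("kms:" + operation, p) for p in GRANTED_ACTIONS):
            findings.append(("outside-granted-actions",) + row)
    return usage, findings


if __name__ == "__main__":
    used, flagged = triage(SAMPLE_LOG, CMK_ARN, BACKUP_PRINCIPAL)
    for row in used:
        print("use ", *row)
    for row in flagged:
        print("flag", *row)
```
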

In both options, Cohesity uses AES-256 encryption keys called DEKs (Data Encryption Keys)
to encrypt the data at rest. DEKs are generated using the AWS CMK and rotated every 4
hours. The Data Encryption Key is encrypted with AWS CMK and stored along with the data
— it is never stored in plain text.
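
For the self-managed option's key policy step, an added example (not Cohesity's generated JSON and not part of the guide): a Python check that the statements granted to the backup service's principal in a CMK key policy cover the five listed permissions and nothing beyond them. The principal ARN, account IDs and policy documents are constructed placeholders; Deny statements, NotAction and Condition blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The permissions the guide lists for the DataProtect service.
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey")

# Constructed placeholders; the real principal comes from the generated JSON.
SERVICE_PRINCIPAL = "arn:aws:iam::444455556666:role/EXAMPLE-backup-service"
OWNER_ROOT = "arn:aws:iam::111122223333:root"


def as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def covers(pattern, action):
    """True when IAM action pattern `pattern` covers `action`.

    IAM action names are case-insensitive and use * as a wildcard. `action`
    may itself end in * (as in kms:ReEncrypt*), in which case only an equal
    or broader pattern covers it.
    """
    return fnmatchcase(action.lower(), pattern.lower())


def actions_granted_to(policy, principal):
    """Collect Allow actions from statements that name the principal."""
    granted = set()
    for statement in as_list(policy.get("Statement", [])):
        who = statement.get("Principal", {})
        arns = ["*"] if who == "*" else as_list(who.get("AWS", []))
        if statement.get("Effect") == "Allow" and (principal in arns or "*" in arns):
            granted.update(as_list(statement.get("Action", [])))
    return granted


def audit_key_policy(policy_json, principal=SERVICE_PRINCIPAL):
    """Return (missing, excess) action lists for the principal."""
    granted = actions_granted_to(json.loads(policy_json), principal)
    missing = sorted(r for r in REQUIRED_ACTIONS
                     if not any(covers(g, r) for g in granted))
    excess = sorted(g for g in granted
                    if not any(covers(r, g) for r in REQUIRED_ACTIONS))
    return missing, excess


def make_policy(service_actions):
    """Constructed key policy: owner-account statement plus service statement."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": OWNER_ROOT},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "BackupServiceUse", "Effect": "Allow",
             "Principal": {"AWS": SERVICE_PRINCIPAL},
             "Action": service_actions, "Resource": "*"},
        ],
    })


# Constructed sample policies.
POLICY_AS_LISTED = make_policy(list(REQUIRED_ACTIONS))
POLICY_DRIFTED = make_policy(["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                              "kms:GenerateDataKey*", "kms:ScheduleKeyDeletion"])
POLICY_WILDCARD = make_policy("kms:*")

if __name__ == "__main__":
    for name, doc in [("as listed", POLICY_AS_LISTED),
                      ("drifted", POLICY_DRIFTED),
                      ("wildcard", POLICY_WILDCARD)]:
        missing, excess = audit_key_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

A non-empty `missing` list means backup or recovery calls to the CMK will be denied; a non-empty `excess` list means the service principal holds more than the guide says it needs.
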

Note: Once you choose a KMS, you cannot change that choice.

Next > You're all set up and ready to register your sources!

Register a Source
To start protecting your data, register your data sources. The process for registering each
source is unique to the type of source. See the registration steps for:

• VMware
• Generic NAS
• Isilon NAS
• NetApp ONTAP
• MS SQL
• Microsoft 365
• Physical Servers
• AWS Account
• Hyper-V
• Oracle

If your source data is in your data center (and for better performance with AWS sources),
you'll need to create a SaaS Connection (or use an existing one) to establish connectivity
between the sources and the Cohesity DataProtect service. You can create a SaaS
Connection while registering your source, or you can create a SaaS Connection in advance.
Next > Learn how to protect the objects in your source, or start by registering one of the
sources above.

Protect a Source
Once you have registered a source in Cohesity DataProtect, you can start protecting the
objects, volumes, and files in that source. For detailed instructions, see the respective
Workload Types:

• Protect VMware VMs
• Protect Hyper-V VMs
• Protect NAS Sources
• Protect Oracle Databases
• Protect Physical Servers
• Protect MS SQL Databases
• Protect Your Amazon EC2 Instances
• Protect Your Amazon RDS Databases

Next > When the first protection run completes, you will be ready to recover your
protected objects when and if you need to.

Recover Protected Objects & Files


After you protect a source, you can recover the objects and files from your backups, to their
original or a new location. To get started:

• Set Up Recovery
• Recover Objects & Volumes
• Recover Files & Folders

Note: The steps in this article comprise the general recovery process. For
workload-specific details, see Supported Workload Types below.

Set Up Recovery

To recover protected objects & volumes or files & folders:

1. Navigate to Sources.
2. Click into the Source name.
3. Above the tree, select Object Protection > Protected.
4. Use the filters, search box, and views to locate the objects or files you need.
5. To recover:
   • Objects (VMs) or NAS volumes, continue with Recover Objects & Volumes
     below.
   • Files and folders, continue with Recover Files & Folders below.

Tip: You can also use Global Search to locate, filter, and select the objects you
need. Click the Global Search box at the top or type slash (/) anywhere to start
your search.

Recover Objects & Volumes


To recover protected objects (VMs or NAS volumes):

1. Locate and select them, and then click Recover at the top to open the New
Recovery form with the Latest snapshot (protection run).
2. If you need to recover from an earlier snapshot, click the Edit icon to select a new
recovery point.
   • For each object under Selected, you can click the Edit icon to open the
     Recovery Point calendar. Click List to view the available recovery points by
     timestamp and click one.
   • Click Select Recovery Point.
   • Click Next: Recover Options to return to the form.
3. Under Recover To, select Original Location or New Location.
   • For VMs: If you choose New Location, select a Registered Source,
     Resource Pool, Datastores, and the VM Folder.
   • For NAS volumes: If you choose New Location, select a Registered
     Source and the Volume.
4. Select your Recovery Options.
5. Click Start Recovery.

Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.

Recover Files & Folders


To recover a specific file or files (or the folders containing them) from a protected source:

1. Locate the source object containing the files and click Recover Files on the row
   for that object to open the Select Files form.
2. If you need to recover from an earlier snapshot, click the Recovery Point calendar
   drop-down to select the recovery point.
   • Click List to view the available recovery points by timestamp and click one.
   • Click Apply.
3. Click into the path to find the files and add them to the Selected Items list.
4. Choose how to recover your files: download locally or recover.
   • Click Download Files to open the Activity page, showing your file recovery
     task. Click into the recovery task and click Download Files a second time to
     save them to your local system.
   • Click Save to open the New Recovery form. Under Recover To, select
     Original Location or New Location.
       • If you choose Original Location, enter a Username and Password that has
         access to the original server. You can also enable Recover to Alternate Path
         to enter a new path on the original server.
       • If you choose New Location, select a registered Source and a Target (VM) or
         Volume (NAS). Enter a Username and Password that has access to that
         server and enter a Recover To path.
5. Select your Recovery Options.
6. Click Start Recovery.

Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.

Supported Workload Types


While the recovery steps outlined above are generally the same for each workload type,
there are differences. For recovery details that are specific to each workload type, see:

• Recover VMware VMs & Files
• Recover NAS Data
• Recover SQL Databases
• Recover Microsoft 365:
    • Mailboxes, Emails, & Folders
    • OneDrives & OneDrive Contents
    • SharePoint Online Sites & Items
    • Teams
• Recover Physical Servers
• Recover Amazon
    • EC2 Instances
    • RDS Databases
• Recover Files Hyper-V VMs & Files
• Recover Oracle Databases

Recovery Options
When you recover objects & volumes or files & folders in Cohesity DataProtect, you can
configure many additional options. While the options differ among object types and files,
they often include the options below, for:

• Objects (VMs & Volumes) Options
• Files & Folders Options
• General Recovery Options

Recovery Options for Objects (VMs & Volumes)

• Overwrite Existing VM. (Applies when recovering to the original location) Enable
  this option to recover the VM by deleting the original VM. The recovered VM will have
  the original VM name.

  Important: The original VM is deleted before the recovery. Therefore a
  recovery failure will also lead to the loss of the original VM.

• Attempt Differential Recovery. By enabling this option, Cohesity DataProtect
  attempts to recover the VM by overwriting only the difference between the original
  VM and the snapshot selected for recovery. Any newly added data in the original VM is
  deleted. This option is available only if you have selected Overwrite Existing VM, and
  you can learn more about its pros and cons in Recover VMware VMs & Files.
• Network. By default, the VMs that are to be recovered do not have a virtual Network
  Interface Card (vNIC) attached. Enable the Attach option to attach a virtual Network
  Interface Card (vNIC) to each VM that is to be recovered.
  With the Attach option enabled, the following options are displayed:
    • Network. From the drop-down menu, select a network to attach the virtual
      Network Interface Card (vNIC) to a new network.
    • Start Connected. Enable this option to connect to the new network when the
      VM reboots for each recovered VM. If this option is not selected, the VMs are
      not connected to any network on reboot.
    • Preserve MAC Address. Enable this option to preserve the MAC address
      when recovering to an alternate location.
• Rename. Add Prefix and/or Suffix strings to the names of the new VMs created by
  this task.
• Power State. Disable Power On if you want the recovered VMs to remain powered
  off after they are created.
• Continue on Error. Enable Continue recovery even if errors occur when
  recovering VMs if you want the recovery task to continue even if errors occur when
  recovering the VMs. For example, if one of the VMs cannot be created, Cohesity
  DataProtect will still attempt to create the other VMs.

Recovery Options for Files & Folders

• Overwrite Existing File/Folder. By default, this option is enabled to overwrite the
  existing files and folders. Disable this option to create the files and folders in the
  specified location. Any duplicate files are skipped.
• Preserve File/Folder Attributes. By default, this option is enabled and the ACLs,
  permissions, and timestamps are preserved for all files and folders. If you disable
  this option, then ACLs and permissions are not preserved. If you are recovering both
  folders and files, then folders will receive the new timestamps, but files retain their
  original timestamps. If recovering only files, then files will receive the new
  timestamps.

General Recovery Options

• Continue on Error. Enable this option if you want to continue the recovery even if
  one of the objects encounters an error. By default, this option is disabled and the
  recovery operation will fail if one of the objects encounters an error.
• Task Name. Change the default name of the recovery task.

Next > When you've made your choices, click Start Recovery to recover the objects or
files to the selected location.

Deploy SaaS Connector


To register on-premises or cloud-based data sources with Cohesity DataProtect, you need
to use a SaaS Connection to establish connectivity between your source and the service. A
SaaS Connection consists of one or more SaaS Connectors, which are VMs that act as data
movers between your data sources and the Cohesity DataProtect service.
To create a SaaS Connection, you deploy one or more SaaS Connector VMs. Depending on
the data source that you want to protect, you will deploy SaaS Connectors for:

• VMware
• AWS
• Hyper-V

Next > You're all set up and ready to register your sources!

SaaS Connection Requirements


Before deploying the SaaS Connector, review and understand the following requirements:

• SaaS Connector System Prerequisites
• SaaS Connector Sizing Recommendations
• Check Firewall Ports

SaaS Connector System Prerequisites


Ensure that the SaaS Connector VM that you deploy for your SaaS Connection meets the
following system requirements:

• 4 CPUs
• 10 GB RAM
• 20 GB disk space (100 MB throughput, 100 IOPs)
• Outbound Internet connection

SaaS Connector Sizing Recommendations


We recommend that you have one SaaS Connector for each 160 VMs or 16 TB of source
data. If you have more data, we recommend that you stagger their first full backups.

Note: These requirements are subject to change.

Check Firewall Ports


Ensure that the following ports are open for Cohesity DataProtect in your firewall:

Port      Protocol   Target                          Direction (from Connector)  Purpose
--------  ---------  ------------------------------  --------------------------  --------------------------------
443       TCP        helios.cohesity.com             Outgoing                    Connection used for control path
443       TCP        helios-data.cohesity.com        Outgoing                    Used to send telemetry data
22, 443   TCP        rt.cohesity.com                 Outgoing                    Support channel
443       TCP        *.dmaas.helios.cohesity.com     Outgoing                    Connection used for data path
443       TCP        *.cloudfront.net                Outgoing                    To download upgrade packages
443       TCP        *.amazonaws.com                 Outgoing                    For S3 data traffic
123, 323  UDP        ntp.google.com or internal NTP  Outgoing                    Clock sync
53        TCP & UDP  8.8.8.8 or internal DNS         Bidirectional               Host resolution

Note: For backup & recovery operations to function, ensure that SSL
communication for TCP port 443 is enabled in your firewall.

These firewall rules allow outgoing traffic from a SaaS Connector to the DataProtect service
endpoint. The SaaS Connector opens a secure encrypted gRPC tunnel to the endpoint and
uses it for both backup and recovery traffic.
The connectivity status between a SaaS Connection and the DataProtect service is displayed
both in the SaaS Connection and the DataProtect dashboard.
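
One way to check an egress rule set against the port table above, as an added example that is not part of the Cohesity guide: the Python below reports which required flows no allow rule covers and which rules still open ports 11117 and 29991, which the February 2022 notes say are no longer needed. The rule format (`dest`, `proto`, `ports`) and the sample rules are constructed assumptions, and only the outgoing direction is modelled.

```python
from fnmatch import fnmatchcase

# Ports the guide's What's New section says no longer need to be opened.
LEGACY_PORTS = {11117, 29991}


def required_flows(ntp_host="ntp.google.com", dns_host="8.8.8.8"):
    """Flows from the guide's port table as (destination, protocol, port).

    Pass your internal NTP or DNS host when you use one instead of the
    public defaults named in the table.
    """
    tcp_443 = ["helios.cohesity.com", "helios-data.cohesity.com",
               "rt.cohesity.com", "*.dmaas.helios.cohesity.com",
               "*.cloudfront.net", "*.amazonaws.com"]
    flows = [(host, "tcp", 443) for host in tcp_443]
    flows.append(("rt.cohesity.com", "tcp", 22))           # support channel
    flows += [(ntp_host, "udp", 123), (ntp_host, "udp", 323)]
    flows += [(dns_host, "tcp", 53), (dns_host, "udp", 53)]
    return flows


def rule_allows(rule, flow):
    """True when an allow rule covers the flow.

    The rule destination is a glob. A required wildcard destination such as
    *.amazonaws.com is only covered by an equal or broader glob, not by a
    single host underneath it.
    """
    dest, proto, port = flow
    return (rule["proto"] == proto
            and port in rule["ports"]
            and fnmatchcase(dest.lower(), rule["dest"].lower()))


def audit_egress(rules, flows):
    """Return (missing, stale).

    missing: required flows that no rule allows.
    stale:   rules that still open the legacy ports, with those ports.
    """
    missing = [f for f in flows if not any(rule_allows(r, f) for r in rules)]
    stale = [(r["dest"], r["proto"], sorted(LEGACY_PORTS & r["ports"]))
             for r in rules if LEGACY_PORTS & r["ports"]]
    return missing, stale


# Constructed sample: outbound allow rules for a SaaS Connector's subnet.
SAMPLE_RULES = [
    {"dest": "*.cohesity.com", "proto": "tcp", "ports": {443}},
    {"dest": "*.amazonaws.com", "proto": "tcp", "ports": {443}},
    {"dest": "ntp.google.com", "proto": "udp", "ports": {123}},
    {"dest": "8.8.8.8", "proto": "udp", "ports": {53}},
    {"dest": "8.8.8.8", "proto": "tcp", "ports": {53}},
    {"dest": "*", "proto": "tcp", "ports": {11117, 29991}},
]

if __name__ == "__main__":
    missing, stale = audit_egress(SAMPLE_RULES, required_flows())
    for dest, proto, port in missing:
        print(f"missing: {proto}/{port} to {dest}")
    for dest, proto, ports in stale:
        print(f"stale:   {proto}/{ports} to {dest} can be closed")
```
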
Next > Return to creating the SaaS Connection or add more SaaS Connectors to existing
SaaS Connections.

Deploy VMware SaaS Connectors


You can install a VMware SaaS Connector using an installer OVA in your VMware
environment, on a vCenter or ESXi host in your data center that has access to your data
sources and meets the SaaS Connection system and firewall requirements. Once deployed,
each SaaS Connector is a virtual machine that runs on a vCenter or ESXi host in your data
center.

Tip: For better performance and redundancy, we recommend that you deploy at
least two SaaS Connectors for each SaaS Connection in your data center. To add
(or remove) a SaaS Connector, see Manage Your SaaS Connections.

All the data that a SaaS Connection handles, from your sources to the cloud storage where
your backups reside, is encrypted in flight and at rest.

Create VMware SaaS Connection


To create a VMware SaaS Connection:

1. Navigate to Sources and click Register Source.


2. Select any workload type.
3. In the form, click Create New Connection.
4. Under Deployment Platform, select VMware, then select a Connection Region
for your data backups.
5. Prepare to deploy the SaaS Connector in your data center:
   • Copy the OVA URL or Download the OVA file.
   • Copy or Download the Connection Token.
6. To deploy the SaaS Connector OVA in your data center:
   1. Log in to your vCenter host.
   2. Right-click an inventory object and select Deploy OVF Template.
   3. In the Deploy OVF Template wizard, enter the OVA URL or specify the
      location of the OVA you downloaded. Then configure more settings in the next
      few screens:
      1. Select a compute resource for the SaaS Connector VM and click Next.
      2. Review details. Verify the SaaS Connector information.
      3. Configuration. Select the SaaS Connection configuration.
      4. Select storage. Select a datastore with at least 20 GB disk space.
      5. Select networks page. Select a network.
      6. Customize template. Enter the Network IP Address, Network Netmask,
         and Default Gateway.
      7. Ready to complete. Review the summary and click Finish.
      8. Once the VM is created, power it on.

Note: After it boots, the services in the SaaS Connector VM (including the
UI) can take 4-5 minutes to start.

7. Browse to the SaaS Connector VM IP address that you entered in the previous step
and log in as admin/admin. On initial login, change the default password and log in
again with your new password. Enter the Connection Token and common
configuration settings and click Save.

Note: It can take another few minutes for the SaaS Connector to
authenticate to the Cohesity DataProtect service.

8. Once the SaaS Connector authenticates successfully, return to the Create New
Connection dialog and click Verify Connection.

Next > Your new VMware SaaS Connection is available under Use Existing Connection
to register your VMware sources.

Connector Groups
If you use one vCenter to manage multiple ESXi clusters in different geographic locations,
you can group the local SaaS Connectors at each location into SaaS Connector Groups, and
then associate these Connector Groups to vCenter resources in that location. SaaS
Connector Groups help you ensure efficient routing of your backup and recovery data traffic
through SaaS Connectors that operate in the same location as the data sources.
For example, if your vCenter manages two data centers, one in New York and another in
San Francisco, the SaaS Connectors in both locations can be grouped into two separate
Connector Groups. These Connector Groups can then be associated with the respective data
centers in each of those regions.

Note: You can only group SaaS Connectors in a VMware SaaS Connection.


Create Connector Groups

To create and manage Connector Groups in a SaaS Connection:

1. From the Dashboard, select SaaS Connections.


2. From the Actions menu (⋮) of a SaaS Connection, select Manage Connectors.
3. Select Group Connectors. The Group Connectors page displays all SaaS
Connectors under Ungrouped.
4. Click New Group.
5. In the Edit SaaS Connector Group dialog, enter a name for the new Connector
Group and click Update. The new Connector Group is displayed on the Manage
Connectors page.
6. Drag a SaaS Connector from Ungrouped to the new Connector Group. You can add
more SaaS Connectors until you have all of the Connectors you want in that Connector
Group.
7. Click Done to save your changes.

To create more Connector Groups, repeat steps 3 to 7.


Once you’ve created a Connector Group, you’re ready to associate the Connector Group to
the data center or ESXi host of a specific geographic region. For details, see Manage
Network Traffic.

Manage Connector Groups

To view the details of an existing Connector Group:


1. From the Dashboard, select SaaS Connections.


2. Click the name of a SaaS Connection you need to explore. All the Connector Groups in
that SaaS Connection are displayed under Connector Details.
3. To rename a Connector Group, click the Actions menu (⋮) and select Rename.
4. To adjust a Connector Group’s bandwidth usage, click the Actions menu (⋮) and
select Bandwidth Usage.

Note: Ungrouped SaaS Connectors inherit the bandwidth settings of the
SaaS Connection.

5. To remove a SaaS Connector from the Connector Group, click the Actions menu (⋮)
and select Ungroup.

Edit SaaS Connectors

A SaaS Connector can belong to only one Connector Group. To move a SaaS Connector to
another Connector Group:

1. From the Dashboard, select SaaS Connections.


2. From the Actions menu (⋮) of a SaaS Connection, select Manage Connectors.
3. To move a single SaaS Connector to another Connector Group, perform one of the
following:
1. Drag the SaaS Connector to the other Connector Group.

2. Click the Move icon and select a Connector Group from the list.

The SaaS Connector is moved to the selected Connector Group.


4. To move all the SaaS Connectors from one Connector Group to another, click the
Actions menu (⋮) and select a Connector Group from the list.
The SaaS Connectors are moved to the selected Connector Group.
5. Click Done to save your changes.

Ungroup SaaS Connectors

To remove all the SaaS Connectors from a Connector Group:

1. From the Dashboard, select SaaS Connections.


2. From the Actions menu (⋮) of a SaaS Connection, select Manage Connectors.
3. From the Actions menu (⋮) of that Connector Group, select Ungroup.
The removed SaaS Connectors are displayed under Ungrouped.
4. Click Done to save your changes.


Delete Connector Groups

You can only delete Connector Groups that do not have any SaaS Connectors and are not
associated with a vCenter source.
To delete a Connector Group:

1. From the Dashboard, select SaaS Connections.


2. From the Actions menu (⋮) of a VMware SaaS Connector, select Manage
Connectors.
3. From the Actions menu (⋮) of the Connector Group, select Delete.
4. Click Done to save your changes.

Manage Network Traffic


After you create Connector Groups, you can associate them with specific data centers or
ESXi clusters.
To associate a Connector Group with the desired vCenter resources:

1. From the Dashboard, select SaaS Connections.


2. Select a VMware SaaS Connection.
3. Click the Linked Sources tab.
4. Click Get Started.
5. Select Manage Network Traffic from the Actions menu (⋮) of a VMware source.
The Manage Traffic Sources page displays the Connector Groups you have created
and the hierarchy of the data centers, clusters, ESXi hosts, and folders in that
vCenter.
6. Drag the data center or ESXi host of a specific geographic region to the Connector
Group. The Cohesity cluster chooses the Connector Group associated with the vCenter
source closest to the VM in the vCenter hierarchy.
For example, if CG1 is connected to the ESXi host A and CG2 is connected to a folder
inside ESXi host A, Cohesity will choose CG2 to protect a VM inside that folder. For
this reason, Cohesity recommends that you associate Connector Groups with data
centers or ESXi hosts.

Note: Protection runs fail if Connector Groups with no SaaS Connectors are
added to the SaaS Connection.

7. Enter your credentials in the Username and Password fields and click Save. The
Connector Group is displayed on the Manage Traffic Routes page.


Once a Connector Group is successfully associated with a vCenter source, network traffic
for future VMware VM protection runs (in-progress protection runs, if any, are not affected)
is steered through the Connector Group to the SaaS Connectors, thereby containing the
traffic within a data center or geographical area.
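The closest-association rule described above (CG2 on a folder wins over CG1 on its ESXi host) can be checked on paper before you drag objects in the UI. The following is an added planning example, not Cohesity code or a Cohesity API; the inventory names, the `CG-SF` group and the status labels are constructed assumptions, and the guide does not say what happens to a VM with no association, so that case is only reported.

```python
# Constructed vCenter inventory as child -> parent (not from a real environment).
PARENT = {
    "dc-newyork": "vcenter",
    "dc-sanfrancisco": "vcenter",
    "esxi-a": "dc-newyork",
    "folder-finance": "esxi-a",
    "vm-ledger": "folder-finance",
    "vm-web": "esxi-a",
    "esxi-b": "dc-sanfrancisco",
    "vm-build": "esxi-b",
    "dc-lab": "vcenter",
    "vm-test": "dc-lab",
}

# Connector Group associated with each inventory object (the guide's CG1/CG2 case,
# plus a hypothetical CG-SF group for the second data center).
ASSOCIATIONS = {"esxi-a": "CG1", "folder-finance": "CG2", "dc-sanfrancisco": "CG-SF"}

# SaaS Connectors in each Connector Group; CG-SF was created but left empty.
MEMBERS = {
    "CG1": ["connector-ny-1", "connector-ny-2"],
    "CG2": ["connector-ny-3"],
    "CG-SF": [],
}


def ancestors(node, parent):
    """Yield the node, then each ancestor up to the root; raise on a cycle."""
    seen = set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in inventory at {node!r}")
        seen.add(node)
        yield node
        node = parent.get(node)


def resolve_group(vm, parent, associations):
    """Return (group, matched_object) for the association closest to the VM."""
    for obj in ancestors(vm, parent):
        if obj in associations:
            return associations[obj], obj
    return None, None


def audit(vms, parent, associations, members):
    """Map each VM to (status, group, matched_object).

    status is 'ok', 'empty-group' (the group has no SaaS Connectors, so
    protection runs would fail) or 'unassociated' (no group on the path).
    """
    report = {}
    for vm in vms:
        group, matched = resolve_group(vm, parent, associations)
        if group is None:
            status = "unassociated"
        elif not members.get(group):
            status = "empty-group"
        else:
            status = "ok"
        report[vm] = (status, group, matched)
    return report


if __name__ == "__main__":
    vms = ["vm-ledger", "vm-web", "vm-build", "vm-test"]
    for vm, result in audit(vms, PARENT, ASSOCIATIONS, MEMBERS).items():
        print(vm, result)
```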

Deploy AWS SaaS Connectors


If you want Cohesity DataProtect to protect your AWS EC2 instances using Cohesity
Snapshots, you need to set up a SaaS Connection for each AWS region where you have EC2
instances to protect. Each SaaS Connector is an m5.xlarge AWS EC2 instance.

Note: To prepare your AWS account for Cohesity SaaS Connector deployment in a
Public or Private subnet, see AWS SaaS Connector Deployment Guide.

Create AWS SaaS Connector


To create an AWS SaaS Connector:

1. Navigate to Sources.
2. Click the Actions menu (⋮) next to the AWS account and select Setup SaaS
Connection.
3. In the Configure SaaS Connection for AWS dialog, provide:


1. Region. Select the AWS region where you have EC2 instances to protect.
2. Number of Connectors. Enter the number of SaaS Connectors you want to
deploy in the region.

Tip: For better performance and redundancy, we recommend that you
deploy at least two SaaS Connectors for each SaaS Connection. To add
(or remove) a SaaS Connector, see Manage Your SaaS Connections.

3. Subnet. Select the subnet where you want the SaaS Connectors to be launched.
Using a secured public subnet is more cost-efficient than a private subnet.
4. Network Security Groups. Select the network security group to be
associated with SaaS Connectors. Make sure the network security group follows
the firewall rules.
5. Tags. Specify the tags to be used for your SaaS Connectors. (Optional)
6. To create a SaaS connection for each region in your AWS account, click Add
another SaaS Connection and provide the above details.
4. Click Create Connections.

Next > Your new AWS SaaS Connection is now available to use when you protect your AWS
EC2 instances.

Deploy Hyper-V SaaS Connectors


You can deploy a Hyper-V SaaS Connector using a template VHD in your Hyper-V data
center environment that has access to your data sources and meets the SaaS Connection
system and firewall requirements.
Once deployed, each SaaS Connector is a virtual machine that runs on a Hyper-V host in
your data center.

Tip: For better performance and redundancy, we recommend that you deploy at
least two SaaS Connectors for each SaaS Connection in your data center. To add
(or remove) a SaaS Connector, see Manage Your SaaS Connections.

All the data that a SaaS Connection handles, from your sources to the cloud storage where
your backups reside, is encrypted in flight and at rest.

Create Hyper-V SaaS Connection


To create a Hyper-V SaaS Connection:


1. Navigate to Sources and click Register Source.


2. Select any workload type.
3. In the form, click Create New Connection.
4. Under Deployment Platform, select Hyper-V, then select a Connection
Region for your data backups.
5. Prepare to deploy the SaaS Connector in your data center:
• Copy the VHD URL.
• Copy or Download the Connection Token.
6. To deploy the SaaS Connector VHD in your data center:
1. Log in to your SCVMM server or Hyper-V host.
2. Download the VHD file to the SCVMM server or Hyper-V host using the VHD
URL.
3. From the Hyper-V Manager, open the New (Create) Virtual Machine wizard.
(For detailed instructions, see Create a virtual machine in Hyper-V in the
Microsoft documentation.)
1. Configure the name, location, generation, and hardware for the VM.
2. Select Virtual Hard Disk. Select ‘Use existing virtual hard disk’ and
choose the downloaded VHD file.
3. Configure Networking. Select an operational Virtual Switch to connect
the VM to.
4. Review. Review the configuration from the Summary section and click
Finish.

Note: After it boots, the services in the SaaS Connector VM
(including the UI) can take 4-5 minutes to start.

7. Browse to the SaaS Connector IP address that is assigned to the SaaS Connector VM.
On initial login, change the default password and log in again with your new
password. Enter the Connection Token and common configuration settings and click
Save.

Note: It can take another few minutes for the SaaS Connector to
authenticate to the Cohesity DataProtect service.

8. Once the SaaS Connector authenticates successfully, return to the Create New
Connection dialog and click Verify Connection.

Next > Your new Hyper-V SaaS Connection is available under Use Existing Connection
to register your Hyper-V sources.


Manage Your SaaS Connections


To optimize performance, we recommend that you use at least two SaaS Connectors in
each SaaS Connection you create, and that you have one SaaS Connector for each 160 VMs
or 16 TB of source data. (If you have more VMs, we recommend that you stagger their first
full backups.)
You can also manage the network bandwidth consumption of your backup and recovery
tasks in your SaaS Connections.

Add SaaS Connector


To add a SaaS Connector to an existing SaaS Connection:

1. From the Dashboard, click the tiles under SaaS Connections.


2. Click the Actions menu (⋮) next to the SaaS Connection and select Download
Installer to save the OVA to your data center.
3. To deploy the OVA or VHD, follow the instructions in Step 6 of the respective
SaaS Connector topic for VMware or Hyper-V.
4. Back in the SaaS Connections page, click the Actions menu (⋮) next to the SaaS
Connection again and select Connection Token. In the dialog, click the Copy to
Clipboard button.
5. Browse to the SaaS Connector IP and log in as admin/admin. On initial login, change
the default password and log in again with your new password. Enter the Connection
Token and common configuration settings and click Save.
6. Once the SaaS Connector authenticates successfully to the Cohesity DataProtect
service, click the Expand (v) button next to the SaaS Connection to confirm that the
new SaaS Connector is listed.

To add more SaaS Connectors to the same SaaS Connection, repeat the steps above.

Remove SaaS Connector


To remove a SaaS Connector from one of your SaaS Connections:

1. Navigate to Sources and click into a source that uses the SaaS Connection.
2. Click the Connection tab.
3. Under Connection Details, click the Actions menu (⋮) next to the SaaS Connector
and select Remove from Connection.

The SaaS Connector is removed from the SaaS Connection. If other healthy Connectors
remain in the SaaS Connection, it will continue to function over those Connectors.


Manage Network Bandwidth Usage


In Cohesity DataProtect, network bandwidth usage is automatically balanced among the
SaaS Connectors within each SaaS Connection. However, if you need to contain the amount
of network bandwidth consumed by your backup and recovery tasks at different times and
days of the week, the Cohesity DataProtect service allows you to throttle your bandwidth
consumption in your SaaS Connections.
The bandwidth usage options in each SaaS Connection allow you to choose the days of the
week and set the start and end times to limit bandwidth usage to a specific value in bytes
per second.

Important:
• If the defined start time and end time are the same, then the bandwidth
limit is applied for the day from 12:00 AM till 11:59 PM.

• If the defined start time is later than the end time, then the interval is
split across days. For example, if 9:00 PM and 5:00 AM are set as the start
and end times on Monday, then two intervals are set: 9:00 PM-11:59 PM on
Monday and 12:00 AM-5:00 AM on Tuesday.

• When time intervals overlap, each new interval overrides the one above it
in the list.

• Bandwidth usage limits are only applicable for backup and volume-level
recovery tasks and are not applicable for file-level recovery.
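The interval rules above interact (midnight splits, whole-day entries, later entries overriding earlier ones), so it helps to work out which limit applies at a given moment before saving a set of schedules. The following is an added example, not Cohesity code; the `Schedule` fields, the task names and the sample schedules are constructed, and it assumes the end time itself is outside the interval.

```python
from dataclasses import dataclass
from datetime import time

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
DAY_END = 24 * 60  # minute count at midnight, used as an exclusive upper bound

# Which schedule direction governs which task. File-level recovery is absent
# on purpose: bandwidth limits do not apply to it.
TASK_DIRECTION = {"backup": "upload", "volume_recovery": "download"}


@dataclass(frozen=True)
class Schedule:
    direction: str   # "upload" (backup traffic) or "download" (recovery traffic)
    days: tuple      # day names taken from DAYS
    start: time
    end: time
    limit_bps: int   # bytes per second


def minutes_of(t: time) -> int:
    return t.hour * 60 + t.minute


def expand(schedule: Schedule) -> list:
    """Expand one schedule into (day_index, start_min, end_min) intervals."""
    start, end = minutes_of(schedule.start), minutes_of(schedule.end)
    intervals = []
    for name in schedule.days:
        day = DAYS.index(name)
        if start == end:
            # Same start and end time: the limit covers the whole day.
            intervals.append((day, 0, DAY_END))
        elif start < end:
            intervals.append((day, start, end))
        else:
            # Start later than end: split at midnight into two intervals.
            intervals.append((day, start, DAY_END))
            intervals.append(((day + 1) % 7, 0, end))
    return intervals


def effective_limit(schedules, day_name, at, task):
    """Return the limit in bytes/s that applies, or None if unthrottled."""
    direction = TASK_DIRECTION.get(task)
    if direction is None:
        return None  # e.g. "file_recovery"
    day, minute = DAYS.index(day_name), minutes_of(at)
    limit = None
    for schedule in schedules:  # list order matters: later entries override
        if schedule.direction != direction:
            continue
        for d, start, end in expand(schedule):
            if d == day and start <= minute < end:
                limit = schedule.limit_bps
    return limit


# Constructed sample schedules, in the order they would appear in the list.
SCHEDULES = [
    Schedule("upload", ("Mon", "Tue", "Wed", "Thu", "Fri"), time(9, 0), time(17, 0), 10_000_000),
    Schedule("upload", ("Mon",), time(21, 0), time(5, 0), 50_000_000),
    Schedule("upload", ("Mon",), time(12, 0), time(13, 0), 2_000_000),
    Schedule("download", ("Sun",), time(0, 0), time(0, 0), 5_000_000),
]

if __name__ == "__main__":
    checks = [("Mon", time(12, 30), "backup"), ("Tue", time(4, 0), "backup"),
              ("Sun", time(15, 0), "volume_recovery"), ("Sun", time(15, 0), "file_recovery")]
    for day, at, task in checks:
        print(day, at, task, effective_limit(SCHEDULES, day, at, task))
```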

To configure a bandwidth usage limit:

1. Navigate to Dashboard and click the Healthy tile under SaaS Connections.
2. Click the Actions menu (⋮) next to the SaaS connection and select Bandwidth
Usage Options.
or
Under Sources, click into a source. In the Connections tab, click the Actions menu
(⋮) in the top-right corner of the page and select SaaS Connection > Bandwidth
Usage Options.
3. In the Bandwidth Usage Options dialog:
1. From the drop-down list, select Upload (for backup traffic) or Download (for
recovery traffic).
2. Select the Days of the week.
3. Set the Start Time and End Time.


4. Specify the bandwidth usage limit.

Tip: Click the plus (+) to add multiple schedules.

4. Click Save.

Configure SaaS Connector Alert Notifications


Cohesity DataProtect creates a Critical alert, SaaSConnectorStatusAlert, when a
SaaS Connector is down or is not reachable due to a network connection issue. A Critical
alert signifies that immediate action is required because DataProtect has detected a severe
problem that might be imminent, or because major functionality is not working.
You can configure alert email notifications in DataProtect to receive the alerts you need.

Note: The alert, SaaSConnectorStatusAlert, is not displayed in the Alerts tab
on the Alerts Dashboard.

To configure email notification for SaaS Connector alerts:

1. Navigate to Alerts > Notification.


2. Select Create > New Alert Notification Rule.
3. In the Create Alert Notification Rule dialog, enter:
1. Notification Name. The name for the notification, for example, SaaS
Connection Failure.
2. Alert Source. The source of the Alert.
3. Alert Severity. Select Critical from the drop-down.
4. Alert Type. Select Maintenance from the drop-down.
5. Alert Category. Optional. Select one or more categories from the drop-down.
Otherwise, all alerts in any category trigger the notification.
6. Alert Name. Optional. Select one or more names from the drop-down.
Otherwise, any Alert name will trigger the notification.
7. In the Create Notifications via section, select Email.
1. Select To and type an email address or distribution list of the recipients
who need to receive the email notifications.
2. Select CC and type an email address or distribution list of the recipients
who need to be copied on the email notifications.
4. Click Create.


Access Management
On logging into Helios, the admin can add other users, define roles, specify cluster access,
and generate API keys to access Helios. To manage users, roles, and define their access, in
the Helios dashboard, navigate to Settings > Access Management.

Manage Users & Groups


To manage user access to your Cohesity DataProtect service, we recommend that you add
users and groups. Once you create them, your users can start using your Cohesity
DataProtect service with their own logins.

Add Users
To add a user:

1. Navigate to Settings > Access Management and click the Users tab.
2. Click Add User.
3. In the dialog, select Add User and enter:
• Username. The user's email address.
• Email Address. The user's email address again.
• First Name. The user's first name in Cohesity DataProtect.
• Last Name. Typically, the domain of your email address.
4. Click Save.

The new user receives a welcome email with a link to reset their password, and appears in
the list on the Users tab. From there, you can edit or delete the user, or prompt them to
reset their password.

Manage Users

To change a user's settings, click the Actions menu (⋮) next to the user and select:

• Edit. To update their Email Address, First Name, and/or Last Name.
• Delete. To delete the user from your Cohesity DataProtect service.
• Reset Password. To send the user an email with a link to reset their password.

Change Password

To change your Cohesity DataProtect password:


1. Navigate to Settings > Access Management and click the user to open the User
Details page.
2. Click Reset Password and follow the prompts.

Add SSO Users & Groups


If you have added Single Sign-on (SSO) to Cohesity DataProtect, you can add users and
groups from your SSO domain for additional user management.
To add SSO users and groups:

1. Click Add User on the Users tab.


2. In the dialog, select Add SSO Users & Groups and enter:
• SSO Domain. The domain you used to add SSO.
• SSO Users. The users in your SSO domain who need access to Cohesity
DataProtect.
• SSO Groups. The groups in your SSO domain that need access to Cohesity
DataProtect.
3. Click Save.

The new SSO users and groups you entered appear in the list on the Users tab. To group
them, click the Domain column to sort them by your SSO domain.
Click the Actions menu (⋮) next to the SSO user or group to Edit or Delete them.

Add a Single Sign-on Provider


You can now configure Helios to use an Identity Provider (IdP), such as Okta, for single
sign-on (SSO) access. First, add Cohesity Helios as an application in your IdP. Then
configure SSO in Helios with the SSO URL and certificate file from the IdP.
After the integration, users can sign in to Helios either from the IdP sign-in page or
with the SSO link on the Helios login page.
The following identity providers are supported:

Identity Provider                              Documentation Link

Active Directory Federation Services (AD FS)   Configure SSO with Active Directory Federation Services (AD FS)
Azure                                          Configure SSO with Azure
Duo Single Sign-on                             Integration with Duo for SSO
Ping Identity                                  Integration with Ping Identity for SSO
Okta Single Sign-on                            Configure SSO with Okta

Configure Helios for SSO via IdP


To configure Helios for SSO via IdP:

1. Navigate to Settings > Access Management and select the Single Sign-On tab.
2. Click Configure SSO.
3. Provide the following information:
• SSO Domain: Unique domain name that will differentiate this IdP from others.
As Helios supports multiple IdPs, this has to be a unique string (usually
company domain). For a user to be redirected to this IdP, the user will need to
log in via SSO using username@SSO_DOMAIN.
When a user logs in to Helios using SSO and enters the email address as
foo@bar.com, Helios looks for the IdP that has the SSO Domain configured as
bar.com and redirects this user foo to the matching IdP. This is how Helios
determines which IdP the user needs to be forwarded to.
• SSO Provider: From the drop-down, select the SSO provider name of your
choice, such as Okta. Select the I have read the SSO documentation
provided by <SSO provider name> check box.

Note: Cohesity recommends reading the SSO documentation before
proceeding to the next step.

• Single Sign-on URL: Paste the entire URL that you copied from your IdP. For
example:
https://mycompany.okta.com/app/cohesitymycompany_heliosapp/exkhhbyzrgu0YvJFk0h7/sso/saml
• Provider Issuer ID: Paste the issuer ID that you copied from your IdP. For
example:
http://okta.com/exkhhbyzrgu0YvJFk0h7
• X.509 Certificate: Click Select File and browse to the location to select the
file that you downloaded and renamed previously. For example, okta.pem.
• Default Roles for all SSO Users: Select a Helios role to use as the default
role for users signing on with SSO. Typically, you would select this option only
during the initial SSO configuration. You can change this option later.
• Access to All Clusters or Limited Clusters: Select whether the Okta users
have access to all clusters or limited clusters.
• Sign Auth Request: Optional. Enable this option if you want authorization
requests to be signed with the Helios public key. The Helios public key must be
uploaded to the IdP site.
Perform the following steps to obtain the Helios public certificate:
1. Log in to Helios.
2. Start a browser and enter
https://helios.cohesity.com/v2/mcm/sslCertificate in the
browser address bar.
3. Copy and paste the certificate into Notepad or a word processor.
4. In the copied certificate, replace \n with a new line.
Click to view a sample of the Helios public certificate


5. Save the file from Notepad or the word processor in .pem or .crt format.
6. The Helios public key must be uploaded to the IdP site.
4. Click Save.
Helios validates the connection to the IdP. If the connection succeeds, the SSO
provider is added to the provider list and you can edit, delete or deactivate the
provider. Users can start accessing Helios via their IdP home page or the Helios sign-
in page by clicking the Sign in with SSO link.
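The manual steps for the Helios public certificate (replace \n with a new line, save as .pem) are easy to get wrong when part of the text is lost in copying. The following is an added example, not Cohesity code, that does the replacement, rejects a truncated paste, and prints a SHA-256 fingerprint for comparison wherever your IdP displays one. It assumes the copied text holds a single certificate with literal \n sequences; the sample input is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_declared_length(der: bytes) -> int:
    """Total size that the outer DER SEQUENCE header says the object has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:            # short form: the length fits in one byte
        return 2 + first
    count = first & 0x7F        # long form: next `count` bytes hold the length
    if count == 0 or len(der) < 2 + count:
        raise ValueError("malformed DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def load_copied_certificate(copied: str):
    """Return (pem_text, der_bytes) from text that still contains literal \\n."""
    text = copied.strip().strip('"')
    text = text.replace("\\r", "").replace("\\n", "\n")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected one BEGIN/END CERTIFICATE block")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # A paste that lost its tail still decodes as base64; the DER header
    # exposes the mismatch between declared and actual size.
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n", der


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for the copied text: a 98-byte DER-shaped blob, NOT a
# real certificate, joined with literal backslash-n sequences.
SAMPLE_DER = bytes([0x30, 0x60]) + bytes(range(96))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
COPIED = '"' + BEGIN + "\\n" + SAMPLE_B64 + "\\n" + END + "\\n" + '"'

if __name__ == "__main__":
    pem, der = load_copied_certificate(COPIED)
    with open("helios.pem", "w", newline="\n") as handle:
        handle.write(pem)
    print(sha256_fingerprint(der))
```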

Considerations

• If you have logged into Helios using Okta credentials (or any other IdP), you will not
be able to directly access some of the portals in the Help Center such as Claim a
Cluster, Get Support, and Read the Docs as these portals require Cohesity Support
portal credentials to log in.
• If no default role is assigned to a user in the IdP entry, then such users will be
rejected. Users will need to have an explicit entry.
• If the SAML assertions are to be signed and encrypted, then the Helios certificate
must be used.
• SSO is currently not supported for Cohesity Helios - Premises Edition App.

Next > Add Cohesity DataProtect users and groups from your SSO domain.

Configure SSO with Active Directory Federation Services (AD FS)


This topic provides step-by-step instructions on configuring and using Active Directory
Federation Services (AD FS) on Cohesity SSO.

Prerequisites

• Install AD FS on the server. For more information, see Deploy and configure AD FS.
• An Active Directory instance where all users have an email address attribute.
• A server running Microsoft Server 2016, 2012, or 2008.
• An SSL certificate to sign your AD FS login page and the Signing Certificate for that
certificate.
• An installed certificate for hosted SSL.

Add a Relying Party Trust (RPT)

Perform the following steps to add a Relying Party Trust (RPT) that uses the Cohesity SSO
authenticate URL via the SAML 2.0 WebSSO protocol.


1. Log in to the server and open AD FS.


2. Under AD FS, right-click Relying Party Trusts and select Add Relying Party
Trust.
The Add Relying Party Trust Wizard page is displayed.

3. Select Welcome and then select Claims aware and click Start.

4. Under Select Data Source, select Enter data about the relying party manually
and click Next.


5. Under Specify Display Name, in the Display name field, enter a display name and
click Next.

6. Under Configure Certificate, leave the default certificate settings and click Next.
7. Under Configure URL, do the following:
1. Select the Enable Support for the SAML 2.0 WebSSO protocol check box.
2. In the Relying party SAML 2.0 SSO service URL field, enter:
https://helios.cohesity.com/v2/mcm/idp/authenticate

8. Under Configure Identifiers, do the following:


1. In the Relying party trust identifier field, enter
https://helios.cohesity.com/v2/mcm/idp/authenticate
2. Click Add and then click Next.

9. Under Choose Access Control Policy, you can optionally configure multi-factor
authentication (MFA) and click Next. For more information, see Configure Additional
Authentication Methods for AD FS.


10. Under Ready to Add Trust, see an overview of the settings and click Next.
11. Under Finish, click Close.

Create Claim Rules

Cohesity looks for SAML attributes to identify users and assign roles.
Perform the following steps to pass SAML attributes:

1. Log in to the server and open AD FS.


2. Under AD FS, select Relying Party Trusts and select the RPT that you added.
3. On the right, click Edit Claim Issuance Policy.

4. Click Add Rule.


The Add Transform Claim Rule Wizard page is displayed.
5. Under Select Rule Template, do the following:
1. From the Claim rule template drop-down, select Send LDAP Attributes as
Claims.


2. Click Next.

6. Under Edit Rule, do the following:


1. In the Claim rule name field, enter a name.
2. From the Attribute store drop-down, select Active Directory.
3. In the Mapping of LDAP attributes to outgoing claim types table:
1. Under LDAP Attribute (Select or type to add more), from the drop-
down, select User-Principal-Name.
2. Under Outgoing Claim Type, from the drop-down, select E-Mail
Address.


3. Click OK.

7. Click Add Rule to create another rule.


8. From the Claim rule template drop-down, select Transform an Incoming
Claim.
9. Click Next.
10. Under Edit rule, do the following:
1. In the Claim rule name field, enter a name.
2. From the Incoming claim type drop-down, select E-Mail Address.
3. From the Outgoing claim type drop-down, select email.


4. Click OK.

11. Follow the steps above to pass group SAML attributes.


12. To extract the user group name and send it to Cohesity, you need to create a custom
rule in AD FS:
1. Click Add Rule to create the custom rule.
2. From the Claim rule template drop-down, select Send Claims Using a
Custom Rule.
3. Click Next.


4. Under Edit rule, do the following:


1. In the Claim rule name field, enter a name.
2. In the Custom rule field, create and enter a custom rule. For more
information, see Understanding Claim Rule Language in AD FS.
3. Click OK.


Note: This rule might be different for different AD FS
configurations. Make sure to edit the custom rule accordingly.
For more information, see When to Use a Custom Claim Rule.

Retrieve the SSO URL, Provider Issuer ID, and Certificate

You need to retrieve the Federation Service name and Federation Service Identifier, which
are required when adding AD FS as an SSO provider to Cohesity.
Perform the following steps to retrieve the Federation Service name and Federation Service
Identifier:

1. Log in to the server and open AD FS.


2. Right-click AD FS and select Edit Federation Service Properties.


3. Copy the Federation Service name and the Federation Service Identifier and
save them for later use. You will need these when you add AD FS to Cohesity in
Configure Helios for SSO via IdP.
4. To download the certificate, navigate to AD FS > Service > Certificates.
5. Under Token-signing, right-click the certificate and select View Certificate.

6. Click the Details tab and then click Copy to File.


The Certificate Export Wizard page is displayed.


7. Select Base-64 encoded X.509 (.CER), click Next, and follow the instructions to
download the certificate (.cer).
8. Convert the certificate file from the .cer to the .pem format.
To convert the file:
• On Mac/Linux, rename the file with the .pem filename extension.
• On Windows, run the following command:

openssl x509 -in mycert.crt -out mycert.pem -outform PEM

You need to add the SSO provider in Helios. For more information, see Configure Helios for
SSO via IdP.

Consideration

Helios does not support the Sign Auth Request option for signing SAML requests sent
to the AD FS server.

Configure SSO with Azure


This topic provides step-by-step instructions on creating an Azure Active Directory
application.
Perform the following steps to create an Azure AD SSO:


1. Log in to Azure portal.


2. Under Azure services, click Azure Active Directory. If Azure Active Directory is
not listed, click More Services and select Azure Active Directory.

3. On the left, click Enterprise applications.


4. Under All applications, click New Application.

5. On the Browse Azure AD Gallery page, click Create your own application.

6. In the What’s the name of your app, enter a display name for your application.
7. Select Integrate any other application you don’t find in the gallery (Non-
gallery) and click Create.


8. On the <app> Overview page, under General Settings, on the Set up single
sign on tile, click Get Started.


9. Under Select a single sign-on method, click the SAML tile.


10. Under Set up Single Sign-On with SAML, do the following:

1. In the Basic SAML Configuration section, click the edit icon and do the
following:
1. Under Identifier (Entity ID), click Add identifier.
For example,
https://helios.cohesity.com/v2/mcm/idp/authenticate

2. Under Reply URL (Assertion Consumer Service URL), click Add reply URL.
For example,
https://helios.cohesity.com/v2/mcm/idp/authenticate

3. Click Save.

Note: If you have multiple Cohesity clusters and you want to use
this Azure AD application for all of them, you can use the
additional cluster FQDNs to enter multiple Identifiers and
Reply URLs in this step.

2. In the Attributes & Claims section, click the edit icon and do the
following:
1. Click Add new claim.
The Manage claim page is displayed.
2. Name: Enter a name for the attribute.
3. Source: Select Attribute.
4. Namespace: Optional. Enter a namespace URI.
5. Source attribute: From the drop-down, select the source attribute.
6. Click Save.

3. If you plan to use user groups-based RBAC, you need to pass the “Groups”
SAML attribute to Cohesity. Perform the following steps:
1. Under User Attributes & Claims, click Add a group claim.
2. For Which groups associated with the user should be returned in
the claim?, select Groups assigned to the application.


Note: Groups must be directly assigned to the application. Azure
will not send, in the groups attribute, groups that are a subgroup of a group
which is assigned to the application.

3. From the Source attribute drop-down, select the source attribute.

4. Under Advanced options:


a. Select the Customize the name of the group claim check box.
b. Name: Enter a name as groups.
c. Namespace: Enter the namespace URI. This is optional.


d. Click Save.

Note: To use source attributes like sAMAccountName to pass the
user group name in the “Groups” SAML attribute, make sure that
Azure AD groups are synchronized from an on-premises Active
Directory using Azure AD Connect Sync 1.2.70.0 or above. For
more information, see Azure AD Connect: Upgrade from a
previous version to the latest.

If you don’t have an on-prem Active Directory synced with Azure AD, in
the Source attribute drop-down, select Group ID.
4. Depending on the value of the Source attribute you selected, you need to create
the corresponding users and groups. If you used:
1. sAMAccountName, you need to create groups with the SSO Group value
as the AD groups name.
2. Group ID, you need to create SSO groups using Azure AD’s Group ID.
To obtain the Azure AD’s Group ID:


a. Click the application name.


b. Under Manage, click Groups.

c. From the list of users, click a user.


d. The value in the Object Id field is the Azure AD’s Group ID.
11. Under Manage, click Users and then click New User to assign the users who should
be able to access Cohesity Helios using this Azure AD application.
12. Under Manage, click Groups and then click New Group to assign the groups who
should be able to access Helios using this Azure AD application.

Note: Nested groups are not supported and will not be passed under the
Groups SAML attributes.

Retrieve the SSO URL, Provider Issuer ID, and Certificate

You need to retrieve Azure AD information to configure SSO on Helios for the IdP (Azure
AD).
Perform the following steps to retrieve the SSO URL, Entity ID, and certificate from the
Azure AD application:

1. Log in to Azure portal.


2. Under Azure services, click Azure Active Directory. If Azure Active Directory is
not listed, click More Services and select Azure Active Directory.
3. On the left, click Enterprise applications.
4. Click the application name and under Manage, click Single sign-on.
5. Under Set up Single Sign-On with SAML, in the SAML Signing Certificate
section, click the edit icon.

6. On the SAML Signing Certificate, click the ellipsis (...) icon and select PEM
certificate download.


Note: Cohesity SSO accepts certificates only in the *.pem format.

7. Under Manage, click Single sign-on.

8. Under Set up Single Sign-On with SAML, in the Set up <application name>
section, do the following:
1. Copy the Login URL and save it for later use. You will use this URL to enter the
Cohesity Single-Sign-On URL when you Configure Helios for SSO via IdP to
Cohesity.


2. Copy the Azure AD Identifier URL and save it for later use. You will use this
URL to enter the Cohesity Provider Issuer ID when you Configure Helios for SSO
via IdP to Cohesity.

You need to add the SSO provider in Helios. For more information, see Configure Helios for
SSO via IdP.

Configure SSO with Okta


This topic provides step-by-step instructions on adding Helios as an application to Okta.
Perform the following steps to add Helios as an application to Okta:

1. Log in to Okta as an Okta administrator.


2. Navigate to Applications > Applications and click Create App Integration.
The Create a New Application Integration page is displayed.

3. For the Sign on method, select SAML 2.0 and click Next.
The Create SAML Integration page is displayed.
4. Click the General tab and for General Settings do the following:
1. App Name: Specify an app name of your choice to display in the Helios tile on
the SSO page.

2. App logo (optional): Click > Browse files and navigate to the location
of the logo and select the logo. Click Apply to upload the logo. Click to
delete the logo.


3. App Visibility: Leave the default settings for Do not display application
icon for users and Do not display application icon in the Okta Mobile
app.
4. Click Next.

5. Click the Configure SAML tab and for SAML Settings do the following:
1. Single sign on URL: Specify the application URL followed by
/idps/authenticate.
For example: https://<cluster_fqdn>/idps/authenticate.
For Helios, use https://helios.cohesity.com/v2/mcm/idp/authenticate.

Note: To find the FQDN and VIP address, log in to Cohesity Platform
and navigate to Settings > Cluster > Networking > VIPs.

The Use this for Recipient URL and Destination URL check box is selected
by default.
2. Audience URI (SP Entity ID): Specify the same URL as above.
3. Application username: Select your preference.


4. Under Attribute Statements, map the Email and/or Login SAML attributes to
the Okta user profile attributes. If the value is not available in the drop-down
list, type it as shown in the table. You can map either or both attributes.

SAML Attribute | Okta User Profile Attribute Value
Email | user.email
Login | user.login

5. Under Group Attribute Statements (Optional), map the groups attribute to
the Okta Filter attribute. (For example, select Starts with and enter
cohesity_ to pass any group name that starts with ‘cohesity_’ to Cohesity.)
If you want to use an existing group, use a regex to pass all groups.

6. Click Next.
7. Click Finish to add the application.
6. Click the Sign On tab and do the following:
1. Under SAML Setup, located at the right side, click View SAML setup
instructions.
The How to Configure SAML 2.0 for <application name> page is
displayed.

2. Copy the Identity Provider Single Sign On URL and save it for later use.
You will use this URL to enter the Cohesity Single Sign-On URL when you
Configure Helios for SSO via IdP to Cohesity.
A sample URL is shown below.
https://mycompany.okta.com/app/cohesitymycompany_heliosapp/exkhhbyzrgu0YvJFk0h7/sso/saml

3. Copy the Identity Provider Issuer and save it for later use. You will use this
URL to enter the Cohesity Provider Issuer ID when you Configure Helios for SSO
via IdP to Cohesity.
A sample URL is shown below.
http://okta.com/exkhhbyzrgu0YvJFk0h7

4. Click Download certificate to download the okta.cert file and note its
download location.


5. Convert the downloaded okta.cert file to okta.pem. You will upload this file to
Helios later.
7. Click the Assignments tab and do the following:
1. From the Assign drop-down, select Assign to People to assign users to your
Cohesity Okta application.
2. From the Assign drop-down, select Assign to Groups to assign groups to the
app.

You have now configured the Okta application for Cohesity. You need to add the SSO
provider in Helios. For more information, see Configure Helios for SSO via IdP.
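Before adding the provider in Helios, you can decode the SAMLResponse from a test login and compare it with the values set in the Azure and Okta procedures above: the Helios URL as Destination, Recipient and Audience, the issuer you copied, the Email or Login attribute, and a group claim named groups. This is an added example, not Cohesity code; the function names, the sample issuer and the sample users and groups are constructed, and it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Identifier / Reply URL / Audience URI value this page gives for Helios.
HELIOS_SP_URL = "https://helios.cohesity.com/v2/mcm/idp/authenticate"
# Constructed issuer; use the Provider Issuer ID you copied from your IdP.
SAMPLE_ISSUER = "https://idp.example.com/issuer"
# Name Azure AD gives the group claim when its name is not customized.
AZURE_DEFAULT_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed, unsigned sample response used only to exercise the checks.
SAMPLE_TEMPLATE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{acs}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{acs}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{groups_name}">
        <saml:AttributeValue>cohesity_admins</saml:AttributeValue>
        <saml:AttributeValue>cohesity_viewers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(acs=HELIOS_SP_URL, issuer=SAMPLE_ISSUER, groups_name="groups"):
    """Build the constructed sample with the given URL, issuer and claim name."""
    return SAMPLE_TEMPLATE.format(acs=acs, issuer=issuer, groups_name=groups_name)


def check_assertion(xml_text, expected_issuer, sp_url=HELIOS_SP_URL,
                    id_attrs=("Email", "Login"), groups_attr="groups"):
    """Return (attributes, problems) for one decoded SAML response.

    Parse only responses captured from your own test login; for XML from an
    untrusted source use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, ["no plaintext saml:Assertion element in the response"]
    problems = []

    # Issuer must equal the Provider Issuer ID entered in Helios.
    issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer is {issuer!r}, expected {expected_issuer!r}")

    # Destination, Recipient and Audience all come from the IdP-side URL fields.
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                          "saml:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient") if conf is not None else None
    for label, value in (("Destination", root.get("Destination")),
                         ("Recipient", recipient)):
        if value != sp_url:
            problems.append(f"{label} is {value!r}, expected {sp_url!r}")
    audiences = [(a.text or "").strip()
                 for a in assertion.findall(".//saml:Audience", NS)]
    if sp_url not in audiences:
        problems.append(f"Audience {audiences!r} does not include {sp_url!r}")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", NS)]
    if not any(name in attrs for name in id_attrs):
        problems.append(f"none of {id_attrs!r} is present as an attribute")
    if groups_attr not in attrs:
        # Report a claim that arrives under a namespaced or re-cased name
        # rather than accepting it: the page says to name it exactly 'groups'.
        near = [n for n in attrs
                if n.rstrip("/").rsplit("/", 1)[-1].lower() == groups_attr.lower()]
        if near:
            problems.append(f"group claim arrives as {near[0]!r}; "
                            f"customize its name to {groups_attr!r}")
        else:
            problems.append(f"no {groups_attr!r} attribute; group-based RBAC "
                            "will have nothing to match")
    return attrs, problems


if __name__ == "__main__":
    for title, xml in (("named 'groups'", sample_response()),
                       ("Azure default name",
                        sample_response(groups_name=AZURE_DEFAULT_GROUPS))):
        found, issues = check_assertion(xml, SAMPLE_ISSUER)
        print(title, "->", issues or "OK", sorted(found))
```
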

Add API Keys


You can add your Cohesity API keys to your Cohesity DataProtect service to:

• Authenticate an application or script for reporting and workflow automation via
Cohesity's REST API calls for Cohesity DataProtect.
• Use the Helios Mobile App to monitor your Cohesity DataProtect service.

To add your API key:

1. Navigate to Settings > Access Management and click the API Keys tab.
2. Click Add API Key.
3. Enter a Name for the API key.
4. Click Save to advance to the API Key Details page, where you can:
• View or Copy API Key Token. To use with the application or script you wish
to authenticate.
• Scan QR Code. Scan the QR code that is displayed with your Helios Mobile App
to monitor your Cohesity DataProtect service in the mobile app.

When you return to the API Keys tab, your new key appears in the list.


Note: The API keys you add are available only to you.

Click the Actions menu (⋮) next to the API key to Delete it.
Next > See sample API calls for register, protect, restore, and list!

Sample API Keys


Once you have added an API Key, you can start making API calls. For the detailed list of
APIs, see https://api.cohesity.com.


Policies
In Cohesity DataProtect, a policy is a reusable collection of settings that define how and
when the objects & files in a source are protected. You can create as many policies with
specific settings for different use cases as you need.
In a policy, you set the frequency (Backup every) and retention period (Keep on Helios)
for each protection run. You can also add a Periodic Full Backup, Quiet Times, and Log
Backup schedules — see More Options.

Create a Policy
To create a policy:

1. Navigate to Policies.
2. Click Create Policy.
3. Enter a Policy Name, choose a Backup every interval and a Keep for retention
period.
4. If you wish to add a DataLock, Periodic Full Backup, Quiet Times, or schedule
database Log Backups, click More Options.
5. Click Create.

More Options

Settings | Descriptions
DataLock | Typically used for compliance and regulatory purposes, DataLock is a protection policy option that can only be enabled by a user with the Data Security role. Use it when you need to prevent the deletion of backup snapshots for a specified duration. You can set the DataLock duration to the same period as your backup retention, or to a shorter period. Note: Only a user with the Data Security role can enable or disable DataLock on a policy, or delete or edit a DataLocked policy. Disabling a DataLock does not unlock any previously DataLocked snapshots.
Periodic Full Backup | After the first Protection Run, Cohesity DataProtect backs up only the data that changed with incremental backups. Use this option to add a full backup run at regular intervals.
Quiet Times | If there are times you need to protect your network from too much traffic, add a Quiet Time period to define the times when new Protection Runs do not start. (Note that those already running at the beginning of a Quiet Time will still complete the run.) By default, a Quiet Time period is set in your browser's time zone. Tip: To add more Quiet Time periods, click Quiet Times again.
Log Backup | If you are protecting databases, you can set a separate frequency and retention period for your log backups.

Next > Your policy is now available to choose when you protect a source.


Virtual Machines
Cohesity DataProtect unifies fragmented data protection solutions for virtualized
environments. With Cohesity DataProtect, organizations no longer need to deal with
complex and expensive protection solutions that result in multiple infrastructure silos and
copies of data.

VMware
Cohesity DataProtect provides a simple, fast, cost-effective backup, recovery, and data
management solution for VMware environments.

VMware Requirements
To register VMware VMs, ensure your vCenter or standalone ESXi host meets these
software versions and user privilege requirements.
Check your software versions and the user role privileges you'll need on vCenter or
standalone ESXi below.

Note: Ensure that TCP ports 22, 80, 111, 443, 445, 902, 2049, 3260, 5986, and
8080 are open for communication between your data sources and the service's
SaaS Connectors.

Check VMware Supported Software Matrix

Before you register your VMware sources, confirm that you have one of the supported
VMware environments listed in the table below.

vCenter, vSphere, ESXi | Virtual Machine Hardware versions
7.0 U3 | 9, 10, 11, 13, 14, 15, 17, 18, 19
7.0 U2 | 9, 10, 11, 13, 14, 15, 17, 18, 19
7.0 U1 | 9, 10, 11, 13, 14, 15, 17, 18
7.0 | 9, 10, 11, 13, 14, 15, 17
6.7 U3 | 9, 10, 11, 13, 14, 15
6.7 U2 | 9, 10, 11, 13, 14, 15
6.7 | 9, 10, 11, 13, 14
6.5 | 9, 10, 11, 13
6.0 | 9, 10, 11

Supported guest operating system versions are:

• AIX 6.1 TL8 and TL9, 7.1 TL3 SP0 or later, 7.2
• CentOS 5.10, 6.6+, 7.0 - 7.9, 8.0, 8.3
• Debian 9.6, 10, 11.x
• openSUSE 15.1
• Oracle Linux (OEL) 5.8 - 5.11, 6.x, 7.0 - 7.9, 8.0, 8.1, 8.2 - 8.4, 8.5
• Red Hat Enterprise Linux (RHEL) 6.6+, 7.0 - 7.9, 8.0 - 8.2
• Solaris 10, 11
• SUSE Linux Enterprise Server 11 SP4, 12 SP4, 12.3, 15.0, 15.3
• Ubuntu 14.x, 16.x, 18, 19.x, 20.x, 22.04
• Windows 7, 8, 10
• Windows 2008 R2
• Windows 2012, 2012 R2
• Windows 2016
• Windows Server 2016 Core
• Windows 2019
• Windows Server 2019 Core
• Windows 2022
• Windows Server 2022 Core

Add User Privileges for vCenter Sources

If the VMware source is vCenter, ensure that the user account has the role privileges listed
for each category below.


Category | Privileges | Notes
Cryptographic Operations* | Add Disk; Direct Access | * Required only for encrypted VMs
Datastore | Allocate space; Browse datastore; Low level file operations; Remove file; Move datastore; Configure datastore* | * Required only if Source Datastore throttling is enabled.
Folder | Create folder; Delete folder |
Global | Log event; Manage custom attributes; Set custom attribute; Licenses; Enable Methods; Disable Methods |
Host > Configuration | Maintenance; Query patch; Storage partition configuration |
Host > Local operations | N/A |
Host > Configuration Local operations | Reconfigure virtual machine; Storage partition configuration |
Network | Assign network |
Resource | Assign virtual machine to resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine |
Session | View and stop sessions |
vApp | Add virtual machine; Assign resource pool; Unregister |
Virtual Machine > Configuration | Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change Settings; Change Swapfile placement; Configure Raw device; Remove disk; Rename; Toggle disk change tracking |
Virtual Machine > Change Operations (For Runbook) | Change CPU count; Change Memory; Change Settings; Change resource; Modify device settings; Rename* | * Rename permission is required for a copy recovery.
Virtual Machine > Guest Operations | Guest operation modifications; Guest operation program execution; Guest operation queries |
Virtual Machine > Edit Inventory | Create new; Register; Remove; Unregister |
Virtual Machine > Interaction | Guest operating system management by VIX API; Power on; Power off |
Virtual Machine > Provisioning | Allow Disk Access; Allow read-only disk access; Allow virtual machine download; Customize (For Runbook) |
Virtual Machine > Snapshot Management | Create snapshot; Remove snapshot; Revert snapshot |
vSphere Tagging | Assign or unassign tag |
Profile-driven Storage | Profile-driven storage update; Profile-driven storage view |

Add User Privileges for Standalone ESXi Sources

If the VMware source is standalone ESXi, ensure that the user account has the role
privileges listed for each category below.


Category | Privileges | Notes
dvPort Group | Create; Modify |
dvSwitch | Create; Delete |
Datastore | AllocateSpace; Browse; Config*; Delete*; DeleteFile; FileManagement; Move*; Rename*; UpdateVirtualMachineFiles*; UpdateVirtualMachineMetadata* | * Required only if Source Datastore throttling is enabled
Folder | Create; Delete |
Global | DisableMethods; EnableMethods; Licenses; LogEvent; Manage custom attributes; Set custom attribute |
Host > Configuration | Storage |
Host > Local operations | Delete virtual machine |
Network | Assign |
Resource | AssignVMToPool; ColdMigrate; HotMigrate |
System | Anonymous; Read; View |
vApp | AssignResourcePool; AssignVM; Unregister |
Session | View and stop sessions |
Virtual machine > Configuration | AddExistingDisk; AddNewDisk; AddRemoveDevice; AdvancedConfig; CPUCount; ChangeTracking; DiskLease; EditDevice; HostUSBDevice; RawDevice; ReloadFromPath; RemoveDisk; Rename; ResetGuestInfo; Resource; Settings; SwapPlacement; UpgradeVirtualHardware |
Virtual machine > Guest Operations | Execute; Modify; Query |
Virtual machine > Interact | GuestControl; PowerOff; PowerOn |
Virtual machine > Inventory | Create; Delete; Register; Unregister |
Virtual machine > Provisioning | DiskRandomRead; GetVmFiles |
Virtual Machine > State | Create snapshot; Remove snapshot; Revert to snapshot |
Cryptographic Operations | Add Disk; Direct Access; Encrypt; Migrate |

Next > Register your VMware source to protect it!

Register VMware Sources


To start protecting your VMware VMs, you need to register your data sources.

Note: To connect with sources in your data center, you'll need to use a SaaS
Connection (or create one) to establish connectivity between the sources and the
Cohesity DataProtect service.

To register your VMware sources:

1. Confirm that you meet the VMware requirements for software version and user
account role privileges.
2. Navigate to Sources and click Register Source.
3. Select workload type Hypervisor.
4. In the form, choose Use Existing Connection and select one that is marked
Healthy, or click Create New Connection and follow the instructions in Create a
SaaS Connection.
5. Select the Hypervisor Source Type: vCenter or Standalone ESXi Host.
6. Enter the hypervisor's Hostname or IP Address.
7. Enter the Username and Password.
8. Click Save.

Next > You are now ready to protect your VMs.


Protect VMware VMs


Once you have registered vCenter Server or ESXi host as sources, you're ready to use
DataProtect to protect the VMs on those ESXi hosts.
To protect a VMware source:

1. Under Sources, find the VMware source name and click into it.
2. Use the filters and search box at the top to narrow your search.
3. Use the checkboxes to select the objects for protection. To protect the whole source,
click the checkbox above the column.
4. Click the Protect icon above the checkboxes.
5. In the New Protection dialog, select a Policy that matches the schedule and
retention period you need. If the existing policies do not meet your needs, you can
create a new policy with the settings you need.
6. If you wish to configure a specific Start Time, End Date, Alerts, and other
additional settings, click Additional Settings.
7. Click Protect.

Cohesity DataProtect starts backing up the VMs you selected. You can monitor the status of
the backup on the Activity page.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Also, the Activity tab of a specific VM instance shows the history of all protection runs,
including the one in progress.

Additional Settings

Advance Settings | Description
Start Time | Available only if the selected policy is set to Backup Daily. Indicates what time the protection run should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time zone. You can change the time zone of the protection run by selecting a different time zone here.
End Date | If you need to end protection on a specific date, enable this to select the date.
Exclusions | Enable Exclude Disks to select the disks to exclude for all VMs in this object's protection. Enter the Controller Type, Controller Bus Number, and Unit Number for each disk to exclude. Excluded disks are not backed up and are not recovered during VM recovery.
App Consistent Backups | Enable App Consistent backups if you want the guest operating systems of all the protected VMs to be quiesced before snapshots of these VMs are created. Quiescing of VMs prior to capturing snapshots ensures the integrity of the data saved in the snapshots. With the App Consistent backups enabled, the following options are available: • Take a Crash Consistent backup if unable to perform an App Consistent backup. Enable this option if you want Cohesity DataProtect to capture a crash-consistent snapshot if Cohesity DataProtect fails to capture an app-consistent snapshot. If this option is disabled and Cohesity DataProtect is unable to perform an app-consistent backup of a VM, a snapshot is not captured. • Backup application data and truncate their log files. Enable this option if you want to back up applications (MS SQL, Exchange Server) that are running on the Hyper-V server and truncate the logs of applications. Note: This option is applicable only for VSS copy backup.
SLA | The service-level agreement (SLA) defines how long the administrator expects a protection run to take. Enter: • Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take. • Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take.
Cancel Runs at Quiet Time Start | (Available only if the selected policy has at least one Quiet Time.) When enabled, all the protection runs that are currently executing will cancel when the Quiet Time period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues to execute even when a Quiet Time period starts. However, new protection runs will not start during a Quiet Time.

Next > When the first protection run completes, you will be ready to recover the protected
VMs and files when and if you need to.

Recover VMware VMs & Files


After you protect your VMware sources, you can recover VMs and files from your backups,
to their original or a new location.


To recover VMware VMs or files:

1. Go to Sources to set up your recovery task.


2. Click into the Source name.
3. Above the tree, select Protection Status > Protected.
4. Use the filters, search box, and views to locate the objects or files you need.
5. To recover:
◦ VMs, continue with the Recover Objects & Volumes procedure in Recover
Protected Objects & Files.
◦ Files and folders, continue with the Recover Files & Folders procedure in
Recover Protected Objects & Files.
6. Select your Recovery Options and click Start Recovery.

Note: If you are recovering a VM to the original location and enable
Overwrite Existing VM, you can choose to take advantage of Attempt
Differential Recovery to shorten your recovery time, after considering
the implications below.

Cohesity DataProtect begins to restore the selected VMs or files to the selected location.


Accelerate VM Recoveries with Differential Restore

In Cohesity DataProtect delivered as a Service, you can recover the VM by overwriting only
the difference between the original VM and the snapshot selected for recovery. This option
is available only if you have selected to recover to the original location and enabled
Overwrite Existing VM in the VM recovery options in your recovery task.
Differential recovery substantially reduces the amount of data transfer in a recovery
process. In the task activity log (under Activity), you can view the amount of data transfer
saved by selecting differential recovery.
However, there are several important implications to consider before choosing to Attempt
Differential Recovery:

• Any newly added data in the original VM is deleted.
• The recovered VM will have the existing VM name.
• You can choose this option if there are no hardware configuration changes involved in
the original VM.
• If you want to reclaim free space for thin-provisioned disks, then Cohesity
recommends not to attempt differential recovery and only perform Overwrite
Existing VM recovery.
• If the original VM is not present or if the attempt at differential recovery fails, then
Cohesity DataProtect will perform an Overwrite Existing VM recovery.
• In the original VM, if there are any newly added disks or any disks that were excluded
during backup, then the recovered VM will not have these newly added disks, nor any
disks excluded during backup.
• All the snapshots present on the original VM are consolidated and removed as part of
differential recovery.

Hyper-V
Cohesity DataProtect provides a simple, fast, cost-effective backup, recovery, and data
management solution for Hyper-V environments.

Hyper-V Requirements
To register your Hyper-V sources, ensure you meet the requirements and install the
Cohesity Agents on your SCVMM server and Hyper-V hosts.
Before you register your Hyper-V sources, confirm that you meet the software version,
firewall, and permissions requirements below, install the Cohesity Agent on your SCVMM
server, and then install it on your Hyper-V hosts.
Also, be sure to review the best practice recommended below.


Software Version Requirements

Cohesity DataProtect delivered as a Service supports Hyper-V VM protection for:

• Hyper-V Standalone (versions 2016 and 2019)
• SCVMM (versions 2016 and 2019)
• Cluster (versions 2016 and 2019)

Note: The Cohesity DataProtect service does not support backing up Hyper-V VMs
with shared disks.

The DataProtect service supports these installation modes for Microsoft Hyper-V:

• Desktop Installation (Windows Server 2016 and Windows Server 2019)
• Server Core Installation (Windows Server 2016 and Windows Server 2019)

Supported guest operating system versions are:

• CentOS 5.x, 6.x, 7.x, 8.x
• Debian 7.0-7.11, 8.0-8.11, 9.0-9.12, 10.0-10.3
• Oracle Linux (OEL) 6.x, 7.x, 8.x
• Red Hat Enterprise Linux (RHEL) 5.x, 6.x, 7.x, 8.x
• SUSE Linux Enterprise Server SP2-SP5, 11 SP3, 12 SP1, 15, 15 SP1-SP2
• Ubuntu 14.04, 16.04, 18.04, 20.04
• Windows 7, 8.1, 10
• FreeBSD 8.4, 9.1-9.3, 10.0-10.3, 11.0, 11.1-11.3, 12-12.1

Firewall Ports

Ensure that TCP ports 445, 5986, and 50051 are open for communication between your data
sources and the service's SaaS Connectors.

Minimum Permissions

To be able to register your Hyper-V SCVMM (System Center Virtual Machine Manager)
server and Hyper-V hosts as sources, you need to first install the Cohesity Agent on that
source. To install the Cohesity Agent, you can use either the LOCAL SYSTEM account or a
domain user with administrative privileges on the SCVMM application.
For Hyper-V standalone clusters, add:


1. All hosts' machine accounts:
◦ Start the Failover Cluster Manager.
◦ From the clusters list, right-click the standalone cluster and select Properties
> Cluster Permissions > Add > Object Types > Check Computers > OK.
◦ Type <hostname>$ in “Enter the object names to select” and select
Check Names > OK > Allow “Read” > OK.
2. Add all machine accounts to the Administrators group of each host in the standalone
cluster.

Download and Install the Cohesity Agent on Your SCVMM Server

Before you can register your SCVMM, you need to install the Cohesity Agent on the SCVMM
server, or on an existing proxy endpoint that is connected to the SCVMM server.
To install the Cohesity Agent on your SCVMM server:

1. Select Data Protection > Sources.


2. Click Download Cohesity Agent. Ensure the Agent has been downloaded to the
appropriate SCVMM server.
3. As an administrator with local system privileges, run the executable and complete the
installation wizard. Install the Agent without additional components.

The Agent starts automatically. Next, you'll need to install the Agent on the Hyper-V hosts
that you plan to protect.

Download and Install the Cohesity Agent on Your Hyper-V Hosts

Now install the Cohesity Agent on the Hyper-V hosts that you want to protect.
To install the Cohesity Agent on your Hyper-V hosts:

1. Select Data Protection > Sources.


2. Click Download Cohesity Agent. Ensure the Agent has been downloaded to the
appropriate Hyper-V hosts.
3. As an administrator with local system privileges, run the executable and complete the
installation wizard on each host. Install the Agent without additional components.

The Agent starts automatically.

Note: The minimum recommended specification for Guest Windows VMs is: 2 GB
RAM and the equivalent of a 1 GHz processor.

Best Practice

For Hyper-V 2016 and 2019, configure all VMs' Automatic Stop Action to shut down or
turn off, instead of save. This results in all powered-on VMs having minimal size .vmrs
files. VMs in the saved state, by contrast, generally have .vmrs files greater than 10 MB.

Though Cohesity supports the backup of .vmrs files greater than 10 MB, we recommend
that you back up .vmrs files with minimal size.
Next > Register your SCVMM server and Hyper-V hosts!

Register Hyper-V Sources


To start protecting your Hyper-V VMs, you need to register your SCVMM server and Hyper-V
hosts as Cohesity DataProtect sources.

Note: To connect with Hyper-V sources in your data center, you'll need to use a
SaaS Connection (or create one) to establish connectivity between the sources
and the Cohesity DataProtect service.

To register your Hyper-V sources:

1. Confirm that you meet the Hyper-V requirements for software version and user
account role privileges.
2. Navigate to Sources and select Register Source > Hypervisor.
3. In the form, choose Use Existing Connection and select one that is marked
Healthy, or click Create New Connection and follow the instructions in Create a
SaaS Connection.
4. Select the Hypervisor Source Type:
   ◦ HyperV: SCVMM Server
   ◦ HyperV: Standalone Host
   ◦ HyperV: Failover Cluster
5. Enter the hypervisor's Hostname or IP Address.
6. Enter the Username and Password.
7. Click Save.

Note:
If you are planning to edit the registered source (Actions menu (⋮) > Edit) for
moving the SCVMM proxy agent endpoint to a different proxy or to the SCVMM
cluster, or for moving from the SCVMM cluster to a proxy, then you must also:

1. Copy the old agent registry values from the Cohesity folder and subfolders.
2. When moving to:
   ◦ A proxy, paste the registry values to the new endpoint.
   ◦ SCVMM, paste the registry values to the active SCVMM node. (RDP'ing
     into the SCVMM cluster redirects to the active master node.)

Best Practices

• We recommend allocating at least 4 CPUs and 10 GB RAM for your Hyper-V SaaS
  Connector.
• Deploy your Hyper-V SaaS Connector VMs onto failover clusters in a highly available
  manner.
• Ensure your Hyper-V SaaS Connector VMs do not contain stateful data that would
  require backup and restore upon recovery. In case of disaster, simply deploying a
  new Hyper-V SaaS Connector VM is enough. It is unnecessary to back up SaaS
  Connectors, and doing so can degrade performance.
• Create copies of the golden VHD for multiple SaaS Connectors. Do not create
  differencing disks on top of a SaaS Connector.
• You need only a single networking switch; additional networking switches will not be
  consumed.
• Cohesity DataProtect supports both Hyper-V Generation 1 and 2. Select the one that
  best meets your internal best practices.
• You can convert from VHD to VHDX if you prefer. This, again, depends on your
  organization's internal best practices.

Next > You're ready to protect your Hyper-V VMs.

Protect Hyper-V VMs


Once you have registered your SCVMM server and Hyper-V hosts as sources, you're ready
to use Cohesity DataProtect to protect the VMs on those Hyper-V hosts.
To protect your Hyper-V VMs:

1. Under Sources, find the Hyper-V source name and click into it.
2. Use the filters and search box at the top to narrow your search.
3. Use the checkboxes to select the objects for protection. To protect the whole source,
click the checkbox above the column.

Note:
When you check a parent object, you can choose:

   ◦ Select All Child Objects, to capture the tree as it currently exists, or
   ◦ Auto Protect, to capture the tree and any future additions.

4. Click the Protect icon above the checkboxes.


5. In the New Protection dialog, select a Policy that matches the schedule and
retention period you need. If the existing policies do not meet your needs, you can
create a new policy with the settings you need.
6. If you wish to configure a specific Start Time, End Date, Alerts, and other
additional settings, click Additional Settings.
7. Click Protect.

Cohesity DataProtect starts backing up the Hyper-V VMs you selected. You can monitor the
status of the backup on the Activity page.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Also, the Activity tab of a specific Hyper-V VM instance shows the history of all protection
runs, including the one in progress.

Additional Settings

Advanced Settings: Description

Start Time: Available only if the selected policy is set to Backup Daily. Indicates what
time the protection run should start. Enter the Start Time and select AM or PM. The
default time zone is the browser's time zone. You can change the time zone of the
protection run by selecting a different time zone here.

End Date: If you need to end protection on a specific date, enable this to select the date.

Exclusions: Enable Exclude Disks to select the disks to exclude for all VMs in this
object's protection. Enter the Controller Type, Controller Bus Number, and Unit Number
for each disk to exclude. Excluded disks are not backed up and are not recovered during
VM recovery.

App Consistent Backups: Enable App Consistent backups if you want the guest operating
systems of all the protected VMs to be quiesced before snapshots of these VMs are
created. Quiescing of VMs prior to capturing snapshots ensures the integrity of the data
saved in the snapshots.

With the App Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform an App Consistent backup.
  Enable this option if you want Cohesity DataProtect to capture a crash-consistent
  snapshot if Cohesity DataProtect fails to capture an app-consistent snapshot. If this
  option is disabled and Cohesity DataProtect is unable to perform an app-consistent
  backup of a VM, a snapshot is not captured.
• Backup application data and truncate their log files. Enable this option if you want to
  back up applications (MS SQL, Exchange Server) that are running on the Hyper-V
  server and truncate the logs of applications.

  Note: This option is applicable only for VSS copy backup.

Priority: Select a priority for the protection task execution. Cohesity DataProtect
supports concurrent backups, but if the number of tasks exceeds the ability to process
them, they are executed in this priority order:

1. High-priority tasks
2. Medium-priority tasks
3. Low-priority tasks

Alerts: Click to enable one or more of these alert types to trigger alerts for the
following events and click Add to enter email addresses.

• SLA Violation. Creates warning alert when a protection run exceeds the configured SLA.
  Sends email.
• Failure. Creates critical alert when object protection fails to complete. Sends email.
• Success. Creates information alert when object protection completes. Does not send
  email.

SLA: The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the
  blocks in an object, to take.
• Incremental. The number of minutes you expect an incremental protection run, which
  captures only the changed blocks in an object, to take.

Pause Future Runs: Enable Pause Future Runs to suspend future protection runs for the
object until you turn this off again. While this is enabled, no protection runs are
scheduled.

Skip Files on Errors: (On by default) A protection run continues even if it encounters
errors on files, such as permissions errors. If files are skipped, the protection run
details page indicates a Warning status and provides additional information. If toggled
off, the protection run stops when it encounters an error.

Exclusions and Inclusions: By default, all files and folders are included for protection.
Use this option if you want to exclude or include specific locations. By creating
exclusion and inclusion rules, you can limit the protection to a specific set of files and
directories and therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start: (Available only if the selected policy has at least one
Quiet Time.) When enabled, all the protection runs that are currently executing will
cancel when the Quiet Time period starts. By default, this setting is disabled, meaning
that after a protection run starts, it continues to execute even when a Quiet Time period
starts. However, new protection runs will not start during a Quiet Time.

Snapshot Prefix: (Available only for NetApp data protection volumes) Select one of the
following options to back up the snapshots from the data protection (DP) volume to
Cohesity DataProtect:

• None. (Default) Enable this option if you want the Cohesity DataProtect service to take
  the full backup from the oldest snapshot available on the DP volume and incremental
  backup from the latest snapshots available on the DP volume.
• Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to
  take the full and incremental backup from the snapshots that match the prefix name
  you specify:
   ◦ Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the
     DP volume from which Cohesity DataProtect can take incremental backups.
   ◦ Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume
     from which Cohesity DataProtect can take the first full backup.

Next > When the first protection run completes, you will be ready to recover files from
your protected Hyper-V VMs if and when you need to.

Recover Hyper-V VMs & Files


Once you have protected your Hyper-V VMs, you can recover Hyper-V VMs or files, to their
original or a new location.

Prerequisite

Before recovering files to a target VM, install the Cohesity Windows or Linux Agent on
the target VM, depending on its guest OS.

Recover Hyper-V VMs

To recover Hyper-V VMs from your protected Hyper-V VMs:

1. Go to Sources to set up your recovery task.


2. Click into the Source name.
3. Above the tree, select Protection Status > Protected.
4. Use the filters, search box, and views to locate and select the Hyper-V source you
want to recover from.

Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Locate and select the Hyper-V VMs you need, and then click Recover at the top to
open the New Recovery form with the Latest snapshot (protection run).

Note: If you do not see the option to recover VMs from your Hyper-V
backups, please contact Cohesity Support to request it.

6. If you need to recover from an earlier snapshot, click the Edit icon to select a new
recovery point.
   ◦ For each VM under Selected, you can click the Edit icon to open the Recovery
     Point calendar. Click List to view the available recovery points by timestamp
     and click one.
   ◦ Click Select Recovery Point.
   ◦ Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.

   ◦ If you choose New Location, select a Registered Source, Resource Pool,
     Datastores, and the VM Folder.
8. Select your Recovery Options (for object recovery).
9. Click Start Recovery.

Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.

Recover Hyper-V Files

To recover Hyper-V files from your protected Hyper-V VMs:

1. Go to Sources to set up your recovery task.


2. Click into the Source name.
3. Above the tree, select Protection Status > Protected.
4. Use the filters, search box, and views to locate and select the Hyper-V source you
want to recover from.

Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Locate the source object containing the files you want to recover and click the
Recover Files icon on that row.
By default, the latest snapshot is selected for recovery. To recover from a different
snapshot, click the snapshots drop-down in the top-right corner and select the
snapshot you need.

Note: Changing the snapshot after selecting the items (files or folder)
removes the selected items from the cart.

6. Browse to the file or folder that you want to recover by clicking folders and their
subfolders.
7. Select the files to recover and choose one of the following options:
   ◦ Next. If you select this option, then continue to the next step to configure the
     file recovery options.
   ◦ Download Files. If you are recovering a single file, this option downloads the
     file to your browser’s download folder. For all other selections, this creates a
     recovery task. When the task completes, from the Activity page, click the task
     name and then click Download Files to download the generated zip file.
8. Under Recover To, select Original Server or New Server. For:
   ◦ Original Server, by default, the files are recovered to the original path. If you
     want to recover to an alternate path, then toggle off Recover to Original
     Path and enter the path. The default alternate path is /tmp/Recover-<date_time>.
   ◦ New Server, select a Registered Source. You also have the option to
     register a new source. Select the target VM, username, and password. By
     default, the files are recovered to the /tmp directory, but you can provide a
     different directory if needed.
9. Select your file Recovery Options and click Recover.

Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.

Physical Servers
Cohesity DataProtect provides a simple, fast, and cost-effective backup, recovery, and data
management solution for Physical Servers.

Physical Server Requirements


To register your physical servers, ensure your servers meet the OS version & other
requirements, then download & install the Cohesity Agent.
Before you register your physical server sources, confirm that the server is on a supported
OS version and meets the disk and ports requirements below, then download & install the
Cohesity Agent on each server you want to protect.

Supported Deployments
The server deployments that are supported are:

• Windows Server 2016 Core, 2019 Core, 2022 Core
• Windows 10 Desktop Edition
• Windows 2008 R2 64-bit, 2012, 2012 R2 64-bit, 2016 64-bit, 2019 64-bit
• CentOS 6.0+ 64-bit, 7.0 - 7.9 64-bit, 8.0 64-bit, 8.3 64-bit
• Oracle Linux (OEL) 6.x 64-bit, 7.0 - 7.9 64-bit, 8.0 64-bit, 8.1 64-bit, 8.2 - 8.4 64-bit,
  8.5 64-bit
• Red Hat Enterprise Linux (RHEL) 6.7+ 64-bit, 7.0 - 7.9 64-bit, 8.0 - 8.5 64-bit
• SUSE Linux Enterprise Server (SLES) 11 SP4 64-bit, 12 SP4 64-bit, 12.3 64-bit, 15.0
  64-bit, 15.3 64-bit
• openSUSE 15.1 64-bit
• Ubuntu 14.x 64-bit, 16 64-bit, 18 64-bit, 20.x 64-bit, 22.04 64-bit
• Debian 9.6 64-bit, 10 64-bit, 11.x 64-bit

Disk Requirements
To install the Cohesity Agent, you'll need at least 56 MB of disk space on Windows systems
and 360 MB on Linux systems.

Ports Requirements
If the Windows firewall is active when you install the Cohesity Agent, you need to add a rule
in the firewall to open port 50051 for communication with Cohesity SaaS Connectors.

Download and Install the Cohesity Agent


Install the Cohesity Agent on each Windows and Linux physical server that you want to
protect.

Install the Cohesity Windows Agent

To download and install the Cohesity Windows Agent:

1. Navigate to Sources and select Register Source > Physical.


2. Click Download Cohesity Agent and download it to the appropriate server.
3. As an administrator with local system privileges on that server, run the executable
and complete the installation wizard.

If you have only Windows servers, you're ready to register them. If you have Linux servers
to protect, continue below.

Install the Cohesity Linux Agent

The Cohesity Linux Agent is available with different installer packages, providing support on
multiple Linux distributions. You’ll need to install the appropriate package (RPM, Debian, or
SUSE RPM) for your Linux distribution or install the script installer package.
The installer packages and Linux distributions on which the installer package is supported
are:

Installer Package    Linux Distribution
(Default) RPM        RHEL and its derivatives
Suse RPM             SUSE
Debian               Ubuntu
Script Installer     All supported Linux operating systems

The Cohesity Linux Agent has dependencies on the following packages, which must be
installed on the Linux server:

Command/Package  RHEL        SUSE        CentOS      Ubuntu      Debian
rsync            rsync       rsync       rsync       rsync       rsync
mount            util-linux  util-linux  util-linux  mount       mount
lvm2             lvm2        lvm2        lvm2        lvm2        lvm2
sudo             sudo        sudo        sudo        sudo        sudo
coreutils        coreutils   coreutils   coreutils   coreutils   coreutils
util-linux       util-linux  util-linux  util-linux  util-linux  util-linux
nfs client       nfs-utils   nfs client  nfs-utils   nfs-common  nfs-common
lsof             lsof        lsof        lsof        lsof        lsof
wget             wget        wget        wget        wget        wget
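
The following pre-install check is an added example, not part of the Cohesity guide or tooling. It looks up the dependency packages from the table above for the running distribution and confirms the 360 MB of free disk space from Disk Requirements. The function names, the use of /etc/os-release IDs, and the reading of the SUSE "nfs client" entry as the nfs-client package are assumptions.

```shell
#!/bin/sh
# Added example (not Cohesity code): pre-install check for the Linux Agent.
# Package names come from the dependency table above; the 360 MB figure is
# the guide's Linux disk requirement.

# agent_deps_for ID: print the dependency packages for an os-release ID.
agent_deps_for() {
    common="rsync lvm2 sudo coreutils util-linux lsof wget"
    case $1 in
        rhel|centos)   echo "$common nfs-utils" ;;
        # Assumption: the table's "nfs client" entry for SUSE means the
        # nfs-client package.
        sles)          echo "$common nfs-client" ;;
        # On Ubuntu and Debian the table lists "mount" as its own package.
        ubuntu|debian) echo "$common mount nfs-common" ;;
        *)             return 1 ;;
    esac
}

# pkg_installed ID PKG: exit 0 if PKG is installed (dpkg-query or rpm).
pkg_installed() {
    case $1 in
        ubuntu|debian)
            dpkg-query -W -f='${Status}' "$2" 2>/dev/null |
                grep -q 'install ok installed' ;;
        *)
            rpm -q "$2" >/dev/null 2>&1 ;;
    esac
}

# missing_agent_deps ID: print each dependency that is not installed.
# Returns 2 for a distribution that is not a column of the table.
missing_agent_deps() {
    deps=$(agent_deps_for "$1") || {
        echo "no dependency list for ID '$1'" >&2
        return 2
    }
    for pkg in $deps; do
        pkg_installed "$1" "$pkg" || echo "$pkg"
    done
    return 0
}

# free_mb DIR: free space, in MB, on the filesystem that holds DIR.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# preflight [DIR]: check packages and disk space; exit status 0 means ready.
preflight() {
    dir=${1:-/opt}          # /opt/cohesity is the package install directory
    [ -d "$dir" ] || dir=/
    id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    missing=$(missing_agent_deps "$id") || return 2
    rc=0
    if [ -n "$missing" ]; then
        echo "missing packages:" $missing
        rc=1
    fi
    mb=$(free_mb "$dir")
    if [ "${mb:-0}" -lt 360 ]; then
        echo "only ${mb:-0} MB free under $dir, 360 MB required"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ready to install the agent"
    return "$rc"
}

preflight || echo "preflight failed"
```

Run it as root on the server before installing the package. For the script installer, pass the intended installation directory to preflight instead of the default /opt.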

Install RPM, Debian, or SUSE RPM Installer Package

To install the RPM, Debian, or SUSE installer package:

1. Navigate to Sources and select Register Source > Physical.


2. Click Download Cohesity Agent. Based on your Linux distribution, from the
Download Agents window, select RPM, Debian, or SUSE RPM and download it to the
server you want to protect.
3. As the root user with local system privileges on that server, change the directory to
the location of the installer package.
4. Run the following command depending on the installer package:

Installer Package    Command
RPM                  rpm -i el-cohesity-agent-6.5.1-1.x86_64.rpm
                     or
                     yum localinstall ./el-cohesity-agent-6.5.1-1.x86_64.rpm
Debian               dpkg -i cohesity-agent_6.5.1-1_amd64.deb
Suse RPM             rpm -i cohesity-agent-6.5.1-1.x86_64.rpm
Note:
By default, the installation uses the root user permission for all the files, and
the service is started as root. Therefore, it is necessary to add non-root
users to the sudoers list by making the following changes in the /etc/sudoers
file:

<username> ALL=(ALL) NOPASSWD:ALL
Defaults:<username> !requiretty

5. To start the service as a non-root user, create a new user or use an existing user with
sudo permission and run the following command:

Installer Package    Command
RPM                  export COHESITYUSER=<username> ; rpm -i el-cohesity-agent-6.5.1-1.x86_64.rpm
Debian               COHESITYUSER=<username> dpkg -i cohesity-agent_6.5.1-1_amd64.deb
Suse RPM             export COHESITYUSER=<username> ; rpm -i cohesity-agent-6.5.1-1.x86_64.rpm

6. Provide the location details for:
   • Installation directory: /opt/cohesity
   • Log file: /var/log/cohesity

Install Script Installer Package

To install the script installer package:

1. Navigate to Sources and select Register Source > Physical Source.


2. Click Download Cohesity Agent. From the Download Agents window, select Script
Installer and download it to the server you want to protect.
3. As the root user with local system privileges on that server, change the directory to
the location of the installer package.

Note: For SLES 11 SP4, you are required to install the Agent as the root
user.

4. Make the installer executable. For example:

chmod +x cohesity_agent_6.5.1-master_linux_x64_installer

5. Run the executable:

sudo ./cohesity_agent_6.5.1-master_linux_x64_installer -- --install

6. Provide the location details for:
   • Installation directory: /home/<username>/cohesityagent or
     /root/cohesityagent
   • Log file: /home/cohesityagent/cohesityagent/logs

The Agent starts after installation completes, as follows:

• CentOS and RedHat (distributions with the "systemd" init system): The Agent starts
  automatically.
• Ubuntu (distributions with the "upstart" init system): The Agent starts automatically.

If a Linux server's /etc/sudoers file is managed by a deployment engine such as Chef,
Puppet, or others, this might affect Cohesity DataProtect’s interaction with servers
that have the Linux Agent installed. Take the corresponding actions depending on user
type:

Agent Installation by User Type: Action Required

As the default cohesityagent user: The Cohesity Linux Agent is installed using the
cohesityagent user by default.

For default installations, the cohesityagent user is created by the installer. During
installation, the installer updates the /etc/sudoers file to allow cohesityagent sudo and
no-tty sudo access.

Ensure the following settings in the /etc/sudoers file for the cohesityagent user are
preserved:

cohesityagent ALL=(ALL) NOPASSWD:ALL
Defaults:cohesityagent !requiretty

For example:

#includedir /etc/sudoers.d
dgoble ALL=(ALL) NOPASSWD:ALL
cohbackup ALL=(ALL) NOPASSWD:ALL
Defaults:cohbackup !requiretty

As a non-default user, for example, foo: Ensure the above settings in the /etc/sudoers
file for the foo user are preserved by replacing the occurrences of 'cohesityagent' with
'foo'.

As root user: No changes required.
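
The drift check below is an added example, not Cohesity code. It verifies that the two sudoers settings described above are still present as active lines after a Chef or Puppet run. The function names are hypothetical, the sample files are constructed, and the user name is assumed to contain no regular-expression metacharacters.

```shell
#!/bin/sh
# Added example (not Cohesity code): detect drift in the sudoers settings
# that the Linux Agent's service user needs, e.g. after a Chef or Puppet run.

# agent_sudoers_missing USER FILE...
# Prints each required setting that no FILE contains as an active
# (uncommented) line. Prints nothing when both settings are present.
agent_sudoers_missing() {
    [ "$#" -ge 2 ] || {
        echo "usage: agent_sudoers_missing USER FILE..." >&2
        return 2
    }
    user=$1
    shift
    sp='[[:space:]]'
    rule_re="^${sp}*${user}${sp}+ALL${sp}*=${sp}*\\(ALL\\)${sp}*NOPASSWD:${sp}*ALL${sp}*\$"
    tty_re="^${sp}*Defaults:${user}${sp}+!requiretty${sp}*\$"
    grep -Eq -e "$rule_re" -- "$@" 2>/dev/null ||
        echo "${user} ALL=(ALL) NOPASSWD:ALL"
    grep -Eq -e "$tty_re" -- "$@" 2>/dev/null ||
        echo "Defaults:${user} !requiretty"
    return 0
}

# agent_sudoers_ok USER FILE...
# Exit status 0 only if both settings are present.
agent_sudoers_ok() {
    out=$(agent_sudoers_missing "$@") && [ -z "$out" ]
}

# Demonstration on constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: the layout from the guide's example.
    cat > "$tmp/good" <<'EOF'
#includedir /etc/sudoers.d
dgoble ALL=(ALL) NOPASSWD:ALL
cohbackup ALL=(ALL) NOPASSWD:ALL
Defaults:cohbackup !requiretty
EOF
    # Constructed sample: a managed file in which the rule was commented
    # out and the requiretty override was dropped.
    cat > "$tmp/drifted" <<'EOF'
#includedir /etc/sudoers.d
# cohbackup ALL=(ALL) NOPASSWD:ALL
Defaults requiretty
EOF
    for f in good drifted; do
        if agent_sudoers_ok cohbackup "$tmp/$f"; then
            echo "$f: OK"
        else
            echo "$f: missing settings:"
            agent_sudoers_missing cohbackup "$tmp/$f" | sed 's/^/    /'
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real server, run it as root against /etc/sudoers and the files under /etc/sudoers.d, for example from the configuration-management run that rewrites them. Because the entry grants passwordless sudo for all commands, monitor the agent account as you would root.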

Upgrade the Agent on a Physical Server


When we release a new version of the Cohesity Agent, you will see an option to upgrade it
on the source details page.
To upgrade the Cohesity Agent running on your physical server source:

1. Navigate to Sources and click into the physical server source name.

2. In the Source Details page, click the More Options menu and then select
Upgrade Agent.

Note: The Upgrade Agent option is enabled only when a new version of the
Agent is available.

3. Select:
   • Upgrade Now to upgrade the Agent immediately, then click Confirm.
   • Schedule for Later. In the Schedule Agent Upgrade dialog, set the Date &
     Time for the upgrade and click Schedule for Later.

The agent upgrade executes on the physical server source you selected.

Considerations
• Currently, a source can be protected either as a physical server or as a SQL
  database, but not both.
• Volume-based physical backups are not supported.

Next > Now you can register your physical server sources to protect them!

Register Physical Server Sources


Before you can protect a physical server, you need to register it as a Cohesity DataProtect
source.

Note: To connect with sources in your data center, you'll need to use a SaaS
Connection (or create one) to establish connectivity between the sources and the
Cohesity DataProtect service.

To register a physical server, check that it meets the requirements for physical servers and
then add it as a source in DataProtect.
To add a physical server as a Cohesity DataProtect source:

1. Navigate to Sources and select Register Source > Physical.


2. In the form, choose Use Existing Connection and select one that is marked
Healthy, or click Create New Connection and follow the instructions in Create a
SaaS Connection.
3. Under Source Details, enter the physical server hostname (FQDN) or IP address of
the server you’re registering. We recommend that you use the FQDN.
4. Click Register.

Note: Don't run any other actions in your DataProtect service until source
registration completes.

Next > You're ready to protect your physical servers!

Protect Physical Servers


Once you have registered your physical server as a source, you're ready to use Cohesity
DataProtect to protect it.
To protect your physical server:

1. Under Sources, find the physical server source, click into the source name, check the
box on that row, and click the Protect (shield) icon. The source is automatically
added as a protection object.
2. Optionally, to configure symlink, mount point, and exclusion options, click the Edit
(pencil) icon on the right:
   • Follow symlink NAS target (Windows file-based backup only): Enable this
     option if you want to back up the symbolic link pointing to a NAS target.
   • Protect Nested Mount Points: Enable this option to back up the volumes that
     are mounted to a subfolder within the selected directory structure.
   • Exclusions: This option defines how you can add exclusion entries for
     individual files and folders. Click to exclude a particular path or a particular file
     within the specified host.
3. Choose a policy to specify backup frequency and retention. If you don't have a policy,
you can easily create one.
4. If you wish to configure a specific Start Time, End Date, Alerts, and other
additional settings, click More Options.
   • Cancel Runs at Quiet Time Start. Select this option to cancel in-progress
     protection runs at the start of a quiet time, as defined in the associated
     protection policy.
   • SLA. A service-level agreement (SLA) defines how long you expect a protection
     run to take. Enter:
      ◦ Full. The number of minutes you expect a full protection run, which
        captures all the blocks in an object, to take.
      ◦ Incremental. The number of minutes you expect an incremental
        protection run, which captures only the changed blocks in an object, to
        take.
   • Crash Consistent Backups. (Windows only) Enable this option to read files
     from the snapshots of volumes on which the files (that need backup) are
     residing before the protection run is executed.
   • Source-Side Deduplication. Use this option to enable source-side
     deduplication for all the servers that are part of the protection run.

     Note: Source-side deduplication is not supported on Windows 2008 R2 servers.

5. Click Protect.

Cohesity DataProtect starts backing up the physical servers you selected.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected servers when and if you need to.

Manage Existing Protection


Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.

3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu (⋮) next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Start, Stop, or Remove Protection

Click the Actions menu (⋮) next to the object. Cohesity DataProtect presents buttons for
the actions that are possible for those objects.

With the protected objects selected, you can click:

• Recover to recover the object or file.
• Unprotect to remove protection from the object.

  Tip: If a protected object is deleted from the source, you can search the
  object using Global Search and unprotect it.

• Run Now to start an on-demand protection run immediately.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Additional Settings

Advanced Settings: Description

Start Time: Available only if the selected policy is set to Backup Daily. Indicates what
time the protection run should start. Enter the Start Time and select AM or PM. The
default time zone is the browser's time zone. You can change the time zone of the
protection run by selecting a different time zone here.

End Date: If you need to end protection on a specific date, enable this to select the date.

Cancel Runs at Quiet Time Start: (Available only if the selected policy has at least one
Quiet Time) When enabled, all the protection runs that are currently executing will
cancel when the Quiet Time period starts. By default, this setting is disabled, meaning
that after a protection run starts, it continues to execute even when a Quiet Time period
starts. However, new protection runs will not start during a Quiet Time.

Crash Consistent Backups: Enable Crash Consistent backups if you want the guest
operating systems of all the protected VMs to be quiesced before snapshots of these VMs
are created. Quiescing of VMs prior to capturing snapshots ensures the integrity of the
data saved in the snapshots.

With the Crash Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform a Crash Consistent backup.
  Enable this option if you want Cohesity DataProtect to capture a crash-consistent
  snapshot if Cohesity DataProtect fails to capture a crash-consistent snapshot. If this
  option is disabled and Cohesity DataProtect is unable to perform a crash-consistent
  backup of a VM, a snapshot is not captured.
• Backup application data and truncate their log files. Enable this option if you want to
  back up applications (MS SQL, Exchange Server) that are running on the Hyper-V
  server and truncate the logs of applications.

  Note: This option is applicable only for VSS copy backup.

SLA: The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the
  blocks in an object, to take.
• Incremental. The number of minutes you expect an incremental protection run, which
  captures only the changed blocks in an object, to take.


Recover Physical Servers


After you protect your physical servers, you can recover them from Cohesity DataProtect to
their original or a new location.
To recover a protected physical server:

1. Go to Sources to set up your recovery task.
2. Click into the Source name.
3. Click the Recover icon.
4. Select the snapshot to recover and click Apply.
5. Browse the content of the backup and select files, folders, or volumes to be
   recovered, then click Next.
6. Optionally, click Download Files to download the contents of the recovery task after
   the task is completed.
7. Under Recover to, select Original Server or New Server. With:
   • Original Server, DataProtect will overwrite the original physical server
     instance. You can restore the data in the original path or provide an alternate
     path for the restore.
     To recover to a different location in the original server, disable the Recover to
     Original Path option, and then provide the location to which the files or folders
     are to be recovered in the Recover To field. By default, the files and folders
     will be recovered to the original location.

     Note: This is a destructive action that cannot be undone.

   • New Server, select a registered Source, the Target instance, and provide the
     recovery Path.
8. Under Recovery Options, you can set:
   • Overwrite Existing File/Folder. By default, this option is enabled to
     overwrite the existing files and folders. Disable this option to create the files
     and folders in the specified location. Any duplicate files are skipped.
   • Preserve File/Folder Attributes. By default, this option is enabled and the
     ACLs, permissions, and timestamps are preserved for all files and folders. If
     you disable this option, then ACLs and permissions are not preserved. If you
     recover both folders and files, the folders will receive the new timestamps, but
     the files retain their original timestamps. If you recover only files, then the files
     will receive the new timestamps.
   • Continue on Error. Enable this option if you want to continue the recovery
     even if one of the objects encounters an error. By default, this option is
     disabled and the recovery operation will fail if one of the objects encounters an
     error.
   • Task Name. Change the default name of the recovery task.
9. Click Recover.


NAS
Cohesity DataProtect provides a simple, fast, and cost-effective backup, recovery, and data
management solution for NAS environments.

Register Generic NAS Sources


Before you can protect a NAS device, you need to register it as a source in Cohesity
DataProtect. You can register any generic NAS, Dell EMC Isilon NAS, or NetApp ONTAP. For:

• Generic NAS, see the steps below.
• Isilon NAS, see Configure and Register Isilon NAS.
• NetApp ONTAP, see Configure and Register NetApp ONTAP.

Important: Ensure that the TCP/UDP ports 445, 8080, 111, and 2049 are open in
the firewall between your SaaS Connector and data source.

Register Generic NAS


You can connect a generic NAS source to Cohesity DataProtect as a mount point via the NFS
(v3, v4.1) or SMB (v1+, v2, v3) protocol.

Note: SMB v1 is not supported in DataProtect delivered as a Service.

To register your generic NAS source via NFS or SMB:

1. Navigate to Sources and click Register Source > NAS.
2. In the form, choose Use Existing Connection and select a SaaS Connection that is
   marked Healthy, or click Create New Connection and follow the instructions in
   Create a SaaS Connection.
3. Under NAS Source Type, select Generic NAS.
4. Under Mode, choose NFS or SMB.
5. Enter the Mount Path.
   • For NFS, enter the hostname or IP:/Volume.
   • For SMB, enter the \\hostname or IP\Share Path.
6. If you are confident the mount point is correct, you can enable Skip Mount Point
   validation during registration. (Optional.)
7. Add a Description to make it easier to recognize this source. (Optional.)
8. If you chose SMB above, enter the Username and Password required to access the
   SMB share.
9. Click Save.

Your NAS device is now a registered source in your Cohesity DataProtect service and ready
to be protected.

Note: If you plan to stop protecting a NAS source, you can remove it from your
Cohesity DataProtect service. Navigate to Sources, click the Actions menu
next to the NAS source and select Unregister. In the Unregister Source dialog,
click Unregister.

Next > You're ready to protect your NAS sources.

Configure and Register Isilon NAS


Check your Isilon requirements and minimum permissions, then register your Isilon NAS
sources with Cohesity DataProtect.
To add an Isilon cluster as a Cohesity DataProtect source:

1. Confirm that you have met the Isilon requirements.
2. Check the minimum Isilon user permissions.
3. Register your Isilon NAS source.

Note: To register other NAS types, see Register Generic NAS Sources or
Configure and Register NetApp ONTAP.

Isilon Requirements
• Ensure that the TCP/UDP ports 445, 8080, 111, and 2049 are open in the firewall
  between your SaaS Connector and data source.
• Isilon OneFS version 8.0.x, 8.1, or 8.2.x.
• NFS v3 for NFS export backups.

  Note: Cohesity DataProtect uses NFS v3 and SMB v2 or v3 for data
  protection; SMB v1 is not supported in DataProtect delivered as a Service.

• On Isilon NFS shares, enable the "Mount access to subdirectories" flag. Cohesity
  DataProtect requires this setting to mount the .snapshot directory of the shared
  path.
• SnapshotIQ license enabled on Isilon, with these settings:

Minimum Isilon User Permissions


Cohesity DataProtect accesses your Isilon cluster using an Isilon user account. The user
account must have the following permissions to back up and restore your Isilon data via
SMB or NFS.


| Access-level | Command | Description |
|---|---|---|
| ReadOnly | Platform API | For access to Isilon’s APIs. |
| ReadOnly | Auth | To verify users and passwords. |
| ReadOnly | Cluster | To obtain cluster identity and settings. |
| ReadOnly | Network | To obtain the network interfaces. |
| ReadOnly | SMB | To read the settings in the SMB server. |
| Read/Write | Job Engine | To read and write Changelist jobs. |
| Read/Write | Snapshot | To fetch, create, and delete snapshots for shares and exports. |
| Read/Write | NFS | To read and write settings to and from the NFS server. Note: This setting modifies the NFS export used to mount, such as /ifs. |

Register Isilon Cluster


To register your Isilon cluster:

1. Navigate to Sources and click Register Source.
2. Select the workload type NAS.
3. In the form, choose Use Existing Connection and select one that is marked
   Healthy, or click Create New Connection and follow the instructions in Create a
   SaaS Connection.
4. Under NAS Source Type, select Isilon (Cluster).
5. Enter the Isilon cluster's Hostname or IP Address.
6. Enter the Username and Password that you configured earlier, under Minimum
   Isilon User Permissions above.
7. If you are backing up SMB volumes or mixed-mode volumes, enable Back Up SMB
   Volumes and enter the local or Active Directory (AD) Username and Password
   required for at least read access to the Isilon SMB share.

   Note:
   • You can assign the local or AD user to the built-in "BackupAdmin" role
     to permit that user to read the SMB data for backup without modifying
     the access control lists (ACLs).
   • To provide access at the share level, grant the "Run as root" and "Full
     Control" permissions at the share level.
   • The user must have full control on the restore target during recovery.

8. To exclude IP addresses or subnets from the communications between Cohesity
   DataProtect and the Isilon cluster, enable Exclude IPs and enter those IPs.
9. Click Save.

Your Isilon cluster is now a registered source in your Cohesity DataProtect service and
ready to be protected.

Note: If you plan to stop protecting a NAS source, you can remove it from your
Cohesity DataProtect service. Navigate to Sources, click the Actions menu
next to the NAS source and select Unregister. In the Unregister Source dialog,
click Unregister.

Next > You're ready to protect your Isilon NAS sources.

Configure and Register NetApp ONTAP


Check your NetApp ONTAP requirements and minimum permissions, then register your
ONTAP sources with Cohesity DataProtect.
To add NetApp ONTAP as a Cohesity DataProtect source:

1. Confirm that you have met the NetApp ONTAP requirements below.
2. Check the supported NetApp ONTAP versions and volumes.
3. Check the minimum permissions.
4. Register your NetApp ONTAP source.

Note: To register other NAS types, see Register Generic NAS Sources or
Configure and Register Isilon NAS.


NetApp ONTAP Requirements


To register your NetApp ONTAP with Cohesity DataProtect, confirm you meet the following
prerequisites:

• SaaS Connection Requirements.
• Bidirectional TCP ports 111, 443, 445, 635, and 2049 are open in the firewall between
  your SaaS Connector and NetApp ONTAP. For details, see Ports Used for
  Communication below.
• The NetApp ONTAP SVM that you plan to protect has:
  • An active logical interface attached to the SVM.
  • The NFS and CIFS services configured on the SVM.
• The Make snapshot directory (.snapshot) visible option is enabled for all
  NetApp ONTAP volumes that you plan to protect.

Support Matrix
Before you register your NetApp ONTAP with Cohesity DataProtect, ensure that the Cohesity
DataProtect service supports the NetApp ONTAP versions and volumes you want to protect.

Supported NetApp ONTAP Versions

Cohesity DataProtect delivered as a Service supports data protection of NetApp ONTAP
versions 8.2, 8.3, 9.1, 9.2, 9.3, 9.5, 9.6, 9.7, 9.8, 9.9.1, and 9.10.x.

Supported NetApp ONTAP Volumes

The supported NetApp ONTAP versions and volume types for backup are:

| Volume Type | Volume Subtype |
|---|---|
| Flex Volume | Normal Flex Volume |
| Data Protection Volume | SnapMirror Destination Volume |
| Data Protection Volume | SnapVault Destination Volume |

Supported NFS and SMB versions

The supported NFS and SMB versions for backup are:

| Protocol | Version | Notes |
|---|---|---|
| NFS | NFSv3 | If NFSv4 volume backup is triggered, Cohesity DataProtect will take the backup in NFSv3 mode. |
| SMB | SMB v2.x and v3 | SMB v1 is not supported in DataProtect delivered as a Service. |

Minimum Permissions
Ensure the user account you use to register your NetApp ONTAP SVM or NetApp ONTAP
cluster has the required permissions to communicate with the Cohesity DataProtect service.

Minimum Permissions for NetApp ONTAP Cluster

Before registering a NetApp ONTAP cluster as the source type, ensure the user account has
the following command permissions:

| Access Level | Command | Description | Protocol |
|---|---|---|---|
| All | vserver export policy | Adds the Cohesity SaaS Connector IP to the export policy so that Cohesity DataProtect can mount volumes. | NFS |
| All | volume snapshot | Allows fetching, creating, and deleting snapshots for volumes. | SMB / NFS |
| ReadOnly | vserver cifs | Fetches information about CIFS/SMB shares for volumes. | SMB / NFS |
| ReadOnly | cluster identity | Fetches information about the cluster. | SMB / NFS |
| ReadOnly | network interface | Fetches information about network interfaces that the Cohesity DataProtect service connects to for mounting volumes. | SMB / NFS |
| ReadOnly | volume | Fetches information about volumes. | SMB / NFS |
| ReadOnly | vserver | Fetches information about SVM. | SMB / NFS |

Minimum Permissions for NetApp ONTAP SVM

When registering a NetApp ONTAP SVM as the source type, ensure the user account has the
following command permissions:

| Access Level | Command | Description | Protocol |
|---|---|---|---|
| All | vserver export policy | Adds the Cohesity SaaS Connector IP to the export policy so that Cohesity DataProtect can mount volumes. | SMB / NFS |
| All | volume snapshot | Allows fetching, creating, and deleting snapshots for volumes. | SMB / NFS |
| ReadOnly | vserver cifs | Fetches information about CIFS/SMB shares for volumes. | SMB |
| ReadOnly | network interface | Fetches information about network interfaces to which the Cohesity DataProtect service connects for mounting volumes. | SMB / NFS |
| ReadOnly | volume | Fetches information about volumes. | SMB / NFS |
| ReadOnly | vserver | Fetches information about SVM. | SMB / NFS |

Minimum Permissions for SMB/CIFS Shares Backup and Recovery

To back up NetApp ONTAP SMB/CIFS shares, the user must have local or domain user
credentials that allow at least read access to the SMB share.
To recover the SMB/CIFS shares, the local or domain user must have full access control on
the target where the data is being restored.

Minimum Permissions for NFS Export Backup and Recovery

For Backup. To back up an NFS export, the user must have read and superuser access
permissions on the NFS volume to be backed up and on the parent root volume. Before
starting the backup, Cohesity DataProtect verifies that the user has these permissions and if
not, Cohesity adds a new export rule for the Cohesity SaaS Connector IP with the required
permissions in the export policy attached to the backup volume.
If there is already an existing export rule for the Cohesity SaaS Connector IP with a lower
rule index value, then this existing export rule will override the export rule added by
Cohesity for the Cohesity SaaS Connector IP. In such scenarios, you must manually update
the existing export rule with the required permissions for the Cohesity SaaS Connector IP.
For the parent root volume, you must manually add the permissions for the Cohesity SaaS
Connector IP.
For Recovery. To recover an NFS export, the user needs read/write and superuser access
permissions on the NFS volume to be restored. Before starting the restore, you must add a
new rule index for the Cohesity node subnet in the export policy attached to the source
volume and parent root volume to give the necessary permissions to the Cohesity SaaS
Connector IP.
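
The rule-index behaviour described above can be checked offline before a backup or restore fails. The following is an added example, not Cohesity or NetApp code: it models an export policy as a list of rules, finds the rule that actually applies to the SaaS Connector IP (lowest matching index), and reports which required access is missing. The `ExportRule` fields, the boolean read/write/superuser model, and the sample addresses are assumptions made for illustration.

```python
"""Added example: which export rule does the SaaS Connector IP actually hit?

Simplified model (assumption): each rule grants read / write / superuser as
booleans, and clientmatch is a single IP or a CIDR subnet. Hostname and
netgroup matches and per-security-flavor values are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Access this page requires for the connector IP, per operation.
REQUIRED = {
    "backup": ("read", "superuser"),
    "recovery": ("read", "write", "superuser"),
}


@dataclass(frozen=True)
class ExportRule:
    index: int        # rule index; the lowest matching index wins
    clientmatch: str  # e.g. "10.20.0.0/16" or "10.20.30.40"
    read: bool
    write: bool
    superuser: bool

    def matches(self, client_ip):
        return ip_address(client_ip) in ip_network(self.clientmatch, strict=False)


def effective_rule(rules, client_ip):
    """Return the first rule, in index order, whose clientmatch covers the IP."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(client_ip):
            return rule
    return None


def missing_access(rule, operation):
    """List the required access types that the rule does not grant."""
    if rule is None:
        return sorted(REQUIRED[operation])
    return sorted(p for p in REQUIRED[operation] if not getattr(rule, p))


def audit_export_policy(rules, connector_ip, operation):
    """Report the effective rule, what it lacks, and rules it shadows."""
    rules = list(rules)
    winner = effective_rule(rules, connector_ip)
    missing = missing_access(winner, operation)
    shadowed = []
    if winner is not None and missing:
        # Higher-index rules that match and would have been sufficient,
        # but are never reached because the winner matches first.
        shadowed = [r.index for r in sorted(rules, key=lambda r: r.index)
                    if r.index > winner.index and r.matches(connector_ip)
                    and not missing_access(r, operation)]
    return {
        "effective_index": winner.index if winner else None,
        "missing": missing,
        "shadowed_sufficient_rules": shadowed,
        # Number of client addresses the effective rule covers: editing a
        # broad rule to add superuser grants it to every one of them.
        "clients_covered": (ip_network(winner.clientmatch, strict=False).num_addresses
                            if winner else 0),
    }


# Constructed sample data: a pre-existing subnet rule at index 1 and a
# connector-specific rule at index 5, as in the scenario described above.
CONNECTOR_IP = "10.20.30.40"
SAMPLE_RULES = [
    ExportRule(5, "10.20.30.40", read=True, write=False, superuser=True),
    ExportRule(1, "10.20.0.0/16", read=True, write=False, superuser=False),
]

if __name__ == "__main__":
    for op in ("backup", "recovery"):
        print(op, audit_export_policy(SAMPLE_RULES, CONNECTOR_IP, op))
```

In the sample, the index 1 subnet rule wins and lacks superuser access, so the index 5 rule is never reached. The `clients_covered` value shows how many addresses would also gain superuser access if the broad rule were edited to fix this.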


Credentials for NetApp ONTAP Backup with Multiple SVMs

To register NetApp ONTAP with multiple SVMs, create a custom role with the required
permissions and a local user at the SVM level. Assign the custom role to the local user. Use
the respective local user account to register multiple SVMs.

Ports Used for Communication


Ensure the following ports are open in the firewall (for your backup and recovery traffic)
between your SaaS Connector and NetApp ONTAP:

| Port | Source | Target | Direction | Network Protocol | Usage |
|---|---|---|---|---|---|
| 111 | NetApp | SaaS Connector | Bidirectional | TCP/UDP | Required for RPC connection |
| 443 | NetApp | SaaS Connector | Bidirectional | TCP/UDP | Required for HTTPS connection with NetApp |
| 445 | NetApp | SaaS Connector | Bidirectional | TCP | Required for SMB |
| 635 | NetApp | SaaS Connector | Bidirectional | TCP/UDP | Required for NFS |
| 2049 | NetApp | SaaS Connector | Bidirectional | TCP/UDP | Required for NFS |
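
A way to verify the firewall requirement before registering a source, as an added example that is not part of the Cohesity documentation: run it from a host on the same network segment as the SaaS Connector. It probes TCP only (UDP is not checked) and separates "refused" from "filtered", which usually tells a disabled service apart from a firewall drop. The function names and the placeholder hostname are assumptions.

```python
"""Added example: TCP pre-check of the NAS ports listed on this page."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Port lists copied from this page; usage text from the ONTAP ports table.
ONTAP_PORTS = {111: "RPC", 443: "HTTPS", 445: "SMB", 635: "NFS", 2049: "NFS"}
GENERIC_NAS_PORTS = (445, 8080, 111, 2049)  # generic NAS and Isilon


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error: ...'.

    'refused'  : the connection was actively reset, so packets reach the
                 target but nothing listens there (service likely disabled).
    'filtered' : no answer before the timeout, typical of a firewall drop.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # name resolution failure, no route to host, ...
        return "error: " + (exc.strerror or str(exc))


def check_ports(host, ports, timeout=3.0):
    """Probe all ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=len(ports) or 1) as pool:
        states = pool.map(lambda p: probe_tcp(host, p, timeout), ports)
        return dict(zip(ports, states))


def not_open(results):
    """Return only the ports that still need attention."""
    return {port: state for port, state in results.items() if state != "open"}


if __name__ == "__main__":
    # "nas.example.internal" is a placeholder; pass your own NAS hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "nas.example.internal"
    results = check_ports(target, ONTAP_PORTS)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {ONTAP_PORTS[port]:<6} {state}")
    sys.exit(1 if not_open(results) else 0)
```

For a generic NAS or Isilon source, pass `GENERIC_NAS_PORTS` to `check_ports` instead of `ONTAP_PORTS`.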

Considerations
Review and understand the following limitations before you protect your NetApp ONTAP
data with Cohesity DataProtect delivered as a Service:

• Instant Volume Mount for NetApp ONTAP stub file is not supported.
• You cannot restore the NetApp Data-Protect volume to the original location or to an
  alternate Data-Protect volume because the Data-Protect volume is a read-only
  volume.
• Cohesity does not support the backup of the following NetApp ONTAP volumes:
  • FlexGroup Volume.
  • Flex Volume subtypes SnapLock Enterprise Volume, SnapLock Compliance
    Volume, and Encrypted Volume Storage.


Register NetApp ONTAP


To register NetApp:

1. Navigate to Sources and click Register Source > NAS.
2. In the form, choose Use Existing Connection and select a SaaS Connection that is
   marked Healthy, or click Create New Connection and follow the instructions in
   Create a SaaS Connection.
3. Under NAS Source Type, select NetApp.
4. Choose between NetApp ONTAP cluster and SVM. Select:
   • Cluster to register a NetApp ONTAP cluster.
   • VServer/SVM to register a NetApp ONTAP SVM.
5. In the Cluster Hostname or IP field, enter the hostname or IP address of the
NetApp ONTAP cluster or SVM to register.
6. In the Username field, enter the username used to access the NetApp ONTAP cluster
or SVM. Specify a user that has adequate privileges to perform actions on the source.
See Minimum Permissions above for details.

Note: The username used to register the NetApp ONTAP cluster and SVM is
case sensitive.

7. In the Password field, enter the password for the specified user.
8. If you are backing up SMB volumes or mixed-mode volumes, enable Back Up SMB
Volumes and provide the local or Active Directory user credentials that allow at least
read access on the NetApp ONTAP cluster or SVM.
9. Enable Filter IPs and specify the IP addresses of the NetApp ONTAP source through
which the communication to the Cohesity DataProtect service must not happen. You
can enter the IP addresses in a comma-separated list or in a CIDR format.
10. Click Save.

Your NetApp ONTAP is now a registered source in your Cohesity DataProtect service and
ready to be protected.

Note: If you plan to stop protecting a NAS source, you can remove it from
Cohesity DataProtect. Navigate to Sources, click the Actions menu next to
the NAS source and select Unregister. In the Unregister Source dialog, click
Unregister.

Next > You're ready to protect your NetApp ONTAP NAS volumes and data.


Protect NAS Sources


Use Cohesity DataProtect to protect the NAS volumes, files, and folders in your data center.
You can protect any generic NAS source, a Dell EMC Isilon NAS cluster, or a NetApp ONTAP
cluster or SVM with Cohesity DataProtect — just note that the registration process is
different for each:

• Register Generic NAS
• Configure and Register Isilon NAS
• Configure and Register NetApp ONTAP

Once registered, your NAS source is ready for protection!

Important: Ensure that the TCP/UDP ports 445, 8080, 111, and 2049 are open in
the firewall between Cohesity DataProtect and your NAS device.

Protect NAS
1. Under Sources, find the NAS source name and click into it.
2. Use the filters and search box at the top to narrow your search.
3. Use the checkboxes to select the objects for protection. To protect the whole source,
click the checkbox above the column.

   Note: When you check a parent object, you can choose:

   ◦ Select All Child Objects. To capture the tree as it currently exists, or
   ◦ Auto Protect. To capture the tree and any future additions.

4. Click the Protect icon above the checkboxes.
5. In the New Protection dialog, select a Policy that matches the schedule and
retention period you need. If the existing policies do not meet your needs, you can
create a new policy with the settings you need.
6. If you wish to configure a specific Start Time, End Date, Alerts, and other
additional settings, click Additional Settings.
7. Click Protect.

Your selected NAS objects are backed up with the frequency and retention as defined in the
policy you have selected.


Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Additional Settings

| Advance Settings | Description |
|---|---|
| Start Time | Available only if the selected policy is set to Backup Daily. Indicates what time the protection run should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time zone. You can change the time zone of the protection run by selecting a different time zone here. |
| End Date | If you need to end protection on a specific date, enable this to select the date. |
| Skip Files on Errors | (On by default.) A protection run continues even if it encounters errors on files, such as permissions errors. If files are skipped, the protection run details page indicates a Warning status and provides additional information. If toggled off, the protection run stops when it encounters an error. |
| Exclusions and Inclusions | By default, all files and folders are included for protection. Use this option if you want to exclude or include specific locations. By creating exclusion and inclusion rules, you can limit the protection to a specific set of files and directories and therefore minimize the disk space used to store the data. |
| Cancel Runs at Quiet Time Start | (Available only if the selected policy has at least one Quiet Time.) When enabled, all the protection runs that are currently executing will cancel when the Quiet Time period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues to execute even when a Quiet Time period starts. However, new protection runs will not start during a Quiet Time. |
| SLA | The service-level agreement (SLA) defines how long the administrator expects a protection run to take. Enter: • Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take. • Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take. |

Next > When the first protection run completes, you will be ready to recover NAS volumes,
files, and folders when and if you need to.


Manage Existing Protection


Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu next to the object and select Edit Protection to open
   the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover to recover the object or file.
• Unprotect to remove protection from the object.

  Tip: If a protected object is deleted from the source, you can search for the
  object using Global Search and unprotect it.

• Run Now to start an on-demand protection run immediately.

Additional Settings

| Advance Settings | Description |
|---|---|
| End Date | If you need to end protection on a specific date, enable this to select the date. |
| Skip Files on Errors | (On by default.) A protection run continues even if it encounters errors on files, such as permissions errors. If files are skipped, the protection run details page indicates a Warning status and provides additional information. If toggled off, the protection run stops when it encounters an error. |
| Exclusions and Inclusions | By default, all files and folders are included for protection. Use this option if you want to exclude or include specific locations. By creating exclusion and inclusion rules, you can limit the protection to a specific set of files and directories and therefore minimize the disk space used to store the data. |
| Cancel Runs at Quiet Time Start | (Available only if the selected policy has at least one Quiet Time.) When enabled, all the protection runs that are currently executing will cancel when the Quiet Time period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues to execute even when a Quiet Time period starts. However, new protection runs will not start during a Quiet Time. |
| SLA | The service-level agreement (SLA) defines how long the administrator expects a protection run to take. Enter: • Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take. • Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take. |


Recover NAS Data


After you protect your NAS sources, you can recover the NAS volumes, files, and folders
from your backups, to their original or a new location.
To recover protected NAS data:

1. Go to Sources to set up your NAS recovery task.
2. Follow the steps below for Recover NAS Volumes or Recover NAS Files & Folders.

Set Up NAS Recovery


To recover protected NAS data:

1. Navigate to Sources.
2. Click into the Source name.
3. Above the tree, select Object Protection > Protected.
4. Use the filters, search box, and views to locate the volumes or files you need.
5. To recover:
   • NAS volumes, continue with Recover NAS Volumes below.
   • Files and folders, continue with Recover NAS Files & Folders below.

Tip: You can also use Global Search to locate, filter, and select the objects you
need. Click the Global Search box at the top or type slash (/) anywhere to start
your search.

Recover NAS Volumes


To recover NAS volumes, follow these steps (from Recover Objects & Volumes):

1. Locate and select the NAS volumes you need, and then click Recover at the top to
   open the New Recovery form with the Latest snapshot (protection run).
2. If you need to recover from an earlier snapshot, click the Edit icon to select a new
   recovery point.
   • For each object under Selected, you can click the Edit icon to open the
     Recovery Point calendar. Click List to view the available recovery points by
     timestamp and click one.
   • Click Select Recovery Point.
   • Click Next: Recover Options to return to the form.
3. Under Recover To, select Original Location or New Location.
   • For VMs: If you choose New Location, select a Registered Source,
     Resource Pool, Datastores, and the VM Folder.
   • For NAS volumes: If you choose New Location, select a Registered Source
     and the Volume.
4. Select your Recovery Options.
5. Click Start Recovery.

Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.

Recover NAS Files & Folders


To recover files and folders from protected NAS volumes, follow these steps (from Recover
Files & Folders):

1. Locate the source volume containing the files and click Recover Files on the row for
   that object to open the Select Files form.
2. If you need to recover from an earlier snapshot, click the Recovery Point calendar
   drop-down to select the recovery point.
   • Click List to view the available recovery points by timestamp and click one.
   • Click Apply.
3. Click into the path to find the files and add them to the Selected Items list.
4. Choose how to recover your files: download locally or recover.
   • Click Download Files to open the Activity page, showing your file recovery
     task. Click into the recovery task and click Download Files a second time to
     save them to your local system.
   • Click Save to open the New Recovery form. Under Recover To, select
     Original Location or New Location.
   • If you choose Original Location, enter a Username and Password that has
     access to the original server. You can also enable Recover to Alternate Path
     to enter a new path on the original server.
   • If you choose New Location, select a registered Source and a Target (VM) or
     Volume (NAS). Enter a Username and Password that has access to that
     server and enter a Recover To path.
5. Select your Recovery Options.
6. Click Start Recovery.


Cohesity DataProtect opens the Activity page, showing your file recovery task as it runs,
along with the recovery progress on the right.

Tip: The Activity page also shows the entire history of all protection runs and
recovery tasks, including any that are in progress.


Microsoft 365
Microsoft 365 is a subscription service that bundles the traditional office productivity
applications and delivers them as SaaS applications. Microsoft 365 includes Exchange
Online, OneDrive for Business, SharePoint Online, Teams, and other applications. Cohesity
DataProtect provides a simple, fast, and cost-effective data protection solution for the
following Microsoft 365 applications:

• Exchange Online Mailboxes
• OneDrive for Business
• SharePoint Online
• Microsoft Teams

Microsoft 365 Requirements


Before you register your Microsoft 365 sources with Cohesity DataProtect to protect your
M365 data, ensure you've met the following prerequisites:

1. In the Exchange admin center, add these roles to the M365 user account you will use
   to register your M365 sources with Cohesity DataProtect:
   • ApplicationImpersonation
   • View-Only Configuration
   • View-Only Recipients
   • MailboxSearch
   • MailRecipients
2. Update Microsoft Organization setting for Mailbox size reporting.
3. Register a custom Azure app. (For manual M365 source registration.)
4. Set additional permissions for SharePoint Online.

Finally, review the different considerations for each supported M365 application.

Considerations
While granular recovery is available for M365 Mailboxes, OneDrives, and SharePoint Online,
we do not currently support it for Teams. For Teams, backup and restore are supported only
at the object level, for now. The ability to restore specific content items from a Team will be
available soon.


Mailbox

• Cohesity supports backup of mails and mailbox folders only for Exchange Online.
Calendar and contacts backup will be supported soon.

OneDrive

• For the same user, you cannot back up Mailbox and OneDrive in parallel.
• From the recovery workflow, you cannot download an empty folder.

SharePoint Online

• For List backup, only the list schema is backed up with this release. The list items are
not part of the SharePoint Online backup.
• Document libraries enabled with the ForceCheckout option are not restored.
• Restore of sites with the out-of-the-box (OOTB) modern theme or composed look is
not supported.
• Backup and restore of site or subsite URLs with non-ANSI characters are not
supported.
• Restore of a site collection is not supported if the site URL has changed after the
backup.
• From the recovery workflow, you cannot download an empty folder.
• If folders such as Feeds, Sync Issues, Legacy Archive Journals, Outbound,
Managed Folders, Files, Yammer Root, Clutter, MeContact, and Archive are not
already present, they are skipped during restore.

Teams

• Channel conversations are not backed up.
• Restoring the following Teams data from the Teams backup is not supported:
    • Deleted Teams
    • Deleted channels (both public and private)
    • Team settings
    • Channel names and descriptions
    • System Document Libraries

Groups

• Granular recovery of Group messages and other contents is not supported.
• Restoring system document libraries is not supported. You can restore only the non-
system document libraries on a Group site.
• The entities protected for Groups include the SharePoint sites associated with the
Group.


Add Roles to the Microsoft 365 User Account


Cohesity DataProtect accesses your Microsoft 365 domain with a user account to back up
your Microsoft Exchange Online data. You can either add these roles to an existing user
account or create a new user account with these roles.

Important: Ensure that multi-factor authentication is not enabled for the user
account.

To add roles to the Microsoft 365 user account:

1. Log in to Microsoft 365.


2. On the Office 365 page, click Admin.
3. On the Microsoft 365 admin center page, select Admin centers and then click
Exchange.
Follow the steps for Classic Exchange admin center in Step 4 next, or skip to Step 5 if
you're in the new Exchange admin center page.

Tip: If you see a message prompting you to switch to New Exchange,
you're still in classic Exchange.

4. To add roles from the Classic Exchange admin center page:


1. Click Permissions and then select the Admin roles tab.
2. In the Admin roles tab, click + to create a new role group.
3. On the new role group page, enter a Name and Description, and under
Roles, click +.
4. In the Write scope drop-down, select Default and click Next.
5. In the Select a Role page, select the following roles, click Add, and then OK:
• ApplicationImpersonation
• Mail Recipients
• Mailbox Search
• View-Only Configuration
• View-Only Recipients


6. Under Members, click + to add the user account you plan to use to register the
Microsoft 365 domain with Cohesity DataProtect, then click OK.
7. Click Save to create the Role Group.


You're ready to update your M365 Org setting for Mailbox size reporting.
5. To add roles from the new Exchange admin center page:
1. Select Roles > Admin roles.
2. On the Admin roles page, click Add role group.
3. Under Basics, enter a Name and Description for the admin role.
4. In the Write scope drop-down, select Default and click Next.
5. Under Permissions, select the following and click Next:
• ApplicationImpersonation
• Mail Recipients
• Mailbox Search
• View-Only Configuration
• View-Only Recipients

6. Under Admins, search and select the user account you plan to use to register
the Microsoft 365 domain with Cohesity DataProtect, then click Next.


7. Under Review and finish, review the configuration and click Add role
group.
6. After the role group is added, click Done.

You're ready to update your M365 Org setting for Mailbox size reporting.

Update Microsoft Organization Setting for Mailbox Size Reporting


By default, Microsoft reports retrieved through the Graph API display de-identified names
for users, groups, and sites. However, for Mailbox size reporting to work in Cohesity, you
need to have identifiable information in the Email activity reports. To do that, you need to
disable de-identified names for users, groups, and sites in Microsoft 365 reports.
Update the following organization setting in your Microsoft 365 admin center:

1. Log in to your Microsoft 365 admin center as a Microsoft 365 tenant administrator.
2. Go to Settings > Org settings > Services > Reports.
3. In Reports, ensure the information is not de-identified by deselecting Display
concealed user, group, and site names in all reports.
4. Click Save.

To continue, if you are using:

• Cohesity's express registration for M365 sources, you are ready to add those sources
to Cohesity DataProtect.
• The manual registration for M365 sources, you must first register your custom Azure
app.

Note: For SharePoint Online data protection, ensure that you also set the required
add-in permissions and tenant permissions on the Azure application.

Register Custom Azure App


To get started, you'll register a custom Azure app below to add the necessary permissions.
Go to the Azure portal, register a new app, add the permissions, and capture the App ID and
Access Key. For more on registering and configuring Azure apps, see Register an
application with the Microsoft identity platform and Configure a client application to access
a web API in the Microsoft documentation.


Note: Make sure that you make note of the App ID and Access Key while
registering the app. You'll need them to register your Microsoft 365 domain as a
source in Cohesity DataProtect.

To register your custom app for Cohesity DataProtect:

1. Open Azure Active Directory


1. To manage Azure Active Directory using the Azure Portal:
1. Log in to the Azure portal with your Microsoft 365 administrator user
credentials.
2. Click the main menu (≡) in the top left corner and select Azure Active
Directory.
2. To manage Azure Active Directory using M365:
1. Log in to Microsoft 365.
2. On the Office 365 page, click Admin.
3. On the Microsoft 365 admin center page, select Admin centers and
then click Azure Active Directory.
4. Select Azure Active Directory.
2. Create a new custom app.
1. Under the Manage section, select App Registrations, then click New
Registration. In the Register an application page:
1. Enter a Name for your app.
2. Select the Supported account types that can access the app.
3. In the Redirect URI drop-down, select Web and enter
https://localhost.


4. Click Register.

3. After the custom app has been created, click Overview and copy the Application
(client) ID. You need to use Application (client) ID to register Microsoft 365 as a
source in Cohesity DataProtect.

4. Add API permissions to the custom app:


1. Add OAuth API permission if the M365 source tenant has OAuth enabled for
secure communication:
1. Under the Manage section, select App Registrations and click Add a
permission.
2. In the Request API permissions page, click the APIs my
organization uses tab.
a. In the search bar, enter Office 365 Exchange Online then click
the API. (Use the complete app name.)
b. In the Office 365 Exchange Online API, click Application
Permissions.
c. Under Other Permissions, select full_access_as_app to enable
OAuth and click Add Permissions.

App Permissions       Permission Type    Mailboxes

full_access_as_app    Application        Y


2. Add Graph API permissions:


1. Under the Manage section, select App Registrations, and then click
Add a permission.
2. In the Request API permissions page, select Microsoft Graph API.

3. Click Application Permissions and add the permissions listed below for
your Microsoft 365 application.

Columns: App Permissions, Permission Type, Mailboxes, OneDrive, SharePoint Online Sites, MS Teams

Channel.Create                 Application  N/A  N/A  N/A

Channel.ReadBasic.All          Application  N/A  N/A  N/A

ChannelMember.ReadWrite.All    Application  N/A  N/A  N/A

Directory.ReadWrite.All        Application

Files.ReadWrite.All            Application  N/A

Group.Create                   Application  N/A  N/A  N/A

Group.ReadWrite.All            Application  N/A

Reports.Read.All               Application

Sites.ReadWrite.All            Application

Sites.FullControl.All          Application  N/A  N/A

User.Read.All                  Application

User.ReadWrite.All             Application  N/A

4. Click Add permissions.


3. Add SharePoint permissions to the custom app:


1. Under the Manage section, select App Registrations and click Add a
permission.
2. In the Request API permissions page, select SharePoint. (If you
don't see it, scroll further down.)
a. Click Delegated Permissions and add the permissions listed
below, then click Add permissions.
b. Click Application Permissions and add the permissions listed
below, then click Add permissions.

Permission Type    Permissions Name

Delegated          AllSites.FullControl
                   AllSites.Manage
                   AllSites.Read
                   MyFiles.Read
                   MyFiles.Write
                   Sites.Search.All
                   TermStore.ReadWrite.All
                   User.ReadWrite.All

Application        Sites.FullControl.All
                   Sites.Manage.All
                   Sites.ReadWrite.All
                   TermStore.ReadWrite.All
                   User.ReadWrite.All

5. Grant admin consent for the API permissions.


1. Under Configured permissions, click Grant admin consent.
2. On the Grant admin consent confirmation, click Yes.


6. Create a new client secret that will be used to register Microsoft 365 as a source in
Cohesity DataProtect.
1. Under the Manage section, select Certificates & secrets.
1. In the Client secrets section, click New client secret. Enter a
Description.
2. In the Expires drop-down, select how long the secret key will be valid.


3. Click Add.

2. Under Client secrets, click the Copy button next to the string under VALUE.
You need the Value key of the client secret to register Microsoft 365 as a source
in Cohesity DataProtect.
3. Store the Value key in a secure location. After you exit this page, you will not
be able to see the Value key again. If you lose your value key, you will need to
create a new client secret.

When you finish, your custom Azure app should include the permissions as shown below.


Set Additional Permissions for SharePoint Online


For SharePoint Online data protection, ensure that you set the required add-in permissions
and tenant permissions below.
When you finish, your custom Azure app should include the permissions as shown below.

Add-In Permissions in SharePoint Online

Make sure that you assign the following add-in permissions to the custom app. For more
information, see Add-in permissions in SharePoint in the Microsoft documentation.


Scope URI                                            Required Rights

http://sharepoint/content/tenant                     FullControl

http://sharepoint/content/sitecollection             FullControl

http://sharepoint/content/sitecollection/web         FullControl

http://sharepoint/content/sitecollection/web/list    FullControl

http://sharepoint/taxonomy                           Read,Write

Tenant Permissions

For recovering the SharePoint Online sites to the Microsoft 365 tenant or an alternate
Microsoft 365 tenant, ensure that you configure the following Custom Scripts permissions
on the tenant:

• Allow users to run custom scripts on personal sites.
• Allow users to run custom scripts on self-service created sites.

After you have registered the custom app, configure the tenant permissions on the custom
app.
To configure the tenant permissions:

1. Launch the SharePoint Admin Center using the URL:
https://<your-tenant>-admin.sharepoint.com/_layouts/15/AppInv.aspx

2. In the SharePoint Admin Center, log in as the tenant admin.


3. In the App ID and Title section, perform the following:
1. In the App Id field, enter the AppID of the custom app you have created and
click Lookup to search for the custom app.
2. In the App Domain field, enter www.localhost.com as the app domain.

Important: Do not enter any string other than www.localhost.com in the
App Domain field.

3. In the Redirect URL field, enter https://localhost.com/ as the redirect URL.

Important: Do not enter any URL other than https://localhost.com/ in the
Redirect URL field.


4. In the Permission Request XML field, enter the following values:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant"
    Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection"
    Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
    Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list"
    Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy"
    Right="Read,Write" />
</AppPermissionRequests>

App Configuration for SharePoint Online

4. Click Create.
5. In the Do you trust <app_title>? page, perform the following:
a. From the drop-down, select
DO_NOT_DELETE_SPLIST_TENANTADMIN_AGGREGATED_SITECOLLECTIONS.
b. Click Trust It.


6. For recovering sites to the Microsoft 365 tenant or to an alternate Microsoft 365
tenant, you also need to configure the following recovery permissions on the tenant:
1. Launch the tenant settings using the following URL:
https://<your-tenant>-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx

2. Under Custom Scripts, enable:
• Allow users to run custom scripts on personal sites
• Allow users to run custom scripts on self-service created sites

Important: If you have created your Microsoft 365 tenant on or after
Sep 20, 2020, you must install SharePoint Online PowerShell. Using
the global administrator account, run the following commands in an
administrator PowerShell session:

# Check whether the SharePoint Online module is already installed
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select-Object Name,Version
# Use TLS 1.2 for the module download
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Install the module for all users on this machine
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope AllUsers
# Connect to the tenant's SharePoint admin endpoint
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
# Leave custom app authentication enabled for the tenant
Set-SPOTenant -DisableCustomAppAuthentication $False
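
The Permission Request XML entered in AppInv.aspx has to match the add-in permissions table exactly, and a pasted snippet can easily drift from it (a changed scheme, a dropped right, a missing AllowAppOnlyPolicy attribute). The following is an added example, not part of the Cohesity guide: it checks a snippet against the guide's scope table before it is submitted. The function name check_permission_xml and both sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Scope URI -> required rights, copied from the guide's add-in permissions table.
REQUIRED = {
    "http://sharepoint/content/tenant": {"FullControl"},
    "http://sharepoint/content/sitecollection": {"FullControl"},
    "http://sharepoint/content/sitecollection/web": {"FullControl"},
    "http://sharepoint/content/sitecollection/web/list": {"FullControl"},
    "http://sharepoint/taxonomy": {"Read", "Write"},
}


def _local(tag):
    """Drop an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def check_permission_xml(xml_text):
    """Return a sorted list of findings; an empty list means the snippet
    requests exactly the scopes and rights listed in the guide."""
    if "<!doctype" in xml_text.lower():
        # A permission request never needs a DTD; refuse to parse one.
        return ["DOCTYPE is not allowed"]
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "AppPermissionRequests":
        return [f"unexpected root element <{_local(root.tag)}>"]

    findings = []
    if root.get("AllowAppOnlyPolicy", "").lower() != "true":
        findings.append('AllowAppOnlyPolicy is not "true"')

    seen = {}
    for req in root:
        if _local(req.tag) != "AppPermissionRequest":
            findings.append(f"unexpected element <{_local(req.tag)}>")
            continue
        scope = req.get("Scope", "")
        rights = {r.strip() for r in req.get("Right", "").split(",") if r.strip()}
        if scope in seen:
            findings.append(f"duplicate scope: {scope}")
        seen[scope] = seen.get(scope, set()) | rights

    for scope, rights in seen.items():
        if scope not in REQUIRED:
            findings.append(f"scope not in the guide: {scope}")
            continue
        missing = REQUIRED[scope] - rights
        extra = rights - REQUIRED[scope]
        if missing:
            findings.append(f"missing rights on {scope}: {','.join(sorted(missing))}")
        if extra:
            findings.append(f"rights beyond the guide on {scope}: {','.join(sorted(extra))}")

    for scope in REQUIRED.keys() - seen.keys():
        findings.append(f"missing scope: {scope}")
    return sorted(findings)


# Constructed sample 1: the guide's Permission Request XML.
GUIDE_XML = """
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read,Write" />
</AppPermissionRequests>
"""

# Constructed sample 2: a drifted copy (https scheme on the tenant scope,
# Write dropped from taxonomy, AllowAppOnlyPolicy attribute missing).
DRIFTED_XML = """
<AppPermissionRequests>
  <AppPermissionRequest Scope="https://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read" />
</AppPermissionRequests>
"""

if __name__ == "__main__":
    for name, sample in (("guide", GUIDE_XML), ("drifted", DRIFTED_XML)):
        print(name, check_permission_xml(sample) or "matches the guide")
```
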


Register Microsoft 365 Sources


To start protecting Microsoft 365 applications, you need to register the Microsoft 365
domain as a source in Cohesity DataProtect.
Cohesity DataProtect uses the Microsoft Graph API for object discovery, backup, and
recovery in Microsoft 365. To use the Graph API, Cohesity DataProtect uses an Azure
application created and registered on the Azure portal with necessary permissions. You can
either let Cohesity create the Azure application or manually enter Azure application details
while registering your Microsoft 365 domain as a source in Cohesity DataProtect.

Express Registration for M365 Sources


Before you register your Microsoft 365 domain, ensure that you have:

• Added roles to the Microsoft 365 user account.
• Updated your Microsoft Organization setting for Mailbox size reporting.

To register your Microsoft 365 domain:

1. Navigate to Sources and select Register Source > Microsoft 365.


2. In the Source Details section, select a cloud region for your data backups.
3. Choose the Microsoft 365 Applications to discover.
4. In the Account Credentials section, enter the Microsoft 365 Username and
Password.
(Optional) To help you handle Exchange Online throttling of mailbox backup and
recovery on tenants where OAuth is not enabled, you can add multiple Microsoft 365
service accounts. Under the Additional Service Accounts section, enter the
Username and Password of the Microsoft 365 service account and click + to add up
to 20 Microsoft 365 service accounts.

Note: Ensure that the Microsoft 365 service accounts are assigned the
required roles.

5. If you have not enabled OAuth authentication for EWS for Exchange Online in
Microsoft 365, toggle the Enable OAuth option off.
6. In the Azure Applications section, enter the number of Azure applications that you
want to create based on your requirements and click Create.

Note: By default, two Azure applications will be created. To better manage
M365 throttling, Cohesity recommends one Azure app for every 2,000
Microsoft 365 objects that you want to protect.


7. In the Add Azure Application form, copy the device code and click the Microsoft
Azure App link to open the Microsoft Azure App authorization service in a new tab.

Note: If you prefer to create your Azure apps manually, see Manual
Registration for M365 Sources.

8. In the Microsoft Azure App authorization service, paste the copied code and click
Next.
9. Log in to Microsoft Azure, enter the Username and Password of your Microsoft 365
account and click Sign in.

Note: Ensure that your Microsoft 365 account has global administrator
access.

10. Follow the instructions to complete the authorization on the Microsoft Azure portal.
11. Wait for Microsoft Azure Authorization to complete and then click Register.

For SharePoint Online data protection, ensure that you set the required add-in permissions
and tenant permissions on the Azure application. For more information, see Set additional
permissions for SharePoint Online.
You can follow the Microsoft 365 source discovery and registration progress on the Sources
page.
Next > You are now ready to protect your Microsoft 365 Mailboxes, OneDrives, SharePoint
Online Sites, and Teams!

Manual Registration for M365 Sources


To register your Microsoft 365 domain manually, make sure you've met all the Microsoft
365 Requirements and then:

1. Navigate to Sources and select Register Source > Microsoft 365.


2. In the Source Details section, select a cloud region for your data backups.
3. Choose the Microsoft 365 Applications to discover.
4. In the Account Credentials section, enter the Microsoft 365 Username and
Password.
5. If you have not enabled OAuth authentication for EWS for Exchange Online in
Microsoft 365, toggle the Enable OAuth option off.
6. In the Azure Applications section, enter the number of Azure applications that you
want to create based on your requirements and click Create.


Note: By default, two Azure applications will be created. To better manage
M365 throttling, Cohesity recommends one Azure app for every 2,000
Microsoft 365 objects that you want to protect.

7. In the Add Azure Application form, click the You can also add Azure App
manually link and then enter the App ID and App Secret Key that you noted down
while registering your custom Azure app.

Tip: You can add multiple Azure apps for a Microsoft 365 source to load
balance your backup and restore operations. Click + to add multiple Azure
apps. When you do, ensure that you provide the valid App ID and App
Secret Key.

8. Click Register.

For SharePoint Online data protection, ensure that you set the required add-in permissions
and tenant permissions on the Azure application. For more information, see Set additional
permissions for SharePoint Online.
You can follow the Microsoft 365 source discovery and registration progress on the Sources
page.
Next > You are now ready to protect your Microsoft 365 Mailboxes, OneDrives, SharePoint
Online Sites, and Teams!

Explore Microsoft 365 Sources


After you have registered your Microsoft 365 domain as a source, you can review the Users,
Mailboxes, OneDrives, Sites, and Teams that Cohesity DataProtect discovered for the
source.

Overview
To explore your Microsoft 365 source details, under Sources, find the Microsoft 365 source
and click it.
The discovered Mailboxes, OneDrives, Sites, and Teams are listed in their respective tabs
on the M365 source details page. In addition, the source details page also displays a glance
bar that communicates:

• Object Counts. The number of Users, Mailboxes, OneDrives, Sites and Teams
discovered from the source.
• Protected/Unprotected Objects. The protected and unprotected count of Microsoft
365 objects in the source. For example, the number of protected and unprotected
Mailboxes in the source.
• Size. The size (FETB) of protected and unprotected Microsoft 365 application data.
For example, the amount of protected and unprotected Mailboxes data in the source.
• Cross-App Counts. Summary of protected and unprotected objects across all the
Microsoft 365 applications in the source.

Interpret the Numbers


Every M365 licensed user is counted as a User in Cohesity. A User might have both a
Mailbox and a OneDrive. Or a User can have either a Mailbox or a OneDrive. In addition,
Shared Mailboxes and Resource Mailboxes are not counted as Users. That means that the
count of Mailboxes, OneDrives, and Users is not expected to be the same.
For example, in the source details page below, the right side of the glance bar lists 17
Users but the number of Mailboxes listed on the left side of the glance bar is 22.

Similarly, in the following details page, the right side of the glance bar lists 17 users but the
number of OneDrives listed on the left side of the glance bar is 21.


Next > You are now ready to protect your Microsoft 365 Mailboxes, OneDrives, SharePoint
Online Sites, and Teams!

Exchange Online Mailboxes


Microsoft Exchange Online is a SaaS application that is bundled in your Microsoft 365
subscription service. It is a hosted messaging solution that delivers the capabilities of
Microsoft Exchange Server as a cloud-based service. It gives users access to email,
calendar, contacts, and tasks from PCs, the web, and mobile devices. Using the policy-
based data protection solution from Cohesity DataProtect, you can protect Exchange Online
data on Microsoft 365.

Protect M365 Mailboxes


Once you have registered your Microsoft 365 domain as a source, you're ready to use
Cohesity DataProtect to protect the user Mailboxes in your domain.
To protect your M365 Mailboxes:

1. Under Sources, find the Microsoft 365 source and click into it.
2. Click the Mailbox tab.
3. Select the individual Mailboxes you wish to protect or:
• Click Users > Select All Child Objects to protect all the Mailboxes in this
source.
• Click Users > Auto Protect This to protect all the Mailboxes plus any future
additional Mailboxes on that source.
4. Click the Protect icon above the list.
5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, you can enable Indexing, configure a specific End
Date, Alerts, and other additional settings.

Note: If you plan to recover individual emails or folders, in addition to
whole Mailboxes, you need to enable Indexing in this step. When you do,
you can include or exclude specific Mailboxes from indexing.

8. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected Mailboxes when and if you need to.

Additional Settings

Advance Settings    Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the protection run
should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time
zone. You can change the time zone of the protection run by selecting a different time zone here.

End Date If you need to end protection on a specific date, enable this to select the date.

Exclusions Enable Exclude Disks to select the disks to exclude for all VMs in this object's protection. Enter the
Controller Type, Controller Bus Number, and Unit Number for each disk to exclude. Excluded
disks are not backed up and are not recovered during VM recovery.


App Consistent Backups    Enable App-Consistent backups if you want the guest operating
systems of all the protected VMs to be quiesced before snapshots of these VMs are created.
Quiescing of VMs prior to capturing snapshots ensures the integrity of the data saved in the
snapshots.

With the App Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform an App Consistent backup.
Enable this option if you want Cohesity DataProtect to capture a crash-consistent snapshot if
Cohesity DataProtect fails to capture an app-consistent snapshot. If this option is disabled and
Cohesity DataProtect is unable to perform an app-consistent backup of a VM, a snapshot is
not captured.

• Backup application data and truncate their log files. Enable this option if you want to
back up applications (MS SQL, Exchange Server) that are running on the Hyper-V server and
truncate the logs of applications.

Note: This option is applicable only for VSS copy backup.

Priority    Select a priority for the protection task execution. Cohesity DataProtect supports
concurrent backups, but if the number of tasks exceeds the ability to process them, they are
executed in this priority order:

1. High-priority tasks

2. Medium-priority tasks

3. Low-priority tasks

Alerts    Click to enable one or more of these alert types to trigger alerts for the following
events and click Add to enter email addresses.

• SLA Violation. Creates warning alert when a protection run exceeds the configured SLA.
Sends email.

• Failure. Creates critical alert when object protection fails to complete. Sends email.

• Success. Creates information alert when object protection completes. Does not send
email.


SLA    The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the blocks in
an object, to take.

• Incremental. The number of minutes you expect an incremental protection run, which
captures only the changed blocks in an object, to take.

Pause Future Runs    Enable Pause Future Runs to suspend future protection runs for the object
until you turn this off again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors    (On by default)
A protection run continues even if it encounters errors on files, such as permissions errors. If files are
skipped, the protection run details page indicates a Warning status and provides additional
information. If toggled off, the protection run stops when it encounters an error.

Exclusions and Inclusions    By default, all files and folders are included for protection. Use this
option if you want to exclude or include specific locations. By creating exclusion and inclusion
rules, you can limit the protection to a specific set of files and directories and therefore minimize
the disk space used to store the data.

Cancel Runs at Quiet Time Start    (Available only if the selected policy has at least one Quiet Time.)
When enabled, all the protection runs that are currently executing will cancel when the Quiet Time
period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues
to execute even when a Quiet Time period starts. However, new protection runs will not start during a
Quiet Time.

Snapshot Prefix    (Available only for NetApp data protection volumes)
Select one of the following options to back up the snapshots from the data protection (DP) volume to
Cohesity DataProtect:

None. (Default) Enable this option if you want the Cohesity DataProtect service to take the full
backup from the oldest snapshot available on the DP volume and incremental backup from the latest
snapshots available on the DP volume.

Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to take the full and
incremental backup from the snapshots that match the prefix name you specify:

Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP volume
from which Cohesity DataProtect can take incremental backups.

Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume from which
Cohesity DataProtect can take the first full backup.


Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover Mailbox to recover the mailbox.
• Recover Mailbox Items to recover the mailbox items.
• Run Now to start an on-demand protection run immediately.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search the
object using Global Search and unprotect it.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the
protection run should start. Enter the Start Time and select AM or PM. The default
time zone is the browser's time zone. You can change the time zone of the protection
run by selecting a different time zone here.


SLA The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all
the blocks in an object, to take.

• Incremental. The number of minutes you expect an incremental protection
run, which captures only the changed blocks in an object, to take.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time)

When enabled, all the protection runs that are currently executing will cancel when the
Quiet Time period starts. By default, this setting is disabled, meaning that after a
protection run starts, it continues to execute even when a Quiet Time period starts.
However, new protection runs will not start during a Quiet Time.

Indexing By default, indexing is enabled.

Note: Indexing is mandatory for granular restore of an Exchange Online
mailbox, such as restoring a folder or restoring an email.

Exclusions Select the folders that you plan to exclude from the backup or click Add to add custom
folders that you want to exclude from the backup.

Recover M365 Mailboxes, Emails, & Folders


After you protect your users' M365 Mailboxes, you can recover them — as whole Mailboxes,
individual emails, or folders — from Cohesity DataProtect.

Note: You can recover Mailboxes to a target Mailbox as long as the Microsoft 365
domain for the target Mailbox is registered within the same cloud region as the
Microsoft 365 domain of the Mailbox being recovered.

You can recover:

• Whole Mailboxes
• Individual emails
• Folders

Recover User Mailboxes

To recover protected Microsoft 365 user Mailboxes:


1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Above the tree, select Show All > Protected.
4. Find the Mailbox you need and click the Recover icon on that row to open the New
Recovery form with the Latest snapshot (protection run).
5. In the New Recovery form, if you need to add more Mailboxes and/or recover from
an earlier backup, click the Edit icon in the top right of the form.
• To add Mailboxes, enter a Search term on the left, locate the other
Mailboxes, and select them.
• To use a different Recovery Point for a Mailbox, click the Edit icon on the tile
for that Mailbox. Find the recovery point you need and click Select Recovery
Point.
Click Next: Recover Options to return to the form.
6. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox.
7. Select your Recovery Options:
• Continue on Error. Enable to recover even if errors occur when recovering
Mailboxes. For example, if one of the Mailboxes cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected Mailboxes.
• Task Name. Change the default name of the recovery task.
8. Click Start Recovery.

Next > Protect your M365 OneDrives, SharePoint Online Sites, and Teams so you can
recover them easily when you need to, as well!

Recover Mailbox Items

After you protect your users' M365 Mailboxes, you can recover Mailbox items, such as
individual emails, folders, calendar invites, contacts, notes, or tasks, from Cohesity
DataProtect.

Recover Emails

To recover specific emails from a protected M365 user Mailbox:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.


Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. Select Emails & Folders from the Item Type drop-down.


5. Use the '*' wildcard character or enter the text to search for emails with a matching
subject in the Search bar. Select the emails to recover from the search results.
Or
Click Advanced Search and select Emails to search based on these filters:

Filters Description

Subject Subject line in the email.

From Mail sender email address.

To Mail recipient email address. Use a comma or space separator to enter multiple addresses.

Date Range Using the calendar, select a specific date range to search the emails.

Email Type Select one of the email types:
• All Emails
• Only emails with attachments
• Only emails without attachments

cc The email address in the Cc: line of the email. Use a comma or space separator to enter multiple
addresses.

bcc The email address in the Bcc: line of the email. Use a comma or space separator to enter multiple
addresses.

Search in Folder Search for the email within the specified folder. For example, Inbox, Drafts, and so on. Use a
comma or space separator to enter multiple folder names.

To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.


If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.

Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the emails to that folder.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
Mailboxes. For example, if one of the emails cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected emails.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Recover Mailbox Folders

To recover specific folders from a protected M365 user Mailbox:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.

Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. On the New Recovery page, select Emails & Folders from the Item Type drop-down.
5. Click Advanced Search and select Folders.
6. Enter the Folder Name and click Apply. Select the folders to recover from the
search results.
To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
7. Click Next: Recover Options to return to the form.
8. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.


Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the data to it.

9. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
Mailboxes. For example, if one of the emails cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected emails.
• Task Name. Change the default name of the recovery task.
10. Click Start Recovery.

Recover Calendar Invites

You can recover specific calendar invites from a protected M365 user Mailbox. However, if
you plan to recover the entire calendar, then recover the mailbox folder called Calendar.
To recover calendar invites:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.

Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. On the New Recovery page, select Calenders from the Item Type drop-down.
5. Use the '*' wildcard character or enter the text to search for calendar items with a
matching subject of the calendar invite in the Search bar. Select the calendar invite
to recover from the search results.
Or
Click Advanced Search and search calendar invite based on these filters and click
Apply:

Filters Description

Subject of Event Subject line in the calendar invite.

Organizer The email address of the event organizer.

Invitee Event recipients' email addresses. Use a comma or space separator to enter multiple
addresses.

Invitation Date Using the calendar, select a specific date range to search the calendar invites.

To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.

Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the calendar invite(s) to that
folder.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
calendar invites. For example, if one of the calendar invites cannot be
recovered, Cohesity DataProtect will still attempt to recover the other selected
calendar invites.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Recover Contacts

You can recover specific contacts from a protected M365 user Mailbox. However, if you plan
to recover the complete contacts list, then recover the mailbox folder called Contacts.
To recover specific contacts:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.


Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. On the New Recovery page, select Contacts from the Item Type drop-down.
5. Use the '*' wildcard character or enter the text to search for contacts with a matching
contact name in the Search bar. Select the contact to recover from the search
results.
Or
Click Advanced Search and search the contact based on these filters and click
Apply:

Filters Description

First Name The first name of the contact.

Last Name The last name of the contact.

Email Address The email address of the contact.

Invitation Date Using the calendar, select a specific date range to search the calendar invites.

To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.

Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the contact(s) to that folder.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
the contacts. For example, if one of the contacts cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected contacts.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.


Recover Notes

You can recover specific notes from a protected M365 user Mailbox. However, if you plan to
recover the complete set of notes in the user Mailbox, then recover the mailbox folder
called Notes.
To recover specific notes:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.

Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. On the New Recovery page, select Notes from the Item Type drop-down.
5. Use the '*' wildcard character or enter the text to search for notes with a matching
subject of the note in the Search bar. Select the note(s) to recover from the search
results.
Or
Click Advanced Search and search the note based on these filters and click Apply:

Filters Description

Subject The subject of the note.

Creation Date Using the calendar, select a specific date range to search the notes based on the creation
date.

Modification Date Using the calendar, select a specific date range to search the notes based on the
modification date.

To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.


Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the note(s) to that folder.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
the notes. For example, if one of the notes cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected notes.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Recover Tasks

You can recover specific tasks from a protected M365 user Mailbox. However, if you plan to
recover the complete set of tasks in the user Mailbox, then recover the mailbox folder
called Tasks.
To recover specific tasks:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Mailbox tab.
3. Use the search or filter options, find and select the user you need, and click the
Recover Mailbox Items icon above the list to open the New Recovery form.

Tip: You can also use Global Search to locate, filter, and select the Mailbox
you need. Click the Global Search box at the top or type slash (/) anywhere
to start your search.

4. On the New Recovery page, select Tasks from the Item Type drop-down.
5. Use the '*' wildcard character or enter the text to search for tasks with a matching
subject of the task in the Search bar. Select the task(s) to recover from the search
results.
Or
Click Advanced Search and search the tasks based on these filters and click Apply:

Filters Description

Subject The subject of the task.

Creation Date Using the calendar, select a specific date range to search the tasks based on their creation
date.

Due Date Using the calendar, select a specific date range to search the tasks based on their due date.

Status The status of the task.

To use a different Recovery Point for a Mailbox, click the Edit icon on the tile for
that Mailbox. Find the recovery point you need and click Select Recovery Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
Mailbox, and specify the Folder name to which you plan to recover.

Note: If a folder with the specified name does not exist, Cohesity
DataProtect creates the folder and recovers the task(s) to that folder.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
the tasks. For example, if one of the tasks cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected tasks.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Next > Protect your M365 OneDrives, SharePoint Online Sites, and Teams so you can
recover them easily when you need to, as well!

OneDrive for Business


OneDrive for Business is a SaaS application that is bundled in your Microsoft 365
subscription service. It is an intelligent files app for Microsoft 365 connecting you to all your
files so you can share and work together from anywhere while protecting your work. It
enables you to easily store, access, and discover your individual and shared work files in
Microsoft 365. Using the policy-based data protection solution from Cohesity DataProtect,
you can protect OneDrive for Business data on Microsoft 365.


Protect M365 OneDrives


Once you have registered your Microsoft 365 domain as a source, you're ready to use
Cohesity DataProtect to protect the user OneDrives in your domain.
To protect your M365 OneDrives:

1. Under Sources, find the Microsoft 365 source and click into it.
2. Click the OneDrive tab.
3. Select the individual OneDrives you wish to protect or:
• Click Users > Select All Child Objects to protect all the OneDrives in this
source.
• Click Users > Auto Protect This to protect all the OneDrives plus any future
additional OneDrives on that source.
4. Click the Protect icon above the list.
5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, you can enable Indexing, configure a specific End
Date, Alerts, and other additional settings.
8. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected OneDrives when and if you need to.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the protection run
should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time
zone. You can change the time zone of the protection run by selecting a different time zone here.

End Date If you need to end protection on a specific date, enable this to select the date.


Exclusions Enable Exclude Disks to select the disks to exclude for all VMs in this object's protection. Enter the
Controller Type, Controller Bus Number, and Unit Number for each disk to exclude. Excluded
disks are not backed up and are not recovered during VM recovery.

App Consistent Backups Enable App-Consistent backups if you want the guest operating systems of all the protected VMs
to be quiesced before snapshots of these VMs are created. Quiescing of VMs prior to capturing
snapshots ensures the integrity of the data saved in the snapshots.

With the App Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform an App Consistent backup.
Enable this option if you want Cohesity DataProtect to capture a crash-consistent snapshot if
Cohesity DataProtect fails to capture an app-consistent snapshot. If this option is disabled and
Cohesity DataProtect is unable to perform an app-consistent backup of a VM, a snapshot is
not captured.

• Backup application data and truncate their log files. Enable this option if you want to
back up applications (MS SQL, Exchange Server) that are running on the Hyper-V server and
truncate the logs of applications.

Note: This option is applicable only for VSS copy backup.

Priority Select a priority for the protection task execution. Cohesity DataProtect supports concurrent backups,
but if the number of tasks exceeds the ability to process them, they are executed in this priority order:

1. High-priority tasks

2. Medium-priority tasks

3. Low-priority tasks

Alerts Click to enable one or more of these alert types to trigger alerts for the following events and click Add
to enter email addresses.

• SLA Violation. Creates warning alert when a protection run exceeds the configured SLA.
Sends email.

• Failure. Creates critical alert when object protection fails to complete. Sends email.

• Success. Creates information alert when object protection completes. Does not send
email.


SLA The service-level agreement (SLA) defines how long the administrator expects a protection run to
take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the blocks in
an object, to take.

• Incremental. The number of minutes you expect an incremental protection run, which
captures only the changed blocks in an object, to take.

Pause Future Runs Enable Pause Future Runs to suspend future protection runs for the object until you turn this off
again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors (On by default)

A protection run continues even if it encounters errors on files, such as permissions errors. If files are
skipped, the protection run details page indicates a Warning status and provides additional
information. If toggled off, the protection run stops when it encounters an error.

Exclusions and Inclusions By default, all files and folders are included for protection. Use this option if you want to exclude or
include specific locations. By creating exclusion and inclusion rules, you can limit the protection to a
specific set of files and directories and therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time.)

When enabled, all the protection runs that are currently executing will cancel when the Quiet Time
period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues
to execute even when a Quiet Time period starts. However, new protection runs will not start during a
Quiet Time.

Snapshot Prefix (Available only for NetApp data protection volumes)

Select one of the following options to back up the snapshots from the data protection (DP) volume to
Cohesity DataProtect:

None. (Default) Enable this option if you want the Cohesity DataProtect service to take the full
backup from the oldest snapshot available on the DP volume and incremental backup from the latest
snapshots available on the DP volume.

Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to take the full and
incremental backup from the snapshots that match the prefix name you specify:

Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP volume
from which Cohesity DataProtect can take incremental backups.

Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume from which
Cohesity DataProtect can take the first full backup.


Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover OneDrive to recover the OneDrive.
• Recover OneDrive Documents to recover the OneDrive documents.
• Run Now to start an on-demand protection run immediately.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search the
object using Global Search and unprotect it.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the
protection run should start. Enter the Start Time and select AM or PM. The default
time zone is the browser's time zone. You can change the time zone of the protection
run by selecting a different time zone here.


SLA The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all
the blocks in an object, to take.

• Incremental. The number of minutes you expect an incremental protection
run, which captures only the changed blocks in an object, to take.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time)

When enabled, all the protection runs that are currently executing will cancel when the
Quiet Time period starts. By default, this setting is disabled, meaning that after a
protection run starts, it continues to execute even when a Quiet Time period starts.
However, new protection runs will not start during a Quiet Time.

Indexing By default, indexing is enabled.

Note: Indexing is mandatory to search for files or folders in a OneDrive.

Exclusions Click Add to add custom folders that you want to exclude from the backup.

Recover OneDrives
After you protect your users' M365 OneDrives, you can recover them — as whole OneDrives
or just specific contents in a user's M365 OneDrive — from Cohesity DataProtect, to the
same location, alternate location, or across Microsoft 365 domains.

Note: You can recover a OneDrive to a target OneDrive as long as the Microsoft
365 domain for the target OneDrive is registered within the same cloud region as
the Microsoft 365 domain of the OneDrive being recovered.

You can recover:

• User OneDrives
• User OneDrive Contents

Recover User OneDrives

To recover protected Microsoft 365 user OneDrives:


1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the OneDrive tab.
3. Above the tree, select Protection Status > Protected.
4. Use the search and filter options to find and select the OneDrive you need, click the
Actions (⋮) menu on that row, and select Recover OneDrive to open the New
Recovery form with the Latest snapshot (protection run).
5. In the New Recovery form, if you need to add more OneDrives and/or recover from
an earlier backup, click the Edit icon in the top right of the form.
• To add OneDrives, enter a Search term on the left, locate the other OneDrives,
and select them.
• To use a different Recovery Point for a OneDrive, click the Edit icon on the
tile for that OneDrive. Find the recovery point you need and click Select
Recovery Point.
Click Next: Recover Options to return to the form.
6. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target
OneDrive.
7. Select your Recovery Options:
• Continue on Error. Enable to recover even if errors occur when recovering
OneDrives. For example, if one of the OneDrives cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected OneDrives.
• Task Name. Change the default name of the recovery task.
8. Click Start Recovery.

Next > Protect your M365 Mailboxes, SharePoint Online Sites, and Teams so you can
recover them easily when you need to, as well!

Recover OneDrive Contents

Important: Before you can recover a user's OneDrive contents, you need to set
up M365 OneDrive protection with Indexing enabled.

To recover specific OneDrive contents from a protected M365 OneDrive:

1. Go to Sources to set up your recovery task.
2. Click into the Source name and select the OneDrive tab.
3. Above the tree, select Protection Status > Protected.
4. Use the search and filter options to find and select the OneDrive you need, click the
   Actions (⋮) menu on that row, and select Recover OneDrive Documents to open
   the New Recovery form.
5. On the New Recovery Microsoft 365 - OneDrive page, in the Recovery Type,
   select any one of the following tabs to search for the file or folder:
   • Browse OneDrive and Recover. You can browse the individual user
     OneDrive to navigate and select the files or folders to be restored.
   • Search Files and Recover. You can use the global search to find the files and
     folders that need to be restored.
6. To browse and recover:
   1. In the Recovery Type section, select Browse OneDrive and Recover.
   2. Select the file or folder you plan to restore. Do any one of the following based
      on your requirements:
      • To recover the file(s) or folder(s), click Next.
      • To download the file(s) or folder(s), click Download Files.
        A new recovery task is created to download the file(s) or folder(s). When
        the task completes, from the Activity page, click the task name and then
        click Download Files to download the generated zip file.
   3. Click Next: Recover Options to return to the form and skip to step 8.
7. To search and recover:
   a. In the Recovery Type section, select Search Files and Recover.
   b. Use the '*' wildcard character and/or enter text to search for the folders or files
      with a matching folder name or file name in the Search bar. Select the folders
      or files to recover from the search results.
      Or
      Click Advanced Search and select Both, Files, or Folder and search based
      on the available filters and click Apply.
   c. To use a different Recovery Point for a folder or file, click the Edit icon on the
      tile for that folder or file. Find the recovery point you need and click Select
      Recovery Point.
   d. Click Next: Recover Options to return to the form.
8. Under Recover To, select Original Location or New Location.
   • If you choose Original Location, the existing document library is overwritten.
   • If you choose New Location, select a Registered Source and the Target
     Site, and specify the Document Library name to which you plan to recover
     the document library items. Optionally, you can also enter a new prefix for
     the Document Library.

   Note: If a folder with the specified name does not exist in the OneDrive,
   Cohesity DataProtect creates the folder and recovers the OneDrive contents
   to that folder.

9. Select your Recovery Options:
   • Continue on Error. Enable to recover even if errors occur when recovering
     the document library items. For example, if a document cannot be recovered,
     Cohesity DataProtect will still attempt to recover the other selected documents
     from that document library.
   • Task Name. Change the default name of the recovery task.
10. Click Start Recovery.

Next > Protect your M365 Mailboxes, SharePoint Online Sites, and Teams so you can
recover them easily when you need to, as well!

SharePoint Online
SharePoint Online is a SaaS application bundled with the Microsoft 365 service. It provides
an extensive range of collaborative and creative capabilities enabling organizations to
share, manage, and access information from almost any device.
Using the policy-based data protection solution from Cohesity DataProtect, you can back up
and recover the SharePoint Online site templates, which enables you to back up and recover
SharePoint Online sites or subsites and their contents, such as document libraries.

Protect M365 SharePoint Online Sites


Once you have registered your Microsoft 365 domain as a source, you're ready to use
Cohesity DataProtect to protect the SharePoint Online sites in your domain.
To protect your M365 SharePoint Online sites:

1. Under Sources, find the Microsoft 365 source and click into it.
2. Click the Site tab.
3. Select the individual SharePoint Online site you wish to protect or:
   • Click Users > Select All Child Objects to protect all the SharePoint Online
     sites in this source.
   • Click Users > Auto Protect This to protect all the SharePoint Online sites in
     this source.
4. Click the Protect icon above the list.
5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
   you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, you can enable Indexing, configure a specific End
   Date, Alerts, and other additional settings.

   Note: If you plan to recover individual document library items, in addition
   to whole sites, you need to enable Indexing in this step. When you do, you
   can include or exclude specific sites from indexing.

8. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected SharePoint Online sites when and if you need to.

Additional Settings

Advance Settings
    Description

Start Time
    Available only if the selected policy is set to Backup Daily. Indicates what time the
    protection run should start. Enter the Start Time and select AM or PM. The default time
    zone is the browser's time zone. You can change the time zone of the protection run by
    selecting a different time zone here.

End Date
    If you need to end protection on a specific date, enable this to select the date.

Exclusions
    Enable Exclude Disks to select the disks to exclude for all VMs in this object's
    protection. Enter the Controller Type, Controller Bus Number, and Unit Number for each
    disk to exclude. Excluded disks are not backed up and are not recovered during VM
    recovery.

App Consistent Backups
    Enable App-Consistent backups if you want the guest operating systems of all the
    protected VMs to be quiesced before snapshots of these VMs are created. Quiescing of VMs
    prior to capturing snapshots ensures the integrity of the data saved in the snapshots.

    With the App Consistent backups enabled, the following options are available:

    • Take a Crash Consistent backup if unable to perform an App Consistent backup.
      Enable this option if you want Cohesity DataProtect to capture a crash-consistent
      snapshot if Cohesity DataProtect fails to capture an app-consistent snapshot. If this
      option is disabled and Cohesity DataProtect is unable to perform an app-consistent
      backup of a VM, a snapshot is not captured.

    • Backup application data and truncate their log files. Enable this option if you
      want to back up applications (MS SQL, Exchange Server) that are running on the
      Hyper-V server and truncate the logs of applications.

      Note: This option is applicable only for VSS copy backup.

Priority
    Select a priority for the protection task execution. Cohesity DataProtect supports
    concurrent backups, but if the number of tasks exceeds the ability to process them, they
    are executed in this priority order:

    1. High-priority tasks
    2. Medium-priority tasks
    3. Low-priority tasks

Alerts
    Click to enable one or more of these alert types to trigger alerts for the following
    events and click Add to enter email addresses.

    • SLA Violation. Creates warning alert when a protection run exceeds the configured
      SLA. Sends email.
    • Failure. Creates critical alert when object protection fails to complete. Sends email.
    • Success. Creates information alert when object protection completes. Does not send
      email.

SLA
    The service-level agreement (SLA) defines how long the administrator expects a
    protection run to take. Enter:

    • Full. The number of minutes you expect a full protection run, which captures all the
      blocks in an object, to take.
    • Incremental. The number of minutes you expect an incremental protection run, which
      captures only the changed blocks in an object, to take.

Pause Future Runs
    Enable Pause Future Runs to suspend future protection runs for the object until you turn
    this off again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors
    (On by default)
    A protection run continues even if it encounters errors on files, such as permissions
    errors. If files are skipped, the protection run details page indicates a Warning status
    and provides additional information. If toggled off, the protection run stops when it
    encounters an error.

Exclusions and Inclusions
    By default, all files and folders are included for protection. Use this option if you
    want to exclude or include specific locations. By creating exclusion and inclusion
    rules, you can limit the protection to a specific set of files and directories and
    therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start
    (Available only if the selected policy has at least one Quiet Time.)
    When enabled, all the protection runs that are currently executing will cancel when the
    Quiet Time period starts. By default, this setting is disabled, meaning that after a
    protection run starts, it continues to execute even when a Quiet Time period starts.
    However, new protection runs will not start during a Quiet Time.

Snapshot Prefix
    (Available only for NetApp data protection volumes)
    Select one of the following options to back up the snapshots from the data protection
    (DP) volume to Cohesity DataProtect:

    None. (Default) Enable this option if you want the Cohesity DataProtect service to take
    the full backup from the oldest snapshot available on the DP volume and incremental
    backup from the latest snapshots available on the DP volume.

    Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to take
    the full and incremental backup from the snapshots that match the prefix name you
    specify:

    Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP
    volume from which Cohesity DataProtect can take incremental backups.

    Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume from
    which Cohesity DataProtect can take the first full backup.


Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu (⋮) next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover SharePoint Sites to recover the SharePoint sites.
• Recover SharePoint Documents to recover the SharePoint documents.
• Run Now to start an on-demand protection run immediately.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search the
object using Global Search and unprotect it.

Additional Settings

Advance Settings
    Description

Start Time
    Available only if the selected policy is set to Backup Daily. Indicates what time the
    protection run should start. Enter the Start Time and select AM or PM. The default
    time zone is the browser's time zone. You can change the time zone of the protection
    run by selecting a different time zone here.

SLA
    The service-level agreement (SLA) defines how long the administrator expects a
    protection run to take. Enter:

    • Full. The number of minutes you expect a full protection run, which captures all
      the blocks in an object, to take.
    • Incremental. The number of minutes you expect an incremental protection
      run, which captures only the changed blocks in an object, to take.

Cancel Runs at Quiet Time Start
    (Available only if the selected policy has at least one Quiet Time)
    When enabled, all the protection runs that are currently executing will cancel when the
    Quiet Time period starts. By default, this setting is disabled, meaning that after a
    protection run starts, it continues to execute even when a Quiet Time period starts.
    However, new protection runs will not start during a Quiet Time.

Indexing
    By default, indexing is enabled.

    Note: Indexing is mandatory for granular restore of SharePoint sites.

Recover M365 SharePoint Online Sites & Items


After you protect your users' M365 SharePoint Online sites, you can recover them — as
whole sites or just specific document library items — from Cohesity DataProtect, to the
same location, alternate location, or across Microsoft 365 domains.

Note: To recover site system files such as HTML, JavaScript, and so on, ensure
that you enable Custom Scripts permissions on the tenant. For more information,
see Tenant Permissions in Microsoft 365 Requirements.

You can recover:

• SharePoint Sites
• SharePoint Document Library Items

Recover SharePoint Sites

To recover protected Microsoft 365 SharePoint Online sites:

1. Go to Sources to set up your recovery task.
2. Click into the Source name.
3. Above the tree, select Show All > Protected.
4. Find the sites you need and click the Recover button on that row to open the New
   Recovery form with the Latest snapshot (protection run).
5. In the New Recovery form, if you need to add more SharePoint Online sites and/or
   recover from an earlier backup, click the Edit icon in the top right of the form.
   • To add SharePoint Online sites, enter a Search term on the left, locate the
     other SharePoint Online sites, and select them.
   • To use a different Recovery Point for a site, click the Edit icon on the tile for
     that site. Find the recovery point you need and click Select Recovery Point.

   Note: To recover a site collection and its sub-sites, search using the site
   collection relative URL such as "/sites/myrootsite" and add them to the
   recovery task.

   Click Next: Recover Options to return to the form.
6. Under Recover To, select Original Location or New Location.
   If you choose New Location, select a Registered Source and the Target.
7. Select your Recovery Options:
   • Continue on Error. Enable to recover even if errors occur when recovering
     SharePoint Online sites. For example, if one of the sites cannot be recovered,
     Cohesity DataProtect will still attempt to recover the other selected sites.
   • Task Name. Change the default name of the recovery task.
8. Click Start Recovery.

Next > Protect your M365 Mailboxes, OneDrives, and Teams so you can recover them
easily when you need to, as well!

Recover SharePoint Document Library Items

Important: Before you can recover SharePoint document library items, you need
to set up SharePoint protection with Indexing enabled.

To recover specific document library items from a protected M365 SharePoint Online Site:

1. Go to Sources to set up your recovery task.
2. Click into the Source name and select the Site tab.
3. Use the search or filter options, find and select the site you need, click the Actions
   menu (⋮) on that row, and select Recover SharePoint Documents to open the
   New Recovery form.
4. In the New Recovery Microsoft 365 - SharePoint Online page, under the
   Recovery Type section, select any one of the following to search for the file or
   folder:
   • Browse Site and Recover. You can browse the individual site to navigate and
     select the files/document library to be restored.
   • Search Files and Recover. You can use the global search to find the files and
     document libraries that need to be restored.
5. To browse and recover:
   a. In the Recovery Type section, select Browse Site and Recover.
   b. Search for the site name and click the site name to browse the site.
   c. Select the file or document library you plan to restore. Do any one of the
      following based on your requirements:
      i. To recover the file(s) or document library(s), click Next.
      ii. To download the file(s) or document library(s), click Download Files.
          A new recovery task is created to download the file(s) or document
          library(s). When the task completes, from the Activity page, click the
          task name and then click Download Files to download the generated zip
          file.
   d. Click Next: Recover Options to return to the form and skip to step 8.
6. To search and recover:
   1. In the Recovery Type section, select Search Files and Recover.
   2. Use the '*' wildcard character and/or enter text (such as ‘*.xlsx’ or ‘*.pdf’) to
      search for the folders or files with a matching folder name or file name in the
      Search bar. Select the folders or files to recover from the search results.
      Or
      Click Advanced Search and select Both, Files, or Folder and search based
      on the available filters and click Apply.
   3. To use a different Recovery Point for a folder or file, click the Edit icon on the
      tile for that folder or file. Find the recovery point you need and click Select
      Recovery Point.
   4. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.
   • If you choose Original Location, the existing document library is overwritten.
   • If you choose New Location, select a Registered Source and the Target
     Site, and specify the Document Library name to which you plan to recover
     the document library items. Optionally, you can also enter a new prefix for
     the Document Library.

   Note: If a document library with the specified name does not exist on the
   site, Cohesity DataProtect creates the document library and recovers the
   folders or files to that document library.

8. Select your Recovery Options:
   • Continue on Error. Enable to recover even if errors occur when recovering
     the document library items. For example, if a document cannot be recovered,
     Cohesity DataProtect will still attempt to recover the other selected documents
     from that document library.
   • Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Next > Protect your M365 Mailboxes, OneDrives, and Teams so you can recover them
easily when you need to, as well!

Microsoft Teams
Microsoft Teams is a collaboration solution provided by Microsoft that is bundled with the
Microsoft 365 service. For more information, see Microsoft documentation. Using the
policy-based data protection solution from Cohesity DataProtect, you can back up and
recover Teams data in Microsoft 365.

Protect M365 Teams


Once you have registered your Microsoft 365 domain as a source, you're ready to use
Cohesity DataProtect to protect the Teams data in your domain.
To protect your M365 Teams:

1. Under Sources, find the Microsoft 365 source and click into it.
2. Click the Site tab.
3. Select the individual Team you wish to protect or:
   • Click Users > Select All Child Objects to protect all the Teams in this
     source.
   • Click Users > Auto Protect This to protect all the Teams in this source.
4. Click the Protect icon above the list.
5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
   you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, you can enable Indexing, configure a specific End
   Date, Alerts, and other additional settings.

   Note: If you plan to recover individual document library items (coming
   soon!), in addition to whole sites, you need to enable Indexing in this step.
   When you do, you can include or exclude specific sites from indexing.

8. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected Teams when and if you need to.

Additional Settings

Advance Settings
    Description

Start Time
    Available only if the selected policy is set to Backup Daily. Indicates what time the
    protection run should start. Enter the Start Time and select AM or PM. The default time
    zone is the browser's time zone. You can change the time zone of the protection run by
    selecting a different time zone here.

End Date
    If you need to end protection on a specific date, enable this to select the date.

Exclusions
    Enable Exclude Disks to select the disks to exclude for all VMs in this object's
    protection. Enter the Controller Type, Controller Bus Number, and Unit Number for each
    disk to exclude. Excluded disks are not backed up and are not recovered during VM
    recovery.

App Consistent Backups
    Enable App-Consistent backups if you want the guest operating systems of all the
    protected VMs to be quiesced before snapshots of these VMs are created. Quiescing of VMs
    prior to capturing snapshots ensures the integrity of the data saved in the snapshots.

    With the App Consistent backups enabled, the following options are available:

    • Take a Crash Consistent backup if unable to perform an App Consistent backup.
      Enable this option if you want Cohesity DataProtect to capture a crash-consistent
      snapshot if Cohesity DataProtect fails to capture an app-consistent snapshot. If this
      option is disabled and Cohesity DataProtect is unable to perform an app-consistent
      backup of a VM, a snapshot is not captured.

    • Backup application data and truncate their log files. Enable this option if you
      want to back up applications (MS SQL, Exchange Server) that are running on the
      Hyper-V server and truncate the logs of applications.

      Note: This option is applicable only for VSS copy backup.

Priority
    Select a priority for the protection task execution. Cohesity DataProtect supports
    concurrent backups, but if the number of tasks exceeds the ability to process them, they
    are executed in this priority order:

    1. High-priority tasks
    2. Medium-priority tasks
    3. Low-priority tasks

Alerts
    Click to enable one or more of these alert types to trigger alerts for the following
    events and click Add to enter email addresses.

    • SLA Violation. Creates warning alert when a protection run exceeds the configured
      SLA. Sends email.
    • Failure. Creates critical alert when object protection fails to complete. Sends email.
    • Success. Creates information alert when object protection completes. Does not send
      email.

SLA
    The service-level agreement (SLA) defines how long the administrator expects a
    protection run to take. Enter:

    • Full. The number of minutes you expect a full protection run, which captures all the
      blocks in an object, to take.
    • Incremental. The number of minutes you expect an incremental protection run, which
      captures only the changed blocks in an object, to take.

Pause Future Runs
    Enable Pause Future Runs to suspend future protection runs for the object until you turn
    this off again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors
    (On by default)
    A protection run continues even if it encounters errors on files, such as permissions
    errors. If files are skipped, the protection run details page indicates a Warning status
    and provides additional information. If toggled off, the protection run stops when it
    encounters an error.

Exclusions and Inclusions
    By default, all files and folders are included for protection. Use this option if you
    want to exclude or include specific locations. By creating exclusion and inclusion
    rules, you can limit the protection to a specific set of files and directories and
    therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start
    (Available only if the selected policy has at least one Quiet Time.)
    When enabled, all the protection runs that are currently executing will cancel when the
    Quiet Time period starts. By default, this setting is disabled, meaning that after a
    protection run starts, it continues to execute even when a Quiet Time period starts.
    However, new protection runs will not start during a Quiet Time.

Snapshot Prefix
    (Available only for NetApp data protection volumes)
    Select one of the following options to back up the snapshots from the data protection
    (DP) volume to Cohesity DataProtect:

    None. (Default) Enable this option if you want the Cohesity DataProtect service to take
    the full backup from the oldest snapshot available on the DP volume and incremental
    backup from the latest snapshots available on the DP volume.

    Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to take
    the full and incremental backup from the snapshots that match the prefix name you
    specify:

    Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP
    volume from which Cohesity DataProtect can take incremental backups.

    Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume from
    which Cohesity DataProtect can take the first full backup.


Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu (⋮) next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover Teams to recover the Teams.
• Recover Teams Content to recover the Teams content.
• Run Now to start an on-demand protection run immediately.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search the
object using Global Search and unprotect it.


Additional Settings

Advance Settings
    Description

Start Time
    Available only if the selected policy is set to Backup Daily. Indicates what time the
    protection run should start. Enter the Start Time and select AM or PM. The default
    time zone is the browser's time zone. You can change the time zone of the protection
    run by selecting a different time zone here.

SLA
    The service-level agreement (SLA) defines how long the administrator expects a
    protection run to take. Enter:

    • Full. The number of minutes you expect a full protection run, which captures all
      the blocks in an object, to take.
    • Incremental. The number of minutes you expect an incremental protection
      run, which captures only the changed blocks in an object, to take.

Cancel Runs at Quiet Time Start
    (Available only if the selected policy has at least one Quiet Time)
    When enabled, all the protection runs that are currently executing will cancel when the
    Quiet Time period starts. By default, this setting is disabled, meaning that after a
    protection run starts, it continues to execute even when a Quiet Time period starts.
    However, new protection runs will not start during a Quiet Time.

Indexing
    By default, indexing is enabled.

    Note: Indexing is mandatory for granular restore of Teams contents.

Recover M365 Teams and Teams Content


After you protect your users' Teams, you can recover them — as whole Teams or just
specific Teams content — from Cohesity DataProtect to the original Team in the same
Microsoft 365 domain.
You can recover:

• M365 Teams
• M365 Teams Content

Recover M365 Teams

To recover protected Microsoft 365 Teams:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Teams tab.

Cohesity DataProtect Delivered-as-a-Service User Guide 182


Microsoft 365 Microsoft Teams

3. Above the tree, select Show All > Protected.


4. Find the Team you need and click the Recover button on that row to open the New
Recovery form with the Latest snapshot (protection run).
5. In the New Recovery form, if you need to add more Teams and/or recover from an
earlier backup, click the Edit icon in the top right of the form.
l To add Teams, enter a Search term on the left, locate the other Teams, and
select them.
l To use a different Recovery Point for a Team, click the Edit icon on the tile
for that Team. Find the recovery point you need and click Select Recovery
Point.
Click Next: Recover Options to return to the form.
6. Under Recover To, select Original Location or New Location.
If you choose New Location, select a Registered Source and the Target.
7. Select your Recovery Options:
• Continue on Error. Enable to recover even if errors occur when recovering
Teams. For example, if one of the Teams cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected Teams.
• Task Name. Change the default name of the recovery task.
8. Click Start Recovery.

Next > Protect your M365 Mailboxes, OneDrives, and SharePoint Online Sites so you can
recover them easily when you need to, as well!

Recover M365 Teams Content

To recover specific content from a protected M365 Team:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Teams tab.
3. Use the search or filter options, find and select the Team you need, and click
Recover Teams Content on that row to open the New Recovery form.
4. In the Search bar, use the '*' wildcard character and/or enter text (such as
‘*.xlsx’ or ‘*.jpg’) to search for folders or files with a matching folder name or
file name. Select the folders or files to recover from the search results.
Or
Click Advanced Search, select Both, Files, or Folder, search based on the
available filters, and click Apply.
5. To use a different Recovery Point for a folder or file, click the Edit icon on the tile
for that folder or file. Find the recovery point you need and click Select Recovery
Point.


6. Click Next: Recover Options to return to the form.


7. Under Recover To, select Original Location.

Important: When you take this action, the existing Teams content is
overwritten.

8. Select your Recovery Options:


• Continue on Error. Enable to recover even if errors occur when recovering
Teams content. For example, if one of the Teams cannot be recovered,
Cohesity DataProtect will still attempt to recover the other selected Teams.
• Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Next > Protect your M365 Mailboxes, OneDrives, and SharePoint Online Sites so you can
recover them easily when you need to, as well!

Microsoft Groups
Microsoft 365 groups are used for collaboration between users, both inside and outside your
company. With each Microsoft 365 group, members get a group email and shared
workspace for conversations, files, calendar events, and a planner.

Note: This is an Early Access feature. Contact your Cohesity account team to
enable the feature for your tenant.

Using the policy-based data protection solution from Cohesity DataProtect, you can back up
and recover Unified Groups data in Microsoft 365.

Protect M365 Groups


Once you have registered your Microsoft 365 domain as a source, you're ready to use
Cohesity DataProtect to protect the Groups in your domain.
To protect your M365 Groups:

1. Under Sources, find the Microsoft 365 source and click into it.
2. Click the Group tab.
3. Select the individual Team you wish to protect or:
• Click Groups > Select All Child Objects to protect all the Teams in this
source.
• Click Groups > Auto Protect This to protect all the Teams in this source.
4. Click the Protect icon above the list.
5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, you can enable Indexing, configure a specific End
Date, Alerts, and other additional settings.

Note: If you plan to recover individual document library items (coming
soon!), in addition to whole sites, you need to enable Indexing in this step.
When you do, you can include or exclude specific sites from indexing.

8. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Next > When the first protection run completes, you will be ready to recover your
protected Groups when and if you need to.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the protection run
should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time
zone. You can change the time zone of the protection run by selecting a different time zone here.

End Date If you need to end protection on a specific date, enable this to select the date.

Exclusions Enable Exclude Disks to select the disks to exclude for all VMs in this object's protection. Enter the
Controller Type, Controller Bus Number, and Unit Number for each disk to exclude. Excluded
disks are not backed up and are not recovered during VM recovery.


App Consistent Backups Enable App-Consistent backups if you want the guest operating systems of all the protected VMs
to be quiesced before snapshots of these VMs are created. Quiescing of VMs prior to capturing
snapshots ensures the integrity of the data saved in the snapshots.

With the App Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform an App Consistent backup.
Enable this option if you want Cohesity DataProtect to capture a crash-consistent snapshot if
Cohesity DataProtect fails to capture an app-consistent snapshot. If this option is disabled and
Cohesity DataProtect is unable to perform an app-consistent backup of a VM, a snapshot is
not captured.

• Backup application data and truncate their log files. Enable this option if you want to
back up applications (MS SQL, Exchange Server) that are running on the Hyper-V server and
truncate the logs of applications.

Note: This option is applicable only for VSS copy backup.

Priority Select a priority for the protection task execution. Cohesity DataProtect supports concurrent backups,
but if the number of tasks exceeds the ability to process them, they are executed in this priority order:

1. High-priority tasks

2. Medium-priority tasks

3. Low-priority tasks

Alerts Click to enable one or more of these alert types to trigger alerts for the following events and click Add
to enter email addresses.

• SLA Violation. Creates warning alert when a protection run exceeds the configured SLA.
Sends email.

• Failure. Creates critical alert when object protection fails to complete. Sends email.

• Success. Creates information alert when object protection completes. Does not send
email.


SLA The service-level agreement (SLA) defines how long the administrator expects a protection run to
take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the blocks in
an object, to take.

• Incremental. The number of minutes you expect an incremental protection run, which
captures only the changed blocks in an object, to take.

Pause Future Runs Enable Pause Future Runs to suspend future protection runs for the object until you turn this off
again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors (On by default)
A protection run continues even if it encounters errors on files, such as permissions errors. If files are
skipped, the protection run details page indicates a Warning status and provides additional
information. If toggled off, the protection run stops when it encounters an error.

Exclusions and Inclusions By default, all files and folders are included for protection. Use this option if you want to exclude or
include specific locations. By creating exclusion and inclusion rules, you can limit the protection to a
specific set of files and directories and therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time.)
When enabled, all the protection runs that are currently executing will cancel when the Quiet Time
period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues
to execute even when a Quiet Time period starts. However, new protection runs will not start during a
Quiet Time.

Snapshot Prefix (Available only for NetApp data protection volumes)
Select one of the following options to back up the snapshots from the data protection (DP) volume to
Cohesity DataProtect:

None. (Default) Enable this option if you want the Cohesity DataProtect service to take the full
backup from the oldest snapshot available on the DP volume and incremental backup from the latest
snapshots available on the DP volume.

Snapshot Prefix: Enable this option if you want the Cohesity DataProtect Service to take the full and
incremental backup from the snapshots that match the prefix name you specify:

Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP volume
from which Cohesity DataProtect can take incremental backups.

Full Snapshot Prefix. Specify the prefix of snapshot name present in the DP volume from which
Cohesity DataProtect can take the first full backup.


Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.
With the protected objects selected, you can click:

• Recover to recover the Groups.
• Run Now to start an on-demand protection run immediately.
• Unprotect to remove protection from the object.


Tip: If a protected object is deleted from the source, you can search the
object using Global Search and unprotect it.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the
protection run should start. Enter the Start Time and select AM or PM. The default
time zone is the browser's time zone. You can change the time zone of the protection
run by selecting a different time zone here.

SLA The service-level agreement (SLA) defines how long the administrator expects a
protection run to take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all
the blocks in an object, to take.

• Incremental. The number of minutes you expect an incremental protection
run, which captures only the changed blocks in an object, to take.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time)
When enabled, all the protection runs that are currently executing will cancel when the
Quiet Time period starts. By default, this setting is disabled, meaning that after a
protection run starts, it continues to execute even when a Quiet Time period starts.
However, new protection runs will not start during a Quiet Time.

Recover Groups
After you protect the Groups in your domain, you can recover them as whole Groups from
Cohesity DataProtect, to the same Microsoft 365 Group, to an alternate Microsoft 365
Group, or to a new Microsoft 365 Group in the same Microsoft 365 domain.
Points to note:

• Granular recovery of Group contents is not supported.
• If you're restoring a Group that does exist in the Microsoft 365 domain, Cohesity
DataProtect creates a new Group with the metadata and data from the backup
snapshot.
• If you restore to an existing Group, the group resources in the existing Microsoft 365
Group are overwritten or appended with the restored data. The following table details
the group resources that are overwritten or appended:


Restore Behavior    Group Resource Type

Appended            members
                    owners
                    mails (data)

Overwritten         hideFromAddressLists
                    hideFromOutlookClients
                    displayName
                    visibility
                    securityEnabled
                    description
                    theme

You can restore the Microsoft 365 Group data to:

• The same Microsoft 365 Group.
• A different Microsoft 365 Group in the same Microsoft 365 domain.
• A new Microsoft 365 Group in the same Microsoft 365 domain.

To recover a protected Microsoft 365 Group:

1. Go to Sources to set up your recovery task.


2. Click into the Source name and select the Group tab.
3. Above the tree, select Show All > Protected.
4. Find the Group you need and click the Recover button on that row to open the New
Recovery form with the Latest snapshot (protection run).
5. In the New Recovery form, if you need to add more Groups and/or recover from an
earlier backup, click the Edit icon in the top right of the form.
1. To add Teams, enter a Search term on the left, locate the other Teams, and
select them.
2. To use a different Recovery Point for a Team, click the Edit icon on the tile
for that Team. Find the recovery point you need and click Select Recovery
Point.
6. Click Next: Recover Options to return to the form.
7. Under Recover To, select Original Location or New Location.


If you choose New Location, specify the Group Name and the Group SMTP.
8. Select your Recovery Options:
1. Continue on Error. Enable to recover even if errors occur when recovering
Groups. For example, if one of the Groups cannot be recovered, Cohesity
DataProtect will still attempt to recover the other selected Groups.
2. Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Next > Protect your M365 Mailboxes, OneDrives, SharePoint Online Sites, and Teams so
you can recover them easily when you need to, as well!


Amazon Web Services


Cohesity DataProtect provides a simple, fast, and cost-effective backup, recovery, and data
management solution for Amazon Web Services.

AWS Account Requirements


To register your AWS account, run the CloudFormation Template (CFT) and add permissions
to the IAM user.
The tables below list the permissions used by Cohesity in your AWS account. You do not
need to add these permissions manually (except the IAM User Permissions to Execute CFT),
as they are automatically added when you run the CFT provided by Cohesity during your
AWS account registration with the Cohesity DataProtect and SiteContinuity services.

IAM User Permissions to Execute CFT


To register an AWS account with the Cohesity DataProtect service, you need to run the
CloudFormation Template on the AWS console. Ensure the IAM user you use has the
following permissions to run the CloudFormation Template and to create and view the
stack:

Note: You must add these permissions manually.

• cloudformation:CreateChangeSet
• cloudformation:CreateStack
• cloudformation:CreateUploadBucket
• cloudformation:DeleteStack
• cloudformation:DescribeStackEvents
• cloudformation:DescribeStackResources
• cloudformation:DescribeStacks
• cloudformation:GetTemplate
• cloudformation:GetTemplateSummary
• cloudformation:ListStackResources
• cloudformation:ListStacks
• cloudformation:UpdateStack
• iam:AddRoleToInstanceProfile
• iam:AttachRolePolicy
• iam:CreateInstanceProfile
• iam:CreateRole
• iam:DeleteInstanceProfile
• iam:DeleteRole
• iam:DeleteRolePolicy
• iam:DetachRolePolicy
• iam:GetInstanceProfile
• iam:GetRole
• iam:GetRolePolicy
• iam:PassRole
• iam:PutRolePolicy
• iam:RemoveRoleFromInstanceProfile
• lambda:AddPermission
• lambda:CreateFunction
• lambda:DeleteFunction
• lambda:InvokeFunction
• lambda:RemovePermission
• s3:CreateBucket
• s3:GetObject
• s3:PutObject
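
An added example (not Cohesity's code): a Python check that builds an identity policy from the action list above and audits an existing policy against it before you run the CFT. The sample policy is constructed, Resource and Condition elements are not evaluated, and Resource "*" in the generated policy is an assumption.

```python
import fnmatch
import json

# Actions listed on this page under "IAM User Permissions to Execute CFT".
CFT_ACTIONS = {
    "cloudformation": "CreateChangeSet CreateStack CreateUploadBucket DeleteStack "
                      "DescribeStackEvents DescribeStackResources DescribeStacks "
                      "GetTemplate GetTemplateSummary ListStackResources ListStacks "
                      "UpdateStack",
    "iam": "AddRoleToInstanceProfile AttachRolePolicy CreateInstanceProfile "
           "CreateRole DeleteInstanceProfile DeleteRole DeleteRolePolicy "
           "DetachRolePolicy GetInstanceProfile GetRole GetRolePolicy PassRole "
           "PutRolePolicy RemoveRoleFromInstanceProfile",
    "lambda": "AddPermission CreateFunction DeleteFunction InvokeFunction "
              "RemovePermission",
    "s3": "CreateBucket GetObject PutObject",
}
REQUIRED = sorted(f"{svc}:{name}"
                  for svc, names in CFT_ACTIONS.items() for name in names.split())


def build_policy(resource="*"):
    """Identity policy granting exactly the listed actions, one Sid per service.

    Resource "*" is this example's assumption; the page does not say which
    resources the CFT touches.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CftUser" + svc.capitalize(), "Effect": "Allow",
             "Action": [f"{svc}:{name}" for name in names.split()],
             "Resource": resource}
            for svc, names in CFT_ACTIONS.items()],
    }


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, action):
    if "NotAction" in stmt:  # applies to everything except the listed patterns
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def audit(policies, required=REQUIRED):
    """Report which required actions a set of identity policies fails to grant.

    Simplification: Resource and Condition are not evaluated, so a scoped or
    conditional Allow counts as a grant. An explicit Deny always wins.
    """
    allowed, denied, broad = set(), set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            effect = stmt.get("Effect")
            hits = {a for a in required if _covers(stmt, a)}
            if effect == "Deny":
                denied |= hits
            elif effect == "Allow":
                allowed |= hits
                if "NotAction" in stmt:
                    broad.add("NotAction")
                # Wildcard grants reach beyond the documented action list.
                broad |= {p for p in _as_list(stmt.get("Action"))
                          if "*" in p or "?" in p}
    missing = set(required) - allowed
    return {"missing": sorted(missing), "denied": sorted(denied),
            "broad": sorted(broad), "ready": not missing and not denied}


# Constructed sample: an operator's hand-written policy plus a guardrail Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:*Role*", "iam:*InstanceProfile"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lambda:AddPermission", "lambda:CreateFunction",
                    "lambda:DeleteFunction", "lambda:RemovePermission",
                    "s3:GetObject", "s3:PutObject"]},
        {"Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit([SAMPLE_POLICY]), indent=2))
```

The "broad" list names Allow patterns that grant more than the 34 documented actions, which is where to tighten the policy once the stack has been created.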

Permissions for Amazon EC2 Data Protection

Note: You do not need to add these permissions manually, as they are
automatically added when you run the CFT.


Resource: ebs
Permissions:
  ebs:CompleteSnapshot
  ebs:GetSnapshotBlock
  ebs:ListChangedBlocks
  ebs:ListSnapshotBlocks
  ebs:PutSnapshotBlock
  ebs:StartSnapshot
Reason: These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots.

Resource: ec2
Permissions:
  ec2:AssociateIamInstanceProfile
  ec2:AttachVolume
  ec2:CopySnapshot
  ec2:CreateSnapshot
  ec2:CreateTags
  ec2:CreateVolume
  ec2:DeleteSnapshot
  ec2:DeleteVolume
  ec2:DeregisterImage
  ec2:DescribeAccountAttributes
  ec2:DescribeAddresses
  ec2:DescribeAvailabilityZones
  ec2:DescribeInstanceStatus
  ec2:DescribeInstanceTypes
  ec2:DescribeInstances
  ec2:DescribeKeyPairs
  ec2:DescribeRegions
  ec2:DescribeReservedInstances
  ec2:DescribeReservedInstancesOfferings
  ec2:DescribeSecurityGroups
  ec2:DescribeSnapshots
  ec2:DescribeSubnets
  ec2:DescribeTags
  ec2:DescribeVolumeAttribute
  ec2:DescribeVolumes
  ec2:DescribeVpcEndpointServiceConfigurations
  ec2:DescribeVpcs
  ec2:DetachVolume
  ec2:ModifyInstanceAttribute
  ec2:RegisterImage
  ec2:RunInstances
  ec2:StartInstances
  ec2:StopInstances
  ec2:TerminateInstances
Reason: These permissions are required to register the AWS account on Cohesity BaaS with the IAM
role which got created by the Cloud Formation template. Once the source is registered on
BaaS, describe permissions are needed so Cohesity can identify resources present in the
account, which will be used for backups as well as at the time of recovery we use this information
to provide a list of options (VPC, subnet, KeyPair, etc) to choose from.
For Cohesity snapshots we create SaaS Connector instances for doing backup and
recovery of AWS EC2 instances. Cohesity creates snapshots of the EC2 volumes while
backing up and storing the different instance attributes and tags. While recovering the AWS
EC2 instance, Cohesity creates volumes of original disk size. It also attaches the original
tags and corresponding network and security groups as part of the recovery, along with IAM
Instance Profile if it exists. Cohesity requires the delete snapshots permissions to delete the
expired/old snapshots it creates during the backup. Cohesity requires the delete volume and
instance termination permissions to tear down the SaaS Connectors.

Resource: iam
Permissions:
  iam:PassRole
  iam:SimulatePrincipalPolicy
  iam:GetInstanceProfile
  iam:AmazonSSMManagedInstanceCore
Reason: PassRole permission is needed so that we can attach the created role to SaaS Connectors, as
well as the original roles on the recovered EC2 instances. SimulatePrincipalPolicy is needed so
we can ensure required actions are allowed on the IAM role we created as part of the Cloud
Formation template. GetInstanceProfile is needed to check if the required Instance profile
is present at the time of recovery in the target location. AmazonSSMManagedInstanceCore is
needed to access the AWS Systems Manager Agent (SSM) on the target VM.

Resource: kms
Permissions:
  kms:CreateGrant
  kms:Decrypt
  kms:DescribeKey
  kms:Encrypt
  kms:GenerateDataKey
  kms:GenerateDataKeyWithoutPlaintext
  kms:GetKeyPolicy
  kms:ListAliases
  kms:ReEncryptFrom
  kms:ReEncryptTo
Reason: KMS permissions are needed to read data of encrypted volumes at the time of backup, as well
as write encrypted data to the recovered EBS volumes. Describe permissions are needed so
we can list & identify keys associated with EBS volumes.

Resource: ssm
Permissions:
  ssm:GetCommandInvocation
  ssm:SendCommand
Reason: SSM permissions are needed at the time of claiming (adding) SaaS Connections to Cohesity
BaaS.


Permissions for Amazon RDS Data Protection

Note: You do not need to add these permissions manually, as they are
automatically added when you run the CFT.

Resource: ec2
Permissions:
  ec2:DescribeAvailabilityZones
  ec2:DescribeInstances
  ec2:DescribeKeyPairs
  ec2:DescribeRegions
  ec2:DescribeReservedInstancesOfferings
  ec2:DescribeSecurityGroups
  ec2:DescribeSubnets
  ec2:DescribeVolumes
  ec2:DescribeVpcs
Reason: Required for AWS source registration and to discover the resources present in the account,
which will be used for backups. Also needed for recovery to provide a list of options to choose from.

Resource: iam
Permissions:
  iam:SimulatePrincipalPolicy
Reason: SimulatePrincipalPolicy is needed to ensure that the required actions are allowed on the
IAM role we created as part of the Cloud Formation template.

Resource: kms
Permissions:
  kms:CreateGrant
  kms:DescribeKey
  kms:ListAliases
Reason: KMS permissions are needed to read data of an encrypted database at the time of backup,
as well as write encrypted data to the recovered database. Describe permissions are needed so
we can list & identify keys associated with database instances.

Resource: rds
Permissions:
  rds:AddTagsToResource
  rds:CopyDBClusterSnapshot
  rds:CopyDBSnapshot
  rds:CreateDBClusterSnapshot
  rds:CreateDBInstance
  rds:CreateDBSnapshot
  rds:DeleteDBClusterSnapshot
  rds:DeleteDBSnapshot
  rds:DescribeDBClusterSnapshots
  rds:DescribeDBClusters
  rds:DescribeDBInstances
  rds:DescribeDBParameterGroups
  rds:DescribeDBSnapshots
  rds:DescribeDBSubnetGroups
  rds:DescribeOptionGroups
  rds:ModifyDBClusterSnapshotAttribute
  rds:ModifyDBSnapshotAttribute
  rds:RestoreDBClusterFromSnapshot
  rds:RestoreDBClusterToPointInTime
  rds:RestoreDBInstanceFromDBSnapshot
  rds:RestoreDBInstanceToPointInTime
Reason: These permissions are required to register the AWS account on Cohesity BaaS with the IAM
role which got created by the Cloud Formation template. Once the source is registered on BaaS,
describe permissions are needed so Cohesity can identify resources present in the account,
which will be used for backups as well as at the time of recovery we use this information to
provide a list of options to choose from.
Cohesity creates snapshots of the RDS & Aurora instances while backing up and storing the
different database instance attributes and tags. While recovering the database instance,
Cohesity creates the DB instance/cluster and also attaches the original tags. Cohesity requires
the delete snapshots permissions to delete the expired/old snapshots it creates during the
backup. We need the modify snapshot attributes permission so that we can share the snapshot
across accounts if cross-account recovery is attempted. RestoreDBInstanceToPointInTime and
RestoreDBClusterToPointInTime are needed to do the point in time recoveries.

Permissions for Cohesity SiteContinuity (Disaster Recovery)

Note: You do not need to add these permissions manually, as they are
automatically added when you run the CFT.


Resource: ebs
Permissions:
  ebs:CompleteSnapshot
  ebs:GetSnapshotBlock
  ebs:ListChangedBlocks
  ebs:ListSnapshotBlocks
  ebs:PutSnapshotBlock
  ebs:StartSnapshot
Reason: These permissions are required for EBS direct APIs to read & write data from/to EBS
snapshots. Reading EBS data is done during failback preparation, and writing to EBS is done
at failover.

Resource: ec2
Permissions:
  ec2:AssociateIamInstanceProfile
  ec2:AttachVolume
  ec2:CancelExportTask
  ec2:CancelImportTask
  ec2:CopySnapshot
  ec2:CreateImage
  ec2:CreateInstanceExportTask
  ec2:CreateSnapshot
  ec2:CreateTags
  ec2:CreateVolume
  ec2:DeleteSnapshot
  ec2:DeleteTags
  ec2:DeleteVolume
  ec2:DeregisterImage
  ec2:DescribeAccountAttributes
  ec2:DescribeAddresses
  ec2:DescribeAvailabilityZones
  ec2:DescribeExportTasks
  ec2:DescribeImages
  ec2:DescribeImportImageTasks
  ec2:DescribeInstanceAttribute
  ec2:DescribeInstanceStatus
  ec2:DescribeInstances
  ec2:DescribeKeyPairs
  ec2:DescribeRegions
  ec2:DescribeReservedInstancesOfferings
  ec2:DescribeSecurityGroups
  ec2:DescribeSnapshots
  ec2:DescribeSubnets
  ec2:DescribeTags
  ec2:DescribeVolumeAttribute
  ec2:DescribeVolumes
  ec2:DescribeVpcs
  ec2:DetachVolume
  ec2:ImportImage
  ec2:ModifyInstanceAttribute
  ec2:ModifyNetworkInterfaceAttribute
  ec2:ModifySnapshotAttribute
  ec2:RegisterImage
  ec2:RunInstances
  ec2:StartInstances
  ec2:StopInstances
  ec2:TerminateInstances
Reason: These permissions are required to register the AWS account on Cohesity Helios with the
IAM role created by the Cloud Formation template. Once the source is registered, describe
permissions are needed so Cohesity can identify resources present in the account like EC2
instance, VPC, subnet, etc. These describe permissions are also used at the time of failover and
failback.
The import/export permissions are required because we use AWS Import/Export as our fallback
mechanism if Cohesity Import/Export does not work. Cohesity requires all the instance-related
permissions to run instances and terminate them if some error occurs.
Delete permissions are required so that Cohesity can delete the temporary resources like
volumes or snapshots it has created in the process of failover or failback so that we do not
leave any garbage behind.

Resource: iam
Permissions:
  iam:AddRoleToInstanceProfile
  iam:AttachRolePolicy
  iam:CreateInstanceProfile
  iam:CreateRole
  iam:GetInstanceProfile
  iam:GetRole
  iam:GetRolePolicy
  iam:PassRole
  iam:PutRolePolicy
  iam:SimulatePrincipalPolicy
Reason: These IAM permissions are needed because we have to SSM into the converter instance,
and for that to work, an instance profile should be attached to the converter instance. So to
create that instance profile for the role, these permissions are needed.

Resource: kms
Permissions:
  kms:ListAliases
Reason: KMS permission is needed to list the aliases attached to an EC2 instance at the time of
source register.

Resource: s3
Permissions:
  s3:CreateBucket
  s3:DeleteObject
  s3:GetBucketAcl
  s3:GetObject
  s3:HeadObject
  s3:PutBucketAcl
  s3:PutBucketPublicAccessBlock
Reason: These S3 permissions are needed in case of the vmimport role we use in case of failover.

Resource: ssm
Permissions:
  ssm:GetCommandInvocation
  ssm:ListCommandInvocations
  ssm:SendCommand
Reason: SSM permissions are needed at the time of failover, where we launch the SaaS Connector
and temporary converter instance for creating EC2 instances.

Considerations
Considerations for Amazon EC2 Cohesity Snapshots

• When using Cohesity snapshots to back up & recover EC2 instances within the same
AWS region, if your AWS SaaS Connectors are deployed in a:
    • Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
    • Private subnet, configure the EBS VPC Interface Endpoint and S3 Gateway
    VPC endpoints.
• When using Cohesity snapshots to back up & recover EC2 across different AWS
regions, if your SaaS Connectors are deployed in a:
    • Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
    • Private subnet, configure the EBS VPC Interface Endpoint and the S3
    Interface VPC endpoints.

Note: Cross-region data transfer charges apply if Cohesity snapshots are
ingested to or recovered from a different AWS region. Using a public subnet
for your SaaS Connectors provides cost efficiency compared to a private
subnet.

• To prepare your AWS account for Cohesity SaaS Connector deployment in a Public or
Private subnet, see AWS SaaS Connector Deployment.


Considerations for Amazon RDS

• Cross-account recovery of Amazon RDS is not supported.
• AWS Aurora cluster is recovered with at most one reader.
• Auto protection is not currently supported.

Register Your AWS Account


To start protecting your AWS account, check the AWS account requirements and then
register the AWS account as a data source in Cohesity DataProtect. (You can also unregister
an AWS account if and when necessary.)

Register AWS Account


1. Navigate to Sources and select Register Source > AWS.
2. In the Register AWS Source form, enter the AWS Account ID and select the
Destination cloud region.

Note: If you decide to create air-gapped Cohesity snapshots of your
Amazon EC2 instances, this is the AWS region where the Cohesity
DataProtect service will store them.

3. Enable the option to Use this account as a backup source in DataProtect
(enabled by default).
4. Select the AWS Services you want to register:
• EC2
• RDS
By default, both services are selected.
5. Disable the Use this account as a DR target in SiteContinuity option. Enable
this option only if you are planning to use this AWS account as a disaster recovery
(DR) target in Cohesity SiteContinuity.
6. Click Next to generate a CloudFormation Template, which you will use to complete
the AWS source registration.
7. Click Download CloudFormation Template.
8. Run the CloudFormation Template in your AWS account to create the IAM roles and
policies that the Cohesity DataProtect service needs. On running the CFT, IAM roles
and policies are created depending on the AWS services (EC2 instances and RDS
databases) you selected for registration.


Optionally, you can restrict the granted permissions to a set of resources when
creating the CloudFormation stack. For details, see Run CloudFormation Template.
9. Once the roles and policies are created successfully, the Register AWS Source form
will indicate the account authentication status.
10. Once account authentication is successful, click Register. (If authentication fails,
contact Cohesity Support.)

If you plan to protect Amazon EC2 instances using Cohesity snapshots, make sure you
deploy one or more SaaS Connectors in your AWS account by going to Sources and editing
your AWS source. From there, you can enter the SaaS Connector configuration details.

Unregister AWS Account


If you plan to stop backing up your Amazon EC2 instances or Amazon RDS, you can
unregister the AWS account from Cohesity DataProtect.

Note: Before you unregister an AWS account from Cohesity DataProtect, you
must unprotect all the protected objects in that AWS account.

To unregister the AWS account:

1. Navigate to Sources.

2. Click the Actions menu next to the AWS account and select Unregister.

3. In the Unregister Source dialog, click Unregister.

Edit AWS Account


You can edit the registered AWS account to add or remove the AWS services protected by
the Cohesity DataProtect service from your AWS account.
To edit an AWS Account:

1. Navigate to Sources.

2. Click the Actions menu next to the AWS account and select Edit.

3. In the Edit AWS Source form, select or unselect the AWS services (EC2 and/or RDS)
you need and click Update.

Important: If you add or remove any AWS services, then you must update the
CloudFormation Template and execute it in your AWS account again to update the
existing CloudFormation stack.


Next > You are now ready to protect the Amazon EC2 instances or RDS databases in your
AWS account!

Amazon EC2 Instances


Cohesity DataProtect provides a simple, fast, and cost-effective backup, recovery, and data
management solution for Amazon EC2 instances in your AWS account.

Protect Your Amazon EC2 Instances


Once you have registered your AWS account, you are ready to protect the EC2 instances in
that account.

Cohesity's Options for EC2 Backup: AWS or Cohesity Snapshot

Cohesity DataProtect provides two options for Amazon EC2 backup:

• AWS snapshot: Cohesity DataProtect protects the EC2 instances using the native
AWS snapshots and stores them in the same AWS account and region as the source
EC2 instances.
• Cohesity snapshot: Cohesity DataProtect protects the EC2 instances by ingesting
the backup data to an AWS region supported by the Cohesity DataProtect service. The
target AWS region is the region that is selected during AWS source registration.
Cohesity snapshots provide an air-gapped backup and granular file & folder level
recoveries.

When selecting a protection policy below, you can choose to back up your EC2 instances
using either approach, or both.

Consideration

• Backing up NFS mount points mounted on an EC2 instance is not supported.

Add Protection to Your Registered Amazon EC2 Instances

To protect your Amazon EC2 instances:

1. Under Sources, find the registered AWS account and click into it.
2. Use the filters and search box at the top to narrow your search.
3. Use the checkboxes to select the objects for protection. To protect the whole source,
click the checkbox above the column.


Note: When you check a parent object, you can choose:

• Select All Child Objects. To capture the tree as it currently exists, or
• Auto Protect. To capture the tree and any future additions.

4. Click the Protect icon above the checkboxes.


5. In the New Protection dialog, select a Policy from the following snapshot options:
• Policy (AWS snapshot)
• Policy (Cohesity snapshot)
You can create AWS snapshots, Cohesity snapshots, or both. If you choose to create
both snapshot types, you can use either the same policy or different policies to
specify the backup frequency and retention.
If the existing policies do not meet your needs, you can create a new policy with the
backup frequency and retention settings as desired.

Note: If you have selected Policy (Cohesity snapshot), ensure that an AWS
SaaS Connection is deployed for all the AWS regions where you have
instances to protect. If a region in your AWS account does not have a SaaS
Connection deployed, protecting the Amazon EC2 instances in that region
will fail.

To view the SaaS Connections that are already configured, click the Actions menu
next to the registered AWS source and select Setup SaaS Connection.

6. If you wish to configure a specific Start Time, End Date, Alerts, and other
additional settings, click More Options.
7. Click Protect.

Cohesity DataProtect starts backing up the Amazon EC2 instances you selected. You can
monitor the status of the backup in the Activity page.
Also, the Activity tab of a specific Amazon EC2 instance shows the history of all protection
runs, including the one in progress.
If you have selected both AWS snapshot and Cohesity snapshot policies, then the
Activity page will display two protection runs for the objects that are being backed up:


• Backup. The protection run created for Cohesity snapshot-based protection.
• Backup (AWS Snapshot). The protection run created for AWS snapshot-based
protection.

To learn about managing the existing protection, see Manage Existing Protection.

Additional Settings

| Advance Settings | Description |
|---|---|
| End Date | If you need to end protection on a specific date, enable this to select the date. |
| Volume Exclusion Settings | EC2 disks can be excluded based on disk tags using simple query rules. For example, the query (type = log AND environment IN (qa, dev)) OR exclude = yes excludes all volumes from backup for which the volume tags meet the above condition. |
| Cancel Runs at Quiet Time Start | Available only if the selected policy has at least one quiet time period. Toggle it ON to specify that all currently executing protection runs should abort if a quiet time period specified for the Protection Group starts. By default this toggle is OFF, which means after a protection run starts, it continues to execute even when a quiet time period specified for this protection run starts. However, a new protection run will not start during a quiet time period. |
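
A volume exclusion rule that matches more tags than intended removes those disks from every backup, so it helps to dry-run the rule against a tag inventory before saving it. The following is an added example, not Cohesity code: a small evaluator for the query shown in the table, assuming parentheses group, AND binds tighter than OR, and keys and values match exactly; the volume names and tags are constructed sample data.

```python
import re

# Grammar assumed for this sketch (an assumption, not Cohesity's documented syntax):
#   expr   := term ("OR" term)*
#   term   := factor ("AND" factor)*
#   factor := "(" expr ")" | KEY "=" VALUE | KEY "IN" "(" VALUE ("," VALUE)* ")"
TOKEN = re.compile(r"\s*(\(|\)|,|=|[^\s(),=]+)")
RESERVED = {"(", ")", ",", "=", "AND", "OR", "IN"}


class ExclusionQuery:
    """Parse a tag query once, then test any number of volume tag sets."""

    def __init__(self, query):
        self.tokens = TOKEN.findall(query)
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def _word(self):
        # A tag key or value: any token that is not punctuation or a keyword.
        tok = self._take()
        if tok in RESERVED:
            raise ValueError(f"expected a tag key or value, got {tok!r}")
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "OR":
            self._take("OR")
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "AND":
            self._take("AND")
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        if self._peek() == "(":
            self._take("(")
            node = self._expr()
            self._take(")")
            return node
        key, op = self._word(), self._take()
        if op == "=":
            return ("in", key, {self._word()})
        if op != "IN":
            raise ValueError(f"expected = or IN after {key!r}, got {op!r}")
        self._take("(")
        values = {self._word()}
        while self._peek() == ",":
            self._take(",")
            values.add(self._word())
        self._take(")")
        return ("in", key, values)

    def matches(self, tags):
        """Return True when a volume with these tags would be excluded."""
        return self._eval(self.ast, tags)

    def _eval(self, node, tags):
        if node[0] == "in":
            # A missing tag never matches.
            return tags.get(node[1]) in node[2]
        left, right = self._eval(node[1], tags), self._eval(node[2], tags)
        return (left and right) if node[0] == "and" else (left or right)


# The example query from the table above.
PAGE_QUERY = "(type = log AND environment IN (qa, dev)) OR exclude = yes"

# Constructed tag inventory (volume names are placeholders, not real IDs).
SAMPLE_VOLUMES = {
    "vol-log-qa": {"type": "log", "environment": "qa"},
    "vol-log-prod": {"type": "log", "environment": "prod"},
    "vol-data-flagged": {"type": "data", "environment": "dev", "exclude": "yes"},
    "vol-data-dev": {"type": "data", "environment": "dev"},
    "vol-untagged": {},
}


def excluded_volumes(query, volumes):
    """List the volumes a rule would drop from backup, for review before saving."""
    rule = ExclusionQuery(query)
    return sorted(vid for vid, tags in volumes.items() if rule.matches(tags))


if __name__ == "__main__":
    for vid in excluded_volumes(PAGE_QUERY, SAMPLE_VOLUMES):
        print("would be excluded from backup:", vid)
```

Review the resulting list against the disks that must stay protected; a production log volume tagged environment = prod stays in the backup, while any disk tagged exclude = yes is dropped regardless of its other tags.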

Next > When the first protection run completes, you will be ready to recover your
protected Amazon EC2 instances if and when you need to.

Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.
Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.


4. Click the Actions menu next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.

With the protected objects selected, you can click:

• Recover to recover the object or file.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search for the
object using Global Search and unprotect it.

• Run Now to start an on-demand protection run immediately.

Additional Settings

| Advance Settings | Description |
|---|---|
| End Date | If you need to end protection on a specific date, enable this to select the date. |
| Volume Exclusion Settings | EC2 disks can be excluded based on disk tags using simple query rules. For example, the query (type = log AND environment IN (qa, dev)) OR exclude = yes excludes all volumes from backup for which the volume tags meet the above condition. |
| Cancel Runs at Quiet Time Start | Available only if the selected policy has at least one quiet time period. Toggle it ON to specify that all currently executing protection runs should abort if a quiet time period specified for the Protection Group starts. By default this toggle is OFF, which means after a protection run starts, it continues to execute even when a quiet time period specified for this protection run starts. However, a new protection run will not start during a quiet time period. |

Recover Your Amazon EC2 Instances


After you protect your Amazon EC2 instances, you can recover them to their original
location or a new location using Cohesity DataProtect.
We recommend that you also review the Amazon EC2 Recovery Support Matrix and
Important Considerations at the end of this article.

Recover EC2s to Original Location

To recover your protected Amazon EC2 instances to their original location:

1. Go to Sources.
2. Click the Source name.
3. Select Show All > Protected.
4. Use the filters, search box, and views to locate and select the EC2 instances you want
to recover.


Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Click the Recover icon at the top to open the New Recovery form. By default, the
Latest snapshot is pre-selected for recovery. If you need to recover from an earlier
snapshot, click the Edit (pencil) icon to choose the desired snapshot. The icon(s)
displayed under Location indicate the snapshot type(s) available (AWS snapshot
and/or Cohesity snapshot) for recovery. Choose a snapshot type and click its icon
to proceed with the recovery task:
• Click Select Recovery Point.
• Click Next: Recover Options to return to the form.

Note: To recover from a Cohesity snapshot, you need an AWS SaaS
Connection deployed in the target AWS region.

6. Under Recover To, select Original Location.


7. Select your Recovery Options:
• Rename: Add a Prefix and/or Suffix to the recovered Amazon EC2 instances.
• Power State: Disable Power On if you want the recovered EC2 instances to
remain powered off after they are created.
• Continue on Error: Enable this option if you want to continue the recovery
even if one of the objects encounters an error. By default, this option is
disabled and the recovery operation will fail if one of the objects encounters an
error.
• Task Name: Change the default name of the recovery task.
8. Click Recover.

Cohesity DataProtect begins to restore the selected Amazon EC2 instances.

Recover EC2s to New Location

To recover your protected Amazon EC2 instances to a new location:

1. Go to Sources.
2. Click the Source name.
3. Select Show All > Protected.
4. Use the filters, search box, and views to locate and select the EC2 instances you want
to recover.


Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Click the Recover icon at the top to open the New Recovery form. By default, the
Latest snapshot is pre-selected for recovery. If you need to recover from an earlier
snapshot, click the Edit (pencil) icon to choose the desired snapshot. The icon(s)
displayed under Location indicate the snapshot type(s) available (AWS snapshot
and/or Cohesity snapshot) for recovery. Choose a snapshot type and click its icon
to proceed with the recovery task:
• Click Select Recovery Point.
• Click Next: Recover Options to return to the form.

Note: To recover from a Cohesity snapshot, you need an AWS SaaS
Connection deployed in the target AWS region.

6. Under Recover To, select New Location and provide:


• Source. Select a registered AWS account as the new recovery destination.
• Region. Select a destination AWS region.
• Subnet. Select the subnet where the recovered EC2 Instance(s) will be
launched.
• Key Pair. Select an AWS key pair to be associated with the recovered EC2
Instance(s).
• Network Security Group. Select the network security group to be associated
with the recovered EC2 Instance(s).
7. Select your Recovery Options:
• Rename: Add a Prefix and/or Suffix to the recovered Amazon EC2 instances.
• Power State: Disable Power On if you want the recovered EC2 instances to
remain powered off after they are created.
• Continue on Error: Enable this option if you want to continue the recovery
even if one of the objects encounters an error. By default, this option is
disabled and the recovery operation will fail if one of the objects encounters an
error.
• Task Name: Change the default name of the recovery task.
8. Click Recover.

Cohesity DataProtect begins to restore the selected Amazon EC2 instances.


Amazon EC2 Recovery Support Matrix

| Backup Type | Data Source | Recovery to same AWS account, same AWS region | Recovery to same AWS account, different AWS region | Recovery to a different AWS account, same AWS region | Recovery to a different AWS account, different AWS region |
|---|---|---|---|---|---|
| AWS Snapshot | Encrypted | Supported | Supported | Supported | Supported |
| AWS Snapshot | Non-Encrypted | Supported | Supported | Supported | Supported |
| Cohesity Snapshot | Encrypted | Supported | Supported | Supported | Supported |
| Cohesity Snapshot | Non-Encrypted | Supported | Supported | Supported | Supported |

Important Considerations

For recovery to:

• Same AWS Account, same AWS Region: No prerequisites.
• Same AWS Account, different AWS Region: To recover encrypted EC2 instance(s),
you must create a KMS encryption key in the target AWS account & region with
the same alias name as the KMS encryption key used to encrypt the source EC2
instance(s).
• Different AWS Account, same AWS Region:
  a. Target AWS account should be registered as a data source in the same
  destination cloud region.
  b. To recover encrypted EC2 instance(s), you must create a KMS encryption key in
  the target AWS account & region with the same alias name as the KMS
  encryption key used to encrypt the source EC2 instance(s).
  c. Additional limitations for AWS snapshot recovery:
    • AWS KMS encryption key should be shared from the source AWS account
    to the target AWS account before the recovery is attempted.
    • If the source EC2 instances were encrypted with default AWS KMS
    encryption key, their recovery to a different AWS account will fail. (AWS
    limitation).
• Different AWS Account, different AWS Region:
  a. Target AWS account should be registered as a data source in the same
  destination cloud region.
  b. To recover encrypted EC2 instance(s), you must create a KMS encryption key in
  the target AWS account & region with the same alias name as the KMS
  encryption key used to encrypt the source EC2 instance(s).
  c. Additional limitations for AWS snapshot recovery:
    • AWS KMS encryption key should be shared from the source AWS account
    to the target AWS account before the recovery is attempted.
    • If the source EC2 instances were encrypted with default AWS KMS
    encryption key, their recovery to a different AWS account will fail. (AWS
    limitation).

Recover Amazon EC2 Files and Folders


You can download or restore specific files and folders from a protected EC2 instance to
either the original or an alternate EC2 instance.

Prerequisites

• The SaaS Connector must be able to reach the target VM on port 50051 so that the
SaaS Connector can push the files being recovered to the target VM using the
Cohesity agent.
• If the Cohesity Agent is to be installed as part of the recovery task in Cohesity, ensure
that:
  • AWS Systems Manager Agent (SSM) access is available on the target VM. For
  more information, see AWS documentation.
  • The target VM is able to reach the SaaS Connector on port 443 so that the target
  VM can pull the agent installer from the SaaS Connector.

Considerations

When recovering files and folders from protected Amazon EC2 instances, remember:

• Files and folders download is only available for EC2 Cohesity snapshots and not for
AWS snapshots.
• Download of symlinks is not available.
• Recovery of Windows symlinks is not supported.
• Recovery of files and folders from a combination of different volumes is not
supported.


Recover Amazon EC2 Files and Folders

Important: To restore files from a Cohesity snapshot to an Amazon EC2 instance,
you need an AWS SaaS Connection deployed in the target AWS region.

To recover or download your files and folders from your protected Amazon EC2 instances:

1. Go to Sources.
2. Click the Source name.
3. Select Protection Status > Protected.
4. Use the filters, search box, and views to locate and select the EC2 instances you want
to recover.
You can also use Global Search to locate, filter, and select the objects you need.
Click the Global Search box at the top or type slash (/) anywhere to start your
search.
5. Click the required EC2 backed up as a Cohesity Snapshot and click the Recover Files
icon for the EC2. The page with the EC2 details is displayed.
6. Select the timeline drop-down list on the top right corner to select the snapshot and
click Apply.
7. Click the required volume to browse the file system and select the file or folder to be
recovered.
You can click Download Files to download the selected files.
8. Click Next. The Files page is displayed.
9. Under Recover To, select Original Server or New Server.
• For recovery to the original EC2, you can provide the new recovery path in the
Recover To field or use the Recover To Original Path option to recover to
the original path on the original server.
• For recovery to an alternate EC2, you can choose any AWS server and select a
Target. Provide the new recovery path in the Recover To field.

Note: The recovery process will attempt to install the Cohesity Agent on the
target EC2 instance using AWS SSM. If the SSM agent is not running on the
target EC2 instance or if the Cohesity IAM role does not have access to send
SSM commands to the target EC2 instance, then you can download the agent
using the Download Cohesity Agent link and install it on the target EC2
instance before starting the recovery. For more details, see Download and
Install the Cohesity Agent.


10. Select your Recovery Options:
• Overwrite Existing File/Folder: Enable this option to overwrite the existing
files and folders. Disable this option to create the files and folders in the
specified location. If a file with the same name already exists in the target
location, the file is overwritten or skipped based on this selection.
If Overwrite Existing File/Folder is enabled, recovering a file to source
when the file is in use may cause the open file to be overwritten. Whether
overwriting occurs depends on the application using the file.
• Preserve File/Folder Attributes: By default, this option is enabled and the
ACLs, permissions, and timestamps are preserved for all files and folders. If
you disable this option, then ACLs and permissions are not preserved. If both
folders and files are recovered, then folders will receive the new timestamps,
but files retain their original timestamps. If recovering only files, then files will
receive the new timestamps.
• Continue on Error: Enable this option if you want to continue the recovery
even if one of the objects encounters an error. By default, this option is
disabled and the recovery operation will fail if one of the objects encounters an
error.
• Task Name: Change the default name of the recovery task.
11. Click Recover.

Cohesity DataProtect begins to restore the selected Amazon EC2 files and folders.

Download and Install the Cohesity Agent

Install the Cohesity Agent on each Windows and Linux Amazon EC2 instance that you want
to recover to.

Install the Cohesity Windows Agent

To download and install the Cohesity Windows Agent:

1. Navigate to the Files page to recover the Amazon EC2 instance. To access the Files
page, follow steps 1-8 in Recover Amazon EC2 Files and Folders above.
2. Click Download Cohesity Agent and download it to the appropriate server.
3. As an administrator with local system privileges on that server, run the executable
and complete the installation wizard.

Install the Cohesity Linux Agent

The Cohesity Linux Agent is available with different installer packages, providing support on
multiple Linux distributions. You’ll need to install the appropriate package (RPM, Debian, or
SUSE RPM) for your Linux distribution or install the script installer package.
The installer packages and Linux distributions on which the installer package is supported
are:


| Installer Package | Linux Distribution |
|---|---|
| (Default) RPM | RHEL and its derivatives |
| Suse RPM | SUSE |
| Debian | Ubuntu |
| Script Installer | All supported Linux Operating Systems |

The Cohesity Linux Agent has dependencies on the following packages, which must be
installed on the Linux server:

| Command/Package | RHEL | SUSE | CentOS | Ubuntu | Debian |
|---|---|---|---|---|---|
| rsync | rsync | rsync | rsync | rsync | rsync |
| mount | util-linux | util-linux | util-linux | mount | mount |
| lvm2 | lvm2 | lvm2 | lvm2 | lvm2 | lvm2 |
| sudo | sudo | sudo | sudo | sudo | sudo |
| coreutils | coreutils | coreutils | coreutils | coreutils | coreutils |
| util-linux | util-linux | util-linux | util-linux | util-linux | util-linux |
| nfs client | nfs-utils | nfs client | nfs-utils | nfs-common | nfs-common |
| lsof | lsof | lsof | lsof | lsof | lsof |
| wget | wget | wget | wget | wget | wget |

Install RPM, Debian, or SUSE RPM Installer Package

To install the RPM, Debian, or SUSE installer package:

1. Navigate to the Files page to recover the Amazon EC2 instance. To access the Files
page, follow steps 1-8 in Recover Amazon EC2 Files and Folders above.
2. Click Download Cohesity Agent. Based on your Linux distribution, from the
Download Agents window, select RPM, Debian, or SUSE RPM and download it to the
server you want to protect.


3. As the root user with local system privileges on that server, change the directory to
the location of the installer package.
4. Run the following command depending on the installer package:

| Installer Package | Command |
|---|---|
| RPM | rpm -i el-cohesity-agent-6.5.1-1.x86_64.rpm or yum localinstall ./el-cohesity-agent-6.5.1-1.x86_64.rpm |
| Debian | dpkg -i cohesity-agent_6.5.1-1_amd64.deb |
| Suse RPM | rpm -i cohesity-agent-6.5.1-1.x86_64.rpm |

Note: By default, the installation uses the root user permission for all the files, and
the service is started as root. Therefore, it is necessary to add non-root
users to the sudoers list by making the following changes in the /etc/sudoers
file:

<username> ALL=(ALL) NOPASSWD:ALL
Defaults:<username> !requiretty

5. To start the service as a non-root user, create a new user or use an existing user with
sudo permission and run the following command:

| Installer Package | Command |
|---|---|
| RPM | export COHESITYUSER=<username> ; rpm -i el-cohesity-agent-6.5.1-1.x86_64.rpm |
| Debian | COHESITYUSER=<username> dpkg -i cohesity-agent_6.5.1-1_amd64.deb |
| Suse RPM | export COHESITYUSER=<username> ; rpm -i cohesity-agent-6.5.1-1.x86_64.rpm |

6. Provide the location details for:
• Installation directory: /opt/cohesity
• Log file: /var/log/cohesity

Install Script Installer Package

To install the script installer package:

1. Navigate to the Files page to recover the Amazon EC2 instance. To access the Files
page, follow steps 1-8 in Recover Amazon EC2 Files and Folders above.
2. Click Download Cohesity Agent. In the Download Agents window, select Script
Installer based on your Linux distribution, and download it to the server you want to
protect.
3. As the root user with local system privileges on that server, change the directory to
the location of the installer package.

Note: For SLES 11 SP4, you are required to install the Agent as the root
user.

4. Make the installer executable. For example:

chmod +x cohesity_agent_6.5.1-master_linux_x64_installer

5. Run the executable:

sudo ./cohesity_agent_6.5.1-master_linux_x64_installer -- --install

6. Provide the location details for:
• Installation directory: /home/<username>/cohesityagent or /root/cohesityagent
• Log file: /home/cohesityagent/cohesityagent/logs

The Agent starts after installation completes, as follows:

• CentOS and RedHat (distributions with the "systemd" init system): The Agent starts
automatically.
• Ubuntu (distributions with the "upstart" init system): The Agent starts automatically.

If a Linux server's /etc/sudoers file is managed by a deployment engine such as Chef,
Puppet, or others, this might affect Cohesity DataProtect’s interaction with servers
that have the Linux Agent installed. Take the corresponding actions depending on user
type:


Agent Installation by User Type and Action Required

As the default cohesityagent user:
The Cohesity Linux Agent is installed using the cohesityagent user by default.
For default installations, the cohesityagent user is created by the installer. During
installation, the installer updates the /etc/sudoers file to allow cohesityagent sudo
and no-tty sudo access.
Ensure the following settings in the /etc/sudoers file for the cohesityagent user are
preserved:

cohesityagent ALL=(ALL) NOPASSWD:ALL
Defaults:cohesityagent !requiretty

For example:

#includedir /etc/sudoers.d
dgoble ALL=(ALL) NOPASSWD:ALL
cohbackup ALL=(ALL) NOPASSWD:ALL
Defaults:cohbackup !requiretty

As a non-default user, for example, foo:
Ensure the above settings in the /etc/sudoers file for the foo user are preserved by
replacing the occurrences of 'cohesityagent' with 'foo'.

As root user:
No changes required.
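
Because the agent depends on the two sudoers settings above and a configuration-management run can rewrite the file without notice, a periodic check is useful; the check below also lists every other account that holds the same passwordless ALL grant so that list can be reviewed. This is an added example, not part of the Cohesity agent: audit_sudoers and its result keys are hypothetical names, the sample text is constructed from the example on this page, and the check reads one file's text without following includes, aliases or line continuations.

```python
import re

# Exact forms of the two settings this guide asks you to preserve.
GRANT = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL\)\s+NOPASSWD:\s*ALL$")
NOTTY = re.compile(r"^Defaults:(\S+)\s+!requiretty$")
# sudoers include directives; files they pull in are NOT read by this sketch.
INCLUDE = re.compile(r"^[#@]include(?:dir)?\s+(\S+)$")


def audit_sudoers(text, agent_user="cohesityagent"):
    """Report which required agent settings are missing from sudoers text.

    Returns a dict with:
      missing            - required lines for agent_user that were not found
      other_passwordless - other accounts with ALL=(ALL) NOPASSWD:ALL
      includes           - include paths that must be checked separately
    """
    grants, notty, includes = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDE.match(line)
        if inc:
            includes.append(inc.group(1))
            continue
        if not line or line.startswith("#"):
            continue  # blank line or comment
        grant, tty = GRANT.match(line), NOTTY.match(line)
        if grant:
            grants.add(grant.group(1))
        elif tty:
            notty.add(tty.group(1))

    missing = []
    if agent_user not in grants:
        missing.append(f"{agent_user} ALL=(ALL) NOPASSWD:ALL")
    if agent_user not in notty:
        missing.append(f"Defaults:{agent_user} !requiretty")
    return {
        "missing": missing,
        "other_passwordless": sorted(grants - {agent_user}),
        "includes": includes,
    }


# Constructed sample: the example sudoers content shown on this page.
PAGE_EXAMPLE = """\
#includedir /etc/sudoers.d
dgoble ALL=(ALL) NOPASSWD:ALL
cohbackup ALL=(ALL) NOPASSWD:ALL
Defaults:cohbackup !requiretty
"""

# Constructed sample: the same file after a rewrite dropped the no-tty line.
DRIFTED = """\
#includedir /etc/sudoers.d
dgoble ALL=(ALL) NOPASSWD:ALL
cohbackup ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("drifted", DRIFTED)):
        print(name, audit_sudoers(text, agent_user="cohbackup"))
```

An empty "missing" list means the agent account's settings survived; anything in "other_passwordless" is an account with unrestricted passwordless sudo that deserves the same review as the agent account.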


Amazon RDS Databases


Cohesity DataProtect provides a simple, fast, and cost-effective backup, recovery, and data
management solution for Amazon RDS databases in your AWS account.

Protect Your Amazon RDS Databases


Once you have registered your AWS account, you are ready to protect the Amazon RDS DB
instances in that account.
To protect your Amazon RDS databases:

1. Under Sources, find the registered AWS account and click into it.
2. Click the RDS tab.
3. Use the checkboxes to select the objects for protection. To protect all objects in the
source, click the checkbox next to the AWS account.

Note: When you check a parent object, you can choose:

• Select All Child Objects. To capture the tree as it currently exists, or
• Auto Protect. To capture the tree and any future additions.

4. Click the Protect icon above the checkboxes.


5. Choose a policy to specify backup frequency and retention. If you don't have a policy,
you can easily create one.
6. Under Settings, edit the Start Time if necessary.
7. Under Additional Settings, configure the following option:
• Cancel Runs at Quiet Time Start: (Available only if the selected policy has
at least one Quiet Time) When enabled, all the protection runs that are
currently executing will cancel when the Quiet Time period starts. By default,
this setting is disabled, meaning that after a protection run starts, it continues
to execute even when a Quiet Time period starts. However, new protection runs
will not start during a Quiet Time.
8. Click Protect.

Next > When the first protection run completes, you will be ready to recover your
protected Amazon RDS databases if and when you need to.

Manage Existing Protection

Edit protection settings, change the policy, and start, stop, & pause protection.


Once you have applied protection to the objects in your sources, Cohesity DataProtect
makes it easy to make changes to that protection quickly. You can:

• Edit additional settings like End Date, Exclusions, Alerts, and more.
• Apply a different policy.
• Start an on-demand protection run, pause and resume it, or even remove protection.

Edit Protection Settings

To edit protection settings:

1. Navigate to Sources.
2. Click into the Source name.
3. Select Show All > Protected and use the other filters, search box, and views at the
top to narrow your search.

4. Click the Actions menu next to the object and select Edit Protection to open
the protection settings for that object.

Apply a New Protection Policy

To change the Policy, click the drop-down and select a different policy. To help you choose,
each policy in the list shows the Backup frequency and the Retain period for each backup.
If you don't have a policy that meets your needs, scroll to the bottom of the list and click
Create Policy to create your own policy.

Edit Additional Protection Settings

Under Settings, you can change the protection Start Time (and select the Time Zone).
Click the drop-down next to Additional Settings to change more options. See Additional
Protection Settings for details.

Start, Stop, or Remove Protection

When you select protected objects in one of your sources, Cohesity DataProtect presents
buttons for the actions that are possible for those objects.


With the protected objects selected, you can click:

• Recover to recover the object or file.
• Unprotect to remove protection from the object.

Tip: If a protected object is deleted from the source, you can search for the
object using Global Search and unprotect it.

• Run Now to start an on-demand protection run immediately.

Additional Settings

| Advance Settings | Description |
|---|---|
| End Date | If you need to end protection on a specific date, enable this to select the date. |
| Volume Exclusion Settings | EC2 disks can be excluded based on disk tags using simple query rules. For example, the query (type = log AND environment IN (qa, dev)) OR exclude = yes excludes all volumes from backup for which the volume tags meet the above condition. |
| Cancel Runs at Quiet Time Start | Available only if the selected policy has at least one quiet time period. Toggle it ON to specify that all currently executing protection runs should abort if a quiet time period specified for the Protection Group starts. By default this toggle is OFF, which means after a protection run starts, it continues to execute even when a quiet time period specified for this protection run starts. However, a new protection run will not start during a quiet time period. |

Recover Your Amazon RDS Databases


After you protect your Amazon RDS DB instances, you can recover them to their original
location or a new location using Cohesity DataProtect.
We recommend that you also review the Amazon RDS Recovery Support Matrix and
Important Considerations at the end of this article.

Recover Amazon RDS to Original Location

To recover your protected Amazon RDS DB instances to their original location:

1. Go to Sources.
2. Click the Source name.
3. Select Show All > Protected.
4. Use the filters, search box, and views to locate and select the DB instances you want
to recover.

Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Click the Recover icon at the top to open the New Recovery form. By default, the
Latest snapshot is pre-selected for recovery. If you need to recover from an earlier
snapshot, click the Edit (pencil) icon to choose the desired snapshot. You can also
select any point from the green solid line on the slider if you want to restore to a
specific point in time. Selecting an invalid time from the slider automatically selects
the closest available snapshot.
6. Under Recover To, select Original Location.
7. Enable the Multi A-Z Deployment option if you want the database instances to be
recovered to have a standby instance deployed in another availability zone. This
option is disabled by default.
8. Configure the following Additional Settings:

a. Database Instance Identifier: Specify the unique key that identifies the
database instance that will be recovered.
b. DB Port: Specify the TCP/IP port that the DB instance will use for application
connections. The connection string of any application connecting to the DB
instance must specify the port number of the DB instance. Both the security
group applied to the instance and your company's firewalls must allow
connections to this port.
c. IAM DB Authentication: Enable this option if you want to manage your
database user credentials through AWS IAM users and roles. This option is
disabled by default.
d. Public Accessibility: Enable this option if you want the DB instance to also
have a public IP address in addition to the private IP address. This option is
disabled by default.
e. Copy Tags To Snapshots: Enable this option for copying tags to snapshots.
This option is disabled by default.
f. Auto Minor Version Upgrade: Enable this option if you want the DB instance
to automatically upgrade when a new minor database engine version is
available. This option is disabled by default.
9. Optional. Change the default name of the recovery task in the Task Name field.
10. Click Recover.

Cohesity DataProtect begins to restore the selected Amazon RDS databases.

Recover Amazon RDS Databases to New Location

To recover your protected Amazon RDS DB instances to a new location:

1. Go to Sources.
2. Click the Source name.
3. Select Show All > Protected.
4. Use the filters, search box, and views to locate and select the Amazon RDS database
you want to recover.

Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Click the Recover icon at the top to open the New Recovery form. By default, the
Latest snapshot is pre-selected for recovery. If you need to recover from an earlier
snapshot, click the Edit (pencil) icon to choose the desired snapshot. You can also
select any point from the green solid line on the slider if you want to restore to a
specific point in time. Selecting an invalid time from the slider automatically selects
the closest available snapshot.
6. Under Recover To, select New Location.
7. Enable the Multi A-Z Deployment option if you want the Amazon RDS database
instance to be recovered to have a standby instance deployed in another availability
zone. This option is disabled by default.
8. Under Location, provide the following information:
1. Source: Select a registered AWS account as the new recovery destination.
2. Region: Select a destination AWS region.
9. Under Network Settings, configure the following settings:
1. Subnet: Select a subnet in the Amazon VPC to store the recovered Amazon
RDS.
2. Network Security Groups: Select the security group that should be applied
to the DB instance.
3. Availability Zone: Select an availability zone in AWS to recover the RDS.
10. Configure the following Additional Settings:
1. Database Instance Identifier: Specify the unique key that identifies the
database instance that will be recovered.
2. DB Port: Specify the TCP/IP port that the DB instance will use for application
connections. The connection string of any application connecting to the DB
instance must specify the port number of the DB instance. Both the security
group applied to the instance and your company's firewalls must allow
connections to this port.
3. DB Option Group: Select an option group that contains the option you want to
attach to the DB instance that will be recovered. If there are not any option
groups compatible with the selected engine, a default group will be created at
launch.
4. DB Parameter Group: Select the database parameter group to associate with
the DB instance.
5. IAM DB Authentication: Enable this option if you want to manage your
database user credentials through AWS IAM users and roles. This option is
disabled by default.
6. Public Accessibility: Enable this option if you want the DB instance to also
have a public IP address in addition to the private IP address. This option is
disabled by default.
7. Copy Tags To Snapshots: Enable this option for copying tags to snapshots.
This option is disabled by default.

8. Auto Minor Version Upgrade: Enable this option if you want the DB instance
to automatically upgrade when a new minor database engine version is
available. This option is disabled by default.
11. Optional. Change the default name of the recovery task in the Task Name field.
12. Click Recover.

Cohesity DataProtect begins to restore the selected Amazon RDS databases.
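
Several options in the two recovery procedures above are disabled by default, so a restored instance can end up with weaker settings than the instance it was backed up from. The following is an added example, not part of the Cohesity guide: it compares the records that the AWS describe_db_instances and describe_security_groups APIs return for the source and the restored instance. The mapping from recovery-form option names to API fields is an assumption, and all instance names, group IDs, and records are constructed.

```python
import ipaddress

# Recovery-form option (as named in this guide) -> describe_db_instances field.
# The pairing is an assumption made for this example.
OPTION_FIELDS = {
    "Multi A-Z Deployment": "MultiAZ",
    "IAM DB Authentication": "IAMDatabaseAuthenticationEnabled",
    "Copy Tags To Snapshots": "CopyTagsToSnapshot",
    "Auto Minor Version Upgrade": "AutoMinorVersionUpgrade",
}

# Constructed records, trimmed to the fields the check reads.
SOURCE = {
    "DBInstanceIdentifier": "orders-db-constructed",
    "Endpoint": {"Port": 5432},
    "MultiAZ": True,
    "IAMDatabaseAuthenticationEnabled": True,
    "CopyTagsToSnapshot": False,
    "AutoMinorVersionUpgrade": True,
    "PubliclyAccessible": False,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-constructed-app"}],
}
RESTORED = {
    "DBInstanceIdentifier": "orders-db-restored-constructed",
    "Endpoint": {"Port": 5432},
    "MultiAZ": False,
    "IAMDatabaseAuthenticationEnabled": False,
    "CopyTagsToSnapshot": False,
    "AutoMinorVersionUpgrade": True,
    "PubliclyAccessible": True,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-constructed-open"}],
}
SECURITY_GROUPS = [
    {"GroupId": "sg-constructed-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
    {"GroupId": "sg-constructed-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def _rule_covers(rule, port):
    """True if an ingress rule applies to TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    return proto == "tcp" and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _world_open(rule):
    """True if the rule admits every IPv4 or IPv6 address."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit_restore(source, restored, security_groups):
    """Return findings where the restored instance is weaker than its source."""
    name = restored["DBInstanceIdentifier"]
    port = restored["Endpoint"]["Port"]
    findings = []

    for option, field in OPTION_FIELDS.items():
        if source.get(field) and not restored.get(field):
            findings.append(f"{name}: '{option}' was on for the source but is off after recovery")

    if restored.get("PubliclyAccessible"):
        findings.append(f"{name}: Public Accessibility is enabled, instance has a public IP")

    if port != source["Endpoint"]["Port"]:
        findings.append(f"{name}: DB Port {port} differs from source port {source['Endpoint']['Port']}")

    # Only security groups attached to the restored instance matter.
    attached = {g["VpcSecurityGroupId"] for g in restored.get("VpcSecurityGroups", [])}
    rules = [r for sg in security_groups if sg["GroupId"] in attached
             for r in sg.get("IpPermissions", []) if _rule_covers(r, port)]
    if not rules:
        findings.append(f"{name}: no attached security group allows DB port {port}")
    elif any(_world_open(r) for r in rules):
        findings.append(f"{name}: DB port {port} is reachable from any address")
    return findings


if __name__ == "__main__":
    for finding in audit_restore(SOURCE, RESTORED, SECURITY_GROUPS):
        print(finding)
```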

Amazon RDS Recovery Support Matrix

Backup Type | Data Source | Recovery to Same AWS account, Same AWS region | Recovery to same AWS account, different AWS region | Recovery to a diff AWS account, same AWS region | Recovery to a diff AWS account, different AWS region
AWS Snapshot | Encrypted | Supported | Supported | Coming soon | Coming soon
AWS Snapshot | Non-Encrypted | Supported | Supported | Coming soon | Coming soon

Important Considerations

For recovery to:

• Same AWS Account, same AWS Region: No prerequisites.
• Same AWS Account, Different AWS Region: To recover encrypted RDS instance(s),
  you must create a KMS encryption key in the target AWS account & region with
  the same alias name as the KMS encryption key used to encrypt the source RDS
  instance(s).

Databases
Cohesity DataProtect unifies fragmented data protection solutions for databases.

MS SQL
Cohesity DataProtect provides a simple, fast, cost-effective backup, recovery, and data
management solution for growing MS SQL database environments.

MS SQL Requirements
To register Microsoft SQL Server sources, ensure you meet the version and permission
requirements, then download and install the Cohesity Agent.
Before you register your Microsoft (MS) SQL Server source, confirm that you have one of
the following supported MS SQL deployments:

• Microsoft SQL Server 2019
• Microsoft SQL Server 2017
• Microsoft SQL Server 2016
• Microsoft SQL Server 2014
• Microsoft SQL Server 2012/R2
• Microsoft SQL Server Express

Also, make sure you meet the minimum permissions below and then install the Cohesity
Agent on each SQL server you wish to protect.

Minimum Permissions

To be able to register an MS SQL Server source, you need to first install the Cohesity Agent
on that source. To install the Cohesity Agent, you can use either the LOCAL SYSTEM account
or an account that:

• Is a member of the local Windows Administrators group. For example, if
  qa01\tme-backup is an Active Directory user account in the data center that the
  backup admin plans to use, qa01\tme-backup must be part of the local Windows
  Administrators group on the SQL server.
• Has Log on as a service in the User Rights Assignment on the MS SQL server to
  install the Cohesity Agent.
• Has the sysadmin role in the MS SQL Server instance for transaction log (T-log)
  backup requirements. The sysadmin role is a Microsoft requirement that allows
  third-party solutions to back up transaction logs (T-logs) for full and bulk-logged
  recovery model databases.

Download and Install the Agent

Install the Cohesity Agent on each SQL server that you want to protect.
To install the Cohesity Agent:

1. Navigate to Sources and select Register Source > MS SQL Server.


2. At the bottom of the Register an MS SQL Server dialog, click Download Cohesity
Agent. Make sure you download the Agent on the server you plan to protect.
3. As an administrator with local system privileges on that server, run the executable
and complete the installation wizard.
4. File System CBT (Changed Block Tracker). Install this component to perform MS
SQL Server backup and database recovery.
5. Service Account Credentials. Enter either the LOCAL SYSTEM account credentials
or an account that meets the minimum permissions above.
6. Wait for the Agent installation to finish. In SQL Server Management Studio (SSMS),
validate that the account used to install the Cohesity Agent has SQL Server Role:
sysadmin in the SQL server instances.
7. The Agent starts automatically.

Repeat the Agent installation process on each SQL server you want to protect. This includes
any standalone MS SQL servers and Microsoft SQL Server nodes with AAGs.

Note: SQL Server AAG backup is currently not supported with the Cohesity
DataProtect service. AAG databases will be treated as if the databases are
deployed on a stand-alone SQL Server instance for backup and restore operations.

Next > Register your MS SQL source to protect your databases!

Register MS SQL Server Sources


To start protecting an MS SQL Server database, once you meet the MS SQL requirements,
you need to register the SQL Server as a source.

Note: To connect with sources in your data center, you'll need to use a SaaS
Connection (or create one) to establish connectivity between the sources and the
Cohesity DataProtect service.

To register an MS SQL server, check that it meets the prerequisites below and then add it as
a source in DataProtect.

Prerequisites

• Verify MS SQL Server services are running.
• On the server's Windows system, set the Power Plan to High performance.
• On the SQL Server where you have installed the Cohesity Agent, open the following
  ports:
    • 50051, for backup operations (incoming).
    • 11113 and 11117, for VDI-based backup and restore (outgoing).

  Note: For SQL running in an Amazon EC2 instance, add inbound rules to the EC2
  and SaaS connector(s) security groups, to allow the backup and recovery of
  SQL Server.
    • For SaaS Connector(s) (source) to EC2 instance (destination), use TCP
      and Port 50051.
    • For EC2 instance (source) to SaaS Connector(s) (destination), use TCP
      and Ports 11113 and 11117.

• If you're using the Windows Firewall, set:
    • Inbound rules:
        • Add a rule to accept SQL Server traffic and TCP connections on local port
          1433.
        • Set Remote Port to All Ports.
    • Outbound rules (for MS SQL Server 2016 running on Windows 2016):
        • Update the 'Block network access for R local user accounts in SQL server
          instance MSSQLSERVER' rule by navigating to General > Action
          window and selecting Allow the connection.

Register an MS SQL Server Source

To add an MS SQL Server as a Cohesity DataProtect source:

1. Confirm that you meet the MS SQL requirements for software version and user
account minimum permissions.
2. Navigate to Sources and click Register Source.
3. Select workload type MS SQL Server.
4. In the form, choose Use Existing Connection and select one that is marked
Healthy, or click Create New Connection and follow the instructions in Create a
SaaS Connection.
5. Enter the MS SQL server Hostname or IP Address, the FQDN of the server, or the
VIP of the SQL FCI.
6. Click Save. Cohesity DataProtect auto-discovers the entire MS SQL topology on the
Windows cluster.
7. From the topology list, select Register all MSSQL Nodes to register the MS SQL
nodes as individual MS SQL sources.
8. Click Complete Registration.

Next > You are now ready to protect your SQL databases.

Protect MS SQL Databases


Once you have registered an MS SQL server as a source, you're ready to use Cohesity
DataProtect to protect the MS SQL databases on that server.
To protect your MS SQL databases:

1. Under Sources, find the MS SQL source, click the Actions menu (⋮), and select
Protect.
2. Click Add Objects. Browse through the SQL Server instances and select the
databases that you want to protect. Click Continue.
3. Choose a policy to specify backup frequency and retention.* If you don't have a
policy, you can easily create one.
4. Click More Options and review the following MS SQL Settings:
   ◦ Make Full Backups Copy-only. Enable if you want full backups to be copy-only
     backups so they do not affect the differential base. Note that copy-only full
     backups do not take log backups even if the policy schedules them.
   ◦ WITH Clause. Define the WITH clause that you want to use to customize the
     backup. For more information, see BACKUP (Transact-SQL) in the Microsoft
     documentation.
   ◦ Number of Streams. Define the number of .bak files you want to create for
     better backup performance. By default, Cohesity DataProtect creates three
     .bak files for each database backup for better backup performance.
5. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Cohesity DataProtect starts backing up the databases you selected.

Note: When choosing or configuring your policy, ensure the full, incremental (SQL
Differential), and T-Log backup retention periods are properly configured. The
retention period requirements for SQL VDI are identical to those for SQL native
backups. For example, we recommend aligning your retention periods for each
backup type along these lines:

• Full Backups. Daily at 1 AM with a 7-day retention.
• Incremental Backups (equivalent to SQL Differential backups). Every 12 hours with
  a 3-day retention.
• T-Log Backups. Every 15 minutes with a 1-day retention.

Next > When the first protection run completes, you will be ready to recover your
protected databases when and if you need to.

Recover SQL Databases


After you protect your MS SQL databases, you can recover them from Cohesity DataProtect,
to their original or a new location.
To recover protected MS SQL databases:

1. Go to Sources to set up your recovery task.


2. Click into the Source name.
3. Above the tree, select Show All > Protected.
4. Use the filters, search box, and views to locate and select the SQL databases you
need.

Tip: You can also use Global Search to locate, filter, and select the objects
you need. Click the Global Search box at the top or type slash (/)
anywhere to start your search.

5. Click Recover at the top to open the New Recovery form with the Latest snapshot
(protection run).
If you need to recover from an earlier snapshot, click the Edit icon to open the
Recovery Point calendar. Click List to view the available recovery points by
timestamp and click one.
   ◦ Click Select Recovery Point.
   ◦ Click Next: Recover Options to return to the form.
6. Under Targets, select Recover as a new Database or Overwrite Original
   Database. If you choose:
   ◦ Recover as a new Database, select a registered MS SQL Instance or
     Restore to Original SQL Server Instance.
   ◦ Overwrite Original Database, DataProtect will overwrite the original SQL
     Server instance. Note that this is a destructive action that cannot be undone.
7. If necessary, under Database File Paths, you can:
   ◦ Update the Database Files and Log Files paths.
   ◦ Enter additional File Path Rules.
8. Select your Recovery Options:
   ◦ Rename. Choose whether to Bulk Rename with a Suffix or Rename
     Individual Objects.
   ◦ WITH RECOVERY: By default, an MS SQL restore WITH RECOVERY is
     performed. You can optionally toggle this off to perform a restore WITH
     NORECOVERY.
   ◦ Keep CDC: Use this option to restore a backed-up database with the change
     data capture (CDC) enabled. By default, the Keep CDC switch is ON. If the
     backed-up database is not CDC enabled and the user tries to restore it with
     Keep CDC, the database will be restored without CDC.
   ◦ WITH Clause: Specify the WITH clause that you want to use for the restore.
   ◦ Capture Tail Logs: You can optionally choose to Capture tail logs. Tail logs
     capture records that have not yet been backed up. They are captured to ensure
     all transactions are backed up before restoring the database.
   ◦ Task Name. Change the default name of the recovery task.
9. Click Start Recovery.

Oracle
Cohesity DataProtect provides a simple, fast, cost-effective backup, recovery, and data
management solution for growing Oracle database environments.

Oracle Requirements
To register your Oracle servers and protect your databases, be sure you meet the
requirements and install the Cohesity Agent on each server.
Before you register your Oracle servers to protect your Oracle Databases, confirm that you
meet the software version requirements, prerequisites, and credential requirements, choose
an authentication method, and set the sudoers permissions described below. Then download
and install the Cohesity Linux Agent for Oracle on the servers you wish to protect.

Also, be sure to review the limitations at the end.

Software Version Requirements

Cohesity DataProtect delivered as a Service supports Oracle Database protection for
versions 11gR2, 12cR1, 12cR2, 18c, and 19c single-instance Oracle Databases on physical
servers running versions:

• Oracle Enterprise Linux (OEL) 6.x, 7.x, 8.x
• Red Hat Enterprise Linux (RHEL) 6.x, 7.x, 8.x

Prerequisites

Make sure the following prerequisites are met before you proceed with Oracle source
registration:

• UUIDs. All the Oracle Databases that are protected using Cohesity DataProtect
  should have a unique UUID on the Oracle source where the databases reside.
• Archive Log Mode. Archive Log mode must be enabled for databases to be opened
  in Read-Write mode.
• Read Only Mode: The Oracle Databases should be opened in Read-Write mode.
• Version. The recovery source and target database must be the same Oracle
  database version. For example, snapshots of an 11g Oracle Database cannot be
  recovered to a 12c Oracle Database.
• Oracle Single Instance Deployment. For an Oracle single-instance database, the
  database must be entered into the /etc/oratab file. Otherwise, Cohesity DataProtect
  will not be able to discover this database.
• Authentication. If you choose DB authentication, all the databases on the system
  should have the same username and password or OS Authentication. At the backup
  level, they can have individual passwords for the databases.
• Ports. On the Oracle Server where you install the Cohesity Linux Agent (below), open
  the 50051 port for backup operations (incoming) and 59999 port for self-monitoring
  and debug pages.

Credentials and Privileges

Once you register your physical servers with Cohesity DataProtect as Oracle servers,
Cohesity DataProtect will discover your Oracle databases automatically. For Cohesity
DataProtect to successfully discover your Oracle databases, the user account running the
Cohesity Linux Agent must have the appropriate credentials and privileges.
You can install the Cohesity Linux Agent to run with the ROOT user or with a separate OS
user (also known as the ‘OS Service Account user’).
When connecting to Oracle databases, Cohesity DataProtect can use either the Oracle OS
Authentication or Oracle DB Authentication method. These two types of Oracle
authentication are available whether the Agent is run with the ROOT user or a separate OS
Service Account user.

Note: While most Oracle operations are available using either OS or DB
authentication, some operations specifically require one or the other. For
details, see Oracle Authentication Method Requirement below.

Running Agent with ROOT User

You can install Cohesity’s Linux Agent to run with the ROOT user. When you take this
approach, the agent runs every command using the ROOT user, except for Oracle
commands and utilities like RMAN or SQLPLUS. To run Oracle commands and utilities, the
Agent will ‘su’ to the user who is the owner of the Oracle binary in the current Oracle Home.
If an Oracle operation is run against a source database that has DB Authentication
configured (where the user has previously configured DB credentials for this Oracle source
database), DB Authentication will be used to run Oracle commands and utilities. Otherwise,
OS Authentication via the Oracle binary owner will be used.
When you install the Cohesity Agent to run with the ROOT user, there is no need to configure
additional SUDOERS privileges.
To start the service as a ROOT user, add the following permission to the sudoers file:
Defaults:<oracle_binary_user> !requiretty

Running Agent with OS Service Account user

You can install Cohesity’s Linux Agent to run with a specific OS Service Account user
account, as long as it meets the following requirements:

• The OS user is automatically granted the required sudo privileges. This allows the
  Cohesity Agent to execute specific privileged commands. For details, see Oracle
  Sudoers Permissions for Linux Databases below.
• The OS user should be part of the OS group with SYSDBA or SYSBACKUP privileges
  (for example, dba).

You can run the Cohesity Agent as a different service user, the cohesityagent user, if this
user is part of the OSDBA group in Oracle.
If you choose DB authentication, then all the databases on the system should have the same
username and password.
If you wish to add the OS user to the Oracle Database as an OS-authenticated user, use the
IDENTIFIED EXTERNALLY clause.

Oracle Authentication Method Requirement

You can use either OS user or DB user authentication to connect to your Oracle
Databases, but for recovery to alternate servers, you must use OS authentication.
Table: Available Oracle Operations by Authentication Method.

Oracle Operation | Authentication Method | Notes
Backup | OS Authentication or DB Authentication | None
Restore to Original Server (a.k.a. Overwrite Restore) | OS Authentication or DB Authentication | Restoring data to the same server overwrites the original database.
Restore to Alternate Server | OS Authentication | DB Recovery or Restore into a different server is available, assuming the Oracle binaries already exist and the target Oracle server has free space to store the newly created database files.

Oracle Sudoers Permissions for Linux Databases

The following tables list the sudoers permissions required for the Cohesity Linux Agent for
Oracle.

Note: When you install the Cohesity Agent to run with the ROOT user, there is no
need to configure additional SUDOERS privileges.

Operating System | Sudoers Permissions | Sudoers Permissions
Cohesity Linux Agent | Commands for both Oracle sources & Linux servers | Additional commands only for Linux servers
Linux | cp, chown, chmod, mkdir, rm, tee, hostname, stat, timeout, ls, rsync | blkid, lsof, losetup, dmsetup, lvs, vgs, lvcreate, lvremove, lvchange

Download and Install the Cohesity Agent

The Cohesity Linux Agent can be installed to run as a ROOT user or as an OS Service
Account user. Install the Cohesity Linux Agent on each Oracle server that you want to
protect.

Cohesity Linux Agent Best Practices

We recommend you follow these best practices when you plan to deploy the Cohesity Linux
Agent on Oracle servers and hosts:

• If you choose DB authentication, then all the databases on the system should have the
  same username and password.
• Create a database user for your Cohesity Oracle backup and restore workflows.
  (Optional)
• Both the Oracle host and the Cohesity Linux Agent should have permission to write to
  the adump and diag directories, control file, and the database restore locations.
• Enable Block Change Tracking (BCT) to improve the incremental backup performance
  of the Oracle server. (Optional)
• Assign sudoers to the user running the Cohesity Linux Agent.
• Make the Cohesity Linux Agent user part of the Oracle dba group.
• Given that Oracle Secure Backup (SBT)-based incremental backups are not fully
  hydrated (unlike imagecopy-based backups), we recommend you take a full database
  backup regularly.

Install the Cohesity Linux Agent to Run with ROOT User

To install the Cohesity Linux Agent to run as the ROOT user on your Oracle server:

1. Navigate to Sources and select Register Source > Oracle Source.


2. Click Download Cohesity Agent. Ensure the agent has been downloaded to the
appropriate server.
3. Run the executable file with sudo using the following command syntax:
sudo /<path_to_installer_file> -- --install -c 0 -S root -G root
The command options are:
   ◦ -S: The user to run the Agent. Specify 'root'.
   ◦ -G: The group permission the Agent will use for files and directories installed
     by the agent. Specify 'root'.
   ◦ -c: The boolean switch that controls whether the OS user and group should be
     created. '0' means do not create the OS user and group, and '1' means the
     Agent installation will create the specified OS user and group. (If you choose to
     run with the root user, specify ‘-c 0’ as ‘root’ already exists.)

The Agent starts automatically after the installation, as well as on a subsequent Oracle host
reboot.
At the end of the installation, the commands used to start, stop, or get Agent status are
displayed for future reference.

Install the Cohesity Linux Agent to Run with OS Service Account User

To install the Cohesity Linux Agent to run as the OS Service Account user on the Oracle
server:

1. Navigate to Sources and select Register Source > Oracle Source.


2. Click Download Cohesity Agent. Ensure the agent has been downloaded to the
appropriate server.
3. Grant sudo permission to the user who will install the agent. This user must be part of
the OS DBA group. For details, see Credentials and Privileges above.
   ◦ If you plan to run the Oracle SQL commands as an OS-authenticated user, we
     recommend you perform the installation as the Oracle OS user. Even if the
     Cohesity Agent user is part of the DBA group, you can run the Oracle SQL
     commands.
   ◦ Because restoring to alternate locations requires OS authentication, we
     recommend you use OS instead of DB authentication. The restore to alternate
     locations will succeed only if the Cohesity Agent is installed with dba or
     oinstall as the user group.
   ◦ The Cohesity Agent installer grants sudo permission for the following
     commands:
     /usr/bin/cp, /usr/bin/chown, /usr/bin/chmod, /usr/bin/mkdir,
     /usr/bin/rm, /usr/bin/tee, /usr/bin/hostname, /usr/bin/stat,
     /usr/sbin/blkid, /usr/sbin/lsof, /usr/bin/ls, /usr/sbin/losetup,
     /usr/sbin/dmsetup, /usr/bin/rsync, /usr/bin/timeout,
     /usr/sbin/lvs, /usr/sbin/vgs,
     /usr/sbin/lvcreate, /usr/sbin/lvremove, /usr/sbin/lvchange

4. Copy the downloaded file to the target Oracle host and run the executable file as a
sudo user using the following command syntax:
For script-based installer:
sudo /<path_to_installer_file> -- --install

For RPM-based installer:


sudo rpm -i path_to_install_file

The installer creates the user group, 'cohesity agent,' and installs the Agent.

The Agent starts automatically after the installation or on reboot.
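
The command list in step 3 is the full set the guide says the installer grants, so any other command in the agent account's sudoers entry is privilege the agent does not need. The following is an added example, not Cohesity code: it compares sudoers text against that list. The sample file, the cohesityagent rule layout, and the NOPASSWD form are constructed, because the guide does not show the sudoers entry the installer writes.

```python
import re

# Commands the guide lists as granted by the Cohesity Agent installer.
# Absolute paths; hostname is taken as /usr/bin/hostname.
DOCUMENTED = {
    "/usr/bin/cp", "/usr/bin/chown", "/usr/bin/chmod", "/usr/bin/mkdir",
    "/usr/bin/rm", "/usr/bin/tee", "/usr/bin/hostname", "/usr/bin/stat",
    "/usr/sbin/blkid", "/usr/sbin/lsof", "/usr/bin/ls", "/usr/sbin/losetup",
    "/usr/sbin/dmsetup", "/usr/bin/rsync", "/usr/bin/timeout",
    "/usr/sbin/lvs", "/usr/sbin/vgs", "/usr/sbin/lvcreate",
    "/usr/sbin/lvremove", "/usr/sbin/lvchange",
}

# Constructed sample, not the installer's real output.
SAMPLE_SUDOERS = """\
# sudoers drop-in for the backup agent (constructed)
Defaults:cohesityagent !requiretty
cohesityagent ALL=(ALL) NOPASSWD: /usr/bin/cp, /usr/bin/chown, /usr/bin/chmod, \\
    /usr/bin/mkdir, /usr/sbin/lvs, usr/bin/hostname, /usr/bin/find, /usr/bin/rm *
oracle ALL=(ALL) ALL
"""

# user  host = (runas)  command list
_USER_SPEC = re.compile(r"([^\s=]+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(.*)")


def granted_commands(sudoers_text, user):
    """Return the command specs granted to `user`, in file order.

    Simplification for this example: commas inside command arguments
    (written as '\\,' in sudoers) and Cmnd_Alias expansion are not handled.
    """
    text = re.sub(r"\\\n", " ", sudoers_text)  # join continuation lines
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = _USER_SPEC.match(line)
        if not match or match.group(1) != user:
            continue
        for item in match.group(3).split(","):
            # Drop leading tags such as NOPASSWD: or SETENV:
            item = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", item).strip()
            if item:
                commands.append(item)
    return commands


def audit(sudoers_text, user="cohesityagent"):
    """Flag grants that go beyond the documented command list."""
    findings = []
    for cmd in granted_commands(sudoers_text, user):
        binary = cmd.split()[0]
        if binary == "ALL":
            findings.append(("unrestricted", cmd))
        elif not binary.startswith("/"):
            findings.append(("relative-path", cmd))
        elif any(ch in cmd for ch in "*?["):
            findings.append(("wildcard", cmd))
        elif binary not in DOCUMENTED:
            findings.append(("undocumented", cmd))
    return findings


if __name__ == "__main__":
    for kind, cmd in audit(SAMPLE_SUDOERS):
        print(f"{kind}: {cmd}")
```

Even the documented set runs commands such as cp, chown, chmod, and tee as root, so manage the agent's service account as a privileged account.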

Considerations

• Oratab. Only standalone databases listed in the oratab file on the Oracle server can
  be registered and protected. Cohesity DataProtect cannot discover databases that are
  not in oratab.
• Auto Protect. Auto Protect is not supported for Oracle databases.
• Point-in-Time Restore. During a point-in-time restore to a time near the end of a
  full backup, the restore might fail due to this Oracle issue.

Next > Register your Oracle servers!

Register Oracle Sources


To start protecting your Oracle Databases, you need to register your Oracle servers and
hosts as Cohesity DataProtect sources. Confirm you've met the Oracle requirements and
then register your Oracle sources.

Note: To connect with sources in your data center, you'll need to use a SaaS
Connection (or create one) to establish connectivity between the sources and the
Cohesity DataProtect service.

To register an Oracle Server as a Cohesity DataProtect source:

1. Confirm that you meet the Oracle requirements for software version and the required
credentials and privileges.
2. Navigate to Sources and select Register Source > Oracle.
3. From the SaaS selection drop-down, choose the Existing Connection and select one
that is marked Healthy, or click Create SaaS Connection and follow the
instructions in Create a SaaS Connection.
4. Choose your Oracle authentication method: OS Authentication (the default) or DB
Authentication.

Note: If you choose DB authentication, then all the databases on the system
should have the same username and password.

5. Click Register.

Your Oracle server appears under Sources in Cohesity DataProtect.


Next > You're ready to protect your Oracle Databases!

Protect Oracle Databases


Once you have registered an Oracle server as a source, you're ready to use Cohesity
DataProtect to protect the Oracle Databases on that server.
To protect your Oracle Databases:

1. Under Sources, select the Oracle source and click Protect.


2. Click Add Objects. Browse through the Oracle server instances and select the
databases that you want to protect. Click Continue.
3. Click the Edit (pencil) icon next to the selected object and select one of the following
options:
   ◦ System selects active node. Cohesity DataProtect auto-selects an active
     single-instance Oracle node and configures the number of RMAN channels for
     the database object. (Default)
   ◦ Select specific node(s). If you select this option, you can choose the number
     of RMAN channels and the SBT library path to be used for the database object.
   ◦ Delete Archive Log. Toggle on and specify the days after which the archived
     logs on the source database should be deleted. If you enter a value of "0" days,
     source archived logs will be deleted immediately after each successful
     protection run.

     Important: If you do not enable this option, Cohesity DataProtect will
     not delete the archived logs after each protection run and you are
     responsible for deleting the archived logs from the source server.

4. Click Save.
5. In the New Protection dialog, select a Policy that matches the schedule and
retention period you need. If the existing policies do not meet your needs, you can
create a new policy with the settings you need.
6. If you wish to configure a specific End Date, Alerts, and other additional settings,
click Additional Settings.
7. Click Protect.

Note: The backups start immediately after you protect the objects, regardless of
the time you set for the protection run.

Additional Settings

Advance Settings Description

Start Time Available only if the selected policy is set to Backup Daily. Indicates what time the protection run
should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time
zone. You can change the time zone of the protection run by selecting a different time zone here.

End Date If you need to end protection on a specific date, enable this to select the date.

Exclusions Enable Exclude Disks to select the disks to exclude for all VMs in this object's protection. Enter the
Controller Type, Controller Bus Number, and Unit Number for each disk to exclude. Excluded
disks are not backed up and are not recovered during VM recovery.


App Consistent Backups Enable App-Consistent backups if you want the guest operating systems of all the protected VMs
to be quiesced before snapshots of these VMs are created. Quiescing of VMs prior to capturing
snapshots ensures the integrity of the data saved in the snapshots.

With the App Consistent backups enabled, the following options are available:

• Take a Crash Consistent backup if unable to perform an App Consistent backup.
Enable this option if you want Cohesity DataProtect to capture a crash-consistent snapshot if
Cohesity DataProtect fails to capture an app-consistent snapshot. If this option is disabled and
Cohesity DataProtect is unable to perform an app-consistent backup of a VM, a snapshot is
not captured.

• Backup application data and truncate their log files. Enable this option if you want to
back up applications (MS SQL, Exchange Server) that are running on the Hyper-V server and
truncate the logs of applications.

Note: This option is applicable only for VSS copy backup.

Priority Select a priority for the protection task execution. Cohesity DataProtect supports concurrent backups,
but if the number of tasks exceeds the ability to process them, they are executed in this priority order:

1. High-priority tasks

2. Medium-priority tasks

3. Low-priority tasks

Alerts Click to enable one or more of these alert types to trigger alerts for the following events and click Add
to enter email addresses.

• SLA Violation. Creates warning alert when a protection run exceeds the configured SLA.
Sends email.

• Failure. Creates critical alert when object protection fails to complete. Sends email.

• Success. Creates information alert when object protection completes. Does not send
email.


SLA The service-level agreement (SLA) defines how long the administrator expects a protection run to
take. Enter:

• Full. The number of minutes you expect a full protection run, which captures all the blocks in
an object, to take.

• Incremental. The number of minutes you expect an incremental protection run, which
captures only the changed blocks in an object, to take.

Pause Future Runs Enable Pause Future Runs to suspend future protection runs for the object until you turn this off
again. While this is enabled, no protection runs are scheduled.

Skip Files on Errors (On by default)
A protection run continues even if it encounters errors on files, such as permissions errors. If files are
skipped, the protection run details page indicates a Warning status and provides additional
information. If toggled off, the protection run stops when it encounters an error.

Exclusions and Inclusions By default, all files and folders are included for protection. Use this option if you want to exclude or
include specific locations. By creating exclusion and inclusion rules, you can limit the protection to a
specific set of files and directories and therefore minimize the disk space used to store the data.

Cancel Runs at Quiet Time Start (Available only if the selected policy has at least one Quiet Time.)
When enabled, all the protection runs that are currently executing will cancel when the Quiet Time
period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues
to execute even when a Quiet Time period starts. However, new protection runs will not start during a
Quiet Time.

Snapshot Prefix (Available only for NetApp data protection volumes)
Select one of the following options to back up the snapshots from the data protection (DP) volume to
Cohesity DataProtect:

None. (Default) Enable this option if you want the Cohesity DataProtect service to take the full backup
from the oldest snapshot available on the DP volume and incremental backup from the latest
snapshots available on the DP volume.

Snapshot Prefix. Enable this option if you want the Cohesity DataProtect service to take the full and
incremental backup from the snapshots that match the prefix name you specify:

Incremental Snapshot Prefix. Specify the prefix of the snapshot name present in the DP volume
from which Cohesity DataProtect can take incremental backups.

Full Snapshot Prefix. Specify the prefix of the snapshot name present in the DP volume from which
Cohesity DataProtect can take the first full backup.


Next > When the first protection run completes, you will be ready to recover your
protected Oracle Databases if and when you need to.

Recover Oracle Databases


Once you have protected your Oracle Databases, you can recover them from Cohesity
DataProtect, to their original or a new location.
To recover protected Oracle Databases:

1. Go to Sources to set up your recovery task.


2. Click into the Source name.
3. Click the Recover icon.
4. Select the Recovery Type:
o Databases to recover an entire database.
o Archive Logs to recover just the archive logs.
5. Under Targets, select Alternate Database or Overwrite Original Database.
   1. For Alternate Database:
      • Oracle Host. Provide the hostname to which you want to restore the
        database.
      • Configure Channels:
         o System selects active node. Cohesity DataProtect auto-selects
           an active single-instance Oracle node and configures the number of
           RMAN channels for the database object. (Default)
         o Select specific node(s). If you select this option, you can choose
           the number of RMAN channels and the SBT library path to be used
           for the database object.
      • Recovery Options. Enter:
         o Restore Database Files to. Specify the path to an existing empty
           directory. The newly created database files will reside in this path.
           You can restore to an ASM path using this option. If you do, enter
           just the ASM volume name instead of the entire path. For example,
           if the restore path for ASM volume data1 is “+data1” and you enter
           the entire path, +data1/dbname, the restore task will fail.
         o Oracle Home. The ORACLE_HOME value for the host where the
           database is restored.
         o Base Directory. The directory for the restored database.
         o Target Database Name. The name for the target database to
           recover the database components and data files.
         o Enable Archive Log mode for the Database. Select the
           checkbox to enable redo log archiving on the recovered database.
         o BCT File Path. The BCT file path specifies the location where the
           block change tracking file will be created. If not provided, BCT is
           not enabled for the restored database.
         o Leave database in Recovery Mode. Select the checkbox if you
           do not want the recovered database to be opened.
         o Shell Environment. Configure your shell environment that
           executes the Cohesity DataProtect restore tasks. For example,
           define your TNS_ADMIN shell variable here to point to a different
           sqlnet.ora file for use as the restore target database. For TDE
           support, the wallet location for your restore target database might
           depend on a shell variable. Use this to specify your wallet location
           for restoring a backup taken from a TDE database.
         o Task Name. Change the default name of the recovery task.
   2. For Overwrite Original Database:
      • Leave database in Recovery Mode. Select the checkbox if you do not
        want the recovered database to be opened.
      • Shell Environment. Configure your shell environment that executes the
        Cohesity DataProtect restore tasks. For example, define your TNS_ADMIN
        shell variable here to point to a different sqlnet.ora file for use
        as the restore target database. For TDE support, the wallet location for
        your restore target database might depend on a shell variable. Use this to
        specify your wallet location for restoring a backup taken from a TDE
        database.
      • Task Name. Change the default name of the recovery task.
6. Click Recover.


Monitoring

Reporting
Cohesity provides one-stop-shop reporting on Helios. You have an aggregated view of your
Cohesity deployment regardless of the use case, workload, or deployment type (on-
premises, consumed as a Cohesity-hosted service, or a combination).
The built-in reports are designed to address your top use cases out-of-the-box. You can
view an overall summary of your data protection jobs and storage systems, or analyze data
at the granular level using powerful filtering options. You can filter, schedule, email, and
download reports. The report that you schedule or download inherits the filters that you
have applied.

Tip: You can also watch the Helios Next Generation Reporting video to learn more
about Helios Reporting.

View Reports
To view a report in Helios:

1. Log in to Helios.
2. Select DataProtect from the drop-down list in the upper-right corner of the page.
3. On the left navigation menu, click Reporting.
By default, the Library tab is displayed.
4. Click a report card. For more information, see Choose a Report Type.
Each report helps you view, visualize, and analyze data. The following table describes
the key features of Helios reports:

Filters Each report provides various filters that help you pare down the report until it only shows the data
that you want in the report. The filter options change depending on the type of report. For more
information, see Filter Report Data.

Glance bar The glance bar provides a summary of the report for the time period you set in the filter.

Charts Each report includes chart(s) that provide a graphical representation of data.


Data table The Data table in the report provides deeper insights to help you analyze the data. You can
customize the columns in the table. For more information, see Customize Table Columns.

Common tasks You can perform the following tasks:

• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View

Choose a Report Type


Each different report type can help you identify the information you need. Currently, 14
built-in reports are available in Helios:

• Failures
• Protected / Unprotected Objects
• Protected Objects
• Protection Runs
• Recovery
• Service Consumption

Filter Report Data


Reporting in Helios provides a comprehensive view of the data under management. You
have full control over what data you want to include and view in your reports. Use the filters
to pare down your report until it only shows the data that you want in the report. The filter
options change depending on the type of report.
The following animated image shows the filter options available in the Failures report:


For more information about the filtering options available in each report, refer to the help
page for the respective report.

Customize Table Columns


Each report in Helios provides comprehensive data. In each report, data is displayed in a
tabular format. You can add and remove columns from the Data table. The changes you
make to columns in a table persist until you change them again or restore the report to the
default view.
To customize table columns:


1. Log in to Helios.
2. Select DataProtect from the drop-down list in the upper-right corner of the page.
3. On the left navigation menu, click Reporting.
4. Click a report card.

5. In the upper-right corner of the table, click the Settings icon:
   • Enable the toggle to add a column
   • Disable the toggle to remove a column

The following animated image shows the procedure to customize table columns:


Download Reports
You can download reports in different file formats from the Helios reports page. On any
report, click the Download icon and select one of the file formats:

The report in the selected file format gets downloaded to your system.

Note: The time taken to generate a report depends on multiple factors such as
the number of clusters selected, other filters applied on the report, amount of
data, and so on. If the report is very large, it may take a few moments to
download the report.

Schedule Reports
You can schedule reports to run at periodic intervals. Once you select a report and filter the
scope, you can schedule the report to run and send an email to recipients at specified times.

Important Points to Note

• SSO users can view and download reports. To schedule reports, SSO users must be
explicitly added in Helios. For more information about explicitly adding users, see
Add SSO Users & Groups.
• If the report is too large, the email will contain a download link instead of an
attachment.
• Columns included in the scheduled report are the columns available in the default
view. If you have customized the table, those changes are not reflected in the
scheduled report.


To schedule reports:

1. Log in to Helios.
2. Select DataProtect from the drop-down list in the upper-right corner of the page.
3. On the left navigation menu, click Reporting.
By default, the Library tab is displayed.
4. Click a report card. For more information, see Choose a Report Type.
5. Click Schedule.

Note: If the SSO user is not explicitly added in Helios, the Schedule button
is not displayed.

The Schedule Report pop-up window is displayed:

6. Configure the following details:


   • Schedule Name—Enter a name for your report.
   • Schedule—Choose the frequency and the time at which to run the report.
   • Recipients—Enter the email address of the recipient. You can enter multiple
     email addresses.
   • Email Subject—Enter a subject line for the email.
   • Format—Select the format(s). The recipients receive the report in the format
     that you select.
7. Click Schedule.

The recipients receive a new email with the updated report on the schedule you selected.
See your scheduled reports under the Scheduled tab on the Reporting page.

Manage Scheduled Reports


You can perform the following tasks from the Scheduled tab:

• Instantly run a report
• Pause a report
• Modify the settings of a report
• Delete a report

Note: Users with the Super Admin role can view and manage all scheduled
reports in the same Helios account.

To manage scheduled reports:

1. Log in to Helios.
2. Select DataProtect from the drop-down list in the upper-right corner of the page.
3. On the left navigation menu, click Reporting.
4. Click the Scheduled tab.

5. Hover over a report and click the Actions menu:
   • Select Run Now to instantly run and email the report.
   • Select Pause to pause the schedule.
   • Select Edit to modify the settings of a scheduled report. Update the settings as
     necessary and click Schedule.
   • Select Delete to delete a scheduled report. You must click Delete to confirm
     the deletion.


Reset to Default View


Once you filter a report or customize table columns, you can reset the report page’s view to
the default view. To switch to the default Helios reports page view, click the Restore to
default display button:

The page refreshes and reverts to the default view.

Helios Reporting APIs


The Helios architecture is API driven. You can programmatically interface with the Helios
Reporting service. For more information about using Helios Reporting APIs, see Helios
Reporting Service APIs.

Failures
The Failures report provides a summary and list of objects that had one or more backup
run failures. It also helps you identify consecutive failures in the last three backups, and
breaks down the failed objects by object type.
Example use case: Which object do I have no successful backup of in the last week?

Filter Report Data

The report supports multiple filters to pare down the data that you want to view in the
report:

• System—Select all cluster(s) to include.
• Source—Select all the sources to include.
• Type—Choose the types of objects to include — Generic NAS, Isilon, NetApp,
Physical, Pure, VMware, and so on.
• Time Range—Set the time period for your report.
• Object—Enter an object name to filter by the name of the object.
• Organization—Choose one or more organizations to see the report data specific to
the selected organizations.

Glance Bar

The glance bar provides a summary of the report for the specified period:

• Total Sources—The total number of sources.
• Total Objects—The total number of objects.
• Failed Objects—The total number of objects that experienced one or more backup
run failures during the specified date range.
• Without Snapshots—The total number of objects without any snapshots.

Charts

The report includes the following two charts:

• Failures in Last 3 Backups
• Success and Failed Objects by Object Type

Report Data

The following table describes the data displayed in the Data table. Use the search bar to
filter the data by object name, source, system name, or policy.

Note: You can add or remove columns. For more information, see Customize
Table Columns.
The data displayed in the Policy and System columns are from the last backup
run of the object in the specified time period.


Column Name Description

Object Name The name of the object.

Source The hostname or IP address of the registered source.

System The name of the cluster on which the protection job was run.

Policy The protection policy associated with the Protection Group.

Last Failed Run The date and time at which the last backup run failed.

Failed Backups The total number of backup runs that failed.

Failures in Last 3 Backups The total number of failures in the last three backups.

Last Fail Reason The reason for the failure of the last backup.

Related Topics

• View Reports
• Filter Report Data
• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View

Protected Objects
The Protected Objects report provides a summary and list of all protected objects that
had a backup run. You can view the backup status and the objects with an active snapshot.
Example use case: Do I have a good backup of my VM in the last month?

Filter Report Data

The report supports multiple filters to pare down the data that you want to view in the
report:

• System—Select all cluster(s) to include.
• Source—Select all the sources to include.
• Type—Choose the types of objects to include — Generic NAS, Isilon, NetApp,
Physical, Pure, VMware, and so on.
• Backup Status—Filter by objects with successful backups or unsuccessful backups.
• Last Run Status—Filter by the status of the most recent protection run — Canceled,
Failed, Running, Success, and/or Warning.
• Time Range—Set the time period for your report.

Note: If you set a time period, the report displays all objects that had a
backup run during the selected time period. If an object is no longer
protected, the report would still display data if the object had a backup run
during the selected time period. If an object is protected and if it did not
have a backup run during the selected time period, the report does not
display the data specific to this object.

• Object—Enter an object name to filter by the name of the object.
• Organization—Choose one or more organizations to see the report data specific to
the selected organizations.

Glance Bar

The glance bar provides a summary of the report for the specified period:

• Success Rate—Without Successful Backup / Total Objects.
• Total Objects—The total number of objects.
• With Successful Backup—The total number of objects that have one or more
successful backups.
• Without Successful Backup—The total number of objects that did not have any
successful protection runs.
• With Snapshots—The total number of objects with snapshots retained. This number
can differ from the earlier “With Successful Backups”, for example, all backups fail
for an object during the selected date range but the object still has actively retained
snapshots from earlier backups (that occurred before the selected date range).
• Without Snapshots—The total number of objects without snapshots.

Charts

The report includes the following two charts:

• Protected Objects by Type
• Object Protection by Type

Report Data

The following table describes the data displayed in the Data table. Use the search bar to
filter the data by object name, system name, source, or policy.

Note: You can add or remove columns. For more information, see Customize
Table Columns.

Column Name Description

Object Name The name of the protected object.

Source The hostname or IP address of the registered source.

Policy The protection policy associated with the latest run of the object.


Last Run The date and time at which the last backup for the object ran.

Last Successful Backup The date and time at which the last successful backup for the object ran.

Active Snapshots The total number of active snapshots for the object.

Successful Backups The total number of successful backups for the object.

Unsuccessful Backups The total number of unsuccessful backups for the object.

System The name of the cluster on which the object had the latest run.

Related Topics

• View Reports
• Filter Report Data
• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View

Protected / Unprotected Objects


The Protected / Unprotected Objects report provides a summary and list of objects
along with their protection status. You can identify objects that are not associated with a
Protection Group. The report does not contain data about Cohesity views.
Example use case: Are all the objects in my vCenter protected?

Filter Report Data

The report supports multiple filters to pare down the data that you want to view in the
report:

• System—Select all cluster(s) to include.
• Source—Select all the sources to include.
• Type—Choose the types of objects to include — Generic NAS, Isilon, NetApp,
Physical, Pure, VMware, and so on.
• Protection Status—Filter by object protection status — Protected or Unprotected.
• Object—Enter an object name to filter by the name of the object.
• Organization—Choose one or more organizations to see the report data specific to
the selected organizations.

Glance Bar

The glance bar provides a summary of the report for the specified period:

• Protected Objects—The percentage of Protected Objects to Total Objects.
• Total Sources—The total number of sources.
• Total Objects—The total number of objects.
• Protected Objects—The total number of protected objects.
• Unprotected Objects—The total number of unprotected objects.

Charts

The report includes the following two charts:

• Protection Status by Type
• Unprotected Objects by Source

Report Data

The following table describes the data displayed in the Data table. Use the search bar to
filter the data by object name, protection status, source, or system name.

Note: You can add or remove columns. For more information, see Customize
Table Columns.

Column Name Description

Object Name The name of the object.

Protection Status The protection status of the object.

Source The name of the registered source.

System The name of the cluster on which the object is registered.

Logical Data The combined total of data in the objects that are protected by Cohesity. These metrics are different
depending on workload type.

• VMs—The data size reported by VMware is the provisioned amount, not the actual data
residing in the VM. For example, if a VM is provisioned for 1 TB but contains only 100 GB of
data, VMware reports it as 1 TB.

• All Other Workloads—The data size reported is the actual front end data residing on the
server. If a server with 1 TB capacity contains 100 GB of data, the server reports 100 GB.

Note: Cohesity does not include unprotected objects in these metrics.

Organization The name specified for the organization when added to the cluster.

Related Topics

• View Reports
• Filter Report Data
• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View

Protection Runs
The Protection Runs report provides a summary and list of all backup activities per object
per run. You can view the summary and success rate of protection runs. You can also view
the snapshot status of the protection run.
Example use case: How many failed protection runs did I have in the last week?

Filter Report Data

The report supports multiple filters to pare down the data that you want to view in the
report:

• System—Select all cluster(s) to include.
• Source—Select all the sources to include.
• Type—Choose the types of objects to include — Generic NAS, Isilon, NetApp,
Physical, Pure, VMware, and so on.
• Run Status—Filter by the status of the protection run — Canceled, Failed, Running,
Success, and/or Warning.
• Snapshot Status—Filter by the status of the snapshot — Active or Expired.
• Time Range—Set the time period for your report.
• Organization—Choose one or more organizations to see the report data specific to
the selected organizations.

Glance Bar

The glance bar provides a summary of the report for the specified period:

• Success Rate—Total Successful / Total Runs.
• Total Runs—The total number of protection runs.
• Total Successful—The total number of successful runs.
• Success—The total number of protection runs with status Success.
• Warning—The total number of protection runs with status Warning.
• Failed—The total number of protection runs with status Failed.
• Canceled—The total number of protection runs with status Canceled.
• Running—The total number of protection runs with status Running.
• SLA Met—The total number of protection runs that met SLA.
• SLA Missed—The total number of protection runs that missed SLA.

Charts

The report includes the following two charts:

• Run Status by Policy
• Run Status by Type

Report Data

The following table describes the data displayed in the Data table. Use the search bar to
filter the data by object name, source, policy, system name, or snapshot status.

Note: You can add or remove columns. For more information, see Customize
Table Columns.

Column Name Description

Start Time The date and time at which the protection run started.

End Time The date and time at which the protection run was completed.

Object Name The name of the protected object.

Source The hostname or IP address of the registered source.

Policy The protection policy associated with the protection run for the corresponding object.

System The name of the cluster on which the object had a protection run.


Snapshot Status The status of the snapshot.

Duration The time taken by the protection run.

Logical Data The combined total of data in the objects that are protected by Cohesity. These metrics are different
depending on workload type.

• VMs—The data size reported by VMware is the provisioned amount, not the actual data
residing in the VM. For example, if a VM is provisioned for 1 TB but contains only 100 GB of
data, VMware reports it as 1 TB.

• All Other Workloads—The data size reported is the actual front end data residing on the
server. If a server with 1 TB capacity contains 100 GB of data, the server reports 100 GB.

Note: Cohesity does not include unprotected objects in these metrics.


Currently, the logical data value shown on the Helios Dashboard is a sum of the
logical data values captured across all the protection runs. For instance, if the
source has 100 GB of logical data, and assuming it remains at 100 GB for the
first 10 protection runs, Cohesity would report, after 10 runs, the Logical Data to
be 1000 GB (1 TB).

Data Read Size of the set of protected objects as read by Cohesity for a single backup run. This number is a per
protection run statistic and is not additive across backup runs.

Data Written Data written on the Cohesity platform after the unique logical data has been reduced by data
deduplication and data compression.

Note: This number reflects unique data written, before resiliency operations.

Organization The name specified for the organization when added to the cluster.

Related Topics

• View Reports
• Filter Report Data
• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View

Recovery
The Recovery report provides a summary and list of all the clone and recovery tasks that
were executed. It also provides other details such as the time taken for the operation and
status of the operation.

Note: If a Cohesity view is unprotected, the report does not display data about
clone view operations.

Example use case: How many recovery tasks failed in the last week?

Filter Report Data

The report supports multiple filters to pare down the data that you want to view in the
report:

• System—Select all cluster(s) to include.
• Source—Select all the sources to include.
• Organization—Choose one or more organizations to see the report data specific to
the selected organizations.
• Type—Choose the types of objects to include — Generic NAS, Isilon, NetApp,
Physical, Pure, VMware, and so on.
• Status—Filter by the status of the recovery task — Canceled, Failed, Running,
Success, and/or Warning.
• Time Range—Set the time period for your report.
• Object—Enter an object name to filter by the name of the object.

Glance Bar

The glance bar provides a summary of the report for the specified period:

• Success Rate—Successful / Total Recoveries.
• Total Recoveries—The total number of recovery runs.
• Successful—The total number of recoveries with status Success.
• Failed—The total number of recoveries with status Failed.
• Warning—The total number of recoveries with status Warning.
• Canceled—The total number of recoveries with status Canceled.
• Running—The total number of recoveries with status Running.


Chart

The report includes the Recovery Status by Type chart:

Report Data

The following table describes the data displayed in the Data table. Use the search bar to
filter the data by object name, source, system name, task name, or username.

| Column Name | Description |
|---|---|
| Start Time | The date and time at which the recovery task started. |
| Object Name | The name of the object. |
| Source | The hostname or IP address of the registered source. |
| System | The name of the cluster on which the recovery task was run. |
| Recovery Point | The date and time of the backup run from which the object was recovered. |
| Duration | The time taken by the recovery task. |
| Task Name | The name of the recovery task. |
| Username | The name of the user who initiated the recovery. |
| Organization | The name specified for the organization when added to the cluster. |

Related Topics

• View Reports
• Filter Report Data
• Download Reports
• Schedule Reports
• Manage Scheduled Reports
• Reset to Default View


Service Consumption
The Service Consumption report provides statistics — like average usage, peak usage,
and change rates — about the DataProtect service consumed by your protected objects. It
also helps break down current usage and monthly peak usage by type.

Detect Ransomware Attacks


Ransomware can take over enterprise data and threaten to publish it or block access to it
until a ransom is paid. Cohesity DataProtect detects potential ransomware attacks in your
environment.
We use machine learning algorithms to continuously monitor change rates in the backup
data. If the rate is out of the normal range — based on daily and historical rates — Cohesity
DataProtect flags it as a potential ransomware attack.
If Cohesity DataProtect detects an anomaly during a protection run of your data, it triggers
the critical alert, DataIngestAnomalyAlert. Using the alert information, you can
investigate the anomaly and decide on the next course of action.
After reviewing the anomaly, you can either ignore the anomaly or recover the object from
the last clean snapshot.
To locate and inspect potential anomalies:

1. Navigate to Alerts and click the Severity filter. Select Critical and click Apply.
2. If you see a DataIngestAnomalyAlert alert, click into it.
3. On the DataIngestAnomalyAlert page, review the alert details.
4. Once you have thoroughly reviewed the alert, click:
   • Ignore Anomaly to dismiss the anomaly.
   • Recover Object to recover the object from the last clean snapshot.
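
To make the idea of a change rate falling "out of the normal range" concrete, here is an added example that is not Cohesity's algorithm or code: it swaps the machine learning model for a plain median/MAD outlier test over recent backup runs. The function names, window size, threshold, and sample data are all assumptions.

```python
from statistics import median

def robust_z(value, history):
    """Modified z-score of value against history (median and MAD based)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat history: any deviation at all is maximally unusual.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def flag_anomalous_runs(change_rates, window=14, threshold=3.5, min_history=7):
    """Return [(run_index, rate, score)] for runs whose change rate spikes
    above the baseline built from the preceding clean runs.

    Flagged runs are kept out of the baseline, so a sustained burst of
    changed data does not become the new normal. Only upward spikes are
    flagged, because mass encryption shows up as a jump in changed data.
    """
    baseline, flagged = [], []
    for i, rate in enumerate(change_rates):
        recent = baseline[-window:]
        if len(recent) >= min_history:
            score = robust_z(rate, recent)
            if score > threshold:
                flagged.append((i, rate, score))
                continue
        baseline.append(rate)
    return flagged

# Constructed sample: percent of data changed per daily backup run.
SAMPLE_RATES = [2.1, 1.8, 2.4, 2.0, 2.2, 1.9, 2.3, 2.0,
                2.5, 1.7, 2.1, 2.2, 61.0, 58.5, 2.0]

if __name__ == "__main__":
    for index, rate, score in flag_anomalous_runs(SAMPLE_RATES):
        print(f"run {index}: change rate {rate}% (score {score:.1f})")
```

The last run before the first flagged index is the candidate "last clean snapshot" to verify before recovering.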


Audit Logs
The Audit Logs page records the events that occur in Cohesity DataProtect. The events
are:

• Read or write actions performed by the users on your Cohesity clusters.
• Login and logout actions performed by the Helios users in DataProtect.

View Audit Logs


On the Audit Logs page in DataProtect, you can find the following details for the events
that are logged by the registered regions:

• Date
• Time
• User & action
• System (DataProtect region)

Note: By default, only the write actions performed by the users on Cohesity
clusters are displayed on the Audit Logs page. To see read actions, select Read
Actions from the Actions filter and click Apply. See Use Filters to Locate
Specific Logs next.

Use Filters to Locate Specific Logs

Use the following filters to narrow the listed audit logs and locate the specific logs.

| Filter | Purpose |
|---|---|
| Date Range | Filter the audit logs based on the selected time window. |
| System | Filter the audit logs based on the DataProtect regions. |
| Users | View the audit trails of specific users. |
| Category | Filter the audit logs based on predefined categories. See Review Cluster Audit Log Categories next. |
| Action | Filter the audit logs based on the read or write actions performed by the users in the registered regions. See Logged Actions below. |


Review Cluster Audit Log Categories

Audit logs are logged under predefined categories for you to find the relevant audit logs and
analyze the correct logs quickly.

• API Key
• Access Token
• Active Directory
• Alert
• Alert Notification Rule
• AMQP Target Configuration
• Antivirus Service Group
• App
• Bifrost Connection
• Bifrost Connector
• Chassis
• Clone Refresh Task
• Clone Task
• CloudSpin
• Cluster
• Cluster Partition
• Cluster Services
• CSR
• Data Tiering Analysis Group
• Data Tiering Downtier Task
• Data Tiering Uptier Task
• Disk
• Encryption Key
• Group
• Helios Event
• Hotfix
• Hybrid Extender
• IDP Configuration
• Infected File
• Interface


• IOTier
• IP
• Keystone
• KMS Configuration
• LDAP
• Network
• Network Interface Group
• NIS
• NIS Net Group
• Node
• Object
• Patch
• Physical Agent
• Preferred Domain Controller
• Protection Group
• Protection Run
• Protection Policy
• Proxy Server
• QoS
• Quorum Application
• Quorum Group
• Recovery Task
• Remote Cluster
• Resolution
• Role
• SaaS Connector
• Scheduler
• Search Job
• Service Flag
• Share
• SMTP Server
• Snapshot


• SNMP Config
• Source
• SSL Certificate
• Static Route
• Storage Domain
• Support Server
• Swift Roles
• Tags
• Tenant
• Trusted CA
• User
• Vault
• View
• Share
• VLAN

Logged Actions

Along with the read actions, the following write actions are logged:

| Write Actions | Descriptions |
|---|---|
| Accept | A user accepted the license agreement. |
| Activate | A user activated an entity such as Protection Group. |
| Add | A user added a Region. |
| Apply | A user applied a setting or configuration. For example, the user applied a patch. |
| Assign | A user assigns a source to a tenant. |
| Cancel | A user canceled an entity such as a running Protection Group or a Recovery task. |
| Clone | A user cloned an entity such as a Snapshot, VM, View, or SQL Server. |
| Close | A user closed an SMB file. |
| Cloud Spin | A user deployed a VM on the cloud. |
| Cluster Expand | A user expanded the cluster. |
| Create | A user created an entity such as a Protection Group. |
| Deactivate | A user deactivated a Protection Group. |
| Delete | A user deleted an entity such as a Protection Group, Protection Policy, or View. |
| Disjoin | A user disjoined the Cluster from an AD domain. |
| Download | A user downloaded a VMX file or a file from a VM Snapshot. |
| Import | A user performed a generic action for any import operations. For example, the user has imported a patch binary. |
| Install | A user performed a generic action for any installation. For example, the user has installed an app. |
| Join | A user joined the Cluster to an AD domain. |
| Login | A user logged in to the Cohesity cluster. |
| Logout | A user logged out of the Cohesity cluster. |
| Mark | A user marked an entity for removal such as a disk. |
| Modify | A user modified an entity such as a User, Protection Group, or Remote Cluster. |
| Notification Rule | A user modified the notification rule. |
| Overwrite | A user performed an overwrite operation. |
| Pause | A user paused an entity such as a running Protection Group. |
| Recover | A user recovered an entity such as a VM, file, or SQL Database. |
| Refresh | A user performed a refresh of the entities in the Cohesity cluster. For example, the user refreshed the source configuration. |
| Register | A user registered an entity such as an External Target (Vault). |
| Mark Removal | A user marked an entity for removal. For example, the user marked a disk for removal. |
| Rename | A user renamed an entity such as a Storage Domain. |
| Restart | A user restarted a Cohesity Platform service in their cluster. |
| Resume | A user performed a resume action on a Protection Group. |
| Revert | A user reverted a setting or action. |
| Run Diagnostics | A user ran diagnostics. For example, the user ran diagnostics on the agent to collect logs and other metrics. |
| Run Now | A user performed a Run Now action on a Protection Group. |
| Schedule | A user scheduled an event such as cluster upgrade. |
| Schedule Report | A user scheduled an email report. |
| Search | A user searched for a term such as gflags. |
| Start | A user started a Cohesity cluster service. |
| Stop | A user stopped a Cohesity cluster service. |
| Unassign | A user removes a source from a tenant. |
| Uninstall | A user uninstalled an app. |
| Unregister | A user unregistered an entity such as a Source. |
| Update | A user updated an entity in a Cohesity cluster. |
| Upgrade | A user upgraded the Cohesity cluster. |
| Upload | A user uploaded an entity. |
| Validate | A user validated an entity. |

Download Audit Logs


You can download the Audit Logs in CSV format from DataProtect for analysis and sharing.


Note: The downloaded .CSV file contains more details than what the Helios
Dashboard displays. For example, the file contains details about the IP addresses
of the systems from which the cluster is accessed, tenants, impersonation, and so
on.

To download audit logs:

1. In DataProtect, navigate to Audit Logs.

2. In the top right, click the Download icon.

The audit logs CSV file is downloaded.
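
One way to analyze the downloaded file, shown as an added example that is not Cohesity code: it picks out write actions that suspend or remove protection on backup-related categories and notes when they come from an IP address other than the user's first one in the export. The CSV column names, the choice of risky actions and categories, and the sample rows are assumptions; map them to the headers in your own download.

```python
import csv
import io

# Write actions from the Logged Actions table that remove or suspend protection.
RISKY_ACTIONS = {"Delete", "Deactivate", "Pause", "Cancel", "Unregister"}
# Audit log categories from the category list that hold backup state.
BACKUP_CATEGORIES = {"Protection Group", "Protection Policy", "Protection Run",
                     "Snapshot", "Source", "Vault"}

def triage(csv_text):
    """Return risky write actions on backup entities, oldest first.

    Column names (Timestamp, Username, Action, Category, EntityName, IP)
    are assumed, not taken from the product.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["Timestamp"])  # ISO 8601 sorts as text
    baseline_ip = {}  # user -> first IP seen in this export
    findings = []
    for row in rows:
        user, ip = row["Username"], row["IP"]
        first_ip = baseline_ip.setdefault(user, ip)
        if row["Action"] in RISKY_ACTIONS and row["Category"] in BACKUP_CATEGORIES:
            findings.append({
                "time": row["Timestamp"],
                "user": user,
                "action": row["Action"],
                "target": f'{row["Category"]}: {row["EntityName"]}',
                # Crude heuristic: differs from the user's first IP in the export.
                "off_baseline_ip": ip != first_ip,
            })
    return findings

# Constructed sample rows with documentation-range IPs, not real product output.
SAMPLE_CSV = """\
Timestamp,Username,Action,Category,EntityName,IP
2022-09-01T08:00:00Z,alice,Login,User,alice,192.0.2.10
2022-09-01T08:05:00Z,alice,Create,Protection Group,pg-sql,192.0.2.10
2022-09-02T02:14:00Z,alice,Login,User,alice,203.0.113.77
2022-09-02T02:16:00Z,alice,Pause,Protection Group,pg-sql,203.0.113.77
2022-09-02T02:17:00Z,alice,Delete,Snapshot,pg-sql-0831,203.0.113.77
2022-09-02T09:00:00Z,bob,Delete,View,scratch,192.0.2.20
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```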


How-To Videos
Use these videos to learn in detail some of the key tasks you'll be performing in Cohesity
DataProtect delivered as a Service.


Cohesity Support

Reach Cohesity Support


Go to Cohesity Support to search our knowledge base, or contact us by phone (United
States and Canada): 1-855-9CO-HESI (926-4374), option 2.

Reach Cohesity Support by Email


There are several ways to create a Cohesity support case.

• Email Cohesity Support with a brief description of the problem. If the Cohesity
  software is running on a hardware platform, include your product's chassis serial
  number.
• Log in to the Cohesity Support Portal. Click OPEN CASES and Create Case.
• Click Support in the footer of the Cohesity Dashboard.

Support/Service Assistance
First contact the Service Provider that you have contracted for service and support. If you
work directly with Cohesity and have a product warranty/entitlement, repair pricing or
technical support related question, see your options below:

• To find solutions to your product issues or for suggestions or best practices, visit
  Cohesity Knowledge Base.
• To open a Service Request online, go to Cohesity Support Portal, log in to the portal,
  and go to My Cohesity > Submit a Case.
• To monitor your open cases, log in to the portal, click My Cases in the upper right
  side of the home page. This page should have all case status and updates and you can
  view individual case status.

Cohesity Software Running on Partner Hardware


If Cohesity software is running on qualified third-party hardware, the following support
workflow applies:

1. The customer may contact Cohesity Support first if the issue cannot be determined as
   a hardware issue.

   Note: Cohesity cannot process hardware replacement requests for non-Cohesity
   hardware.

2. Cohesity Support triages the issue. If it is a software issue, Cohesity Support
   continues to work on it.
3. If it is a hardware/firmware issue or is suspected to be a hardware/firmware issue,
   Cohesity provides information about the issue to the customer and requests that the
   customer open a support ticket with the appropriate partner.
4. If needed, Cohesity Support can join a three-way call with the partner and the
   customer.
5. The customer informs Cohesity Support on the progress of the partner’s case.
