estos data protection concept
23 April 2025
ProCall Business, ProCall Enterprise, ProCall DataCenter, ECSTA, MetaDirectory
General information
Area of application
To ensure the security, stability and recoverability of an IT system, IT administrators should create data backup concepts. This document is intended to provide guidelines in relation to the products mentioned in the product validity. The data backup concept includes product-specific recommendations as well as general recommendations and guidelines for creating a data backup concept for the system environment and backup implementation/organisation. The following chapters only form a manufacturer-specific, application-specific subset, the so-called data backup plan. This contains technical information for creating data backups and restoring systems and should be integrated into a generally applicable, customer-specific data backup concept for IT operations.
Further information
For general information and recommendations on creating a data protection concept, please refer to the building blocks from the IT-Grundschutz concept of the Federal Ministry for Information Security:
(status of the 2023 edition published in February 2023): https:// www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/IT-Grundschutz-Bausteine/Bausteine_Download_Edition_node.html
Data backup plan - Specific requirements for estos products
Type and scope of the data to be backed up
ProCall Client for Windows
Configuration settings made by the user (such as added data sources, redirection profiles, etc.) are saved as follows and must be taken into account when backing up data:
In the registry
Keys | Content |
---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ESTOS\UCServer4\Client | Contains the settings made by the administrator during setup (including UCServer host name and port, enforce TLS, use DNS service records, user may specify a different server) |
HKEY_CURRENT_USER\SOFTWARE\ESTOS\UCServer4\Client | Contains the settings made by the user such as different server, user name (if not Windows session), language, use Outlook.addin, UCConnect settings (VPNless mode) |
HKEY_CURRENT_USER\Software\ESTOS\UCServer4\CtiMain | Contains settings that the user makes on the client. These include settings for language, logging, window positions, journalisation, call window, audio output, "unprocessed" tab, sum bubbles, hotkeys, callback and call forwarding, calendar synchronisation, contact information and search. |
HKEY_LOCAL_MACHINE\Software\ESTOS\UCServer4\CtiMain | Contains settings that the administrator specifies on the client. If keys are set here, these keys are ignored in HKEY_CURRENT_USER\Software\ESTOS\UCServer\CtiMain as they are specified by the administrator. This is a subset of the keys from HKEY_CURRENT_USER\Software\ESTOS\UCServer\CtiMain, which contain settings (such as language) or authorisations (such as whether calendar synchronisation can be used), but not runtime keys (such as the window position) |
In the file directory
Directory | Content |
---|---|
%APPDATA%\estos\ProCall <Version> |
A backup is recommended for files that represent a local setting. The cache files can be backed up optionally. |
%LOCALAPPDATA%\estos\ProCall <Version> | Contains log files, temporary caches, downloaded content from "Share content". Normally no backup necessary. |
In order to be able to use the configuration settings for a later restore, it is advisable to
- export the data mentioned in the registry and save it in a .reg file.
- back up the above data from the file directory.
ProCall Mobile App (for Android/iOS)
The ProCall Mobile app does not store any security-relevant data locally on the smartphone.
ProCall Client for MacOS
The ProCall Client for MacOS does not save any data locally.
ProCall UCServer
General
Securing via the following (possibly combined) mechanisms may be preferable:
- Mirroring of the disc partition(s) (e.g. via RAID-1)
- Snapshot(s) of the computer in a virtualised environment
- Backup/restore of the disc partition(s)
In addition, the (possibly changed) service properties should be documented so that the information is available for recovery. These cannot be backed up.
Example screenshot: UCServer Properties - Local computer - General - Service
Certificates and secrets
Certificate/Secret | Referencing |
---|---|
TLS certificate used for "TAPI clients" (port 7220), "Administration" (port 7221) and "UC clients (port 7222) | Are taken from the Windows certificate store. The fingerprint of the certificate to be used can be found in the ListeningInterfaces.xml file (see config folder of the UCServer) in the corresponding line in the CertHash="xxxx" attribute. |
TLS certificate for "UC Media Server (Port 8888 or 8433) | Is accessed via a referenced .pem file, which is referenced in the ListeningInterfaces.xml in the corresponding line in the "CertContainerFile" attribute with a complete path. It is also referenced again in "...\UCServer\MediaService\emswindows\etc\kurento\kurento.conf.json". |
TLS certificate for the UCWeb HTTPS (port 7225) | The content is entered in the UCServer\config\ cer_000000000000000000000000000000000008.ecert, as well as in the ListeningInterfaces.xml and eucwebconfig.json files. |
UCServer ↔ UCWeb | Secret of the UCServer is in the registry → see backup instruction Secret of the UCWeb is in the config folder → see backup instruction |
Key for JWT tokens | Contained in the UCWeb config folder → see backup instructions |
UCServer admin password | hashed in the UCServer registry → see backup instructions |
ProCall Enterprise
Manual backup
A backup can be carried out manually using the data import/data export functions.
The functions can be found in the UCServer administration in the "File" menu.
The data to be backed up (see screenshot) is saved in a zip archive. The zip archive can then be imported as a restore during the installation of the UCServer.
Example screenshot: Export settings
Automatic backup
If the backup is not to be performed manually, but registry entries and directory entries are to be backed up automatically, the procedure described under "ProCall DataCenter" can be followed.
ProCall DataCenter
The following data should be backed up regularly for each UCServer:
Directories
Directory | Content |
---|---|
<ucserver-rootdirectory>\ClientInstall (e.g. C:\Program Files\estos\UCServer\ClientInstall) |
|
<ucserver-rootdirectory>\config |
|
<ucserver-rootdirectory>\database |
|
<ucserver-rootdirectory>\linestates | Offline timestamp for all lines (including client lines) - backup not normally necessary |
<ucserver-rootdirectory>\logs | Log files - backup not normally necessary |
<ucserver-rootdirectory>\pending | Not yet sent "Call not answered" mails |
<ucserver-rootdirectory>\userstates | Presence and absence notification of users. When using ProCall DataCenter, this is already included in the Config DB. |
Registry
Keys | Content |
---|---|
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ESTOS\UCServer4\Server | Hashed or encrypted passwords and user/account names: Admin password, WebService password; JWT token-shared secret; separate logging/tracing settings; fine-tuning such as ADMaxRead |
Computer\HKEY_CURRENT_USER\SOFTWARE\ESTOS\UCServer4\Admin | Admin settings: Connection data of the last connection; encrypted credentials of the last connection, if applicable; manually set additional log settings for the admin |
ProCall UC Media Server service
The following data should be backed up regularly for each UC Media Server service:
Directories
Directory | Content |
---|---|
<ucmediaserver-rootverzeichnis>\emswindows\etc (bspw. C:\Program Files\estos\UCServer\MediaService\emswindows\etc) | Settings regarding network interfaces of the UC Media Server |
<ucmediaserver-rootverzeichnis>\logparams.txt | The created log files. Backup optional. |
The file used is referenced in the <ucmediaserver-root directory>. The correspondingly referenced .pem file must be backed up. See also the backup instructions for certificates.
Outsourced MediaServer
In the case of ProCall DataCenter, a media server can also be outsourced to a remote system. Please note that in this case, not only the media server service, but all installed services must be backed up.
ProCall UC Web Server
The following data should be backed up regularly:
Directories
The UC Web Server settings (network interfaces, logging, etc.) are persisted in the following directory:
<ucserver-rootverzeichnis>\config
(see "Specific requirements for the UCServer")
No settings are saved in the UC Web Server installation folder itself.
ProCall Chat/Journal database
In ProCall DataCenter and possibly also in ProCall Enterprise, chat and journal data (along with various other data) are stored in an SQL server database.
A suitable backup mechanism must be defined at SQL server level.
Folgende Daten sollten regelmäßig gesichert werden:
SQL Server database
The location of the database is specified in the UCServer administration on the "Database" page .
In ProCall DataCenter, the database is used by all UCServers in the multi-server environment.
ProCall configuration/user DB (ProCall DataCentre only)
With ProCall DataCenter, the configuration data is stored in an SQL server database.
A suitable backup mechanism must be defined at SQL server level.
The behaviour of all UCServers participating in the multi-server environment is defined via the database.
The following data should be backed up regularly:
SQL Server database
The location of the database is specified in the UCServer administration on the "Multi-server database" page .
Microsoft Active Directory (AD) - User administration
If "User administration with Active Directory Server" is active on the UCServer (see in the UCServer administration on the "User database" page), the UCServer saves data in the user, group and computer objects in the Active Directory.
The following data should be backed up regularly:
(A suitable backup mechanism must be defined at Active Directory level)
Attributes
Without schema extension, this only affects the "extensionName" attribute.
This attribute is not reserved exclusively for the UCServer; other applications can also store data here.
With schema extension , the UCServer saves data in all attributes that are assigned to the UCServer.
Which attributes are involved can be seen under "Advanced" on the "User database" page in the UCServer administration.
In this case, the attributes are used exclusively by UCServer. Further information can be found under the Schema reference link.
Redis Datenbank (nur ProCall DataCenter)
Die Nutzdaten in der Redis Datenbank sind flüchtig und müssen nicht gesichert werden.
MetaDirectory Enterprise
The following data should be backed up regularly for each MetaDirectory server:
Registry
These are not normally present, but if they are, they can be optionally saved.
Keys | Content |
---|---|
HKEY_LOCAL_MACHINE\Software\estos\MetaDirectory\Diagnostic | Special keys to enable extended debugging |
HKEY_LOCAL_MACHINE\SOFTWARE\ESTOS\MetaDirectory\Server | Special log file and database connection settings |
HKEY_CURRENT_USER\Software\ESTOS\MetaDirectory\Admin | Admin settings: Connection data of the last connection; encrypted credentials of the last connection, if applicable; window position, etc. |
Directories
Directory | Content |
---|---|
<MetaDirectory-rootdirectory>\config | Configuration of the MetaDirectory and the replicators set up |
<MetaDirectory-rootdirectory>\database |
|
<MetaDirectory-rootdirectory>\wwwroot | Configuration of "Services", "Terminals" and "Templates/Websites". Only needs to be saved if these settings have been manually adjusted in the admin and/or if the website templates have been manually adjusted. |
ECSTA
The configuration of an estos ECSTA is stored completely in the registry.
The following data should be backed up regularly for each ECSTA:
Registry
Keys | Content |
---|---|
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ESTOS\<ECSTA Name> incl. all substructures Example of ECSTA for Mitel OpenScape 4000: | Complete configuration of the ECSTA (instance-specific settings such as PBX connection and line list, but also log level etc.) |
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers | The TSP providers registered in the system |
Licences
The licence keys of all installed applications/components should be saved or noted in one place so that they can be re-entered if necessary.
Manual changes
If manual changes have been made to files, directories or registry entries that are not described here, these must also be backed up automatically or manually.
Frequency, timing and generations
Allgemein
An event-dependent data backup must be carried out before major changes are made .
ProCall UCServer
This applies in particular to changes such as more extensive changes to the end user base, changes to the multi-server environment (addition/removal of servers, changes to connected databases) and version changes (update, upgrade, ...).
MetaDirectory
This applies in particular to changes such as more extensive changes to the replicators and version changes (update, upgrade, ...).
Data recovery
ProCall Client for Windows
In the event of problems or data loss, the UCClient can be (uninstalled and) reinstalled (e.g. using packaging methods) to restore it to a functional state.
If only files and registry entries that were created by the setup during the UCClient installation have been lost, a repair installation is sufficient.
Configuration settings made by the user (such as added data sources, redirection profiles, etc.) are lost during a complete uninstallation and must be made again after a new installation.
These configuration settings are retained during an update installation and a repair installation.
To restore the configuration settings, the files created during the data backup can be restored.
It is recommended to do this:
- import the saved data from the .reg file into the registry.
copy the saved data from the file directory to the data directory.
The UCClient must not be executed during this step.
ProCall Mobile App (for Android/iOS)
If the app is no longer functional, it can be (possibly uninstalled and) reinstalled in order to restore it to a functional state.
The user must know the UCConnect ID in order to be able to reconnect to the UCServer via the login dialogue. The UCConnect ID or the local UCServer is usually provided automatically via the invitation email sent by the administration.
Some app settings may be reset to the default settings, especially if the app is installed on a different smartphone.
ProCall Client for MacOS
If the app is no longer functional, it can be reinstalled (and uninstalled if necessary) and is then functional again.
ProCall UCServer
If the UCServer does not start or crashes during startup, the cause can be found in damaged or deleted UCServer installation files or a damaged or deleted service definition of the "estos UCServer".
In this case, a repair installation of the UCServer is recommended.
All files not included in the installation remain untouched (startup files, log files, local SQLite databases, etc.).
The UC Media Server and UC Web Server components are also repaired.
The service definitions of UCServer, UC Media Server and UC Web Server are removed and recreated with default settings.
Alternatively, the UCServer can be reinstalled. If the files that are not included in the installation (startup files, log files, local SQLite databases, etc.) are to be retained, this can be specified during the uninstallation process.
Certificates and secrets
After reinstalling Windows or changing the DNS name, the computer normally requires a new certificate. TLS must be set up again so that the UCServer can use this new certificate:
- After the files and registry entries have been restored, first start the start menu entry "UCServer PRODUKTNAME Server Setup".
- There, select the only possible option "Update this UCServer PRODUCT NAME" and keep pressing until you reach the network interfaces.
- Check the TLS settings of each individual interface and enter the new certificate.
If this is not the case, it is possible to use the existing certificates.
ProCall Enterprise
A restore can be performed using the zip file created and saved during the data export. The zip file can be specified during the installation of the UCServer as part of the wizard. This is then used to reinstall and restore the UCServer.
The installation should be carried out in the identical UCServer version.
If the backup was not performed manually, but directory and registry entries were backed up automatically, you can proceed as described under "ProCall DataCenter".
ProCall DataCenter
Restoring the UCServer installation to an old status is achieved by
- Installing the UCServer (in the identical version).
Attention: Cancel the "estos UCServer - Setup" automatically started at the end of the installation in the first dialogue. - Restore the backed up folders in <ucserver-rootdirectory>
- Restore additional customisations made in the service definitions
- Restoring the registry entries
- Restore the TLS settings of the individual interfaces and import new certificates if necessary
- Start UCServer service
ProCall UC Media Server
The backed up data can be restored after a UCServer installation by copying the backed up directories.
ProCall Chat/Journal database
During a restore of the database, the UCServer or all UCServers of the multi-server environment must be stopped.
ProCall Configuration/User DB (only ProCall DataCenter)
Während eines Restore der Datenbank muss der UCServer bzw. alle UCServer der Multi-Server-Umgebung gestoppt sein.
MetaDirectory
Restoring the MetaDirectory installation to an old status is achieved by
- Installing the MetaDirectory (in the identical version)
- Stopping the estos MetaDirectory service
- Restore the backed up folders in <Metadirectory root folder>
- Restore TLS encryption if necessary
- The "estos MetaDirectory" service must then be restarted.
Restore TLS encryption
If TLS encryption is used, the fingerprint of the certificate to be used must be determined in the Windows certificate store and the value in the XML attribute "CertHash" in the file <MetaDirectory-Rootfolder>\config\ListeningInterfaces.xml must be replaced with the fingerprint of the new certificate for each entry.
- The "estos MetaDirectory" service must then be restarted.
ECSTA
Restoring the ECSTA installation to an old status is achieved by:
- Installing the ECSTA driver
Please cancel the configuration started at the end of the installation! - Restore the configuration by importing the saved .reg file
- Add an instance of the driver in "Phone Driver Options Advanced"
Ff the recovery is carried out as part of a new installation of the Windows operating system, the .reg files must be imported before all TSP instances (including non-estos instances) are set up!
Background: The key "*\Telephony\Providers" contains all instances registered in the system and the assignment of the instances is done by a sequential number which is otherwise assigned incorrectly.
If this cannot be ensured, the following (manual) alternative method can be used for backup/restore:
Backup
- Back up the registry HKEY_LOCAL_MACHINE\SOFTWARE\ESTOS\<ECSTA-Name> including the subkeys (Provider<x>)
- Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers, determine and remember the name of the ECSTA file (e.g. ecsmxone.tsp)
Recovery
- Install ECSTA and cancel the wizard to create an instance
- Manually add a new TSP instance under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers:
- Create new REG_SZ ProviderFilename<n>, with n = next free value (should match the value in NumProviders)
- Enter the name of the tsp file as the value ecsmxone.tsp
- Create a new REG_DWORD ProviderID<n> (same n as above) and remember it (we need the decimal value below, not hex)
- Enter the value from NextProviderID in ProviderID<n>
- Increase the values in NextProviderID and NumProviders by one each
- In the saved reg file, replace the path "Provider<x>" with "Provider<ID saved in 2c>" and save
- Import the modified reg file
- If the telephony service is running, restart it or reboot the computer
Licenses
Online licenses
Online licences are stored in the UCConnect server account. If the same UCConnect account is used for the new installation, the licences are automatically transferred.
ProCall DataCenter licenses
ProCall DataCenter licences are stored in the configuration database and do not normally need to be entered again.
Offline licences
The licence keys of all installed applications/components must be restored manually by entering them in the applications. As the hardware ID usually changes when the systems are completely reinstalled, the licence must be rebound.
Manual Changes
If manual changes have been made to files, directories or registry entries that are not described here, these must also be made again (by restoring or entering them manually).
Further information
Data export via the UCServer administration
Data import via the UCServer administration
Privacy-friendly default settings (Art. 25 GDPR)