Commvault Backup as a Service (Self-Service) Quick Start Guide 4th August 2020

2

Contents

Getting Started with Commvault ........................................................................................3

Step One – Initial application setup.................................................................................. 9

Step Two – Configuring your Service Catalog ............................................................... 11

Step Three – Onboarding your first tenant ................................................................... 16

Step Four – Adding a tenant Hypervisor ........................................................................ 21

Post Setup................................................................................................................................. 25

Generating your first tenant usage report .................................................................... 31

3

Getting Started with Commvault

This Quick Start Guide will enable you to set up a simple Data Center – Backup as a Service

(BaaS) offering and perform data protection, recovery and billing operations.

This guide is intended for service providers that provide Self-Service Infrastructure as a Service

(IaaS) or dedicate an entire hypervisor host to an individual customer. If you provide IaaS

resources from a shared pool, see – Quick Start Guide (Fully Managed) for quick start setup.

The Data Center – Backup as a Service is intended to protect Virtual Machines, Servers and a

limited set of applications, located within your data center. There are three (3) Service Levels –

Essential, Standard and Premium. This guide will also cover the creation of additional backup

copies (i.e. offsite Disaster Recovery copies).

Note: This guide provides a starting point for your BaaS service. You are free to extend or modify

your service levels in accordance with your customer needs.

DATA CENTER BACKUP AS A SERVICE

- Application Aware refers to Microsoft Volume Snapshot Service (VSS) supported applications.

- Full application agents refers to Commvault Backup agents installed in guest VM or server.

- RPO refers to Recovery Point Objective, the frequency by which backups are run.

Protected workloads will reside on VMware or Hyper-V hypervisors only, with limited use of

filesystem and application agents where customer required.

Before we begin, let’s start with a quick understanding of the Commvault components.

4

KEY COMPONENTS

Command Center: The Commvault Command Center™ is the HTML5-based administration portal

for all Commvault operations. Command Center allows you, the MSP to manage your environment

and offer self-service capability to your end-users (tenants).

CommServe® (CS): The CommServe is the central management component of the data

management environment (basically the brain). It coordinates and executes all CommCell

operations, maintaining Microsoft SQL Server databases that contain all configuration, security,

and operational history for the CommCell environment.

MediaAgent (MA): The MediaAgent is responsible for data movement (Backup and Restore). It

provides high-performance data movement and manages the data storage libraries. The

CommServe server coordinates MediaAgent tasks. For scalability and resiliency, there can be

more than one MediaAgent in a CommCell environment.

Virtual Server Agent (VSA): The Virtual Agent is a software module that is installed on a computer

to protect a specific type of data (i.e. A Hypervisor). Different agent software is available to

manage different data types on a client. Software agents are not required on virtual machines

when using the VSA.

Downloading the Commvault Software

To get started, you can download the Commvault software trial before your final account and

license details are generated. Point your browser at learn.commvault.com/trials > and click the

START YOUR 30-DAY TRIAL BUTTON (link >).

NOTE: The reason you are asked for contact details is so that Commvault can provide you

support during your trial. Rest assured Commvault keeps your privacy secure and will not release

these details or use them for anything other than facilitating your trial support activation (see

Commvault Privacy Policy >).

Commvault documentation is available at the link below, but this guide Is structured to get you

up and running quickly by linking you to the relevant information in Commvault documentation -

documentation.commvault.com >

5

Once you submit your information with the Download my trial button you will receive credentials

to store.commvault.com > where you can download the Commvault Express installer >. This

small bootstrap installer will be used to quickly download the latest Commvault software onto

your server (sizing details for your server are included in this guide below).

NOTE: The bootstrap installer will need a functioning Internet connection to perform the

installation. If you do not have an Internet connect, execute the installer on a PC that has

connectivity and choose Download package to install on a different computer, then copy the

files to your trial server.

See information below to size your environment before beginning your install.

For trial assistance, you can:

• Consult the Trial Quick Start Installation > (pdf)

• Email trials@commvault.com >

• Call Commvault (Telephone-Based Support >) ye s you c an c al l du r in g you r t r ial se tu p

Your BaaS environment may range from an initial incubation trial to a planned large-scale

Production footprint. There are two (2) configurations provided below:

• Small to minimize your initial costs and infrastructure requirements to get

your BaaS platform running. Use this if your compute platform is new and still

growing.

• Large to start with a 100TB of c lient data in an already established compute

platform to be protected.

Small Environment Requirements for up to 15 TB of Client Data

Commvault recommends you start with a system that can handle your initial 6 month expected

workload, so get started with a virtual or physical server, with:

• Microsoft Windows Server 2019 (all editions) or 2016 (all editions)

• 4 CPU/vCPU cores

• 16GB RAM

• 100GB Diskspace for CommServe software and MS SQL database (E: \)

This will handle up to 25 physical servers, 100 virtual machines, and 200 laptops.

You will also need at least one Media Agent to perform backup and restoration operations from

backup media (disk, cloud, tape).

NOTE: In the Data Center – Backup as a Service (BaaS) catalog all backups are held on disk-

based devices in either the Primary or the Secondary data center. If you are implementing a

6

Hybrid Cloud BaaS service, head to partners.commvault.com > for an equivalent Build Guide for

Cloud solutions.

To get started quickly – you can install the Media Agent on your CommServe, you simply need to

ADD the following components to the specification (above): Your media agent will be performing

data movement, deduplication, and storing index caches.

• 2 CPU/vCPU cores

• 16GB RAM

• 10GB Diskspace in software_installation_directory (E:\)

• 200GB Diskspace for storing Job Results (F:\)

• 200GB Diskspace for storing Deduplication Database (DDB) (G:\)

• 400GB Diskspace for storing Index Cache (H:\)

This will permit protection of 5-15TB of client data before requiring a scaling up of resources.

NOTE: Please review the I/O requirements for the Deduplication Database and Index Cache drives

(Hardware Specifications >). These I/O requirements are mandatory and directly impact the

performance of your backup solution.

Large Environment Requirements for up to 100 TB of Client Data

Commvault recommends you start with a system that can handle your initial 6 month expected

workload, so get started with a virtual or physical server, with :

• Microsoft Windows Server 2019 (all editions) or 2016 (all editions)

• 12 CPU/vCPU cores

• 64 GB RAM

• 300 GB Disks for CommServe software (E:\), MS SQL database (F:\), and logs

(G:\)

This will handle up to 2500 physical servers, 5000 virtual machines, and 10000 laptops.

See Hardware Specifications for the CommServe Server >

You will also need at least one Media Agent to perform backup and restoration operations from

backup media (disk, cloud, tape). Commvault recommends deploying at least two (2) Media

Agents to provide resiliency and continued service when one MA is unavailable (Deduplication

Two Partitioned Mode >).

In this configuration you will need to build out two (2) separate (physical or virtual) Media Agent

with the following specs:

• 12 CPU/vCPU cores

• 64 GB RAM

7

• 400GB Diskspace for Commvault software + Job Results (E:\)

• 1.2TB Diskspace for hosting Deduplication Database (DDB) (F: \)

• 1TB Diskspace for hosting Index Cache (G:\)

NOTE: Please review the I/O requirements for the Deduplication Database and Index Cache drives

(Hardware Specifications >). These I/O requirements are mandatory and directly impact the

performance of your backup solution. All disk requirements above require SSD backed disks.

This configuration will permit protection of 160TB of front-end client data before requiring a

scaling up of resources.

For custom sizing please reach out to your local Commvault account representative.

NOTE: Commvault defines a front-end TB (FETB) as a TB of written client data, prior to

Commvault compression or deduplication. FETB is measured at the client, before Commvault

moves it from the client to backup store.

Installing the Commvault Software

You may follow the Trial Quick Start Guide for installation instructions. The instructions below

are identical but will continue to build out your services catalog. To get started it is

recommended to have a 100GB dedicated volume (i.e. E:\) to install the Commvault software and

database.

1. Log on to your CommServe as an Administrator (local or domain)

2. Copy the CommvaultExpress_R80_SP20_ddMonthYY.exe file to a local folder

3. Execute install file, read EULA, and select I Agree then > to continue

4. Select Install packages on this computer then > to continue

5. Change installation path as E:\Program Files\Commvault\Contentstore then > to

continue

Note: If you do not have a separate volume you may leave the default installation path on C:\ for

your initial trial deployment.

Installation will now begin. As an indicator, installation on an Amazon m5a instance (4 x vCPU,

16GB RAM) takes 35 mins to complete. Once complete – click the

https://commserve/adminconsole URL to launch your default browser and complete initial

setup, and then click Finish to close the installer.

NOTE: You have not yet installed SSL certificates in your CommServe, so accept any browser

warnings related to unsecure communications. You can correct this error after install by following

Configuring Secured Access for Web Applications (Command Center) >

8

Creating a default administrator account.

After installation, a default CommServe-local Commvault administrator account is automatically

created, enter the required information for your Commvault administrator (Note: per-user

administrative accounts are recommended for traceability):

1. Enter an Email address

(NOTE: This will create an account on the Cloud Services > website)

2. Enter a Password

3. Click Create account button

Note: If you already have a Commvault Cloud Services account, please use your existing

username and password.

Your password will need to comply to these conditions:

• Be at least 8 characters long

• Include at least one number

• Include at least one lower-case character

• Include at least one upper-case character

• Include at least one special character

Once the software has registered, you will be redirected to the Commvault Command Center™

login page. Enter the credentials you used to register the CommCell and click Login.

Note: Your username is admin -or- the email address used during registration...

The remaining steps will take place in the Commvault Command Center.

Click OK to accept the Commvault trial warning.

9

Step One – Initial application setup

When you log into the Command Center for the first time, a wizard will guide you through the

initial application setup. After you complete this core setup, you can complete quick start setup

specific to the applications you protect (e.g. Hypervisors, Databases). See Completing the Core

Setup Wizard (Command Center) for more detail.

Note: It is recommended to have a default backup library ready before commencing application

setup. You will need:

• A local drive (*attached to CommServe) -or- Network Attached Storage (NAS) share for

your backup data with no more than 15TB of client data to protect (Small environments).

• A dedicated local SSD drive (*attached to CommServe) with 600GB free size for DDB and

Index Cache (see Hardware Requirements >)

* during initial platform setup below, it is assumed that you only have one data mover or

MediaAgent, which is the CommServe itself. As your platform scales the data movement function

will normally reside on a separate server.

Performing initial Setup

1. Click Let’s get started > button

2. Add storage by supplying the following information and click Save

• Name: _SystemDefault (prefix is used to indicate system usage)

• MediaAgent: (select your CommServe)

• Type: Select Local or Network

• Backup location: select/create a folder to store data when it is backed up

(e.g. G:\_SystemDefault)

10

• Deduplication DB location: select/create a folder to store the Deduplication

Database (e.g. F:\_SystemDefault-DDB)

3. Create a default server backup plan by supplying the following information and clicking

Save

• Plan name: _Default (prefix is used to indicate system usage)

• Copies (backup copies that will be held)

i. Primary _SystemDefault 1 Months retention

• RPO - Runs every 1 Days

• Start time – 09:00 PM

Note: This is a default server backup plan used to protect your Commvault infrastructure. You will

configure your customer-facing backup plans separately.

You have now finished initial setup – click Dashboard (left) to view your configured CommCell.

Get notified of critical events

At a minimum, the platform administrator should be notified of any critical events requiring

attention. To provide email server information for Commvault alert delivery, perform the following:

1. Click Guided setup (left-pane)

2. Click Configure email quick task (right)

3. Supply your company SMTP server, port and authentication details

(if required in your organization)

4. Click Test email and confirm you receive the test email (see status in top of window)

5. Click Save button

Commvault will notify the administrator of critical and anomalous events by default.

(Alerts and Notifications – Predefined Alerts >)

Alternatively, you can forward alerts from the Commvault system to your centralized Event

Management system using SYSLOG > or SNMP >.

Downloading the latest software

While you perform further setup, the Commvault system can download the latest software onto

your CommServe, from your Guided setup page:

1. Click the Download/copy software quick start

2. Leave default as ‘Download software using – Internet’

3. Leave default as ‘Latest hotfixes for the service pack’

4. If you have Linux systems to protect, add Unix – Linux X86_64 to your download

5. Click the Download button

The latest software will be useful if you have a need to push application agents to clients to be

protected. This is covered below in Installing Application Agents on Clients (optional) >.

11

Running your first DR backup

While the software downloads, let’s run your first Disaster Recovery backup.

1. Type Disaster into the top-bar search box, click Manage > System > Maintenance

2. Click the DR backup (Daily) tile

3. Click theicon to perform a DR backup to default location C:\DR

4. Select Full (default) and Enable database backup compression (default) and click Run job

5. Click view job details to monitor backup progress real-time -or-

Type Jobs in left-pane search and select Jobs menu.

Configure offsite DR backups

When the initial DR backup is complete, it is recommended to navigate back to Manage >

System > Maintenance > DR backup (Daily) and click the icon to configure at least one of

the following:

• A network share location for the Backup metadata destination (not on CommServe)

• Upload backup metadata to Commvault cloud > (recommended)

• Upload backup metadata to a cloud library > (recommended)

Commvault will retain one (1) database copy for FREE in Commvault controlled cloud (Azure).

Commvault recommends configuring a Cloud library for retention of at least fourteen (14) days,

this allows recovery from an event that may go unnoticed for a period of 1-2 weeks.

Step Two – Configuring your Service Catalog

The next step in configuring your multi-tenanted Backup as a Service (BaaS) platform is

configuring your Service Catalog. Commvault implements your Service Catalog as Plans. A Plan

defines what to protect, how often and where to keep backup copies.

The table below summarizes the default Data Center Backup as a Service (BaaS) plans for

Essential, Standard, and Premium. Essential is the most basic offering with features and monthly

cost increasing with each service level.

Plans

Service Plan Primary copy, Retention Secondary copy RPO

Essential Primary-Site1, 15 days - 24 Hours

Standard Primary-Site1, 30 days - 24 Hours

Premium Primary-Site1, 15 days Secondary-Site1, 30 days 8 Hoours

Premium-Offsite Primary-Site1, 15 days Secondary-Site1, 30 days 8 Hours

Standard-Offsite Primary-Site1, 30 days Secondary-Site1, 30 days 24 hours

12

These Service Plans will be sufficient for protecting your Virtual Machine, Server and Application

workloads both on-premises and at remote sites (co-location facilities). Long Term Retention

options have been excluded from initial setup.

Adding your Storage

Before your service plans can be created, you will need your storage locations provisioned and

available to Commvault. You will require a Primary storage location in the same data center as

the protected workloads, and another at a Secondary or remote location.

These storage locations may be – Cloud >, disk >, or tape libraries.

Adding Disk Storage

1. Navigate to Storage > Disk menu

2. Click Add (right)

3. Enter a Name (i.e. Primary-Site1)

4. Select the CommServe as the MediaAgent

5. Select a Type (Local or Network)

6. Provide a Backup Location

7. Provide a Deduplication DB location

8. Click Save

Adding Cloud Storage

1. Navigate to Storage > Cloud menu

2. Click Add (right)

3. Enter a Name (i.e. Secondary-Site1)

4. Select a Type (i.e. S3 Compatible Storage)

5. Select the CommServe as the MediaAgent

6. Enter S3 endpoint hostname/address

7. Enter Bucket name to store backup data in

8. Provide Credentials

9. Provide a Deduplication DB location

10. Click Save

Commvault recommends leveraging disk-based libraries for all your data-center BaaS backup

copies and cloud (or tape) libraries for long-term retention or archival data only.

Tip: Your Cloud provider may provide a method to present access to their S3/Object service

inside your virtual cloud network vs. traversing the Internet, configure direct access if available

(e.g. Gateway VPC Endpoints >).

Follow the links above for the process to add your Disk and/or Cloud Storage.

NOTE: Each Storage location will require a dedicated SSD drive to locate the Deduplication

DataBase (DDB) and Index cache data. The size of the SSD drive is dependent on the amount of

13

client data being sent to the Storage Pools, see Hardware Specifications for Deduplication

Mode >.

In the example above, there is a Primary-Site1 disk backup stored locally and a Secondary-Site1

cloud copy created for offsite / Disaster Recovery retention.

You may now proceed to Plan creation (below).

Adding your Plans

You may now configure your Service Plans by performing the following:

1. Navigate to Manage > Plans

2. Click Create plan (right) > Server backup

3. Supply the Plan name (see table below)

4. Click Add to add backup destination copies as required by service (see table below)

a. You will need to perform an Add for both your Primary and Secondary copy.

5. Set the RPO – Backup Frequency

6. Click Save button

Repeat for each Service Plan detailed (below). Other options may be left as default.

14

Tip: Using a numeric prefix to each plan enables tracking of your services history

Plan

Name

Primary

Copy

Primary

Storage

Retention

Period

Secondary

Copy

Secondary

Location

Retention

Period

RPO

1_Essential Primary Primary-Site1 1 Months - - 1 Days

2_Standard Primary Primary-Site1 1 Months - - 1 Days

3_Premium Primary Primary-Site1 15 Days Secondary Secondary-Site1

1 Months 8 Hours

4_Standard (+Offsite)

Primary Primary-Site1 1 Months Secondary Secondary-Site1

1 Months 1 Days

5_Premium (+LTR_1y)1

Primary Primary-Site1 15 Days Secondary Secondary-Site1

1 Months 8 Hours

5_Premium (+LTR_7y)2

Primary Primary-Site1 15 Days Secondary Secondary-Site1

1 Months 8 Hours

1 Secondary copy - Extended retention rule: Monthly Fulls, retained for 12 months 2 Secondary copy - Extended retention rule: Yearly Fulls, retained for 7 years

Extended retention is configured by enabling the Extended retention rules for a backup

destination and selecting the required backup Type and Retention period (see below)

15

See Plans > for more details, including Setting Default Plans > for new infrastructure.

Tailoring the user experience

In our BaaS solution, we will offer Virtual Machine, File-Server and Database backup only. Perform

the following to disable the user interface options associated with other data types:

1. Navigate to Manage > Customization

2. Click the Navigation tile, under Navigation preferences

3. Uncheck the following menu items that are not required for your Self-Service IaaS BaaS

service, for the Tenant admin, Tenant user columns:

a. Guided setup

b. Protect – Laptops, Applications (all)

c. Activate

d. Orchestrate

e. Manage – Plans, Regions

f. Network

g. Web console – My data

h. My Apps

4. Click the initial landing tab, select Company dashboard for the Tenant admin

5. Select Virtual machines for the Tenant user.

6. Select Company dashboard for Restricted user

7. Click Save, click Yes to confirm save.

Plans visibility is only required if your tenants needs to see the backup filters and exclusions you

have configured.

Note: Be aware these changes affect all tenants that are consuming your service. If you would like

to make changes specific to a Company, use the Navigation preferences tile for a company.

Warning: Do not navigate away from the Navigation preferences page during configuration or

you will lose your customizations.

16

Step Three – Onboarding your first tenant

Commvault utilizes a virtual construct called ‘Companies’ to represent a tenant within the shared

Commvault platform. To onboard a new tenant for Backup as a Service (BaaS) you will create a

‘Company’ with an associated administrator and users.

Creating a company

To onboard your first tenant, perform the following:

1. Navigate to Manage > Companies menu

2. Click Add company (right)

3. Enter the following details and click Save

• Company name

• Email (of the tenant administrator)

• Contact name (of the tenant administrator)

• Plans (select all service plans tenant can

subscribe to)

• Company alias enter a short alias for the

tenant

• Associated SMTP enter the email domain for

tenant

• Send welcome email toggle, leave enabled

(default)

• Ensure Auto discover applications is

disabled (default)

Application auto-discovery: Auto discover applications will run a scan on all systems within the

tenant every twenty-four (24) hours. If a supported application is identified, its Commvault

software agent will be pushed installed on the host. This feature should be disabled, as only

Premium customers receive application-agent based protection.

Tenants are emailed a welcome email and one-time password setup link – if welcome email is

enabled. If you will be configuring Single Sign On (SSO) authentication > for your tenants, it is

recommended to disable Send welcome email, as the users will use a previously supplied

password.

You can customize the email template to customize branding and welcome information per

Company – see Adding an Email Template >.

Enabling tenant solutions

When your tenant admin logs into the Command Center, they will be prompted to enable

protection for one or many solutions. Customize which solutions will be displayed, as follows:

1. Click the Company name

17

2. Click Edit on Supported solutions General setting

3. Enable File server, Virtualization and Databases (to match your Service Catalog)

4. Click OK

Activating an authcode for client installation

Commvault recommends activating Authorization Code(s) or authcodes for client registration

for each tenant. Please see Enabling Authorization Code for a Company > to complete this task.

Click Requires authcode for installation within the Company General settings tile.

Setting a default plan

To set a default plan for new infrastructure, you will need to login as the Tenant Administrator.

You may temporarily login as a tenant admin by selecting the company name (top-right) in the

Command Center™. See below

1. Select a default Server Plan

2. Select Do not ask me again,

3. Click Save

NOTE: Default plans will automatically associate new infrastructure with the default plan, consider

whether you want newly registered systems to receive BaaS services without customer

acceptance of terms and conditions.

Creating a Virtual Server Agent

In order for your tenants to protect their virtual infrastructure, they will require a dedicated

Virtual Server Agent (VSA). Provision a virtual machine within the customer network with the

following specifications (VMware >, Hyper-V >)

• Microsoft Windows Server 2012 – 2019

• 2 x CPU/vCPUs

• 24GB RAM

See Hardware Specifications for Virtual Server Agent > for scaling-up this host to handle up to

120TB or front-end TB client data.

Commvault refers to this host as a Virtual Server Agent, Access Node and/or a Proxy Client

throughout its documentation. This host will require a Layer 3 network path to the Hypervisor

hosts that host the tenant workloads.

18

Note: For Hyper-V deployments, the Virtual Server Agent is installed directly onto the Hyper-V

Server (documentation).

Configuring one-way network communication from tenants

In most multi-tenanted configurations, tenant networks utilize RFC1918 addressing with Network

Address Translation (NAT) to a service provider services network. Commvault must be

configured to ensure that all client communications will be tunneled over a one-way tunnel from

the tenant network towards the CommServe (on port 8403) and associated infrastructure.

This is a one-time setup task and will automatically apply to all tenants automatically.

This configuration allows tenant infrastructure to have overlapping IP addressing without

affecting backup and recovery services.

To configure Commvault to only accept incoming connections from tenant infrastructure you will

create a network topology to inform Commvault of the underlying network design. This will

consist of two (2) groups:

– Network - All <Tenant> Infrastructure and

– All Infrastructure.

To setup these groups:

1. Type Groups in left-pane search box

2. Click Add

3. Name the group, for example MSP.IO - Infrastructure

4. Select Manual association

5. Select all infrastructure residing the the MSP ‘restricted’ (non-tenant) network space.

6. Click Save

7. Click Add

8. Name the group, for example Network – All <tenant> Infrastructure

9. Select Automatic association

10. Click Add rule

11. Select Package installed, any in, File System Core, click Save

12. Click Add rule

13. Select Associated client group, not equal to, MSP.IO - Infrastructure, click Save

14. Click Add rule

15. Select Company Client Provider Associations equal to <Tenant>, click Save

16. Click Preview to ensure all infrastructure (except CommServe) is listed.

19

17. Click Save

Next create the Network Topology to describes the permitted network flows between these

groups:

1. Type Network in left-pane search

2. Select Network Topologies tile

3. Click Add topology

4. Enter Ensure one-way traffic from

tenants name

5. Select Servers as the client type

6. Select One-way as the topology type

7. Select Network – All <Tenant>

infrastructure as group Servers

8. Select MSP. IO - Infrastructure as group

DMZ Servers

9. Click Save

10. Select Actions > Push configuration

Creating a custom package

Your tenants will most likely be isolated on their own network. It is common for most MSPs to

utilize private addressing (RFC 1918) addresses in these networks, and only permit tenant to MSP

network communication.

If this matches your configuration – you will need a create an Installation package for your

tenants to install the initial Virtual Server Agent software. Once a VSA is established, a Remote

Software Cache > may be established inside the customer network for subsequent agent

installations.

To create a VSA package:

1. Login to the CommServe as an Administrator

2. Locate the Installation Source you used to install the CommServe.

3. Rename install.xml to install.old

4. Run Setup.exe, choose Language, and click >

5. Enable I agree, and click >

6. Select Create a custom package to install on a different computer, and click >

20

7. Deselect, and reselect Windows > WinX64 (default), and click >

8. Select New Installations, and click >

9. Select Select Packages, and click >

10. Enter a new folder for the package to be stored (E:\VSAPackageLocation), and click >

11. Select Virtualization > Virtual Server, and click >

12. Select Include Third Party packages

13. Select Include .NET Framework 4.0 Installer

14. Select Create self-extracting executable, and click >

15. Click Finish

You will need to copy this file to your newly created Virtual Server Agent VM / host for

installation. Commvault provides a web-based Download Center > as a built-in file-share server

for making packages available to your tenants.

Installing the Virtual Server Agent

Your customer will need a VSA to connect to their Hypervisor for protection. To install the initial

Virtual Server agent:

1. Login to your newly provisioned Virtual Server Agent VM as an Administrtaor

2. Execute the WinX64.exe created in previous step

3. Accept the default Destination Folder (C:\Program Files\Commvault\installer), Extract

4. Choose Language, click >

5. Select I Agree, click >

6. Select Install packages on this computer, click >

7. Select Virtualization > Virtual Server, click >

8. Enter a Installation Path, click >, click >

9. Select Configure Comunication services

a. Select This machine can open connection to CommServe on tunnel port

10. Click >

11. Click > to accept Client Name, and Host Name

12. Enter your commserve client name and fully qualified hostname/IP name, click >

13. Leave the CommServe HTTP/HTTPS tunnel port number: as 8403 (default), click >

14. Click > to skip HTTP Proxy information (if there is no proxy to access commserve)

15. Click > to skip providing a per-client certificate

16. Select Enter Authcode, enter authcode from the tenant company configuration, click >

17. Click > to skip Plan selection

18. Click Finish

Note: These answers can be recorded in the VSA package to simplify tenant self-service VSA

installation (Creating a Custom Package for Windows Computers Using the Download

Manager >).

The VSA will be installed and registered with the CommServe as owned by the tenant.

21

Note: It is crucial to enter a authcode during install, this flags the VSA as dedicated to the tenant.

Enabling security roles for tenant use

Once you have workloads protected, your tenant administrators will want to grant self-service

management capability to individual users or user groups. In order to enable Commvault built-in

roles, you will need to publish roles to each of the tenants. To unlock standard roles for tenant

use:

1. Type Roles in left-pane search box, click Manage > Security > Roles

2. For VM End User role, click the role name, select Visible to all

3. Click Save

This is a one-time setup task and will apply to all tenants.

Step Four – Adding a tenant Hypervisor

Now that you have finished the core setup it’s time to setup for Infrastructure as a Service (IaaS)

platform protection. The following steps will enable the Virtualization solution and add a tenant-

dedicated Hypervisor host(s) for protection.

Note: In this setup, you will be protecting Self-service Infrastructure, each tenant has their own

Hypervisor infrastructure, Virtual Machines, and Applications. Restore requests are expected to

be performed by the customer or via tickets logged to your Service Desk.

Creating tenant hypervisors

In order for your tenants to onboard their own Hypervisor, they must have role-based access into

a shared hypervisor -or- dedicated infrastructure (i.e. Hyper-V physical host per tenant). The

steps below assume you tenant has been setup on a dedicated hypervisor host and role-based

access provided per the link below.

Configuration of vSphere User Accounts >

Onboarding your Hypervisor

The tasks below may be completed by Switching login to the Tenant Admin, or provided to the

customer so they can self-service onboard at their own leisure.

To add the tenant Hypervisor for protection:

1. Click Protect > Hypervisors > Add hypervisor button

2. Select vendor either VMware vCenter > or Microsoft Hyper-V > and supply the

following information and click Save

• Server name (of hypervisor access point)

• Hypervisor display name (i.e. MSP.IO – Fully Managed Infrastructure)

• Username (of hypervisor administrator)

22

• Password (of suitable administrator account on hypervisor)

• Access nodes (this is CommServe for initial setup)

3. Provide a VM group Name (i.e. Essential VMs) and matching Plan (i.e. 1_Essential), and

click Finish button

a. Select the specific VMs you would like to be protected on this plan

(if you have VMs already provisioned)

You will be redirected to your newly created VM group, click the Configuration TAB to view the

detailed configuration information. A backup will be started automatically for selected VMs, you

will be redirected to the Active jobs monitor to view the progress. Only the first VM group

creation will trigger an automated backup.

TIP: It is recommended that Infrastructure within your Hypervisor platform are grouped (by

Resource Group, VM Folder) or tagged to identify customer service plan (see below for VMware

vCenter tagging example).

If tags or grouping are utilized, Commvault can auto-discover new Virtual Machines and protect

them with appropriate service plan. Where tags are not available, Commvault has a broad

selection of metadata to auto-discover and map hosts to a plan (see Add rule options above).

Setting virtual machine backup type

Each of your service plans provides a differentiated method of protecting the underlying

application data. Configure the Virtual machine backup type by clicking Edit in the VM Group

Setting tile and selecting the following settings. Remember your Service Catalog provides a

staggered value approach:

• Essential plans receive crash consistent protection only.

• Standard plans receive AppAware protection (needs service account on host)

• Premium plans receive Application agent protection (needs agent install on host)

Plan Name Backup type

1_Essential Crash consistent

2_Standard Application Aware

3_Premium File system and application consistent (you will install a app. agent later)

23

4_Standard (+Offsite) Application Aware

5_Premium (+LTR_1y)1 File system and application consistent (you will install a app. agent later)

5_Premium (+LTR_7y)2 File system and application consistent (you will install a app. agent later)

Once configured, you should click the Backup button on each of your VM Groups to validate

successful backup execution, all Incremental backups will be converted to Full for first backup.

Best Practices

If utilizing storage array snapshot technology, it is recommended to place Virtual Machine (VMs)

in dedicated datastores or volumes aligned to their service level.

The reason for consolidating hosts on common service plans is that a storage array snapshot will

capture ALL VMs in a given datastore. Co-locating all VMs with common service levels will reduce

the size and overall footprint of the storage snapshot.

Onboarding a Virtual Machine to a user

Now that you have one or many virtual machines protected, you can assign self-service

permissions to tenant users. You will need to create additional users for your company, per

Creating a User > instructions.

1. Login as admin to Command Center.

2. Click Dashboard (left-pane)

3. Click VMs

4. Click the Name of the Virtual Machine you want to assign

5. Click the Configuration tab

6. Click Edit in the Security tile

Assign permission as one of the following. Permissions may be added to an individual user or a

group of users (recommended):

• <tenant>\<user> user as a Owner

• <tenant>\<user> user as a Tenant Admin role

• <tenant>\<user> user as a VM End User Role

Note: There is no need to assign <tenant>\Tenant Admin or <tenant>\Tenant Admin group as

these users/user groups have automatically been granted the Tenant Admin role.

Features Tenant Admin

Role

VM

Owner

VM End User

Role

View VM protection history, SLA ✓ ✓ ✓

Ad hoc Backup1, Suspend, Resume, Kill ✓ ✓

24

View jobs, job details, logs ✓ ✓ ✓

Restore – guest files (in-place, out of place) ✓ ✓ ✓

Restore – virtual machine files (vmdks, disks) ✓

Restore – attach disk to existing VM ✓

Restore – full VM (in-place, out of place2,3,4) ✓ ✓ ✓

Restore – download files (in browser) ✓ ✓ ✓

Restore – Live recovery ✓

Restore – Live mount ✓

View or change service plan ✓

Assign additional VM owners, associations ✓

1 Users may initiate Incremental only protection.

Full backup must be run the Tenant Admin or via MSP Service Desk request.

2 New VMs (restores) will not be visible until at least one backup has run on them.

3 New VMs (restores) will not inherit their source VM permissions, Tenant Admin will need to

grant self-service user permission/ownership after restoration. 4 New VMs (restores) will not be restored into ESX VM folders, MSP will need to migrate these

systems to their appropriate VM folder (if folders are used).

WARNING: As of Commvault v11.19 vCenter tags are not correctly restored. As vCenter tags are

used to assign VMs to Plans, the newly created VM will not be protected. The Tenant Admin will

need to manually assign the VM to a VM Group and request the application of the ‘Service Plan’

vCenter tag via Service Desk request.

Items marked with a cross will require the user to contact their Tenant Admin to complete -

or- log a Service Desk request to be actioned.

Note: If your commserve is utilizing internal DNS, you may need to edit the /etc/hosts file on your

ESX infrastructure and enter an entry from each of the Media Agents that will handle Live

Recovery, Live Mount VM restoration. Commvault will mount a temporary NFS datastore from the

Media Agent to the ESX host during recovery (ports 111, 2049)

Running an adhoc backup

Performing your first self-service data protection operation is simple. Follow the steps below to

complete a protection job.

Performing an ad hoc backup, as the MSP Administrator:

1. Navigate to Protect > Virtualization (or your solution of choice)

2. Select VM groups from the top menu and click the ellipses … and choose Back

up.

25

3. Click backup from the top right to select your desired backup type (Full,

Incremental, Synthetic).

4. Upon selecting your backup type click Ok .

5. Click view job details from the popup box that displays. You will be taken to

the Job Monitor.

You can monitor and control the status of the job from the Active Jobs page.

WARNING: At least one (1) backup must have been run from a Virtual Machine before it can be

assigned self-service permissions, like assigning owners / operators.

Post Setup

Registering your installation and activating Cloud Services

By now you have you trial Commvault software setup and you are running backups for a set of

test tenants and virtual machines.

When your MSP commercial agreement is completed with Commvault, register your CommServe

computer on the Cloud Services portal. For more information, see Registering a CommServe

Computer on the Cloud Services Portal >.

Once registered you may start using the value-add features of the Cloud Services Portal,

specifically:

• Downloads

• Reports

• Remote monitoring

For more information on registering your administrators for Cloud Services usage, see

Commvault Cloud Services – Register Your Product.

Enabling single file recovery for Linux hosts

By default, your initial installation will not allow single-file or folder recovery from Linux Virtual

Machine host backups. To enable the mounting of Linux file-systems and single-file recovery you

will need to:

• Provision a new virtual Linux Media Agent in the tenant network

• Install the Media Agent and Virtual Server Agent software on the host (docs >)

• Modify the Tenant Hypervisor definition to include the newly registered MA as a File

Recovery Enabler for Linux (Specifying the Default File Recovery Enabler >)

26

Enabling automatic software pushes to VMs

Where you will be providing Application Aware protection > for tenant VMs (i.e. Standard plans),

you will need to enable a remote software cache within the customer network. You will also

need to instruct Commvault to utilize the customer Virtual Server Agent (VSA) to hold copies of

the latest Commvault software for installation.

Note: this process is optional and may be avoided by provided installation custom installation

packages for the tenant to self-install (see creating custom install packages).

Setup a Remote Software Cache

1. Login to CommServe as an Administrator

2. Open Commvault CommCell Console

3. Right-click your commserve, All tasks > Add/Remove Software > Software Cache

Configuration

4. Navigate to the Remote Software Cache tab

5. Click Add (to add a new cache)

6. Select your tenant VSA as the Computer to host the cache.

7. Ensure Enable Remote Software Cache is checked (default)

8. Specify alternate cache directory if desired.

9. Click Configure Packages to Sync

a. Ensure Sync Packages is checked (default)

b. Select Customize Packages (default)

c. Select the OS, click + and select the packages

(Media Agent, File System Core, File System, VSS Provider, VSS Hardware

Provider, Virtual Server, SQL Server, Oracle)

10. Click OK, Click OK,

11. Click Add/Remove Clients

12. Select your Company (tenant) Client Computer Group, click Include All >>

13. Click OK

14. Click Sync Cache

15. Click OK

16. Right-click your commserve, All tasks > Add/Remove Software > Download Software

17. Click the Options tab, select Sync

18. Select your newly created Remote Software Cache, click OK

After each Commvault update is validated in your environment, you can selectively push the

updates to each of your tenant software caches to allow rolling patch upgrades.

Installing the Media Agent package on VSA

In order for Commvault to share out the software cache to your tenant systems, the Media

Agent package requires installation on your VSA.

1. Login to Command Center as admin

27

2. Navigate to Manage > Servers

3. Locate your search using the search box, click Actions, Add Software

4. Select Media Agent, click OK, click Install, click Ok

5. Once complete you will see the MediaAgent role appear on your server (Roles tile)

Configure use of vsa for package installation

Commvault must be told that application pushes within the tenant network must use the VSA as

ther software source. To instruct Commvault to use the VSA:

1. Login to CommServe as an Administrator

2. Open Commvault CommCell Console

3. Right-click your commserve, Properties

4. Choose Additional Settings tab

5. Click Add and add new setting called PushInstallThroughProxy, click Lookup

6. Set Value to 1, ensure Enable is checked (default)

7. Enter a comment (required to track why setting was applied)

8. Click Ok

For additional information see - Enabling Remote Installations from the VSA Proxy >

Warning: In order for Application Aware > backups to automatically push application agents –

the File System Core package must be installed on all hosts that may perform application

backups. It is recommended that infrastructure provisioning scripts perform a Unattended

Install > as part of initial VM provisioning.

Commvault recommends making a File System Core package available to tenants. Customers

can install the agents if required.

You may now perform an Application Aware enabled VM backup (i.e. Standard plan VMs) and

agents will be automatically pushed (e.g. MS SQL, Oracle) if the customer installs and configures

the application on the host.

Installing Application Agents on Clients (optional)

Premium services offer the ability for customers to activate application integrated backups by

installing Commvault software agents on their application server. The installation process may be

performed via a push method from the Command Center -or- supplied to the customer as an

installation file.

See Adding Commvault Software to an Existing Server (Command Center) >

More common in Managed Service Provider environments is a solution where a downloadable

executable is made available to the end customer to install at their own leisure.

Commvault recommends customer self-installation and activation using authcodes, see below

for the process:

28

1. Create a custom package with at least a File System agent, plus any

additional applications you would like to protect

Creating a Custom Package for Windows Computers Using the Installation Package >

Creating a Custom Package for UNIX Linux, and Macintosh Computers Using the

Installation Package >

2. Access the Web Console

Accessing the Web Console >

3. Add a new download repository

Adding a Repository to Download Center >

4. Add your package to Download Center

Adding a Package to Download Center >

NOTE: To ensure users can download packages without logging in. Ensure you have created a

CommCell group named Everyone and then make the package Visible To > Everyone.

Agent-based Onboarding

For host(s) that have Commvault software agents installed, during interactive or automated

installation a registration credential is supplied. This credential (either username/password or

authcode) will automatically assign the infrastructure to the associated tenant / company.

Additional owners may be added after registration by Adding an Owner to a Client >.

NOTE: In environments with firewall security, Commvault recommends the Readiness Check

Report > to validate basic network is functioning before further service activation.

Enabling tenant Single-Sign On (SSO)

In order to provide single sign on (SSO) access to the Commvault Command Center for a tenant

organization (Admins and User), you will need to configure an Identity Provider (iDP) for the

tenant (i.e. Company).

This activity is ideally performed by the Tenant Administrator, or as part of initial tenant

creation/onboarding.

Detailed instructions may be found at Set Up Authentication >, instructions for Active Directory

(AD) are provided below:

1. Navigate to Manage > Security > Identity servers

2. Click Add (top-right)

3. Enter the following information and click Save

• Select Directory Type = Active Directory

• NETBIOS name is the Domain name (pre-Windows 2000)

29

• Domain name is the fully qualified hostname of your Domain

Controller

• User name is a Domain account with at least read capability

• Password for the supplied Domain account

4. Select company/tenant in the ‘Created for company’ drop-down

5. Click Save

Note: You will require Layer 3 connectivity between your CommServe and the Active Directory

(AD) server for LDAP, DNS and KERBEROS protocols.

Note: there is the ability to utilize a proxy-host to access Active Directory but this method is not

yet supported via Commvault Command Center™.

Onboarding a tenant user

Once you have configured authentication for your tenant, you must onboard each user

individually as either a Tenant Administrator, User or Operator. To onboard a user, you create a

Commvault account entry with the required role.

1. Type User group in left-pane search box

2. Click Security > User groups

3. Locate the Group name for your Company. There are three (3) groups (roles)

created per tenant:

• <company>\Tenant Admin perform management of all company backups.

• <company>\Tenant Users perform backup & recovery for specific hosts.

• <company>\Tenant Operators perform management of multiple

companies.

4. Click the Group name

5. Click Add users

6. Click Add new user , select External user , enter the following and click Save

• Select the company configured External provider (AD server)

• Enter User name for user (matching AD user name)

• Enter Email for user (matching AD email address)

• User group will be pre-selected as Tenant Admin, Tenant User or Tenant

Operator

You can Perform a Bulk Import of Users (Command Center) > if multiple Tenant Admins or

Users are being added as part of the same change.

30

A note on multi-tenant personas

There are three (3) primary user types or user personas within a Commvault multi-tenanted

solution.

• Commcell admin is held by the Service Provider and has access to configure the shared

services platform and create (onboard) new tenants.

• Tenant Admins are created initially by the Service Provider, but then manage the

onboarding (creation, deletion, modification) of users, protected infrastructure and

integration with their company identity systems (i.e. Active Directory).

• Tenant User/Operators are created by the Tenant Administrator and given protected

infrastructure rights to perform self-service backup and recovery, in alignment with

subscribed services.

These map to specific role-based access controls via default ‘roles’ configured within

Commvault.

• Master role is held by the Service Provider (CommCell admin) and has access to

configure the shared services platform and create (onboard) new tenants.

• Tenant Admins are created initially by the Service Provider, but then manage the

onboarding (creation, deletion, modification) of users, protected infrastructure and

integration with their company identity systems (i.e. Active Directory).

• Tenant Users are created by the Tenant Administrator and given protected

infrastructure rights to perform self-service backup and recovery, in alignment with

subscribed services.

Upgrading SQL Server Express to SQL Server Standard

Once you have received your permanent license and credentials to cloud.commvault.com you

may download the full Commvault Enterprise installation (either bootstrap or full zip). To upgrade

your CommServe embedded database perform these steps.

1. Login to Command Center

2. Navigate to Manage > System > Maintenance > DR backup > run a ful l DR

backup

3. On the CommServe itself, open the software installation directory f rom your

full Commvault Enterprise download (you will need login via Remote Desktop)

4. Navigate to

DownloadPackageLocation_WinX64\ThirdParty\MSSQL\SQL_Standard_Editio

n directory and run the setup.exe binary

5. In SQL Server Installation Center, click Maintenance , click Edition upgrade

6. Click Next >

7. Click Next > (to accept supplied Product Key)

31

8. Click I accept the license terms and, then Next >

9. Click Next > to accept default feature selection

Generating your first tenant usage report

Note: You will require a Commvault Cloud Services > account to download this report.

In order to bill your customers for Backup as a Service (BaaS) consumption, you will need to

generate a Chargeback Report. Your MSP subscription comes with access to Premium

Operations Reporting which provides a specialized report for Billing purposes.

1. Login to Command Center

2. Navigate to the Reports menu (left-pane)

3. Click Actions > Connect to store (you will need

your commvault supplied credentials)

4. Search for ChargeBack (top right)

5. Click Install on the ChargeBack Details report

6. Navigate back to <commserve>/adminconsole > Reports and type Chargeback

into search box (top-right)

7. On each report, hover over report name, click on ellipses and choose Tag ,

enter Chargeback and click Save

8. Press <F5> to refresh the Reports via in Command Center

9. Click ChargeBack Details report, fi lter the Client Group to a company you

require a ChargeBack Report and click Apply

You may optionally Email a Report >, Export a report > (PDF, HTML, CSV) or Schedule

generation of a report > from the More actions menu.

The generated report will detail of the Front End TB protected data and the size of data on Media.

If you would like to configure Chargeback reporting to include Pricing across one or many

CommServe(s), see below.

Enabling Full Private Metrics

For environments that require long-term historical reporting and aggregation of multiple

CommServes, Commvault Private Metrics Server must be deployed. To enable Private Metrics

Server – follow Activating Private Metrics Reporting on the Command Center >, the process is

summarized below

1. Login to Command Center

32

2. Type Metrics in the topbar search box, choose Manage > System > Metrics

Reports

3. Toggle Commcell diagnostics and usage to on .

4. Enable Audit , Chargeback checkboxes

5. Select (at least) Daily frequency (Commvault recommends Daily, Weekly, and

Monthly)

6. Enter http://<commserve

hostname>.<domain>/downloads/sqlscripts/ in the Download URL

7. Enter http://<commserve hostname>.<domain>/webconsole/ in the

Upload URL.

8. Click Save

9. Click Upload now

10. Hit <F5> to refresh window until Last upload time reflects current date and

You will need to wait one (1) hour for the first Private Metrics collection to

occur.

You may optionally install the Metrics Upload > workflow to enable real-time metrics collection

and upload.

Generating a ChargeBack Details Report

Once Private Metrics is enabled and performing collection, you may access and configure your

ChargeBack Details report. ChargeBack details is slightly more detailed that the default

ChargeBack report and allows extraction of tenant consumption by Service Plan (Essential,

Standard, Premium)

1. Login to Command Center

2. Click Reports (left-pane)

3. Enter ‘Chargeback’ in search box (top -right)

4. Click the Chargeback Details report

33

Generate a per-tenant report

To generate a Chargeback Report for a specific tenant:

1. Select the time range for report (day, week, month)

2. Select the client group (tenant) by searching by tenant name (select all groups

for the tenant)

3. Click Apply

You will receive a Chargeback Summary with the following information

Features Definition

Front End Backup Size The amount of data in the largest full backup job from each subclient during the specified time period. If no full backup job completed during the specified time period, then it is the amount of data in the largest full

backup job from the previous time period.

For VMs, this is the largest guest size in the last full backup cycle for the selected time period.

For clients that have both VSA and other agents installed, we display only the front end size for VSA subclients.

Jobs that run on a VM are counted only once, regardless of the number of subclients used to back up the virtual machine.

This is Front End data measured at the client prior to compression or

deduplication.

Front End Archive Size Total Front End data on clients that was archived during time period.

This will be 0 for the catalog configured.

Primary App Size The amount of application data before compression and deduplication

that was written to primary copies, including aged data and pruned data,

during the specified time period.

For VMs, the application size is the backup size

Protected App Size The size of application data before compression and deduplication of all

active jobs, that ran during the specified time period, in all storage policy

copies, including aged data and pruned data.

34

Media Size The amount of data that was saved on storage media during the specified

time period, including aged and pruned data.

For storage policy copies with deduplication enabled, the media size for

each job is calculated based on the average deduplication ratio of the

copy. Where media size = application size * average deduplication ratio

per copy.

The average deduplication ratio of a destination copy is calculated by

(total size on disk)/(total protected app size) for the destination copy.

Total Protected App Size The size of application data before compression and deduplication of all

active jobs, that ran at any time, in all storage policy copies, excluding

aged data. For VMs, the application size is the backup size

Total Media Size The amount of all active data that is saved on storage media,

including all storage policy copies on all media types, and excluding

aged data.

For storage policy copies with deduplication enabled, the media

size for each job is calculated based on the average deduplication

ratio of the copy. Where media size = application size * average

deduplication ratio per copy.

The average deduplication ratio of a destination copy is calculated

by (total size on disk)/(total protected app size) for the destination

copy.

35

Commvault recommends that Front End Backup Size be used as the only meter for customer

metering and billing. Use of any meter that mentions Media Size in deduplication environments

should be discouraged as deduplication factors obfuscate accurate reporting.

Customers are adept at managing their consumed storage (or Front End TB) on their

infrastructure. This metrics is the most commonly adopted and understood metric for Backup as

a Service (BaaS) offerings.

A note on roles and responsibilities

The initial platform tasks covered in this document must be completed entirely by the Service

Provider with a Commvault user account and role of Master.

Once the Tenant Administrator account is created, the Tenant Admin may login and:

• Create additional ‘admins’ or ‘users’ for the tenant

• Onboard systems for protected to a specific plan

• Integrate company-specific identity servers with Commvault Command Center for

single-sign on.