HFS Storage Protect for VMware

vSphere 6.7, 7.0 and 8.0 are currently supported.

Features of Storage Protect for VMware include:

  • "Forever incremental" image-level backups of virtual machines using VMware changed block tracking (CBT).
  • Client-side deduplication (reduces network traffic).
  • Image-level restores of entire virtual machines.
  • Restores of individual files from image-level backups (using iSCSI).

There are some limitations.  The Storage Protect for VMware client cannot back up virtual machines with the following properties:

  • Virtual machines with virtual disks, including RDM disks, greater than 2 TB. (Default setting: can be changed to 8TB.)
  • Virtual machines with physical RDM disks (virtual RDM disks can be backed up).

There are Storage Protect for VMware settings that allow these VMs to be backed up but unsupported disks will be skipped.

Expand All

Changed block tracking (CBT) enabled

CBT must be enabled on the virtual machines that you wish to back up.  Without this, Storage Protect will always perform a full backup of a virtual machine, which will consume a lot of resources for both the Storage Protect client and the Storage Protect server.

A suitable "data mover" VM

This should, ideally, be installed on the vSphere infrastructure that you are planning to back up. The below Windows x64 operating systems are currently supported:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016*
  • Windows Server 2019*
  • Windows Server 2022*

* Only Long-Term Servicing Channel (LTSC) products are supported.

IBM's recommended hardware specification for the data mover VM is 16 cores (2.8 GHz) CPU with 8 GB of RAM.

Please note that for virtual environments comprising over 100TB of data, it is recommended to have one data mover for every 100TB. Please see the 'Multiple data movers' section below for more details.

Firewall configuration

When setting up Storage Protect for VMware on a data mover, several ports are used for communication between the data mover and the vCenter server or vice versa.  These ports need to be open in any host-based or dedicated firewall between the two machines and are listed in this table:

Firewall configuration for Storage Protect for VMware
Source host Destination port Destination host Use Required?
Data mover machine 443 vCenter server Communication between the data mover and the vCenter server. Yes
Data mover machine 902 vCenter server Used for NBD (Network Block Disk) transport. If data mover machine is not a VM.
VMs 3260 Data mover Default iSCSI port. If using iSCSI file-level restore.
Data mover 1500 oxhfs1.hfs.ox.ac.uk
Storage Protect backup traffic.  Destination host will be advised by the HFS Backup Services Team on account setup. Yes


Also ensure that the data mover is able to resolve the fully qualified domain name (FQDN) of the ESXi host and the vCenter server.  Ping the ESXi host and vCenter server by name from the data mover and confirm it resolves the IP address.

vCenter server and backup user

Storage Protect for VMware communicates with a vCenter server to perform VM backups. The user required for this needs some elevated privileges but does not need to be a full administrator. It is recommended that you set up a new vCenter user specifically for Storage Protect backup and restore.

Please see the 'vCenter Server privileges required for the Data Protection for VMware vSphere GUI and data mover' page on the IBM support site, to find out which privileges the vCenter user will require.

Please note that access to the service is by application. Contact us at hfs@ox.ac.uk to request an account.

Please note that depending which packages are installed, this procedure may require a reboot so take care if installing on a VM or machine that performs other tasks.


Install Storage Protect for VMware

  1. Download and extract the latest IBM Storage Protect for VMware installer onto the "data mover" VM. You need up to 2 GB of free space for the files.

  2. Run spinstall.exe.

  3. Follow the prompts and accept the licence terms.

  4. Accept the default installation location.

  5. For the Installation Type, choose Advanced installation, then Install the data mover feature only.

  6. The installer will install several IBM packages and possibly some prerequisites too, such as C++ redistributable packages.

  7. Follow the prompts, making sure to untick the Register as a vSphere Web Client plug-in option if asked.

Configuration tool

Please be aware that when upgrading your existing Storage Protect for VMware software, there is no need to follow the steps outlined below.

  1. Download the latest configuration tool onto the "data mover" VM.

  2. Extract the downloaded file and run Config_tool.exe.

  3. Provide the information provided by the HFS Backup Services Team when requested by the displayed form.

  4. Finally select Configure.

  5. Once the configuration is complete, select Exit.

The configuration file tsm4ve.opt is located within C:\Program Files\Tivoli\TSM\baclient.  We have tried to choose reasonable defaults, but you may want to adjust the following configuration options to suit your setup.


This sets the list of VMs that you want to back up.  If the data mover is a VM on the vCenter server, you should not back it up via itself so add its name to the -VM part of DOMAIN.VMFULL.  To exclude virtual machines vm1vm2 and vm3 from the backups, give them as the value for -VM, separated by commas:

DOMAIN.VMFULL  all-vm;-VM=vm1,vm2,vm3

Note that if the VM name contains spaces, it should not be surrounded by quotation marks.  There should also be no spaces between VM names and the commas.  This applies to all DOMAIN.VMFULL options.

To specify explicitly the VMs to back up, use the VM option.  For example to back up vm1vm2 and vm3, use:

DOMAIN.VMFULL vm=vm1,vm2,vm3

VMs can also be specified by vCenter folder, host, host cluster and datastore.  To back up specific folders, use:

DOMAIN.VMFULL  vmfolder=folder1,folder2,folder3

To back up specific ESX/ESXi hosts, use:

DOMAIN.VMFULL  vmhost=host1,host2,host3

To back up specific host clusters, use:

DOMAIN.VMFULL  vmhostcluster=cluster1,cluster2,cluster3

To back up specific datastores, use:

DOMAIN.VMFULL  vmdatastore=datastore1,datastore2,datastore3


EXCLUDE.VMDISK excludes the specified virtual disk from backup.  For example, to exclude virtual disk "Hard Disk 2" of virtual machine "vmname":

EXCLUDE.VMDISK vmname "Hard Disk 2"

The second argument is the virtual disk's label, rather than the VMDK file.  The disk label can be obtained from the vSphere client or from the Storage Protect command line with:

backup vm -preview vmname


INCLUDE.VMDISK includes specific virtual disks in the backup of a virtual machine and creates an implicit exclude for all other virtual disks on that virtual machine.  For example, if you have a virtual machine named "vmname" with four virtual disks ("Hard Disk 1" to "Hard Disk 4"), the following would back up "Hard Disk 1" and "Hard Disk 2" of "vmname" but not "Hard Disk 3" or "Hard Disk 4":

INCLUDE.VMDISK vmname "Hard Disk 1"
INCLUDE.VMDISK vmname "Hard Disk 2"

The second argument is the virtual disk's label, rather than the VMDK file.  The disk label can be obtained from the vSphere client or from the Storage Protect command line with:

backup vm vmname -mode=ifincr -preview


Maximum number of VM backups to perform in parallel per instance of the Storage Protect client.


Maximum number of VM backups to perform in parallel per ESX or ESXi host.


Maximum number of VM backups to perform in parallel per datastore.

The limit options can be used to ensure that parallel VM backups do not put too much load on any one part of your infrastructure.  If you have one ESX/ESXi host and one datastore then all the limits on parallel backups should be equal.

Using the Storage Protect client GUI

  1. Launch the Storage Protect for VE client GUI on the data mover.

  2. Choose Actions Backup VM to display the Backup Virtual Machine window.

  3. Expand the Virtual Machines item, then expand or click on the ESX/ESXi hosts.

  4. Select virtual machines to back up.

  5. Choose Incremental Forever - Incremental from the drop down, then Backup.

  6. Task List window displays the backup progress.

  7. For detailed information, select Report.

Using the Storage Protect command line

To back up all virtual machines specified in the DOMAIN.VMFULL option, start the Storage Protect for VE command line client and run:

Protect> backup vm -mode=IFincr

To back up a specific VM, run:

Protect> backup vm 'vmname' -mode=IFincr

Using the Storage Protect client GUI

  1. Launch the Storage Protect GUI client on the data mover.

  2. Select Actions > Restore VM to display the Restore Virtual Machine window.

  3. Choose a VM to display its available backups.

  4. Select a backup then Restore.

  5. In the Restore Destination window:

    • To restore to the original location, ensure there is no VM with the same name in that location.

    • To restore to a new location, specify as much information as necessary.

    • Specifying only a new name will restore the VM to the original location with the new name.

  6. Select Restore.

Using the Storage Protect command line

  • To restore a virtual machine to the same name and location as it was backed up from:

    Protect> restore vm 'vm name'

    You must ensure that the target VM name no longer exists.

  • To restore a virtual machine to its original location but with a new name:

    Protect> restore vm 'vm name' -vmname='new vm name'
  • To restore a VM to a new name and new location, specify both the name and location:

    Protect> restore vm 'vm name' -vmname='new vm name' -datacenter='data center name' -host='ESXi host name' -datastore='datastore name'

Restoring individual files is achieved by using the IBM Storage Protect Recovery Agent software.

Using iSCSI

The most flexible way to restore individual files is by using the Recovery Agent to export a backup as an iSCSI target which the iSCSI initiator on a virtual machine can then mount.

  1. Select New IBM Storage Protect server... from the drop down menu within IBM Storage Protect Server.

  2. Set the following, then OK:


    Server address oxhfs1.hfs.ox.ac.uk, oxhfs2.hfs.ox.ac.uk, oxhfs3.hfs.ox.ac.uk or oxhfs4.hfs.ox.ac.uk.  See the TCPServerAddress field within your tsm4ve.opt file
    Server port See the TCPPort field in tsm4ve.opt
    Node access method Direct
    Authentication node The data mover name.  This is the NodeName setting in tsm4ve.opt
    Password The password for the authentication node


  3. Within Select snapshot, choose the relevant backup by selecting the Virtual machine, Snapshot and Disk.

  4. Click Mount.

  5. Choose Mount as an iSCSI target, set a unique (on the data mover) iSCSI target name and the appropriate iSCSI initiator name which corresponds to the virtual machine that will connect to this iSCSI target.  Then OK.

    Note that:

    • port 3260 must be open between the computer and the initiator on any firewall.

    • the iSCSI initiator name can be obtained from the client virtual machine; for example, on a Windows VM, it can be obtained from the "iSCSI Initiator" configuration.

  6. The iSCSI target will now be listed in the Mounted Volumes list.  Configure the iSCSI initiator on the appropriate VM to mount the target as read-only and copy the required files to the VM using standard operating system tools.  This will vary for each operating system.

  7. When the iSCSI target is not needed any longer, unmount it and disconnect the iSCSI initiator from the target.  Select the target in the Recovery Agent and click Dismount.

  8. Select Close to exit the Recovery Agent.

Although the above procedure was run on the Storage Protect for VMware data mover it is possible to install the recovery agent on a VM to perform local mounts.  Contact us at hfs@ox.ac.uk if you wish to do this.

You will need to install and configure the backup software on each data mover. Be aware that it is essential to distribute the virtual machines you intend to back up among them to ensure efficient operation and load balancing. Attempting to back up the same virtual machine with two or more data movers simultaneously will result in backup failures.

For effective management of multiple data movers, assign each of them to handle a distinct group of virtual machines. You can achieve this by configuring any of the below DOMAIN.VMFULL options in the data mover's option file:

  • vmhost
  • vmfolder
  • vmhostcluster
  • vmdatastore
  • vmresourcepool
  • vmhostfolder
  • vmdatacenter

To find out more information about the above options, please visit the following IBM help site: https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=reference-domainvmfull

Contact us at hfs@ox.ac.uk if you have any questions regarding having multiple data movers.

Get support

If you cannot find the solution you need here then we have other ways to get IT support

Get IT support