At VeeamON, Veeam introduced the Veeam Virtual Appliance (one of the highlights), which is coming with the next version of VBR (v13). This feature requests right now. In this article series, I will guide you through the installation process (based on Rocky Linux) and provide an in-depth overview of both well-known and newly introduced features (as a reminder, we are working with a Beta version, so not all features are currently available).
Whether you’re an experienced Veeam user or new to the platform, this series is designed to equip you with the knowledge needed to get the most out of it.

Veeam Virtual Appliance and Veeam Backup & Replication v13:
Veeam Backup & Replication (VBR) v13 is set to introduce a range of exciting new features that enhance both usability and security.
Key updates include:
The Veeam Virtual Appliance will offer:
ISO/OVA Deployment: Pre-hardened for security and managed updates by Veeam, with no root access provided for enhanced security.
Note: The Windows version is not deprecated at this time. The design of the WebUI is currently 80% complete in terms of its final look and feel.
In this Beta version, in order to deploy V13 as a virtual machine, certain prerequisites are required:
Installation:
Once the ISO is attached and the VM is started, a GRUB menu appears with two options:

Here, we are deploying VBR. The next step is to choose whether to perform a full installation, reinstall, or repair a failed installation. Since this is a first-time setup, we’ll go with the first option.
⚠️ Please note: this will erase all existing data and backups that may already be present on the system.

The installer checks whether the prerequisites are met, for example whether two 256GB disks have been allocated.

If all requirements are satisfied, the installation begins. You’ll notice that a customized version of Rocky Linux provided by Veeam is being used.

Once the installation is complete, simply reboot the system to launch the appliance configuration.

During startup, you’ll be presented with boot options: Rocky Linux itself, a rescue system, or UEFI firmware settings.

Configuration:
We will now proceed with configuring our appliance. First, we accept the license agreements:

Then define a name for the machine:

Next, you’ll need to configure the network settings. If multiple network interfaces are available, you can identify them using their MAC addresses. Both IPv4 and IPv6 are supported.

An important step not to overlook is the configuration of the NTP server — especially in a production environment, this is a critical aspect from a security standpoint.

You’ll also need to set a password for the default administrator account. Note that it cannot be renamed at this stage. Be aware that the password must comply with DISA STIG security best practices (character length, avoidance of repeated characters, etc.).

We recommend displaying the password as you type it 😉:


Two-factor authentication (2FA) is mandatory and must be configured in the next step. A code, and optionally a QR code, will be displayed on screen, making it easy to register with your preferred TOTP authenticator.
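
TOTP codes are derived from the current time, so the NTP setting above decides whether the mandatory 2FA login works at all. The following added example (not Veeam code) implements RFC 6238 and shows a login being rejected once the server clock drifts; the 30-second step, 6 digits, HMAC-SHA1 and the ±1-step acceptance window are assumptions, and the secret and timestamp are constructed from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP step (RFC 6238 default, assumed here)
DIGITS = 6   # code length (assumed)

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, server_time: int, window: int = 1):
    """Return the matching step offset (0, -1, +1, ...) or None if rejected."""
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None

def login_with_server_skew(secret_b32: str, true_time: int, skew: int):
    """Authenticator clock is correct; the server clock is off by `skew` seconds."""
    return verify(secret_b32, totp(secret_b32, true_time), true_time + skew)

# Constructed secret: the RFC 6238 test key "12345678901234567890" in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
NOW = 1111111109  # constructed timestamp taken from the RFC test vectors

if __name__ == "__main__":
    for skew in (0, 20, 120):
        print(skew, login_with_server_skew(SECRET, NOW, skew))
```

A 20-second skew is absorbed by the neighbouring time step, while a two-minute skew makes every valid code fail.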

A new role has been introduced: the Security Officer. While optional, it is highly recommended. Configuring this role adds an extra layer of validation, requiring approval from this user for certain actions — such as when an administrator requests to delete backup data.

Once the configuration is complete, Veeam presents a summary screen for review.

After confirming, voilà — your Veeam server is up and running! The console displays the hostname along with the management URLs.

Host Management:
You will have the option to manage your new Appliance using two consoles: the native host console or a web interface. Code name: Cockpit!
Host Management WebUI:
Admin Role
The first method involves using the WebUI interface. Log in using the admin account.

For security reasons, two-factor authentication is required:

This new interface allows you to manage your newly deployed appliance, with features such as:
The homepage provides an overview of the global configuration.

1. Host Setting
A) In the Network menu, you have the ability to:
These actions currently do not appear to require approval from the Security Officer (SO).
B) The Time tab allows you to:
2. Security
A) In the Console Access menu, to enhance security, you have the option to disable this web interface and enforce login via the host console.
⚠️ Note: The SO account does not appear to be able to authenticate on this console.
You can also enable the SSH service. I strongly recommend keeping it disabled by default; it should only be activated for debugging purposes.
Enabling SSH is subject to SO validation.
A second action will be required to gain access to the root account.


B) Users and Roles
In this tab, you can:
✅ The deletion of a privileged account requires Security Officer (SO) approval.
3. Integration
A) The Applications menu allows you to enable additional options such as Data Collection, which will likely be used for integration with Veeam One. This integration is valid for 60 minutes. As with other actions, SO approval is required.
A new feature has also been introduced: Veeam High Availability. Similarly, this feature cannot be enabled without prior SO validation.

B) As the name suggests, the Updates menu is where you can check for updates provided by Veeam (similar to what you might find with Veeam for Azure).

4. Audit
In the final tab, Logs and Service, you can perform several actions such as:

Import/Export Configuration Files - You can import or export configuration files from this section:

In the Events tab, all actions performed through the interface are logged:

The final tab, Logs, allows you to generate support logs required when opening a case with Veeam Support:

Security Officer Role
Let’s now log in using the Security Officer account.
Since this account is intended for a second person (e.g., Security Admin, CISO, etc.), a password reset is required upon the first login.

The user will be prompted to enable MFA:

A recovery token is generated and should be stored securely:

Once this setup is complete, the interface is simplified compared to the admin view. As a reminder, the SO’s role is to approve certain actions and audit events when necessary. You will find the previously submitted requests, which can be approved or rejected.

In the Events section, you can filter events to more easily search for a specific action:

Host Management Console
The second method is to connect directly via the host console.

Once again, entering the MFA code is required:

Let’s explore the available options:

1. Host Configuration
Here, you can:

2. Remote Access Configuration
In this section, you can:


You also have the option to restart or shut down the Appliance:

SSH Access
To open an SSH session, the administrator must submit a request to the Security Officer.


The service will be available for a defined period.
The admin account can then initiate an SSH session using its username and password.
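
The approval model described in this article (SO validation for enabling SSH, deleting a privileged account, Data Collection and High Availability, with SSH open only for a defined period) can be checked against the recorded events. The following is an added example, not Veeam code: the event layout, the action names, the `admin1`/`so1` accounts and the 60-minute SSH window are all assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta

# Actions the article reports as needing Security Officer (SO) approval.
NEEDS_SO = {"enable_ssh", "delete_privileged_user",
            "enable_data_collection", "enable_high_availability"}
SSH_WINDOW = timedelta(minutes=60)  # assumed; the article only says "a defined period"

# Constructed events: (timestamp, user, role, kind, action, request id).
EVENTS = [
    ("2025-06-01T09:00:00", "admin1", "admin", "request", "enable_ssh", 1),
    ("2025-06-01T09:05:00", "so1", "security_officer", "approve", "enable_ssh", 1),
    ("2025-06-01T09:06:00", "admin1", "admin", "execute", "enable_ssh", 1),
    ("2025-06-01T09:10:00", "admin1", "admin", "ssh_login", "-", None),
    ("2025-06-01T11:30:00", "admin1", "admin", "ssh_login", "-", None),
    ("2025-06-02T08:00:00", "admin1", "admin", "execute", "delete_privileged_user", 2),
    ("2025-06-02T08:01:00", "admin1", "admin", "execute", "change_dns", None),
]

def audit(events, ssh_window=SSH_WINDOW):
    """Return (timestamp, user, reason) for every event that breaks the approval model."""
    requester, approved, findings = {}, set(), []
    ssh_open_until = None
    for ts, user, role, kind, action, req in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "request":
            requester[req] = user
        elif kind == "approve":
            # Four-eyes rule: approver holds the SO role and is not the requester.
            if role == "security_officer" and requester.get(req, user) != user:
                approved.add(req)
        elif kind == "execute" and action in NEEDS_SO:
            if req not in approved:
                findings.append((ts, user, f"{action} without SO approval"))
            elif action == "enable_ssh":
                ssh_open_until = when + ssh_window
        elif kind == "ssh_login":
            if ssh_open_until is None or when > ssh_open_until:
                findings.append((ts, user, "ssh_login outside approved window"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(*finding)
```

The DNS change produces no finding because, as noted earlier, network actions do not appear to require SO approval.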

A big thank you to Philippe Dupuis for his valuable support and insights throughout this deployment and testing process. His contributions were instrumental in ensuring a smooth and secure configuration of the appliance.