Skip to main content

Veeam Appliance Updates and Veeam Update Repository Mirror Server

  • December 8, 2025
  • 6 comments
  • 104 views
PeteSteven
Forum|alt.badge.img+5

With the Veeam Software Appliance and the Veeam Infrastructure Appliance, update distribution is fundamentally changing. The Veeam Appliances automatically install certain updates to ensure security and operational continuity. This represents a massive increase in security and compliance.

 

What is updated?

Operating system and security updates are installed centrally and automatically, cannot be deselected, and are mandatory for both appliances. Security updates for Veeam Backup & Replication are also installed automatically and without user intervention to ensure security.

Both appliances can also optionally install feature and bug fix updates automatically, provided this is enabled in the configuration. Major updates (e.g., V14.0), minor releases (e.g., 13.x), and private fixes are optional by default.

Here is a simplified overview:
Mandatory updates

  • Veeam cumulative & security updates (e.g., 13.0.x)
  • Operating system security updates

Optional updates

  • Minor product updates (e.g., 13.x)
  • Major product updates (e.g., 14.0)

 

How are updates controlled?

Automatic installation is performed by Veeam Updater. Veeam Updater checks for updates regularly (every 12 hours) and installs them automatically for itself (for the updater service).
Updates are installed on Veeam Software Appliance and Veeam Infrastructure Appliance according to the specified maintenance window.
Updates can also be postponed for a certain period of time using the compliance deadline.

The Veeam Software Appliance can now be used to centrally control updates to the Veeam Software Appliance and the Veeam Infrastructure Appliance (for all components connected to the VBR) –> Local override possible (e.g., different time zone).

 

Configuring updates in Veeam:

The configuration of update settings can be found in the Help Center.
Configuring Updates – Veeam Backup & Replication User Guide

 

How are updates downloaded by default?

By default, updates are downloaded directly from “repository.veeam.com” via the Internet by all Veeam appliances that were installed with a Veeam appliance ISO/OVA (including VBR, EM, Repo, Proxy, etc.). This requires that all components be allowed to communicate with the Internet.

 

How can updates be downloaded via mirroring server?

Unfortunately, there is currently no Veeam Backup Repository Mirror Appliance available. If you do not want every Veeam infrastructure component/virtual software appliance to require Internet access and updates to be downloaded multiple times (for multiple repositories, proxies, VBRs, etc.), you will need to build your own repository mirror server.

The repository mirror server downloads the updates from the Veeam repository (repository.veeam.com) using “wget” and makes the updates available internally via a web server of your choice. I decided to use Apache for this.

The updates are downloaded to the Veeam software appliance and the infrastructure appliances directly from the mirror server.

 

Install update repository mirror server

Install a Rocky Linux server with a 200 GB hard drive (this should be sufficient for quite some time. I calculated the data and came up with approximately 32 GB of repo files).

During installation, select “Minimal Install” and “Standard” in the software selection.
Everything else can be left as default installation with a static IP  (set a DNS entry for the upcoming web server access).

Update after installation:

sudo dnf Update

 

Install & Configure Apache

To access the data on the mirror server from the Veeam components, the Apache web server must be installed and configured.

Install Apache
Apache must be installed and the service must be enabled and started.

sudo dnf install httpd
sudo systemctl enable httpd
sudo systemctl start httpd

Check Apache service

sudo systemctl status httpd
Example
[rockyadmin@srv-veeammirror etc]$ sudo systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Mon 2025-12-08 16:42:40 CET; 2s ago
 Invocation: b7c00b5c618e4277b71b95006d6a0b85
       Docs: man:httpd.service(8)
   Main PID: 2889 (httpd)
     Status: "Started, listening on: port 80"
      Tasks: 177 (limit: 22946)
     Memory: 13.9M (peak: 14.4M)
        CPU: 84ms
     CGroup: /system.slice/httpd.service
             ├─2889 /usr/sbin/httpd -DFOREGROUND
             ├─2890 /usr/sbin/httpd -DFOREGROUND
             ├─2891 /usr/sbin/httpd -DFOREGROUND
             ├─2892 /usr/sbin/httpd -DFOREGROUND
             └─2893 /usr/sbin/httpd -DFOREGROUND

Dec 08 16:42:21 srv-veeammirror systemd[1]: Starting httpd.service - The Apache HTTP Server...
Dec 08 16:42:21 srv-veeammirror (httpd)[2889]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Dec 08 16:42:31 srv-veeammirror httpd[2889]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::20c:29ff:fe56:2922%ens34. Set the 'ServerName' directive globally to suppress this message
Dec 08 16:42:40 srv-veeammirror httpd[2889]: Server configured, listening on: port 80
Dec 08 16:42:40 srv-veeammirror systemd[1]: Started httpd.service - The Apache HTTP Server.

Create Apache folder

A folder must be created for the Apache server.

Change the folder name to “/var/www/” with the server name (in my case, “srv-veeammirror.steffan.local”).

sudo mkdir /var/www/srv-veeammirror.steffan.local

Create Apache configuration

A configuration file must be created for the Apache server.
Change the file name to match the server name (in my case, “srv-veeammirror.steffan.local”).

sudo nano /etc/httpd/conf.d/srv-veeammirror.steffan.local.conf

Insert the following text block into the configuration file and customize it with your own server names and folder names

<VirtualHost *:80>
       ServerAdmin veeam@steffan.local
       ServerName srv-veeammirror.steffan.local
       DocumentRoot /var/www/srv-veeammirror.steffan.local
       ErrorLog /var/log/httpd/srv-veeammirror.steffan.local_error.log
       CustomLog /var/log/httpd/srv-veeammirror.steffan.local_access.log combined
</VirtualHost>
<Directory /var/www/srv-veeammirror.steffan.local>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Create log + wget folder

Now create a folder below the main folder for the updates and a folder for the wget logs.

cd /var/www/srv-veeammirror.steffan.local
sudo mkdir rocky
sudo mkdir wget-log

Test Apache config and restart

After the configuration is done test the apache config and restart the httpd service:

sudo apachectl configtest

Output:

Syntax OK

Restart:

sudo systemctl restart httpd

 

Cron Job

If the folders for the web server have been created, you can set up a cron job.
With this command, the latest update files are always downloaded and stored directly in our web server directory. In addition, a log is created that documents the wget process.

I have configured the cron job to download the updates at 10 p.m. every day. Alternatively, it can be set to run every x hours (here, for example, every 6 hours: 0 */6 * * *).

Open Cron config

sudo crontab -e

Change folder paths and insert the following text

0 22 * * * /usr/bin/wget --mirror -e robots=off -np -nH --cut-dirs=1 -P /var/www/srv-veeammirror.steffan.local/rocky https://repository.veeam.com/rocky/ >/var/www/srv-veeammirror.steffan.local/wget-log/wget-veeamrepo.log 2>&1

Check Cron config

sudo crontab -l

What does this wget command and the paramters do?

The command wget –mirror -e robots=off -np -nH –cut-dirs=1 -P /mnt/veeamrepo https://repository.veeam.com/rocky/ recursively mirrors (downloads) the entire Veeam repository for Rocky Linux, saving the content to the local /mnt/veeamrepo directory.

Key Options Explained

  • –mirror enables recursive downloading with timestamping, infinite depth, and other behaviors ideal for creating a local copy of a site or repository, equivalent to -r -N -l inf –no-remove-listing.
  • -e robots=off executes the command to ignore robots.txt restrictions, ensuring full access to all directory listings.
  • -np or –no-parent prevents ascending to parent directories, keeping the download strictly within the specified URL path.
  • -nH or –no-host-directories avoids creating a subdirectory named after the host (e.g., no repository.veeam.com folder).
  • –cut-dirs=1 skips the first level of directories in the URL path during local recreation (here, omitting the base path under /rocky/).
  • -P /mnt/veeamrepo sets the output prefix directory for all downloaded files, typically RPM packages and metadata for Veeam tools on Rocky Linux.
  • https://repository.veeam.com/rocky/ is the website/folder that is being downloaded

 

Firewall

We need to create firewall rules so that we can also access the web server from outside the server.

Check what rules exist

sudo firewall-cmd --permanent --list-all

Add the rules as permanent rules

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

Check

sudo firewall-cmd --permanent --list-all
Example:
public (default)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Saving the rules

sudo firewall-cmd --reload

 

Testing the website

Now you can access the web server’s URL using a web browser. Make sure to include “/rocky” and access the server via its DNS name. After downloading the updates for the first time, you should see the folder structure. Before that, you may receive a message saying that there is no content in the folder.

 

Certificate

For productive operation, a certificate can/should be added to the web server. This would be beyond the scope of this blog post, however.

 

Customize update settings in Host Management

The update settings must be adjusted in the host management of the Veeam Virtual Software Appliance. To do this, enter the DNS name of the Veeam Virtual Software Appliance with port “10443” in the web browser and log in with an admin user (e.g., veeamadmin).

Now go to “Settings” via ‘Updates’ and activate “Manual settings override.”
Under “Software repository,” click “mirror repository” and enter the path to the web server and the “/rocky” folder.

After clicking “Check for Updates,” the latest Veeam updates for my Veeam Software Appliance (VBR Server) were displayed and downloaded from my repository server and installed.

The settings should be distributed from the Veeam Software Appliance (VBR) to the other Veeam infrastructure appliances connected to the VBR.

 

Original Post on my blog: Veeam Appliance Updates and Veeam Update Repository Mirror Server - petersvirtualworld.de

Peter Steffan - My Blog: petersvirtualworld.de - Veeam Vanguard 2025
Chris.Childerhose
AndrePulia
Dynamic

6 comments

Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • December 8, 2025

I love this part of the VSA and updating.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Dynamic
PeteSteven
AndrePulia
Forum|alt.badge.img+9
  • AndrePulia
  • Veeam Vanguard
  • December 9, 2025

Really great article ​@PeteSteven , I’ll vote as a blog of the month :-)

André Pulia - VMCA | VMCE | VMCT |Veeam Vanguard | VUG Leader Brazil | ObjectFirst ACE | HPECI | VCI | Nutanix Certified Instructor | Twitter: @andrepulia | Blog Site – https://pulia.com.br | https://www.credly.com/users/andre-pulia
Dynamic
PeteSteven
Dynamic
Forum|alt.badge.img+13
  • Dynamic
  • Veeam Vanguard
  • December 9, 2025

Great Job Peter, saved to my favorites 😀

Markus Hartmann | Veeam Vanguard | Veeam Legend 2024 | VMCA 2024 & VMCE 2024 | VMware Certified Implementation Expert - DCV | https://markushartmann.blog/
PeteSteven
lukas.k
Forum|alt.badge.img+13
  • lukas.k
  • Influencer
  • December 9, 2025

Nice writeup! Good to see that at the end of the day Veeam is pushing massively forward with automation. Makes life a lot easier!

LK | Veeam Enterprise Architect | Former Veeam Vanguard | Security Specialist
Dynamic
PeteSteven
jos.maliepaard
Forum|alt.badge.img+7

This feature will make life easier for everyone. good explanation, Thanks!

@jos.maliepaard@masto.nu
PeteSteven
lukas.k
MarvinMichalski
Forum|alt.badge.img

Perfect How-To! Many thanks ​@PeteSteven for this article 😊

PeteSteven
Terms & ConditionsAccessibility statement