How to install a Veeam Virtual Lab

These are my notes about creating a Veeam Virtual Lab. After a lot of testing en searching why my installation was not working I finally took the time to read the manual Emoticon met brede lach … As a good technical person this is the last thing to do after searching with google…  So these are the important text pieces of the Veeam Backup & Replication v6 manual.

What is a Virtual Lab

A virtual lab is an isolated virtual test environment where verified VMs with all components required for their proper operation are started and tested. A virtual lab is created using existing resources in your virtual environment and ensures secure integrity and functionality testing for backed up VMs.

When a new virtual lab is created, Veeam Backup & Replication adds a new VM folder, vSwitch and an optional resource pool on the host where the virtual lab is registered. The network configuration in the virtual lab mirrors the configuration of the production network. For example, if a tested VM and its dependencies are located in two logical networks in your production environment, these two networks will be recreated in the virtual lab and mapped to corresponding production networks.

To enable communication between the outer world and VMs in the virtual lab, Veeam Backup & Replication uses a proxy appliance that is created and registered in the folder and resource pool of the virtual lab. The proxy appliance is a VM that acts as a gateway routing requests from the production network to the isolated network.

To connect to isolated networks, Veeam Backup & Replication adds to the proxy appliance a vNIC adapter for each network. Each vNIC adapter gets an IP address from the network to which it is connected, which is typically the same as the IP address of a default gateway in the corresponding production network.

If the application group to be started in the virtual lab does not have a DHCP server and some applications in this group as well as verified applications require DHCP, you can enable the DHCP service on the vNIC adapter for each isolated network. You can also select specific DNS servers from the production network that should be started in the isolated network. Keep in mind that to be able to add a DNS server, you should have it virtualized in your production environment, and you should also have its backup.


To ensure correct work of applications, VMs in isolated networks are run with the same IP addresses as in the production network. To avoid IP address conflicts between VMs in production and isolated networks, Veeam Backup & Replication uses IP masquerading. For each isolated logical network, Veeam Backup & Replication assigns a masquerade IP address, and adds a new route to the IP routing table in the Veeam Backup console, where a proxy appliance is specified as a gateway to access VMs in this network.

For example, when trying to access a VM with IP address in the isolated network, Veeam Backup & Replication sends a request to the masquerade IP address According to the routing rule added to the IP routing table, all requests are first sent to the next hop – the proxy appliance. The proxy appliance performs address translation, substitutes the masquerade IP address with a real IP address in the isolated network, and forwards the request to the necessary VM in the isolated network – in our case, to

Sometimes it is necessary to provide many clients with access to a restored VM, which is especially the case for user-directed U-AIR restores. For example, you may want to provide access to a backup copy of the Exchange Server for employees using web-based access (Outlook Web Access). In this situation, it is impossible to update the routing table on every client machine. Veeam Backup & Replication enables you to get access to a VM in the isolated network directly from a production environment. To get access to a VM in the isolated network, you should reserve a static IP address in the pool of production IP addresses and specify which IP address of the VM powered on in the isolated environment it matches. This static IP address will be assigned to the proxy appliance NIC connected to the production network. IP traffic directed to the specified static IP address will be routed by the proxy appliance to the VM powered on in isolated network.

For example, to access a VM that has IP address in the isolated network, you can reserve IP address (in production) for it. You should also register an alias record in the production DNS server for the reserved IP address. For the example mentioned above, you can register as an alias for the IP address

Creating a Virtual Lab

When setting up a virtual lab, you should select an ESX host on which it should be created, a datastore to hold redo logs and files of the proxy appliance, and specify settings for a proxy appliance and isolated networks.

To create a new virtual lab, you have to start the New Virtual Lab wizard. Do one of the following:

• Right-click the Virtual Lab item in the menu on the left and select Create virtual lab from the shortcut menu.

• Click Virtual Labs under SureBackup in the management tree, right-click anywhere on blank area in the information pane and select Create virtual lab from the shortcut menu.

Step 1. Specify Name and Description

Enter a name and description for the new virtual lab. The default description contains time at which the lab was created and user who created it.


Step 2. Select a Host

Click Choose to select an ESX(i) host on which the new virtual lab will be created. You can select a standalone ESX(i) host or the one being a part of a cluster.

Note If you want to create a virtual lab on the ESX(i) server being a part of the vCenter hierarchy, make sure that this vCenter server is added to the Veeam Backup & Replication console. If such ESX(i) server is added as a standalone host, a virtual lab will not be created on it.


For every new virtual lab, Veeam Backup & Replication creates a dedicated folder and a resource pool where all tested VMs and the virtual proxy will run during recovery verification process. By default, the folder and the pool have the same name as the virtual lab. To change the name of the destination folder and/or resource pool, click Configure and enter the necessary names in the Destination Options section.

Note In clusters with disabled DRS no resource pools can be created. If the destination host is included in such a cluster, click Configure and clear the Create resource pool check box. For details, refer to the VMware Knowledge Base.

Step 3. Select Datastore

Click Choose to select a datastore on which redo logs for tested VMs should be stored. Redo logs are auxiliary files used to store all changes that take place when a VM is run from a read-only backup. As soon as a recovery verification jobs completes, redo logs are deleted.


Step 4. Set Up Proxy Appliance

To enable automatic recovery verification of VMs, select the Use proxy appliance in this virtual lab check box. The proxy appliance acts as a gateway that provides access from Veeam Backup server to VMs running in the isolated virtual lab. If you do not select this check box, you will only be able to verify VMs and perform item-level restore using built-in temporary VM console in Veeam Backup & Replication, or using vSphere Client, and perform heartbeat tests.


By default, the virtual proxy uses the name of the virtual lab. To change the default name, click Configure in the Proxy appliance VM settings section and specify the name of the created virtual appliance.


Click Configure in the Production network connection section to select a network where the proxy appliance should be created, specify its IP address and settings of DNS server to be used. You can choose to automatically obtain IP address for the proxy appliance and DNS server, or set them manually.


Important! If you assign a proxy appliance an IP address from the same network where the Veeam Backup server is located, Veeam Backup & Replication will automatically add a new route to the routing table on the Veeam Backup server. If you assign a proxy appliance an IP address from the network other than that where the Veeam Backup server is located, you will have to manually add a new route to the routing table on the router in the production network. Otherwise you will not be able to access virtual machines in isolated networks.

Step 5. Select the Networking Mode

Select the type of network settings configuration. Veeam Backup & Replication offers two types of networking for the created virtual lab:

• Basic – this type of networking is recommended if you have only one production network, and the Veeam Backup server is located in that network. Veeam Backup & Replication will use parameters of this network to automatically configure an isolated network to verify tested VMs.

• Advanced – this type of networking is recommended if you are planning to verify VMs that have dependencies on other VMs located in different networks. In this case, you will have to configure network parameters for these isolated networks manually.


Step 6. Specify Isolated Networks

This step is available if you have selected the Advanced networking option at the Networking step of the wizard.

At this step of the wizard, you should create isolated networks where verified VMs should be started, and map them to production networks where these VM are located.

To add a network, click Add and select a production network in which a VM from the application group or a verified VM resides. Then, specify a name for an isolated network that should be mapped to this production network, and enter an identifier for the created virtual network.


Step 7. Specify Network Settings

This step is available if you have selected the Advanced networking option at the Networking step of the wizard.

At this step of the wizard, you should specify settings for every created isolated networks and how a proxy appliance should connect the production network to these networks.

Communication between the production network and an isolated network is carried out through the vNIC adapter that is added to the proxy appliance. A vNIC adapter is added for each isolated network.

To add an adapter, click Add and specify its connection settings.


Select the network to which you want this adapter to be connected. Specify the IP address that the proxy appliance should have in this isolated network, and the subnet mask. Typically, the IP address should coincide with the gateway IP address in the production network.

Note Network addresses for different adapters should be different. For example, if the first adapter has address with mask, and the second one – with mask, such configuration will not be supported.

Once you specify the IP address, Veeam Backup & Replication will automatically configure a masquerade IP address for accessing VMs running in the virtual lab through the production network.

Select the Enable DHCP service on this adaptor check box and specify settings of a virtualized DNS server if necessary. Click OK to save settings.


Select the Route network traffic between vNICs check box to enable communication between isolated networks. When you select this option, make sure that the IP address of the proxy appliance in the isolated network matches the IP address of a proxy appliance in the production network.

Step 8. Specify Static IP Mapping

At this step of the wizard, you can specify static IP address mapping rules to make VMs in the virtual lab accessible from any computer in the production network.

To add a new static IP relation, click Add. In the IP relation window, specify an IP address of a VM in the production network, and its masquerade IP – a free IP address from the production network that will be used to access it in the isolated network from the production environment.


Step 9. Apply Parameters

Review the parameters of the virtual lab which will be created. You can go back to any previous step to adjust the parameters. If everything is fine, click Next to create the virtual lab.

Important! Use Veeam Backup & Replication to modify or delete a virtual lab. If you change lab settings or delete any of its components from outside (for example, using vSphere Client), the lab will be corrupted and its component such as created vSwitch, resource pool and so on will remain in the virtual infrastructure.

I also found a Youtube movie about the working of the Virtual Lab. This movie is created by Andreas Neufert of Veeam.

Related articles:

The information in this article is provided “AS IS” with no warranties, and confers no rights. This article does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.


Marco works for ViaData as a Senior Technical Consultant. He has over 15 years experience as a system engineer and consultant, specialized in virtualization. VMware VCP4, VCP5-DC & VCP5-DT. VMware vExpert 2013, 2014,2015 & 2016. Microsoft MCSE & MCITP Enterprise Administrator. Veeam VMSP, VMTSP & VMCE.