Veeam Backup for Salesforce: Setup and Configuration from Scratch
Salesforce is not like other infrastructure you protect. There is no VM to snapshot, no VMDK to copy. The data lives entirely in Salesforce's cloud, the platform manages uptime, and you manage your data. That distinction matters because Salesforce's native tools are not a backup strategy. They protect against platform failure, not against user error, misconfigured automation, or runaway data migrations. Veeam Backup for Salesforce fills that gap. This article covers the architecture, deployment, initial configuration, backup policy setup, restore workflows, and the things most people do not find out until something goes wrong.
Why Salesforce Data Needs Third-Party Backup
Salesforce's shared responsibility model is clear: Salesforce keeps the platform running and your data available at the infrastructure level. What it does not cover is accidental deletion, bulk data corruption from a bad import, a broken flow that overwrites field values, or a user with too many permissions running the wrong report action. Salesforce itself recommends that customers maintain regular backups and perform manual point-in-time backups before any major data project. That recommendation exists because the native tools have meaningful gaps.
Veeam Backup for Salesforce is a self-managed Linux-based solution that you deploy where your requirements demand: on-premises, in AWS, in Azure, or anywhere else. It uses Salesforce's native APIs, meaning it does not require any third-party AppExchange integrations and does not introduce additional trust surfaces. One installation can manage multiple Salesforce organizations from a single console.
Architecture
The product runs as a set of Linux services around a central management server. Understanding what each piece does helps you make the right call on whether to co-locate components or separate them.
Management Server (vbsf-backend)
Core service. Manages backup, restore, and archival operations. Hosts the web UI. Coordinates all jobs and sessions. Install this on a dedicated machine.
Configuration Database (PostgreSQL)
Stores app configuration, Salesforce org connections, backup policies, restore jobs, sessions, and audit trail. Can be co-located for small environments; should be separated for production.
File Storage
Where backed-up Salesforce files and metadata are stored. Default path is /opt/vbsf/data. Should be a dedicated partition or mount. If you change this path, you must migrate existing backups manually before enabling policies.
Log Repository
Default path /var/log/vbsf/. Veeam recommends a dedicated partition here to prevent log growth from filling the OS disk.
The management server communicates with Salesforce entirely through native Salesforce APIs. Access is established through a Connected App that you create in Salesforce and authorize through the initial configuration wizard. No agent is installed in Salesforce. No data passes through Veeam-managed intermediaries in the Salesforce tenancy.
Licensing
Licensing is per Salesforce user. A free Community Edition exists with a cap of 50 users. Paid licensing starts above that. Install your license file during the initial configuration wizard. You can start with the community edition during testing and upgrade to a paid license without reinstalling.
System Requirements
| Component | Requirement |
|---|---|
| OS | RHEL, AlmaLinux, Rocky Linux, Oracle Linux, or Ubuntu. 64-bit. Veeam recommends a fresh, dedicated machine - clean OS, nothing else running on it. Avoid co-installing with other applications that may conflict with nginx or PostgreSQL. Check the current System Requirements page on the Help Center for specific CPU and RAM minimums as these are sized by org count and data volume. |
| SELinux | If SELinux is enabled, you must allow httpd to connect to the network before installation. Run setsebool -P httpd_can_network_connect 1 before installing. Not doing this breaks the web UI and you will spend time you do not have tracking down why the product installed but will not load. |
| File System | XFS recommended for the data and log partitions. Separate disks for data, logs, and OS are strongly recommended for production. |
| Outbound Connectivity | The management server must be able to reach the Salesforce authentication endpoint. Verify outbound HTTPS is permitted before attempting installation. |
| PostgreSQL | Can be installed locally by the install script (easiest) or pointed at an existing remote instance. For production environments with multiple orgs or large data volumes, dedicate a separate PostgreSQL host. |
| nginx | Used as the reverse proxy for the web UI. Let the installer configure it automatically. Manual nginx configuration is documented in a Veeam KB but adds complexity without benefit for most deployments. |
Step 1: Install the Software
The installation uses a script-based approach on RHEL-family and Ubuntu systems. The script handles repository setup, package install, dependency resolution, and the nginx and PostgreSQL prompts. Manual package installation is also documented but the script path is the right choice for first deployments.
RHEL, AlmaLinux, Rocky, Oracle
sudo curl https://repository.veeam.com/yum/el/vbsf-install-script.sh \
--output ./vbsf-install-script.sh
chmod +x ./vbsf-install-script.sh
sudo ./vbsf-install-script.shThe script will install the Veeam software repository, then pull and install all packages and dependencies. After all configuration checks pass, it will either run the server configuration script automatically or prompt you to run it. Follow the prompts for PostgreSQL installation and nginx configuration. Let both configure automatically on a clean machine.
Ubuntu
A separate script is available for Ubuntu deployments. The process is identical in structure: download, make executable, run as root. The Ubuntu path is documented in the Veeam Help Center deployment guide under the Ubuntu installation section.
Locale Must Be Set Before Running the Script
The install script requires the system locale to be configured. If you have just provisioned a minimal Linux VM, set the locale and log out and back in before running the script. Skipping this step causes character encoding issues in the web UI and in backup job logs.
After the script completes, it outputs a URL in the form https://<IP>:<port>/?token=<value>. Copy that URL. You need it to complete the initial configuration wizard. The token is single-use and authorizes the first admin account creation.
Step 2: Initial Configuration Wizard
Open the generated URL in a browser. The wizard walks through eight steps. Every step matters - do not skip or defer any of them.
- 1Accept the license agreement. Standard click-through. Nothing to configure here.
- 2Create the local administrator account. This is your first admin user. The credentials you set here are used to access the web UI until you configure SSO. Store them properly. There is no "forgot password" flow without database access.
- 3Connect to PostgreSQL. If the install script created PostgreSQL locally, accept the defaults. The credentials were auto-generated and saved to /opt/vbsf/vbsf-backend/config/vbsf_default_credentials.properties. If pointing at a remote PostgreSQL instance, enter the host, port, database name, and credentials here.
- 4Provide a license file. Upload your license file. For evaluation or small environments under 50 users, you can continue without a license to use the community edition. You can add or upgrade a license at any time from the Configuration page without reinstalling.
- 5Create the Salesforce Connected App. This is the most involved step. See the Connected App section below.
- 6Connect to your Salesforce organization. After the Connected App is created and credentials are entered, you authorize access. You will be redirected to Salesforce to log in as a Salesforce administrator and approve the connection. Once approved, control returns to the wizard.
- 7Set the initial backup policy schedule. Configure when the first backup runs and its initial frequency. This can be changed after the wizard completes. Do not leave it at the default if the default does not match your RPO requirements.
- 8Finish the wizard. The wizard completes and the management console loads. Your first backup policy is now active based on what you configured at step 7.
Creating the Salesforce Connected App
The Connected App is how Veeam authenticates to your Salesforce organization. You create it in Salesforce, not in Veeam. The wizard will prompt you for the consumer key and consumer secret that the Connected App generates.
- 1In Salesforce, go to Setup and search for App Manager. Click New Connected App.
- 2Fill in the Connected App name and contact email. Under API (Enable OAuth Settings), check Enable OAuth Settings.
- 3In the Callback URL field, enter the FQDN or IP address of your Veeam Backup for Salesforce server. The wizard will tell you the exact callback URL to use. It must match exactly - this value also maps to the backend.domain setting in Advanced Settings.
- 4Add the required OAuth scopes. At minimum: Full access or the specific scopes documented in the Veeam KB article referenced in the wizard (KB4240). Save the Connected App.
- 5After saving, click Manage Consumer Details. Copy the Consumer Key and Consumer Secret. You will paste these into the Veeam wizard at step 5. Keep these credentials safe - they grant API access to your Salesforce org.
Callback URL Must Be Reachable
The callback URL you enter in the Connected App must be the public IP or DNS name of your Veeam server, accessible over HTTPS. If Salesforce cannot reach that URL during the authorization redirect, the connection fails silently. Test HTTPS connectivity to your management server from an external network before running the wizard if you are not sure.
Step 3: Configure Backup Policies
The initial wizard creates one backup policy covering the organization you connected. Backup policies in Veeam Backup for Salesforce are more granular than a typical "protect this org" toggle. You control what gets backed up, how often, and for how long at the object level.
Creating Additional Backup Policies
- 1In the web UI, navigate to the Jobs section. Click Add Backup Policy to launch the policy wizard.
- 2Configure Connection: Select the Salesforce organization this policy will protect. If you have multiple orgs connected, each can have separate policies with different schedules and retention settings.
- 3Backup Settings: Select which Salesforce objects to include. You can back up all objects or select specific ones. High-change objects like Opportunities, Cases, and Contacts warrant higher-frequency policies than static metadata objects.
- 4Files and Attachments: Enable backup of Salesforce Files, Attachments, and ContentDocuments separately from data backups. File backups write to the file storage path and can grow quickly in orgs with heavy attachment usage. Enable this intentionally, not by default.
- 5Encryption: Optionally enable client-side encryption. You can use Veeam's built-in key management or AWS KMS if your compliance requirements demand key custody outside of the backup server. If you enable encryption, document your key management approach immediately.
- 6Retention: Set how long to retain backup data. Retention is enforced per-policy. Consider regulatory requirements for your industry. Salesforce-regulated data in financial services or healthcare typically has explicit retention mandates.
- 7Finish the wizard. The policy runs on the schedule you defined. You can also trigger a manual run at any time from the Jobs view.
Per-Object Custom Schedules
The backup policy wizard includes a Custom Schedules option where you can assign different schedules to specific Salesforce objects. The three built-in schedules are Hourly, Daily, and Weekly. You can also create custom schedules. If you have high-change objects like active Opportunities during a sales cycle that need tighter protection than everything else, assign them a more frequent custom schedule without touching the default schedule for the rest of the org.
Step 4: Adding Additional Salesforce Organizations
One installation manages multiple orgs. After the initial wizard, you can add organizations from the Configuration page under Managing Salesforce Organizations. Each org requires its own Connected App and authorization. The process is identical to the initial connection: create the Connected App in Salesforce, copy the credentials, authorize access in the Veeam console.
For MSP environments or enterprises with sandbox and production orgs, this multi-org management from a single pane is significant. Each org gets its own set of policies, retention settings, and restore jobs. Permissions and RBAC can be scoped per-org if you enable SSO through Microsoft Entra ID or Salesforce as the identity provider.
Restore Workflows
Restore is where Veeam Backup for Salesforce earns its keep. The restore options are granular enough to handle surgical recovery without touching surrounding data.
Restoring Records
Navigate to Restore and select Restore Records. The wizard lets you select the organization, choose a backup point in time, and then select specific objects and records. You can restore full objects including their child hierarchy - Veeam preserves parent-child relationships during restore. You can also restore selected records from a specific point in time without restoring the entire object, which is the right approach for targeted user error recovery.
Restoring Field Values
The most surgical restore option. If a flow or automation overwrote specific field values on a set of records, you can restore those field values to a point in time without touching anything else on the record. Select the organization, the object, the specific records, and then select which fields to restore. This is genuinely useful and not something native Salesforce tools can do.
Restoring Files
Restores Salesforce Files (ContentDocuments, Attachments) that were backed up with the file backup option enabled. Select the organization, choose your restore point, and select the specific files. Files can be restored to their original Salesforce record or to an alternate location.
Restoring Metadata
Metadata restore covers Reports, Profiles, Permission Sets, Flows, and other configuration objects that define how your org behaves. If a deployment went wrong or someone modified a permission set that broke access for a user group, metadata restore lets you roll back that specific metadata component without touching data. This is the restore type most Salesforce admins do not know they need until they need it badly.
Compare with Production
Before committing to a restore, you can compare a backed-up version of a record or metadata component against the current production state. For data, you see field-level differences. For metadata, you get a line-by-line diff. Use this before any restore to confirm you are replacing what you think you are replacing and not introducing unintended changes.
Configuring Alerts
Navigate to Configuration then Managing Alerts. Alerts fire for backup failures, restore job completions, licensing issues, connection problems, and data change anomalies. Configure email delivery under Notification Settings first, then create alerts for the events your team needs to act on. At minimum, set alerts for backup failures and license expiry. For security-conscious environments, the data change alerting is worth enabling: it flags unusual changes in protected data that could indicate a malicious actor or a broken automation running amok.
Gotchas and Common Failure Modes
- Locale not set before install. A missing or misconfigured locale causes character encoding problems in the UI and in job logs. Set it before running the install script and log out and back in to apply it.
- Callback URL mismatch. The callback URL in the Connected App must match exactly what Veeam uses. If the management server is accessible by multiple hostnames or IP addresses, pick one and use it consistently. A mismatch breaks the Salesforce authorization redirect silently.
- SELinux blocking httpd. On RHEL-family systems with SELinux enforcing, httpd cannot connect to the network by default. The Veeam web UI fails to load or behaves erratically. Run setsebool -P httpd_can_network_connect 1 before installation.
- Changing the file storage path post-installation. If you change data.storage.location in Advanced Settings after policies have run, you must manually move all existing backup data to the new path before re-enabling policies. Failure to do this causes restore jobs to fail with missing data errors.
- Log partition filling the OS disk. Default log path is /var/log/vbsf/ on the OS disk. For any environment running daily backups at scale, create a dedicated partition for logs and mount it at that path before running the install script.
- PostgreSQL on the same machine for large orgs. Acceptable for evaluation and small deployments. For orgs with high object counts or large file volumes, the PostgreSQL load and the backup service load will compete on the same host. Separate them for production at scale.
- Encryption keys - document before you need them. If you enable client-side encryption and then need to restore to a different server or after a failure, you need your encryption keys. Veeam provides key download from the Configuration page. Download them immediately after enabling encryption and store them off the backup server.
- Restore jobs run serially by default. The restore.job.allow.parallel setting in Advanced Settings defaults to serial execution. If you need to run parallel restore jobs for the same organization (common during large data recovery events), you must explicitly enable this setting.
What You Have Completed