A few days ago I was at a customer that uses Veeam to backup his vSphere environment. Nothing special in the configuration. We run this setup for a few years now and it was bulletproof.
Recently we upgraded to Veeam v9 and vSphere 6 to be on the latest major versions both vendors offer. Since then we have a strange problem that was overseen for a while.
The customers security requirements deny access for any system from the internal network to the DMZ, especially for the backup server. To have fully consistent backups of VMs running in the DMZ we use Veeam VAAIP agents uploaded to the VMs via VIX because RPC (admin share access via CIFS) is not allowed. This worked perfectly even with Veeam v9 and vSphere 6. Perfectly until the customer upgraded the VMware Tools on his DMZ VMs. The weeks before the problem arose the VMs ran on vSphere 6 but with VMware Tools from 5.5. The moment he upgraded to VMware Tools 10.x the VIX upload didn't work anymore. The problem only hits a few VMs that can not leverage RPC as alternative upload method.
The error can be simply reissued once you take a VM, install VMware Tools 10.x on it and choose "Test Now" for the credentials in the VAAIP panel.
RPC is working fine as the VMs reside on the same subnet as the backupserver but VIX isn't working anymore.
The error is "Connecting to guest OS via VIX Error: Cannot upload file to admin share [C:\Windows]. Cannot create folder in guest: [C:\Windows\VeeamGuestHelpersTest]. VIX Error: A file was not found Code: 4"
We checked credentials, UAC settings and even reinstalled the tools. Upgrading from 10.0.6 which is the version currently available on the ESXi hosts to the latest version 10.0.9 from the VMware homepage doesn't change anything.
Switching back to VMware Tools version 9.x from the vSphere 5.5 repository brings back VIX functionality. So it seems that anything changed between 9.x and 10.x that renders VIX upload unusable.
I searched on the net for any related posts but it seems either noone uses VIX or whatever. So I opened a call at Veeam to help understand where the problem is. The call is still open and there isn't a solution yet.
As a workaround you can use a guest interaction proxy with Veeam 9 that is installed in the DMZ and bag your security guys to open the needed two ports between the backupserver and the guest interaction proxy. If this is not an option, please be careful when upgrading to VMware Tools 10.x
Coming from a call with Veeam to discuss this problem and it seems this is a known problem with VMware Tools 10.x. Veeam already opened a call covering this problem at VMware in FEBRUARY!!! but still there is no general solution available. A workaround is to downgrade VMware Tools (well, I already mentioned this possibility above) or wait for VMware Tools 10.1 where this issue is addressed. It seems that there is a hotfix available at VMware but hotfixes are published only in severe situations where there is no other way to get things work so it seems it's not that easy to get the patch.
VMware support told me to either bring a real good reason why they should give me the hotfix (probably it can cause more trouble than it can fix....) or wait for version 10.1 scheduled for October 2016.