Identity Firewall (IDFW) allows an NSX administrator to create Active Directory user-based distributed firewall (DFW) rules.
At a high level, the IDFW configuration workflow begins with preparing the infrastructure: the administrator installs the host preparation components on each protected cluster and sets up Active Directory synchronization so that NSX can consume AD users and groups.

Next, IDFW must learn which desktop an Active Directory (AD) user logs onto in order to apply DFW rules to that desktop's traffic. IDFW supports two methods of logon detection: Guest Introspection (GI) and the Active Directory event log scraper. Guest Introspection is deployed on the ESXi clusters where IDFW-protected virtual machines run. When a user generates network events, a guest agent installed in the VM forwards the information through the Guest Introspection framework to NSX Manager. The second option is the Active Directory event log scraper: configure it in NSX Manager to point at an instance of your Active Directory domain controller, and NSX Manager then pulls logon events from that domain controller's security event log.

You can use either method on its own or both together. When both are in use, Guest Introspection takes precedence for the desktops it covers. Note, however, that the two methods do not back each other up: if one of them stops working, the other does not begin to take over its role.
Once the infrastructure is prepared, the administrator creates NSX Security Groups and adds the newly available AD groups (referred to in NSX as Directory Groups) to them. The administrator then creates Security Policies with associated firewall rules and applies those policies to the new Security Groups. Now, when a user logs into a desktop, the system detects that event together with the IP address in use, looks up the firewall policy associated with that user's groups, and pushes the resulting rules down for that desktop. This works for both physical and virtual desktops, but Guest Introspection only covers virtual machines; for physical desktops the AD event log scraper is required to detect the logon.
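To make the detect-logon, map-IP, look-up-policy, push-rules sequence concrete, the following is an added simulation of that workflow. It is example code written for this page, not NSX or VMware code. The event lines, the Windows event IDs it keys on (4624 successful logon, 4634 logoff), the logon types it treats as desktop logons (2 interactive, 10 RemoteInteractive), the directory groups, security groups and policies are all constructed assumptions; the page does not specify which events or fields NSX's scraper actually consumes. The example also shows the two practical edge cases a practitioner hits: a logon event with no usable source IP cannot be mapped to a desktop, and when Guest Introspection and the scraper both report an IP, the GI answer is kept.

```python
"""Simulation of the IDFW logon-detection and rule-selection workflow.

Added, hypothetical example; not NSX code. All events, groups and
policies below are constructed for illustration.
"""

# Constructed sample of what an AD event log scraper might read from a
# domain controller's security log, flattened to key=value pairs for the
# example. Real events are EVTX/XML. Which event IDs and logon types NSX
# actually keys on is an assumption here, not something the page states.
SAMPLE_EVENTS = [
    "EventID=4624 TargetDomainName=CORP TargetUserName=alice LogonType=2 IpAddress=10.1.1.25",
    "EventID=4624 TargetDomainName=CORP TargetUserName=bob LogonType=10 IpAddress=10.1.1.40",
    "EventID=4624 TargetDomainName=CORP TargetUserName=svc-backup LogonType=3 IpAddress=10.1.1.40",
    "EventID=4624 TargetDomainName=CORP TargetUserName=carol LogonType=2 IpAddress=-",
    "EventID=4634 TargetDomainName=CORP TargetUserName=alice",
]

# Constructed AD group membership (Directory Groups) and NSX objects.
DIRECTORY_GROUPS = {
    "CORP\\Finance": {"CORP\\alice"},
    "CORP\\Contractors": {"CORP\\bob"},
}
SECURITY_GROUPS = {
    "SG-Finance": ["CORP\\Finance"],
    "SG-Contractors": ["CORP\\Contractors"],
}
POLICIES = {
    "SG-Finance": [("allow", "tcp/1433", "erp-db")],
    "SG-Contractors": [("allow", "tcp/443", "ticketing"), ("drop", "any", "any")],
}
# Interactive and RemoteInteractive logons are treated as desktop logons
# (assumption); network logons such as type 3 are not.
DESKTOP_LOGON_TYPES = {"2", "10"}
UNUSABLE_IPS = {"-", "127.0.0.1", "::1"}


def parse_event(line):
    """Turn one flattened key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_desktop_logon(ev):
    """A logon is mappable only if it is interactive and carries a usable IP."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") in DESKTOP_LOGON_TYPES
        and ev.get("IpAddress", "-") not in UNUSABLE_IPS
    )


def build_sessions(lines):
    """Replay events into an ip -> DOMAIN\\user table, dropping sessions on logoff."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        user = f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}"
        if is_desktop_logon(ev):
            sessions[ev["IpAddress"]] = user
        elif ev.get("EventID") == "4634":
            sessions = {ip: u for ip, u in sessions.items() if u != user}
    return sessions


def merge_sources(gi_sessions, scraper_sessions):
    """Guest Introspection wins where both sources report the same IP."""
    return {**scraper_sessions, **gi_sessions}


def effective_rules(ip, sessions):
    """Resolve the user at ip to Security Groups and collect their rules."""
    user = sessions.get(ip)
    if user is None:
        return []  # no known logon at this IP: no user-based rules apply
    ad_groups = {g for g, members in DIRECTORY_GROUPS.items() if user in members}
    rules = []
    for sg, directory_groups in SECURITY_GROUPS.items():
        if ad_groups.intersection(directory_groups):
            rules.extend(POLICIES.get(sg, []))
    return rules


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_EVENTS)
    print("sessions:", sessions)
    for ip in ("10.1.1.25", "10.1.1.40"):
        print(ip, "->", effective_rules(ip, sessions))
```

Replaying the sample: alice's interactive logon is recorded and then removed by her logoff, bob's RemoteInteractive logon at 10.1.1.40 survives, the service account's network logon from the same IP is ignored so it does not overwrite bob's session, and carol's logon with no source IP is never mapped. Only 10.1.1.40 therefore receives rules, and they are the SG-Contractors rules.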
Identity Firewall can also be used for micro-segmentation of Remote Desktop Session Host (RDSH) sessions, where multiple users are logged in to the same host simultaneously. Each user's application access is then governed by that user's own rules, and users' environments remain independent of one another. Identity Firewall with remote desktop sessions requires Active Directory.
For supported Windows operating systems, see Identity Firewall Tested and Supported Configurations. Linux-based operating systems are not supported for Identity Firewall.