You create a security group at the NSX Manager level.


If you are creating a security policy for use with RDSH, ensure that the following requirements are met:

  • Active Directory Server must be integrated with NSX Manager.
  • Hosts must have DFW enabled and be upgraded to NSX 6.4.0.
  • Guest machines must run updated VMware Tools.
  • The version of the GI SVM must be 6.4 or later.
  • The rule must be created in a new section of Firewall Rules.
  • The rule must have Enable User Identity at Source selected.
  • The Applied to field is not supported for rules for remote desktop access.
  • ICMP is not supported for IDFW for RDSH.


  1. In the vSphere Web Client, navigate to Networking & Security > Security > Service Composer.
  2. Ensure that you are in the Security Groups tab.
  3. Click the Add Security Group or the Add icon.

    Security groups for use with Identity Firewall for RDSH must use security policies that are marked Enable User Identity at Source when created. Security groups for use with Identity Firewall for RDSH can only contain Active Directory (AD) groups, and all nested security groups must also be AD groups.

  4. Type a name and description for the security group and click Next.
  5. On the Dynamic Membership page, define the criteria that an object must meet for it to be added to the security group you are creating.
    For example, you may include a criterion to add all members tagged with the specified security tag (such as AntiVirus.virusFound) to the security group.

    Or you can add all virtual machines containing the name W2008 AND virtual machines that are in the logical switch global_wire to the security group.

    Security tags are case sensitive.
    Note: If you define a security group by virtual machines that have a certain security tag applied to them, you can create a dynamic or conditional workflow. The moment the tag is applied to a virtual machine, the virtual machine is automatically added to that security group.
  6. Click Next.
  7. On the Select objects to include page, select the object type from the drop-down.
    Note that security groups for use in remote desktop sessions can only contain Directory groups.
  8. Select the object that you want to add to the include list. You can include the following objects in a security group.
    • Other security groups to nest within the security group you are creating.
    • Cluster
    • Logical switch
    • Network
    • Virtual App
    • Datacenter
    • IP sets
    • AD groups
      Note: The AD configuration for NSX security groups is different from the AD configuration for vSphere SSO. NSX AD group configuration is for end users accessing guest virtual machines while vSphere SSO is for administrators using vSphere and NSX.
    • MAC Sets
      Note: Service Composer allows use of Security Groups that contain MAC Sets in Policy configurations. However, Service Composer fails to enforce rules for that specific MAC Set. Service Composer works on Layer 3 and does not support Layer 2 constructs.
    • Security tag
    • vNIC
    • Virtual Machine
    • Resource Pool
    • Distributed Virtual Port Group
    The objects selected here are always included in the security group regardless of whether or not they match the dynamic criteria.

    When you add a resource to a security group, all associated resources are automatically added. For example, when you select a virtual machine, the associated vNIC is automatically added to the security group.

  9. Click Next and double-click the objects that you want to exclude from the security group.
    The objects selected here are always excluded from the security group even if they match the dynamic criteria or are selected in the include list.
  10. Click Finish.


Membership of a security group is determined as follows:

{Expression result (derived from Step 5) + Inclusions (specified in Step 7)} - Exclusions (specified in Step 9)

That is, inclusion items are first added to the expression result. Exclusion items are then subtracted from the combined result.
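The membership rule above, modeled as an added example (it is not VMware code and does not call any NSX API). The VM names, tags, switch names and helper functions are constructed for illustration. Besides the effective membership, it lists objects that match the criteria or the include list but are removed by the exclusion list, which is worth reviewing before the group is used in a firewall policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:  # constructed inventory record, not an NSX object model
    name: str
    logical_switch: str
    tags: frozenset = frozenset()

# Constructed sample inventory.
INVENTORY = [
    VM("W2008-web01", "global_wire"),
    VM("W2008-db01", "local_wire"),
    VM("lin-app01", "global_wire", frozenset({"AntiVirus.virusFound"})),
    VM("lin-app02", "global_wire", frozenset({"antivirus.virusfound"})),
    VM("jump01", "mgmt_wire"),
]

def has_tag(tag):
    return lambda vm: tag in vm.tags  # exact match: security tags are case sensitive

def name_contains(text):
    return lambda vm: text in vm.name

def on_switch(switch):
    return lambda vm: vm.logical_switch == switch

def all_of(*criteria):
    return lambda vm: all(c(vm) for c in criteria)

def any_of(*criteria):
    return lambda vm: any(c(vm) for c in criteria)

# Assumption: the page's two example criteria from step 5, combined here with OR.
CRITERIA = any_of(has_tag("AntiVirus.virusFound"),
                  all_of(name_contains("W2008"), on_switch("global_wire")))

def candidates(dynamic, include):
    """Expression result plus the include list, as VM names."""
    return {vm.name for vm in INVENTORY if dynamic(vm)} | set(include)

def effective_members(dynamic, include=(), exclude=()):
    """(Expression result + inclusions) - exclusions."""
    return candidates(dynamic, include) - set(exclude)

def excluded_matches(dynamic, include=(), exclude=()):
    """Objects that would be members but are removed by the exclusion list."""
    return candidates(dynamic, include) & set(exclude)

if __name__ == "__main__":
    print(sorted(effective_members(CRITERIA, ["jump01"], ["lin-app01"])))
```

In this sample, lin-app02 never joins the group because its tag differs only in case, and excluding lin-app01 removes it even though it carries the matching tag.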