Identity Firewall (IDFW) allows user-based distributed firewall rules (DFW).

User-based distributed firewall rules are determined by membership in an Active Directory (AD) group membership. IDFW monitors where AD users are logged in, and maps the login to an IP Address, which is used by DFW to apply firewall rules. Identity Firewall requires either guest introspection framework or active directory event log scraping. You can use both in your environment, or one or the other. When both the AD log scraper and Guest Introspection are used, Guest Introspection will take precedence. Note that if both the AD event log scraper and Guest Introspection are used, the two are mutually exclusive: if one of these stops working, the other does not begin to work as a back up.

AD group membership changes do not immediately take effect for logged in users using RDSH Identity Firewall rules, this includes enabling and disenabling users, and deleting users. For changes to take effect, users must log off and then log back on. We recommend AD administrators force a log off when group membership is modified. This behavior is a limitation of Active Directory.

The Northbound flow of IDFW:
  1. A user logs in to a VM.
  2. A user login event is received by the NSX management plane.
  3. The NSX management plane looks at the user and receives all of the Active Directory (AD) groups the user belongs to. The NSX management plane then sends group modify events for all of the affected AD groups.
  4. For each Active Directory group all of the Security Groups (SG) including this AD group are flagged, and a job is added to the queue to process this change. Because a single SG can include multiple Active Directory groups, a single user login event will often trigger multiple processing events for the same SG. To address this, duplicate Security Group processing requests are removed.

The Southbound flow of IDFW:

  1. A Security Group processing request is received. When a SG is modified, NSX updates all affected entities and triggers actions per IDFW rules.
  2. NSX receives all of the Active Directory groups for a SG.
  3. From Active Directory, NSX receives all of the users belonging to the AD groups.
  4. The Active Directory users are associated with their IP addresses.
  5. The IP address are mapped to vNICs, and then the vNICs are mapped to virtual machines (VMs). The resulting list of VMs is result of Security Group to VM translation.

Identity Firewall for RDSH is only supported with Windows Server 2016, Windows 2012 with VMware Tools 10.2.5 and later, and Windows 2012 R2 with VMware Tools 10.2.5 and later.


  1. Configure Active Directory Sync in NSX, see Synchronize a Windows Domain with Active Directory. This is required to use Active Directory groups in Service Composer.
  2. Prepare the ESXi cluster for DFW. See Prepare the Host Cluster for NSX in the NSX Installation Guide.
  3. Configure Identity Firewall logon detection options. One or both of these options must be configured.
    Note: If you have a multi-domain AD architecture, and the log scrapper isn't accessible due to security constraints, use Guest Introspection to generate login and logout events.