Directory servers and log scraping servers supported with IDFW.
| Server/Version | Supported? |
|---|---|
| Windows Server 2016 | Yes |
| Windows Server 2012 | Yes |
| Windows Server 2012 R2 | Yes |
| Windows Server 2008 R2 | No |
| Windows Server 2008 | No |
| Windows Server 2003 | No |
| LDAP Servers other than Microsoft AD | No |
| Server/Version | Supported? |
|---|---|
| Windows 2016 | Yes |
| Windows 2012 with VMware Tools 10.2.5 and later | Yes |
| Windows 2012 R2 with VMware Tools 10.2.5 and later | Yes |
Note that Identity Firewall with RDSH support requires Guest Introspection network drivers be installed.
| Server/Version | Supported? |
|---|---|
| Domain synchronization with LDAP and LDAPs | Yes |
| Event log addition with CIFs and WMI | Yes |
| Domain sync with single rootDN | Yes |
| Domain sync with multiple RootDN OUs | 6.4.0 and later |
| Domain sync with single subtree of OUs with level hierarchy | 6.4.0 and later |
| Domain sync with multiple subtree of OUs | 6.4.0 and later |
| Delete and re-add same domain with selective OU | 6.4.0 and later |
| Add new subtree under synced OU | 6.4.0 and later |
| Sync with selective BaseDN | 6.4.0 and later |
| Sync with ignoring disabled users | Yes |
| Delta sync with changes in AD domain | Yes |
| Server/Version | Supported? |
|---|---|
| Windows Server 2016 | Yes |
| Windows Server 2012 | Yes |
| Windows Server 2012 R2 | Yes |
| Windows Server 2008 R2 | Yes |
| Linux or other LDAP Implementations | No |
- VM requires rebooting for an incoming login event if the following occur:
- users are disabled or enabled
- VM IP address change
- re-adding the same domain with NSX Manager
- The event log queue for incoming login events is limited, and login events are not received if the log is full.
For more information about domain synchronization see Synchronize a Windows Domain with Active Directory.
| Server/Version | Supported? |
|---|---|
| Win-7 (32-bit, 64 bit) | Yes |
| Win-8 (64 bit) | Yes |
| Win-10 (32-bit, 64 bit) | Yes |
| Windows Server 2016 | Yes. |
| Windows Server 2012 | Yes |
| Windows Server 2008 R2 | Yes |
| Linux Support | No |
-
GI framework must be deployed to every cluster where IDFW VMs are running.
-
A complete installation of VMware Tools ™ must be installed on all Guest VMs.
- UDP sessions are not supported. Networking events are not generated for UDP sessions on Guest VMs.
- Linux GOS integration with Active Directory Server is not supported.
Supported Microsoft Active Directory Configurations
Based on the standard and best practices design guides from Microsoft, https://msdn.microsoft.com/en-us/library/bb727085.aspx, following configurations of Active Directory Forests, Domains, Domain-Trees, Groups/Users are supported and tested for Identity Firewall:
| Scenarios | Supported? |
|---|---|
| Change user membership within domain | Yes |
| Circular group membership | Yes, supported from 6.2.8 and later |
| Nested group membership | Yes |
| Add and modify group name | Yes |
| Add and modify user name | Yes |
| Delete group and user | Yes |
| Disable and enable user | Yes |
| Scenarios | Supported? |
|---|---|
| Users created in parent domain and part of groups in parent domain | Yes |
| Users created in child domain but part of groups in parent domain | No |
| Users created in child domain1 and membership is in child domain2 | |
| Change user membership between two different domain (root and child) | Yes |
| Circular group membership | Yes, supported from 6.2.8 and later |
| Nested group membership in single domain, (Not supported for Cross Domain) | Yes |
| Add and modify group and username | Yes |
| Delete group and user | Yes |
| Disable and enable user | Yes |
| Scenarios | Supported? |
|---|---|
| Change Domain Password after sync | Yes |
| Change IP address after sync | Yes |
| Rename domain controllers | Yes |
| Disconnect and reconnect network of domain and event log server during domain sync | Yes |
| Disconnect and reconnect network of domain and event log server after domain sync | Yes |
- A user login event is processed only when a TCP session is initiated from a guest VM.
-
User log out events are not sent or processed. Enforced ruleset remains until an 8-hour time span elapses since a user's last network activity, or a different user generates a TCP connection from the same VM. The system processes this as a log out from the previous user and a log on from the new user.
- Multi-user support is available with IDFW with RDSH in NSX 6.4.0 and later.
-
RDSH VM logins are primarily handled by the context engine for rule enforcement. RDSH logins are only matched to firewall rules created with Enable User Identity at Source, and the rule must be created in a new section of Firewall Rules. If a user belongs to a non user identity at source security group and logs in to an RDSH VM, the login won't trigger any translation on the non user identity at source security group. An RDSH VM never belongs to any non user identity at source security groups.
