Identity Firewall (IDFW) features allow an NSX administrator to create Active Directory user-based Distributed Firewall (DFW) rules.

IDFW can be used for Virtual Desktop Infrastructure (VDI) or Remote Desktop Session Host (RDSH) deployments, enabling simultaneous logins by multiple users, user application access based on requirements, and the ability to maintain independent user environments. VDI management systems control which users are granted access to the VDI virtual machines. NSX-T controls access to the destination servers from the source VM; IDFW is processed at the source VM. With RDSH, administrators create security groups with different users in Active Directory (AD), and allow or deny those users access to an application server based on their role. For example, Human Resources and Engineering users can connect to the same RDSH server and have access to different applications from that server.

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods for a malicious local administrator to spoof their identity to bypass firewall rules. User identity information is provided by the Guest Introspection Agent inside guest VMs. Security administrators need to ensure that the NSX Guest Introspection Agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

Linux-based operating systems are not supported.

IDFW is supported on:

Microsoft Active Directory Windows Server:
  • 2008
  • 2012
  • 2012R2
  • 2016
  • 2019

VMware Tools version 10.3 or later: NSX File Introspection driver, NSX Network Introspection driver, VMCI driver.

Host operating system: ESXi only

Guest operating systems:
  • Desktop enforcement: Windows 8, Windows 10
  • RDSH enforcement: Windows 2012R2, Windows 2016

A high-level overview of the IDFW configuration workflow begins with preparing the infrastructure. This includes the administrator installing the host preparation components on each protected cluster and setting up Active Directory synchronization so that NSX can consume AD users and groups. Next, IDFW must know which desktop an Active Directory user logs on to in order to apply IDFW rules. When a user generates network events, the thin agent installed with VMware Tools on the VM gathers the connection and identity information and sends it to the Context Engine. This information is used to provide enforcement for the Distributed Firewall.

IDFW workflow:
  1. A user logs in to a VM and starts a network connection, for example by opening Skype or Outlook.
  2. The Thin Agent detects the user login event, gathers the connection information and identity information, and sends it to the Context Engine.
  3. The Context Engine forwards the connection and identity information to the Distributed Firewall for any applicable rule enforcement.
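The following is an added example, not NSX code, that models the workflow above and the RDSH case described earlier: login events from the thin agent populate a context engine, and the rule check at the source VM resolves a session's user to AD groups before matching identity rules. The class and function names, the event shape, the AD group names and the rule schema are all assumptions for illustration. The one design point it makes concrete is that identity must be tracked per session rather than per VM, because an RDSH host carries several logged-in users at once, and a session with no login event matches no identity rule.

```python
"""Toy model of identity-based rule evaluation in the IDFW workflow.

Added example, not NSX code: names, event format and rule schema are
assumptions. Data below is constructed for illustration.
"""
from dataclasses import dataclass


# Constructed AD group membership, as NSX would learn it from AD synchronization.
AD_GROUPS = {
    "CORP\\alice": {"CORP\\HR"},
    "CORP\\bob": {"CORP\\Engineering"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source_groups: frozenset  # AD groups matched against the logged-in user's identity
    dest: str                 # destination server (a name, for readability)
    dest_port: int
    action: str               # "ALLOW" or "DROP"


# Constructed identity rules; first match wins, anything unmatched is dropped.
RULES = [
    Rule("hr-payroll", frozenset({"CORP\\HR"}), "payroll-srv", 443, "ALLOW"),
    Rule("eng-git", frozenset({"CORP\\Engineering"}), "git-srv", 22, "ALLOW"),
]


class ContextEngine:
    """Tracks which user owns which session on which VM, fed by thin-agent login events."""

    def __init__(self):
        # Keyed by (vm, session_id), not by vm alone: an RDSH host has several
        # simultaneous users, so the source VM cannot identify the user by itself.
        self.sessions = {}

    def login_event(self, vm, session_id, user):
        self.sessions[(vm, session_id)] = user

    def logout_event(self, vm, session_id):
        self.sessions.pop((vm, session_id), None)

    def identity_for(self, vm, session_id):
        return self.sessions.get((vm, session_id))


def evaluate(engine, vm, session_id, dest, port):
    """Enforce at the source VM: resolve the session's user to AD groups, then match rules.

    Returns (action, reason). A session without a login event has no identity,
    so no identity rule can match it and the default drop applies.
    """
    user = engine.identity_for(vm, session_id)
    if user is None:
        return ("DROP", "no-identity")
    groups = AD_GROUPS.get(user, set())
    for rule in RULES:
        if rule.dest == dest and rule.dest_port == port and rule.source_groups & groups:
            return (rule.action, rule.name)
    return ("DROP", "default")


if __name__ == "__main__":
    engine = ContextEngine()
    # Two users share one RDSH host; each session is resolved independently.
    engine.login_event("rdsh-01", 1, "CORP\\alice")
    engine.login_event("rdsh-01", 2, "CORP\\bob")
    print(evaluate(engine, "rdsh-01", 1, "payroll-srv", 443))  # HR user reaches payroll
    print(evaluate(engine, "rdsh-01", 2, "payroll-srv", 443))  # Engineering user does not
    print(evaluate(engine, "rdsh-01", 2, "git-srv", 22))       # Engineering user reaches git
    engine.logout_event("rdsh-01", 1)
    print(evaluate(engine, "rdsh-01", 1, "payroll-srv", 443))  # identity gone after logout
```

Running the block shows two sessions on the same source VM receiving different verdicts for the same destination, which is the behaviour the RDSH description above relies on; it also shows why the note about the Guest Introspection Agent matters, since a session the agent never reported falls through to the default drop rather than inheriting another user's access.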