IDFW enhances the traditional firewall by allowing firewall rules based on user identity. For example, administrators can allow or disallow customer support staff to access an HR database with a single firewall policy.

User-based distributed firewall rules are determined by membership in an Active Directory (AD) group. Identity Firewall requires a Thin Agent.

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods for a malicious local administrator to spoof their identity to bypass firewall rules. User identity information is provided by the Guest Introspection Agent inside guest VMs. Security administrators need to ensure that the NSX Guest Introspection Agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.
Note: For Identity Firewall rule enforcement, the Windows Time service should be on for all VMs using Active Directory. This ensures that the date and time are synchronized between Active Directory and the VMs. Additionally, AD group membership changes, including enabling and deleting users, do not immediately take effect for logged-in users. For changes to take effect, users must log out and then log back in. AD administrators should force a logout when group membership is modified. This behavior is a limitation of Active Directory.
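As an added example (not from the NSX documentation), the following PowerShell audit checks a Windows guest against both notes: that the introspection drivers are installed and running, that no non-administrator trustee holds rights to stop or reconfigure them, and that W32Time is running and synchronizing from a domain source. The driver names vsepflt, vnetflt and VMCI are assumptions.

```powershell
# Added example, not part of the NSX documentation: audits a Windows guest for the
# two IDFW preconditions in the notes above. Driver names below are assumptions.
$IntrospectionDrivers = @('vsepflt', 'vnetflt', 'VMCI')  # assumed: File Introspection, Network Introspection, VMCI

function Test-IntrospectionDriver {
    param([string]$Name)
    # Filter drivers are not Win32 services, so query Win32_SystemDriver rather than Get-Service
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) { return "${Name}: not installed (VMware Tools introspection components missing)" }
    if ($drv.State -ne 'Running') { return "${Name}: $($drv.State) (identity data will not reach NSX)" }
    return "${Name}: Running"
}

function Get-UnprivilegedServiceControl {
    param([string]$Name)
    # Rights that let a trustee stop (WP), reconfigure (DC), delete (SD) or re-ACL (WD, WO) the service
    $dangerous = @('WP', 'DC', 'SD', 'WD', 'WO')
    # Well-known SDDL aliases and SIDs for Interactive, Authenticated Users, built-in Users and Everyone
    $untrusted = @('IU', 'AU', 'BU', 'WD', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545', 'S-1-1-0')
    $sddl = (sc.exe sdshow $Name) -join ''
    foreach ($ace in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;([^)]+)\)')) {
        $rights = $ace.Groups[1].Value; $sid = $ace.Groups[2].Value
        if ($untrusted -notcontains $sid) { continue }
        # SDDL rights are two-letter tokens; tokenize so "SD" followed by "CC" is not misread as "DC"
        $tokens = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $hit = @($tokens | Where-Object { $dangerous -contains $_ })
        if ($hit.Count) { [pscustomobject]@{ Service = $Name; Trustee = $sid; Rights = ($hit -join ',') } }
    }
}

function Test-W32TimeHealthy {
    $svc = Get-Service -Name 'W32Time' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    # "Local CMOS Clock" / "Free-running System Clock" mean the guest is not syncing from the domain
    $source = (w32tm /query /source) -join ''
    return -not ($source -match 'Local CMOS Clock|Free-running System Clock')
}

foreach ($d in $IntrospectionDrivers) {
    Test-IntrospectionDriver -Name $d
    # Empty output here means only administrators and SYSTEM can stop or reconfigure the driver
    Get-UnprivilegedServiceControl -Name $d | Format-Table -AutoSize
}
if (Test-W32TimeHealthy) { 'W32Time: running and synchronized' }
else { Write-Warning 'W32Time stopped or not domain-synchronized; AD and guest clocks may drift and IDFW rules may not apply' }
```

Run it in an elevated session on each guest; any row from Get-UnprivilegedServiceControl identifies a trustee that a logged-in user could use to disable identity reporting.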

Prerequisites

Microsoft Active Directory Windows Server:
  • 2008
  • 2012
  • 2012R2
  • 2016
  • 2019

VMware Tools version 10.3 or later, with the NSX File Introspection driver, NSX Network Introspection driver, and VMCI driver installed.

Host operating system: ESXi only

Guest Operating systems:
  • Desktop enforcement: Windows 8, Windows 10
  • RDSH enforcement: Windows 2012R2, Windows 2016

Procedure

  1. Enable NSX File Introspection driver and NSX Network Introspection driver. VMware Tools full installation adds these by default.
  2. Enable IDFW on cluster or standalone host: Enable Identity Firewall.
  3. Configure Active Directory domain: Add an Active Directory.
  4. Configure Active Directory sync operations: Synchronize Active Directory.
  5. Create security groups (SG) with Active Directory group members: Add a Group.
  6. Assign SG with AD group members to a distributed firewall rule: Add a Distributed Firewall.