With Identity Firewall (IDFW) features an NSX administrator can create Active Directory user-based Distributed Firewall (DFW) rules.
IDFW can be used for Virtual Desktops (VDI) or Remote desktop sessions (RDSH support), enabling simultaneous log ins by multiple users, user application access based on requirements, and the ability to maintain independent user environments. VDI management systems control what users are granted access to the VDI virtual machines. NSX-T controls access to the destination servers from the source virtual machine (VM), which has IDFW enabled. With RDSH, administrators create security groups with different users in Active Directory (AD), and allow or deny those users access to an application server based on their role. For example, Human Resources and Engineering can connect to the same RDSH server, and have access to different applications from that server.
IDFW can also be used on VMs that have supported operating systems. See Identity Firewall Supported Configurations.
A high level overview of the IDFW configuration workflow begins with preparing the infrastructure. Preparation includes the administrator installing the host preparation components on each protected cluster, and setting up Active Directory synchronization so that NSX can consume AD users and groups. Next, IDFW must know which desktop an Active Directory user logs on to in to apply IDFW rules. When network events are generated by a user, the thin agent installed with VMware Tools on the VM gathers and forwards the information, and sends it to the context engine. This information is used to provide enforcement for the distributed firewall.
IDFW processes the user identity at the source only in distributed firewall rules. Identity-based groups cannot be used as the destination in DFW rules.
For supported IDFW configurations see Identity Firewall Supported Configurations.
- A user logs in to a VM and starts a network connection, by opening Skype or Outlook.
- A user login event is detected by the Thin Agent, which gathers connection information and identity information and sends it to the context engine.
- The context engine forwards the connection and the identity information to Distributed Firewall Wall for any applicable rule enforcement.