With Identity Firewall (IDFW) features an NSX administrator can create Active Directory user-based Distributed Firewall (DFW) rules.

IDFW can be used for Virtual Desktops (VDI) or Remote Desktop Session Hosts (RDSH support), enabling simultaneous logins by multiple users, user application access based on requirements, and the ability to maintain independent user environments. VDI management systems control which users are granted access to the VDI virtual machines. NSX-T controls access to the destination servers from the source virtual machine (VM), which has IDFW enabled. With RDSH, administrators create security groups with different users in Active Directory (AD), and allow or deny those users access to an application server based on their role. For example, Human Resources and Engineering can connect to the same RDSH server and have access to different applications from that server.

IDFW can also be used on VMs that have supported operating systems. See Identity Firewall Supported Configurations.

A high-level overview of the IDFW configuration workflow begins with preparing the infrastructure. Preparation includes the administrator installing the host preparation components on each protected cluster, and setting up Active Directory synchronization so that NSX can consume AD users and groups. Next, IDFW must determine which desktop an Active Directory user logs in to so that it can apply IDFW rules. When a user generates network events, the thin agent installed with VMware Tools on the VM gathers the connection and identity information and sends it to the context engine. This information is used to provide enforcement for the distributed firewall.

IDFW processes the user identity at the source only in distributed firewall rules. Identity-based groups cannot be used as the destination in DFW rules.

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods for a malicious local administrator to spoof their identity to bypass firewall rules. User identity information is provided by the NSX Guest Introspection Thin Agent inside guest VMs. Security administrators must ensure that the thin agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

For supported IDFW configurations see Identity Firewall Supported Configurations.

IDFW workflow:
  1. A user logs in to a VM and starts a network connection, for example by opening Skype or Outlook.
  2. The Thin Agent detects the user login event, gathers the connection information and identity information, and sends them to the context engine.
  3. The context engine forwards the connection and identity information to the Distributed Firewall for any applicable rule enforcement.
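The following Python model is an added illustration of the workflow above and is not NSX code: Thin Agent login events populate a context engine, a flow from a user on a shared RDSH host is matched against identity-based DFW rules at the source only, and a VM with no Thin Agent report yields no identity, so identity rules cannot match. The AD groups, user names, VM names and rules are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample of AD group membership as synchronized into NSX (not real data).
AD_GROUPS = {"hr-users": {"alice"}, "eng-users": {"bob"}}

@dataclass
class Rule:
    name: str
    source_group: str   # identity (AD group) or "any"; identity is evaluated at the source only
    dest: str           # destination server label
    port: int
    action: str         # "allow" or "deny"

def validate_rules(rules):
    """Reject rules that use an identity-based group as a DFW destination."""
    return [f"{r.name}: identity group '{r.dest}' cannot be a DFW destination"
            for r in rules if r.dest in AD_GROUPS]

@dataclass
class ContextEngine:
    """Users the Thin Agent has reported as logged in, per VM (RDSH: several users per VM)."""
    sessions: dict = field(default_factory=dict)

    def login(self, vm, user):
        self.sessions.setdefault(vm, set()).add(user)

    def logout(self, vm, user):
        self.sessions.get(vm, set()).discard(user)

    def groups_for(self, vm, user):
        # No Thin Agent report for this user on this VM: no identity, so no identity rule matches.
        if user not in self.sessions.get(vm, set()):
            return set()
        return {g for g, members in AD_GROUPS.items() if user in members}

def evaluate(rules, ctx, vm, user, dest, port, default="deny"):
    """First-match DFW evaluation of a flow the Thin Agent attributed to `user` on `vm`."""
    groups = ctx.groups_for(vm, user)
    for r in rules:
        if r.dest != dest or r.port != port:
            continue
        if r.source_group == "any" or r.source_group in groups:
            return r.action
    return default

# Constructed rules: HR and Engineering share one RDSH host but may reach different servers.
RULES = [Rule("hr-to-hrapp", "hr-users", "hr-app", 443, "allow"),
         Rule("eng-to-git", "eng-users", "git", 22, "allow")]
```

A flow from a user whose login the Thin Agent never reported falls through to the default action, which is the behaviour to expect on a VM where the agent is missing or stopped.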