Identity Firewall (IDFW) features let an NSX administrator create Active Directory user-based distributed firewall (DFW) rules.

IDFW can be used for Virtual Desktops (VDI), Remote Desktop sessions (RDSH support), and physical machines, enabling simultaneous logins by multiple users, user application access based on requirements, and the ability to maintain independent user environments. VDI management systems control which users are granted access to the VDI virtual machines. NSX-T Data Center controls access to the destination servers from the source virtual machine (VM), which has IDFW enabled. With RDSH, administrators create security groups with different users in Active Directory (AD), and allow or deny those users access to an application server based on their role. For example, Human Resources and Engineering can connect to the same RDSH server and have access to different applications on that server.

IDFW must know which desktop an Active Directory (AD) user logs onto in order to apply firewall rules. IDFW uses two methods for logon detection, which can be deployed separately or together: Guest Introspection (GI) and event log scraping. Guest Introspection is deployed on the ESXi clusters where IDFW virtual machines are running. When a user generates network events, a guest agent installed on the VM forwards the information through the Guest Introspection framework to the NSX Manager. The second option is the Active Directory event log scraper, which is what enables IDFW for physical devices. Configure the Active Directory event log scraper in the NSX Manager to point at an instance of your Active Directory domain controller; NSX Manager then pulls logon events from the AD security event log.

Event log scraping can also be used for virtual machines; however, when both the AD log scraper and Guest Introspection are in use, Guest Introspection takes precedence over event log scraping. Guest Introspection is enabled through VMware Tools, so if you are using the complete VMware Tools installation together with IDFW, Guest Introspection is the source that takes precedence.

IDFW can also be used on VMs that have supported operating systems. See Identity Firewall Supported Configurations.

IDFW processes the user identity at the source only in firewall rules. Identity-based groups cannot be used as the destination in firewall rules.
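The two logon-detection sources, the GI-over-scraper precedence described above, and the source-only restriction on identity groups can be seen together in this added example. It is a constructed model written for this page, not NSX-T code: the VM names, IP-to-VM map, AD group memberships and the log lines (in the shape of Windows security event 4624 logons) are all made up.

```python
import re

# Constructed: logons reported by the Guest Introspection thin agent, keyed by VM.
GI_LOGONS = {"vdi-01": "CORP\\alice"}

# Constructed: lines in the shape of AD security-log events. 4624 = logon; 4634 = logoff.
# The first line is a stale logon for vdi-01 that GI will override.
AD_LOG = """\
4624 Account Name: bob    Account Domain: CORP  Source Network Address: 10.0.1.11
4624 Account Name: bob    Account Domain: CORP  Source Network Address: 10.0.1.12
4634 Account Name: carol  Account Domain: CORP  Source Network Address: 10.0.1.13
"""
IP_TO_VM = {"10.0.1.11": "vdi-01", "10.0.1.12": "vdi-02", "10.0.1.13": "vdi-03"}  # constructed
AD_GROUPS = {"CORP\\alice": {"HR"}, "CORP\\bob": {"Engineering"}}  # constructed memberships

LOGON_RE = re.compile(
    r"^4624 Account Name: (\S+)\s+Account Domain: (\S+)\s+Source Network Address: (\S+)"
)

def scrape_event_log(log: str) -> dict:
    """Event-log scraper: map VM -> DOMAIN\\user from 4624 logon events only."""
    mapping = {}
    for line in log.splitlines():
        m = LOGON_RE.match(line)
        if m and m.group(3) in IP_TO_VM:
            mapping[IP_TO_VM[m.group(3)]] = f"{m.group(2)}\\{m.group(1)}"
    return mapping

def resolve_logons(gi: dict, scraped: dict) -> dict:
    """Merge both sources; GI wins wherever both report the same VM."""
    return {**scraped, **gi}

def identity_group_misused(rule: dict) -> bool:
    """IDFW evaluates identity only at the source; an AD group as destination is invalid."""
    return rule["destination"].startswith("adgroup:")

def rule_matches(rule: dict, src_vm: str, logons: dict) -> bool:
    """True if the user currently logged on to src_vm is in the rule's source AD group."""
    if identity_group_misused(rule):
        return False
    user = logons.get(src_vm)
    group = rule["source"].split(":", 1)[1]
    return user is not None and group in AD_GROUPS.get(user, set())
```

A VM with no detected logon (vdi-03 above) matches no identity rule, which is why the note below on keeping the thin agent running matters.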

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods by which a malicious local administrator can spoof their identity to bypass firewall rules. User identity information is provided by the NSX Guest Introspection Thin Agent inside guest VMs. Security administrators must ensure that the thin agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

For supported IDFW configurations see Identity Firewall Supported Configurations.

Note that IDFW rules are not supported on Global Managers in a Federation environment. IDFW can still be used locally in Federated sites by creating IDFW rules on Local Managers.