Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.

Note: Do not enable Distributed Intrusion Detection Service (IDS) in an environment that is using Distributed Load Balancer. NSX-T Data Center does not support using IDS with a Distributed Load Balancer.

You can register an entire AD (Active Directory) domain to be used by IDFW (Identity Firewall), or you can synchronize a subset of a large domain. Once a domain is registered, NSX synchronizes all AD data required by IDFW. Selective sync is used for large active directory domains, where you only want to sync Configuration maximums still apply selective sync.

Selective sync allows you to selectively choose organizational units so that you do not have to sync the entire domain. Only the selected organization units which are created and changed since the last delta sync will be updated during a selective sync. Groups that are moved out of the selected organization units are not updated during a selective sync. Deleted groups are removed in a full sync, when all groups are updated. To specify organization units for synchronization, see Configuring Active Directory and Event Log Scraping.

If you use the API to manually end a full sync after it is has begun, the sync stats will not be updated correctly.

Scale limits for Active Directory and IDFW can be found on the VMware Configuration Maximums page.

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods for a malicious local administrator to spoof their identity to bypass firewall rules. User identity information is provided by the Guest Introspection Agent inside guest VMs. Security administrators must ensure that NSX Guest Introspection Agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Navigate to System > Identity Firewall AD.
  3. Click the three button menu () next to the Active Directory that you want to synchronize, and select one of the following:
    Groups that are moved out of the selected OrgUnits are not updated during a selective sync. Deleted groups are removed in a full sync, when all groups are updated.
    Option Description
    Sync all organization units and domains Full sync of all organization units is performed.
    Select organization units to sync Individually select organization units. If the parent is selected, the child units inside of the parent are automatically selected. You can also select all of the organization units by selecting the top Organization Units box, and then unselect the specific units you do not want to include in the sync. Only the selected organization units which are created and changed since the last delta sync will be updated during a selective sync.
  4. Click Save.
  5. Click View Sync Status to see the current state of the Active Directory, the previous synchronization state, the synchronization status, and the last synchronization time.