Identity Firewall features allows an NSX administrator to create Active Directory user-based DFW rules.

A high level overview of the IDFW configuration workflow begins with preparing the infrastructure. This includes the administrator installing the host preparation components on each protected cluster, and setting up Active Directory synchronization so that NSX can consume AD users and groups. Next, IDFW must know which desktop an Active Directory user logs onto in order to apply DFW rules. There are two methods IDFW uses for logon detection: Guest Introspection and/or the Active Directory Event Log Scraper. Guest Introspection is deployed on ESXi clusters where IDFW virtual machines are running. When network events are generated by a user, a guest agent installed on the VM forwards the information through the Guest Introspection framework to the NSX Manager. The second option is the Active Directory event log scraper. Configure the Active Directory event log scraper in the NSX Manager to point at an instance of your Active Directory domain controller. NSX Manager will then pull events from the AD security event log. You can use both in your environment, or one or the other. Note that if both the AD event log scraper and Guest Introspection are used, the two are mutually exclusive: if one of these stops working, the other does not begin to work as a back up.

Once the infrastructure is prepared, the administrator creates NSX Security Groups and adds the newly available AD Groups (referred to as Directory Groups). The administrator can then create Security Policies with associated firewall rules and apply those policies to the newly created Security Groups. Now, when a user logs into a desktop, the system will detect that event along with the IP address which is being used, look up the firewall policy that is associated with that user, and push those rules down. This works for both physical and virtual desktops. For physical desktops AD event log scraper is also required to detect that a user is logged into a physical desktop.

OS Supported With IDFW

AD Supported Servers

  • Windows 2012

  • Windows 2008

  • Windows 2008 R2

Guest OS Supported

  • Windows 2012

  • Windows 2008

  • Windows 2008 R2

  • Windows 10

  • Windows 8 32/64

  • Windows 7 32/64