You can view the traffic passing between defined containers such as AD groups, security groups and/or desktop pools. This can help you identify and configure access to shared services and resolve misconfigured relationships between Inventory container definitions, desktop pools and AD groups.

About this task

Figure 1. Interaction between containers

You can either do a quick query using the default search criteria by clicking Search, or tailor the query according to your requirements.

Prerequisites

  • Guest Introspection must be installed in your environment.

  • A domain must be registered with NSX Manager. For information on domain registration, see Register a Windows Domain with NSX Manager.

  • Data collection must be enabled on one or more virtual machines.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security and then Activity Monitoring.
  3. Select the Inter Container Interaction tab in the left pane.
  4. Click the link next to Originating from.

    All groups discovered through guest introspection are displayed.

  5. Select the type of user group that you want to view resource utilization for.
  6. In Filter, select one or more groups and click OK.
  7. In Where the destination is, select is or is not to indicate whether the selected group should be included in or excluded from the search.
  8. Click the link next to Where the destination is.
  9. Select the group type.
  10. In Filter, select one or more groups and click OK.
  11. Click the During period icon and select the time period for the search.
  12. Click Search.

Results

Search results filtered by the specified criterion are displayed. Click in a row to view information about the users that accessed the specified containers.

You can export a specific record or all records on this page and save them to a directory in .csv format by clicking the export icon on the bottom right side of the page.

Interaction between Inventory Containers Query

  • Verify allowed communication

    If you have defined containers in your vCenter inventory and then added a rule to allow communication between these containers, you can verify that the rule is working by running this query with the two containers specified in the Originating from and Where the destination is fields.

  • Verify denied communication

    If you have defined containers in your vCenter inventory and then added a rule to deny communication between these containers, you can verify that the rule is working by running this query with the two containers specified in the Originating from and Where the destination is fields.

  • Verify denied intra-container communication

    If you have implemented a policy that does not allow members of a container to communicate with other members of the same container, you can run this query to verify that the policy works. Select the container in both Originating from and Where the destination is fields.

  • Eliminate unnecessary access

    Suppose you have defined containers in your vCenter inventory and then added a rule to allow communication between these containers. There may be members in either container that do not interact with the other container at all. You may then choose to remove these members from the appropriate container to optimize security control. To retrieve such a list, select the appropriate containers in both Originating from and Where the destination is fields. Select is not next to the Where the destination is field.