Identity Firewall (IDFW) allows user-based distributed firewall (DFW) rules.
About this task
User-based distributed firewall rules are determined by Active Directory (AD) group membership. IDFW monitors where Active Directory users log in and maps each login to an IP address, which DFW then uses to apply the firewall rules. Identity Firewall requires either the Guest Introspection framework or Active Directory event log scraping to detect those logins.
- Configure Active Directory Sync in NSX, see Synchronize a Windows Domain with Active Directory. This is required to use Active Directory groups in Service Composer.
- Prepare the ESXi cluster for DFW. See Prepare the Host Cluster for NSX in the NSX Installation Guide.
- Configure Identity Firewall logon detection options. One or both of these options must be configured:
  - Active Directory event log scraping: configure Active Directory event log access. See Register a Windows Domain with NSX Manager.
  - Guest Introspection: the Windows guest OS must have the guest agent installed, which comes with a complete installation of VMware Tools. Deploy the Guest Introspection service to the protected clusters. See Install Guest Introspection on Host Clusters. For troubleshooting Guest Introspection, see Collecting Guest Introspection Troubleshooting Data.
  If you have a multi-domain AD architecture and the log scraper isn't reachable because of security constraints, use Guest Introspection to generate login and logout events.
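The following PowerShell script is an added readiness check for the two logon-detection options above; it is illustrative and not part of the NSX documentation or product. It assumes, beyond what the page states, that the log scraper consumes successful-logon events (Windows event ID 4624) from each domain controller's Security log, that the Guest Introspection thin agent is present when the VMware Tools system drivers vsepflt and vnetflt are running, and that the domain controller names and credential prompt are placeholders you replace with your own.

```powershell
# Added readiness check for the two IDFW logon-detection options; this is an
# illustrative script, not part of the NSX documentation or product.
# Assumptions (not stated on the page): the log scraper reads successful-logon
# events (event ID 4624) from each domain controller's Security log, and the
# Guest Introspection thin agent is present when the VMware Tools system drivers
# vsepflt (file introspection) and vnetflt (network introspection) are running.
# Host names and the credential prompt are placeholders.

param(
    [string[]] $DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),
    [pscredential] $ScraperCredential = (Get-Credential -Message 'Account registered with NSX Manager for event log access')
)

# Option 1: AD event log scraping. Pull recent 4624 events from a DC using the
# scraping account. A failure here usually means the account is not a member of
# the DC's Event Log Readers group or the Remote Event Log Management firewall
# rules are disabled on the DC.
function Test-LogScrapeAccess {
    param([string] $Dc, [pscredential] $Cred)
    try {
        $events = Get-WinEvent -ComputerName $Dc -Credential $Cred -MaxEvents 50 `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop

        # In a 4624 event, Properties[5]/[6] are the target user and domain,
        # Properties[8] is LogonType and Properties[18] is the source IpAddress.
        # Only interactive (2) and remote interactive (10) logons tie a user to a
        # workstation address; network (3) logons from service accounts do not
        # give IDFW a usable user-to-IP mapping and are skipped.
        $mapped = foreach ($e in $events) {
            $type = [int]$e.Properties[8].Value
            $ip   = $e.Properties[18].Value
            if (($type -in 2, 10) -and $ip -and ($ip -ne '-')) {
                '{0}\{1} -> {2}' -f $e.Properties[6].Value, $e.Properties[5].Value, $ip
            }
        }
        [pscustomobject]@{
            DC              = $Dc
            Readable        = $true
            UserToIpSamples = @($mapped | Select-Object -Unique)
            Error           = $null
        }
    } catch {
        [pscustomobject]@{ DC = $Dc; Readable = $false; UserToIpSamples = @(); Error = $_.Exception.Message }
    }
}

# Option 2: Guest Introspection. Run on a protected Windows VM to confirm the
# thin-agent drivers installed by a complete VMware Tools installation are running.
function Test-GuestAgent {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='vsepflt' OR Name='vnetflt'"
    $running = @($drivers | Where-Object State -eq 'Running')
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ToolsInstalled = Test-Path 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        Drivers        = (($drivers | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', ')
        Ready          = ($running.Count -eq 2)
    }
}

# Run both checks; at least one option must come back ready before IDFW rules
# can be expected to match any traffic.
$scrape = foreach ($dc in $DomainControllers) { Test-LogScrapeAccess -Dc $dc -Cred $ScraperCredential }
$scrape | Format-Table DC, Readable, @{ n = 'UserToIpSamples'; e = { $_.UserToIpSamples.Count } }, Error -AutoSize
Test-GuestAgent | Format-List
```

Run the scraping check from a management host as the same account you register with NSX Manager, so that a permission problem surfaces here rather than as silently empty user-to-IP mappings later; run the guest-agent check inside a VM on a cluster where you deployed Guest Introspection. A DC that is readable but returns no interactive samples indicates that logon auditing is not producing 4624 events for workstation logons, which the scraper cannot work around.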