Procedure

  1. Make sure that the Active Directory server full/delta sync is working on the NSX Manager.
    1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
    2. Navigate to Home > Networking & Security > NSX Managers, and then select your NSX Manager from the list.
    3. Choose the Manage tab, then the Domains tab. Select your domain from the list. Verify that the Last Synchronization Status column displays SUCCESS and the Last Synchronization Time is current.
  2. If your firewall environment uses the event log scraping method of login detection, follow these steps to verify that you have configured an event log server for your domain:
    1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
    2. Navigate to Home > Networking & Security > NSX Managers, and then select your NSX Manager from the list.
    3. Choose the Manage tab and then the Domains tab. Select your domain from the list. Here you can view and edit the detailed domain configuration.
    4. Select Event Log Servers from the domain details and verify that your Event Log Server is added.
    5. Select your Event Log Server, and verify that the Last Sync Status column displays SUCCESS and the Last Sync Time is current.
  3. If your firewall environment uses Guest Introspection, the framework must be deployed to the compute clusters where your IDFW-protected VMs will reside. The Service Health Status in the UI should be green. Guest Introspection diagnostic information is found in the following Knowledge Base articles: Troubleshooting vShield Endpoint / NSX Guest Introspection https://kb.vmware.com/kb/2094261 and Collecting logs in VMware NSX for vSphere 6.x Guest Introspection Universal Service Virtual Machine https://kb.vmware.com/kb/2144624.
  4. After verifying the correct configuration of your logon detection method, ensure that the NSX Manager is receiving logon events:
    1. Log in an Active Directory user.
    2. Query for login events with GET https://<nsxmgr-ip>/1.0/identity/userIpMapping and verify that your user is returned in the results.
      Example output:
      <UserIpMappings>
          <UserIpMapping>
              <ip>50.1.111.192</ip>
              <userName>user1_group20</userName>
              <displayName>user1_group20</displayName>
              <domainName>cd.ad1.db.com</domainName>
              <startTime class="sql-timestamp">2017-05-11 22:30:51.0</startTime>
              <startType>EVENTLOG</startType>
              <lastSeenTime class="sql-timestamp">2017-05-11 22:30:52.0</lastSeenTime>
              <lastSeenType>EVENTLOG</lastSeenType>
          </UserIpMapping>
      </UserIpMappings>
  5. Verify that your security group is used in a firewall rule, or has an assigned security policy. Security group processing in IDFW will not take place unless one of these conditions is true.
  6. After verifying that IDFW is detecting logons correctly, verify that the ESXi host where your desktop VM resides is receiving the correct configuration. These steps will use the NSX Manager central CLI. To check the desktop VM IP address populated in the ip-securitygroup list:
    1. See GUID-51A3BC3F-2C7C-4387-BE55-5BE131EED9B0.html#GUID-51A3BC3F-2C7C-4387-BE55-5BE131EED9B0 to retrieve the filter name applied on the desktop VM.
    2. Run the show dfw host hostID filter filterID rules command to view the DFW rules applied to that filter.
    3. Run the show dfw host hostID filter filterID addrsets command to view the IP address populated in the ip-securitygroup list. Verify that your IP is displayed in the list.
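The check in step 4 (query the identity/userIpMapping API and confirm that the logged-on user is returned, with a recent lastSeenTime) can be scripted. The following is an added example and not code from the VMware documentation; it embeds the example response from step 4 as constructed sample input so that the parsing and freshness checks run offline. The fetch helper assumes the API is read over HTTPS with HTTP basic authentication, and the host name, credentials, CA bundle and 15-minute freshness window are placeholders, not values from the page.

```python
"""Added example (not from the VMware documentation): verify that a logged-on
Active Directory user appears in the NSX Manager identity/userIpMapping
response and that the mapping was seen recently.

Assumptions (not from the page): the API is read over HTTPS with HTTP basic
authentication; host, credentials, CA bundle and freshness window are placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Response body shown in the procedure (step 4, example output), embedded here
# as constructed sample input so the checks below run without an NSX Manager.
SAMPLE_RESPONSE = """<UserIpMappings>
    <UserIpMapping>
        <ip>50.1.111.192</ip>
        <userName>user1_group20</userName>
        <displayName>user1_group20</displayName>
        <domainName>cd.ad1.db.com</domainName>
        <startTime class="sql-timestamp">2017-05-11 22:30:51.0</startTime>
        <startType>EVENTLOG</startType>
        <lastSeenTime class="sql-timestamp">2017-05-11 22:30:52.0</lastSeenTime>
        <lastSeenType>EVENTLOG</lastSeenType>
    </UserIpMapping>
</UserIpMappings>"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # matches the sql-timestamp values above


def fetch_user_ip_mappings(nsxmgr_host, username, password, ca_bundle=None):
    """GET https://<nsxmgr-ip>/1.0/identity/userIpMapping and return the XML body.
    Not exercised offline; basic auth and the ca_bundle parameter are assumptions."""
    url = f"https://{nsxmgr_host}/1.0/identity/userIpMapping"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    context = ssl.create_default_context(cafile=ca_bundle)  # TLS verification stays on
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.read().decode("utf-8")


def parse_user_ip_mappings(xml_text):
    """Turn a <UserIpMappings> document into a list of dicts, one per mapping."""
    root = ET.fromstring(xml_text)
    fields = ("ip", "userName", "displayName", "domainName",
              "startTime", "startType", "lastSeenTime", "lastSeenType")
    return [{f: (node.findtext(f) or "").strip() for f in fields}
            for node in root.findall("UserIpMapping")]


def mappings_for_user(xml_text, user_name):
    """All mappings for one user (case-insensitive, as AD sAMAccountNames are)."""
    return [m for m in parse_user_ip_mappings(xml_text)
            if m["userName"].lower() == user_name.lower()]


def user_mapping_is_current(mapping, now, max_age=timedelta(minutes=15)):
    """True when lastSeenTime lies within max_age before `now`; `now` may be a
    datetime or a timestamp string in the same sql-timestamp format.
    A mapping with a lastSeenTime in the future is treated as not current."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIMESTAMP_FORMAT)
    last_seen = datetime.strptime(mapping["lastSeenTime"], TIMESTAMP_FORMAT)
    age = now - last_seen
    return timedelta(0) <= age <= max_age


if __name__ == "__main__":
    # Offline run over the sample: a reference time a few minutes after the logon.
    reference = "2017-05-11 22:35:00.0"
    for m in mappings_for_user(SAMPLE_RESPONSE, "user1_group20"):
        state = "current" if user_mapping_is_current(m, reference) else "stale"
        print(m["userName"], m["ip"], m["domainName"], m["startType"], state)
```

Against a live manager, replace SAMPLE_RESPONSE with the body returned by fetch_user_ip_mappings and pass the manager's current time as `now`; an empty result for the user means the logon was never detected (check the event log server or Guest Introspection status from the earlier steps), while a stale lastSeenTime points at detection that has stopped updating.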

Results

Note: When troubleshooting Identity Firewall (IDFW) with VMware Technical Support, this data is helpful:

  • If using event log scraping, Active Directory scale data:

    • # of Domains for a single NSX Manager

    • # of Forests

    • # of Users / Forest

    • # of Users / Domain

    • # of Active Directory groups per Domain

    • # of Users / Active Directory Group

    • # of Active Directory / User

    • # of Domain Controllers

    • # of Active Directory Log Servers

  • User login scale data:

    • Average # of users per min

  • Deployment details using IDFW with VDI:

    • # of VDI desktops / VC

    • # of hosts / VC

    • # of VDI desktops / host

  • If using Guest Introspection:

    • Version of VMware Tools (Guest Introspection drivers)

    • Version of the Windows guest OS