VMware Networking Community
NicoVMCH
Contributor

Identity Based Rules (AD) in NSX Firewall

Dear Community,


I have a simple question about identity-based rules (AD) in NSX Firewall:

I suppose that identity-based rules work with vmtools to identify which user is logged on to a VM (maybe that's wrong, I don't know). Then my question is:

Does it work with a session between a client physical PC and a server VM?

Example case:

The user "domain\john" works from his laptop and wants to connect with ssh to a server VM. Can we create this rule:

Source : domain\john

Destination : VMLinux

Protocol : ssh

Action : allow

?

Thanks !

Nicolas

5 Replies
larsonm
VMware Employee

I tested this feature with older versions of the software, with SSH and other protocols using deny rules. I had to actually connect and log in before the NSX policy engine was able to identify the user account connecting and block access. This feature may function more efficiently in newer versions.

NicoVMCH
Contributor

Thank you larsonm!

Your reply is interesting, but it doesn't answer the question...

Nicolas

jacobsmith14
Contributor

I don't believe you can make the rule on the user; it has to be on the AD group. Other than that, the rule will work. You need to have the domain registered within NSX and make sure you have the Guest Introspection VM installed on the cluster.

-Jake

i1wan
Enthusiast

Hi,

When your VM is in the "virtual NSX" environment and you are trying to "allow" or "block" (certain) traffic from that VM, this is a good use case where this is possible with the use of AD Security Groups.

Please read this guide and test it out like that.

Having a physical PC and wanting to enforce NSX security policy rules on that would not be a valid use case, I believe...

tanurkov
Enthusiast

Hi all,

No, it is not possible to do it.

AD membership is within the VM; NSX needs to detect events, and it can be done via GI or Log Scraper. Since a physical machine has no GI or log scraper related to the virtual environment, there is no way to detect it.

NSX is designed only for virtual environments; however, there are some use cases for physical ones too.

Regards, Dmitri
