Hi,

In your screenshot I do not see your "deny" rule.

What I would try is to create a specific "deny" rule with the corresponding AD security group and user account part of that group, and create a specific "allow" rule with the corresponding AD security group and account part of that group.

You can set up identity based firewalling up in three ways I believe, and I only tested one of them.

- create an ALLOW and DENY AD security group with both corresponding users and create rules in the NSX Edge firewall with having BOTH items in the source

- create an DENY security group with both corresponding user and create rules in the NSX Edge firewall where you have an explicit "ALLOW" at the end

- create an ALLOW security group with both corresponding user and create rules in the NSX Edge firewall where you have an explicit "DENY" at the end

In order to test it out I used this guide with success.

Rule #2 or rule ID 1056 is a deny rule which doesn't seem to matter as when I test ssh to other servers while logged in as the AD group specified  it allows me to make connections. Thank you for that link. That was actually the one I used to get the Sales AD group create in my DFW.

NSX will dynamically add the computer to Sales-Dept group when a user from the sales department user logs into one of the virtual desktops.  Group 1- Tenant 1 is an AD group account.  A user from Group 1 - Tenant 1 is logged into 3 computers, which are not effective members of the group and thus the rule.

With a sales department user logged in,  click on the Sales-Dept object in the ruleset to see if the computer to which the sales department user is logged into shows up on the list.

Excellent I will take a look at that.