VMware Networking Community
SrVMwarer
Hot Shot
Hot Shot
‎06-25-2020 05:54 PM

Blocking users to access Mgmt Network

Hi gurus,

May this question seem very basic I will re-ask based on the replies!

If I am planning to block non-Admin users from going to my vCenter web GUI let say these users are connected via Distributed Port group should I use the DFW

Source any dest: Cluster and choose Mgmt cluster and then action is block for HTTP/HTTPS or even any service doesn't matter and it would be effective ?

Because I did that in my lab and I still able to connect to my mgmt network, I think I am missing something

Thanks in Advance for your help

Regards, İlyas
1 Reply
NicolasAlauzet
Expert
Expert
‎06-26-2020 04:42 AM

Hey,

ANY > Cluster MGMT > Service > Deny. As you said should work.

Q1: Is your MGMT cluster prepared for NSX? You need to have the DFW module to work.

Q2: Check your exceptions tab, if your vcenter is in there, the firewall rule wont apply.

Is this like production cluster or is your lab and you want to hide it for peoplo looking at your infra? If is the second option you can use indentity firewall also to only allow your user to access it.

-------------------------------------------------------------------
Triple VCIX (CMA-NV-DCV) | vExpert | MCSE | CCNA