I have a simple question about identity-based rules (AD) in NSX Firewall:
I suppose that identity-based rules work with VMware Tools to identify which user is logged on a VM (maybe it's wrong, I don't know). Then my question is:
Does it work with a session between a client physical PC and a server VM?
Example case:
The user "domain\john" works from his laptop and wants to connect with SSH to a server VM. Can we create this rule:
Source: domain\john
Destination: VMLinux
Protocol: ssh
Action: allow
I tested this feature with older versions of the software, with SSH and other protocols using deny rules. I had to actually connect and login before the NSX policy engine was able to identify the user account connecting and block access. This feature may function more efficiently in newer versions.
I don't believe you can make the rule on the user, it has to be on the AD group. Other than that, the rule will work. You need to have the domain registered within NSX and make sure you have the guest introspection VM installed on the cluster.
When your VM is in the "virtual NSX" environment and you are trying to "allow" or "block" (certain) traffic from that VM, this is a good use case where this is possible with the use of AD Security Groups.
Please read this guide and test it out like that.
Having a physical PC and wanting to enforce NSX security policy rules on that would not be a valid use case, I believe...
No, it is not possible to do it.
AD membership is within the VM; NSX needs to detect events, and it can be done via GI or Log Scraper. Since on a physical machine there is no GI and/or log scraper related to the virtual environment, there is no way to detect it.
NSX is designed only for virtual environments; however, there are also some use cases for physical ones.
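The answers above hinge on one point: an identity rule is written on an AD group, and the firewall can only attach a user to a flow if a login event for that endpoint was reported from inside a VM (Guest Introspection or log scraping). The toy model below is an added illustration, not code from the thread or from VMware; the group name, IPs and login events are constructed, and `AD_GROUPS`, `Rule`, `LoginEvent` and `evaluate` are hypothetical names used only for this example.

```python
# Toy model of identity-based firewall evaluation (added example, not NSX code).
# A rule's source is an AD group; identity comes only from login events that an
# in-guest agent (GI) or log scraper reported. A physical laptop reports nothing,
# so its traffic carries no user identity and falls through to the default action.
from dataclasses import dataclass

# Constructed AD group membership; the rule source is the group, not the user.
AD_GROUPS = {"domain\\linux-admins": {"domain\\john", "domain\\alice"}}


@dataclass
class Rule:
    source_group: str   # AD group, e.g. "domain\\linux-admins"
    destination: str    # VM name
    port: int           # TCP port (22 for SSH)
    action: str         # "allow" or "deny"


@dataclass
class LoginEvent:
    user: str
    endpoint_ip: str
    reporter: str       # "guest-introspection" or "log-scraper"


def build_identity_map(events):
    """Map endpoint IP -> logged-on user from events reported to the engine."""
    return {e.endpoint_ip: e.user for e in events}


def evaluate(rule, identity_map, src_ip, dst_name, dst_port, default="deny"):
    """Return the rule action if the flow matches on identity, else the default."""
    user = identity_map.get(src_ip)
    if user is None:
        return default  # no login event for this source: identity unknown
    if user not in AD_GROUPS.get(rule.source_group, set()):
        return default  # user known but not in the rule's AD group
    if dst_name != rule.destination or dst_port != rule.port:
        return default
    return rule.action


def demo():
    """Same user, same destination: only the VM with an agent gets attributed."""
    rule = Rule("domain\\linux-admins", "VMLinux", 22, "allow")
    # Constructed: john's login was seen on a VM at 10.0.1.20; his physical
    # laptop at 192.168.5.7 has no GI agent and no scraped log, so no event.
    events = [LoginEvent("domain\\john", "10.0.1.20", "guest-introspection")]
    ids = build_identity_map(events)
    return {
        "ssh_from_vm": evaluate(rule, ids, "10.0.1.20", "VMLinux", 22),
        "ssh_from_laptop": evaluate(rule, ids, "192.168.5.7", "VMLinux", 22),
    }
```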