Perttu
Enthusiast

Hi,

When the connection destination is also an NSX managed VM then the DFW applies in two places:

First, it applies to the egress traffic leaving a client, and here the IDFW memberships can be taken into account because the VMtools Network Introspection driver feeds the DFW with the relevant information about the user identifier (SID) owning the sending network socket.

Secondly, it applies to the ingress traffic arriving at the server, and here the IDFW doesn't apply, at least not with the network introspection technique. The connection itself doesn't carry any identity bits. However, when using the AD DS Security Log Scraping method it could apply here as well.

So the issue you're seeing here is the DFW dropping traffic at the ingress to the server. The best way to avoid this kind of trouble is to scope the rules so that you treat egress rules for VDI VMs and ingress rules for servers listening for connections differently.

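The two-point enforcement described in the post, as an added toy model (not NSX code, and not from the poster): the DFW is evaluated once at the client's egress vNIC, where the SID is known, and again at the server's ingress vNIC, where it is not. VM names, the SID and the rule sets are constructed for the illustration; the split rule set is the scoping the post recommends.

```python
# Constructed toy model of where NSX DFW enforces a flow (added example, not NSX code).
# Assumption: the user SID behind a socket is known only at the sending VM's vNIC.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int
    user_sid: Optional[str] = None  # fed by Network Introspection on the client only

@dataclass
class Rule:
    applied_to: frozenset                  # VMs whose vNIC enforces this rule
    direction: str                         # "in", "out" or "inout"
    src_users: Optional[frozenset] = None  # IDFW source: user SIDs
    src_vms: Optional[frozenset] = None    # plain source: VM names
    dst_vms: Optional[frozenset] = None
    dst_port: Optional[int] = None
    action: str = "ALLOW"

    def matches(self, flow, identity_known):
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.dst_vms is not None and flow.dst_vm not in self.dst_vms:
            return False
        if self.src_vms is not None and flow.src_vm not in self.src_vms:
            return False
        if self.src_users is not None:  # no identity bits travel in the packet itself
            return identity_known and flow.user_sid in self.src_users
        return True

def enforce(rules, flow, vm, direction):
    identity_known = direction == "out"  # introspection feeds the egress side only
    for r in rules:
        if vm in r.applied_to and r.direction in (direction, "inout") and r.matches(flow, identity_known):
            return r.action
    return "DROP"  # default deny

def end_to_end(rules, flow):
    # DFW is hit twice: at the client's egress and again at the server's ingress.
    if enforce(rules, flow, flow.src_vm, "out") != "ALLOW":
        return "DROP@egress"
    return "ALLOW" if enforce(rules, flow, flow.dst_vm, "in") == "ALLOW" else "DROP@ingress"

VDI, SRV, SID = "vdi-01", "app-srv", "S-1-5-21-EXAMPLE-1001"  # constructed names
WEB = Flow(VDI, SRV, 443, user_sid=SID)
# One identity rule applied on both sides passes at egress but is dropped at the server's ingress.
SINGLE_RULE = [Rule(frozenset({VDI, SRV}), "inout", src_users=frozenset({SID}), dst_vms=frozenset({SRV}), dst_port=443)]
# Split design: identity rule on VDI egress, plain VM-based rule on server ingress.
SPLIT_RULES = [Rule(frozenset({VDI}), "out", src_users=frozenset({SID}), dst_vms=frozenset({SRV}), dst_port=443),
               Rule(frozenset({SRV}), "in", src_vms=frozenset({VDI}), dst_port=443)]
```

`end_to_end(SINGLE_RULE, WEB)` returns `DROP@ingress`, reproducing the symptom in the thread, while `end_to_end(SPLIT_RULES, WEB)` returns `ALLOW`.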