LukaszDziwisz
Hot Shot
NSX-T 3.2 Active Directory based Groups

Hello All,

I'm hoping to see if anybody might have any insight into the problem that we are seeing with Active Directory based groups and rules not applying properly.

Here is the scenario:

I have created 2 persistent virtual machines, GUAT1 and GUAT2, and created a group for them called GUAT_persistent, selecting the 2 virtual machines.

Then I have created one Active Directory based group called Test Group, added my account to it, and logged in to one of the VMs above.

Here are the rules I have configured:

[Screenshot attachment: LukaszDziwisz_1-1666115978546.png]

So, after doing that I'm signed in to the GUAT1 persistent VM and tried pinging GUAT2 (member of GUAT_Persistent) and it fails. But it does work when pinging the Test Server object, which is an external server that lives in another vCenter not managed by this NSX Manager. Test Server is a group that consists of the IP of that destination server.

Then I have changed the Service from ICMP to RDP and got the same result. For the GUAT_Persistent group, I have tried defining it by IPs only, OS name, virtual machine name and simply selecting VMs, but the result is the same each time.

So to me it appears that the identity based rules are not getting applied properly when we deal with VMs that live within the same Compute Manager managed by that NSX Manager, but they do apply properly when the destination is an object that doesn't belong to that vCenter.

Also, what I'm seeing is that if I click on members of the Test Group it always only shows one object, even though there are more users logged in that belong to the same AD group and their VMs should be showing up here. At least they did back in NSX-V.

[Screenshot attachment: LukaszDziwisz_2-1666116173073.png]

[Screenshot attachment: LukaszDziwisz_3-1666116269459.png]

I have 4 different standalone vCenters, 2 in production and 2 in UAT, for my Horizon Pods with instant clones and some persistent VMs, and it appears to be happening on all 4 of them. The production ones were migrations from NSX-V to NSX-T using the Migration Coordinator, whereas the UAT ones were brand new implementations on NSX-T. There are no overlays, Edges or Tiers configured, as it is just for microsegmentation.

I have updated them from 3.2.0.1 to 3.2.1.2 (newest), seeing a lot of fixes for the Identity portion and hoping it would be resolved, but to no avail. I do have a support ticket opened and am working with an engineer on it, but wanted to see if somebody here might have seen anything like it?
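One concrete check for the symptom described above (the AD group's member list showing only one VM while the VM group holds two) is to compare what NSX-T has actually realized for the identity group against the VM group the rule is meant to cover. The script below is an added example, not code from the original post or from VMware; it assumes the NSX-T 3.x Policy API "members" endpoints under `/policy/api/v1/infra/domains/<domain>/groups/<group>/members/virtual-machines` and `.../members/ip-addresses` (verify the paths against your version's API reference), and the manager address, credentials, group IDs and the sample payloads are all placeholders or constructed data.

```python
# Added example (not from the original post): compare the realized members of an
# NSX-T identity (AD) group with the VM group a DFW rule uses as its destination.
# Assumed Policy API endpoints (check against your NSX-T version):
#   GET /policy/api/v1/infra/domains/<domain>/groups/<group>/members/virtual-machines
#   GET /policy/api/v1/infra/domains/<domain>/groups/<group>/members/ip-addresses
# The DFW matches on realized IPs, so a VM/IP missing from the identity group's
# realization cannot be matched by a rule that uses that group as its source.
import base64
import json
import ssl
import urllib.request

MEMBERS_PATH = "/policy/api/v1/infra/domains/{domain}/groups/{group}/members/{kind}"


def members_url(manager, group_id, kind, domain="default"):
    """Build the members URL; kind is 'virtual-machines' or 'ip-addresses'."""
    return "https://" + manager + MEMBERS_PATH.format(domain=domain, group=group_id, kind=kind)


def fetch_json(url, user, password, verify_tls=True):
    """GET a Policy API URL with HTTP basic auth and return the decoded JSON body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token, "Accept": "application/json"}
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers still on self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def vm_names(payload):
    """Display names from a members/virtual-machines response."""
    return sorted(r["display_name"] for r in payload.get("results", []))


def ip_members(payload):
    """Realized IP strings from a members/ip-addresses response."""
    return sorted(payload.get("results", []))


def realization_report(identity_vms, identity_ips, vm_group_vms, vm_group_ips):
    """Return VMs and IPs in the VM group that the identity group has NOT realized.

    Anything listed under 'missing_*' has no logged-in AD user mapped to it as far
    as NSX-T is concerned, so identity-based rules will not match traffic from it.
    """
    return {
        "identity_vm_count": len(identity_vms),
        "missing_vms": sorted(set(vm_group_vms) - set(identity_vms)),
        "missing_ips": sorted(set(vm_group_ips) - set(identity_ips)),
    }


def live_report(manager, user, password, identity_group_id, vm_group_id, verify_tls=True):
    """Pull both groups' realized members from the manager and diff them."""
    get = lambda gid, kind: fetch_json(members_url(manager, gid, kind), user, password, verify_tls)
    return realization_report(
        vm_names(get(identity_group_id, "virtual-machines")),
        ip_members(get(identity_group_id, "ip-addresses")),
        vm_names(get(vm_group_id, "virtual-machines")),
        ip_members(get(vm_group_id, "ip-addresses")),
    )


# Constructed sample payloads shaped like the post's scenario: the identity group
# ("Test Group") has realized only GUAT1, while GUAT_persistent contains both VMs.
SAMPLE_IDENTITY_VMS = {"results": [{"display_name": "GUAT1", "external_id": "vm-guat1"}]}
SAMPLE_IDENTITY_IPS = {"results": ["10.10.20.11"]}
SAMPLE_VM_GROUP_VMS = {
    "results": [
        {"display_name": "GUAT1", "external_id": "vm-guat1"},
        {"display_name": "GUAT2", "external_id": "vm-guat2"},
    ]
}
SAMPLE_VM_GROUP_IPS = {"results": ["10.10.20.11", "10.10.20.12"]}


def sample_report():
    """Offline run over the constructed payloads above."""
    return realization_report(
        vm_names(SAMPLE_IDENTITY_VMS),
        ip_members(SAMPLE_IDENTITY_IPS),
        vm_names(SAMPLE_VM_GROUP_VMS),
        ip_members(SAMPLE_VM_GROUP_IPS),
    )


if __name__ == "__main__":
    # Replace with live_report("nsx-mgr.example.test", "admin", "<password>",
    #                          "Test_Group", "GUAT_persistent") against a real manager.
    print(json.dumps(sample_report(), indent=2))
```

Run it against each of the four managers with the real group IDs (the IDs are visible in each group's URL or via `GET /policy/api/v1/infra/domains/default/groups`). If `missing_vms` contains the VM a user is logged in to, the problem is in identity realization (AD sync, guest introspection or the log-scraper/event-log source), not in the rule itself; if the realization looks complete and the rule still fails, the next place to look is the rule's Applied To scope and the realized rule on the destination VM's host.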
