7 Replies Latest reply on Dec 10, 2015 6:36 AM by cfraser36

    AD security groups

    cfraser36 Lurker

I am working on setting up, in our lab, the ability to control access with AD groups in View/VDI. What I have noticed is that even though I create a rule that only allows 80 and 443 to the View desktops and connection servers, I am still able to SSH to other hosts when logged in as one of the test accounts. I have an explicit deny any/any rule as part of my Service Composer rule set in the firewall. They are rules 1 and 2 right now (rule IDs 1055 & 1056). When I view in Flow Monitoring which rule ID is being used to allow the access, I notice there are rules further down in the rule set allowing this access (rule IDs 1032 & 1002 / FW rule 32). What could I be missing here? I thought the DFW in NSX treated FW rules much like any other FW, top to bottom?

        • 1. Re: AD security groups
          larsonm Expert
          vExpert

          Can you post a screen shot of the rules that were created as part of your policy?

          • 2. Re: AD security groups
            cfraser36 Lurker

            The default any/any allow is still in place.


            • 3. Re: AD security groups
              cfraser36 Lurker

              Anyone have input on why this is happening?

              • 4. Re: AD security groups
                i1wan Novice
                vExpert

                Hi,


                In your screenshot I do not see your "deny" rule.


                What I would try is to create a specific "deny" rule with the corresponding AD security group and a user account that is part of that group, and create a specific "allow" rule with the corresponding AD security group and an account that is part of that group.


                You can set up identity-based firewalling in three ways, I believe, and I only tested one of them.


                - create an ALLOW and a DENY AD security group, each with the corresponding users, and create rules in the NSX Edge firewall having BOTH items in the source

                - create a DENY security group with the corresponding users and create rules in the NSX Edge firewall where you have an explicit "ALLOW" at the end

                - create an ALLOW security group with the corresponding users and create rules in the NSX Edge firewall where you have an explicit "DENY" at the end


                In order to test it out I used this guide with success.

                • 5. Re: AD security groups
                  cfraser36 Lurker

                  Rule #2, or rule ID 1056, is a deny rule, which doesn't seem to matter, as when I test SSH to other servers while logged in as a member of the AD group specified, it allows me to make connections. Thank you for that link. That was actually the one I used to get the Sales AD group created in my DFW.

                  • 6. Re: AD security groups
                    larsonm Expert
                    vExpert

                    NSX will dynamically add the computer to the Sales-Dept group when a user from the sales department logs into one of the virtual desktops.  Group 1 - Tenant 1 is an AD group account.  A user from Group 1 - Tenant 1 is logged into 3 computers, which are not effective members of the group and thus of the rule.


                    [Screenshot attachment: Capture.JPG]


                    With a sales department user logged in, click on the Sales-Dept object in the rule set to see if the computer into which the sales department user is logged shows up on the list.

                    • 7. Re: AD security groups
                      cfraser36 Lurker

                      Excellent, I will take a look at that.
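The behaviour described in replies 4 and 6, modelled as an added example (this is not NSX code, not VMware's, and not from anyone in this thread): the DFW is evaluated top to bottom, first match wins, but a rule whose source is an identity-based security group only matches a desktop VM while the Identity Firewall has resolved that VM as an effective member, i.e. while a user from the AD group is logged on and the logon has been detected. When membership is not resolved, rules 1055 and 1056 are skipped and traffic falls through to the default any/any allow, which is what the original poster saw in Flow Monitoring. Rule IDs 1055 and 1056 come from the original post; the default-rule ID 1001, the group names, VM names and AD accounts are constructed assumptions for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "allow" or "deny"
    src: str           # "any" or a security-group name
    dst: str           # "any" or a security-group name
    ports: frozenset   # TCP destination ports; empty frozenset means any service


# Rule IDs 1055/1056 are the Service Composer pair from the original post.
# The default rule ID 1001 and the group names are assumptions for this example.
RULES = [
    Rule(1055, "allow", "Sales-Dept", "View-Servers", frozenset({80, 443})),
    Rule(1056, "deny",  "Sales-Dept", "any",          frozenset()),
    Rule(1001, "allow", "any",        "any",          frozenset()),  # default any/any allow
]

# Static (non-identity) security group: View connection servers and desktops (constructed).
STATIC_MEMBERS = {"View-Servers": {"view-cs-01", "vdi-01", "vdi-02"}}

# AD accounts that belong to the Sales AD group (constructed).
SALES_AD_USERS = {"sales-user1", "sales-user2"}


def effective_members(logons):
    """Resolve membership the way the Identity Firewall does: a VM is an
    effective member of Sales-Dept only while a Sales AD user is logged on
    to it and that logon has been detected.

    logons: mapping of VM name -> detected logged-on user, or None.
    """
    members = {group: set(vms) for group, vms in STATIC_MEMBERS.items()}
    members["Sales-Dept"] = {vm for vm, user in logons.items() if user in SALES_AD_USERS}
    return members


def first_match(rules, members, src_vm, dst_vm, port):
    """Top-to-bottom, first-match evaluation. Returns (rule_id, action)."""
    for r in rules:
        if r.src != "any" and src_vm not in members.get(r.src, set()):
            continue
        if r.dst != "any" and dst_vm not in members.get(r.dst, set()):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.rule_id, r.action
    raise RuntimeError("no rule matched; a DFW rule set always ends with a default rule")


def evaluate(logons, src_vm, dst_vm, port):
    """Evaluate one flow against RULES with membership resolved from the given logons."""
    return first_match(RULES, effective_members(logons), src_vm, dst_vm, port)


if __name__ == "__main__":
    # Logon detected: vdi-01 is an effective member of Sales-Dept, so the
    # identity rules match and SSH to another server hits the deny rule.
    resolved = {"vdi-01": "sales-user1"}
    print(evaluate(resolved, "vdi-01", "view-cs-01", 443))  # (1055, 'allow')
    print(evaluate(resolved, "vdi-01", "srv-db-01", 22))    # (1056, 'deny')

    # Logon not detected: Sales-Dept has no effective members, rules 1055 and
    # 1056 are skipped, and the flow falls through to the default allow.
    unresolved = {"vdi-01": None}
    print(evaluate(unresolved, "vdi-01", "srv-db-01", 22))  # (1001, 'allow')
```

The check that matters in practice is the one reply 6 suggests: with the test user logged on, confirm that the desktop VM actually appears as an effective member of the Sales-Dept security group before trusting the deny rule; the simulation above is only a way to see why a rule that never matches cannot block anything, regardless of where it sits in the order.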