VMware Networking Community
KAhnemann
Contributor

IDFW (Identity firewall) with NSX-T 2.5.1 not working

Does anyone here have actual experience getting the IDFW feature to work on 2.5.1 or 2.5.0?  I have been working with VMware support and we have not been able to successfully get this to work.  I have plenty of experience with this in NSX-V, but let's keep this focused on NSX-T.

Scenario:

UserA logs into a virtual desktop through Horizon and needs to access an entire subnet (SubnetA) that has been dedicated to UserA.

UserB logs into a virtual desktop through Horizon and needs to access an entire subnet (SubnetB) that has been dedicated to UserB.

UserA should not be able to access UserB's subnet and UserB should not be able to access UserA's subnet.

I also want the ability to put UserA or UserB into certain AD groups that would allow access to more universal resources such as specific items in SubnetC.

I have an AD group for each user and each user assigned to their AD group.

1 DFW rule exists for each user and that particular user is the source of each rule.

The destination of each rule is the dedicated subnet for that user.

I can see traffic hit the rule and head to the destination subnet (a test VM exists with Windows FW off), but the VM does not reply to the request (RDP).

I can RDP to the test VM from another subnet that has a rule like "AdminVm -> any" and it connects fine, so I know it's not the VM.

What rule am I missing to make this work?  Screenshot of current rules attached.

bbirdy
VMware Employee

Rule number 3 doesn't look correct, I think you have your source and destinations the wrong way round.

The traffic you are permitting is on the destination server side, so you want to allow RDP from your VDI desktops to your test VM, and apply this rule to your test VM only.

HTH

B

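A small rule lint that encodes the point made in the reply (the user identity group belongs in the source of an IDFW rule, with the rule applied to the server-side group), as an added example that is not part of this thread or any VMware code. The rule dictionaries use the NSX-T Policy API field names (source_groups, destination_groups, scope for Applied To, services); the group paths, rule names and the assumption that identity groups are honoured only in the source field and not in Applied To are this example's own.

```python
# Constructed sample rules in the shape of NSX-T Policy API rule objects.
# Group paths and display names are made up for this example.
IDENTITY_GROUPS = {
    "/infra/domains/default/groups/UserA-AD",  # group whose members are UserA's AD group
    "/infra/domains/default/groups/UserB-AD",
}

SAMPLE_RULES = [
    {   # expected shape: user identity as source, dedicated subnet as destination
        "display_name": "UserA-to-SubnetA",
        "source_groups": ["/infra/domains/default/groups/UserA-AD"],
        "destination_groups": ["/infra/domains/default/groups/SubnetA"],
        "scope": ["ANY"], "services": ["ANY"], "action": "ALLOW",
    },
    {   # the mistake the reply describes: source and destination swapped
        "display_name": "Rule3-RDP-to-TestVM",
        "source_groups": ["/infra/domains/default/groups/TestVM"],
        "destination_groups": ["/infra/domains/default/groups/UserA-AD"],
        "scope": ["/infra/domains/default/groups/TestVM"],
        "services": ["/infra/services/RDP"], "action": "ALLOW",
    },
    {   # identity group placed in Applied To (assumed unsupported, see lead-in)
        "display_name": "UserB-applied-to-identity",
        "source_groups": ["/infra/domains/default/groups/UserB-AD"],
        "destination_groups": ["/infra/domains/default/groups/SubnetB"],
        "scope": ["/infra/domains/default/groups/UserB-AD"],
        "services": ["ANY"], "action": "ALLOW",
    },
]


def lint_idfw_rule(rule, identity_groups):
    """Return a list of findings for one rule; an empty list means no IDFW-shape problem."""
    findings = []
    src = set(rule.get("source_groups", []))
    dst = set(rule.get("destination_groups", []))
    applied = set(rule.get("scope", []))
    if dst & identity_groups:
        findings.append("identity group in destination: IDFW resolves users only in the source field")
    if applied & identity_groups:
        findings.append("identity group in Applied To: apply the rule to the server-side group instead")
    if dst & identity_groups and not (src & identity_groups):
        findings.append("source and destination look swapped: put the user group in source")
    return findings


def lint_rules(rules, identity_groups=IDENTITY_GROUPS):
    """Map display_name -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = lint_idfw_rule(rule, identity_groups)
        if findings:
            report[rule["display_name"]] = findings
    return report
```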