VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0

0

One of the powerful features of VMware NSX is the ability to have identity based firewalling features. This is an extremely cool feature that allows resources to be scoped not just based on traditional constructs such as VLANs and IP scopes. Identity is a much better way to control access than the traditional means of doing so. With identity based firewall features, resources can be scoped down to the granular level a single user needs without affecting anyone else on the network. This level of micro-segmentation is very difficult if not impossible to do with traditional firewall solutions. In this post, we will look closer at the VMware NSX identity based firewall configuration in NSX-T 3.0 and see how this is easily setup.

What is VMware Identity Based Firewall?

With identity firewall (IDFW) in VMware NSX and NSX-T, you can create Active Directory user-based Distributed Firewall (DFW) rules. There are many different use cases for IDFW.

It an be used for VDI or Remote desktop sessions (RDSH) support. What is great about the VMware NSX solution is that resources that are shared such as RDSH, can have the individual network streams of users coming in, scoped as needed.

In other words, one user could be allowed to access specific resources and another user can be allowed to access other specific resources.

What are the supported operating systems?

The following operating systems are supported in the following scenarios.

Guest Operating SystemsEnforcement Type
Windows 8Desktop – supports desktop users use case
Windows 10Desktop – supports desktop users use case
Windows 2012Server – supports server users use case
Windows 2012R2Server – supports server users use case
Windows 2016Server – supports server users use case
Windows 2012R2RDSH – supports Remote Desktop Session Host
Windows 2016RDSH – supports Remote Desktop Session Host

How does Identity Firewall (IDFW) work?

There are a few configuration steps that need to be taken to properly allow NSX and NSX-T to properly consume Active Directory information for users and groups.

One of the requirements for IDFW to work is that NSX-T must know which desktop an end user is logged into to apply the IDFW rules. A thin agent installed with VMware tools on the VM is the piece that gathers the network information and forwards that to the NSX context engine.

Once the information is found and forwarded over, the NSX-T context engine then applies the enforcement of the IDFW rules appropriately.

IDFW workflow overview:

  1. A user logs in to a VM and starts a network connection, by opening Skype or Outlook.
  2. A user login event is detected by the Thin Agent, which gathers connection information and identity information and sends it to the context engine.
  3. The context engine forwards the connection and the identity information to Distributed Firewall Wall for any applicable rule enforcement.

Configuring Identity Based Firewall in NSX-T 3.0

The first thing that you want to do is add your identity source. Let’s look at this workflow. This is found under System > Configuration > identity Firewall AD > Active Directory > Add Active Directory.

Starting-to-add-an-Active-Directory-to-your-NSX-T-3.0-Identity-firewall VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Starting to add an Active Directory to your NSX-T 3.0 Identity firewall

Enter your Active Directory information including:

  • Name
  • NetBIOS name
  • Base Distinguished Name
  • Delta Synchronization Interval
  • Synchronization Status

Click the Set hyperlink on the LDAP Server.

Setting-your-LDAP-server-for-Active-Directory VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Setting your LDAP server for Active Directory

Click the Add LDAP Server.

Add-LDAP-server-for-supporting-your-Active-Directory-infrastructure VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Add LDAP server for supporting your Active Directory infrastructure

Enter the information:

  • Host
  • Protocol
  • Protocal
  • Username
  • Password

Click Add.

Finalize-adding-your-LDAP-server VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Finalize adding your LDAP server

Click Apply on the “Set LDAP Server”.

LDAP-server-is-added-and-ready VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
LDAP server is added and ready

Using Identity in the Distributed Firewall

When you navigate to the Distributed Firewall, you will see the banner that specifies Identity Firewall is disabled. Rules containing groups with identity entities (e.g. AD groups), will not be enforced. Click “Enable” on the banner.

Message-stating-identity-firewall-is-disabled VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Message stating identity firewall is disabled

This will launch a dialog box called General Firewall Settings. You will note the Identity Firewall Status will show as disabled. Move the toggle button to Enabled. Below, I have already enabled the feature.

Enable-identity-firewall-in-general-firewall-settings VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Enable identity firewall in general firewall settings

The same under the Identity Firewall Settings. Enable the toggle button for your cluster or standalone hosts/both.

Enable-identity-firewall-in-the-identity-firewall-settings VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Enable identity firewall in the identity firewall settings

Now, when you create a new firewall rule, you can edit the source, destination, etc.

Edit-firewall-rules-to-add-identity-objects-for-filtering VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Edit firewall rules to add identity objects for filtering

Notice you have a link to Set Members.

Set-members-for-the-firewall-rule VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
Set members for the firewall rule

When you click the Set Members link, one of the tabs is AD Groups. You should now see your Active Directory groups available to scope your firewall rules to.

You-can-now-select-AD-Groups-for-your-firewall-rules VMware NSX Identity Based Firewall (IDFW) Configuration in NSX-T 3.0
You can now select AD Groups for your firewall rules

As you can imagine, this is extremely powerful in function. As an example, you can allow or disallow customer support staff to access an HR database with a single firewall policy! Pretty cool stuff.

Concluding Thoughts

VMware NSX Identity Based Firewall is a powerful tool in your micro-segmentation initiatives. It allows using identity as a construct off of which you can build firewall rules. This is a much more granular and easier way to scope resources to users that need access.

VMware NSX identity based firewall configuration in NSX-T 3.0 is straightforward and only takes a few minutes to connect your NSX environment to Active Directory. This allows using users and groups as part of your firewall rules.

Take a look at this post on setting up a VMware NSX Home lab:

StarWind VSAN