Configuring Identity Based Firewall using VMware NSX and Horizon

VMware NSX(-T) is a powerful network virtualization and security platform that provides a wide range of functionalities to enhance networking and security in virtualized environments. One of its features is the Identity-Based Firewall (IDFW), which can play a crucial role in securing virtual desktop infrastructures such as those deployed with VMware Horizon. It makes it possible to control access from the virtual desktops to systems that not all VDI users should be able to reach. This use case can ideally be combined with App Volumes, so that both the apps and the access to backend systems are available only to authorized users.

This dynamic and context-aware approach helps organizations meet their security requirements while providing a flexible and user-friendly virtualized environment for their end users. This blog post describes the steps to configure IDFW. The following prerequisites are assumed:

- T0/T1 gateway configuration
- Overlay or VLAN segments for virtual desktop networks
- ESXi hosts are configured for NSX
- Active Directory read-only service account in the target domain
- Active Directory security groups for the firewall rules
- Windows OS based virtual desktops

There are two ways to configure IDFW:

The first is to use a VMware Tools extension inside the virtual desktop.
The second is called Active Directory log scraping, which connects to the domain controllers and analyzes the audit logs of domain logons. This method requires permissions to access the AD event logs, and the clocks must be fully synchronized.

Since VMware Tools is already installed on the virtual desktops, the first method is the preferred one in a VDI environment.

1. Install the VMware Tools extension for the NSX File Introspection and Network Introspection drivers in the master / golden image.

This driver allows NSX on the ESXi host to detect the user identity so that identity-based firewall rules can be applied.

2. Add the Active Directory domain that contains the user identities in NSX Manager

Go to System -> Identity Firewall AD and click Add Active Directory.

Enter the Active Directory FQDN, NetBIOS name and Base DN.

Add the LDAP server using its FQDN or IP address, and the service account.

Validate connectivity using the built-in feature. Depending on the protocol, firewall rules may be required in your environment from the NSX Manager to the Active Directory domain controllers.

Finally, click the number shown in the Organizational Units column to choose which OUs to synchronize. For the best performance it is recommended to synchronize only the organizational units that contain the VDI users and groups.

Click Save and monitor the synchronization status.

3. Create identity based distributed firewall rules

Go to Security -> Distributed Firewall and create a new firewall rule. Existing firewall rules that use other object types cannot be combined with IDFW.

In the Sources column click the edit icon and add a new group, as it is not possible to select an Active Directory group directly.

In the new group click Set Members and select the Active Directory tab.

All groups in the synchronized OUs are displayed. Select the appropriate one and click Save to save the group. Any computer or IP object can be selected in the destination field.

Finally, publish the created rule.

4. Test the rule by logging into a virtual desktop after the master image has been published to a pool.
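The post configures everything through the NSX Manager UI. As an added example that is not part of the post, the same objects from steps 2 and 3 are shown below as the NSX Policy API JSON they correspond to: a group whose member is the synchronized AD security group, an IP-based destination group, and the DFW rule that references both by policy path. The AD base DN, group names, DNs, CIDR and service path are constructed placeholders, and the code only builds and checks the payloads; it sends nothing.

```python
# Added example, not from the post: the AD-backed group and the IDFW rule from
# steps 2 and 3 as NSX Policy API payloads (PUT .../infra/domains/default/groups/<id>
# and .../security-policies/<id>/rules/<id>). All names, DNs and CIDRs are constructed.
POLICY_ROOT = "/infra/domains/default"
AD_BASE_DN = "DC=example,DC=com"  # the Base DN entered under Identity Firewall AD (placeholder)

def identity_group(group_id, ad_group_dn):
    """Group whose members are an AD security group synchronized by NSX."""
    return {
        "resource_type": "Group",
        "id": group_id,
        "expression": [{
            "resource_type": "IdentityGroupExpression",
            "identity_groups": [{
                "distinguished_name": ad_group_dn,
                "domain_base_distinguished_name": AD_BASE_DN,
            }],
        }],
    }

def ip_group(group_id, cidrs):
    """Destination group built from IP addresses (what the destination field allows)."""
    return {
        "resource_type": "Group",
        "id": group_id,
        "expression": [{"resource_type": "IPAddressExpression", "ip_addresses": cidrs}],
    }

def is_identity_group(group):
    return any(e["resource_type"] == "IdentityGroupExpression" for e in group["expression"])

def idfw_rule(rule_id, source, destination, services, action="ALLOW"):
    """DFW rule by policy path; identity groups are valid on the source side only."""
    if not is_identity_group(source):
        raise ValueError("source must be an identity-based group")
    if is_identity_group(destination):
        raise ValueError("identity-based groups cannot be used as destination")
    return {
        "resource_type": "Rule",
        "id": rule_id,
        "source_groups": [f"{POLICY_ROOT}/groups/{source['id']}"],
        "destination_groups": [f"{POLICY_ROOT}/groups/{destination['id']}"],
        "services": services,
        "action": action,
        "scope": ["ANY"],  # applied on every DFW-protected vNIC
    }
```

The check in idfw_rule mirrors the post's constraint that the AD group goes into the source and only computer or IP objects go into the destination.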