NSX-T IDFW (identity firewall) is a great feature that enables customers to create Active Directory group-based Distributed Firewall (DFW) rules within an NSX-T deployment.
One of the biggest challenges specifically in larger Active Directory deployments is the total number of users and a total number of groups that NSX-T 3.1.x can consume. At the current time of writing the IDFW maximums are the following:
Feature | Item | Maximum |
---|---|---|
Identity Firewall | Active Directory Groups | 100,000 |
Identity Firewall | Total Users in all Active Directory Domains | 100,000 |
Source: VMware Configuration Maximum tool
So why is this a problem?
Well, the NSX-T GUI only lets you configure the root Base Distinguished Name, which means NSX-T will pick up all the security groups within the configured domain. This is a big challenge, especially in large multinational corporations, and it also hurts the ease of operationalising IDFW, specifically when creating NSX-T groups that contain Active Directory security groups.
For example, being able to target a specific OU for your security groups makes it easier to find the AD groups deployed for NSX-T consumption. The other drawback of using the root DN rather than a specific OU is synchronisation time.
Synchronisation time.
Synchronisation time is the time NSX-T takes to synchronise groups and users so that they are stored locally on NSX-T. When configuring the NSX-T IDFW directory you are presented with the following options:
Menu Item | Description |
---|---|
Sync Delta | Perform a delta synchronization, where local AD objects that have changed since the last synchronization are updated. |
Sync All | Perform a full synchronization, where the local state of all AD objects is updated. |
What's the solution?
NSX-T API to configure selective sync
To enable selective sync, use domain create/update API with selective sync enabled, and a list of selected Organisation Units (OUs). When selective sync is enabled, NSX-T only synchronises the AD data inside the selected OUs. During a selective delta sync, only the Active Directory data which is inside the selected OUs and has been created or changed since last sync are updated. If any directory-groups are removed from the selected OUs, they will not be updated during a selective delta sync. They will be updated during a full sync when all directory groups are updated.
Example API config I use in my lab:
POST https://<nsx-mgr>/api/v1/directory/domains

```json
{
  "resource_type": "DirectoryAdDomain",
  "description": "Active directory domain vcumulus.lab",
  "display_name": "vCumulus AD",
  "base_distinguished_name": "DC=vcumulus,DC=lab",
  "netbios_name": "VCUMULUS",
  "name": "vcumulus.lab",
  "ldap_servers": [
    {
      "resource_type": "DirectoryAdLdapServer",
      "display_name": "lab-vc-ad01.vcumulus.lab",
      "host": "lab-vc-ad01.vcumulus.lab",
      "username": "gllewellyn",
      "password": "VMware1!VMware1!",
      "thumbprint": "3b1f4f3b636569d648a3092fc5b5b00fe4f6ec6abd34de86ae657f4bba22913e",
      "port": 389,
      "protocol": "LDAP"
    }
  ],
  "sync_settings": {
    "delta_sync_interval": 100
  },
  "selective_sync_settings": {
    "enabled": true,
    "selected_org_units": [
      "OU=NSX-IDFW,OU=Groups,DC=vcumulus,DC=lab"
    ]
  }
}
```
The key areas are the domain configuration and the selective sync settings.
You can also use the API to configure the selective sync settings with multiple OUs (the fragment below is the tail of the same domain object):
```json
  "sync_settings": {
    "delta_sync_interval": 100
  },
  "selective_sync_settings": {
    "enabled": true,
    "selected_org_units": [
      "OU=NSX-IDFW,OU=Groups,DC=vcumulus,DC=lab",
      "OU=NSX-USERS,OU=Groups,DC=vcumulus,DC=lab"
    ]
  }
}
```
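As an added example (my own code, not from VMware or the NSX-T API docs), the following Python builds the same DirectoryAdDomain body from parameters, checks that every selected OU actually sits under the base DN before anything is sent (an OU outside the base DN, or with a typo in its DC components, would simply sync nothing), and POSTs it to the endpoint above. The NSX Manager hostname, NSX and LDAP credentials, and the LDAP server thumbprint are assumed to be supplied by the caller; using HTTP basic auth against NSX Manager is an assumption.

```python
import base64
import json
import urllib.request


def _rdns(dn):
    """Split a DN into lower-cased, whitespace-trimmed RDNs for comparison."""
    return [p.strip().lower() for p in dn.split(",")]


def validate_selected_ous(base_dn, ous):
    """Return the entries that are NOT OUs under base_dn (empty list = all valid)."""
    base = _rdns(base_dn)
    return [ou for ou in ous
            if not _rdns(ou)[0].startswith("ou=") or _rdns(ou)[-len(base):] != base]


def build_domain_payload(name, netbios, base_dn, ldap, thumbprint, selected_ous,
                         delta_sync_interval=100):
    """Assemble the DirectoryAdDomain body with selective sync enabled.
    `ldap` is a dict with host/username/password supplied by the caller; the
    thumbprint pins the LDAP server certificate NSX-T will accept."""
    bad = validate_selected_ous(base_dn, selected_ous)
    if bad:
        raise ValueError(f"not OUs under {base_dn}: {bad}")
    return {
        "resource_type": "DirectoryAdDomain",
        "display_name": name, "name": name, "netbios_name": netbios,
        "base_distinguished_name": base_dn,
        "ldap_servers": [{"resource_type": "DirectoryAdLdapServer",
                          "display_name": ldap["host"], "host": ldap["host"],
                          "username": ldap["username"], "password": ldap["password"],
                          "thumbprint": thumbprint, "port": 389, "protocol": "LDAP"}],
        "sync_settings": {"delta_sync_interval": delta_sync_interval},
        "selective_sync_settings": {"enabled": True, "selected_org_units": selected_ous},
    }


def post_domain(nsx_mgr, user, password, payload):
    """POST the domain to NSX Manager (basic auth assumed); raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(f"https://{nsx_mgr}/api/v1/directory/domains",
                                 data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call `build_domain_payload(...)` with the lab values from the post and pass the result to `post_domain(...)`; the ValueError on a bad OU fires before any credentials leave the host.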
What are the benefits?
- Reduces Active Directory sync times, which makes larger AD deployments workable with IDFW
- Easier to operationalise by making AD OU scope more granular