NSX-T IDFW how-to guide: How to consume NSX-T IDFW efficiently

I’ve had the privilege of working with VMware’s BU and the Livefire teams on an IDFW design that can be consumed at scale. Hopefully, people can make use of my findings.

Note: That this design can be consumed by VDI. but in this example i’m am using RDSH.

Requirements:

Requirements and supported AD, VMware Tools, and Guest Operating Systems

Just some critical information in the diagram above, especially the VMware tools elements.

  • Windows Server 2019 IDFW is supported in NSX-T 3.1 and above
  • VMware Tools install – VMCI Driver, NSX File Introspection Driver, NSX Network Introspection Driver

Design

VMware’s overview and demos give customers a high-level expectation of how IDFW works, but this doesn’t detail how to implement it in the real world.

So what does it look like in the real world?

Identity Firewall Logical design

For this example, I am using an RDSH cluster and two users with two AD security groups. The User must only be allowed to connect to their own applications and services but denied access to the other application.

Deliverables:

  • Deploy an RDSH Server Cluster. Both Admin Users can connect
  • RDP access to the RDSH server and Web Apps
  • Admin 01 can only connect to Web-App-01 & Admin 02 is denied
  • Admin 02 can only connect to Web-App-02 & Admin 01 is denied

Assumptions:

  1. All the users are connecting from outside of the NSX Domain
  2. The default Deny rule is enabled

Building the NSX-T IDFW rules:

Each of the AD groups will be associated with a dedicated NSX Group. The RDSH Servers will have their own dedicated NSX security group & The Application servers will have their own NSX Security group. To see how this would look, please refer to the table below:

Application NameAD Security GroupNSX Security Group For ServersNSX Security Group for AD Security Group
Web-App-01Admin-Web-App-01NSXSRV-Web-App-01NSXAD-Web-App-01
Web-App-02Admin-Web-App-02NSXSRV-Web-App-02NSXAD-Web-App-02
RDSH ServerN/ANSX-RDSH-ServerN/A

In the NSX GUI it would look like the following:

Example of NSX Group membership based on security groups

RDSH DFW Access Rules (Section 1 on Identity Firewall Logical design)

Now the security groups have been deployed. We need to implement inbound access to the RDSH servers. This is section 1 In the diagram Identity Firewall Logical design for Green and Red connections.

NameSourceDestinationServiceProfileApplied ToAction
Allow Access to RDSH ServersNetworks Accessing the RDSH HostsNSX-RDSH-ServerRDPRDPNSX-RDSH-ServerAllow
Deny Access to RDSH ServersAnyNSX-RDSH-ServerAnyAnyNSX-RDSH-ServerBlock
Access to the RDSH

Deploy Identity Access from the RDSH Hosts (Section 2 Identity Firewall Logical design)

Now the APP Groups have access to the RDSH hosts. We need to implement an identity firewall from the RDSH Servers. The key parts are the “Applied to” section, which deploys the rule to the security group listed in this section. In This case, the Active Directory groups to the destinations. Which mean the IDFW rule is deployed to the RDSH only and no other server or service.

NameSourceDestinationServiceProfileApplied ToAction
Allow Access AD to Web-App-01 ServersNSXAD-Web-App-01NSXSRV-Web-App-01RDPRDPNSX-RDSH-ServerAllow
Deny Access AD to Web-App-01 ServersNSXAD-Web-App-01NSXSRV-Web-App-01AnyAnyNSX-RDSH-ServerBlock
Allow Access AD to Web-App-02 ServersNSXAD-Web-App-02NSXSRV-Web-App-02RDPRDPNSX-RDSH-ServerAllow
Deny Access AD to Web-App-02 ServersNSXAD-Web-App-02NSXSRV-Web-App-02AnyAnyNSX-RDSH-ServerBlock
In-bound access to the RDSH

In the NSX GUI it will look something like this:

DFW Allow Access to Application Servers (Section 3 Identity Firewall Logical design)

Note this section has to be applied last otherwise the NSX DFW will process this rule before the other two sections

In section 2, we have created a rule that only allowed outbound access on the RDSH server. This applies the identity rule at the source. Any traffic leaving the RDSH servers will have been accepted by section 2, but the destination NSXSRV-Web-Apps need the policy to allow the traffic inbound to the systems. Otherwise, the default-deny will drop the traffic.

The below table is an example of such a deployment, you will note that all the groups are IP based and not AD integrated.

NameSourceDestinationServiceProfileApplied ToAction
Allow Access to Web-App-01 ServersNSX-RDSH-ServerNSXSRV-Web-App-01RDPRDPNSXSRV-Web-App-01Allow
Deny Access to Web-App-01 ServersNSX-RDSH-ServerNSXSRV-Web-App-01AnyAnyNSXSRV-Web-App-01Block
Allow Access to Web-App-02 ServersNSX-RDSH-ServerNSXSRV-Web-App-02RDPRDPNSXSRV-Web-App-02Allow
Deny Access to Web-App-02 ServersNSX-RDSH-ServerNSXSRV-Web-App-02AnyAnyNSXSRV-Web-App-02Block
In-bound access to the RDSH