With the introduction of NSX in the vSphere environment, companies got the opportunity to implement micro-segmentation within their virtualized datacenters. NSX makes it possible to place a firewall between every virtual network adapter and the distributed switch inside the vSphere ESXi server. Many companies have since successfully introduced NSX into their datacenters to secure their server workloads. But many are still struggling to implement the NSX distributed firewall based on the identity of the user logging on to a desktop or remote desktop session.
Before the identity of a user can be used to apply a firewall rule, that identity needs to be learned. NSX provides two methods of learning the user's identity: through Guest Introspection or through Log Scraping. Since the NSX identity-based firewall rules are built on Active Directory user groups, the group membership of each user must also be known. The NSX Manager requires read access to Active Directory for this.
With the Guest Introspection option, the user's identity is determined by the Guest Introspection Service VM (GI SVM), which needs to be running on each of the ESXi hosts in the NSX/vSphere environment. Therefore this option can only be used for servers or desktops running within the NSX environment. Within the virtual desktop or server, VMware Tools with the Guest Introspection component needs to be installed for the virtual machine to supply the user's identity to the GI SVM. The following picture provides an overview of how the user's identity is learned with Guest Introspection:
With the Log Scraping option, the user's identity is learned by monitoring (scraping) the security logs on the Active Directory Domain Controllers. With this option the user does not need to log on to a desktop or server that is part of an NSX environment; the NSX Manager only needs to be able to see the logon event in Active Directory. The following picture provides an overview of how the user's identity is learned with Log Scraping:
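The two paragraphs above describe the same pipeline from different angles: a logon event yields a (source IP, user) pair, the user is expanded to Active Directory groups, and the distributed firewall applies group-based rules to traffic from that IP. The following Python model of the log-scraping variant is an added illustration and not NSX code or any VMware component. It assumes a simplified, constructed rendering of Windows Security event 4624 (successful logon) as exported by a domain controller, a constructed group membership table standing in for the AD lookup, and a constructed rule set; the logon-type filter relies on the documented Windows meanings of types 2, 10 and 11 (interactive desktop sessions) versus 3 (network logon).

```python
"""Toy model of identity learning by log scraping and identity-based firewall
evaluation. Added illustration, not NSX code. Log lines, group membership and
rules are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, simplified rendering of Security event 4624 lines as a domain
# controller might export them. Real events carry many more fields.
SAMPLE_DC_LOG = """\
2024-05-01T08:01:12Z DC01 EventID=4624 LogonType=10 TargetUserName=alice TargetDomainName=CORP IpAddress=10.20.30.41
2024-05-01T08:02:45Z DC01 EventID=4624 LogonType=2 TargetUserName=bob TargetDomainName=CORP IpAddress=10.20.30.42
2024-05-01T08:03:10Z DC01 EventID=4625 LogonType=10 TargetUserName=mallory TargetDomainName=CORP IpAddress=10.20.30.99
2024-05-01T08:04:00Z DC01 EventID=4624 LogonType=3 TargetUserName=DC01$ TargetDomainName=CORP IpAddress=10.20.30.5
2024-05-01T08:05:30Z DC01 EventID=4624 LogonType=10 TargetUserName=carol TargetDomainName=CORP IpAddress=10.20.30.41
"""

# Constructed AD group membership (what NSX Manager reads from AD in reality).
AD_GROUPS = {
    "CORP\\alice": {"Finance-Users"},
    "CORP\\bob": {"HR-Users"},
    "CORP\\carol": {"HR-Users", "IT-Admins"},
}

# Constructed identity-based rules: (source AD group, destination, port, action).
# Evaluated top-down, first match wins, implicit deny at the end.
RULES = [
    ("Finance-Users", "10.50.0.10", 443, "allow"),   # finance application
    ("IT-Admins", "10.50.0.0/24", 22, "allow"),      # SSH into the server segment
    ("HR-Users", "10.50.0.20", 443, "allow"),        # HR portal
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) TargetDomainName=(?P<domain>\S+) "
    r"IpAddress=(?P<ip>\S+)$"
)

# Windows logon types that mean a person is at a desktop or RDP session:
# 2 Interactive, 10 RemoteInteractive, 11 CachedInteractive. Type 3 (Network)
# says nothing about who is sitting at the source machine.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass
class LogonEvent:
    timestamp: str
    user: str        # DOMAIN\user
    ip: str
    logon_type: int


def parse_logon_events(log_text: str) -> List[LogonEvent]:
    """Keep only successful, interactive logons by user (not computer) accounts."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["eid"] != "4624":      # 4625 is a failed logon: no identity
            continue
        if m["user"].endswith("$"):          # computer accounts are not users
            continue
        logon_type = int(m["lt"])
        if logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        user = m["domain"] + "\\" + m["user"]
        events.append(LogonEvent(m["ts"], user, m["ip"], logon_type))
    return events


def build_identity_map(events: List[LogonEvent]) -> Dict[str, str]:
    """Map source IP -> most recently logged-on user. A later logon from the
    same IP replaces the earlier one, modelling a shared workstation."""
    mapping: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        mapping[ev.ip] = ev.user
    return mapping


def evaluate_flow(identity_map: Dict[str, str], src_ip: str, dst_ip: str, dport: int) -> str:
    """Resolve the source IP to a user, expand to AD groups, apply the rules."""
    user = identity_map.get(src_ip)
    if user is None:
        return "deny"                        # no identity learned for this source
    groups = AD_GROUPS.get(user, set())
    dst = ipaddress.ip_address(dst_ip)
    for group, dst_spec, port, action in RULES:
        if group in groups and port == dport and dst in ipaddress.ip_network(dst_spec, strict=False):
            return action
    return "deny"


if __name__ == "__main__":
    identity = build_identity_map(parse_logon_events(SAMPLE_DC_LOG))
    print(identity)
    for flow in [("10.20.30.41", "10.50.0.10", 443), ("10.20.30.41", "10.50.0.77", 22),
                 ("10.20.30.42", "10.50.0.20", 443), ("10.20.30.99", "10.50.0.20", 443)]:
        print(flow, "->", evaluate_flow(identity, *flow))
```

Two behaviours of the model are worth noticing because they carry over to any log-based identity scheme: the failed logon (4625) and the computer-account logon never produce an identity, so traffic from those sources stays on the default deny; and when carol logs on to the workstation alice used earlier, the IP-to-user mapping flips, so the Finance rule that matched alice no longer matches. Learning identity only from logon events means the mapping is only as fresh as the last event the scraper saw, which is why a logoff or session timeout has to be tracked as carefully as the logon itself.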
The next post covers the installation steps for the identity-based firewall with the Guest Introspection option in NSX-V.