I recently got a question on VMware NSX: is it possible to create firewall rules that depend on the user that is logged on to a server or virtual desktop? The use-case is to implement (extra) network security to allow or block network access to certain applications/servers in the datacenter, depending on the logged-on user. VMware calls this “identity-based firewalling”, which is one of the features in NSX.

To use identity-based firewalling you will need VMware vSphere, NSX and Active Directory. Together these monitor which user is logged on to a desktop and update the pre-configured firewall rules accordingly. In this article I will show you how to configure an identity-based firewall rule.

Connect to AD and configure the grouping object in NSX

The first step is to connect NSX to Active Directory. This step is completed on the NSX Manager under manage -> domains. Add the domain you want to use to NSX:

An identity-based firewall rule in NSX uses Active Directory groups. You have to add the AD group you want to use to an NSX grouping object, available under manage -> grouping objects. The next screenshot shows a new Grouping Object called “AD Group” with a dynamic membership defined as “Entity belongs to TestGroup”. Note that TestGroup here is a group in Active Directory. You can use the Grouping Object, and thus the AD group membership, in a firewall rule... that’s exactly what we want!

Configure the firewall rule

After you’ve successfully created the grouping object, it’s time to create the firewall rule. This step is actually pretty straightforward:

In this example the rule’s source is the grouping object “AD Group”, while the destination is the gateway of the network. I’ve created a block rule which will block all traffic to the gateway if a member of the AD TestGroup is logged on to a virtual machine. In this example a member of the TestGroup is logged on to testvm01, so this results in a blocking rule for this virtual machine. After I log on to this virtual machine using an account that is not a member of the TestGroup AD group, testvm01 will be removed automatically from the rule:

I noticed that the rule changes after another user logs on; logging off the original account will not remove the VM from the firewall rule.
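Because the rule is only re-evaluated on a new logon, it is worth checking which VMs NSX actually resolves into the “AD Group” security group at any moment. The following Python script is an added example, not code from the post or from VMware: it assumes the NSX-v REST endpoint `GET /api/2.0/services/securitygroup/{objectId}/translation/virtualmachines` and its `<vmnodes>/<vmnode>/<vmName>` response shape, and the sample XML is constructed for illustration.

```python
"""Report effective VM membership of an NSX identity-based security group
and flag VMs that stay in the rule after the TestGroup member logged off.
Added example; the API path and response layout are assumptions."""
from __future__ import annotations

import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the translation response while a TestGroup member
# is logged on to testvm01 (not real NSX output).
SAMPLE_TRANSLATION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vmnodes>
  <vmnode>
    <vmId>vm-101</vmId>
    <vmName>testvm01</vmName>
  </vmnode>
</vmnodes>"""


def parse_vm_names(xml_text: str) -> set[str]:
    """Return the VM names NSX currently resolves into the security group."""
    root = ET.fromstring(xml_text)
    return {node.findtext("vmName", "") for node in root.iter("vmnode")}


def fetch_translation(nsx_manager: str, sg_id: str, user: str, password: str) -> str:
    """Fetch the effective membership XML from NSX Manager (assumed endpoint)."""
    url = (f"https://{nsx_manager}/api/2.0/services/securitygroup/"
           f"{sg_id}/translation/virtualmachines")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})
    ctx = ssl.create_default_context()  # verify the NSX Manager certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def stale_members(current: set[str], sessions: dict[str, str | None],
                  testgroup_users: set[str]) -> set[str]:
    """VMs still in the group although no TestGroup member is logged on.

    NSX re-evaluates membership only on a new logon, so after the TestGroup
    member logs off the VM remains blocked until somebody else logs on.
    sessions maps VM name -> currently logged-on user (None = nobody).
    """
    return {vm for vm in current if sessions.get(vm) not in testgroup_users}
```

Running `stale_members(parse_vm_names(...), sessions, testgroup_users)` against live data shows which VMs are blocked only because of a session that has already ended.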

I hope this helps in creating some identity-based firewalling rules. Feel free to send me any questions, or let me know if anything written here is incorrect or incomplete.