Identity based firewalling in NSX using Active Directory groups

This is one of those features I love about NSX – identity based rules to allow/prevent access for AD groups to any resources your NSX environment talks to. Nifty if you ask me. Here’s the low-down on this feature.


  • AD Group called SCVMM Admins shouldn’t have access to be able to access/create SMB shares
  • This should apply to all machines on 2 particular network segments
  • Ability to log attempts at creating/accessing shares

We’ll assume the group in AD already exists and the domain’s been added to NSX. We’ll create an NSX Security Group and call it SCVMM Admins so we know which AD users are likely to be members of the group.


Key with the above is to choose Directory Group from the Object Type drop-down list. The security group is dynamic already since it’s an AD group and NSX polls AD periodically to check for updates.

Next, we’ll go to the DFW section and begin to add our rules. Be mindful of where the rules are placed because as with any firewall, the rule check stops at the first rule that matches. Since this is a lab, there aren’t going to be too many rules and for the purpose of this blog post, I’ll place these rules at the top.


Key to the above step are the following items:

  • The source and destination have been set to 2 logical switches or logical network segments, one called LS-Prod-AppVMs and the other LS-Prod-WebVMs
  • Two services chosen, one called SMB and the other Server Message Block. It took me some trial and error to determine the right combo
  • Finally, the Applied To section is essential to all of this – I’ve set it to SCVMM Admins security group I created in the first picture
  • Choosing to publish changes kicks these 2 rules into action

One thing I’d like to add is when you click on the edit pencil in the Applied To section, the following dialog box is thrown:


The check box applies the rule to every cluster the DFW is available on. Unchecking it allows you to go very granular in the scope of your rule:


I chose the Security Group option in the drop-down and selected the group I created for this purpose. The logging requirement is covered in the Action tab:


Here’s a shot of a share mapped from a VM in the LS-Prod-AppVMs to another in the LS-Prod-WebVMs:


And the obligatory shot of the share not working – meaning the DFW rules are working:


No more engaging network/firewall teams to get them to add firewall rules, a vAdmin can do it too!

Leave a Comment

Your email address will not be published.