Friday, June 24, 2016

NSX 6.2.3 Active Directory Scaling Enhancements

One of the most common use cases for NSX is to provide a per-user firewall in an End User Computing (EUC) environment like VMware Horizon. This feature, called Identity Firewall (IDFW), lets admins use a user's AD group membership to define firewall policy. For example, you can define an NSX Distributed Firewall policy that allows members of the "Domain Admins" AD group to use ping when they log in, while ping stays blocked for all other users.

A rule like this is created.
I defined the AD group by creating a new security group, setting the criteria to "entity belongs to", and then selecting the Domain Admins group from the list.
Very cool, huh?  That's just the tip of the iceberg when it comes to NSX's security capabilities.  What I want to focus on is a capability we've added to NSX in 6.2.3 to help scale our IDFW implementation.

When an NSX Manager is configured to integrate with an Active Directory domain, NSX pulls in user and group information to keep a local, secure copy for quick lookups and validation. For many of our customers, once an AD account is created it is never removed, even after the person leaves the organization; the account is simply disabled. AD sets a flag on the account to indicate that it is disabled, which in our use case means it can no longer be a valid account to log in with. In the past we kept that account in our local copy even though it would never be used. That takes up resources, and if a customer has thousands or tens of thousands of disabled users, it can have a negative impact on scalability.
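To make the "disabled" flag concrete, here is an added example (my own illustration, not NSX's sync code) that decides which users a directory sync should keep by testing the ACCOUNTDISABLE bit of userAccountControl, both as an LDAP filter the server evaluates and as a client-side check. The sample user records are constructed, and how NSX actually performs its AD sync internally is an assumption, not something documented here.

```python
# Added example (not NSX's code): skipping disabled AD accounts during a
# directory sync by testing the ACCOUNTDISABLE bit of userAccountControl.
# The user records below are constructed sample data, not real directory output.

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE (Microsoft-documented value).
ACCOUNTDISABLE = 0x0002
# LDAP_MATCHING_RULE_BIT_AND, the matching rule AD uses to test individual bits.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample users: (sAMAccountName, userAccountControl, memberOf)
SAMPLE_USERS = [
    ("alice", 0x0200,  ["Domain Admins"]),   # NORMAL_ACCOUNT, enabled
    ("bob",   0x0202,  ["Domain Admins"]),   # NORMAL_ACCOUNT + ACCOUNTDISABLE
    ("carol", 0x0200,  ["Domain Users"]),    # enabled, ordinary user
    ("dave",  0x10202, ["Domain Users"]),    # disabled + DONT_EXPIRE_PASSWORD
    ("erin",  0x0220,  ["Domain Users"]),    # enabled, PASSWD_NOTREQD also set
]

def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(uac & ACCOUNTDISABLE)

def user_search_filter(ignore_disabled: bool) -> str:
    """LDAP filter a sync job could send to AD for user objects.

    With ignore_disabled=True the domain controller drops disabled accounts
    itself, so they never reach the local copy at all."""
    base = "(&(objectCategory=person)(objectClass=user)"
    if ignore_disabled:
        base += f"(!(userAccountControl:{BIT_AND_RULE}:=2))"
    return base + ")"

def sync_users(records, ignore_disabled: bool):
    """Client-side equivalent of the filter: the records to keep locally."""
    return [r for r in records if not (ignore_disabled and is_disabled(r[1]))]

def group_members(records, group: str, ignore_disabled: bool):
    """Names that would match an IDFW 'entity belongs to <group>' criterion."""
    return sorted(name for name, uac, groups in sync_users(records, ignore_disabled)
                  if group in groups)

if __name__ == "__main__":
    kept = sync_users(SAMPLE_USERS, ignore_disabled=True)
    print(f"synced {len(kept)} of {len(SAMPLE_USERS)} users")
    print(user_search_filter(True))
    print(group_members(SAMPLE_USERS, "Domain Admins", ignore_disabled=True))
```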

To address this, we added the ability to have the IDFW ignore disabled users, and the good news is that enabling it is just a selection in the configuration. Piece of cake!  See below where this feature is disabled.

So how do you enable it? Simply click on the pencil icon and you'll see this.
Finish the configuration and you'll see this.

On a side note, event log access is not required, and you can now skip that step via this new screen.
With that, you are all done and now your IDFW can scale higher by ignoring disabled user accounts.

If you are considering NSX in an EUC environment, then this design guide is for you - fresh off the press June 22, 2016.
NSX EUC Design Guide
