EUC

NSX-T based Micro-segmentation with VMware Horizon

Setting up a Distributed Firewall

Introduction:

NSX-T Micro-Segmentation is one of the many features we can use to secure communication at the Transport. We will be looking at basic approaches using Micro-segmentation and the Identity Firewall in NSX-T. The objective of this exercise to ensure one understands the basics of implementing these rules and does not necessarily reflect a real world scenario.

Real World Scenarios will be vastly more complex and time consuming to configure.

Before continuing, there are some pre-requisite checks that need to be done

Implementing the Distributed Firewall
- On your ControlCenter server (which is also your landing server)
- Open your Google Chrome Browser
- Select the NSX Manager icon from the favourites bar. (Accept the untrusted certificate to continue)

On your Browser
- Login with Username admin
- With the password VMware1!VMware1!
- Select LOG IN

In the NSX Admin Console
- At the top of the NSX-T admin console select System
- Under Configuration, select Identity Firewall AD
- In the ACTIVE DIRECTORY area, to the left of the euc-livefire.com domain, select the 3 Dotted hyperlink
- Select Sync All

In the NSX Admin Console
- Select the Security tab
- In the left pane, under East West Security
  - Select Distributed Firewall

In Distributed Firewall area
- To the right, select the dropdown, next to ACTIONS
- Under Settings, select General Settings

In the General Firewall Settings
- Select Identity Firewall Settings tab

In the General Firewall Settings
- Under Identity Firewall Settings
  - Next to RegionA01-COMP01, Cluster Name, ensure the toggle is set to Enable
- Select SAVE

Part 1

Pre-deployment check

On your ControlCenter server
- Select and launch your Horizon client
- Select your Horizon.euc-livefire.com POD Broker
- Login as Mark with the password VMware1! and select Login
- Select your W10INST entitlement

On your virtual Desktop
- Select Start > Run
- Next to Open: type cmd

In the CMD interface type ping sql.euc-livefire.com
- Note the 192.168.110.45 IP address
- Please NOTE! Do not close your Horizon Desktop session

In the NSX-T admin console
- Select the Security Tab under East West Security
- Select Distributed Firewall

In the Distributed Firewall section
- Ensure that Application is selected
- Select ADD POLICY
  - You will notice a Policy has been added with a default name New Policy

In the Policy area you have just created
- Under Name select New Policy under Name and replace with Desktops

To left of your Desktops Policy, notice you have 3 vertical dots.
- Select the 3 vertical dots
- Select Add Rule

In the New Rule interface,
- Select New Rule and change to Block ICMP to SQL

Under Sources
- Select the pencil Icon next to Any

In the Set Source Window
- Select ADD GROUP

In the ADD GROUP interface
- Under Name type Subnet 10
- Under Compute Members select Set Members

In the Select Members | Subnet 10 window
- Select the IP Addresses tab

Under ACTIONS
1. In the Enter IP Address area, type 172.16.10.0/24 In the bottom right-hand corner,
  - Select APPLY
2. In the Set Source window select SAVE
3. Ensure that the checkbox next to Subnet 10 is selected
  - Select APPLY

Under Destinations
- Next to Any select the Pencil

In the Set Destination window
- Select ADD GROUP

In the ADD GROUP area
- Under Name type SQL in the Group Name area

Under Computer Members
- Select Set Members

In the Select Members | SQL area,
- Select the IP Addresses tab
- In the IP Addresses tab under Actions enter 192.168.110.45
- In the bottom right hand corner select APPLY

In the ADD GROUP area
- Select SAVE

Ensure the checkbox next to SQL is selected
- In the bottom right-hand corner select APPLY

Under Services
- Select the Pencil next to Any

In the Set Services window
- Scroll down and select the checkbox next to ICMP ALL
  - HINT, by typing ICMP in the box under services, it helps to find ICMP ALL
- Select APPLY

In the Block ICMP to SQL row,
- Under Applied To select the Pencil next to DFW

In the Set Applied To window
- Change the DFW radio button to Groups radio button

In the Set Applied To window select the Groups radio button
- Select ADD GROUP

In the Set Applied To window
- Under the Name area type Windows 10,
- Under Compute Members select the Set Members

In the Select Members | Windows 10
- Select + ADD CRITERIA

In the Select Members | Windows 10 window under Criteria 1 select : -
- Virtual Machine > Computer Name > Starts With > Type W10INST
- Select APPLY

In the Set Applied To window in the ADD GROUP area
- Select SAVE

In the Set Applied To window
- Ensure the checkbox is selected next to Windows 10
- In the bottom right corner select APPLY

Under Action
- Select the Drop down arrow next to Allow
- Select Reject

In the top right hand corner of the NSX-T Admin Console
- Select PUBLISH
  - Notice that the status Uninitialized now changes to Success

On your ControlCenter server
- Revert back to your Horizon Client session
- From the CMD Prompt ping sql.euc-livefire.com
  - You will notice now you get a Destination Host Unreachable message
- Log-off from your Horizon Client session by going to Options dropdown
- Select Disconnect and Log Off
- Select OK to log Off

Part 2: Testing further Micro-segmentation scenarios with Distributed Firewall Rules

Introduction:

In this exercise we will look at variable options implement Micro-segmentation. Even with all the limitations we have in this lab setup. The variable options when configuring are impressive. The objective of Part 2 will be to follow on from Part 1 and we look at the variable options of the rules and how they work.

On your ControlCenter server,
- Switch back to your browser with your NSX-T session.
  - If necessary login with the username Admin and the password VMware1!VMware1!
- Ensure you have the Security tab selected and under EAST WEST Security
- Ensure your are in the Distributed Firewall area

On the NSX-T Admin Console
- Select the 3 dots next to Desktops
- Select Add Rule

In the New Rule interface,
- Replace the name New Rule by selecting and typing Sales Rule

Under Sources,
- Select the pencil icon, next to Any

In the Set Source window
- Select ADD GROUP

In the ADD GROUP window
- Under Name type Sales

Under Compute Members
- Select Set Members

In the Select Members | Sales Group window
- Select the AD Groups tab

In the search area
- Type Sales,
- Select the checkbox next to Sales
- Select APPLY

Back to the Set Source window
- Select SAVE

In the Set Source Rule > Sales rule window
- Ensure the check box to the left of Sales is selected for this rule
- Select APPLY

Under Destinations next to Any
- Select the Pencil

In the Set Destination window
- Select the checkbox next to RDSH
- Select APPLY in the bottom right corner.

In the Sales Rule row
- Under Services select the Pencil next to Any

In the Set Services window
- Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
- Select the HTTP and HTTPS check boxes
- Select APPLY

In the Sales Rule row
- Under Applied To select the Pencil next to DFW

In the Set Applied To window
- Select the radio button next to Groups

In the Set Applied To window,
- Select the check box, next to Windows 10.
- Select APPLY

Under Action. We will leave the default Action that being Allow

In the NSX-T Admin Console
- In the top right corner PUBLISH
  - We will now create a DENY ALL Groups Rule in addition to what we have just created

In the NSX-T Admin Console > Security > Distributed Firewall
- Right-Click the 3 DOTS next the BLOCK ICMP to SQL checkbox
- Select Add Rule

Under your Sales Rule
- In the New Rule section rename New Rule to Deny All Groups

In Deny All Groups rule row
- Under Destinations select the Pencil next to Any

In the Set Destination window,
- Select the checkbox next to RDSH
- Select APPLY

In the Deny All Groups row under Services
- Select the Pencil next to Any

In the Set Services window
1. under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
2. Select the HTTP and HTTPS check boxes
3. Select APPLY

In the Deny All Groups row under Applied To select the Pencil next to DFW

In the Set Applied To window select the Groups radio button

In the Set Applied To window
- Select the Windows 10 group checkbox
- Select Apply

In the Deny All Groups row
- Under Action select the Dropdown
- Select Drop

In the top right corner, of the NSX-T Admin Console
- Select PUBLISH

We have now completed two rules both based on the Source .
Our last set of Rules will Aimed at the Destination Server services

NSX-T Admin Console > Security > Distributed Firewall
- Under CATEGORY SPECIFIC RULES in the APPLICATION section select +ADD POLICY

You will notice you have a New Policy .1st in the policy order. We will now re-order this policy

In the NSX-T Admin Console > Security > Distributed Firewall
- Select with a left click and hold your mouse on the 3 DOTS at the beginning of the New Policy Line
- Drag the New Policy down till just after Desktop Policy and release your mouse
- Your New Policy should appear in the order in the second screenshot of this image

In the NSX-T Admin Console > Security > Distributed Firewall
- In the New Policy interface, rename New Policy to Server Access

In the NSX-T Admin Console > Security > Distributed Firewall
- Select the 3 DOTS in front of your Server Access Policy and select Add rule
  - Notice you now have a new rule called New Rule that is part of the Server Access Policy

In the New Rule section,
- Rename New Rule to Permit Win 10 to RDSH

In the Permit Win10 to RDSH section
- Under Sources, select the Pencil next to Any

In the Set Source window,
- Select the checkbox next to Windows 10
- Select APPLY

In the Permit Win10 to RDSH section
- Under Destinations, select the Pencil next to Any

On the Set Destination window,
- Select the checkbox next to RDSH
- Select APPLY

In the Permit Win 10 to RDSH row under Services select the Pencil next to Any

In the Set Services window
1. Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
2. Select the HTTP and HTTPS check boxes
3. Select APPLY

In the Permit Win 10 to RDSH row
- Under Applied To select the Pencil next to DFW

In the Set Applied To window select the Groups radio button

In the Set Applied To window
- Select the RDSH group checkbox
- Select Apply

Select PUBLISH in the top right corner

Please NOTE: When Identity Based Firewall rules are applied, it is essential, to logon after the rules have been applied. Any Active VMware Horizon sessions that you are logged into, Disconnect and Log Off before starting with Part 3

Part 3. Testing the results

Some background information about our setup and what we are going to test.

In this setup we have a Horizon Instant Clone Desktop pool with 4 Virtual machines
The Desktop Pool has two Active Directory security groups entitled to this Desktop Pool
- IT-Support
- Sales
All 4 virtual Machines are running on the 172.16.10.0 / 24 subnet and have a VLAN ID 10 for this subnet configured for its NSX-T segment.
As part of the test we have a server with IIS installed called RDSH-01a
Note this exercise is teaching Micro-segmentation functionality and one should not read anything into the choice of group name for this exercise.
- We will first Test Mark Debio and Jill Verneo who are members of the Sales group. Mark and Jill will do a HTTP connection to the RDSH-01a server.
- We will then test Kim Markez who is not a member of the Sales Group and see what happens when attempt to do a connection request to RDSH-01a

Part 3 :

On your ControlCenter desktop,
- Launch the Horizon client
- Launch the Horizon .euc-livefire.com POD
- On the Login window next to
  - User name: Mark
  - Password : VMware1!
- Select Login
- Select the W10INST entitlement

On your ControlCenter desktop, launch the Horizon client
- Launch the Horizon.euc-livefire.com POD
- On the Login window next to
  - User name: Jill
  - Password : VMware1!
- Select Login
- Select the W10INST entitlement

On your ControlCenter desktop, open the Remote Desktops folder
1. Launch the RDP client for W10Ext01a.RDP
  - Login as [email protected] with password VMware1!
2. On the W10 client Launch the Horizon client
  - Launch the Horizon.euc-livefire.com POD
  - On the login window next to
    - User name: kim
    - Password : VMware1!
  - Select Login
  - Select the W10INST entitlement

Select your Mark Horizon client session
- On the Desktop, select and launch the Edge Browser in the Task Bar
- In the Edge Browser address, type http://rdsh-01a.euc-livefire.com
  - As you can see we are able to connect to the web service on the server as Mark.
  - Repeat the same test for Jill

Switch to your Kim Horizon client session running from W10EXT01a
- On the Desktop, select and launch the Edge Browser in the Task Bar
- In the Edge Browser address, type http://rdsh-01a.euc-livefire.com
  - Kim is not a member of the Sales Group and would therefore be denied access. Our Identity Firewall only allows for Sales to communicate with the RDSH-01a server.
- From the Horizon Client
  - Select the 3 dots in the right corner
  - From the dropdown, select Logoff Desktop
  - In the Disconnect and log off desktop? window,
    - Select OK

Switch back to your NSX-T admin console. Ensure you are still in Security > Distributed Firewall
- Select 3 Dots next to Desktops Policy and select Add Rule,
  - Notice you now have a New Rule

In the New Rule row replace New Rule with ICMP for IT Support

In the ICMP for IT Support row under Sources
- Select the Pencil next to ANY

In the Set Source window select ADD GROUP

Under the ADD GROUP area under Name type IT Support
- Under Compute Members, select Set Members

In the Select Members | IT Support window
- Select the AD Groups tab
- Under AD Groups start typing IT Supp
- Select the checkbox next to IT Support
- Select APPLY in the bottom right corner

Select SAVE
- Select APPLY to close the Set Source window

In the ICMP for IT Support row under Destinations
- Select the Pencil next to Any

In the Set Destination window
- Select the checkbox next to RDSH
- Select Apply

In the ICMP for IT Support row
- Under Services select the Pencil next to Any

In the Set Services window , type ICMP

Select the checkbox next to ICMP ALL
- Select APPLY

In the ICMP for IT Support row under Applied To
- Select the Pencil next to DFW

In the Set Applied To window
- Change the DFW radio button to the Groups radio button

In the Groups Area
- Select the checkbox next to Windows 10
- Select APPLY

In the Deny All Groups row under Services, select the Pencil next to HTTP/HTTPS

In the Set Services window under Services type icmp

Select the check box next ICMP ALL
- Select APPLY

Expand the Server Access Policy
- In the Permit W10 to RDSH row under Services, select the Pencil next to HTTP/HTTPS

In the Set Services window under Services type icmp

Select the check box next ICMP ALL
- Select APPLY

Select PUBLISH

Review your Policies and associated Rules

On your WinEXT10 RDP session.
- Using the Horizon client login again as Kim with the password VMware1!
- Launch the W10INST, entitlement
- From the Start menu > RUN > type cmd.exe
- Select OK

In the cmd.exe window type, ping rdsh-01a.euc-livefire.com.
- Your micro-segmentation rules using the Identity Firewall setting should ALLOW and you should get a reply.

On your ControlCenter server desktop, revert back to your Mark horizon client session
- If the session is disconnected and logged off . Log back in as Mark with the password VMware1!
- Launch CMD.exe window from RUN if this is closed.
- In the cmd.exe window type, ping rdsh-01a.euc-livefire.com.
  - Your micro-segmentation rules using the Identity Firewall setting should DENY and you should not get a reply.

References

VMware documentation

NSX-T Data Center and EUC Design Guide

https://communities.vmware.com/docs/DOC-40565

Acknowledgements

A huge thank you to Baldeep Birdy from the NSX Livefire Team.

Without his support in troubleshooting and help in the development of this session

EUC

NSX-T based Micro-segmentation with VMware Horizon

Setting up a Distributed Firewall

Part 1

Pre-deployment check

Part 2: Testing further Micro-segmentation scenarios with Distributed Firewall Rules

Part 3. Testing the results

Part 3 :

References

Acknowledgements

Notes about the author Reinhart Nel

0 Comments

Add your comment

Topics

Last Updated