1. On your ControlCenter2 server,
   • Switch back to your browser with  your NSX-T session.
     • If necessary login with the username Admin and the password VMware1!VMware1!
   • Ensure you have the Security tab selected and under EAST WEST Security
   • Ensure your are in the  Distributed Firewall area

2. On the NSX-T Admin Console
   • Select the 3 dots next to Desktops
   • Select Add Rule

3. In the New Rule interface,
   • Replace the name New Rule by selecting and typing Marketing Rule

4. Under Sources,
   • Select the pencil icon, next to Any

5. In the Set Source window
   • Select ADD GROUP

6. In the ADD GROUP window
   • Under Name type Marketing

7. Under Compute Members
   • Select Set Members

8. In the Select Members | Marketing Group window
   • Select the AD Groups tab

9. In the search area
   • Type Marketing,
   • Select the checkbox next to Marketing
   • Select APPLY

10. Back to the Set Source window
    • Select SAVE

11. In the Set Source Rule > Marketing rule window
    • Ensure the check box to the left  of Marketing is selected for this rule
    • Select APPLY

12. Under Destinations next to Any
    • Select the Pencil

13. In the Set Destination window
    • Select the checkbox next to RDSH
    • Select APPLY in the bottom right corner.

14. In the Marketing Rule row
    • Under Services select the Pencil next to Any

15. In the Set Services window
    • Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    • Select the HTTP and HTTPS check boxes
    • Select APPLY

16. In the Marketing Rule row
    • Under Applied To select the Pencil next to DFW

17. In the Set Applied To window
    • Select the radio button next to Groups

18. In the Set Applied To window,
    • Select the check box, next to Windows 10.
    • Select APPLY

19. Under Action. We will leave the default Action that being Allow

20. In the NSX-T Admin Console
    • In the top right corner  PUBLISH
      • We will now create a DENY ALL Groups Rule in addition to what we have just created

21. In the NSX-T Admin Console > Security > Distributed Firewall
    • Right-Clickthe 3 DOTS next the BLOCK ICMP to SQL checkbox
    • Select Add Rule

22. Under your Marketing Rule
    • In the New Rule section rename New Rule to Deny All Groups

23. In Deny All Groups rule row
    • Under Destinations select the Pencil next to Any

24. In the Set Destination window,
    • Select the checkbox next to RDSH
    • Select APPLY

25. In the Deny All Groups row under Services
    • Select the Pencil next to Any

26. In the Set Services window
    1. under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    2. Select the HTTP and HTTPS check boxes
    3. Select APPLY

27. In the Deny All Groups row under Applied To select the Pencil next to DFW

28. In the Set Applied To window select the Groups radio button

29. In the Set Applied To window
    • Select the Windows 10 group checkbox
    • Select Apply

30. In the Deny All Groups row
    • Under Action select the Dropdown
    • Select Drop

31. In the top right corner, of the NSX-T Admin Console
    • Select PUBLISH

• We have now completed two rules both based on the Source .
• Our last set of Rules will Aimed at the Destination Server services

32. NSX-T Admin Console > Security > Distributed Firewall
    • Under CATEGORY SPECIFIC RULES in the APPLICATION section select +ADD POLICY

33. You will notice you have a New Policy .1st in the policy order. We will now re-order this policy

34. In the NSX-T Admin Console > Security > Distributed Firewall
    • Select with a left click and hold your mouse on the 3 DOTS at the beginning of the New Policy Line
    • Drag the New Policy down till just after Desktop Policy and release your mouse
    • Your New Policy should appear in the order in the second screenshot of this image

35. In the NSX-T Admin Console > Security > Distributed Firewall
    • In the New Rules policy, rename New Rules to Server Access

36. In the NSX-T Admin Console > Security > Distributed Firewall
    • Select the 3 DOTS in front of your Server Access Policy and select Add rule
      • Notice you now have a new rule called New Rule that is part of the Server Access Policy

37. In the New Rule section,
    • Rename New Rule to Permit Win 10 to RDSH

38. In the Permit Win10 to RDSH section
    • Under Sources, select the Pencil next to Any

39. In the Set Source window,
    • Select the checkbox next to Windows 10
    • Select APPLY

40. In the Permit Win10 to RDSH section
    • Under Destinations, select the Pencil next to Any

41. On the Set Destination window,
    • Select the checkbox next to RDSH
    • Select APPLY

42. In the Permit Win 10 to RDSH   row under Services select the Pencil next to Any

43. In the Set Services window
    1. Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    2. Select the HTTP and HTTPS check boxes
    3. Select APPLY

44. In the Permit Win 10 to RDSH row
    • Under Applied To select the Pencil next to DFW

45. In the Set Applied To window select the Groups radio button

46. In the Set Applied To window
    • Select the RDSH group checkbox
    • Select Apply

47. Select PUBLISH in the top right corner

49. Please NOTE: When Identity Based Firewall rules are applied, it is essential, to logon after the rules have been applied. Any Active VMware Horizon sessions that you are logged into,  Disconnect and Log Off before starting with Part 3

Some background information about our setup and what we are going to test.

• In this setup we a Horizon Instant Clone Desktop pool with 4 Virtual machines
• The Desktop Pool has two Active Directory security groups entitled to this Desktop Pool
  • Marketing
  • IT-Support
  • Users 1 - 4 are members of the Marketing security group.
  • Users 5 - 6 are members a security group called IT support.
• All 4 virtual Machines are running on the 172.16.10.0 / 24 subnet  and have a VLAN ID 10 for this subnet configured for its NSX-T segment.
• As part of the test we have a server with IIS installed called RDSH-01a
• Note this exercise is teaching Micro-segmentation  functionality and one should not read anything into the choice of group name for this exercise.

• We will first Test User 4 who is a member of the Marketing group. User 4 will do a HTTP connection to the RDSH-01a server.
• We will then test User 5 who is not a member of the Marketing Group and see what happens when attempt to do a connection request to RDSH-01a
• We will continue editing rules to demonstrate a new supported Feature in NSX-T 3.0 with regard to the use of ping with AD groups, that being Marketing and IT Support
• We will test and validate the associated functionality