Wednesday, January 31. 2018
VMware NSX for vSphere 6.4: Multi-Session Identity Firewall
In this video, VMware demonstrates how the Multi-Session Identity Firewall feature in NSX for vSphere 6.4 enables per-user-session security for customers using Remote Desktop Services through VMware Horizon RDSH or Citrix XenApp.
Augmenting the existing Identity Firewall feature, Multi-Session Identity Firewall in NSX for vSphere 6.4 uses User Context to differentiate users that are connected to the same session host and to apply the appropriate security policy to each user.
Monday, January 29. 2018
VMware NSX for vSphere End-User Computing Design Guide 1.2
This guide highlights design and deployment considerations when using NSX to implement network virtualization, create a secure end-user environment, and load balance Horizon infrastructure.
The intended audience is virtualization, networking, and security architects who are interested in deploying Horizon for virtual desktops and NSX in a vSphere environment. A solid conceptual understanding of, and hands-on experience with, both NSX-v and Horizon is recommended to get the most from this design guide.
Wednesday, January 24. 2018
VMware vSAN 6.6 - Number of votes and witnesses explained
I got a question from a fellow VCI asking me why a vSAN policy with FTT=1 and SW=2 doesn't need any witnesses and why a policy with FTT=2 and SW=1 needs two witnesses. He was also confused by the number of votes the components got.
There's a simple answer for this. Keep in mind that components are not able to get a majority of votes if you lose more than one host. So, with FTT=2 and two hosts lost, a single surviving component would only hold 33% of the votes without any witnesses, but if we tie two extra witnesses to the surviving component we get 20+20+20=60%, which is a majority. The total number of votes is 5, 3 from the components and 2 from the witnesses, allowing us to lose two components and still get a majority.
Why don't we need a witness when the stripe width (SW) is configured with a value of 2? If you have a host failure with FTT=1 and SW=2, the remaining stripe component of the crippled RAID_0 team is still able to contribute its vote, so a majority can still be reached.
The number of votes depends on the number and location of the components. I don't know the exact formula, but if multiple components are sharing the same ESXi host, the sum of their votes is equal to the number of votes of a single component on a single host. A component will get an extra tiebreaker vote if the total number of votes is even.
In the first screenshot you can see that all the components are located on different hosts, which is why we have 2+1+1+1=5. In the second screenshot two components are sharing esx07, so the minimum number of votes for a component on a single host is the sum of the components on the shared host, which is two. 2+2+1+1=6, so one component gets 3 votes to make the total odd: 3+2+1+1=7.
I've also posted a video explaining the components and different policies in more detail: VMware vSAN 6.6 Witnesses, Components and Votes
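As an added example (not part of the original post and not VMware's own calculation), the following Python encodes the vote rule the post describes and checks whether the components on surviving hosts still hold a majority after host failures. It assumes, beyond what the post states, that the common weight is the lowest common multiple of the per-host group sizes and that the tiebreaker goes to the first component holding the highest count.

```python
from collections import Counter
from functools import reduce
from math import gcd


def _lcm(a, b):
    return a * b // gcd(a, b)


def assign_votes(placement):
    """Return one vote count per component of a vSAN object.

    placement: host name per component (mirror, stripe or witness), in the
    order the object layout lists them. Encodes the rule from the post, not
    VMware's exact formula: components sharing a host split the weight of a
    lone component (two on one host -> 1 vote each, lone ones -> 2), and an
    even total earns one component a tiebreaker vote. Assumptions: the shared
    weight is the lcm of the group sizes; the tiebreaker goes to the first
    component holding the highest count.
    """
    per_host = Counter(placement)
    weight = reduce(_lcm, set(per_host.values()), 1)
    votes = [weight // per_host[host] for host in placement]
    if sum(votes) % 2 == 0:
        votes[votes.index(max(votes))] += 1
    return votes


def has_quorum(placement, votes, failed_hosts):
    """True if components on surviving hosts hold a strict majority of votes."""
    surviving = sum(v for h, v in zip(placement, votes) if h not in failed_hosts)
    return 2 * surviving > sum(votes)


if __name__ == "__main__":
    # Constructed layouts. FTT=2, SW=1: three mirrors plus two witnesses.
    ftt2 = ["esx01", "esx02", "esx03", "wit01", "wit02"]
    v = assign_votes(ftt2)                                  # [1, 1, 1, 1, 1]
    print(v, has_quorum(ftt2, v, {"esx01", "esx02"}))       # 3 of 5 -> True
    # Same mirrors without witnesses: one survivor holds 1 of 3 votes.
    mirrors = ftt2[:3]
    print(has_quorum(mirrors, assign_votes(mirrors), {"esx01", "esx02"}))  # False
    # FTT=1, SW=2, four components on four hosts (first screenshot).
    print(assign_votes(["esx05", "esx06", "esx07", "esx08"]))  # [2, 1, 1, 1]
    # Same policy, two components sharing esx07 (second screenshot).
    print(assign_votes(["esx05", "esx06", "esx07", "esx07"]))  # [3, 2, 1, 1]
```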
Saturday, January 20. 2018
Demo of the VMware NSX 6.4 Context-Aware Firewall
Context-aware firewall enhances visibility at the application level and helps address the problem of application permeability. Visibility at the application layer helps you monitor workloads more effectively from a resource, compliance, and security point of view.
Firewall rules cannot consume application IDs. Context-aware firewall identifies applications and enforces micro-segmentation for east-west traffic, independent of the port that the application uses. Context-aware or application-based firewall rules are defined using Layer 7 service objects.
Once Layer 7 service objects are defined, you can write rules that combine a specific protocol, ports, and the application definition, so a rule can be based on more than the 5-tuple. You can also use Application Rule Manager to create context-aware firewall rules.
A firewall can take action based on one or a combination of the L2, L3, L4, and L7 packet headers that are added to the data as it moves through each layer of the TCP/IP model.
In a layer 3 or layer 4 firewall, the action is taken solely based on source/destination IP, port, and protocol. A firewall that also tracks the state of network connections is known as a stateful firewall.
A layer 7 firewall is also called a context-aware firewall. A layer 7 or context-aware firewall can do everything that a layer 3 and layer 4 firewall does, and it can also inspect the content of the packets. For example, a layer 7 firewall rule can be written to deny all HTTP requests from a specific IP address.
VMware NSX for vSphere 6.4 Eases Operations, Improves Application Security with Context