During deployment, the VMware Identity Manager virtual appliance is set up inside the internal network. If you want to provide access to the service for users connecting from outside networks, you must install a load balancer or a reverse proxy, such as Apache, nginx, or F5, in the DMZ.
If you do not use a load balancer or reverse proxy, you cannot expand the number of VMware Identity Manager appliances later. You might need to add more appliances to provide redundancy and load balancing. The following diagram shows the basic deployment architecture you can use to enable external access.
Specify VMware Identity Manager FQDN during Deployment
During the deployment of the VMware Identity Manager virtual machine, you enter the VMware Identity Manager FQDN and port number. These values must point to the host name that you want end users to access.
The VMware Identity Manager virtual machine always runs on port 443. You can use a different port number for the load balancer. If you use a different port number, you must specify it during deployment.
Load Balancer Settings to Configure
Load balancer settings to configure include enabling X-Forwarded-For headers, setting the load balancer timeout correctly, and enabling sticky sessions. In addition, SSL trust must be configured between the VMware Identity Manager virtual appliance and the load balancer.
You must enable X-Forwarded-For headers on your load balancer. This determines the authentication method. See the documentation provided by your load balancer vendor for more information.
Load Balancer Timeout
For VMware Identity Manager to function correctly, you might need to increase the load balancer request timeout from the default. The value is set in minutes. If the timeout setting is too low, you might see this error, “502 error: The service is currently unavailable.”
Enable Sticky Sessions
You must enable the sticky session setting on the load balancer if your deployment has multiple VMware Identity Manager appliances. The load balancer will then bind a user's session to a specific instance.
The load balancer must have WebSocket support.