To deploy the VMware Cloud Foundation Identity Connector, which includes the Directory Sync service and User Auth service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.
Compatibility Between VMware Cloud Foundation Service and Connector
You can use the VMware Cloud Foundation Identity Connector with the VCF Business Services Console.
Number of Servers Required
You can install the Directory Sync and User Auth services together on a single Windows server or install them on separate servers. To install the services together, you need a more powerful server. To install the services separately, you must obtain multiple servers.
Multiple servers are required if you want to set up high availability.
Hardware Requirements
Ensure the Windows server meets the following hardware requirements.
- Processor: Intel(R) Xeon(R) CPU E5-2650 (2 processors), 64-bit (x64) processor or higher
Deployment Size | Hardware Requirements for Directory Sync Service Server | Number of Users and Groups |
---|---|---|
Small | 2 vCPU, 8 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=4g | Up to 50,000 users and 500 groups |
Medium | 4 vCPU, 8 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=4g | Up to 100,000 users and 1,000 groups |
Large | 8 vCPU, 12 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=8g | Up to 200,000 users and 2,000 groups |

Deployment Size | Hardware Requirements for User Auth Service Server | User Auth Service |
---|---|---|
Small/Medium/Large | 2 vCPU, 4 GB RAM, 40 GB disk space. Java memory allocation for User Auth service: xmx=1g | Password authentications: 390 - 480/min |

Deployment Size | Hardware Requirements (Directory Sync and User Auth services on one server) | Number of Users and Groups |
---|---|---|
Small | 4 vCPU, 12 GB RAM, 50 GB disk space. Java memory allocation: Directory Sync service: xmx=4g; User Auth service: xmx=1g | Up to 100,000 users and 1,000 groups |
Medium | 8 vCPU, 16 GB RAM, 50 GB disk space. Java memory allocation: Directory Sync service: xmx=8g; User Auth service: xmx=1g | Up to 200,000 users and 2,000 groups |
Large | 12 vCPU, 32 GB RAM, 80 GB disk space. Java memory allocation: Directory Sync service: xmx=12g; User Auth service: xmx=1g | Up to 300,000 users and 3,000 groups |
- The memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.
- The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service and 1 GB to the User Auth service. See Increasing Java Memory for VMware Cloud Foundation Identity Connector Enterprise Services for information on how to allocate memory.
- The groups listed for the Directory Sync service are all one level, with some groups reaching 50,000+ users, and each user is associated with 5 groups.
- Deployments with large groups or nested groups require more memory.
Software Requirements
Ensure the Windows server meets the following software requirements.
Requirement | Notes |
---|---|
One of the following versions of Windows Server: | |
PowerShell | Windows servers include PowerShell by default. |
.NET Framework 4.8 or later | Windows servers include .NET Framework by default. VMware Cloud Foundation Identity Connector requires .NET Framework 4.8 or later. If .NET Framework is not installed or does not match the required version, the connector installer prompts you to install the correct version during installation. |
Network Requirements
The table below lists port requirements for the connector. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.
For configuring the ports listed, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the VMware Cloud Foundation Identity Connector. The outbound connection must remain open at all times.
Source | Destination | Port | Protocol | Notes |
---|---|---|---|---|
VMware Cloud Foundation Identity Connector | VMware Cloud Foundation Identity Broker service | 443 | HTTPS | Default port; required. Applies to Directory Sync service and User Auth service |
VMware Cloud Foundation Identity Connector | Active Directory | 389, 636, 3268, 3269 | | Default ports; these ports are configurable. Applies to Directory Sync service. Also applies to User Auth service if password authentication is used. |
VMware Cloud Foundation Identity Connector | DNS server | 53 | TCP/UDP | Every connector instance must have access to the DNS server on port 53. Applies to Directory Sync service and User Auth service. |
VMware Cloud Foundation Identity Connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | Applies to Directory Sync service. |
VMware Cloud Foundation Identity Connector | syslog server | 514 | UDP | Default port; this port is configurable. Port for external syslog server, if configured. Applies to Directory Sync service and User Auth service. |
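The following PowerShell script is an added example, not part of the VMware documentation: run it on the connector server to confirm that the outbound TCP connections in the table above are not blocked by a firewall or proxy. The Identity Broker, domain controller and DNS server addresses are assumptions; substitute the values for your environment (the Identity Broker addresses come from your email instructions).

```powershell
# Added example (not from the VMware documentation): checks outbound TCP reachability
# from the connector server to each destination in the port table.
$IdentityBroker   = 'identity-broker.example.com'   # assumed; use the address from your email instructions
$DomainController = 'dc01.corp.example.com'         # assumed
$DnsServer        = '10.28.128.10'                  # assumed

$Checks = @(
    @{ Name = 'Identity Broker (HTTPS)';    Target = $IdentityBroker;   Ports = 443 },
    @{ Name = 'Active Directory (LDAP/GC)'; Target = $DomainController; Ports = 389, 636, 3268, 3269 },
    @{ Name = 'DNS server';                 Target = $DnsServer;        Ports = 53 },
    @{ Name = 'Domain controller';          Target = $DomainController; Ports = 88, 464, 135, 445 }
)

$Results = foreach ($Check in $Checks) {
    foreach ($Port in $Check.Ports) {
        # Test-NetConnection opens a TCP connection; a proxy or firewall that rejects the
        # outbound connection shows up here as TcpTestSucceeded = False.
        $t = Test-NetConnection -ComputerName $Check.Target -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = $Check.Name
            Target = $Check.Target
            Port   = $Port
            Open   = $t.TcpTestSucceeded
        }
    }
}

$Results | Format-Table -AutoSize

# UDP ports (DNS 53, syslog 514) cannot be verified with a TCP connect. Confirm DNS by
# resolving a name through the configured DNS server instead.
Resolve-DnsName -Name $IdentityBroker -Server $DnsServer -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress

$Failed = $Results | Where-Object { -not $_.Open }
if ($Failed) {
    $List = ($Failed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Outbound connectivity failed for: $List"
    exit 1
}
```

A failed check for 443 usually means the proxy or outbound filter is terminating the connection, which the text above says must not happen.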
VMware Cloud Foundation Cloud IP Addresses
The VMware Cloud Foundation Identity Connector must have access to Broadcom IP addresses to connect to the VMware Cloud Foundation Identity Broker. These IP addresses will be included in the email instructions that are sent to you as part of this migration.
DNS Records and IP Addresses Requirements
A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.
You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
Domain Name | Resource Type | IP Address |
---|---|---|
myconnector.example.com | A | 10.28.128.3 |
This example shows reverse DNS records and IP addresses.
IP Address | Resource Type | Host Name |
---|---|---|
10.28.128.3 | PTR | myconnector.example.com |
After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host <IP address> must resolve to the connector's DNS name.
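The following PowerShell script is an added example, not part of the VMware documentation: it checks that the forward (A) and reverse (PTR) records agree and that the server actually holds the static IP address, using the sample values from the tables above. Replace the sample FQDN and IP address with the values for your environment.

```powershell
# Added example (not from the VMware documentation): verifies that the connector's forward (A)
# and reverse (PTR) DNS records are consistent with each other and with the server's address.
param(
    [string]$ConnectorFqdn = 'myconnector.example.com',   # sample value from the table; replace with yours
    [string]$ExpectedIp    = '10.28.128.3'                 # sample value from the table; replace with yours
)

# Forward lookup: the A record must return the static IP address assigned to the connector.
$a = Resolve-DnsName -Name $ConnectorFqdn -Type A -ErrorAction Stop
$forwardIps = $a | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($forwardIps -notcontains $ExpectedIp) {
    throw "Forward lookup for $ConnectorFqdn returned '$($forwardIps -join ', ')', expected $ExpectedIp"
}

# Reverse lookup: Resolve-DnsName accepts an IP address and queries the matching in-addr.arpa PTR record.
$ptr = Resolve-DnsName -Name $ExpectedIp -Type PTR -ErrorAction Stop
$reverseNames = $ptr | Where-Object { $_.Type -eq 'PTR' } | Select-Object -ExpandProperty NameHost
# Compare case-insensitively and ignore a trailing dot, which some resolvers append.
$match = $reverseNames | Where-Object { $_.TrimEnd('.') -ieq $ConnectorFqdn }
if (-not $match) {
    throw "Reverse lookup for $ExpectedIp returned '$($reverseNames -join ', ')', expected $ConnectorFqdn"
}

# Confirm the server's own static IP address matches the record, so the connector does not
# start on an address whose PTR record points at a different host.
$local = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
if ($local -notcontains $ExpectedIp) {
    Write-Warning "This server does not have $ExpectedIp configured; local IPv4 addresses: $($local -join ', ')"
}
Write-Host "DNS forward and reverse records for $ConnectorFqdn <-> $ExpectedIp are consistent."
```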
Time Synchronization
Configuring time synchronization on all VMware Cloud Foundation connector instances is required for a VMware Cloud Foundation deployment to function correctly. Set up time synchronization using an NTP server.
For the connector, configure time synchronization on the connector server.
Proxy Requirements
The connector accesses web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must configure a proxy server. You enter the proxy server information in the VMware Cloud Foundation Identity Connector installer during the installation.
VMware Cloud Foundation Identity Connector supports the following types of proxies:
- Unauthenticated HTTP proxies
- Unauthenticated HTTPS (SSL) proxies
- Authenticated HTTPS (SSL) proxies