Use this design decision list for reference when designing a Workspace ONE Access cluster in an environment with a single or multiple VMware Cloud Foundation instances.

The deployment and configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.

For full design details, see Workspace ONE Access Design.

Deployment Specification

Table 1. Design Decisions on the Deployment Model for Workspace ONE Access

VCF-VRS-WSA-CFG-001

  Design Decision: Deploy Workspace ONE Access in a cluster configuration by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.

  Design Justification:

    • Deploying the cluster configuration that includes a three-node appliance architecture satisfies the common requirements of production environments.

    • With this configuration, the Workspace ONE Access cluster deployment scales to support a higher number of consuming users for vRealize Operations Manager and vRealize Automation.

    • The Workspace ONE Access cluster is managed by vRealize Suite Lifecycle Manager and imported into the SDDC Manager inventory.

  Design Implication: None.

VCF-VRS-WSA-CFG-002

  Design Decision: Use the embedded PostgreSQL database cluster with Workspace ONE Access.

  Design Justification: Removes the need for external database services. vRealize Suite Lifecycle Manager configures a native PostgreSQL database cluster as part of the Workspace ONE Access cluster deployment.

  Design Implication: None.

VCF-VRS-WSA-CFG-003

  Design Decision: Protect all Workspace ONE Access nodes using vSphere High Availability (vSphere HA).

  Design Justification: Supports high availability for Workspace ONE Access without requiring manual intervention during an ESXi host failure event.

  Design Implication: None.

VCF-VRS-WSA-CFG-004

  Design Decision: Apply vSphere Distributed Resource Scheduler (vSphere DRS) anti-affinity rules for the Workspace ONE Access cluster nodes.

  Design Justification: Using vSphere DRS prevents the Workspace ONE Access cluster nodes from residing on the same ESXi host and risking the high availability of the deployment.

  Design Implication:

    • You can place only a single ESXi host at a time into maintenance mode for a management cluster of four ESXi hosts.

    • Requires at least four physical hosts to guarantee that the three Workspace ONE Access cluster nodes continue to run if an ESXi host failure occurs.

VCF-VRS-WSA-CFG-005

  Design Decision: Add a VM group for the Workspace ONE Access cluster nodes and set VM rules to restart the Workspace ONE Access VM group before any of the VMs that depend on it for authentication.

  Design Justification: You can define the startup order of virtual machines according to their service dependencies. The startup order ensures that vSphere HA powers on the Workspace ONE Access virtual machines in an order that respects product dependencies.

  Design Implication: None.

Table 2. Design Decisions on the Deployment of Workspace ONE Access for Multiple Availability Zones

VCF-VRS-WSA-CFG-006

  Design Decision: Add the Workspace ONE Access cluster nodes to the VM group for the first availability zone.

  Design Justification: Ensures that, by default, the Workspace ONE Access cluster nodes run on a host in the first availability zone when they are powered on.

  Design Implication: If the Workspace ONE Access cluster is deployed after the creation of the stretched management cluster, you must add the cluster nodes to the VM group manually.

Table 3. Design Decisions on Sizing Workspace ONE Access

VCF-VRS-WSA-CFG-007

  Design Decision: Deploy each Workspace ONE Access node as a medium-size appliance.

  Design Justification: Supports scalability for a vRealize Automation cluster deployment.

  Design Implication: None.

Table 4. Design Decisions on Directories for Workspace ONE Access

VCF-VRS-WSA-CFG-008

  Design Decision: Connect the clustered Workspace ONE Access instance to Active Directory.

  Design Justification: You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services.

  Design Implication: None.

VCF-VRS-WSA-CFG-009

  Design Decision: Use Active Directory over LDAP as the Directory Service connection option.

  Design Justification: The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using a standard bind authentication.

  Design Implication:

    • In a multi-domain forest, where the Workspace ONE Access instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group must reside within the same Active Directory domain.

    • If authentication to more than one Active Directory domain is required, additional Workspace ONE Access directories are required.

VCF-VRS-WSA-CFG-010

  Design Decision: Use an Active Directory user account with the minimum of read-only access to the Base DNs for users and groups as the service account for the Active Directory bind.

  Design Justification: Provides the following access control features:

    • Workspace ONE Access connects to Active Directory with the minimum set of permissions required to bind to and query the directory.

    • You can introduce improved accountability in tracking request-response interactions between Workspace ONE Access and Active Directory.

  Design Implication:

    • You must manage the password life cycle of this account.

    • If authentication to more than one Active Directory domain is required, additional accounts are required for the Workspace ONE Access connector to bind to each Active Directory domain over LDAP.

VCF-VRS-WSA-CFG-011

  Design Decision: Configure the directory synchronization to synchronize only the groups required for the integrated SDDC solutions.

  Design Justification:

    • Limits the number of replicated groups required for each product.

    • Reduces the replication interval for group information.

  Design Implication: You must manage the groups from your enterprise directory that are selected for synchronization to Workspace ONE Access.

VCF-VRS-WSA-CFG-012

  Design Decision: Enable the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory.

  Design Justification: When enabled, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when the groups are added. When disabled, group names are synchronized to the directory, but members of the group are not synchronized until the group is entitled to an application or the group name is added to an access policy.

  Design Implication: None.

VCF-VRS-WSA-CFG-013

  Design Decision: Enable Workspace ONE Access to synchronize nested group members by default.

  Design Justification: Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory.

  Design Implication: Changes to group membership are not reflected until the next synchronization event.

VCF-VRS-WSA-CFG-014

  Design Decision: Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication.

  Design Justification: Limits the number of replicated users for Workspace ONE Access so that the deployment stays within its maximum scale.

  Design Implication: To ensure that replicated user accounts are kept within the maximums, you must define a filtering schema that works for your organization based on your directory attributes.

VCF-VRS-WSA-CFG-015

  Design Decision: Configure the mapped attributes that are included when a user is added to the Workspace ONE Access directory.

  Design Justification: You can configure the minimum required and extended user attributes to synchronize directory user accounts, so that the Workspace ONE Access cluster can be used as an authentication source for cross-instance vRealize Suite solutions.

  Design Implication: User accounts in your organization's enterprise directory must have the following required attributes mapped:

    • firstName, for example, givenName for Active Directory

    • lastName, for example, sn for Active Directory

    • email, for example, mail for Active Directory

    • userName, for example, sAMAccountName for Active Directory

    • If you require users to sign in with an alternate unique identifier, for example, userPrincipalName, you must map the attribute and update the identity and access management preferences.

VCF-VRS-WSA-CFG-016

  Design Decision: Configure the Workspace ONE Access directory synchronization frequency to a recurring schedule, for example, 15 minutes.

  Design Justification: Ensures that any changes to group memberships in the corporate directory are available to integrated solutions in a timely manner.

  Design Implication: Schedule the synchronization interval to be longer than the time it takes to synchronize from the enterprise directory. If users and groups are still being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the end of the previous iteration. With such a schedule, the process becomes continuous.

Table 5. Design Decisions on Identity Providers and Connectors in Workspace ONE Access

VCF-VRS-WSA-CFG-017

  Design Decision: Configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access.

  Design Justification: High availability is achieved by installing three Workspace ONE Access cluster nodes load-balanced by an NSX load balancer. Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests.

  Design Implication: Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector.

Network Design

Table 6. Design Decisions on the NSX Segment for Workspace ONE Access

VCF-VRS-WSA-NET-001

  Design Decision: Place the Workspace ONE Access cluster nodes on an overlay-backed or VLAN-backed NSX network segment.

  Design Justification: Provides a consistent deployment model for management applications in an environment with a single or multiple VMware Cloud Foundation instances.

  Design Implication: You must use an implementation in NSX-T Data Center to support this network configuration.

Table 7. Design Decisions on the IP Addressing Scheme for Workspace ONE Access

VCF-VRS-WSA-NET-002

  Design Decision: Allocate statically assigned IP addresses for the following:

    • Workspace ONE Access cluster nodes

    • Embedded PostgreSQL database

    • NSX load balancer virtual server

  Design Justification: Using statically assigned IP addresses ensures stability across the SDDC and makes the deployment simpler to maintain and easier to track.

  Design Implication: Requires precise IP address management.

Table 8. Design Decisions on Name Resolution for Workspace ONE Access

VCF-VRS-WSA-NET-003

  Design Decision: Configure forward and reverse DNS records for the following components:

    • Workspace ONE Access cluster nodes

    • NSX load balancer virtual server

  Design Justification: Workspace ONE Access is accessible by using a set of fully qualified domain names instead of only IP addresses.

  Design Implication:

    • You must provide DNS records for each Workspace ONE Access node and for the load balancer virtual server IP address.

    • All firewalls between the Workspace ONE Access nodes and the DNS servers must allow DNS traffic.

VCF-VRS-WSA-NET-004

  Design Decision: Configure the DNS settings for the Workspace ONE Access cluster nodes to use DNS servers in the first VMware Cloud Foundation instance.

  Design Justification: Workspace ONE Access requires DNS resolution to connect to SDDC components.

  Design Implication: None.

Table 9. Design Decisions on Name Resolution for Workspace ONE Access for Multiple VMware Cloud Foundation Instances

VCF-VRS-WSA-NET-005

  Design Decision: Configure the DNS settings for the Workspace ONE Access cluster nodes to use DNS servers in each VMware Cloud Foundation instance.

  Design Justification: Improves resiliency if an outage of a DNS server occurs.

  Design Implication: None.

Table 10. Design Decisions on Time Synchronization for Workspace ONE Access

VCF-VRS-WSA-NET-006

  Design Decision: Configure the NTP settings on the Workspace ONE Access cluster nodes to use NTP servers in the first VMware Cloud Foundation instance.

  Design Justification: Workspace ONE Access depends on time synchronization for all cluster nodes.

  Design Implication: All firewalls located between the Workspace ONE Access cluster nodes and the NTP servers must allow NTP traffic.

Table 11. Design Decisions on Time Synchronization for Workspace ONE Access for Multiple VMware Cloud Foundation Instances

VCF-VRS-WSA-NET-007

  Design Decision: Configure the NTP settings on the Workspace ONE Access cluster nodes to use NTP servers in each VMware Cloud Foundation instance.

  Design Justification: Improves resiliency in the event of an outage of an NTP server.

  Design Implication: If you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on each Workspace ONE Access cluster node must be updated.

Table 12. Design Decisions on Load Balancing for Workspace ONE Access

VCF-VRS-WSA-NET-008

  Design Decision: Use the NSX load balancer that is configured by SDDC Manager on a dedicated Tier-1 gateway to load balance connections across the Workspace ONE Access cluster nodes.

  Design Justification:

    • Required to deploy Workspace ONE Access as a cluster, enabling it to handle a greater load and obtain a higher level of service availability for cross-instance vRealize Suite solutions, which also share this load balancer.

    • During the deployment of Workspace ONE Access by using vRealize Suite Lifecycle Manager, SDDC Manager automates the configuration of the NSX load balancer for the Workspace ONE Access cluster.

  Design Implication: You must use the load balancer that is configured by SDDC Manager and the integration with vRealize Suite Lifecycle Manager.

Life Cycle Management Design

Table 13. Design Decisions on Life Cycle Management for Workspace ONE Access

VCF-VRS-WSA-LCM-001

  Design Decision: Use vRealize Suite Lifecycle Manager to perform the life cycle management of the Workspace ONE Access cluster.

  Design Justification: vRealize Suite Lifecycle Manager automates the life cycle of the Workspace ONE Access cluster.

  Design Implication:

    SDDC Manager provides the upgrade bundles for Workspace ONE Access to vRealize Suite Lifecycle Manager, but does not support initiating a Workspace ONE Access upgrade through the integration with vRealize Suite Lifecycle Manager.

    Upgrades of Workspace ONE Access require a bundle download in SDDC Manager and a sync to vRealize Suite Lifecycle Manager before you invoke the life cycle automation workflows in vRealize Suite Lifecycle Manager.

Information Security and Access Control Design

Table 14. Design Decisions on Integrations for Workspace ONE Access

VCF-VRS-WSA-SEC-001

  Design Decision: Configure the Workspace ONE Access instance as the authentication provider for each supported SDDC component.

  Design Justification:

    Enables authentication through Workspace ONE Access identity and access management services for vRealize Suite solutions that require mobility across VMware Cloud Foundation instances.

    Required for vRealize Automation authentication.

  Design Implication: The Workspace ONE Access cluster must be online and operational before you can authenticate to vRealize Automation.

Table 15. Design Decisions on Identity Management for Workspace ONE Access

VCF-VRS-WSA-SEC-002

  Design Decision: Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles:

    • Super Admin

    • Directory Admins

    • ReadOnly Admin

  Design Justification: Streamlines the assignment of Workspace ONE Access roles to users.

  Design Implication:

    • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

    • You must create the security groups outside of the SDDC stack.

Table 16. Design Decisions on Password Management for the Clustered Workspace ONE Access

VCF-VRS-WSA-SEC-003

  Design Decision: Rotate the appliance root user password on a schedule post deployment.

  Design Justification: The password for the root user account expires 60 days after the initial deployment and after subsequent password changes.

  Design Implication:

    You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable.

    You must manage the root password rotation schedule on the Workspace ONE Access cluster nodes by using SDDC Manager.

VCF-VRS-WSA-SEC-004

  Design Decision: Rotate the appliance sshuser user password on a schedule post deployment.

  Design Justification: The password for the appliance sshuser user account expires 60 days after the initial deployment and after subsequent password changes.

  Design Implication:

    You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable.

    You must manage the sshuser password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager.

VCF-VRS-WSA-SEC-005

  Design Decision: Rotate the admin application user password on a schedule post deployment.

  Design Justification: The password for the default administrator application user account does not expire after the initial deployment.

  Design Implication:

    You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.

    You must manage the admin password rotation schedule on the Workspace ONE Access cluster nodes by using SDDC Manager.

VCF-VRS-WSA-SEC-006

  Design Decision: Rotate the configadmin application user password on a schedule post deployment.

  Design Justification: The password for the configuration administrator application user account does not expire after the initial deployment.

  Design Implication:

    You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable.

    You must manage the configadmin password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager.

VCF-VRS-WSA-SEC-007

  Design Decision: Configure a password policy for the Workspace ONE Access local directory users, admin and configadmin.

  Design Justification:

    You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards.

    The password policy is applicable only to the local directory users and does not impact your organization directory.

  Design Implication:

    You must set the policy in accordance with your organization policies and regulatory standards, as applicable.

    You must apply the password policy on the Workspace ONE Access cluster nodes.

Table 17. Design Decisions on Certificates for Workspace ONE Access

VCF-VRS-WSA-SEC-008

  Design Decision: Use a CA-signed certificate containing the following in the SAN attributes when deploying Workspace ONE Access:

    • Each Workspace ONE Access cluster node FQDN

    • Workspace ONE Access cluster load balancer FQDN

  Design Justification: Ensures that all communications to the externally facing Workspace ONE Access browser-based UI and API, and between the components, are encrypted.

  Design Implication:

    • Certificates are managed by the Locker in vRealize Suite Lifecycle Manager.

    • Using CA-signed certificates from a certificate authority increases the deployment preparation time, because certificate requests must be generated and delivered.

    • You must manage the life cycle of the certificate replacement.

    • The SSL certificate key size must be 2048 bits or 4096 bits.

VCF-VRS-WSA-SEC-009

  Design Decision: Use a SHA-2 or higher algorithm when signing certificates.

  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.

  Design Implication: Not all certificate authorities support SHA-2.
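As an added example that is not part of the VMware design guide, the following POSIX shell script checks a Workspace ONE Access certificate against VCF-VRS-WSA-SEC-008 and VCF-VRS-WSA-SEC-009 before it is loaded into the vRealize Suite Lifecycle Manager Locker: every cluster node FQDN and the load balancer FQDN must appear as SAN entries, the key must be 2048 or 4096 bits, and the signature digest must be SHA-2. The node and load balancer hostnames are constructed, the self-signed test certificates stand in for the CA-signed certificate, and OpenSSL 1.1.1 or later is assumed for the `-addext` option.

```shell
#!/bin/sh
# Added example (not from the VMware design guide): check a Workspace ONE Access
# certificate against VCF-VRS-WSA-SEC-008/009. Hostnames below are constructed.
set -eu

WORKDIR="${TMPDIR:-/tmp}/wsa-cert-check.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# check_wsa_cert <cert.pem> <fqdn>... : print one line per check, return 0 only if all pass
check_wsa_cert() {
  cert=$1; shift
  rc=0
  text=$(openssl x509 -in "$cert" -noout -text)
  # SAN entries are on the line after the "Subject Alternative Name" header; keep one DNS name per line
  sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
  for fqdn in "$@"; do
    if printf '%s\n' "$sans" | grep -qixF "$fqdn"; then
      echo "ok   SAN contains $fqdn"
    else
      echo "FAIL SAN is missing $fqdn"; rc=1
    fi
  done
  # Key size: SEC-008 allows only 2048 or 4096 bits
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$bits" in
    2048|4096) echo "ok   key size $bits bits" ;;
    *) echo "FAIL key size ${bits:-unknown} bits (must be 2048 or 4096)"; rc=1 ;;
  esac
  # Signature digest: SEC-009 requires SHA-2 or higher; SHA-1 is deprecated
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*) echo "ok   signature algorithm $sigalg" ;;
    *) echo "FAIL signature algorithm ${sigalg:-unknown} (SHA-2 or higher required)"; rc=1 ;;
  esac
  return $rc
}

# make_test_cert <out.pem> <san-list>: self-signed stand-in for the CA-signed certificate
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$LB_FQDN" \
    -addext "subjectAltName=$2" -keyout "$WORKDIR/key.pem" -out "$1" >/dev/null 2>&1
}

# Constructed names for a three-node cluster behind one NSX load balancer virtual server
NODE_FQDNS="wsa01.example.local wsa02.example.local wsa03.example.local"
LB_FQDN="wsa.example.local"

# Correct certificate: SAN covers all three nodes plus the load balancer
make_test_cert "$WORKDIR/good.pem" "DNS:wsa01.example.local,DNS:wsa02.example.local,DNS:wsa03.example.local,DNS:$LB_FQDN"
# Common mistake: SAN covers the nodes but omits the load balancer FQDN that clients actually connect to
make_test_cert "$WORKDIR/bad.pem" "DNS:wsa01.example.local,DNS:wsa02.example.local,DNS:wsa03.example.local"

echo "== good.pem"; check_wsa_cert "$WORKDIR/good.pem" $NODE_FQDNS "$LB_FQDN" && echo "PASS"
echo "== bad.pem";  check_wsa_cert "$WORKDIR/bad.pem" $NODE_FQDNS "$LB_FQDN" || echo "FAIL (expected)"
```

To check a real certificate, call check_wsa_cert with the PEM file exported from the Locker and the FQDNs of your own nodes and load balancer virtual server.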