The clustered Workspace ONE Access is distributed as a virtual appliance in OVA format that you can deploy and manage from vRealize Suite Lifecycle Manager together with other vRealize Suite products. The Workspace ONE Access appliance includes identity and access management services.

Deployment Type

You consider the deployment type, standalone or cluster, according to the design objectives for the availability and number of users that the system and integrated SDDC solutions must support. You deploy Workspace ONE Access on the default management vSphere cluster.

Table 1. Topology Attributes of Workspace ONE Access

Deployment Type

Number of Nodes

Considerations

Standard

1

  • Single node without a load balancer

  • Can be scaled out to a 3-node cluster behind an NSX load balancer

Cluster (Recommended)

3

  • Clustered deployment using internal PostgreSQL database.

  • NSX load balancer automatically deployed.

This design uses the recommended cluster topology of Workspace ONE Access.

Table 2. Design Decisions on the Deployment Model for Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

VCF-VRS-WSA-CFG-001

Deploy Workspace ONE Access in a cluster by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.

  • Deploying the cluster configuration that includes a three-node appliance architecture satisfies the common requirements of production environments.

  • With this configuration, the Workspace ONE Access cluster deployment scales to support a higher number of consuming users for vRealize Operations and vRealize Automation.

  • The Workspace ONE Access cluster is managed by vRealize Suite Lifecycle Manager and imported into the SDDC Manager inventory.

None.

VCF-VRS-WSA-CFG-002

Use the embedded PostgreSQL database cluster with Workspace ONE Access.

Removes the need for external database services.

vRealize Suite Lifecycle Manager configures a native PostgreSQL database cluster as part of the Workspace ONE Access cluster deployment.

None.

VCF-VRS-WSA-CFG-003

Protect all Workspace ONE Access nodes using vSphere High Availability (vSphere HA).

Supports high availability for Workspace ONE Access without requiring manual intervention during an ESXi host failure event.

None.

VCF-VRS-WSA-CFG-004

Apply vSphere Distributed Resource Scheduler (vSphere DRS) anti-affinity rules for the Workspace ONE Access cluster nodes.

Using vSphere DRS prevents the Workspace ONE Access cluster nodes from residing on the same ESXi host and risking the high availability of the deployment.

  • You can place only a single ESXi host at a time into maintenance mode for a management cluster of four ESXi hosts.

  • Requires at least four physical hosts to guarantee that the three Workspace ONE Access cluster nodes continue to run if an ESXi host failure occurs.

VCF-VRS-WSA-CFG-005

Add a VM group for the Workspace ONE Access cluster nodes and set VM rules to restart the Workspace ONE Access VM group before any of the VMs that depend on it for authentication.

You can define the startup order of virtual machines regarding the service dependency. The startup order ensures that vSphere HA powers on the Workspace ONE Access virtual machines in an order that respects product dependencies.

None.

Deployment of Workspace ONE Access in Multiple Availability Zones

Under normal operating conditions, the Workspace ONE Access cluster runs in the first availability zone. If a failure in occurs in the first availability zone, the Workspace ONE Access cluster is failed over to the second availability zone.

Table 3. Design Decisions on the Deployment of Workspace ONE Access for Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

VCF-VRS-WSA-CFG-006

Add the Workspace ONE Access cluster nodes to the VM group for the first availability zone.

Ensures that, by default, the Workspace ONE Access cluster nodes are powered on a host in the first availability zone.

If the Workspace ONE Access cluster is deployed after the creation of the stretched management cluster, you must add the cluster nodes to the VM group manually.

Sizing Compute and Storage Resources

A Workspace ONE Access cluster deployment requires certain CPU, memory, and storage resources to support the maximum users and groups that can be synced.

Table 4. CPU, Memory, and Storage Resources for the Clustered Workspace ONE Access

Appliance Size

Directory Sync of Users and Groups per Tenant

CPU per Appliance

Memory per Appliance

Disk per Appliance

Extra Small

Maximum:

  • 3,000 users

  • 30 groups

4 vCPU

8 GB

100 GB

Small

Maximum:

  • 5,000 users

  • 50 groups

6 vCPU

10 GB

100 GB

Medium (Minimum requirement for vRealize Automation)

Maximum:

  • 10,000 Users

  • 100 groups

8 vCPU

16 GB

100 GB

Large

Maximum:

  • 25,000 users

  • 250 groups

10 vCPU

16 GB

100 GB

Extra Large

Maximum:

  • 50,000 users

  • 500 groups

12 vCPU

32 GB

100 GB

Extra Extra Large

Maximum:

  • 100,000 users

  • 1,000 groups

14 vCPU

48 GB

100 GB

Table 5. Design Decisions on Sizing Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

VCF-VRS-WSA-CFG-007

Deploy each of the Workspace ONE Access node as a medium-size appliance.

Supports scalability for a vRealize Automation cluster deployment.

None.