Workspace ONE Access Design Elements for VMware Cloud Foundation

Use this list of requirements and recommendations for reference related toWorkspace ONE Access in an environment with a single or multiple VMware Cloud Foundation instances. The design elements also considers whether the management domain has a single or multiple availability zones.

For full design details, see Workspace ONE Access Design for VMware Cloud Foundation.

Table 1. Workspace ONE Access Design Requirements for VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-WSA-REQD-ENV-001	Create a global environment in vRealize Suite Lifecycle Manager to support the deployment of Workspace ONE Access.	A global environment is required by vRealize Suite Lifecycle Manager to deploy Workspace ONE Access.	None.
VCF-WSA-REQD-SEC-001	Import certificate authority-signed certificates to the Locker repository for Workspace ONE Access product life cycle operations.	You can reference and use certificate authority-signed certificates during product life cycle operations, such as deployment and certificate replacement.	When using the API, you must specify the Locker ID for the certificate to be used in the JSON payload.
VCF-WSA-REQD-CFG-001	Deploy an appropriately sized Workspace ONE Access instance according to the deployment model you have selected by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.	The Workspace ONE Access instance is managed by vRealize Suite Lifecycle Manager and imported into the SDDC Manager inventory.	None.
VCF-WSA-REQD-CFG-002	Place the Workspace ONE Access appliances on an overlay-backed or VLAN-backed NSX network segment.	Provides a consistent deployment model for management applications in an environment with a single or multiple VMware Cloud Foundation instances.	You must use an implementation in NSX to support this network configuration.
VCF-WSA-REQD-CFG-003	Use the embedded PostgreSQL database with Workspace ONE Access.	Removes the need for external database services.	None.
VCF-WSA-REQD-CFG-004	Add a VM group for Workspace ONE Access and set VM rules to restart the Workspace ONE Access VM group before any of the VMs that depend on it for authentication.	You can define the startup order of virtual machines regarding the service dependency. The startup order ensures that vSphere HA powers on the Workspace ONE Access virtual machines in an order that respects product dependencies.	None.
VCF-WSA-REQD-CFG-005	Connect the Workspace ONE Access instance to a supported upstream Identity Provider.	You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services.	None.
VCF-WSA-REQD-CFG-006	If using clustered Workspace ONE Access, configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access.	Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests.	Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector.
VCF-WSA-REQD-CFG-007	If using clustered Workspace ONE Access, use the NSX load balancer that is configured by SDDC Manager on a dedicated Tier-1 gateway.	During the deployment of Workspace ONE Access by using vRealize Suite Lifecycle Manager, SDDC Manager automates the configuration of an NSX load balancer for Workspace ONE Access to facilitate scale-out.	You must use the load balancer that is configured by SDDC Manager and the integration with vRealize Suite Lifecycle Manager.

Table 2. Workspace ONE Access Design Requirements for Stretched Clusters in VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-WSA-REQD-CFG-008	Add the Workspace ONE Access appliances to the VM group for the first availability zone.	Ensures that, by default, the Workspace ONE Access cluster nodes are powered on a host in the first availability zone.	If the Workspace ONE Access instance is deployed after the creation of the stretched management cluster, you must add the appliances to the VM group manually. ClusteredWorkspace ONE Access might require manual intervention after a failure of the active availability zone occurs.

Table 3. Workspace ONE Access Design Requirements for NSX Federation in VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-WSA-REQD-CFG-009	Configure the DNS settings for Workspace ONE Access to use DNS servers in each VMware Cloud Foundation instance.	Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs.	None.
VCF-WSA-REQD-CFG-010	Configure the NTP settings on Workspace ONE Access cluster nodes to use NTP servers in each VMware Cloud Foundation instance.	Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs.	If you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on Workspace ONE Access must be updated.

Table 4. Workspace ONE Access Design Recommendations for VMware Cloud Foundation
Recommendation ID	Design Recommendation	Justification	Implication
VCF-WSA-RCMD-CFG-001	Protect all Workspace ONE Access nodes using vSphere HA.	Supports high availability for Workspace ONE Access.	None for standard deployments. Clustered Workspace ONE Access deployments might require intervention if an ESXi host failure occurs.
VCF-WSA-RCMD-CFG-002	When using Active Directory as an Identity Provider, use Active Directory over LDAP as the Directory Service connection option.	The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using a standard bind authentication.	In a multi-domain forest, where the Workspace ONE Access instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group must reside within the same Active Directory domain. If authentication to more than one Active Directory domain is required, additional Workspace ONE Access directories are required.
VCF-WSA-RCMD-CFG-003	When using Active Directory as an Identity Provider, use an Active Directory user account with the minimum of read-only access to Base DNs for users and groups as the service account for the Active Directory bind.	Provides the following access control features: Workspace ONE Access connects to the Active Directory with the minimum set of required permissions to bind and query the directory. You can introduce an improved accountability in tracking request-response interactions between theWorkspace ONE Access and Active Directory.	You must manage the password life cycle of this account. If authentication to more than one Active Directory domain is required, additional accounts are required for the Workspace ONE Access connector bind to each Active Directory domain over LDAP.
VCF-WSA-RCMD-CFG-004	Configure the directory synchronization to synchronize only groups required for the integrated SDDC solutions.	Limits the number of replicated groups required for each product. Reduces the replication interval for group information.	You must manage the groups from your enterprise directory selected for synchronization to Workspace ONE Access.
VCF-WSA-RCMD-CFG-005	Activate the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory.	When activated, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when groups are added. When deactivated, group names are synchronized to the directory, but members of the group are not synchronized until the group is entitled to an application or the group name is added to an access policy.	None.
VCF-WSA-RCMD-CFG-006	Enable Workspace ONE Access to synchronize nested group members by default.	Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory.	Changes to group membership are not reflected until the next synchronization event.
VCF-WSA-RCMD-CFG-007	Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication.	Limits the number of replicated users for Workspace ONE Access within the maximum scale.	To ensure that replicated user accounts are managed within the maximums, you must define a filtering schema that works for your organization based on your directory attributes.
VCF-WSA-RCMD-CFG-008	Configure the mapped attributes included when a user is added to the Workspace ONE Access directory.	You can configure the minimum required and extended user attributes to synchronize directory user accounts for the Workspace ONE Access to be used as an authentication source for cross-instance vRealize Suite solutions.	User accounts in your organization's enterprise directory must have the following required attributes mapped: `firstname`, for example, `givenname` for Active Directory `lastName`, for example, `sn` for Active Directory `email`, for example, `mail` for Active Directory `userName`, for example,`sAMAccountName` for Active Directory If you require users to sign in with an alternate unique identifier, for example, `userPrincipalName`, you must map the attribute and update the identity and access management preferences.
VCF-WSA-RCMD-CFG-009	Configure the Workspace ONE Access directory synchronization frequency to a reoccurring schedule, for example, 15 minutes.	Ensures that any changes to group memberships in the corporate directory are available for integrated solutions in a timely manner.	Schedule the synchronization interval to be longer than the time to synchronize from the enterprise directory. If users and groups are being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the end of the previous iteration. With this schedule, the process is continuous.
VCF-WSA-RCMD-SEC-001	Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles: Super Admin Directory Admins ReadOnly Admin	Streamlines the management of Workspace ONE Access roles to users.	You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period. You must create the security group outside of the SDDC stack.
VCF-WSA-RCMD-SEC-002	Configure a password policy for Workspace ONE Access local directory users, admin and configadmin.	You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards. The password policy is applicable only to the local directory users and does not impact your organization directory.	You must set the policy in accordance with your organization policies and regulatory standards, as applicable. You must apply the password policy on the Workspace ONE Access cluster nodes.