Use this list of requirements and recommendations for reference related toWorkspace ONE Access in an environment with a single or multiple VMware Cloud Foundation instances. The design elements also considers whether the management domain has a single or multiple availability zones.
For full design details, see Workspace ONE Access Design for VMware Cloud Foundation.
Requirement ID |
Design Requirement |
Justification |
Implication |
---|---|---|---|
VCF-WSA-REQD-ENV-001 |
Create a global environment in VMware Aria Suite Lifecycle to support the deployment of Workspace ONE Access. |
A global environment is required by VMware Aria Suite Lifecycle to deploy Workspace ONE Access. |
None. |
VCF-WSA-REQD-SEC-001 |
Import certificate authority-signed certificates to the Locker repository for Workspace ONE Access product life cycle operations. |
|
When using the API, you must specify the Locker ID for the certificate to be used in the JSON payload. |
VCF-WSA-REQD-CFG-001 |
Deploy an appropriately sized
Workspace ONE Access instance according to the deployment model you have selected by using
VMware Aria Suite Lifecycle in
VMware Cloud Foundation mode.
|
The Workspace ONE Access instance is managed by VMware Aria Suite Lifecycle and imported into the SDDC Manager inventory. |
None. |
VCF-WSA-REQD-CFG-002 |
Place the Workspace ONE Access appliances on an overlay-backed or VLAN-backed NSX network segment. |
Provides a consistent deployment model for management applications in an environment with a single or multiple VMware Cloud Foundation instances. |
You must use an implementation in NSX to support this network configuration. |
VCF-WSA-REQD-CFG-003 |
Use the embedded PostgreSQL database with Workspace ONE Access. |
Removes the need for external database services. |
None. |
VCF-WSA-REQD-CFG-004 |
Add a VM group for Workspace ONE Access and set VM rules to restart the Workspace ONE Access VM group before any of the VMs that depend on it for authentication. |
You can define the startup order of virtual machines regarding the service dependency. The startup order ensures that vSphere HA powers on the Workspace ONE Access virtual machines in an order that respects product dependencies. |
None. |
VCF-WSA-REQD-CFG-005 |
Connect the Workspace ONE Access instance to a supported upstream Identity Provider. |
You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services. |
None. |
VCF-WSA-REQD-CFG-006 |
If using clustered Workspace ONE Access, configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access. |
Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests. |
Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector. |
VCF-WSA-REQD-CFG-007 |
If using clustered Workspace ONE Access, use the NSX load balancer that is configured by SDDC Manager on a dedicated Tier-1 gateway. |
|
You must use the load balancer that is configured by SDDC Manager and the integration with VMware Aria Suite Lifecycle. |
Requirement ID |
Design Requirement |
Justification |
Implication |
---|---|---|---|
VCF-WSA-REQD-CFG-008 |
Add the Workspace ONE Access appliances to the VM group for the first availability zone. |
Ensures that, by default, the Workspace ONE Access cluster nodes are powered on a host in the first availability zone. |
|
Requirement ID |
Design Requirement |
Justification |
Implication |
---|---|---|---|
VCF-WSA-REQD-CFG-009 |
Configure the DNS settings for Workspace ONE Access to use DNS servers in each VMware Cloud Foundation instance. |
Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs. |
None. |
VCF-WSA-REQD-CFG-010 |
Configure the NTP settings on Workspace ONE Access cluster nodes to use NTP servers in each VMware Cloud Foundation instance. |
Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs. |
If you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on Workspace ONE Access must be updated. |
Recommendation ID |
Design Recommendation |
Justification |
Implication |
---|---|---|---|
VCF-WSA-RCMD-CFG-001 |
Protect all Workspace ONE Access nodes using vSphere HA. |
Supports high availability for Workspace ONE Access. |
None for standard deployments. Clustered Workspace ONE Access deployments might require intervention if an ESXi host failure occurs. |
VCF-WSA-RCMD-CFG-002 |
When using Active Directory as an Identity Provider, use Active Directory over LDAP as the Directory Service connection option. |
The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using a standard bind authentication. |
|
VCF-WSA-RCMD-CFG-003 |
When using Active Directory as an Identity Provider, use an Active Directory user account with a minimum of read-only access to Base DNs for users and groups as the service account for the Active Directory bind. |
Provides the following access control features:
|
|
VCF-WSA-RCMD-CFG-004 |
Configure the directory synchronization to synchronize only groups required for the integrated SDDC solutions. |
|
You must manage the groups from your enterprise directory selected for synchronization to Workspace ONE Access. |
VCF-WSA-RCMD-CFG-005 |
Activate the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory. |
When activated, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when groups are added. When deactivated, group names are synchronized to the directory, but members of the group are not synchronized until the group is entitled to an application or the group name is added to an access policy. |
None. |
VCF-WSA-RCMD-CFG-006 |
Enable Workspace ONE Access to synchronize nested group members by default. |
Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory. |
Changes to group membership are not reflected until the next synchronization event. |
VCF-WSA-RCMD-CFG-007 |
Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication. |
Limits the number of replicated users for Workspace ONE Access within the maximum scale. |
To ensure that replicated user accounts are managed within the maximums, you must define a filtering schema that works for your organization based on your directory attributes. |
VCF-WSA-RCMD-CFG-008 |
Configure the mapped attributes included when a user is added to the Workspace ONE Access directory. |
You can configure the minimum required and extended user attributes to synchronize directory user accounts for the Workspace ONE Access to be used as an authentication source for cross-instance VMware Aria Suite solutions. |
User accounts in your organization's enterprise directory must have the following required attributes mapped:
|
VCF-WSA-RCMD-CFG-009 |
Configure the Workspace ONE Access directory synchronization frequency to a reoccurring schedule, for example, 15 minutes. |
Ensures that any changes to group memberships in the corporate directory are available for integrated solutions in a timely manner. |
Schedule the synchronization interval to be longer than the time to synchronize from the enterprise directory. If users and groups are being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the end of the previous iteration. With this schedule, the process is continuous. |
VCF-WSA-RCMD-SEC-001 |
Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles:
|
Streamlines the management of Workspace ONE Access roles to users. |
|
VCF-WSA-RCMD-SEC-002 |
Configure a password policy for Workspace ONE Access local directory users, admin and configadmin. |
You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards. The password policy is applicable only to the local directory users and does not impact your organization directory. |
You must set the policy in accordance with your organization policies and regulatory standards, as applicable. You must apply the password policy on the Workspace ONE Access cluster nodes. |