To deploy Enterprise Systems Connector, ensure your system meets the necessary requirements.

Hardware Requirements

Use the following requirements as a basis for creating your Enterprise Systems Connector server.

If you are installing the ACC component only, use the following requirements.

Table 1. ACC Requirements

Number of Users

Up to 10,000

10,000 to 50,000

50,000 to 100,000

CPU Cores

2

2 load-balanced servers with 2 CPU Cores

3 load-balanced servers with 2 CPU Cores

RAM (GB) Per Server

4

4 each

8 each

Disk Space (GB)

50

50 each

50 each

The VMware Identity Manager Connector component has the following additional requirements. If you are installing both the ACC and VMware Identity Manager Connector components, add these requirements to the ACC requirements.

Table 2. VMware Identity Manager Connector Requirements

Number of Users

Up to 1000

1000 to 10,000

10,000 to 25,000

25,000 to 50,000

50,000 to 100,000

CPU

2

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

RAM (GB) Per Server

6

6 each

8 each

16 each

16 each

Disk Space (GB)

50

50 each

50 each

50 each

50 each

Note:
  • For the ACC component, traffic is automatically load-balanced by the AWCM component. It does not require a separate load balancer. Multiple ACC instances in the same organization group that connect to the same AWCM server for high availability can all expect to receive traffic (a live-live configuration). How traffic is routed is determined by AWCM and depends on the current load.

  • For the VMware Identity Manager Connector component, see Configuring High Availability for the VMware Identity Manager Connector.

  • CPU Cores should each be 2.0 GHz or higher. An Intel processor is required.

  • Disk Space requirements include: 1 GB disk space for the Enterprise Systems Connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.

Software Requirements

Ensure your Enterprise Systems Connector server meets all the following software requirements.

Status Checklist

Requirement

Notes

Windows Server 2008 R2 or

Windows Server 2012 or

Windows Server 2012 R2

Required for both components

Install PowerShell on the server

Required for both components

Note:

(AirWatch Cloud Connector component) PowerShell version 3.0+ is required if you are deploying the PowerShell MEM-direct model for email. To check your version, open PowerShell and run the command $PSVersionTable.

Note:

(VMware Identity Manager Connector component) PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.

Install .NET Framework 4.6.2

Required for both components

Note:

(AirWatch Cloud Connector component) The AirWatch Cloud Connector auto-update feature will not function correctly until your Enterprise Systems Connector server is updated to .NET Framework 4.6.2. The auto-update feature will not update the .NET Framework automatically. Install .NET Framework 4.6.2 manually on the Enterprise Systems Connector server before performing an upgrade.

General Requirements

Ensure your Enterprise Systems Connector server is set up with the following general requirements to ensure a successful installation.

Status Checklist

Requirement

Notes

Ensure that you have remote access to the servers that AirWatch is installed on

VMware AirWatch recommends setting up Remote Desktop Connection Manager for multiple server management. You can download the installer from https://www.microsoft.com/en-us/download/details.aspx?id=44989.

Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to directly access the environment as well.

Installation of Notepad++ (Recommended)

VMware AirWatch recommends setting up Notepad++.

Services accounts for authentication to backend systems

Validate AD connectivity method using LDP.exe tool (See http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip) LDAP, BES, PowerShell, etc.

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Enterprise Systems Connector. The outbound connection required for use by Enterprise Systems Connector must remain open at all times.

Note:

Any resource such as certificate authorities that you want to reach with the ACC must be on the same domain.

Table 3. AirWatch Cloud Connector Component Port Requirements (SaaS)

Status Checklist

Source Component

Destination Component

Protocol

Port

Verification

Enterprise Systems Connector Server

AirWatch AWCM For example: (https://awcm274.awmdm. com)

HTTPS

443

Verify by entering https://awcmXXX.awmdm.com/awcm/status and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.)

Enterprise Systems Connector Server

AirWatch Console For example: (https://cn274.awmdm.com)

HTTP or HTTPS

80 or 443

Verify by entering https://cnXXX.awmdm.com and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443.

Enterprise Systems Connector Server

AirWatch API For example: (https://as274.awmdm.com)

HTTPS

443

Verify by entering https://asXXX.awmdm.com/api/help and ensure you are prompted for credentials. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) ACC to API access is required for the proper functioning of the AirWatch Diagnostics service.

Enterprise Systems Connector Server

CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl

HTTP

80

For various services to function properly

Optional Integrations

Enterprise Systems Connector Server

Internal SMTP

SMTP

25

Enterprise Systems Connector Server

Internal LDAP

LDAP or LDAPS

389, 636, 3268, or 3269

Enterprise Systems Connector Server

Internal SCEP

HTTP or HTTPS

80 or 443

Enterprise Systems Connector Server

Internal ADCS

DCOM

135, 1025-5000, 49152-65535

Enterprise Systems Connector Server

Internal BES

HTTP or HTTPS

80 or 443

Enterprise Systems Connector Server

Internal Exchange 2010 or higher

HTTP or HTTPS

80 or 443

Table 4. AirWatch Cloud Connector Component Port Requirements (On Premises)

Source Component

Destination Component

Protocol

Port

Verification

Enterprise Systems Connector Server

AirWatch Cloud Messaging Servwer

HTTPS

2001

Telnet from Enterprise Systems Connector to AWCM Server on port or once installed.

Verify by entering https://<AWCM URL>:2001/awcm/statusand ensure there is no certificate trust error.

If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443.

If you are using ACC with AWCM and you have multiple AWCM servers and want to load balance them, you need to configure persistence.

For more information on setting up AWCM Persistence Rules Using F5, see the following Knowledge Base article: https://support.air-watch.com/articles/115001666028.

Enterprise Systems Connector Server

AirWatch Console

HTTP or HTTPS

80 or 443

Telnet from Enterprise Systems Connector to Console on port or once installed.

Verify by entering https://<Console URL> and ensure there is no certificate trust error.

If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443.

Enterprise Systems Connector Server

API server (or wherever API is installed)

HTTPS

443

Verify by navigating to the URL of your API server.

ACC to API access is required for the proper functioning of the AirWatch Diagnostics service.

Enterprise Systems Connector Server

CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl

HTTP

80

For various services to function properly

Optional Integrations

Enterprise Systems Connector Server

Internal SMTP

SMTP

25

Enterprise Systems Connector Server

Internal LDAP

LDAP or LDAPS

389, 636, 3268, or 3269

Enterprise Systems Connector Server

Internal SCEP

HTTP or HTTPS

80 or 443

Enterprise Systems Connector Server

Internal ADCS

DCOM

135, 1025-5000, 49152-65535

Enterprise Systems Connector Server

Internal BES

HTTP or HTTPS

80 or 443

Enterprise Systems Connector Server

Internal Exchange 2010 or higher

HTTP or HTTPS

80 or 443

Table 5. VMware Identity Manager Connector Component Port Requirements (SaaS or On Premises)

Status Checklist

Source Component

Destination Component

Port

Protocol

Notes

VMware Identity Manager Connector

VMware Identity Manager service

443

HTTPS

Default port. This port is configurable.

Browsers

VMware Identity Manager Connector

8443

HTTPS

Administrative port.

Required

Browsers

VMware Identity Manager Connector

80

HTTP

Required

VMware Identity Manager Connector

Active Directory

389, 636, 3268, 3269

Default ports. These ports are configurable.

VMware Identity Manager Connector

DNS server

53

TCP/UDP

Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

VMware Identity Manager Connector

Domain controller

88, 464, 135, 445

TCP/UDP

VMware Identity Manager Connector

RSA SecurID system

5500

Default port. This port is configurable

VMware Identity Manager Connector

View Connection Server

389, 443

Access to View Connection Server instances for Horizon View integrations

VMware Identity Manager Connector

Integration Broker

80, 443

Access to the Integration Broker for integration with Citrix-published resources.

Important:

If you install the Integration Broker on the same Windows server as the Enterprise Systems Connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager Connector component.

The VMware Identity Manager Connector always uses port 80. It also uses 443, unless a different port is configured during installation.

(VMware Identity Manager Connector Component) VMware Identity Manager Cloud Hosted IP Addresses

(SaaS customers) See Knowledge Base article 2149884 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager Connector must have access.

(VMware Identity Manager Connector Component) DNS Records and IP Addresses Requirements

A DNS entry and a static IP address must be available for the connector. Before you begin your installation, request the DNS record and IP addresses to use and configure the network settings of the Windows server.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 6. Examples of Forward DNS Records and IP Addresses

Domain Name

Resource Type

IP Address

myidentitymanager.company.com

A

10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 7. Examples of Reverse DNS Records and IP Addresses

IP Address

Resource Type

Host Name

10.28.128.3

PTR

myidentitymanager.company.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the virtual appliance command host IPaddress must resolve to the DNS name lookup.

Note:

If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.

Note:

If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.

(VMware Identity Manager Connector Component) Supported Active Directory Versions

VMware Identity Manager supports Active Directory on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, with a Domain functional level and Forest functional level of Windows 2003 and later.

An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.