To deploy Enterprise Systems Connector, ensure your system meets the necessary requirements.
Hardware Requirements
Use the following requirements as a basis for creating your Enterprise Systems Connector server.
If you are installing the ACC component only, use the following requirements.
| Number of Users | Up to 10,000 | 10,000 to 50,000 | 50,000 to 100,000 |
|---|---|---|---|
| CPU Cores | 2 | 2 load-balanced servers with 2 CPU Cores | 3 load-balanced servers with 2 CPU Cores |
| RAM (GB) Per Server | 4 | 4 each | 8 each |
| Disk Space (GB) | 50 | 50 each | 50 each |
The VMware Identity Manager Connector component has the following additional requirements. If you are installing both the ACC and VMware Identity Manager Connector components, add these requirements to the ACC requirements.
| Number of Users | Up to 1000 | 1000 to 10,000 | 10,000 to 25,000 | 25,000 to 50,000 | 50,000 to 100,000 |
|---|---|---|---|---|---|
| CPU | 2 | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU |
| RAM (GB) Per Server | 6 | 6 each | 8 each | 16 each | 16 each |
| Disk Space (GB) | 50 | 50 each | 50 each | 50 each | 50 each |
For the ACC component, traffic is automatically load-balanced by the AWCM component. It does not require a separate load balancer. Multiple ACC instances in the same organization group that connect to the same AWCM server for high availability can all expect to receive traffic (a live-live configuration). How traffic is routed is determined by AWCM and depends on the current load.
For the VMware Identity Manager Connector component, see Configuring High Availability for the VMware Identity Manager Connector.
CPU Cores should each be 2.0 GHz or higher. An Intel processor is required.
Disk Space requirements include: 1 GB disk space for the Enterprise Systems Connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.
Software Requirements
Ensure your Enterprise Systems Connector server meets all the following software requirements.
| Status Checklist | Requirement | Notes |
|---|---|---|
| | Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 | Required for both components |
| | Install PowerShell on the server | Required for both components. Note: (AirWatch Cloud Connector component) PowerShell version 3.0+ is required if you are deploying the PowerShell MEM-direct model for email. To check your version, open PowerShell and run the command $PSVersionTable. Note: (VMware Identity Manager Connector component) PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2. |
| | Install .NET Framework 4.6.2 | Required for both components. Note: (AirWatch Cloud Connector component) The AirWatch Cloud Connector auto-update feature will not function correctly until your Enterprise Systems Connector server is updated to .NET Framework 4.6.2. The auto-update feature will not update the .NET Framework automatically. Install .NET Framework 4.6.2 manually on the Enterprise Systems Connector server before performing an upgrade. |
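The software checklist above can be scripted. The following is an added example, not part of the original documentation or any vendor tooling; the function name and switches are hypothetical, and treating PowerShell 4.0 as a minimum rather than an exact version is an assumption.

```powershell
# Added example (not vendor code). Avoids cmdlets newer than PowerShell 2.0 so it
# can still report on a Windows Server 2008 R2 host that has not been updated yet.
function Test-EscSoftwarePrereqs {
    param(
        [switch]$IdentityManagerConnector,  # VMware Identity Manager Connector will be installed
        [switch]$PowerShellMemDirect        # ACC with the PowerShell MEM-direct email model
    )
    $rows = @()

    # Supported OS: 6.1 = Server 2008 R2, 6.2 = Server 2012, 6.3 = Server 2012 R2.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $ver   = [version]$os.Version
    $osKey = '{0}.{1}' -f $ver.Major, $ver.Minor
    $osOk  = ($os.ProductType -ne 1) -and (@('6.1', '6.2', '6.3') -contains $osKey)  # 1 = workstation
    $rows += New-Object PSObject -Property @{
        Check = 'Windows Server 2008 R2 / 2012 / 2012 R2'; Found = $os.Caption; Pass = $osOk }

    # PowerShell: 3.0+ for MEM-direct; 4.0 for the Identity Manager Connector on
    # 2008 R2 (treated here as a minimum, which is an assumption).
    $need = [version]'1.0'
    if ($PowerShellMemDirect) { $need = [version]'3.0' }
    if ($IdentityManagerConnector -and $osKey -eq '6.1') { $need = [version]'4.0' }
    $have = $PSVersionTable.PSVersion
    $rows += New-Object PSObject -Property @{
        Check = "PowerShell $need or later"; Found = $have.ToString(); Pass = ($have -ge $need) }

    # .NET Framework: the Release DWORD is 394802 or higher for 4.6.2 and for the
    # later 4.x versions that replace it in place.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $ndp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $release = 0
    if ($ndp -and $ndp.Release) { $release = [int]$ndp.Release }
    $rows += New-Object PSObject -Property @{
        Check = '.NET Framework 4.6.2 (Release >= 394802)'; Found = "Release $release"; Pass = ($release -ge 394802) }

    $rows | Select-Object Check, Found, Pass
}

Test-EscSoftwarePrereqs -IdentityManagerConnector -PowerShellMemDirect | Format-Table -AutoSize
```

A Release value of 0 means the .NET Framework 4.x registry key was not found at all.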
General Requirements
Ensure your Enterprise Systems Connector server is set up with the following general requirements to ensure a successful installation.
| Status Checklist | Requirement | Notes |
|---|---|---|
| | Ensure that you have remote access to the servers that AirWatch is installed on | VMware AirWatch recommends setting up Remote Desktop Connection Manager for multiple server management. You can download the installer from https://www.microsoft.com/en-us/download/details.aspx?id=44989. Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to directly access the environment. |
| | Installation of Notepad++ (Recommended) | VMware AirWatch recommends setting up Notepad++. |
| | Service accounts for authentication to backend systems | Validate AD connectivity method using the LDP.exe tool (see http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip). LDAP, BES, PowerShell, etc. |
Network Requirements
For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.
An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Enterprise Systems Connector. The outbound connection required for use by Enterprise Systems Connector must remain open at all times.
Any resource such as certificate authorities that you want to reach with the ACC must be on the same domain.
| Status Checklist | Source Component | Destination Component | Protocol | Port | Verification |
|---|---|---|---|---|---|
| | Enterprise Systems Connector Server | AirWatch AWCM. For example: (https://awcm274.awmdm.com) | HTTPS | 443 | Verify by entering https://awcmXXX.awmdm.com/awcm/status and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) |
| | Enterprise Systems Connector Server | AirWatch Console. For example: (https://cn274.awmdm.com) | HTTP or HTTPS | 80 or 443 | Verify by entering https://cnXXX.awmdm.com and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443. |
| | Enterprise Systems Connector Server | AirWatch API. For example: (https://as274.awmdm.com) | HTTPS | 443 | Verify by entering https://asXXX.awmdm.com/api/help and ensure you are prompted for credentials. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) ACC to API access is required for the proper functioning of the AirWatch Diagnostics service. |
| | Enterprise Systems Connector Server | CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl | HTTP | 80 | For various services to function properly |
| | Optional Integrations | | | | |
| | Enterprise Systems Connector Server | Internal SMTP | SMTP | 25 | |
| | Enterprise Systems Connector Server | Internal LDAP | LDAP or LDAPS | 389, 636, 3268, or 3269 | |
| | Enterprise Systems Connector Server | Internal SCEP | HTTP or HTTPS | 80 or 443 | |
| | Enterprise Systems Connector Server | Internal ADCS | DCOM | 135, 1025-5000, 49152-65535 | |
| | Enterprise Systems Connector Server | Internal BES | HTTP or HTTPS | 80 or 443 | |
| | Enterprise Systems Connector Server | Internal Exchange 2010 or higher | HTTP or HTTPS | 80 or 443 | |

| Source Component | Destination Component | Protocol | Port | Verification |
|---|---|---|---|---|
| Enterprise Systems Connector Server | AirWatch Cloud Messaging Server | HTTPS | 2001 | Telnet from Enterprise Systems Connector to AWCM Server on port or once installed. Verify by entering https://<AWCM URL>:2001/awcm/status and ensure there is no certificate trust error. If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443. If you are using ACC with AWCM and you have multiple AWCM servers and want to load balance them, you need to configure persistence. For more information on setting up AWCM Persistence Rules Using F5, see the following Knowledge Base article: https://support.air-watch.com/articles/115001666028. |
| Enterprise Systems Connector Server | AirWatch Console | HTTP or HTTPS | 80 or 443 | Telnet from Enterprise Systems Connector to Console on port or once installed. Verify by entering https://<Console URL> and ensure there is no certificate trust error. If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443. |
| Enterprise Systems Connector Server | API server (or wherever API is installed) | HTTPS | 443 | Verify by navigating to the URL of your API server. ACC to API access is required for the proper functioning of the AirWatch Diagnostics service. |
| Enterprise Systems Connector Server | CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl | HTTP | 80 | For various services to function properly |
| Optional Integrations | | | | |
| Enterprise Systems Connector Server | Internal SMTP | SMTP | 25 | |
| Enterprise Systems Connector Server | Internal LDAP | LDAP or LDAPS | 389, 636, 3268, or 3269 | |
| Enterprise Systems Connector Server | Internal SCEP | HTTP or HTTPS | 80 or 443 | |
| Enterprise Systems Connector Server | Internal ADCS | DCOM | 135, 1025-5000, 49152-65535 | |
| Enterprise Systems Connector Server | Internal BES | HTTP or HTTPS | 80 or 443 | |
| Enterprise Systems Connector Server | Internal Exchange 2010 or higher | HTTP or HTTPS | 80 or 443 | |
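
The Telnet and browser checks in the Verification column can be run as one script from the Enterprise Systems Connector server. The following is an added example, not part of the original documentation; the function name is hypothetical and the host names keep the page's 'XXX' placeholder, which you must replace with your environment's values.

```powershell
# Added example. The "XXX" host names are the page's own placeholders; replace
# them with your environment's values before running.
$endpoints = @(
    @{ Name = 'AWCM';    HostName = 'awcmXXX.awmdm.com'; Port = 443; Url = 'https://awcmXXX.awmdm.com/awcm/status' },
    @{ Name = 'Console'; HostName = 'cnXXX.awmdm.com';   Port = 443; Url = 'https://cnXXX.awmdm.com' },
    @{ Name = 'API';     HostName = 'asXXX.awmdm.com';   Port = 443; Url = 'https://asXXX.awmdm.com/api/help' },
    @{ Name = 'CRL';     HostName = 'csc3-2010-crl.verisign.com'; Port = 80; Url = '' }
)

function Test-OutboundEndpoint {
    param([string]$Name, [string]$HostName, [int]$Port, [string]$Url, [int]$TimeoutMs = 5000)
    $r = New-Object PSObject -Property @{
        Name = $Name; Target = "${HostName}:$Port"; TcpOpen = $false; TlsTrusted = $null; Detail = '' }

    # Step 1: plain TCP connect with a timeout (the Telnet test, scripted).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($pending)
            $r.TcpOpen = $true
        } else { $r.Detail = 'TCP connect failed or timed out' }
    } catch { $r.Detail = $_.Exception.Message } finally { $client.Close() }

    # Step 2: HTTPS request. .NET validates the chain against the machine trust
    # store, so a TrustFailure here is the "certificate trust error" to look for.
    if ($r.TcpOpen -and $Url) {
        try {
            $req = [System.Net.WebRequest]::Create($Url)
            $req.Timeout = $TimeoutMs
            $req.GetResponse().Close()
            $r.TlsTrusted = $true
        } catch {
            $ex = $_.Exception
            while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
            if ($ex -and $ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
                $r.TlsTrusted = $false; $r.Detail = $ex.Message
            } elseif ($ex -and $ex.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) {
                # An HTTP error such as 401 (credential prompt) means TLS itself succeeded.
                $r.TlsTrusted = $true; $r.Detail = 'HTTP ' + [int]$ex.Response.StatusCode
            } else { $r.Detail = $_.Exception.Message }
        }
    }
    $r | Select-Object Name, Target, TcpOpen, TlsTrusted, Detail
}

foreach ($e in $endpoints) { Test-OutboundEndpoint @e }
```

TlsTrusted stays empty when the request failed for a reason other than certificate trust, for example a TLS protocol mismatch or a proxy that closed the connection; Detail carries the error text in that case.
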
| Status Checklist | Source Component | Destination Component | Port | Protocol | Notes |
|---|---|---|---|---|---|
| | VMware Identity Manager Connector | VMware Identity Manager service | 443 | HTTPS | Default port. This port is configurable. |
| | Browsers | VMware Identity Manager Connector | 8443 | HTTPS | Administrative port. Required |
| | Browsers | VMware Identity Manager Connector | 80 | HTTP | Required |
| | VMware Identity Manager Connector | Active Directory | 389, 636, 3268, 3269 | | Default ports. These ports are configurable. |
| | VMware Identity Manager Connector | DNS server | 53 | TCP/UDP | Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| | VMware Identity Manager Connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | |
| | VMware Identity Manager Connector | RSA SecurID system | 5500 | | Default port. This port is configurable |
| | VMware Identity Manager Connector | View Connection Server | 389, 443 | | Access to View Connection Server instances for Horizon View integrations |
| | VMware Identity Manager Connector | Integration Broker | 80, 443 | | Access to the Integration Broker for integration with Citrix-published resources. Important: If you install the Integration Broker on the same Windows server as the Enterprise Systems Connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager Connector component. The VMware Identity Manager Connector always uses port 80. It also uses 443, unless a different port is configured during installation. |
| | VMware Identity Manager Connector | syslog server | 514 | UDP | For external syslog server, if configured |

(VMware Identity Manager Connector Component) VMware Identity Manager Cloud Hosted IP Addresses
(SaaS customers) See Knowledge Base article 2149884 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager Connector must have access.
(VMware Identity Manager Connector Component) DNS Records and IP Addresses Requirements
A DNS entry and a static IP address must be available for the connector. Before you begin your installation, request the DNS record and IP addresses to use and configure the network settings of the Windows server.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.
You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
| Domain Name | Resource Type | IP Address |
|---|---|---|
| myidentitymanager.company.com | A | 10.28.128.3 |

This example shows reverse DNS records and IP addresses.
| IP Address | Resource Type | Host Name |
|---|---|---|
| 10.28.128.3 | PTR | myidentitymanager.company.com |

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the virtual appliance command host IPaddress must resolve to the DNS name lookup.
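On the Windows server, the forward and reverse records can be checked together. The following is an added example, not part of the original documentation; the function name is hypothetical and the default values are the sample record shown above.

```powershell
# Added example. The defaults are the sample record from the tables above;
# pass the DNS name and static IP requested for your connector.
function Test-ConnectorDns {
    param(
        [string]$HostName   = 'myidentitymanager.company.com',
        [string]$ExpectedIp = '10.28.128.3'
    )
    $forward = @(); $ptrName = ''; $errors = @()

    # Forward lookup: the A record must return the connector's static IP.
    try {
        $forward = @([System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch { $errors += "forward: $($_.Exception.Message)" }

    # Reverse lookup: the PTR record must return the same DNS name.
    try {
        $ip = [System.Net.IPAddress]::Parse($ExpectedIp)
        $ptrName = [System.Net.Dns]::GetHostEntry($ip).HostName.TrimEnd('.')
    } catch { $errors += "reverse: $($_.Exception.Message)" }

    New-Object PSObject -Property @{
        HostName  = $HostName
        Forward   = ($forward -join ', ')
        ForwardOk = ($forward -contains $ExpectedIp)
        Reverse   = $ptrName
        ReverseOk = ($ptrName -eq $HostName.TrimEnd('.'))   # -eq ignores case
        Errors    = ($errors -join '; ')
    } | Select-Object HostName, Forward, ForwardOk, Reverse, ReverseOk, Errors
}

Test-ConnectorDns | Format-List
```

These calls go through the Windows resolver, so a hosts file entry or the machine's own name can satisfy a lookup; run the check from a second host to confirm the records on the DNS server itself.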
If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.
If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.
(VMware Identity Manager Connector Component) Supported Active Directory Versions
VMware Identity Manager supports Active Directory on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, with a Domain functional level and Forest functional level of Windows 2003 and later.
An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.