Enterprise Systems Connector System Requirements

Hardware Requirements

Use the following requirements as a basis for creating your Enterprise Systems Connector server.

If you are installing the ACC component only, use the following requirements.

Table 1. ACC Requirements
Number of Users	Up to 10,000	10,000 to 50,000	50,000 to 100,000
CPU Cores	2	2 load-balanced servers with 2 CPU Cores	3 load-balanced servers with 2 CPU Cores
RAM (GB) Per Server	4	4 each	8 each
Disk Space (GB)	50	50 each	50 each

The VMware Identity Manager Connector component has the following additional requirements. If you are installing both the ACC and VMware Identity Manager Connector components, add these requirements to the ACC requirements.

Table 2. VMware Identity Manager Connector Requirements
Number of Users	Up to 1000	1000 to 10,000	10,000 to 25,000	25,000 to 50,000	50,000 to 100,000
CPU	2	2 load-balanced servers, each with 4 CPU	2 load-balanced servers, each with 4 CPU	2 load-balanced servers, each with 4 CPU	2 load-balanced servers, each with 4 CPU
RAM (GB) Per Server	6	6 each	8 each	16 each	16 each
Disk Space (GB)	50	50 each	50 each	50 each	50 each

Note:

For the ACC component, traffic is automatically load-balanced by the AWCM component. It does not require a separate load balancer. Multiple ACC instances in the same organization group that connect to the same AWCM server for high availability can all expect to receive traffic (a live-live configuration). How traffic is routed is determined by AWCM and depends on the current load.
For the VMware Identity Manager Connector component, see Configuring High Availability for the VMware Identity Manager Connector.
CPU Cores should each be 2.0 GHz or higher. An Intel processor is required.
Disk Space requirements include: 1 GB disk space for the Enterprise Systems Connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.

Software Requirements

Ensure your Enterprise Systems Connector server meets all the following software requirements.

Status Checklist	Requirement	Notes
	Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2	Required for both components
	Install PowerShell on the server	Required for both components Note: (AirWatch Cloud Connector component) PowerShell version 3.0+ is required if you are deploying the PowerShell MEM-direct model for email. To check your version, open PowerShell and run the command $PSVersionTable. Note: (VMware Identity Manager Connector component) PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.
	Install .NET Framework 4.6.2	Required for both components Note: (AirWatch Cloud Connector component) The AirWatch Cloud Connector auto-update feature will not function correctly until your Enterprise Systems Connector server is updated to .NET Framework 4.6.2. The auto-update feature will not update the .NET Framework automatically. Install .NET Framework 4.6.2 manually on the Enterprise Systems Connector server before performing an upgrade.

Status Checklist

Requirement

Notes

Windows Server 2008 R2 or

Windows Server 2012 or

Windows Server 2012 R2

Required for both components

Install PowerShell on the server

Required for both components

Note:

(AirWatch Cloud Connector component) PowerShell version 3.0+ is required if you are deploying the PowerShell MEM-direct model for email. To check your version, open PowerShell and run the command $PSVersionTable.

Note:

(VMware Identity Manager Connector component) PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.

Install .NET Framework 4.6.2

Required for both components

Note:

(AirWatch Cloud Connector component) The AirWatch Cloud Connector auto-update feature will not function correctly until your Enterprise Systems Connector server is updated to .NET Framework 4.6.2. The auto-update feature will not update the .NET Framework automatically. Install .NET Framework 4.6.2 manually on the Enterprise Systems Connector server before performing an upgrade.

General Requirements

Ensure your Enterprise Systems Connector server is set up with the following general requirements to ensure a successful installation.

Status Checklist	Requirement	Notes
	Ensure that you have remote access to the servers that AirWatch is installed on	VMware AirWatch recommends setting up Remote Desktop Connection Manager for multiple server management. You can download the installer from https://www.microsoft.com/en-us/download/details.aspx?id=44989. Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to directly access the environment as well.
	Installation of Notepad++ (Recommended)	VMware AirWatch recommends setting up Notepad++.
	Services accounts for authentication to backend systems	Validate AD connectivity method using LDP.exe tool (See http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip) LDAP, BES, PowerShell, etc.

Status Checklist

Requirement

Notes

Ensure that you have remote access to the servers that AirWatch is installed on

VMware AirWatch recommends setting up Remote Desktop Connection Manager for multiple server management. You can download the installer from https://www.microsoft.com/en-us/download/details.aspx?id=44989.

Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to directly access the environment as well.

Installation of Notepad++ (Recommended)

VMware AirWatch recommends setting up Notepad++.

Services accounts for authentication to backend systems

Validate AD connectivity method using LDP.exe tool (See http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip) LDAP, BES, PowerShell, etc.

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Enterprise Systems Connector. The outbound connection required for use by Enterprise Systems Connector must remain open at all times.

Note:

Any resource such as certificate authorities that you want to reach with the ACC must be on the same domain.

Table 3. AirWatch Cloud Connector Component Port Requirements (SaaS)
Status Checklist	Source Component	Destination Component	Protocol	Port	Verification
	Enterprise Systems Connector Server	AirWatch AWCM For example: (https://awcm274.awmdm. com)	HTTPS	443	Verify by entering https://awcmXXX.awmdm.com/awcm/status and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.)
	Enterprise Systems Connector Server	AirWatch Console For example: (https://cn274.awmdm.com)	HTTP or HTTPS	80 or 443	Verify by entering https://cnXXX.awmdm.com and ensure there is no certificate trust error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443.
	Enterprise Systems Connector Server	AirWatch API For example: (https://as274.awmdm.com)	HTTPS	443	Verify by entering https://asXXX.awmdm.com/api/help and ensure you are prompted for credentials. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) ACC to API access is required for the proper functioning of the AirWatch Diagnostics service.
	Enterprise Systems Connector Server	CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl	HTTP	80	For various services to function properly
Optional Integrations
	Enterprise Systems Connector Server	Internal SMTP	SMTP	25
	Enterprise Systems Connector Server	Internal LDAP	LDAP or LDAPS	389, 636, 3268, or 3269
	Enterprise Systems Connector Server	Internal SCEP	HTTP or HTTPS	80 or 443
	Enterprise Systems Connector Server	Internal ADCS	DCOM	135, 1025-5000, 49152-65535
	Enterprise Systems Connector Server	Internal BES	HTTP or HTTPS	80 or 443
	Enterprise Systems Connector Server	Internal Exchange 2010 or higher	HTTP or HTTPS	80 or 443

Table 4. AirWatch Cloud Connector Component Port Requirements (On Premises)
	Source Component	Destination Component	Protocol	Port	Verification
	Enterprise Systems Connector Server	AirWatch Cloud Messaging Servwer	HTTPS	2001	Telnet from Enterprise Systems Connector to AWCM Server on port or once installed. Verify by entering `https://<AWCM URL>:2001/awcm/status`and ensure there is no certificate trust error. If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443. If you are using ACC with AWCM and you have multiple AWCM servers and want to load balance them, you need to configure persistence. For more information on setting up AWCM Persistence Rules Using F5, see the following Knowledge Base article: https://support.air-watch.com/articles/115001666028.
	Enterprise Systems Connector Server	AirWatch Console	HTTP or HTTPS	80 or 443	Telnet from Enterprise Systems Connector to Console on port or once installed. Verify by entering `https://<Console URL>` and ensure there is no certificate trust error. If auto-update is enabled, ACC must be able to query AirWatch Console for updates using port 443.
	Enterprise Systems Connector Server	API server (or wherever API is installed)	HTTPS	443	Verify by navigating to the URL of your API server. ACC to API access is required for the proper functioning of the AirWatch Diagnostics service.
	Enterprise Systems Connector Server	CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl	HTTP	80	For various services to function properly
Optional Integrations
	Enterprise Systems Connector Server	Internal SMTP	SMTP	25
	Enterprise Systems Connector Server	Internal LDAP	LDAP or LDAPS	389, 636, 3268, or 3269
	Enterprise Systems Connector Server	Internal SCEP	HTTP or HTTPS	80 or 443
	Enterprise Systems Connector Server	Internal ADCS	DCOM	135, 1025-5000, 49152-65535
	Enterprise Systems Connector Server	Internal BES	HTTP or HTTPS	80 or 443
	Enterprise Systems Connector Server	Internal Exchange 2010 or higher	HTTP or HTTPS	80 or 443

Table 5. VMware Identity Manager Connector Component Port Requirements (SaaS or On Premises)
Source Component	Destination Component	Port	Protocol	Notes
VMware Identity Manager Connector	VMware Identity Manager service	443	HTTPS	Default port. This port is configurable.
Browsers	VMware Identity Manager Connector	8443	HTTPS	Administrative port. Required
Browsers	VMware Identity Manager Connector	80	HTTP	Required
VMware Identity Manager Connector	Active Directory	389, 636, 3268, 3269		Default ports. These ports are configurable.
VMware Identity Manager Connector	DNS server	53	TCP/UDP	Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.
VMware Identity Manager Connector	Domain controller	88, 464, 135, 445	TCP/UDP
VMware Identity Manager Connector	RSA SecurID system	5500		Default port. This port is configurable
VMware Identity Manager Connector	View Connection Server	389, 443		Access to View Connection Server instances for Horizon View integrations
VMware Identity Manager Connector	Integration Broker	80, 443		Access to the Integration Broker for integration with Citrix-published resources. Important: If you install the Integration Broker on the same Windows server as the Enterprise Systems Connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager Connector component. The VMware Identity Manager Connector always uses port 80. It also uses 443, unless a different port is configured during installation.
VMware Identity Manager Connector	syslog server	514	UDP	For external syslog server, if configured

(VMware Identity Manager Connector Component) VMware Identity Manager Cloud Hosted IP Addresses

(SaaS customers) See Knowledge Base article 2149884 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager Connector must have access.

(VMware Identity Manager Connector Component) DNS Records and IP Addresses Requirements

A DNS entry and a static IP address must be available for the connector. Before you begin your installation, request the DNS record and IP addresses to use and configure the network settings of the Windows server.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 6. Examples of Forward DNS Records and IP Addresses
Domain Name	Resource Type	IP Address
myidentitymanager.company.com	A	10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 7. Examples of Reverse DNS Records and IP Addresses
IP Address	Resource Type	Host Name
10.28.128.3	PTR	myidentitymanager.company.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the virtual appliance command host IPaddress must resolve to the DNS name lookup.

Note:

If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.

Note:

If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.

(VMware Identity Manager Connector Component) Supported Active Directory Versions

VMware Identity Manager supports Active Directory on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, with a Domain functional level and Forest functional level of Windows 2003 and later.

An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.