Two main deployment models are available for deploying VMware Identity Manager in the DMZ: one that integrates with a VMware AirWatch® deployment, and one that does not require AirWatch and uses the VMware Identity Manager connector.
You can also combine deployment models if you require functionality that is not supported in one of the models.
Deployment Model using AirWatch Cloud Connector
If you have an existing AirWatch deployment, you can integrate VMware Identity Manager with it quickly. In this model, user and group sync from your enterprise directory and user authentication are handled by AirWatch. You deploy VMware Identity Manager in the DMZ.
Note that integrating VMware Identity Manager with resources such as Horizon 7 and Citrix-published resources is not supported in this model. Only integration with Web applications and native mobile applications is supported.
Deployment Model using VMware Identity Manager Connector in outbound-only connection mode
In scenarios that do not require an AirWatch deployment, you can install the VMware Identity Manager server virtual appliance in the DMZ and a VMware Identity Manager connector virtual appliance in the enterprise network. The connector connects the server with on-premises services such as Active Directory. The connector is installed in outbound-only connection mode and does not require inbound firewall port 443 to be opened. In this model, user and group sync from your enterprise directory and user authentication are handled by the VMware Identity Manager connector.
Adding Kerberos authentication support to your VMware Identity Manager Connector deployment
If your deployment is based on connectors in outbound-only connection mode, you can add Kerberos authentication for internal users to it. Kerberos authentication requires inbound connection mode.