You can deploy the VMware Identity Manager virtual appliance in the DMZ if you do not want to deploy it in the enterprise network. When you deploy the VMware Identity Manager appliance in the DMZ, you also deploy a standalone VMware Identity Manager connector in outbound-only connection mode in the enterprise network.

System and Network Configuration Requirements

System and network configuration requirements for deploying VMware Identity Manager in the DMZ are similar to the requirements for deploying VMware Identity Manager in the enterprise network, described in System and Network Configuration Requirements and Preparing to Deploy VMware Identity Manager in Installing and Configuring VMware Identity Manager, except for the differences listed here.

  • You do not need to open an inbound firewall port to any appliance in the enterprise network.

    The VMware Identity Manager virtual appliance is deployed in the DMZ. The VMware Identity Manager connector is deployed in the enterprise network in outbound-only connection mode and communicates with the service through a WebSocket-based communication channel that the connector initiates, so no inbound port is needed.

  • You do not need to deploy a reverse proxy or load balancer to allow external access to VMware Identity Manager.

  • A load balancer is needed only if you configure high availability and redundancy for the VMware Identity Manager virtual appliance.

  • The following ports are used. Your deployment might require only a subset of these.

    | Port                        | Source                                    | Target                                    | Description                                                                                                                  |
    |-----------------------------|-------------------------------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
    | 443                         | Load Balancer                             | VMware Identity Manager virtual appliance | HTTPS                                                                                                                        |
    | 443                         | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | HTTPS                                                                                                                        |
    | 443                         | Browsers                                  | VMware Identity Manager virtual appliance | HTTPS                                                                                                                        |
    | 88                          | Browsers                                  | VMware Identity Manager virtual appliance | TCP/UDP. iOS only                                                                                                            |
    | 5262                        | Browsers                                  | VMware Identity Manager virtual appliance | TCP/UDP. Android only                                                                                                        |
    | 443                         | VMware Identity Manager virtual appliance | vapp-updates.vmware.com                   | Access to the VMware upgrade server                                                                                          |
    | 8443                        | Browsers                                  | VMware Identity Manager virtual appliance | Administrator Port. HTTPS                                                                                                    |
    | 25                          | VMware Identity Manager virtual appliance | SMTP server                               | TCP port to relay outbound mail                                                                                              |
    | 53                          | VMware Identity Manager virtual appliance | DNS server                                | TCP/UDP. Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.    |
    | TCP: 9300-9400, UDP: 54328  | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Audit needs                                                                                                                  |
    | 5432                        | VMware Identity Manager virtual appliance | Database                                  | The PostgreSQL default port is 5432. The Oracle default port is 1521.                                                        |
    | 443                         | VMware Identity Manager virtual appliance | AirWatch REST API                         | HTTPS. For device compliance checking and for the ACC Password authentication method, if used.                               |
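As an added example, not VMware's code, the following Python script encodes the port table above, sorts each flow by the firewall boundary it crosses (Internet to DMZ, within the DMZ, DMZ to enterprise network, DMZ to Internet), and probes the TCP dependencies the appliance itself initiates. It assumes the SMTP, DNS, database and AirWatch REST API targets sit in the enterprise network, that the operator supplies the address for each target name, and it includes a constructed loopback self-test so the probe can be exercised without a network.

```python
import socket
# Port matrix from the table above as (port, protocol, source, target); VA is the appliance.
VA = "VA"
FLOWS = [
    (443, "tcp", "Load Balancer", VA), (443, "tcp", VA, VA),
    (443, "tcp", "Browsers", VA), (88, "tcp/udp", "Browsers", VA),
    (5262, "tcp/udp", "Browsers", VA), (443, "tcp", VA, "vapp-updates.vmware.com"),
    (8443, "tcp", "Browsers", VA), (25, "tcp", VA, "SMTP server"),
    (53, "tcp/udp", VA, "DNS server"), (9300, "tcp", VA, VA),  # audit range 9300-9400
    (54328, "udp", VA, VA), (5432, "tcp", VA, "Database"),
    (443, "tcp", VA, "AirWatch REST API"),
]
# Assumption: these targets sit in the enterprise network, so their flows are the only
# appliance-initiated connections the inner (DMZ to LAN) firewall must permit.
ENTERPRISE = {"SMTP server", "DNS server", "Database", "AirWatch REST API"}

def classify(flows=FLOWS):
    """Group each flow by the firewall boundary it crosses."""
    zones = {"inbound_to_dmz": [], "dmz_internal": [],
             "dmz_to_enterprise": [], "dmz_to_internet": []}
    for port, proto, src, dst in flows:
        if src != VA:
            zones["inbound_to_dmz"].append((port, proto, src))
        elif dst == VA:
            zones["dmz_internal"].append((port, proto))
        elif dst in ENTERPRISE:
            zones["dmz_to_enterprise"].append((port, proto, dst))
        else:
            zones["dmz_to_internet"].append((port, proto, dst))
    return zones

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_egress(hosts, flows=FLOWS):
    """Probe each appliance-initiated TCP flow whose target name is mapped to an address in hosts."""
    return {(dst, port): tcp_reachable(hosts[dst], port)
            for port, proto, src, dst in flows
            if src == VA and dst != VA and dst in hosts and "tcp" in proto}

def loopback_selftest():
    """Constructed check: probe a temporary loopback listener, then the same port once closed."""
    lst = socket.socket(); lst.bind(("127.0.0.1", 0)); lst.listen(1)
    port = lst.getsockname()[1]
    up = tcp_reachable("127.0.0.1", port, 1.0)
    lst.close()
    return up, tcp_reachable("127.0.0.1", port, 1.0)
```

Run `check_egress({"Database": "<db-address>", "SMTP server": "<smtp-address>"})` from the appliance before cutover; a False entry points at the inner firewall rule that still needs to be opened.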

Deploying the VMware Identity Manager Appliance

For information about deploying and configuring the VMware Identity Manager virtual appliance, see Deploying VMware Identity Manager and Managing Appliance System Configuration Settings in Installing and Configuring VMware Identity Manager.

Configuring Failover and Redundancy

For information about configuring failover and redundancy for the VMware Identity Manager virtual appliance, see the following sections in Installing and Configuring VMware Identity Manager:

Note:

The section "Using a Load Balancer or Reverse Proxy to Enable External Access to VMware Identity Manager" is not applicable in scenarios where VMware Identity Manager is deployed in the DMZ.