You can deploy the VMware Identity Manager virtual appliance in the DMZ if you do not want to deploy it in the enterprise network. If you deploy the VMware Identity Manager appliance in the DMZ, you also deploy a standalone VMware Identity Manager connector in outbound-only connection mode in the enterprise network.

System and Network Configuration Requirements

System and network configuration requirements for deploying VMware Identity Manager in the DMZ are similar to the requirements for deploying VMware Identity Manager in the enterprise network, described in "System and Network Configuration Requirements" and "Preparing to Deploy VMware Identity Manager" in Installing and Configuring VMware Identity Manager, except for the differences listed here.

  • You do not need to open an inbound firewall port to any appliance in the enterprise network.

    The VMware Identity Manager virtual appliance is deployed in the DMZ. The VMware Identity Manager connector is deployed in the enterprise network in outbound-only connection mode: the connector initiates an outbound HTTPS (port 443) connection to the service and communicates with it over a Websocket-based channel, so the enterprise firewall only needs to permit outbound traffic from the connector to the DMZ.

  • You do not need to deploy a reverse proxy or load balancer to allow external access to VMware Identity Manager.

  • A load balancer is needed only if you configure high availability and redundancy for the VMware Identity Manager virtual appliance.

  • If you set up certificate authentication on the embedded connector, you need to enable SSL pass-through on the load balancer for the port configured as the SSL pass-through port for certificate authentication. The default port is 7443. Pass-through is required because the appliance must see the client certificate in the TLS handshake; a load balancer that terminates TLS on that port would strip it.

  • The following ports are used. Your deployment might require only a subset of these.

    Port | Source | Target | Description
    -----|--------|--------|------------
    443 | Load balancer | VMware Identity Manager virtual appliance | HTTPS
    443 | VMware Identity Manager virtual appliance | Load balancer | HTTPS. Needed to validate the load balancer FQDN when it is set
    443 | Connector | VMware Identity Manager service host | HTTPS
    443 | Connector | VMware Identity Manager service load balancer | HTTPS
    443 | Browsers | VMware Identity Manager virtual appliance | HTTPS
    88 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP. iOS SSO only
    5262 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP. Android SSO only
    88 | VMware Identity Manager virtual appliance | Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com. | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used.
    443, 80 | VMware Identity Manager virtual appliance | vapp-updates.vmware.com | Access to the VMware upgrade server
    443 | VMware Identity Manager virtual appliance | catalog.vmwareidentity.com | Access to Cloud Catalog
    443 | VMware Identity Manager virtual appliance | discovery.awmdm.com | Access for Workspace ONE application autodiscovery
    8443 | Browsers | VMware Identity Manager virtual appliance | Administrator Port. HTTPS
    25 | VMware Identity Manager virtual appliance | SMTP server | TCP port to relay outbound mail
    53 | VMware Identity Manager virtual appliance | DNS server | TCP/UDP. Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.
    443, 8443 | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | HTTPS/HTTP. For all VMware Identity Manager instances in a cluster and across clusters in different data centers
    9300 (TCP), 54328 (UDP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Audit needs
    5701 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Hazelcast cache
    40002 (TCP), 40003 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Ehcache
    1433 | VMware Identity Manager virtual appliance | Database | Microsoft SQL default port is 1433
    443 | VMware Identity Manager virtual appliance | Workspace ONE UEM REST API | HTTPS. For device compliance checking and for the ACC Password authentication method, if used.
    SSL pass-through port for certificate authentication (default 7443) | Browsers | VMware Identity Manager virtual appliance | HTTPS. For certificate authentication configured on the embedded connector.
    514 | VMware Identity Manager virtual appliance | syslog server | UDP. For external syslog server, if configured
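The following pre-flight script is an added example, not VMware's own code or tooling. It turns the outbound TCP flows from the table above into a reachability check that can be run from the DMZ appliance (or, for the connector rule, from the enterprise-side connector host), and it verifies the certificate-authentication requirement by comparing the server certificate seen through the load balancer on the pass-through port with the certificate presented directly by the appliance. The hostnames vidm.dmz.example.com, vidm-lb.dmz.example.com and sql.corp.example.com are placeholders to be replaced with the deployment's real FQDNs; the vmware.com, vmwareidentity.com and awmdm.com targets and all port numbers are taken from the table.

```python
"""Pre-flight network checks for a VMware Identity Manager DMZ deployment.

Added example (not VMware code). Placeholder hostnames are marked below;
the port list comes from the requirements table on this page.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass

# Placeholder hostnames (assumed): replace with the real FQDNs of your deployment.
VIDM_APPLIANCE = "vidm.dmz.example.com"
VIDM_LB = "vidm-lb.dmz.example.com"
SQL_SERVER = "sql.corp.example.com"


@dataclass(frozen=True)
class PortRule:
    port: int
    source: str
    target: str
    note: str


# Outbound TCP flows from the DMZ appliance, as listed in the table.
APPLIANCE_OUTBOUND = (
    PortRule(443, VIDM_APPLIANCE, VIDM_LB, "validate load balancer FQDN"),
    PortRule(443, VIDM_APPLIANCE, "vapp-updates.vmware.com", "VMware upgrade server"),
    PortRule(80, VIDM_APPLIANCE, "vapp-updates.vmware.com", "VMware upgrade server"),
    PortRule(443, VIDM_APPLIANCE, "catalog.vmwareidentity.com", "Cloud Catalog"),
    PortRule(443, VIDM_APPLIANCE, "discovery.awmdm.com", "Workspace ONE autodiscovery"),
    PortRule(1433, VIDM_APPLIANCE, SQL_SERVER, "Microsoft SQL default port"),
)

# The only flow the enterprise-side connector needs: outbound 443 to the service.
CONNECTOR_OUTBOUND = (
    PortRule(443, "connector", VIDM_LB, "outbound-only Websocket channel"),
)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(rules, probe=probe_tcp):
    """Probe every rule's target; return the list of rules that could not be reached."""
    return [r for r in rules if not probe(r.target, r.port)]


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (lower-case hex) of a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def passthrough_matches(lb_host: str, appliance_host: str, port: int = 7443) -> bool:
    """True when the certificate seen through the load balancer on `port` is the
    appliance's own certificate, i.e. the load balancer passes TLS through rather
    than terminating it. Certificate authentication on the embedded connector
    depends on this (default pass-through port 7443)."""
    via_lb = ssl.get_server_certificate((lb_host, port))
    direct = ssl.get_server_certificate((appliance_host, port))
    return fingerprint_pem(via_lb) == fingerprint_pem(direct)


if __name__ == "__main__":
    for name, rules in (("appliance", APPLIANCE_OUTBOUND), ("connector", CONNECTOR_OUTBOUND)):
        failed = check_rules(rules)
        for r in failed:
            print(f"[{name}] cannot reach {r.target}:{r.port} ({r.note})")
        print(f"[{name}] {len(rules) - len(failed)}/{len(rules)} flows reachable")
    if passthrough_matches(VIDM_LB, VIDM_APPLIANCE):
        print("7443: load balancer passes TLS through to the appliance")
    else:
        print("7443: certificate differs via the load balancer; SSL pass-through is not in effect")
```

Run the appliance checks from the DMZ appliance and the connector check from the connector host, since firewall rules differ per zone. The pass-through check catches the common misconfiguration of a load balancer terminating TLS with its own certificate; it cannot distinguish a terminating load balancer that has been given a copy of the appliance's certificate, so confirm the load balancer's own configuration for port 7443 as well.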

Deploying the VMware Identity Manager Appliance

For information about deploying and configuring the VMware Identity Manager virtual appliance, see "Deploying VMware Identity Manager" and "Managing Appliance System Configuration Settings" in Installing and Configuring VMware Identity Manager.

Configuring Failover and Redundancy

For information about configuring failover and redundancy for the VMware Identity Manager virtual appliance, see the following sections in Installing and Configuring VMware Identity Manager:

  • Configuring Failover and Redundancy in a Single Datacenter

  • Deploying VMware Identity Manager in a Secondary Datacenter for Failover and Redundancy

Note:

The section "Using a Load Balancer or Reverse Proxy to Enable External Access to VMware Identity Manager" is not applicable in scenarios where VMware Identity Manager is deployed in the DMZ.