This section describes the configuration of the NSX Advanced Load Balancer for Workspace ONE (WS1) access.

VMware Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Identity Manager reduces the complexity of IT administration.

There are five Workspace ONE Access services in scope for load balancing:

  • Horizon IDM Service – This is the primary service powering the catalog and all the Access settings.

  • CertProxy – Android SSO using TLS mutual authentication.

  • KDC – iOS SSO using Kerberos pk-init authentication.

  • CertAuth Service – Pure TLS mutual authentication.

  • Integrated Windows Auth/Connector – Domain joined Kerberos authentication.

Note:

In this section, we are covering configuration steps for all these five services. It is not mandatory to have all these in place, so check the requirement to understand which services need to be configured. It is assumed that services 1 to 4 are running on the same backend servers on different ports.

Prerequisites

  • Ensure the new FQDN for Identity Manager is in DNS with both forward and reverse records and points to the virtual server IP address on the NSX Advanced Load Balancer that will be used for load balancing the Identity Manager appliances.

    Note:

    VMware recommends using certificates that support Subject Alternate Names (SANs) defining each of the node FQDNs (public or internal) within the load-balanced VIP FQDN.

    Wildcard certificates can be used, but due to wildcard certificate formats, SAN support is typically not available with wildcards from public CAs - and public CAs can complain about supplying an internal FQDN as a SAN value even if they do support SAN values. Additionally, some VMware Identity Manager features may not be usable with wildcard certificates when SAN support is not defined.

  • For information on the pre-requisites and deployment instructions for Workspace ONE Access, see System and Network Configuration Requirements.

    During the deployment of theVMware Identity Manager machine, you enter the VMware Identity Manager FQDN and port number. These values must point to the host name that you want end users to access. The VMware Identity Manager machine always runs on port 443. You can use a different port number for the load balancer. If you use a different port number, you must specify it during deployment. Do not use 8443 as the port number, as this port number is the VMware identity Manager administrative port and is unique for each machine in a cluster.

  • vIDM Connectors are required to implement Kerberos AuthN for domain joined workstations.

  • For information on Load Balancer recommendations, see Using a Load Balancer or Reverse Proxy to Enable External Access to VMware Identity Manager.

External Load Balancer Proxy with Virtual Machines

During deployment, theVMware Identity Manager instance is set up inside the internal network. If you want to provide access to the service for users connecting from outside networks, you must install a load balancer in DMZ. If you do not use a load balancer or reverse proxy, you cannot expand the number of VMware Identity Manager instances later. You might need to add more instances to provide redundancy and load balancing.

The following diagram shows the basic deployment architecture that you can use to enable external access.



NSX Advanced Load Balancer Configuration Entities

Application and TCP/UDP Profile

Service/Component

Application Profile

TCP/UDP Type

TCP Timeout(in seconds)

IDM Horizon

HTTP Profile

TCP-Proxy

3600

Cet Proxy

System-L4-Application

TCP-Proxy or TCP-Fast Path

1800

Cert Auth

System-L4-Application

TCP-Proxy or TCP-Fast Path

1800

KDC-TCP

System-L4-Application

TCP-Proxy or TCP-Fast Path

1800

KDC-UDP

System-L4-Application

UDP-Proxy or UDP-Fast Path

1800

Connector/IWA

HTTP Profile

TCP-Proxy

3600

Monitors

Service/Component

Monitor Type

Health Monitor Recommendation

Health HTTP Response Code

IDM Horizon

HTTPS:443

GET /SAAS/API/1.0/REST/system/health/heartbeat

200 OK

Cet Proxy

HTTPS:5262

GET /system/health

200 OK

Cert Auth

HTTPS:7443

GET /SAAS/API/1.0/REST/system/health/heartbeat

200 OK

KDC

TCP:88

NA

NA

Connector/IWA

HTTPS:443

GET /hc/API/1.0/REST/system/health/allOk

200 OK

Persistence Profile

Service/Component

Persistence Type

Persistence Timeout

IDM Horizon

Cookie

Session Cookie

Cet Proxy

Source IP

3600 seconds

Cert Auth

Source IP

3600 seconds

KDC

Source IP

3600 seconds

Connector/IWA

No

N/A

Client SSL Profile

There is no recommended profile as such. However, if you have iOS users, then Apple iOS App Transport Security requirements apply to the Workspace ONE app on iOS. To enable users to use the Workspace ONE app on iOS, the load balancer must have ciphers with forward secrecy. The following ciphers meet this requirement: ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode as stated in the iOS 11 iOS Security document.

Server SSL profile

There is no recommended profile as such. However, if you have iOS users, then Apple iOS App Transport Security requirements apply to the Workspace ONE app on iOS. To enable users to use the Workspace ONE app on iOS, the load balancer must have ciphers with forward secrecy. The following ciphers meet this requirement: ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode as stated in the iOS 11 iOS Security document.

Pool

Service/Component

Port

Load Balancing Algorithm

Persistence

SSL Profile

IDM Horizon

443

Least Connection

Cookie

WS1-access-ServerSSL

Cet Proxy

5262

Least Connection

Source IP Address

WS1-access-ServerSSL

Cert Auth

7443

Least Connection

Source IP Address

WS1-access-ServerSSL

KDC

88

Least Connection

Source IP Address

N/A

Connector/IWA

443

Least Connection

No

WS1-access-ServerSSL

Virtual Service

Service/Component

VIP:Port

Virtual Service Type

Pool

IDM Horizon

IP1:443

L7:HTTPS

IDM Horizon-Pool

Cet Proxy

IP1:5262

L4:TCP

CertProxy-Pool

Cert Auth

IP1:7443

L4:TCP

CertAuth-Pool

KDC

IP1:88

  • L4:TCP

  • L4-UDP

KDC-Pool

Connector/IWA

IP2:443

L7-HTTPS

Connection IWA-Pool