For secure access to the UI and API of Workspace ONE Access, you deploy the virtual appliances on virtual network segments.

Virtual Network Segment

This network design has the following features:

  • Workspace ONE Access cluster nodes for cross-region SDDC solutions are deployed together on the same cross-region virtual network segment in Region A. This provides a consistent deployment model for management applications, and supports growth to a dual-region design.
  • All Workspace ONE Access components have routed access to the VLAN-backed management network through the NSX-T Data Center Tier-0 Gateway.
  • Routing to the VLAN-backed management network and other external networks is dynamic and is based on the Border Gateway Protocol (BGP).

Figure 1. Network Design of the Cross-Region Workspace ONE Access Deployment

The cross-region Workspace ONE Access cluster nodes are connected to the cross-region virtual network segment, which is connected to the management network through the NSX-T Tier-0/Tier-1 gateways.

As part of this design, use the application virtual network configuration to connect Workspace ONE Access with the other management solutions in the SDDC. The cross-region Workspace ONE Access cluster is connected to the cross-region virtual network segment, xreg-m01-seg01, and uses the load balancer on the NSX-T Tier-1 Gateway for high availability and for balancing user access across the Workspace ONE Access cluster.

Table 1. Design Decisions on the Virtual Network Segment for the Cross-Region Workspace ONE Access Deployment

Decision ID: SDDC-COM-SEC-IAM-021
Design Decision: Place the Workspace ONE Access cluster nodes for cross-region SDDC solutions on the existing cross-region virtual network segment, xreg-m01-seg01.
Design Justification: Provides a consistent deployment model for management applications and potential to extend to a dual-region design.
Design Implication: You must use an implementation in NSX-T Data Center to support this network configuration.

IP Addressing

Allocate a statically assigned IP address and host name from the cross-region network segment to the cross-region Workspace ONE Access cluster virtual appliances.

Table 2. Design Decisions on the IP Addressing for the Cross-Region Workspace ONE Access Deployment

Decision ID: SDDC-COM-SEC-IAM-022
Design Decision: Allocate statically assigned IP addresses and host names to the Workspace ONE Access nodes in the management domain.
Design Justification: Using statically assigned IP addresses ensures stability across the SDDC and makes it simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Name Resolution

The IP addresses of the cross-region Workspace ONE Access cluster nodes are associated with a fully qualified domain name whose suffix is set to the root domain, rainpole.io.

Table 3. Design Decisions on Name Resolution for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-023
Design Decision: Configure forward and reverse DNS records for each cross-region Workspace ONE Access appliance IP address and the load-balancer virtual IP address.
Design Justification: Workspace ONE Access is accessible by using a fully qualified domain name instead of by using IP addresses only.
Design Implication: You must provide DNS records for each Workspace ONE Access appliance and the load-balancer virtual IP address.
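The decision above requires matching forward and reverse records for every appliance and for the load-balancer virtual IP, and a Workspace ONE Access deployment fails or misbehaves when a PTR record is missing or points at a different name. The following pre-deployment check is an added example, not VMware tooling or part of this design guide: it takes the expected host-name-to-address mapping and the records a DNS server actually answers and reports every inconsistency. The host names, addresses and zone data are constructed sample values (192.0.2.0/24 is a documentation range), and the two defects in the sample data are deliberate.

```python
"""Pre-deployment check for the name-resolution decision (SDDC-COM-SEC-IAM-023):
every cross-region Workspace ONE Access appliance address and the load-balancer
virtual IP must resolve forward (A) and reverse (PTR) consistently, and each name
must sit under the root domain. Added example, not VMware tooling; all zone data
below is constructed sample data, not records from any real environment."""
import ipaddress

ROOT_DOMAIN = "rainpole.io"

# Constructed: what the design says should exist (names and addresses are placeholders).
EXPECTED = {
    "xreg-wsa01a.rainpole.io": "192.0.2.11",
    "xreg-wsa01b.rainpole.io": "192.0.2.12",
    "xreg-wsa01c.rainpole.io": "192.0.2.13",
    "xreg-wsa01.rainpole.io": "192.0.2.10",   # load-balancer virtual IP
}

# Constructed: what the DNS server currently answers. Two deliberate defects:
# node c's PTR names a stale host, and the virtual IP has no PTR at all.
FORWARD_RECORDS = {
    "xreg-wsa01a.rainpole.io": "192.0.2.11",
    "xreg-wsa01b.rainpole.io": "192.0.2.12",
    "xreg-wsa01c.rainpole.io": "192.0.2.13",
    "xreg-wsa01.rainpole.io": "192.0.2.10",
}
REVERSE_RECORDS = {
    "192.0.2.11": "xreg-wsa01a.rainpole.io",
    "192.0.2.12": "xreg-wsa01b.rainpole.io",
    "192.0.2.13": "xreg-wsa01c-old.rainpole.io",
}


def check_records(expected, forward, reverse, root_domain=ROOT_DOMAIN):
    """Return a list of findings; an empty list means the records match the design."""
    findings = []
    for fqdn, ip in expected.items():
        if not fqdn.lower().endswith("." + root_domain):
            findings.append(f"{fqdn}: name is not under the root domain {root_domain}")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{fqdn}: {ip!r} is not a valid IP address")
            continue
        a_record = forward.get(fqdn)
        if a_record is None:
            findings.append(f"{fqdn}: missing forward (A) record")
        elif a_record != ip:
            findings.append(f"{fqdn}: forward record resolves to {a_record}, design expects {ip}")
        ptr_record = reverse.get(ip)
        if ptr_record is None:
            findings.append(f"{ip}: missing reverse (PTR) record for {fqdn}")
        elif ptr_record.lower() != fqdn.lower():
            findings.append(f"{ip}: reverse record names {ptr_record}, design expects {fqdn}")
    return findings


if __name__ == "__main__":
    for line in check_records(EXPECTED, FORWARD_RECORDS, REVERSE_RECORDS) or ["all records consistent"]:
        print(line)
```

In a real environment the two record dictionaries would be filled from DNS queries against the management DNS servers; the comparison logic stays the same, and an empty findings list is the condition to require before deploying the appliances.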

Time Synchronization

Workspace ONE Access is dependent on time synchronization for all nodes.

Table 4. Design Decisions on Time Synchronization for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-024
Design Decision: Configure NTP for each Workspace ONE Access appliance.
Design Justification: Workspace ONE Access depends on time synchronization for all nodes.
Design Implication: All firewalls located between the Workspace ONE Access nodes and the NTP servers must allow NTP traffic.

Load Balancing

A Workspace ONE Access cluster deployment requires a load balancer to manage connections to Workspace ONE Access services.

The design uses load balancing services provided by NSX-T Data Center in the management domain.

Table 5. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access

Decision ID: SDDC-COM-SEC-IAM-025
Design Decision: Add a small-size load balancer in NSX-T Data Center on a dedicated Tier-1 gateway in the management domain to load balance connections across the cross-region Workspace ONE Access cluster members.
Design Justification: Required to deploy Workspace ONE Access as a cluster deployment type, enabling it to handle a greater load and obtain a higher level of availability for vRealize Automation and vRealize Operations, which also share this load balancer.
Design Implication: You must use an implementation in NSX-T Data Center to support this network configuration.

Decision ID: SDDC-COM-SEC-IAM-026
Design Decision:
  • Add an NSX-T Data Center load-balancer monitor, wsa-https-monitor, for the cross-region Workspace ONE Access cluster with an active HTTPS monitor on monitoring port 443.
  • Use the default intervals and timeouts for the monitor:
    • Monitoring interval: 3 seconds
    • Idle timeout period: 10 seconds
    • Rise/Fall: 3 seconds
  • Set the HTTP request for the monitor:
    • HTTP method: GET
    • HTTP request version: 1.1
    • Request URL: /SAAS/API/1.0/REST/system/health/heartbeat
  • Set the HTTP response for the monitor:
    • HTTP response code: 200
    • HTTP response body: OK
  • Set the SSL configuration for the monitor:
    • Server SSL: Enabled
    • Client certificate: Cross-region Workspace ONE Access cluster certificate
    • SSL profile: default-balanced-server-ssl-profile
Design Justification:
  • The active monitor uses HTTPS requests to monitor the application health reported by Workspace ONE Access.
  • Ensures that connections to unhealthy cross-region Workspace ONE Access members in the pool are disabled until a subsequent periodic health check finds the members to be healthy.
Design Implication:
  • You must manage the life cycle of the certificate used on the load balancer for the cross-region Workspace ONE Access cluster.
  • If a higher level SSL cipher profile is required, set the SSL configuration to use the default-high-security-server-ssl-profile SSL profile.

Decision ID: SDDC-COM-SEC-IAM-027
Design Decision:
  • Add an NSX-T Data Center load-balancer server pool, wsa-server-pool, for cross-region Workspace ONE Access to use the LEAST_CONNECTION algorithm.
  • Set the SNAT translation mode to Auto Map for the pool.
  • Set the static members for the pool:
    • Name: host name
    • IP: IP address
    • Port: 443
    • Weight: 1
    • State: Enabled
  • Set the monitor for the pool to wsa-https-monitor.
Design Justification:
  • LEAST_CONNECTION distributes requests to members based on the number of current connections. New connections are sent to the pool member with the fewest connections.
  • Workspace ONE Access services respond on TCP 443.
  • Auto Map is required for one-arm load balancing.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-028
Design Decision:
  • Add an NSX-T Data Center load-balancer HTTP application profile, wsa-http-app-profile, for the cross-region Workspace ONE Access.
  • Set the timeout to 3600 seconds (60 minutes).
  • Set X-Forwarded-For to Insert.
Design Justification:
  • The cross-region Workspace ONE Access cluster requires the X-Forwarded-For header.
  • The cross-region Workspace ONE Access cluster requires a longer timeout.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-029
Design Decision:
  • Add an NSX-T Data Center load-balancer cookie persistence profile, wsa-cookie-persistence-profile, for the cross-region Workspace ONE Access.
  • Set the cookie name to JSESSIONID.
  • Set the cookie mode to Rewrite.
Design Justification: The cross-region Workspace ONE Access cluster requires cookie session persistence for the Workspace ONE Access UI.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-030
Design Decision:
  • Add an NSX-T Data Center load-balancer virtual server, wsa-https, for the cross-region Workspace ONE Access cluster to use the L7 HTTP type and port 443.
  • Set the IP for the load balancer.
  • Set the persistence to Cookie.
  • Set the cookie persistence profile to wsa-cookie-persistence-profile.
  • Set the application profile to wsa-http-app-profile.
  • Set the server pool to use the cross-region Workspace ONE Access cluster server pool, wsa-server-pool.
Design Justification:
  • The virtual server receives all the client connections and distributes them among the pool members based on the state of the pool members.
  • The cross-region Workspace ONE Access cluster requires cookie session persistence.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-031
Design Decision:
  • Configure the NSX-T Data Center load-balancer virtual server, wsa-https, for the cross-region Workspace ONE Access cluster to use an SSL configuration.
  • Set the SSL configuration for the client SSL:
    • Client SSL: Enabled
    • Client certificate: Cross-region Workspace ONE Access cluster certificate
    • SSL Profile: default-balanced-client-ssl-profile
  • Set the SSL configuration for the server SSL:
    • Server SSL: Enabled
    • Client certificate: Cross-region Workspace ONE Access cluster certificate
    • SSL Profile: default-balanced-server-ssl-profile
Design Justification: End-to-end SSL is required to support load balancing for the cross-region Workspace ONE Access cluster deployment type.
Design Implication:
  • You must manage the life cycle of the certificate used on the load balancer for the cross-region Workspace ONE Access cluster.
  • If a higher level SSL cipher profile is required, set the SSL configuration to use the default-high-security-server-ssl-profile SSL profile.

Decision ID: SDDC-COM-SEC-IAM-032
Design Decision: Configure the NSX-T Data Center load-balancer virtual server, wsa-https, for the cross-region Workspace ONE Access cluster to use a Request Rewrite phase rule:
  • Match Conditions: Delete
  • Match Strategy: ALL
  • Action: HTTP Request Header Rewrite
  • Header Name: RemotePort
  • Header Value: $_remote_port
Design Justification: HTTP header rewrites are required to support load balancing for the cross-region Workspace ONE Access cluster deployment type.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-033
Design Decision:
  • Add another NSX-T Data Center load-balancer HTTP application profile, wsa-http-profile-redirect, for the cross-region Workspace ONE Access to redirect HTTP to HTTPS.
  • Set the idle timeout to 3600 seconds (60 minutes).
  • Set Redirection to HTTP to HTTPS Redirect.
Design Justification:
  • Ensures that connections to non-secure HTTP are automatically redirected to HTTPS for the cross-region Workspace ONE Access cluster.
  • The cross-region Workspace ONE Access cluster requires a longer timeout.
Design Implication: None

Decision ID: SDDC-COM-SEC-IAM-034
Design Decision:
  • Add another NSX-T Data Center load-balancer virtual server, wsa-http-redirect, for the cross-region Workspace ONE Access cluster HTTP to HTTPS redirection to use the L7 HTTP type and port 80.
  • Set the IP address for the load balancer to the same IP address that is used for the HTTPS virtual server, wsa-https.
  • Set the application profile to the HTTP to HTTPS redirect profile, wsa-http-app-profile-redirect.
Design Justification: Ensures that connections to non-secure HTTP are automatically redirected to HTTPS for the cross-region Workspace ONE Access cluster.
Design Implication: None
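Decisions SDDC-COM-SEC-IAM-026 and -027 describe the behaviour that matters operationally: a node that stops answering the heartbeat URL with 200/OK is taken out of rotation after the fall count is reached and only returns after the rise count of consecutive good checks, while new connections always go to the healthy member with the fewest current connections. The simulation below is an added example, not NSX-T or VMware code; it reproduces that monitor and pool logic in plain Python so the transitions can be observed offline. The probe is a constructed stand-in for the real HTTPS request, its answers are scripted, and the member names and addresses are placeholders. The rise and fall values default to 3, matching the monitor settings in the table.

```python
"""Simulation of the active HTTPS monitor and server pool from SDDC-COM-SEC-IAM-026
and -027: a member leaves rotation after `fall` consecutive failed heartbeat checks
and returns after `rise` consecutive successes, and each new connection goes to the
healthy member with the fewest current connections (LEAST_CONNECTION).
Added example, not NSX-T or VMware code: the probe is a constructed stand-in for
the real HTTPS request and its answers are scripted."""
from dataclasses import dataclass

HEARTBEAT_PATH = "/SAAS/API/1.0/REST/system/health/heartbeat"
EXPECTED_STATUS = 200
EXPECTED_BODY = "OK"


@dataclass
class Member:
    name: str
    ip: str
    port: int = 443
    weight: int = 1
    enabled: bool = True      # administrative state from the pool definition
    healthy: bool = True      # state maintained by the monitor
    ok_streak: int = 0
    fail_streak: int = 0
    connections: int = 0


class HttpsMonitor:
    """GET the heartbeat URL, expect status 200 and body 'OK', apply rise/fall counts."""

    def __init__(self, probe, rise=3, fall=3):
        self.probe = probe    # callable(member, path) -> (status, body); may raise
        self.rise = rise
        self.fall = fall

    def check(self, member):
        try:
            status, body = self.probe(member, HEARTBEAT_PATH)
            ok = status == EXPECTED_STATUS and body.strip() == EXPECTED_BODY
        except Exception:
            ok = False        # a timeout or TLS failure is a failed check, not an error
        if ok:
            member.ok_streak, member.fail_streak = member.ok_streak + 1, 0
            if not member.healthy and member.ok_streak >= self.rise:
                member.healthy = True
        else:
            member.fail_streak, member.ok_streak = member.fail_streak + 1, 0
            if member.healthy and member.fail_streak >= self.fall:
                member.healthy = False
        return member.healthy


class ServerPool:
    def __init__(self, members, monitor):
        self.members = list(members)
        self.monitor = monitor

    def run_health_checks(self):
        for member in self.members:
            self.monitor.check(member)

    def select(self):
        """LEAST_CONNECTION among enabled and healthy members; None if none is available."""
        candidates = [m for m in self.members if m.enabled and m.healthy]
        if not candidates:
            return None
        chosen = min(candidates, key=lambda m: m.connections)
        chosen.connections += 1
        return chosen


def scripted_probe(script):
    """Probe that replays per-member (status, body) answers, then answers 200/OK (constructed)."""
    def probe(member, path):
        answers = script.get(member.name, [])
        return answers.pop(0) if answers else (200, "OK")
    return probe


def scenario(rounds=10):
    """Node b fails three consecutive checks, then recovers. Returns b's health after each
    round and the set of members that received connections while b was out of rotation."""
    script = {"xreg-wsa01b": [(200, "OK"), (200, "OK")] + [(503, "Service Unavailable")] * 3}
    pool = ServerPool(
        [Member("xreg-wsa01a", "192.0.2.11"), Member("xreg-wsa01b", "192.0.2.12"),
         Member("xreg-wsa01c", "192.0.2.13")],
        HttpsMonitor(scripted_probe(script)),
    )
    node_b = pool.members[1]
    history, served_while_down = [], set()
    for _ in range(rounds):
        pool.run_health_checks()
        history.append(node_b.healthy)
        for _ in range(3):                    # three new client connections per round
            chosen = pool.select()
            if not node_b.healthy:
                served_while_down.add(chosen.name)
    return history, served_while_down


if __name__ == "__main__":
    print(scenario())
```

Two details are worth noticing when reading the output: with a fall count of 3 and a 3-second interval, a node keeps receiving new connections for up to nine seconds after it first fails, which is the window the design accepts in exchange for not flapping on a single slow response; and a node that answers 200 with any body other than OK (for example a maintenance page) is treated as failed, which is why the response body check is part of the monitor.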
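Decisions SDDC-COM-SEC-IAM-028 through -034 combine into two L7 virtual servers on the same IP: one on port 80 that only redirects to HTTPS, and one on port 443 that inserts X-Forwarded-For, rewrites the RemotePort header from the client's source port, and pins a browser session to the node that issued its JSESSIONID cookie. The model below is an added example, not NSX-T or VMware code, and is meant to make visible why each setting is needed: with Auto Map SNAT the node would otherwise see only the load balancer's address, and without cookie persistence a later request in the same UI session could land on a node that does not hold it. Requests and responses are plain dicts, the backend is a stub, and the `<member>~<session id>` cookie encoding is a constructed simplification of Rewrite mode, not NSX-T's actual cookie format.

```python
"""Model of the two L7 virtual servers from SDDC-COM-SEC-IAM-028 to -034: wsa-http-redirect
answers port-80 requests with a redirect to HTTPS; wsa-https applies JSESSIONID cookie
persistence in Rewrite mode, inserts X-Forwarded-For, rewrites RemotePort from the client's
source port, and falls back to LEAST_CONNECTION when no cookie names a healthy member.
Added example, not NSX-T or VMware code; the '<member>~<session id>' encoding is a
constructed simplification of Rewrite mode and the backend is a stub."""
from dataclasses import dataclass

PERSIST_COOKIE = "JSESSIONID"
TAG_SEPARATOR = "~"


@dataclass
class Member:
    name: str
    healthy: bool = True
    connections: int = 0


def parse_cookies(header):
    """Split a Cookie header into a dict (constructed minimal parser)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return cookies


def redirect_to_https(req):
    """wsa-http-redirect (L7 HTTP, port 80): every request is redirected to HTTPS."""
    return {"status": 301, "headers": {"Location": f"https://{req['host']}{req['path']}"}, "body": ""}


def pick_member(req, members):
    """A persistence cookie naming a healthy member wins; otherwise LEAST_CONNECTION."""
    sid = parse_cookies(req["headers"].get("Cookie", "")).get(PERSIST_COOKIE, "")
    if TAG_SEPARATOR in sid:
        name = sid.split(TAG_SEPARATOR, 1)[0]
        if name in members and members[name].healthy:
            return members[name]
    healthy = [m for m in members.values() if m.healthy]
    if not healthy:
        raise RuntimeError("no healthy member in wsa-server-pool")
    return min(healthy, key=lambda m: m.connections)


def https_virtual_server(req, members, backend):
    """wsa-https (L7 HTTP, port 443): choose a member and rewrite headers in both directions."""
    member = pick_member(req, members)
    member.connections += 1
    headers = dict(req["headers"])
    # With Auto Map SNAT the node sees the load balancer as its peer, so the real client
    # address and source port travel in X-Forwarded-For and the rewritten RemotePort header.
    headers["X-Forwarded-For"] = req["client_ip"]
    headers["RemotePort"] = str(req["client_port"])      # $_remote_port in the rewrite rule
    cookies = parse_cookies(headers.get("Cookie", ""))
    if TAG_SEPARATOR in cookies.get(PERSIST_COOKIE, ""):
        # Rewrite mode, inbound: strip the member tag so the node sees its own session id.
        cookies[PERSIST_COOKIE] = cookies[PERSIST_COOKIE].split(TAG_SEPARATOR, 1)[1]
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    resp = backend(member, {**req, "headers": headers})
    set_cookie = resp["headers"].get("Set-Cookie", "")
    if set_cookie.startswith(PERSIST_COOKIE + "="):
        # Rewrite mode, outbound: tag the session cookie with the member that issued it.
        value, sep, attrs = set_cookie[len(PERSIST_COOKIE) + 1:].partition(";")
        resp["headers"]["Set-Cookie"] = f"{PERSIST_COOKIE}={member.name}{TAG_SEPARATOR}{value}{sep}{attrs}"
    return member.name, resp


def stub_backend(member, req):
    """Constructed stand-in for a node: echoes what it received, issues a session cookie if none."""
    seen = req["headers"]
    headers = {"X-Seen-Cookie": seen.get("Cookie", ""), "X-Seen-XFF": seen.get("X-Forwarded-For", ""),
               "X-Seen-RemotePort": seen.get("RemotePort", "")}
    if PERSIST_COOKIE not in parse_cookies(seen.get("Cookie", "")):
        headers["Set-Cookie"] = f"{PERSIST_COOKIE}=abc123; Path=/; Secure; HttpOnly"
    return {"status": 200, "headers": headers, "body": "OK"}


def demo():
    """First request has no cookie and lands on the least-loaded node; the second carries the
    rewritten cookie and sticks to that node even though another node is now less loaded."""
    members = {n: Member(n) for n in ("xreg-wsa01a", "xreg-wsa01b", "xreg-wsa01c")}
    members["xreg-wsa01a"].connections = 5                # make node a the busiest
    base = {"host": "xreg-wsa01.rainpole.io", "path": "/SAAS/auth/login",
            "client_ip": "198.51.100.7", "client_port": 51234}   # constructed client
    redirect = redirect_to_https({**base, "headers": {}})
    first_node, first = https_virtual_server({**base, "headers": {}}, members, stub_backend)
    cookie = first["headers"]["Set-Cookie"].split(";")[0]
    second_node, second = https_virtual_server({**base, "headers": {"Cookie": cookie}},
                                               members, stub_backend)
    return redirect, first_node, first, second_node, second
```

Running `demo()` shows the first request going to node b (nodes b and c are idle and b comes first), the Set-Cookie header leaving the load balancer tagged with that node, and the second request returning to node b with the tag stripped again before the node sees it. If node b were marked unhealthy by the monitor, `pick_member` ignores the tag and falls back to LEAST_CONNECTION, which is the behaviour the persistence profile relies on the health monitor for.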