Workspace ONE Access is distributed as a virtual appliance in OVA format. The Workspace ONE Access appliance includes identity and access management services.

Deployment Type

You consider the deployment type - standard or cluster - according to the design objectives for the availability and number of users that the system and integrated SDDC solutions must support. Workspace ONE Access is deployed on the first cluster in the management domain.

In this design, you deploy a standard topology of Workspace ONE Access for region-specific SDDC solutions.
Table 1. Topology Attributes of the Region-Specific Workspace ONE Deployment

Deployment Type

Number of Nodes

User Scale




1,000 users

You deploy a standalone Workspace ONE Access instance on the first cluster in the management domain in each region.

Table 2. Design Decisions on the Deployment of Region-Specific Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication


Deploy a standalone Workspace ONE Access instance on the first cluster in the management domain in the region.

Each instance provides an identity and access management service to the regional SDDC solutions, such as NSX-T Data Center.



Use the OVA file to deploy the standalone Workspace ONE Access instance in each region, using the standard deployment type to provide identity and access management services to regional SDDC solutions.

Deploying the standard configuration that includes the single-node appliance architecture satisfies the design objectives in scope for the design allowing Workspace ONE Access to scale to a higher number of consuming users for NSX-T Data Center.

The region-specific Workspace ONE Access instance is not managed by vRealize Suite Lifecycle Manager.

Availability is managed by vSphere High Availability only.


Protect each Workspace ONE Access node by using vSphere High Availability.

Supports the availability objectives for Workspace ONE Access without a required manual intervention during a failure event.

The standalone Workspace ONE Access instance for region-specific SDDC solutions becomes unavailable during a vSphere HA failover.


When using two availability zones, add the Workspace ONE Access appliance to the primary availability zone VM group, sfo-m01-cl01_primary-az-vmgroup.

Ensures that, by default, the Workspace ONE Access appliance is powered on within the primary availability zone hosts group.

If Workspace ONE Access is deployed after the creation of the stretched clusters for management domain availability zones, the VM group for the primary availability zone virtual machines must be updated to include the Workspace ONE Access appliance.


Place each region-specific Workspace ONE Access node in a dedicated VM folder for its region, that is, sfo-m01-fd-wsa for Region A.

Organizes the region-specific Workspace ONE Access nodes in the management domain inventory.


Sizing Compute and Storage Resources

A Workspace ONE Access standard deployment requires certain CPU, memory, and storage resources.
Table 3. CPU, Memory, and Storage Resources for the Region-Specific Workspace ONE Access Standard Deployment



Number of appliances



2 vCPUs


6 GB


4.8 GB (thin provisioned)

60.2 GB (thick provisioned)