As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.

Workspace ONE Access provides these services:

  • Directory integration to authenticate users against existing directories such as Active Directory or LDAP.

  • Addition of two-factor authentication through integration with third-party software such as RSA SecurID, Entrust, and others.

For information on the account configuration in Active Directory and on local accounts, see the Planning and Preparation Workbook.

Figure 1. Cross-Region and Region-Specific Workspace ONE Access Deployments in Region A


Region-Specific Workspace ONE Access

The region-specific Workspace ONE Access instance provides identity and access management services to regional SDDC solutions.

Figure 2. Logical Design of the Region-Specific Workspace ONE Access Deployment

Table 1. Design Details on Region-Specific Workspace ONE Access

Design Attribute: Deployment model
Description: One appliance that is connected to the Active Directory domain of the SDDC. The appliance is deployed from an OVA file.

Design Attribute: Authenticated components
Description:
  • NSX-T Data Center
  • vRealize Log Insight

Design Attribute: Network segment
Description: Region-specific virtual network segment. See Dynamic Routing and Virtual Network Segments.

Design Attribute: Identity and access management setup
Description:
  • Integration with the rainpole.io Active Directory domain.
  • Directory Service connection is Active Directory with Integrated Windows Authentication.

Cross-Region Workspace ONE Access

The cross-region Workspace ONE Access instance provides identity and access management services to cross-region SDDC solutions.

Table 2. Design Details on Cross-Region Workspace ONE Access

Design Attribute: Deployment model
Description: A cluster of three nodes behind a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.

Design Attribute: Network segment
Description: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Design Attribute: Authenticated components
Description:
  • vRealize Suite Lifecycle Manager
  • vRealize Operations Manager
  • vRealize Automation

Design Attribute: Identity and access management setup
Description:
  • Integration with the rainpole.io Active Directory domain.
  • Directory Service connection is Active Directory with Integrated Windows Authentication.