To deploy the VMware Identity Manager connector, ensure your system meets the necessary requirements.

Compatibility Between VMware Identity Manager Service and Connector

You can use the VMware Identity Manager connector with the VMware Identity Manager Cloud service or with the on-premises VMware Identity Manager service virtual appliance.

With the VMware Identity Manager Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.

With the VMware Identity Manager on-premises service, you can use supported connector versions that are the same as or lower than the service version. For example, with the VMware Identity Manager 19.03 service, you can use connector 19.03 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.01 connector with the 19.03 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.

Table 1. VMware Identity Manager Connector Requirements
| Number of Users | Up to 1000 | 1000 to 10,000 | 10,000 to 25,000 | 25,000 to 50,000 | 50,000 to 100,000 |
|---|---|---|---|---|---|
| CPU | 2 | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU | 2 load-balanced servers, each with 4 CPU |
| RAM (GB) Per Server | 6 | 6 each | 8 each | 16 each | 16 each |
| Disk Space (GB) | 50 | 50 each | 50 each | 50 each | 50 each |

Note:
  • CPU cores should each be 2.0 GHz or higher. An Intel processor is required.
  • Disk Space requirements include: 1 GB disk space for the VMware Identity Manager connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.
  • To increase the memory after installing the connector, see Updating Java Memory for VMware Identity Manager Connector 19.03.

Software Requirements

Ensure the Windows server meets the following software requirements.

| Requirement | Notes |
|---|---|
| Windows Server 2019 or Windows Server 2016 or Windows Server 2012 R2 | Note: As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported. |
| Install PowerShell on the server | Note: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2. Note: As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported. |
| Install .NET Framework 4.6.2 | |

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the VMware Identity Manager connector. The outbound connection required for use by VMware Identity Manager connector must remain open at all times.

Table 2. VMware Identity Manager Connector Port Requirements
| Source | Destination | Port | Protocol | Notes |
|---|---|---|---|---|
| VMware Identity Manager connector | VMware Identity Manager service; VMware Identity Manager service host (on-premises installations) | 443 | HTTPS | Default port. Required. |
| VMware Identity Manager connector | VMware Identity Manager service load balancer (on-premises installations) | 443 | HTTPS | |
| Browsers | VMware Identity Manager connector | 8443 | HTTPS | Administrative port. Required. |
| Browsers | VMware Identity Manager connector | 80 | HTTP | Required |
| Browsers | VMware Identity Manager connector | 443 | HTTPS | This port is only required for a connector being used in inbound mode. If Kerberos authentication is configured on the connector, this port is required. |
| VMware Identity Manager connector | Active Directory | 389, 636, 3268, 3269 | | Default ports. These ports are configurable. |
| VMware Identity Manager connector | DNS server | 53 | TCP/UDP | Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| VMware Identity Manager connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | For Kerberos authentication |
| VMware Identity Manager connector | RSA SecurID system | 5500 | | Default port. This port is configurable. |
| VMware Identity Manager connector | Horizon Connection Server | 389, 443 | | Access to Horizon Connection Server instances for Horizon integrations |
| VMware Identity Manager connector | Integration Broker | 80, 443 | | Access to the Integration Broker for integration with Citrix-published resources. |
| VMware Identity Manager connector | syslog server | 514 | UDP | For external syslog server, if configured |

Important: If you install the Integration Broker on the same Windows server as the VMware Identity Manager connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager connector.

The VMware Identity Manager connector uses ports 80, 443, and 8443.

Installing the Integration Broker on the VMware Identity Manager connector server is not recommended.
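
The following pre-install check is an added example, not part of the VMware documentation: it reports existing listeners on the connector's own ports (80, 443, 8443), which is how an IIS binding conflict shows up, and tests outbound TCP reachability for destinations from Table 2. The destination host names are constructed placeholders; replace them with the values for your environment.

```powershell
# Added example: port pre-check for a VMware Identity Manager connector host.
# Host names below are constructed placeholders, not values from the page.

# Ports the connector itself listens on (from the page).
$connectorPorts = 80, 443, 8443

# Outbound TCP destinations taken from the port table.
$outbound = @(
    @{ Name = 'Identity Manager service'; Target = 'vidm.company.com';    Ports = 443 }
    @{ Name = 'Active Directory';         Target = 'dc01.company.com';    Ports = 389, 636, 3268, 3269 }
    @{ Name = 'Domain controller (Kerberos)'; Target = 'dc01.company.com'; Ports = 88, 464, 135, 445 }
    @{ Name = 'RSA SecurID';              Target = 'securid.company.com'; Ports = 5500 }
)

function Get-PortConflict {
    param([int[]]$Ports)
    # Any existing listener on a connector port is a binding conflict.
    # IIS bindings are held by http.sys and appear under the System process (PID 4).
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Sort-Object LocalPort, OwningProcess -Unique |
        Select-Object @{ n = 'Port'; e = { $_.LocalPort } },
                      @{ n = 'OwningPid'; e = { $_.OwningProcess } }
}

function Test-OutboundPort {
    param([hashtable[]]$Targets)
    foreach ($t in $Targets) {
        foreach ($p in $t.Ports) {
            # Test-NetConnection performs a TCP connect only.
            $r = Test-NetConnection -ComputerName $t.Target -Port $p `
                                    -WarningAction SilentlyContinue
            [pscustomobject]@{
                Destination = $t.Name
                Target      = $t.Target
                Port        = $p
                Reachable   = $r.TcpTestSucceeded
            }
        }
    }
}

Get-PortConflict -Ports $connectorPorts | Format-Table -AutoSize
Test-OutboundPort -Targets $outbound | Format-Table -AutoSize
```

The UDP entries in the table (DNS on 53, syslog on 514, and the UDP side of the Kerberos ports) are not covered by this check, because a TCP connect test cannot confirm UDP reachability.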

VMware Identity Manager Cloud Hosted IP Addresses

(Cloud deployments) See Knowledge Base article 68035 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address must be available for the connector. Before you begin your installation, obtain the DNS record and IP addresses to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector if you intend to configure Kerberos authentication. The VMware Identity Manager connector host name is visible to end users when Kerberos is configured.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 3. Example of Forward DNS Records and IP Addresses
| Domain Name | Resource Type | IP Address |
|---|---|---|
| myconnector.company.com | A | 10.28.128.3 |

This example shows reverse DNS records and IP addresses.

Table 4. Example of Reverse DNS Records and IP Addresses
| IP Address | Resource Type | Host Name |
|---|---|---|
| 10.28.128.3 | PTR | myconnector.company.com |

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command "host IPaddress" must resolve to the DNS name of the connector.

Note: If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.
Note: If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.
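
The DNS verification described above can be run from the Windows server itself. This is an added example, not part of the VMware documentation: it checks that the A record and the PTR record agree with each other and lists the domain controller SRV records. The host name and IP address are the page's sample values; the Active Directory domain name company.com is an assumption derived from that sample.

```powershell
# Added example: forward-confirmed reverse DNS check for the connector host,
# plus a lookup of the AD domain controller SRV records.
function Test-ConnectorDns {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedIp,
        [Parameter(Mandatory)][string]$AdDomain,
        [string]$DnsServer   # optional: query one specific DNS server
    )
    # -DnsOnly skips LLMNR/NetBIOS so only real DNS records are evaluated.
    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # Forward: the A record must contain the connector's static IP address.
    $a = Resolve-DnsName -Name $HostName -Type A @common |
         Where-Object { $_.Type -eq 'A' }
    $forwardOk = $a.IPAddress -contains $ExpectedIp

    # Reverse: a PTR record for that IP must point back to the same host name.
    $ptr = Resolve-DnsName -Name $ExpectedIp -Type PTR @common |
           Where-Object { $_.Type -eq 'PTR' -and
                          $_.NameHost.TrimEnd('.') -eq $HostName }
    $reverseOk = [bool]$ptr

    # SRV records that locate domain controllers for the AD domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV @common |
           Where-Object { $_.Type -eq 'SRV' }

    [pscustomobject]@{
        HostName          = $HostName
        ForwardOk         = $forwardOk
        ReverseOk         = $reverseOk
        DomainControllers = @($srv | ForEach-Object { $_.NameTarget })
    }
}

# Sample values from the tables above; company.com as the AD domain is assumed.
Test-ConnectorDns -HostName 'myconnector.company.com' `
                  -ExpectedIp '10.28.128.3' `
                  -AdDomain 'company.com'
```

An empty DomainControllers list on a Unix or Linux-based DNS server indicates that the SRV records mentioned in the note have not been created.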

Time Synchronization

Configuring time synchronization on all VMware Identity Manager service and connector instances is required for a VMware Identity Manager deployment to function correctly.

For information on configuring time synchronization for the VMware Identity Manager connector, see Configuring Time Synchronization for the VMware Identity Manager Connector (Windows).

For information on configuring time synchronization for the VMware Identity Manager service, see Installing and Configuring VMware Identity Manager for Linux and Installing and Configuring VMware Identity Manager for Windows.

Supported Active Directory Versions

An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.

VMware Identity Manager supports Active Directory on Windows Server 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.

Note: As of September 2020, Windows Server 2008, 2008 R2, and 2012 are no longer supported.
Note: A higher functional level may be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.

Limit on Number of Connectors

The VMware Identity Manager console can display only 20 legacy connectors (19.03 or earlier connectors). Depending on the version of the VMware Identity Manager service that you are using, legacy connectors are listed on either the Identity & Access Management > Setup > Connectors page or the Identity & Access Management > Setup > Legacy Connectors page. Do not add more than 20 legacy connector instances to the service.

This restriction does not apply to Workspace ONE Access connector 20.01 or later.