To deploy the VMware Identity Manager connector, ensure your system meets the necessary requirements.
Compatibility Between VMware Identity Manager Service and Connector
You can use the VMware Identity Manager connector with the VMware Identity Manager Cloud service or with the on premises VMware Identity Manager service virtual appliance.
With the VMware Identity Manager Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.
With the VMware Identity Manager on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the VMware Identity Manager 19.03 service, you can use connector 19.03 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.01 connector with the 19.03 service. Using the latest compatible version of the connector is recommended.
For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.
Hardware Requirements
Ensure the Windows server meets the following hardware requirements.
| Number of Users | Up to 1000 | 1000 to 10,000 | 10,000 to 25,000 | 25,000 to 50,000 | 50,000 to 100,000 |
|---|---|---|---|---|---|
| CPU | 2 | 2 load-balanced servers, each with 4 CPU |
2 load-balanced servers, each with 4 CPU |
2 load-balanced servers, each with 4 CPU |
2 load-balanced servers, each with 4 CPU |
| RAM (GB) Per Server | 6 | 6 each | 8 each | 16 each | 16 each |
| Disk Space (GB) | 50 | 50 each | 50 each | 50 each | 50 each |
- CPU Cores should each be 2.0 GHz or higher. An Intel processor is required.
- Disk Space requirements include: 1 GB disk space for the VMware Identity Manager connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.
- To increase the memory after installing the connector, see Updating Java Memory for VMware Identity Manager Connector 19.03.
Software Requirements
Ensure the Windows server meets the following software requirements.
| Requirement | Notes |
|---|---|
| Windows Server 2019 or Windows Server 2016 or Windows Server 2012 R2 |
Note: As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported.
|
| Install PowerShell on the server |
Note: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.
Note: As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported.
|
| Install .NET Framework 4.6.2 |
Network Requirements
For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.
An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the VMware Identity Manager connector. The outbound connection required for use by VMware Identity Manager connector must remain open at all times.
| Source | Destination | Port | Protocol | Notes |
|---|---|---|---|---|
| VMware Identity Manager connector | VMware Identity Manager service VMware Identity Manager service host (on-premises installations) |
443 | HTTPS | Default port Required |
| VMware Identity Manager connector | VMware Identity Manager service load balancer (on-premises installations) | 443 | HTTPS | |
| Browsers | VMware Identity Manager connector | 8443 | HTTPS | Administrative port Required |
| Browsers | VMware Identity Manager connector | 80 | HTTP | Required |
| Browsers | VMware Identity Manager connector | 443 | HTTPS | This port is only required for a connector being used in inbound mode. If Kerberos authentication is configured on the connector, this port is required. |
| VMware Identity Manager connector | Active Directory | 389, 636, 3268, 3269 | Default ports. These ports are configurable. | |
| VMware Identity Manager connector | DNS server | 53 | TCP/UDP | Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| VMware Identity Manager connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | For Kerberos authentication |
| VMware Identity Manager connector | RSA SecurID system | 5500 | Default port. This port is configurable. | |
| VMware Identity Manager connector | Horizon Connection Server | 389, 443 | Access to Horizon Connection Server instances for Horizon integrations |
|
| VMware Identity Manager connector | Integration Broker | 80, 443 | Access to the Integration Broker for integration with Citrix-published resources.
Important: If you install the Integration Broker on the same Windows server as the VMware Identity Manager connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the
VMware Identity Manager connector.
The VMware Identity Manager connector uses ports 80, 443, and 8443. Installing the Integration Broker on the VMware Identity Manager connector server is not recommended. |
|
| VMware Identity Manager connector | syslog server | 514 | UDP | For external syslog server, if configured |
VMware Identity Manager Cloud Hosted IP Addresses
(Cloud deployments) See Knowledge Base article 68035 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager connector must have access.
DNS Records and IP Addresses Requirements
A DNS entry and a static IP address must be available for the connector. Before you begin your installation, obtain the DNS record and IP addresses to use and configure the network settings of the Windows server.
Ensure that you select an appropriate, user-friendly host name for the connector if you intend to configure Kerberos authentication. The VMware Identity Manager connector host name is visible to end users when Kerberos is configured.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.
You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
| Domain Name | Resource Type | IP Address |
|---|---|---|
| myconnector.company.com | A | 10.28.128.3 |
This example shows reverse DNS records and IP addresses.
| IP Address | Resource Type | Host Name |
|---|---|---|
| 10.28.128.3 | PTR | myconnector.company.com |
After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the DNS name lookup.
Time Synchronization
Configuring time synchronization on all VMware Identity Manager service and connector instances is required for a VMware Identity Manager deployment to function correctly.
For information on configuring time synchronization for the VMware Identity Manager connector, see Configuring Time Synchronization for the VMware Identity Manager Connector (Windows).
For information on configuring time synchronization for the VMware Identity Manager service, see Installing and Configuring VMware Identity Manager for Linux and Installing and Configuring VMware Identity Manager for Windows.
Supported Active Directory Versions
An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.
VMware Identity Manager supports Active Directory on Windows Server 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
Limit on Number of Connectors
The VMware Identity Manager console can display only 20 legacy connectors (19.03 or earlier connectors). Depending on the version of the VMware Identity Manager service that you are using, legacy connectors are listed on either the Identity & Access Management > Setup > Connectors page or the Identity & Access Management > Setup > Legacy Connectors page. Do not add more than 20 legacy connector instances to the service.
This restriction does not apply to Workspace ONE Access connector 20.01 or later.
