To deploy the VMware Identity Manager connector, ensure your system meets the necessary requirements.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.

Table 1. VMware Identity Manager Connector Requirements
Number of Users Up to 1000 1000 to 10,000 10,000 to 25,000 25,000 to 50,000 50,000 to 100,000
CPU 2

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

2 load-balanced servers, each with 4 CPU

RAM (GB) Per Server 6 6 each 8 each 16 each 16 each
Disk Space (GB) 50 50 each 50 each 50 each 50 each
Note:
  • CPU Cores should each be 2.0 GHz or higher. An Intel processor is required.
  • Disk Space requirements include: 1 GB disk space for the VMware Identity Manager connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.

Software Requirements

Ensure the Windows server meets the following software requirements.

Status Checklist Requirement Notes

Windows Server 2008 R2 or

Windows Server 2012 or

Windows Server 2012 R2 or

Windows Server 2016

Install PowerShell on the server
Note: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.
Install .NET Framework 4.6.2

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the VMware Identity Manager connector. The outbound connection required for use by VMware Identity Manager connector must remain open at all times.

Table 2. VMware Identity Manager Connector Port Requirements
Source Destination Port Protocol Notes
VMware Identity Manager connector VMware Identity Manager service

VMware Identity Manager service host (on-premises installations)

443 HTTPS Default port

Required

VMware Identity Manager connector VMware Identity Manager service load balancer (on-premises installations) 443 HTTPS
Browsers VMware Identity Manager connector 8443 HTTPS Administrative port

Required

Browsers VMware Identity Manager connector 80 HTTP Required
Browsers VMware Identity Manager connector 443 HTTPS This port is only required for a connector being used in inbound mode.

If Kerberos authentication is configured on the connector, this port is required.

VMware Identity Manager connector Active Directory 389, 636, 3268, 3269 Default ports. These ports are configurable.
VMware Identity Manager connector DNS server 53 TCP/UDP

Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

VMware Identity Manager connector Domain controller 88, 464, 135, 445 TCP/UDP For Kerberos authentication
VMware Identity Manager connector RSA SecurID system 5500 Default port. This port is configurable.
VMware Identity Manager connector Horizon Connection Server 389, 443

Access to Horizon Connection Server instances for Horizon integrations

VMware Identity Manager connector Integration Broker 80, 443 Access to the Integration Broker for integration with Citrix-published resources.
Important: If you install the Integration Broker on the same Windows server as the VMware Identity Manager connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager connector.

The VMware Identity Manager connector uses ports 80, 443, and 8443.

Installing the Integration Broker on the VMware Identity Manager connector server is not recommended.

VMware Identity Manager connector syslog server 514 UDP For external syslog server, if configured

VMware Identity Manager Cloud Hosted IP Addresses

(Cloud deployments) See Knowledge Base article 2149884 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address must be available for the connector. Before you begin your installation, obtain the DNS record and IP addresses to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector if you intend to configure Kerberos authentication. The VMware Identity Manager connector host name is visible to end users when Kerberos is configured.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 3. Example of Forward DNS Records and IP Addresses
Domain Name Resource Type IP Address
myconnector.company.com A 10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 4. Example of Reverse DNS Records and IP Addresses
IP Address Resource Type Host Name
10.28.128.3 PTR myconnector.company.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the DNS name lookup.

Note: If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.
Note: If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.

Time Synchronization

Configuring time synchronization on all VMware Identity Manager service and connector instances is required for a VMware Identity Manager deployment to function correctly.

For information on configuring time synchronization for the VMware Identity Manager connector, see Configuring Time Synchronization for the VMware Identity Manager Connector (Windows).

For information on configuring time synchronization for the VMware Identity Manager service, see Installing and Configuring VMware Identity Manager for Linux and Installing and Configuring VMware Identity Manager for Windows.

Supported Active Directory Versions

An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.

VMware Identity Manager supports Active Directory on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 with a Domain functional level and Forest functional level of Windows 2003 and later.

Note: A higher functional level may be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.