To deploy the Workspace ONE Access 20.01 connector, which includes the Directory Sync service, User Auth service, and Kerberos Auth service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.
Compatibility Between Workspace ONE Access Service and Connector
You can use the Workspace ONE Access connector with the Workspace ONE Access Cloud service or with the on premises Workspace ONE Access service virtual appliance.
With the Workspace ONE Access Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.
With the Workspace ONE Access on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the Workspace ONE Access 20.01 service, you can use connector 20.01.x and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.01 connector with the 19.03 service. Using the latest compatible version of the connector is recommended.
For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.
Number of Servers Required
You can install the Directory Sync, User Auth, and Kerberos Auth services together on a single Windows server or install them on separate servers in any combination, depending on your preferences. To install all the services together, you need a more powerful server. To install the services separately, you need to obtain multiple servers.
Multiple servers are required if you want to set up high availability for any of the services.
Also consider that the Kerberos Auth service requires inbound connectivity while the other services do not.
Hardware Requirements
Ensure the Windows server meets the following hardware requirements.
- Processor: Inte(R)Xeon(R) CPU E5-2650 [email protected] GHZ (2 processors) x64 bit processor or higher
| Deployment Size | Hardware Requirements | Number of Users and Groups |
|---|---|---|
| Small | 2 vCPU, 8 GB RAM, 40 GB Disk Space Java memory allocation for Directory Sync service: xmx=4g |
Up to 50,000 users and 500 groups |
| Medium | 4 vCPU, 8 GB RAM, 40 GB Disk Space Java memory allocation for Directory Sync service: xmx=4g |
Up to 100,000 users and 1,000 groups |
| Large | 8 vCPU, 12 GB RAM, 40 GB Disk Space Java memory allocation for Directory Sync service: xmx=8g |
Up to 200,000 users and 2,000 groups |
| Deployment Size | Hardware Requirement for User Auth or Kerberos Auth Service Server | User Auth Service | Kerberos Auth Service |
|---|---|---|---|
| Small/Medium/Large | 2 vCPU, 4 GB RAM, 40 GB Disk Space Java memory allocation for User Auth service or Kerberos Auth service: xmx=1g |
Password authentications: 390 - 480/min WSFed Active Flow: 720 - 900/min |
Kerberos authentications: 420 - 480/min |
| Deployment Size | Hardware Requirements | Directory Sync |
|---|---|---|
| Small | 2 vCPU, 8GB RAM, 40GB Disk Space Java Memory Allocation: Directory Sync service: xmx=4g Kerberos Auth service: xmx=1g User Auth service: xmx=1g |
Up to 50,000 users and 500 groups |
| Medium | 4 vCPU, 8GB RAM, 40GB Disk Space Java Memory Allocation: Directory Sync service: xmx=4g Kerberos Auth service: xmx=1g User Auth service: xmx=1g |
Up to 100,000 users and 1,000 groups |
| Large | 8 vCPU, 16GB RAM, 40GB Disk Space Java Memory Allocation: Directory Sync service: xmx=8g Kerberos Auth service: xmx=1g User Auth service: xmx=1g |
Up to 200,000 users and 2,000 groups |
- The Memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.
- The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service, 1 GB to the User Auth service, and 1 GB to the Kerberos Auth service. See Increasing Java Memory for Enterprise Services for information on how to allocate memory.
- The groups listed for the Directory Sync service are all one level, each group contains 500 users, and each user is associated with 5 groups.
- Deployments with large groups or nested groups require more memory.
Software Requirements
Ensure the Windows server meets the following software requirements.
| Requirement | Notes |
|---|---|
| Windows Server 2019 or Windows Server 2016 or Windows Server 2012 R2 |
Note: As of September 2020, Windows Server 2008 R2 is no longer supported.
|
| PowerShell | Windows servers include PowerShell by default.
Note: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.
As of September 2020, Windows Server 2008 R2 is no longer supported. |
| .NET Framework 4.6.2 or later | Windows servers include .NET Framework by default. Workspace ONE Access connector requires .NET Framework 4.6.2 or later. |
Network Requirements
The table below lists port requirements for the connector. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.
For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Workspace ONE Access connector. The outbound connection must remain open at all times.
| Source | Destination | Port | Protocol | Notes |
|---|---|---|---|---|
| Workspace ONE Access connector | Workspace ONE Access service (cloud) Workspace ONE Access service host (on-premises installations) |
443 | HTTPS | Default port; required Applies to Directory Sync service, User Auth service, and Kerberos Auth service |
| Workspace ONE Access connector | Workspace ONE Access service load balancer (on-premises installations) | 443 | HTTPS | Applies to Directory Sync service, User Auth service, and Kerberos Auth service |
| Browsers | Workspace ONE Access connector | 443 | HTTPS | Required for Kerberos Auth service |
| Workspace ONE Access connector | Active Directory | 389, 636, 3268, 3269 | Default ports; these ports are configurable Applies to Directory Sync service. Also applies to User Auth service if password authentication is used. |
|
| Workspace ONE Access connector | DNS server | 53 | TCP/UDP | Every connector instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. Applies to Directory Sync service, User Auth service, and Kerberos Auth service. |
| Workspace ONE Access connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | Applies to Directory Sync service and Kerberos Auth service |
| Workspace ONE Access connector | RSA SecurID system | 5500 | Default port; this port is configurable Applies to User Auth service if RSA SecurID is used |
|
| Workspace ONE Access connector | syslog server | 514 | UDP | Default port; this port is configurable Port for external syslog server, if configured. Applies to Directory Sync service, User Auth service, and Kerberos Auth service |
Workspace ONE Access Cloud IP Addresses
See https://kb.vmware.com/s/article/68035 for the list of Workspace ONE Access cloud service IP addresses to which the Workspace ONE Access connector must have access.
DNS Records and IP Addresses Requirements
A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.
Ensure that you select an appropriate, user-friendly host name for the connector server if you intend to install the Kerberos Auth service. The Workspace ONE Access connector host name is visible to end users when Kerberos authentication is configured.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.
You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
| Domain Name | Resource Type | IP Address |
|---|---|---|
| myconnector.example.com | A | 10.28.128.3 |
This example shows reverse DNS records and IP addresses.
| IP Address | Resource Type | Host Name |
|---|---|---|
| 10.28.128.3 | PTR | myconnector.example.com |
After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the DNS name lookup.
Load Balancer
A load balancer is required if you want to configure high availability for Kerberos authentication.
Time Synchronization
Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.
