Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.

Supported vSphere and ESX Versions

The following versions of vSphere and ESXi server are supported:

  • 6.0 and later

Compatibility Between Workspace ONE Access Service and Connector

With the Workspace ONE Access on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the Workspace ONE Access 20.10 service, you can use connector 20.10 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.10 connector with the 20.01 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Hardware Sizing Requirements

Ensure that you meet the requirements for the number of Workspace ONE Access virtual appliances and the resources allocated to each appliance.

Note: For new deployments, the default Workspace ONE Access sizing requirements are as follows:
  • 4vCPU
  • 8 GB Memory
  • 100 GB disk space
Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
Number of Workspace ONE Access servers 1 server 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers
CPU (per server) 4 CPU 4 CPU 4 CPU 8 CPU 8 CPU
RAM (per server) 8 GB 8 GB 8 GB 16 GB 32 GB
Disk space (per server) 100 GB 100 GB 100 GB 100 GB 100 GB

Also, Ensure that you meet the requirements for the number of Workspace ONE Access connector instances. See Installing and Configuring Workspace ONE Access Connector.

Database Requirements

Set up Workspace ONE Access with the appropriate database to store and organize server data.

You can use the internal PostgreSQL database or an external Microsoft SQL database. An internal Postgres SQL database is embedded in the Workspace ONE Access appliance, but the internal database is not recommended for use with production deployments.

For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

The following database requirements apply. The exact specifications needed depend on the size and needs of your deployment.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
CPU 2 CPU 2 CPU 4 CPU 8 CPU 8 CPU
RAM 4 GB 4 GB 8 GB 16 GB 32 GB
Disk space 50 GB 50 GB 50 GB 100 GB 100 GB

The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for faster availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the Workspace ONE Access database supports AlwaysON.

Network Configuration Requirements

Component Minimum Requirement
DNS record and IP address IP address and DNS record
Firewall port Ensure that the inbound firewall port 443 is open for users outside the network to the Workspace ONE Access instance or the load balancer.
Reverse Proxy

Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to access the Workspace ONE Access user portal remotely and securely.

VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to access the Workspace ONE Access unified catalog remotely and securely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the Workspace ONE Access appliance.

Port Requirements

Ports used in the server configuration are described in the following table. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.

Your deployment might include only a subset of the listed ports. For example:
  • To sync users and groups from Active Directory, Workspace ONE Access must connect to Active Directory.
  • To sync with ThinApp, Workspace ONE Access must join the Active Directory domain and connect to the ThinApp Repository share.
Note: For information about configuring and enabling Kerberos authentication in Workspace ONE Access, including port information, see Managing Workspace ONE Access User Authentication Methods.
Port Protocol Source Target Description
443 HTTPS Load Balancer

Workspace ONE Access machine

443 HTTPS Workspace ONE Access machine Load Balancer Required to validate the load balancer FQDN when it is set.
443, 8443 HTTPS/HTTP

Workspace ONE Access machine

Workspace ONE Access machine For all Workspace ONE Access instances in a cluster, and across clusters in different data centers.
443 HTTPS Browsers

Workspace ONE Access machine

443, 80 HTTPS, HTTP

Workspace ONE Access machine

vapp-updates.vmware.com Access to the upgrade server
443 HTTPS Workspace ONE Access machine discovery.awmdm.com Access for Workspace ONE Intelligent Hub application autodiscovery
443 HTTPS Workspace ONE Access machine catalog.vmwareidentity.com Access to Cloud Catalog
443 HTTPS Workspace ONE Access machine signing.awmdm.com Mandatory to launch Hub Services console and to provision certificates for Workspace ONE Notifications service.
7443 TCP Browsers Workspace ONE Access machine SSL certificate authentication
8443 HTTPS Browsers

Workspace ONE Access machine

Administrator Port
25 SMTP

Workspace ONE Access machine

SMTP Port to relay outbound mail.

389

636

3268

3269

LDAP

LDAPS

MSFT-GC

MSFT-GC-SSL

Workspace ONE Access machine

Active Directory Default values are shown. These ports are configurable.
445 TCP

Workspace ONE Access machine

VMware ThinApp repository Access to the ThinApp repository.
5500 UDP

Workspace ONE Access machine

RSA SecurID system Default value is shown. This port is configurable.
53 TCP/UDP

Workspace ONE Access machine

DNS server

Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

88, 464, 135, 445 TCP/UDP

Workspace ONE Access machine

Domain controller

9300

TCP

Workspace ONE Access machine

Workspace ONE Access machine

Audit needs.

54328

UDP
5701 TCP Workspace ONE Access machine Workspace ONE Access machine Hazelcast cache.
40002

40003

TCP Workspace ONE Access machine Workspace ONE Access machine Ehcache.

1433

TCP

Workspace ONE Access machine

Database

Microsoft SQL default port is 1433.

443

Workspace ONE Access machine

Horizon Connection Server

Access to Horizon Connection Server.

80, 443 TCP Workspace ONE Access machine Integration Broker server Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server.
443

HTTPS

Workspace ONE Access

Workspace ONE UEM REST API

For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used.

88 UDP

Unified Access Gateway

Workspace ONE Access machine UDP port to open for mobile SSO.
5262 TCP Android mobile device Workspace ONE UEM HTTPS proxy service VMware Tunnel client routes traffic to the HTTPS proxy for Android devices.
88 UDP iOS mobile device Workspace ONE Access machine Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service.
443 HTTPS/TCP
514 UDP Workspace ONE Access machine syslog server UDP

For external syslog server, if configured.

88 UDP Workspace ONE Access machine Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used.

Time Synchronization

Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly.

For information on configuring time synchronization for the Workspace ONE Access service, see Configuring Time Synchronization for the Workspace ONE Access Service.

For information on configuring time synchronization for the Workspace ONE Access connector, see Installing and Configuring Workspace ONE Access Connector.

Supported Directories

You integrate your enterprise directory with Workspace ONE Access and sync users and groups from your enterprise directory to the service.

  • The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.

    Workspace ONE Access supports Active Directory on Windows 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.

    Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.

Supported Web Browsers to Access the Workspace ONE Access Console

The Workspace ONE Access console is a web-based application you use to manage the Workspace ONE Access service . You can access the Workspace ONE Access console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.

Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through Workspace ONE Access.

Supported Browsers to Access the Workspace ONE Portal

End users can access the Workspace ONE portal from the following browsers.

  • Mozilla Firefox (latest)
  • Google Chrome (latest)
  • Safari (latest)
  • Internet Explorer 11
  • Microsoft Edge browser
  • Native browser and Google Chrome on Android devices
  • Safari on iOS devices
Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through Workspace ONE Access.