Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.
Supported vSphere and ESX Versions
The following versions of vSphere and ESXi server are supported:
- 6.0 and later
Compatibility Between Workspace ONE Access Service and Connector
With the Workspace ONE Access on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the Workspace ONE Access 20.10 service, you can use connector 20.10 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.10 connector with the 20.01 service. Using the latest compatible version of the connector is recommended.
For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.
Hardware Sizing Requirements
Ensure that you meet the requirements for the number of Workspace ONE Access virtual appliances and the resources allocated to each appliance.
- 4vCPU
- 8 GB Memory
- 100 GB disk space
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
|---|---|---|---|---|---|
| Number of Workspace ONE Access servers | 1 server | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers |
| CPU (per server) | 4 CPU | 4 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM (per server) | 8 GB | 8 GB | 8 GB | 16 GB | 32 GB |
| Disk space (per server) | 100 GB | 100 GB | 100 GB | 100 GB | 100 GB |
Also, Ensure that you meet the requirements for the number of Workspace ONE Access connector instances. See Installing and Configuring Workspace ONE Access Connector.
Database Requirements
Set up Workspace ONE Access with the appropriate database to store and organize server data.
You can use the internal PostgreSQL database or an external Microsoft SQL database. An internal Postgres SQL database is embedded in the Workspace ONE Access appliance, but the internal database is not recommended for use with production deployments.
For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
The following database requirements apply. The exact specifications needed depend on the size and needs of your deployment.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
|---|---|---|---|---|---|
| CPU | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM | 4 GB | 4 GB | 8 GB | 16 GB | 32 GB |
| Disk space | 50 GB | 50 GB | 50 GB | 100 GB | 100 GB |
The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for faster availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the Workspace ONE Access database supports AlwaysON.
Network Configuration Requirements
| Component | Minimum Requirement |
|---|---|
| DNS record and IP address | IP address and DNS record |
| Firewall port | Ensure that the inbound firewall port 443 is open for users outside the network to the Workspace ONE Access instance or the load balancer. |
| Reverse Proxy | Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to access the Workspace ONE Access user portal remotely and securely. VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to access the Workspace ONE Access unified catalog remotely and securely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the Workspace ONE Access appliance. |
Port Requirements
Ports used in the server configuration are described in the following table. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.
- To sync users and groups from Active Directory, Workspace ONE Access must connect to Active Directory.
- To sync with ThinApp, Workspace ONE Access must join the Active Directory domain and connect to the ThinApp Repository share.
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | HTTPS | Load Balancer | Workspace ONE Access machine |
|
| 443 | HTTPS | Workspace ONE Access machine | Load Balancer | Required to validate the load balancer FQDN when it is set. |
| 443, 8443 | HTTPS/HTTP | Workspace ONE Access machine |
Workspace ONE Access machine | For all Workspace ONE Access instances in a cluster, and across clusters in different data centers. |
| 443 | HTTPS | Browsers | Workspace ONE Access machine |
|
| 443, 80 | HTTPS, HTTP | Workspace ONE Access machine |
vapp-updates.vmware.com | Access to the upgrade server |
| 443 | HTTPS | Workspace ONE Access machine | discovery.awmdm.com | Access for Workspace ONE Intelligent Hub application autodiscovery |
| 443 | HTTPS | Workspace ONE Access machine | catalog.vmwareidentity.com | Access to Cloud Catalog |
| 443 | HTTPS | Workspace ONE Access machine | signing.awmdm.com | Mandatory to launch Hub Services console and to provision certificates for Workspace ONE Notifications service. |
| 7443 | TCP | Browsers | Workspace ONE Access machine | SSL certificate authentication |
| 8443 | HTTPS | Browsers | Workspace ONE Access machine |
Administrator Port |
| 25 | SMTP | Workspace ONE Access machine |
SMTP | Port to relay outbound mail. |
| 389 636 3268 3269 |
LDAP LDAPS MSFT-GC MSFT-GC-SSL |
Workspace ONE Access machine |
Active Directory | Default values are shown. These ports are configurable. |
| 445 | TCP | Workspace ONE Access machine |
VMware ThinApp repository | Access to the ThinApp repository. |
| 5500 | UDP | Workspace ONE Access machine |
RSA SecurID system | Default value is shown. This port is configurable. |
| 53 | TCP/UDP | Workspace ONE Access machine |
DNS server | Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| 88, 464, 135, 445 | TCP/UDP | Workspace ONE Access machine |
Domain controller | |
| 9300 |
TCP | Workspace ONE Access machine |
Workspace ONE Access machine |
Audit needs. |
| 54328 |
UDP | |||
| 5701 | TCP | Workspace ONE Access machine | Workspace ONE Access machine | Hazelcast cache. |
| 40002 40003 |
TCP | Workspace ONE Access machine | Workspace ONE Access machine | Ehcache. |
| 1433 |
TCP | Workspace ONE Access machine |
Database |
Microsoft SQL default port is 1433. |
| 443 |
|
Workspace ONE Access machine |
Horizon Connection Server |
Access to Horizon Connection Server. |
| 80, 443 | TCP | Workspace ONE Access machine | Integration Broker server | Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| 443 | HTTPS |
Workspace ONE Access |
Workspace ONE UEM REST API | For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used. |
| 88 | UDP | Unified Access Gateway |
Workspace ONE Access machine | UDP port to open for mobile SSO. |
| 5262 | TCP | Android mobile device | Workspace ONE UEM HTTPS proxy service | VMware Tunnel client routes traffic to the HTTPS proxy for Android devices. |
| 88 | UDP | iOS mobile device | Workspace ONE Access machine | Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service. |
| 443 | HTTPS/TCP | |||
| 514 | UDP | Workspace ONE Access machine | syslog server | UDP For external syslog server, if configured. |
| 88 | UDP | Workspace ONE Access machine | Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used. |
Time Synchronization
Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly.
For information on configuring time synchronization for the Workspace ONE Access service, see Configuring Time Synchronization for the Workspace ONE Access Service.
For information on configuring time synchronization for the Workspace ONE Access connector, see Installing and Configuring Workspace ONE Access Connector.
Supported Directories
You integrate your enterprise directory with Workspace ONE Access and sync users and groups from your enterprise directory to the service.
- The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.
Workspace ONE Access supports Active Directory on Windows 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.
Supported Web Browsers to Access the Workspace ONE Access Console
The Workspace ONE Access console is a web-based application you use to manage the Workspace ONE Access service . You can access the Workspace ONE Access console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.
Supported Browsers to Access the Workspace ONE Portal
End users can access the Workspace ONE portal from the following browsers.
- Mozilla Firefox (latest)
- Google Chrome (latest)
- Safari (latest)
- Internet Explorer 11
- Microsoft Edge browser
- Native browser and Google Chrome on Android devices
- Safari on iOS devices
