You can update your Workspace ONE Access connector installation to add or modify enterprise services at any time. Run the installer again to make any changes.
You can make the following changes:
- Add the Directory Sync, User Auth, or Kerberos Auth service
- Specify custom ports for each service
- Configure a proxy server
- Configure a syslog server
- Install trusted root certificates
- (Kerberos Auth service only) Install a trusted SSL certificate for the Kerberos Auth service
- (Kerberos Auth service only) Configure the Kerberos Auth service to run as a domain user account
- Be aware that all the enterprise services in a connector installation are connected to the same Workspace ONE Access tenant. When you modify an existing installation to add a service, the configuration file that you downloaded from the tenant for the original installation is used automatically.
- If you are modifying the existing configuration, suspend the enterprise services from the Workspace ONE Access console first. Navigate to the Manage and click the toggle buttons to suspend each service. page, click the connector, click
- Log in to the Windows server on which the Workspace ONE Access connector is installed.
- Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.
- On the Welcome page, click Next.
- On the Program Maintenance page, select the Add/Remove Services option, then click Next.
- On the Service Selection page, select the services you want to add, if any, then click Next.
- If the Specify Configuration File page appears, select the same configuration file that you downloaded from the Workspace ONE Access tenant for the original installation.
The Specify Configuration File page appears only if you selected services to add.
- Make your changes on the appropriate pages of the wizard.
Option Action To update the ports the enterprise services run on On the Specify Ports page, enter the port for each service. Inbound connectivity is only required for the Kerberos Auth service port. It is not required for the User Auth service and Directory Sync service ports.
- User Auth service: 8090
- Directory Sync service: 8080
- Kerberos Auth service: 443
To upload a trusted SSL certificate for the connector server On the Install SSL Certificates page, select the Would you like to use your own SSL certificate? check box, click Browse, and select the certificate.
The certificate file must be in PEM or PFX format. If the file is in PEM format, also upload the key file. If the file is in PFX format, also enter the certificate password.
For more information about certificate requirements, see Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).Important: A trusted SSL certificate is required for the Kerberos Auth service. If you do not upload a trusted SSL certificate, a self-signed certificate is auto-generated. To use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf after installation.
While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.
To upload or remove trusted root certificates from the truststore On the Install Trusted Root Certificates page:
- To upload a certificate, click Browse and select the certificate.
- To remove a certificate, select the certificate and click Remove.
- To view an installed certificate, click View Certificate.
The connector will be able to establish secure connections to servers whose certificate chain includes any of the certificates you add to the truststore. Scenarios for uploading certificates to the truststore include:
- (On-premises installations only) If your on-premises Workspace ONE Access service instance has a self-signed certificate that you installed, you must upload its root, and, if required, intermediate certificate to establish trust between the enterprise services and the Workspace ONE Access service instance.
- (Kerberos Auth service only) If you deploy multiple instances of the Kerberos Auth service behind a load balancer, you must install the load balancer's root CA certificate on the connector instances to establish trust between the connectors and the load balancer.
To specify a proxy server On the Specify Proxy Server Information page, enter a proxy server if required. The enterprise services access Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must enter a proxy server.
You can also specify a list of non-proxy hosts, hosts that should be reached directly without going through the proxy server.
- Select the Enable Proxy check box.
- Enter the host name, specified as a fully qualified domain name (FQDN), or IP address of the proxy server.
- Enter the proxy server port.
- If you want to specify any non-proxy hosts, hosts that should be reached directly without going through the proxy server, enter the FQDN and ports in the Non Proxy Hosts text box. Use the following format, with each entry separated by |:
- If the proxy server requires authentication, select Basic/Windows and enter the user name and password for the proxy server.
To specify an external syslog server to store application-level event messages On the Specify Syslog Server Information page, select the Enable Syslog check box and enter the syslog server's IP address or FQDN, and port.
To specify a single syslog server, use the following format:
To specify multiple syslog servers, use the following format:
where host is the fully qualified domain name or IP address of the syslog server and port is the port number. For example:
syslog1.example.com:514,syslog2.example.com:601,syslog3.example.com:163Note: Only application-level events are exported to the syslog server. Operating system events are not exported.
To specify or change the domain user account used to run the Kerberos Auth service On the Service Account page, enter the user name and password of the domain user account in the format
DOMAIN\username, such as
EXAMPLE\administrator. Alternatively, click Browse and select the domain and user.Note: If you are unable to locate domains or users when you click Browse, type them in the text box in the format specified above.Important: A domain user account is required to run the Kerberos Auth service.
- In the Ready to Install the Program page, review your selections, then click Install.
What to do next
The installation is updated. New services are registered with the Workspace ONE Access tenant. Refresh thepage in the Workspace ONE Access console to view the updated list of services.