You can update your Workspace ONE Access connector installation to add or modify enterprise services at any time. Run the installer again to make any changes.
You can make the following changes:
- Add the Directory Sync, User Auth, Kerberos Auth, or Virtual App service
- Specify custom ports for each service
- Configure a proxy server
- Configure a syslog server
- Install trusted root certificates
- (Kerberos Auth service only) Install a trusted SSL certificate for the Kerberos Auth service
- (Kerberos Auth and Virtual App services only) Configure the Kerberos Auth and Virtual App services to run as a domain user account
- Be aware that all the enterprise services in a connector installation are connected to the same Workspace ONE Access tenant. When you modify an existing installation to add a service, the configuration file that you downloaded from the tenant for the original installation is used automatically.
- If you are modifying the existing configuration, suspend the enterprise services from the Workspace ONE Access console first. In a Workspace ONE Access cloud tenant with the New Navigation toggle turned on, go to the page. In a Workspace ONE Access 21.08 virtual appliance, or cloud tenant with the New Navigation toggle turned off, go to the page. Click the connector, click Manage, and click the toggle buttons to suspend each service.
- Log in to the Windows server on which the Workspace ONE Access connector is installed.
- Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.
- On the Welcome page, click Next.
- On the Program Maintenance page, select the Add/Remove Services option, then click Next.
- On the Service Selection page, select the services you want to add, if any, then click Next.
- If the Specify Configuration File page appears, select the same configuration file that you downloaded from the Workspace ONE Access tenant for the original installation.
The Specify Configuration File page appears only if you selected services to add.
- Make your changes on the appropriate pages of the wizard.
Option Action To update the ports the enterprise services run on On the Specify Ports page, enter the port for each service. Inbound connectivity is only required for the Kerberos Auth service port. It is not required for the User Auth service and Directory Sync service ports.
- User Auth service: 8090
- Directory Sync service: 8080
- Kerberos Auth service: 443
- Virtual App service: 8008
To upload a trusted SSL certificate for the connector server On the Install SSL Certificates page, select the Would you like to use your own SSL certificate? check box, click Browse, and select the certificate.
The certificate file must be in PEM or PFX format. If the file is in PEM format, also upload the key file. If the file is in PFX format, also enter the certificate password.
For more information about certificate requirements, see Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).Important: A trusted SSL certificate is required for the Kerberos Auth service. If you do not upload a trusted SSL certificate, a self-signed certificate is auto-generated. To use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf after installation.
While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.
To upload or remove trusted root certificates from the truststore On the Install Trusted Root Certificates page:
- To upload a certificate, click Browse and select the certificate.
- To remove a certificate, select the certificate and click Remove.
- To view an installed certificate, click View Certificate.
The connector will be able to establish secure connections to servers whose certificate chain includes any of the certificates you add to the truststore. Scenarios for uploading certificates to the truststore include:
- (On-premises installations only) If your on-premises Workspace ONE Access service instance has a self-signed certificate that you installed, you must upload its root, and, if required, intermediate certificate to establish trust between the enterprise services and the Workspace ONE Access service instance.
- (Kerberos Auth service only) If you deploy multiple instances of the Kerberos Auth service behind a load balancer, you must install the load balancer's root CA certificate on the connector instances to establish trust between the connectors and the load balancer.
- (Virtual App service only) If you integrate Workspace ONE Access with VMware Horizon, and you are using self-signed certificates temporarily for testing purposes on the Horizon Connection servers, you must upload the certificate chain to the connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon Connection servers. However, using certificates signed by a public CA is recommended.
To specify a proxy server On the Specify Proxy Server Information page, enter a proxy server if required. The enterprise services access Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must enter a proxy server. See Workspace ONE Access Connector 21.08 Systems Requirements for information about supported proxies.
You can also specify a list of non-proxy hosts, hosts that should be reached directly without going through the proxy server.
- Select the Enable Proxy check box.
- Enter the host name, specified as a fully qualified domain name (FQDN), or IP address of the proxy server.
- Enter the proxy server port.
- If you want to specify any non-proxy hosts, hosts that should be reached directly without going through the proxy server, enter the FQDN and ports in the Non Proxy Hosts text box. Use the following format, with each entry separated by |:
- If the proxy server requires authentication, select Basic and enter the user name and password for the proxy server.
To specify an external syslog server to store application-level event messages On the Specify Syslog Server Information page, select the Enable Syslog check box and enter the syslog server's IP address or FQDN, and port.
To specify a single syslog server, use the following format:
To specify multiple syslog servers, use the following format:
where host is the fully qualified domain name or IP address of the syslog server and port is the port number. For example:
syslog1.example.com:514,syslog2.example.com:601,syslog3.example.com:163Note: Only application-level events are exported to the syslog server. Operating system events are not exported.
To specify or change the domain user account used to run the Kerberos Auth and Virtual App services
A domain user account is required to run the Kerberos Auth and Virtual App services.
On the Service Account page, enter the user name and password of the domain user account in the format
DOMAIN\username, such as
EXAMPLE\administrator. Alternatively, click Browse and select the domain and user.
If you are unable to locate domains or users when you click Browse, type them in the text box in the format specified above.Important: The Kerberos Auth service only supports the following special characters in the domain user account password:
@!*. If the password contains any other special characters, Kerberos Auth service installation fails.
- In the Ready to Install the Program page, review your selections, then click Install.
Important: If you uploaded any certificates, make sure that you select the option to restart all the services.
What to do next
The installation is updated. New services are registered with the Workspace ONE Access tenant. Refresh the Connectors page in the Workspace ONE Access console to view the updated list of services.