To deploy the Workspace ONE Access connector, which includes the Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.
Compatibility Between Workspace ONE Access Service and Connector
You can use the Workspace ONE Access connector with the Workspace ONE Access Cloud service or with the on-premises Workspace ONE Access service virtual appliance.
With the Workspace ONE Access Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.
With the Workspace ONE Access on-premises service, you can use supported connector versions that are either the same as or lower than the service version. For example, with the Workspace ONE Access 21.08 service, you can use connector 21.08 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 21.08 connector with the 20.10 service. Using the latest compatible version of the connector is recommended.
For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.
Number of Servers Required
You can install the Directory Sync, User Auth, Kerberos Auth, and Virtual App services together on a single Windows server or install them on separate servers in any combination, depending on your preferences. To install all the services together, you need a more powerful server. To install the services separately, you must obtain multiple servers.
Multiple servers are required if you want to set up high availability for any of the services.
Also consider that the Kerberos Auth service requires inbound connectivity while the other services do not.
Hardware Requirements
Ensure the Windows server meets the following hardware requirements.
- Processor: Intel(R) Xeon(R) CPU E5-2650 [email protected] GHz (2 processors) x64 bit processor or higher
Deployment Size | Hardware Requirements for Directory Sync Service Server | Number of Users and Groups |
---|---|---|
Small | 2 vCPU, 8 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=4g | Up to 50,000 users and 500 groups |
Medium | 4 vCPU, 8 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=4g | Up to 100,000 users and 1,000 groups |
Large | 8 vCPU, 12 GB RAM, 40 GB disk space. Java memory allocation for Directory Sync service: xmx=8g | Up to 200,000 users and 2,000 groups |
Deployment Size | Hardware Requirements for User Auth Service or Kerberos Auth Service Server | User Auth Service | Kerberos Auth Service |
---|---|---|---|
Small/Medium/Large | 2 vCPU, 4 GB RAM, 40 GB disk space. Java memory allocation for User Auth service or Kerberos Auth service: xmx=1g | Password authentications: 390 - 480/min. WSFed Active Flow: 720 - 900/min | Kerberos authentications: 420 - 480/min |
Deployment Size | Hardware Requirements for Virtual App Service Server | Number of Virtual Apps and Entitlements |
---|---|---|
Small/Medium/Large | 2 vCPU, 4 GB RAM, 40 GB disk space. Java memory allocation for Virtual App service: xmx=1g | Up to 500 virtual apps with 125,000 entitlements |
Deployment Size | Hardware Requirements for Server Running All Services | Number of Users and Groups |
---|---|---|
Small | 4 vCPU, 12 GB RAM, 50 GB disk space. Java memory allocation: Directory Sync service: xmx=4g; Kerberos Auth service: xmx=1g; User Auth service: xmx=1g; Virtual App service: xmx=1g | Up to 100,000 users and 1,000 groups |
Medium | 8 vCPU, 16 GB RAM, 50 GB disk space. Java memory allocation: Directory Sync service: xmx=8g; Kerberos Auth service: xmx=1g; User Auth service: xmx=1g; Virtual App service: xmx=2g | Up to 200,000 users and 2,000 groups |
Large | 12 vCPU, 32 GB RAM, 80 GB disk space. Java memory allocation: Directory Sync service: xmx=12g; Kerberos Auth service: xmx=1g; User Auth service: xmx=1g; Virtual App service: xmx=2g | Up to 300,000 users and 3,000 groups |
- The memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.
- The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service, 1 GB to the User Auth service, 1 GB to the Kerberos Auth service, and 1 GB to the Virtual App service. See Increasing Java Memory for Workspace ONE Access Connector Enterprise Services for information on how to allocate memory.
- The group counts listed for the Directory Sync service assume groups that are all one level deep, with each group containing 500 users and each user belonging to 5 groups.
- Deployments with large groups or nested groups require more memory.
- For Citrix integrations, a maximum of 630 user or group entitlements is supported for each resource.
Software Requirements
Ensure the Windows server meets the following software requirements.
Requirement | Notes |
---|---|
Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 | |
PowerShell | Windows servers include PowerShell by default. |
.NET Framework 4.8 or later | Windows servers include .NET Framework by default. Workspace ONE Access connector requires .NET Framework 4.8 or later. If .NET Framework is not installed or does not match the required version, the connector installer prompts you to install the correct version during installation. |
Citrix Studio (Citrix PowerShell SDK) | Required only if you are installing the Virtual App service and you plan to integrate Citrix Virtual Apps and Desktops. Citrix Studio includes the PowerShell SDK, which is required for the Citrix integration with Workspace ONE Access. The Citrix Studio version must be compatible with your Citrix deployment version. You can install Citrix Studio before or after you install the Workspace ONE Access connector. For information about installing Citrix Studio, see the Citrix documentation. |
Network Requirements
The table below lists port requirements for the connector. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.
For configuring the ports listed, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Workspace ONE Access connector. The outbound connection must remain open at all times.
Source | Destination | Port | Protocol | Notes |
---|---|---|---|---|
Workspace ONE Access connector | Workspace ONE Access service (cloud) or Workspace ONE Access service host (on-premises installations) | 443 | HTTPS | Default port; required. Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service |
Workspace ONE Access connector | Workspace ONE Access service load balancer (on-premises installations) | 443 | HTTPS | Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service |
Browsers | Workspace ONE Access connector | 443 | HTTPS | Required for Kerberos Auth service |
Workspace ONE Access connector | Active Directory | 389, 636, 3268, 3269 | | Default ports; these ports are configurable. Applies to Directory Sync service. Also applies to User Auth service if password authentication is used. |
Workspace ONE Access connector | DNS server | 53 | TCP/UDP | Every connector instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service. |
Workspace ONE Access connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | Applies to Directory Sync service and Kerberos Auth service |
Workspace ONE Access connector | RSA SecurID server | 5555 | | Default port; this port is configurable. Applies to User Auth service if RSA SecurID is used |
Workspace ONE Access connector | syslog server | 514 | UDP | Default port; this port is configurable. Port for external syslog server, if configured. Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service |
Workspace ONE Access connector | Horizon Connection server | 443 | | For VMware Horizon integrations. Applies to Virtual App service only |
Workspace ONE Access connector | Citrix StoreFront server | The port configured for the Citrix StoreFront server | | For integration with Citrix deployments. Applies to Virtual App service only |
Workspace ONE Access connector | Citrix XenApp or XenDesktop server | 443 | | For integration with Citrix deployments. Applies to Virtual App service only |
Browsers | Client Access FQDNs configured for Horizon and Citrix virtual apps collections | The ports configured for the Client Access FQDNs | | Applies to Virtual App service only |
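The following pre-flight script is an added example, not part of the VMware documentation or installer. It probes outbound TCP reachability from the intended connector server to the destinations in the port table above so that a blocking firewall or proxy is found before installation. Host names are placeholders to replace with your environment's values; UDP ports (53, 514, and the UDP side of 88/464) cannot be probed with Test-NetConnection, so DNS is exercised with a real query instead.

```powershell
# Run on the Windows server that will host the connector, after any outbound
# proxy has been configured, so the test reflects the path the connector will use.
# Placeholder destinations (assumed values, replace with your own):
$targets = @(
    @{ Role = 'Workspace ONE Access service';  Host = 'access.example.com';  Ports = 443;                  Services = 'all services' }
    @{ Role = 'Active Directory (LDAP/GC)';    Host = 'dc01.example.com';    Ports = 389, 636, 3268, 3269; Services = 'Directory Sync, User Auth (password)' }
    @{ Role = 'Domain controller';             Host = 'dc01.example.com';    Ports = 88, 464, 135, 445;    Services = 'Directory Sync, Kerberos Auth' }
    @{ Role = 'RSA SecurID server';            Host = 'securid.example.com'; Ports = 5555;                 Services = 'User Auth (if RSA SecurID used)' }
    @{ Role = 'Horizon Connection server';     Host = 'horizon.example.com'; Ports = 443;                  Services = 'Virtual App' }
)

function Test-ConnectorOutbound {
    param([array]$Targets, [string]$DnsServer = 'dc01.example.com')

    # One row per destination port; Test-NetConnection -InformationLevel Quiet
    # returns $true only when the TCP handshake completes.
    $report = @(foreach ($t in $Targets) {
        foreach ($port in $t.Ports) {
            $open = Test-NetConnection -ComputerName $t.Host -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Role = $t.Role; Host = $t.Host; Port = $port; Reachable = $open; Services = $t.Services }
        }
    })

    # Port 53: a successful query against the configured DNS server proves the path
    # end to end, which a bare socket test cannot do for UDP.
    $dnsOk = $null -ne (Resolve-DnsName -Name $Targets[0].Host -Server $DnsServer -ErrorAction SilentlyContinue)
    $report += [pscustomobject]@{ Role = 'DNS server'; Host = $DnsServer; Port = 53; Reachable = $dnsOk; Services = 'all services' }
    return $report
}

$result = Test-ConnectorOutbound -Targets $targets
$result | Format-Table -AutoSize

# Any unreachable port stops the service named in the Services column, so treat
# every failure here as a deployment blocker rather than a warning to revisit later.
$blocked = @($result | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} destination port(s) unreachable from this server" -f $blocked.Count)
}
```

The Browsers-to-connector rows (inbound 443 for Kerberos Auth and the Client Access FQDN ports) are not covered here because they must be tested from a client, not from the connector.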
Workspace ONE Access Cloud IP Addresses
See https://kb.vmware.com/s/article/68035 for the list of Workspace ONE Access cloud service IP addresses to which the Workspace ONE Access connector must have access.
DNS Records and IP Addresses Requirements
A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.
Ensure that you select an appropriate, user-friendly host name for the connector server if you intend to install the Kerberos Auth service. The Workspace ONE Access connector host name is visible to end users when Kerberos authentication is configured.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.
You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
Domain Name | Resource Type | IP Address |
---|---|---|
myconnector.example.com | A | 10.28.128.3 |
This example shows reverse DNS records and IP addresses.
IP Address | Resource Type | Host Name |
---|---|---|
10.28.128.3 | PTR | myconnector.example.com |
After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, running the command host IPaddress must return the connector's DNS name.
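The following verification script is an added example, not part of the VMware documentation. It checks that the forward A record, the reverse PTR record, and the address actually configured on the server all agree, using the sample host name and IP address from the tables above as defaults (replace them with your values).

```powershell
# Run on the Windows server that will host the connector. A mismatch between the
# A record, the PTR record, and the local static IP is a common cause of the
# connector registering under one name while clients are sent to another.
function Test-ConnectorDnsRecords {
    param(
        [string]$HostName   = 'myconnector.example.com',   # sample value from the tables above
        [string]$ExpectedIP = '10.28.128.3'                # sample value from the tables above
    )

    # Forward lookup: the A record must point at the static IP assigned to the server.
    $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $forwardOk = [bool]($a -and ($a.IPAddress -contains $ExpectedIP))

    # Reverse lookup: optional per the requirements, but if a PTR record exists it
    # must name this host. -contains is case-insensitive, so DNS case differences pass.
    $ptr = Resolve-DnsName -Name $ExpectedIP -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' }
    $reverseOk = [bool]($ptr -and ($ptr.NameHost -contains $HostName))

    # The server's own IPv4 configuration must carry the same static address.
    $local = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress -eq $ExpectedIP }
    $localOk = [bool]$local

    [pscustomobject]@{
        HostName    = $HostName
        ExpectedIP  = $ExpectedIP
        ForwardOk   = $forwardOk
        ReverseOk   = $reverseOk
        LocalIPOk   = $localOk
        ResolvedA   = (@($a.IPAddress) -join ', ')
        ResolvedPTR = (@($ptr.NameHost) -join ', ')
    }
}

Test-ConnectorDnsRecords | Format-List
```

ReverseOk is expected to be False when you chose not to configure reverse lookup; ForwardOk and LocalIPOk must both be True before installing the connector.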
Load Balancer
A load balancer is required if you want to configure high availability for Kerberos authentication.
Time Synchronization
Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.
Proxy Requirements
The connector accesses Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must configure a proxy server. You enter the proxy server information in the Workspace ONE Access connector installer during or after installation.
Workspace ONE Access connector 21.08 supports the following types of proxies:
- Unauthenticated HTTP proxies
- Unauthenticated HTTPS (SSL) proxies
- Authenticated HTTPS (SSL) proxies