Migrate your existing directories and virtual apps collections from Workspace ONE Access 19.03 or 19.03.0.1 connectors to 22.09 connectors using the Migration Dashboard. The migration process is a staged approach that lets you test your environment with the new connectors before finishing the migration.
Migration Stages
The migration process includes the following stages:
- Install 22.09 Connectors
Install the new 22.09 connectors, which contain the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. At a minimum, install the Directory Sync service. Install the User Auth service if connector-based authentication is configured on the legacy connectors. Install the Kerberos Auth service if the Kerberos authentication method is configured on the legacy connectors. Install the Virtual App service if virtual apps collections are configured on the legacy connectors.
- Migrate Directories
In this stage, you migrate all your directory data using the Migrate Directory wizard. Most of the required information is pre-populated from your environment, but you enter some sensitive values, such as the directory Bind user password.
Migrating the directories in this stage does not change any of your existing directory, authentication method, or identity provider configurations. You are still using the old connectors. The changes will take effect only after you go to the Preview stage.
- Migrate Virtual Apps Collections
In this stage, you select the connectors to which to migrate your existing virtual apps collections. The new settings will take effect only after you go to the Preview stage.
- Preview
In the Preview stage, you preview your environment with the new 22.09 connectors. The new Directory Sync, User Auth, Kerberos Auth, and Virtual App services from the 22.09 connectors perform directory sync, user authentication, and virtual apps sync. All authentication methods except for Kerberos are in outbound mode.
The Preview stage is intended for you to test your environment thoroughly with the new services. Verify that directory sync, virtual apps sync, user authentication, and application launch are working as expected.
In the Preview stage, you cannot create, edit, or delete directories, authentication methods, identity providers, or virtual apps collections.
From the Preview stage, you can roll back to using the old connectors. When you roll back, the directory data that you migrated in the previous stage is still maintained. If you make any changes later to any of your existing directories, authentication methods, or identity providers, ensure that you migrate the directory data again.
- Complete Migration
When you are satisfied with testing your new environment, complete the migration. After you complete the migration, you cannot roll back to using the old connectors.
Prerequisites
- Review the requirements listed in Requirements for Migrating to Workspace ONE Access Connector 22.09.
- Verify that all the connectors in your environment are version 19.03.x. If any connectors are an older version, upgrade them to 19.03.x before beginning the migration.
- Prepare one or more Windows servers for the 22.09 connectors.
See Requirements for Migrating to Workspace ONE Access Connector 22.09 for more information.
- If you are using an on-premises Workspace ONE Access virtual appliance, upgrade it to 22.09 before migrating the connectors.
- If you are installing the User Auth service, make sure that your environment does not contain any 22.05, 21.x, or 20.x User Auth service instances. As part of migration, you will install 22.09 connectors. All the User Auth service instances in your environment must be version 22.09. Migration cannot proceed if you have mixed versions of the User Auth service.
- If the RSA SecurID authentication method is configured on the 19.03.x connectors:
  - Verify that you are using RSA Authentication Manager appliance version 8.2 SP1 or later. Workspace ONE Access connector 22.09 supports RSA Authentication Manager appliance 8.2 SP1 and later.
  - If you have deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer for the integration with Workspace ONE Access to work. Make sure that you meet the requirements listed in Workspace ONE Access Requirements for RSA SecurID Load Balancer in the Managing User Authentication Methods in Workspace ONE Access guide.
  - In the RSA Security console, verify that the connector is added as an authentication agent using the fully qualified domain name (FQDN), for example, connectorserver.example.com. If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.
  - As part of the migration process, you configure the RSA SecurID authentication method. The information required to configure the authentication method includes the RSA Authentication Manager or load balancer server host name, communication port, access key, and the RSA Authentication Manager or load balancer server SSL certificate if the server uses a self-signed certificate. Because you obtain some of the information from the RSA Security Console, you also need the Security Console credentials.
  - If a proxy server is configured with the connector, the communication port that is configured for the RSA Authentication Manager server must be open on the proxy server.
  - If you are installing the User Auth service on a new Windows server, add the Windows server as an Agent in the RSA Authentication Manager server before starting the connector migration.
- (Workspace ONE Access on-premises installations only) If any IDPs are associated with multiple directories, modify the configuration so that each IDP is only associated with one directory.
- Before migrating directories, enable the Sync group members to the directory when adding group option and verify that users, groups, and group memberships are synced correctly.
  - In the Workspace ONE Access console, select .
  - Click Edit, select the Sync group members to the directory when adding group check box, and click Save.
  - Go to the directory's Sync Settings tab, expand the Groups section, and click Save. Then expand the Users section and click Save.
    Important: This step is required to ensure that the change in the Login Preferences page takes effect.
  - Wait until a few directory sync runs complete successfully with the correct users, groups, and group memberships syncing to Workspace ONE Access.
- Ensure that the directory sync process is not running for any of the directories before you start the migration process.
- If you enabled the People Search feature, ensure that the photo sync process is not running for any of the directories before you start the migration process.
- If you are migrating a 19.03.x connector with no directory associated with it, keep in mind that when you select the Latest Workspace ONE Access Connector option in Step 5, the migration is considered complete and the 19.03.x connector is deleted from the tenant. If you decide later to use legacy connectors and you change your connector selection using the Reset Connector Selection button, the 19.03.x connector will not appear. You will have to reinstall the 19.03.x connector to reactivate it with the service.
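A pre-migration check of the version and service rules stated in the Install 22.09 Connectors stage and in the prerequisites above, as an added example that is not part of the VMware documentation or tooling. The inventory format, the feature keys, and the hostnames are assumptions made for this example; collect the real versions from your own environment.

```python
import re

# Version rules from the prerequisites: legacy connectors must be 19.03.x,
# and every User Auth service instance must be 22.09.
LEGACY_OK = re.compile(r"^19\.03(\.\d+)*$")
TARGET_OK = re.compile(r"^22\.09(\.\d+)*$")

# Legacy configuration -> 22.09 service to install. The keys are
# hypothetical names chosen for this example.
REQUIRED_SERVICE = {
    "connector_auth": "User Auth",
    "kerberos": "Kerberos Auth",
    "virtual_apps": "Virtual App",
}

def preflight(legacy_connectors, new_services, legacy_features):
    """Return a list of blockers; an empty list means every check passed.

    legacy_connectors: [(host, version)] of the existing connectors
    new_services:      [(host, service, version)] of installed services
    legacy_features:   REQUIRED_SERVICE keys configured on the legacy side
    """
    blockers = []
    for host, version in legacy_connectors:
        if not LEGACY_OK.match(version):
            blockers.append(f"{host}: connector {version} must be upgraded to 19.03.x")
    # Directory Sync is the minimum; the rest depend on the legacy setup.
    required = {"Directory Sync"} | {REQUIRED_SERVICE[f] for f in legacy_features}
    installed = {svc for _, svc, ver in new_services if TARGET_OK.match(ver)}
    for svc in sorted(required - installed):
        blockers.append(f"no 22.09 {svc} service is installed")
    # Mixed User Auth versions stop the migration.
    if "User Auth" in required:
        for host, svc, ver in new_services:
            if svc == "User Auth" and not TARGET_OK.match(ver):
                blockers.append(f"{host}: User Auth {ver} found, all instances must be 22.09")
    return blockers

# Constructed sample inventory; hostnames and versions are illustrative.
LEGACY = [("conn-old-1.example.com", "19.03.0.1"), ("conn-old-2.example.com", "18.05")]
NEW = [
    ("conn-new-1.example.com", "Directory Sync", "22.09"),
    ("conn-new-1.example.com", "User Auth", "22.09"),
    ("conn-new-2.example.com", "User Auth", "21.08"),
]

if __name__ == "__main__":
    for blocker in preflight(LEGACY, NEW, {"connector_auth", "kerberos"}):
        print("BLOCKER:", blocker)
```

With the sample inventory, the check reports the outdated legacy connector, the missing Kerberos Auth service, and the stray 21.08 User Auth instance.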
Procedure
Results
All your directories and virtual apps collections are migrated to the new 22.09 connectors. The new Directory Sync, User Auth, Kerberos Auth, and Virtual App services now perform directory sync, user authentication, and virtual apps sync.
New identity providers are created for each directory and appear in the Identity Providers page with the name Migrated IDP for directory. The new identity providers are of type Built-in. For Kerberos authentication, a separate identity provider of type Workspace_IDP is created.
All authentication methods except for Kerberos are converted to outbound methods and are renamed with the (cloud deployment) suffix. For example, the Password authentication method is renamed to Password (cloud deployment). You can view and manage the new authentication methods from the Connector Authentication Methods page.
What to do next
- When the migration is complete, you must uninstall the old 19.03.x connectors from the servers on which they are installed.
If you migrated ThinApp virtual apps collections, uninstall the Linux connectors.
- After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service.
- For Horizon and Horizon Cloud integrations, ensure that the Horizon Connection Servers, or the Horizon Cloud tenant's underlying Horizon servers, have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon servers. This is a new requirement beginning with Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing VMware Workspace ONE Access Connector 22.09 for more information. Make sure that you restart the connector services after uploading the certificates.