To deploy the Workspace ONE Access connector, which includes the Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.

Compatibility Between Workspace ONE Access Service and Connector

You can use the Workspace ONE Access connector with the Workspace ONE Access Cloud service or with the on premises Workspace ONE Access service virtual appliance.

With the Workspace ONE Access Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.

With a Workspace ONE Access on premises installation, you can use supported connector versions that are either the same or lower than the Workspace ONE Access service version. For example, with the Workspace ONE Access 22.09 service, you can use connector 22.09 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 22.09 connector with the 21.08 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Number of Servers Required

You can install the Directory Sync, User Auth, Kerberos Auth, and Virtual App services together on a single Windows server or install them on separate servers in any combination, depending on your preferences. To install all the services together, you need a more powerful server. To install the services separately, you must obtain multiple servers.

Multiple servers are required if you want to set up high availability for any of the services.

Also consider that the Kerberos Auth service requires inbound connectivity while the other services do not.

Important: If you install multiple services on a single server, make sure that the server meets the memory, compute, and storage requirements specified in the sizing guidelines. In particular, if you install the Directory Sync and Virtual App services on the same server, you must make sure that the server has enough memory and vCPU for both services. See the sizing guidelines for more information.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.

  • Processor: Inte(R)Xeon(R) CPU E5-2650 0@2.00 GHZ (2 processors) x64 bit processor or higher
Table 1. Sizing Guidelines for Directory Sync Service Only
Deployment Size Hardware Requirements for Directory Sync Service Server Number of Users and Groups
Small

2 vCPU, 8 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=4g

Up to 50,000 users and 500 groups
Medium

4 vCPU, 8 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=4g

Up to 100,000 users and 1,000 groups
Large

8 vCPU, 12 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=8g

Up to 200,000 users and 2,000 groups
Table 2. Sizing Guidelines for User Auth Service or Kerberos Auth Service Only
Deployment Size Hardware Requirements for User Auth Service or Kerberos Auth Service Server User Auth Service Kerberos Auth Service
Small/Medium/Large

2 vCPU, 4 GB RAM, 40 GB Disk Space

Java memory allocation for User Auth service or Kerberos Auth service: xmx=1g

Password authentications: 390 - 480/min

WSFed Active Flow: 720 - 900/min

Kerberos authentications: 420 - 480/min
Note: The User Auth service and Kerberos Auth service nodes are not vertically scalable. For better throughput, add more nodes.
Table 3. Sizing Guidelines for Virtual App Service Only
Deployment Size Hardware Requirements for Virtual App Service Server Number of Virtual Apps and Entitlements
Small/Medium/Large

2 vCPU, 4 GB RAM, 40 GB Disk Space

Java memory allocation for Virtual App service: xmx=1g

Up to 500 virtual apps with 125,000 entitlements
Note: For Citrix integrations, a maximum of 630 user or group entitlements is supported for each resource.
Table 4. Sizing Guidelines for All Services Installed on a Single Server
Deployment Size Hardware Requirements Number of Users and Groups
Small

4 vCPU, 12 GB RAM, 50 GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=4g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Virtual App service: xmx=1g

Up to 100,000 users and 1,000 groups
Medium

8 vCPU, 16 GB RAM, 50 GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=8g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Virtual App service: xmx=2g

Up to 200,000 users and 2,000 groups
Large

12 vCPU, 32 GB RAM, 80 GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=12g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Virtual App service: xmx=2g

Up to 300,000 users and 3,000 groups
Note:
  • The Memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.
  • The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service, 1 GB to the User Auth service, 1 GB to the Kerberos Auth service, and 1 GB to the Virtual App service. See Increasing Java Memory for Workspace ONE Access Connector Enterprise Services for information on how to allocate memory.
  • The groups listed for the Directory Sync service are all one level, each group contains 500 users, and each user is associated with 5 groups.
  • Deployments with large groups or nested groups require more memory.
  • For Citrix integrations, a maximum of 630 user or group entitlements is supported for each resource.

Software Requirements

Ensure the Windows server meets the following software requirements.

Requirement Notes

Windows Server 2019 or

Windows Server 2016 or

Windows Server 2012 R2

PowerShell Windows servers include PowerShell by default.
.NET Framework 4.8 or later Windows servers include .NET Framework by default. Workspace ONE Access connector requires .NET Framework 4.8 or later. If .NET Framework is not installed or does not match the required version, the connector installer prompts you to install the correct version during installation.
Citrix Studio (Citrix PowerShell SDK) Required only if you are installing the Virtual App service and you plan to integrate Citrix Virtual Apps and Desktops. Citrix Studio includes the PowerShell SDK, which is required for the Citrix integration with Workspace ONE Access. The Citrix Studio version must be compatible with your Citrix deployment version. You can install Citrix Studio before or after you install the Workspace ONE Access connector. For information about installing Citrix Studio, see the Citrix documentation.

Network Requirements

The table below lists port requirements for the connector. For the most up-to-date port information, see https://ports.vmware.com/home/Workspace-ONE-Access.

For configuring the ports listed, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Workspace ONE Access connector. The outbound connection must remain open at all times.

Source Destination Port Protocol Notes
Workspace ONE Access connector Workspace ONE Access service (cloud)

Workspace ONE Access service host (on-premises installations)

443 HTTPS Default port; required

Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service

Workspace ONE Access connector Workspace ONE Access service load balancer (on-premises installations) 443 HTTPS Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service
Browsers Workspace ONE Access connector 443 HTTPS Required for Kerberos Auth service
Workspace ONE Access connector Active Directory 389, 636, 3268, 3269 Default ports; these ports are configurable

Applies to Directory Sync service. Also applies to User Auth service if password authentication is used.

Workspace ONE Access connector DNS server 53 TCP/UDP Every connector instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service.

Workspace ONE Access connector Domain controller 88, 464, 135, 445 TCP/UDP Applies to Directory Sync service and Kerberos Auth service
Workspace ONE Access connector RSA SecurID server 5555 Default port; this port is configurable

Applies to User Auth service if RSA SecurID is used

Workspace ONE Access connector syslog server 514 UDP Default port; this port is configurable

Port for external syslog server, if configured. Applies to Directory Sync service, User Auth service, Kerberos Auth service, and Virtual App service

Workspace ONE Access connector Horizon Connection server 443 For VMware Horizon integrations

Applies to Virtual App service only

Workspace ONE Access connector Citrix StoreFront server The port configured for the Citrix StoreFront server For integration with Citrix deployments

Applies to Virtual App service only

Workspace ONE Access connector Citrix XenApp or XenDesktop server 443 For integration with Citrix deployments

Applies to Virtual App service only

Browsers Client Access FQDNs configured for Horizon and Citrix virtual apps collections The ports configured for the Client Access FQDNs Applies to Virtual App service only

Workspace ONE Access Cloud IP Addresses

See https://kb.vmware.com/s/article/68035 for the list of Workspace ONE Access cloud service IP addresses to which the Workspace ONE Access connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector server if you intend to install the Kerberos Auth service. The Workspace ONE Access connector host name is visible to end users when Kerberos authentication is configured.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 5. Example of Forward DNS Records and IP Addresses
Domain Name Resource Type IP Address
myconnector.example.com A 10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 6. Example of Reverse DNS Records and IP Addresses
IP Address Resource Type Host Name
10.28.128.3 PTR myconnector.example.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the DNS name lookup.

Load Balancer

A load balancer is required for the Workspace ONE Access connector if you want to configure high availability for Kerberos authentication.

Time Synchronization

Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.

Proxy Requirements

The connector accesses Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must configure a proxy server. You enter the proxy server information in the Workspace ONE Access connector installer during or after installation.

Workspace ONE Access connector supports the following types of proxies:

  • Unauthenticated HTTP proxies
  • Unauthenticated HTTPS (SSL) proxies
  • Authenticated HTTPS (SSL) proxies
Note: Enable your proxy to handle only Internet traffic. To ensure that the proxy is set up correctly, set the parameter for internal traffic to no-proxy within the domain.