You can deploy the VMware Identity Manager virtual appliance in the DMZ if you do not want to deploy it in the enterprise network. If you deploy the VMware Identity Manager appliance in the DMZ, you also deploy a standalone VMware Identity Manager connector in outbound-only connection mode in the enterprise network.
System and Network Configuration Requirements
System and network configuration requirements for deploying VMware Identity Manager in the DMZ are similar to the requirements for deploying VMware Identity Manager in the enterprise network, described in "System and Network Configuration Requirements" and "Preparing to Deploy VMware Identity Manager" in Installing and Configuring VMware Identity Manager, except for the differences listed here.
- You do not need to open an inbound firewall port to any appliance in the enterprise network.
  The VMware Identity Manager virtual appliance is deployed in the DMZ. The VMware Identity Manager connector is deployed in the enterprise network in outbound-only connection mode and communicates with the service through a Websocket-based communication channel.
- You do not need to deploy a reverse proxy or load balancer to allow external access to VMware Identity Manager.
- A load balancer is needed only if you configure high availability and redundancy for the VMware Identity Manager virtual appliance.
- If you set up certificate authentication on the embedded connector, you need to enable SSL pass-through on the load balancer for the port configured as the SSL pass-through port for certificate authentication. The default port is 7443.
- The following ports are used. Your deployment might require only a subset of these.

| Port | Source | Target | Protocol | Description |
| --- | --- | --- | --- | --- |
| 443 | Load balancer | VMware Identity Manager virtual appliance | HTTPS | |
| 443 | VMware Identity Manager virtual appliance | Load balancer | HTTPS | Needed to validate the load balancer FQDN when it is set |
| 443 | Connector | VMware Identity Manager service host | HTTPS | |
| 443 | Connector | VMware Identity Manager service load balancer | HTTPS | |
| 443 | Browsers | VMware Identity Manager virtual appliance | HTTPS | |
| 88 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP | iOS SSO only |
| 5262 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP | Android SSO only |
| 88 | VMware Identity Manager virtual appliance | Hybrid KDC Server in the cloud. Hostname is `kdc.<realm>`. For example, kdc.op.vmwareidentity.com. | UDP | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used. |
| 443, 80 | VMware Identity Manager virtual appliance | vapp-updates.vmware.com | | Access to the VMware upgrade server |
| 443 | VMware Identity Manager virtual appliance | catalog.vmwareidentity.com | | Access to Cloud Catalog |
| 443 | VMware Identity Manager virtual appliance | discovery.awmdm.com | | Access for Workspace ONE application autodiscovery |
| 8443 | Browsers | VMware Identity Manager virtual appliance | HTTPS | Administrator port |
| 25 | VMware Identity Manager virtual appliance | SMTP server | TCP | Port to relay outbound mail |
| 53 | VMware Identity Manager virtual appliance | DNS server | TCP/UDP | Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| 443, 8443 | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | HTTPS/HTTP | For all VMware Identity Manager instances in a cluster and across clusters in different data centers |
| 9300 (TCP), 54328 (UDP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | | Audit needs |
| 5701 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | | Hazelcast cache |
| 40002 (TCP), 40003 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | | Ehcache |
| 1433 | VMware Identity Manager virtual appliance | Database | | Microsoft SQL default port is 1433 |
| 443 | VMware Identity Manager virtual appliance | Workspace ONE UEM REST API | HTTPS | For device compliance checking and for the ACC Password authentication method, if used. |
| SSL pass-through port for certificate authentication (default port: 7443) | Browsers | VMware Identity Manager virtual appliance | HTTPS | For certificate authentication configured on the embedded connector. |
| 514 | VMware Identity Manager virtual appliance | syslog server | UDP | For external syslog server, if configured |
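The port table above is long, and only part of it applies to any one deployment. The script below is an added example, not VMware's code or tooling: it encodes a subset of the table as data, filters it by the optional features a deployment actually enables (iOS or Android mobile SSO, hybrid KDC, certificate authentication, syslog, UEM compliance), and audits a proposed firewall allow-list for two things: required flows that are missing, and any rule that would open an inbound path into the enterprise network, which this DMZ design is meant to avoid. The zone placement (DMZ, enterprise, internet, cloud), the feature names and the `(port, source, target)` rule format are assumptions for the example; the flows themselves come from the table on this page.

```python
"""Audit a firewall allow-list against the VMware Identity Manager DMZ port matrix.

Added example, not VMware's code. Zone assignments, feature flag names and the
rule tuple format are assumptions; the flows are taken from the port table.
"""
from dataclasses import dataclass

IDM = "VMware Identity Manager virtual appliance"


@dataclass(frozen=True)
class Flow:
    ports: tuple          # one or more ports from the table, as integers
    proto: str            # protocol as written in the table ("" if not stated)
    source: str
    target: str
    feature: str = ""     # "" = always required; otherwise the optional feature that needs it


# Subset of the page's table. Feature names are assumed labels for the example.
FLOWS = [
    Flow((443,), "HTTPS", "Browsers", IDM),
    Flow((443,), "HTTPS", "Connector", "VMware Identity Manager service host"),
    Flow((8443,), "HTTPS", "Browsers", IDM),                     # administrator port
    Flow((25,), "TCP", IDM, "SMTP server"),
    Flow((53,), "TCP/UDP", IDM, "DNS server"),
    Flow((443, 80), "", IDM, "vapp-updates.vmware.com"),         # protocol not stated on the page
    Flow((443,), "HTTPS", "Load balancer", IDM, "load_balancer"),
    Flow((88,), "TCP/UDP", "Browsers", IDM, "ios_sso"),
    Flow((5262,), "TCP/UDP", "Browsers", IDM, "android_sso"),
    Flow((88,), "UDP", IDM, "Hybrid KDC Server in the cloud", "hybrid_kdc"),
    Flow((7443,), "HTTPS", "Browsers", IDM, "cert_auth"),        # default SSL pass-through port
    Flow((514,), "UDP", IDM, "syslog server", "syslog"),
    Flow((443,), "HTTPS", IDM, "Workspace ONE UEM REST API", "uem"),
]

# Assumed zone placement for the DMZ deployment described on this page. Only the
# connector lives in the enterprise network; hosts not listed here are left unzoned.
ZONES = {
    IDM: "dmz",
    "VMware Identity Manager service host": "dmz",
    "Load balancer": "dmz",
    "Browsers": "internet",
    "Connector": "enterprise",
    "Hybrid KDC Server in the cloud": "cloud",
    "vapp-updates.vmware.com": "cloud",
    "Workspace ONE UEM REST API": "cloud",
}


def required_flows(features):
    """Return the flows a deployment needs given the optional features it enables."""
    enabled = set(features)
    return [f for f in FLOWS if not f.feature or f.feature in enabled]


def audit_rules(allowed, features):
    """Check an allow-list of (port, source, target) tuples.

    Returns (missing, violations):
      missing    - required flows for which at least one port is not allowed
      violations - allowed rules whose target is in the enterprise zone but whose
                   source is not, i.e. an inbound opening this design does not need
    """
    allowed = set(allowed)
    missing = [
        f for f in required_flows(features)
        if not all((p, f.source, f.target) in allowed for p in f.ports)
    ]
    violations = sorted(
        r for r in allowed
        if ZONES.get(r[2]) == "enterprise" and ZONES.get(r[1]) != "enterprise"
    )
    return missing, violations


def baseline_rules():
    """Allow-list covering exactly the always-required flows (constructed sample)."""
    return {(p, f.source, f.target) for f in required_flows([]) for p in f.ports}


if __name__ == "__main__":
    # Constructed sample: baseline plus a stray inbound rule toward the connector,
    # audited for a deployment that also sends syslog.
    rules = baseline_rules() | {(443, IDM, "Connector")}
    missing, violations = audit_rules(rules, ["syslog"])
    for f in missing:
        print(f"MISSING   {f.ports} {f.source} -> {f.target} ({f.proto})")
    for r in violations:
        print(f"VIOLATION {r[0]} {r[1]} -> {r[2]}: inbound into enterprise zone")
```

Run it as a script to see the report for the constructed sample, or import it and feed `audit_rules` the allow-list exported from your own firewall. The violation check is deliberately narrow: it flags only rules that terminate in the enterprise zone, because the page's design point is that the connector reaches the DMZ appliance outbound and nothing needs to reach the connector from outside.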
Deploying the VMware Identity Manager Appliance
For information about deploying and configuring the VMware Identity Manager virtual appliance, see "Deploying VMware Identity Manager" and "Managing Appliance System Configuration Settings" in Installing and Configuring VMware Identity Manager.
Configuring Failover and Redundancy
For information about configuring failover and redundancy for the VMware Identity Manager virtual appliance, see the following sections in Installing and Configuring VMware Identity Manager:
- Configuring Failover and Redundancy in a Single Datacenter
- Deploying VMware Identity Manager in a Secondary Datacenter for Failover and Redundancy