You can deploy the VMware Identity Manager virtual appliance in the DMZ if you do not want to deploy it in the enterprise network. If you deploy the VMware Identity Manager appliance in the DMZ, you also deploy a standalone VMware Identity Manager connector in outbound-only connection mode in the enterprise network.

System and Network Configuration Requirements

System and network configuration requirements for deploying VMware Identity Manager in the DMZ are similar to the requirements for deploying VMware Identity Manager in the enterprise network, described in "System and Network Configuration Requirements" and "Preparing to Deploy VMware Identity Manager" in Installing and Configuring VMware Identity Manager, except for the differences listed here.

  • You do not need to open an inbound firewall port to any appliance in the enterprise network.

    The VMware Identity Manager virtual appliance is deployed in the DMZ. The VMware Identity Manager connector is deployed in the enterprise network in outbound-only connection mode and communicates with the service through a WebSocket-based communication channel.

  • You do not need to deploy a reverse proxy or load balancer to allow external access to VMware Identity Manager.
  • A load balancer is needed only if you configure high availability and redundancy for the VMware Identity Manager virtual appliance.
  • If you set up certificate authentication on the embedded connector, you need to enable SSL pass-through on the load balancer for the port configured as the SSL pass-through port for certificate authentication. The default port is 7443.
  • The following ports are used. Your deployment might require only a subset of these.

    Port | Source | Target | Description
    443 | Load balancer | VMware Identity Manager virtual appliance | HTTPS
    443 | VMware Identity Manager virtual appliance | Load balancer | HTTPS. Needed to validate the load balancer FQDN when it is set.
    443 | Connector | VMware Identity Manager service host | HTTPS
    443 | Connector | VMware Identity Manager service load balancer | HTTPS
    443 | Browsers | VMware Identity Manager virtual appliance | HTTPS
    88 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP. iOS SSO only.
    5262 | Browsers | VMware Identity Manager virtual appliance | TCP/UDP. Android SSO only.
    88 | VMware Identity Manager virtual appliance | Hybrid KDC Server in the cloud. Hostname is kdc.<realm>, for example kdc.op.vmwareidentity.com. | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used.
    443, 80 | VMware Identity Manager virtual appliance | vapp-updates.vmware.com | Access to the VMware upgrade server
    443 | VMware Identity Manager virtual appliance | catalog.vmwareidentity.com | Access to Cloud Catalog
    443 | VMware Identity Manager virtual appliance | discovery.awmdm.com | Access for Workspace ONE application autodiscovery
    8443 | Browsers | VMware Identity Manager virtual appliance | HTTPS. Administrator port.
    25 | VMware Identity Manager virtual appliance | SMTP server | TCP port to relay outbound mail
    53 | VMware Identity Manager virtual appliance | DNS server | TCP/UDP. Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.
    443, 8443 | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | HTTPS/HTTP. For all VMware Identity Manager instances in a cluster and across clusters in different data centers.
    9300 (TCP), 54328 (UDP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Audit needs
    5701 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Hazelcast cache
    40002 (TCP), 40003 (TCP) | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | Ehcache
    1433 | VMware Identity Manager virtual appliance | Database | Microsoft SQL default port is 1433
    443 | VMware Identity Manager virtual appliance | Workspace ONE UEM REST API | HTTPS. For device compliance checking and for the ACC Password authentication method, if used.
    SSL pass-through port for certificate authentication (default port: 7443) | Browsers | VMware Identity Manager virtual appliance | HTTPS. For certificate authentication configured on the embedded connector.
    514 | VMware Identity Manager virtual appliance | syslog server | UDP. For external syslog server, if configured.
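As an added example that is not part of this documentation, the following Python check turns the documented flows into per-zone-boundary firewall rules and confirms the property this deployment mode is chosen for: nothing has to be opened inbound to the enterprise network. The zone placement is assumed from this section (appliance and load balancer in the DMZ, connector in the enterprise network, browsers and VMware-hosted endpoints on the internet); the database, SMTP, DNS and syslog servers are left out because their location is a site-specific choice.

```python
"""Added example (not VMware's code): group the documented DMZ flows by zone
boundary and check that the enterprise network needs no inbound port opened."""
from collections import defaultdict

# Zone placement assumed from this section. Database, SMTP, DNS and syslog
# servers are site-specific and therefore omitted here.
ZONES = {
    "Browsers": "internet",
    "Load balancer": "dmz",
    "VMware Identity Manager virtual appliance": "dmz",
    "VMware Identity Manager service load balancer": "dmz",
    "Connector": "enterprise",
    "vapp-updates.vmware.com": "internet",
    "discovery.awmdm.com": "internet",
}

# (ports, source, target) rows transcribed from the port table above.
FLOWS = [
    ("443", "Load balancer", "VMware Identity Manager virtual appliance"),
    ("443", "Connector", "VMware Identity Manager service load balancer"),
    ("443", "Browsers", "VMware Identity Manager virtual appliance"),
    ("88", "Browsers", "VMware Identity Manager virtual appliance"),    # iOS SSO
    ("5262", "Browsers", "VMware Identity Manager virtual appliance"),  # Android SSO
    ("8443", "Browsers", "VMware Identity Manager virtual appliance"),  # admin port
    ("7443", "Browsers", "VMware Identity Manager virtual appliance"),  # cert auth pass-through
    ("443, 80", "VMware Identity Manager virtual appliance", "vapp-updates.vmware.com"),
    ("443", "VMware Identity Manager virtual appliance", "discovery.awmdm.com"),
    ("5701", "VMware Identity Manager virtual appliance",
     "VMware Identity Manager virtual appliance"),                     # Hazelcast, intra-DMZ
]

def boundary_rules(flows=FLOWS, zones=ZONES):
    """Return {(source zone, target zone): [ports]} for flows that cross a zone
    boundary. Traffic that stays inside one zone crosses no firewall and is dropped."""
    rules = defaultdict(set)
    for ports, src, dst in flows:
        src_zone, dst_zone = zones[src], zones[dst]
        if src_zone == dst_zone:
            continue
        rules[(src_zone, dst_zone)].update(p.strip() for p in ports.split(","))
    return {pair: sorted(ports, key=int) for pair, ports in rules.items()}

def inbound_to(zone, rules=None):
    """Ports some other zone must be allowed to reach inside `zone`; an empty
    list for "enterprise" is the property this deployment mode is chosen for."""
    rules = boundary_rules() if rules is None else rules
    return sorted({p for (_, dst), ports in rules.items() if dst == zone for p in ports}, key=int)
```

Adding your own site-specific rows (database, syslog, SMTP, DNS) to FLOWS and ZONES shows immediately which of them would force an inbound opening into the enterprise network.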

Deploying the VMware Identity Manager Appliance

For information about deploying and configuring the VMware Identity Manager virtual appliance, see "Deploying VMware Identity Manager" and "Managing Appliance System Configuration Settings" in Installing and Configuring VMware Identity Manager.

Configuring Failover and Redundancy

For information about configuring failover and redundancy for the VMware Identity Manager virtual appliance, see the following sections in Installing and Configuring VMware Identity Manager:

  • Configuring Failover and Redundancy in a Single Datacenter
  • Deploying VMware Identity Manager in a Secondary Datacenter for Failover and Redundancy
Note: The section "Using a Load Balancer or Reverse Proxy to Enable External Access to VMware Identity Manager" is not applicable in scenarios where VMware Identity Manager is deployed in the DMZ.