Consider your entire deployment, including the resources you plan to integrate, when you make decisions about hardware, resources, and network requirements.
Supported vSphere and ESX Versions
You install the virtual appliance in vCenter Server. The following versions of vSphere and ESX server are supported:
- 5.5 and later
- 6.0 and later
The VMware vSphere® Web Client is required to deploy the OVA file and access the deployed virtual appliance remotely.
VMware Identity Manager Connector Virtual Appliance Requirements
Ensure that you meet the requirements for the number of servers and the resources allocated to each server.
Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
---|---|---|---|---|---|
Number of connector servers | 1 server | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers |
CPU (per server) | 2 CPU | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 16 GB |
Disk space (per server) | 60 GB | 60 GB | 60 GB | 60 GB | 60 GB |
Network Configuration Requirements
Component | Minimum Requirement |
---|---|
DNS record and static IP address | The requirements for the connector are the same as the requirements for the VMware Identity Manager virtual appliance. See "Create DNS Records and IP Addresses" in Installing and Configuring VMware Identity Manager. Note: If you plan to set up Kerberos authentication, the connector host name must match the Active Directory domain to which the connector is joined. For example, if the Active Directory domain is sales.example.com, the connector host name must be connectorhost.sales.example.com. If you cannot assign a hostname that matches the Active Directory domain structure, you need to configure the connector and Active Directory manually. See the Knowledge Base for information. |
Firewall port | Ensure that the outbound firewall port 443 is open from the connector instance to your VMware Identity Manager URL. |
Port Requirements
Ports used in the connector server configuration are described below. Your deployment might include only a subset of these.
Port | Source | Target | Description |
---|---|---|---|
443 | Connector virtual appliance | VMware Identity Manager service host | HTTPS |
443 | Connector virtual appliance | VMware Identity Manager service load balancer | HTTPS |
443, 80 | Connector virtual appliance | vapp-updates.vmware.com | Access to the upgrade server |
8443 | Browsers | Connector virtual appliance | HTTPS Administrator Port |
443 | Browsers | Connector virtual appliance | HTTPS. This port is only required for a connector being used in inbound mode. If Kerberos authentication is configured on the connector, this port is required. |
389, 636, 3268, 3269 | Connector virtual appliance | Active Directory | Default values are shown. These ports are configurable. |
5500 | Connector virtual appliance | RSA SecurID system | Default value is shown. This port is configurable. |
53 | Connector virtual appliance | DNS server | TCP/UDP. Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
88, 464, 135, 445 | Connector virtual appliance | Domain controller | TCP/UDP |
389, 443 | Connector virtual appliance | View Connection Server | Access to View Connection Server instances for Horizon/View integrations |
445 | Connector virtual appliance | VMware ThinApp repository | Access to ThinApp repository |
80, 443 | Connector virtual appliance | Integration Broker server | TCP. Connection to the Integration Broker server. Port option depends on whether a certificate is installed on the Integration Broker server. |
514 | Connector virtual appliance | syslog server | UDP. For external syslog server, if configured. |
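Because a deployment might include only a subset of these ports, the firewall should open only the rows for integrations actually in use. The following is an added example, not VMware code: it derives the required rule set from the table above (default port values), compares it with a constructed list of open rules, and checks the Kerberos host name requirement. The feature names, their grouping of table rows, the target labels, and the single-label host name check are assumptions made for illustration.

```python
# Added example. Feature names and target labels are assumptions; ports,
# sources and targets come from the port table (default values).
# Incoming SSH on port 22 is not modelled: the table gives no source for it.
C, B = "connector", "browsers"

ROWS = {
    "base": [(C, "vidm-service-host", 443), (C, "dns-server", 53), (B, C, 8443)],
    "load_balancer": [(C, "vidm-service-lb", 443)],
    "upgrade": [(C, "vapp-updates.vmware.com", p) for p in (443, 80)],
    "inbound_mode": [(B, C, 443)],
    "kerberos": [(B, C, 443)],
    "active_directory": [(C, "active-directory", p) for p in (389, 636, 3268, 3269)],
    "domain_controller": [(C, "domain-controller", p) for p in (88, 464, 135, 445)],
    "rsa_securid": [(C, "rsa-securid", 5500)],
    "view": [(C, "view-connection-server", p) for p in (389, 443)],
    "thinapp": [(C, "thinapp-repository", 445)],
    "integration_broker": [(C, "integration-broker", p) for p in (80, 443)],
    "syslog": [(C, "syslog-server", 514)],
}

def required_rules(features):
    """Union of the table rows for 'base' plus each enabled feature."""
    unknown = set(features) - set(ROWS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    return {rule for f in {"base", *features} for rule in ROWS[f]}

def audit(features, open_rules):
    """Return (missing, excess): rules to add, and open rules not called for."""
    need, have = required_rules(features), set(open_rules)
    return sorted(need - have), sorted(have - need)

def kerberos_hostname_ok(fqdn, ad_domain):
    """True if fqdn is '<one label>.<ad_domain>' (case and trailing dot ignored)."""
    host = fqdn.rstrip(".").lower()
    domain = ad_domain.rstrip(".").lower()
    label, sep, rest = host.partition(".")
    return bool(label) and sep == "." and rest == domain

# Constructed firewall state for a deployment using Active Directory and syslog.
OPEN = [(C, "vidm-service-host", 443), (C, "dns-server", 53), (B, C, 8443),
        (C, "active-directory", 389), (C, "active-directory", 636),
        (C, "thinapp-repository", 445)]  # left over from a removed integration

if __name__ == "__main__":
    print(audit({"active_directory", "syslog"}, OPEN))
    print(kerberos_hostname_ok("connectorhost.sales.example.com", "sales.example.com"))
```

The excess list is the part worth reviewing regularly: it shows rules that remain open after an integration has been removed.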
Supported Directories
You integrate your enterprise directory with VMware Identity Manager and sync users and groups from your enterprise directory to the service. You can integrate the following types of directories.
- An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.
VMware Identity Manager supports Active Directory on Windows 2008, 2008 R2, 2012, and 2012 R2, with a Domain functional level and Forest functional level of Windows 2003 and later.
Note: A higher functional level may be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.
- An LDAP directory
Your directory must be accessible to the connector virtual appliance.
Deployment Checklists
The requirements for the connector are similar to the requirements for the VMware Identity Manager virtual appliance. See "Deployment Checklists" in Installing and Configuring VMware Identity Manager.