Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.
Supported vSphere and ESX Versions
The following versions of vSphere and ESX server are supported:
- 5.5 and later
- 6.0 and later
If you deploy multiple virtual appliances on different hosts, consider disabling the Sync to Host option for time synchronization and configuring the NTP server in each virtual appliance directly to ensure that there is no time drift between the virtual appliances.
Compatibility Between VMware Identity Manager Service and Connector
With the VMware Identity Manager on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the VMware Identity Manager 3.3 service, you can use connector 2018.8.1.0, the connector released with the 3.3 service, and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 19.03 connector with the 3.3 service. Using the latest compatible version of the connector is recommended.
For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.
Hardware Sizing Requirements
Ensure that you meet the requirements for the number of VMware Identity Manager virtual appliances and the resources allocated to each appliance.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
|---|---|---|---|---|---|
| Number of VMware Identity Manager servers | 1 server | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers |
| CPU (per server) | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 32 GB |
| Disk space (per server) | 60 GB | 100 GB | 100 GB | 100 GB | 100 GB |
If you install additional, standalone connectors, ensure that you meet the following requirements.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
|---|---|---|---|---|---|
| Number of connector servers | 1 server | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers |
| CPU (per server) | 2 CPU | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 16 GB |
| Disk space (per server) | 60 GB | 60 GB | 60 GB | 60 GB | 60 GB |
Database Requirements
Set up VMware Identity Manager with an external Microsoft SQL database to store and organize server data.
For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
The following requirements apply to an external SQL Server database. The exact specifications needed for your SQL server depend on the size and needs of your deployment.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
|---|---|---|---|---|---|
| CPU | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM | 4 GB | 4 GB | 8 GB | 16 GB | 32 GB |
| Disk space | 50 GB | 50 GB | 50 GB | 100 GB | 100 GB |
The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for high availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the VMware Identity Manager database supports AlwaysON.
Network Configuration Requirements
| Component | Minimum Requirement |
|---|---|
| DNS record and IP address | IP address and DNS record |
| Firewall port | Ensure that the inbound firewall port 443 is open for users outside the network to the VMware Identity Manager instance or the load balancer. |
| Reverse Proxy | Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to securely access the VMware Identity Manager user portal remotely. VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the VMware Identity Manager appliance. |
Port Requirements
- To sync users and groups from Active Directory, VMware Identity Manager must connect to Active Directory.
- To sync with ThinApp, the VMware Identity Manager must join the Active Directory domain and connect to the ThinApp Repository share.
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | HTTPS | Load Balancer | VMware Identity Manager machine |
|
| 443 | HTTPS | VMware Identity Manager | Load Balancer | Needed to validate the load balancer FQDN when it is set. |
| 443, 8443 | HTTPS/HTTP | VMware Identity Manager machine |
VMware Identity Manager machine |
For all VMware Identity Manager instances in a cluster, and across clusters in different data centers. |
| 443 | HTTPS | Browsers | VMware Identity Manager machine |
|
| 443, 80 | HTTPS, HTTP | VMware Identity Manager machine |
vapp-updates.vmware.com | Access to the upgrade server |
| 443 | HTTPS | VMware Identity Manager machine | discovery.awmdm.com | Access for Workspace ONE application autodiscovery |
| 443 | HTTPS | VMware Identity Manager machine | catalog.vmwareidentity.com | Access to Cloud Catalog |
| 8443 | HTTPS | Browsers | VMware Identity Manager machine |
Administrator Port |
| 25 | SMTP | VMware Identity Manager machine |
SMTP | Port to relay outbound mail |
| 389 636 3268 3269 |
LDAP LDAPS MSFT-GC MSFT-GC-SSL |
VMware Identity Manager machine |
Active Directory | Default values are shown. These ports are configurable. |
| 445 | TCP | VMware Identity Manager machine |
VMware ThinApp repository | Access to the ThinApp repository |
| 5500 | UDP | VMware Identity Manager machine |
RSA SecurID system | Default value is shown. This port is configurable. |
| 53 | TCP/UDP | VMware Identity Manager machine |
DNS server | Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| 88, 464, 135, 445 | TCP/UDP | VMware Identity Manager machine |
Domain controller | |
| 9300 |
TCP | VMware Identity Manager machine |
VMware Identity Manager machine |
Audit needs |
| 54328 |
UDP | |||
| 5701 | TCP | VMware Identity Manager machine | VMware Identity Manager machine | Hazelcast cache |
| 40002 40003 |
TCP | VMware Identity Manager machine | VMware Identity Manager machine | Ehcache |
| 1433 |
TCP | VMware Identity Manager machine |
Database |
Microsoft SQL default port is 1433 |
| 443 |
|
VMware Identity Manager |
Horizon server |
Access to Horizon server |
| 80, 443 | TCP | VMware Identity Manager | Integration Broker server | Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server |
| 443 | HTTPS |
VMware Identity Manager |
Workspace ONE UEM (AirWatch) REST API | For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used. |
| 88 | UDP | Unified Access Gateway |
VMware Identity Manager machine | UDP port to open for mobile SSO |
| 5262 | TCP | Android mobile device | Workspace ONE UEM (AirWatch) HTTPS proxy service | Workspace ONE UEM (AirWatch) Tunnel client routes traffic to the HTTPS proxy for Android devices. |
| 88 | UDP | iOS mobile device | VMware Identity Manager machine | Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service. |
| 443 | HTTPS/TCP | |||
| 514 | UDP | VMware Identity Manager machine | syslog server | UDP For external syslog server, if configured |
| 88 | UDP | VMware Identity Manager machine | Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used. |
Supported Directories
You integrate your enterprise directory with VMware Identity Manager and sync users and groups from your enterprise directory to the service.
- The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.
VMware Identity Manager supports Active Directory on Windows 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.
Supported Web Browsers to Access the VMware Identity Manager Console
The VMware Identity Manager console is a web-based application you use to manage your tenant. You can access the VMware Identity Manager console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.
Supported Browsers to Access the Workspace ONE Portal
End users can access the Workspace ONE portal from the following browsers.
- Mozilla Firefox (latest)
- Google Chrome (latest)
- Safari (latest)
- Internet Explorer 11
- Microsoft Edge browser
- Native browser and Google Chrome on Android devices
- Safari on iOS devices
