Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.

Supported vSphere and ESX Versions

The following versions of vSphere and ESX server are supported:

  • 5.5 and later
  • 6.0 and later
Note: You must turn on time sync at the ESX host level using an NTP server. Otherwise, a time drift occurs between the virtual appliances.

If you deploy multiple virtual appliances on different hosts, consider disabling the Sync to Host option for time synchronization and configuring the NTP server in each virtual appliance directly to ensure that there is no time drift between the virtual appliances.

Compatibility Between VMware Identity Manager Service and Connector

With the VMware Identity Manager on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the VMware Identity Manager 3.3 service, you can use connector 2018.8.1.0, the connector released with the 3.3 service, and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 19.03 connector with the 3.3 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Hardware Sizing Requirements

Ensure that you meet the requirements for the number of VMware Identity Manager virtual appliances and the resources allocated to each appliance.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
Number of VMware Identity Manager servers 1 server 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers
CPU (per server) 2 CPU 2 CPU 4 CPU 8 CPU 8 CPU
RAM (per server) 6 GB 6 GB 8 GB 16 GB 32 GB
Disk space (per server) 60 GB 100 GB 100 GB 100 GB 100 GB

If you install additional, standalone connectors, ensure that you meet the following requirements.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
Number of connector servers 1 server 2 load-balanced servers 2 load-balanced servers 2 load-balanced servers 2 load-balanced servers
CPU (per server) 2 CPU 4 CPU 4 CPU 4 CPU 4 CPU
RAM (per server) 6 GB 6 GB 8 GB 16 GB 16 GB
Disk space (per server) 60 GB 60 GB 60 GB 60 GB 60 GB

Database Requirements

Set up VMware Identity Manager with an external Microsoft SQL database to store and organize server data.

For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

The following requirements apply to an external SQL Server database. The exact specifications needed for your SQL server depend on the size and needs of your deployment.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
CPU 2 CPU 2 CPU 4 CPU 8 CPU 8 CPU
RAM 4 GB 4 GB 8 GB 16 GB 32 GB
Disk space 50 GB 50 GB 50 GB 100 GB 100 GB

The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for high availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the VMware Identity Manager database supports AlwaysON.

Network Configuration Requirements

Component Minimum Requirement
DNS record and IP address IP address and DNS record
Firewall port Ensure that the inbound firewall port 443 is open for users outside the network to the VMware Identity Manager instance or the load balancer.
Reverse Proxy

Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to securely access the VMware Identity Manager user portal remotely.

VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the VMware Identity Manager appliance.

Port Requirements

Ports used in the server configuration are described here. Your deployment might include only a subset of these ports. For example:
  • To sync users and groups from Active Directory, VMware Identity Manager must connect to Active Directory.
  • To sync with ThinApp, the VMware Identity Manager must join the Active Directory domain and connect to the ThinApp Repository share.
Port Protocol Source Target Description
443 HTTPS Load Balancer

VMware Identity Manager machine

443 HTTPS VMware Identity Manager Load Balancer Needed to validate the load balancer FQDN when it is set.
443, 8443 HTTPS/HTTP

VMware Identity Manager machine

VMware Identity Manager machine

For all VMware Identity Manager instances in a cluster, and across clusters in different data centers.
443 HTTPS Browsers

VMware Identity Manager machine

443, 80 HTTPS, HTTP

VMware Identity Manager machine

vapp-updates.vmware.com Access to the upgrade server
443 HTTPS VMware Identity Manager machine discovery.awmdm.com Access for Workspace ONE application autodiscovery
443 HTTPS VMware Identity Manager machine catalog.vmwareidentity.com Access to Cloud Catalog
8443 HTTPS Browsers

VMware Identity Manager machine

Administrator Port
25 SMTP

VMware Identity Manager machine

SMTP Port to relay outbound mail

389

636

3268

3269

LDAP

LDAPS

MSFT-GC

MSFT-GC-SSL

VMware Identity Manager machine

Active Directory Default values are shown. These ports are configurable.
445 TCP

VMware Identity Manager machine

VMware ThinApp repository Access to the ThinApp repository
5500 UDP

VMware Identity Manager machine

RSA SecurID system Default value is shown. This port is configurable.
53 TCP/UDP

VMware Identity Manager machine

DNS server

Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

88, 464, 135, 445 TCP/UDP

VMware Identity Manager machine

Domain controller

9300

TCP

VMware Identity Manager machine

VMware Identity Manager machine

Audit needs

54328

UDP
5701 TCP VMware Identity Manager machine VMware Identity Manager machine Hazelcast cache
40002

40003

TCP VMware Identity Manager machine VMware Identity Manager machine Ehcache

1433

TCP

VMware Identity Manager machine

Database

Microsoft SQL default port is 1433

443

VMware Identity Manager

Horizon server

Access to Horizon server

80, 443 TCP VMware Identity Manager Integration Broker server Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server
443

HTTPS

VMware Identity Manager

Workspace ONE UEM (AirWatch) REST API

For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used.

88 UDP

Unified Access Gateway

VMware Identity Manager machine UDP port to open for mobile SSO
5262 TCP Android mobile device Workspace ONE UEM (AirWatch) HTTPS proxy service Workspace ONE UEM (AirWatch) Tunnel client routes traffic to the HTTPS proxy for Android devices.
88 UDP iOS mobile device VMware Identity Manager machine Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service.
443 HTTPS/TCP
514 UDP VMware Identity Manager machine syslog server UDP

For external syslog server, if configured

88 UDP VMware Identity Manager machine Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used.

Supported Directories

You integrate your enterprise directory with VMware Identity Manager and sync users and groups from your enterprise directory to the service.

  • The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.

    VMware Identity Manager supports Active Directory on Windows 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.

    Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.

Supported Web Browsers to Access the VMware Identity Manager Console

The VMware Identity Manager console is a web-based application you use to manage your tenant. You can access the VMware Identity Manager console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.

Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through VMware Identity Manager.

Supported Browsers to Access the Workspace ONE Portal

End users can access the Workspace ONE portal from the following browsers.

  • Mozilla Firefox (latest)
  • Google Chrome (latest)
  • Safari (latest)
  • Internet Explorer 11
  • Microsoft Edge browser
  • Native browser and Google Chrome on Android devices
  • Safari on iOS devices
Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through VMware Identity Manager.