Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.
Hardware Sizing Requirements
Ensure that you meet the hardware requirements for VMware Identity Manager installations for Windows.
Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
---|---|---|---|---|---|
Number of VMware Identity Manager servers | 1 server | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers |
CPU (per server) | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 32 GB |
Disk space (per server) | 60 GB | 100 GB | 100 GB | 100 GB | 100 GB |
If you install additional, standalone connectors, ensure that you meet the following requirements.
Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
---|---|---|---|---|---|
Number of connector servers | 1 server | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers |
CPU (per server) | 2 CPU | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 16 GB |
Disk space (per server) | 60 GB | 60 GB | 60 GB | 60 GB | 60 GB |
Software Requirements for Windows Installation
Ensure your VMware Identity Manager Windows server meets the following software requirements.
Requirement | Notes |
---|---|
Supported versions of Windows Server
|
|
PowerShell 4.0 or later | Active Directory module for PowerShell (RSAT-AD-PowerShell) |
JRE 1.8 installed | The VMware Identity Manager installer installs the latest version if it is not installed before deployment. If your JRE is an older version, the installer automatically updates the version, but does not remove the existing JRE. You must manually uninstall earlier versions. |
RabbitMQ Server | The VMware Identity Manager installer installs RabbitgMQ server, if it is not installed before deployment. |
Erlang | The VMware Identity Manager installer installs Erlang, if it is not installed before deployment. |
Notepad++ | Recommend Notepad++ when making configuration edits. Notepad++ preserves the line break. Do not use Notepad. |
Database Requirements
Set up VMware Identity Manager with an external Microsoft SQL database to store and organize server data.
For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
The following requirements apply to an external SQL Server database. The exact specifications needed for your SQL server depend on the size and needs of your deployment.
Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
---|---|---|---|---|---|
CPU | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
RAM | 4 GB | 4 GB | 8 GB | 16 GB | 32 GB |
Disk space | 50 GB | 50 GB | 50 GB | 100 GB | 100 GB |
The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for high availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the VMware Identity Manager database supports AlwaysON.
Network Configuration Requirements
Component | Minimum Requirement |
---|---|
DNS record and IP address | IP address and DNS record VMware Identity Manager uses either the hostname.domainname or hostname.workgroupname during the install. These names must be set to match the DNS name of the server. |
Firewall port | Ensure that the inbound firewall port 443 is open for users outside the network to the VMware Identity Manager instance or the load balancer. |
Reverse Proxy | Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to securely access the VMware Identity Manager user portal remotely. VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the VMware Identity Manager appliance. |
Port Requirements
- To sync users and groups from Active Directory, VMware Identity Manager must connect to Active Directory.
Port | Protocol | Source | Target | Description |
---|---|---|---|---|
443 | HTTPS | Load Balancer | VMware Identity Manager machine |
|
443 | HTTPS | VMware Identity Manager machine | Load Balancer | Needed to validate the load balancer FQDN when it is set. |
443, 8443 | HTTPS/HTTP | VMware Identity Manager machine |
VMware Identity Manager machine |
For all VMware Identity Manager instances in a cluster, and across clusters in different data centers. |
443 | HTTPS | Browsers | VMware Identity Manager machine |
|
443 | HTTPS | VMware Identity Manager machine | discovery.awmdm.com | Access for Workspace ONE application autodiscovery |
443 | HTTPS | VMware Identity Manager machine | catalog.vmwareidentity.com | Access to Cloud Catalog |
8443 | HTTPS | Browsers | VMware Identity Manager machine |
Administrator Port |
25 | SMTP | VMware Identity Manager machine |
SMTP | Port to relay outbound mail |
389 636 3268 3269 |
LDAP LDAPS MSFT-GC MSFT-GC-SSL |
VMware Identity Manager machine |
Active Directory | Default values are shown. These ports are configurable. |
5500 | UDP | VMware Identity Manager machine |
RSA SecurID system | Default value is shown. This port is configurable. |
53 | TCP/UDP | VMware Identity Manager machine |
DNS server | Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
88, 464, 135, 445 | TCP/UDP | VMware Identity Manager machine |
Domain controller | |
9300 |
TCP | VMware Identity Manager machine |
VMware Identity Manager machine |
Audit needs |
54328 |
UDP | |||
5701 | TCP | VMware Identity Manager machine | VMware Identity Manager machine | Hazelcast cache |
40002 40003 |
TCP | VMware Identity Manager machine | VMware Identity Manager machine | Ehcache |
1433 |
TCP | VMware Identity Manager machine |
Database |
Microsoft SQL default port is 1433 |
443 |
|
VMware Identity Manager machine |
View server |
Access to View server |
80, 443 | TCP | VMware Identity Manager machine | Integration Broker server | Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server |
443 | HTTPS |
VMware Identity Manager macine |
AirWatch REST API | For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used. |
88 | UDP | Unified Access Gateway |
VMware Identity Manager machine | UDP port to open for mobile SSO |
5262 | TCP | Android mobile device | AirWatch HTTPS proxy service | AirWatch Tunnel client routes traffic to the HTTPS proxy for Android devices. |
88 | UDP | iOS mobile device | VMware Identity Manager machine | Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service. |
443 | HTTPS/TCP | |||
514 | UDP | VMware Identity Manager machine | syslog server | UDP For external syslog server, if configured |
88 | UDP | VMware Identity Manager machine | Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com | UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used. |
Supported Directories
You integrate your enterprise directory with VMware Identity Manager and sync users and groups from your enterprise directory to the service.
- The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.
VMware Identity Manager supports Active Directory on Windows 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.
Supported Web Browsers to Access the VMware Identity Manager Console
The VMware Identity Manager console is a web-based application you use to manage your tenant. You can access the VMware Identity Manager console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.
Supported Browsers to Access the Workspace ONE Portal
End users can access the Workspace ONE portal from the following browsers.
- Mozilla Firefox (latest)
- Google Chrome (latest)
- Safari (latest)
- Internet Explorer 11
- Microsoft Edge browser
- Native browser and Google Chrome on Android devices
- Safari on iOS devices