Consider your entire deployment, including how you integrate resources, when you make decisions about hardware, resources, and network requirements.

Hardware Sizing Requirements

Ensure that you meet the hardware requirements for VMware Identity Manager installations for Windows.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
Number of VMware Identity Manager servers 1 server 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers 3 load-balanced servers
CPU (per server) 2 CPU 2 CPU 4 CPU 8 CPU 8 CPU
RAM (per server) 6 GB 6 GB 8 GB 16 GB 32 GB
Disk space (per server) 60 GB 100 GB 100 GB 100 GB 100 GB

If you install additional, standalone connectors, ensure that you meet the following requirements.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
Number of connector servers 1 server 2 load-balanced servers 2 load-balanced servers 2 load-balanced servers 2 load-balanced servers
CPU (per server) 2 CPU 4 CPU 4 CPU 4 CPU 4 CPU
RAM (per server) 6 GB 6 GB 8 GB 16 GB 16 GB
Disk space (per server) 60 GB 60 GB 60 GB 60 GB 60 GB

Software Requirements for Windows Installation

Ensure your VMware Identity Manager Windows server meets the following software requirements.

Requirement Notes
Supported versions of Windows Server
  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016
PowerShell 4.0 or later Active Directory module for PowerShell (RSAT-AD-PowerShell)
JRE 1.8 installed The VMware Identity Manager installer installs the latest version if it is not installed before deployment.

If your JRE is an older version, the installer automatically updates the version, but does not remove the existing JRE. You must manually uninstall earlier versions.

RabbitMQ Server The VMware Identity Manager installer installs RabbitgMQ server, if it is not installed before deployment.
Erlang The VMware Identity Manager installer installs Erlang, if it is not installed before deployment.
Notepad++ Recommend Notepad++ when making configuration edits. Notepad++ preserves the line break. Do not use Notepad.

Database Requirements

Set up VMware Identity Manager with an external Microsoft SQL database to store and organize server data.

For information about the Microsoft SQL database versions and service pack configurations supported, see the VMware Product Interoperability Matrices at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

The following requirements apply to an external SQL Server database. The exact specifications needed for your SQL server depend on the size and needs of your deployment.

Number of Users Up to 1,000 1,000-10,000 10,000-25,000 25,000-50,000 50,000-100,000
CPU 2 CPU 2 CPU 4 CPU 8 CPU 8 CPU
RAM 4 GB 4 GB 8 GB 16 GB 32 GB
Disk space 50 GB 50 GB 50 GB 100 GB 100 GB

The SQL Server AlwaysOn capability is a combination of failover clustering and database mirroring combined with log shipping for high availability. AlwaysON allows for multiple read copies of your database and a single read-write copy for operations. If your deployment environment has the bandwidth to support the traffic generated, the VMware Identity Manager database supports AlwaysON.

Network Configuration Requirements

Component Minimum Requirement
DNS record and IP address IP address and DNS record

VMware Identity Manager uses either the hostname.domainname or hostname.workgroupname during the install. These names must be set to match the DNS name of the server.

Firewall port Ensure that the inbound firewall port 443 is open for users outside the network to the VMware Identity Manager instance or the load balancer.
Reverse Proxy

Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to securely access the VMware Identity Manager user portal remotely.

VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the VMware Identity Manager appliance.

Port Requirements

Ports used in the server configuration are described here. Your deployment might include only a subset of these ports. For example:
  • To sync users and groups from Active Directory, VMware Identity Manager must connect to Active Directory.
Port Protocol Source Target Description
443 HTTPS Load Balancer

VMware Identity Manager machine

443 HTTPS VMware Identity Manager machine Load Balancer Needed to validate the load balancer FQDN when it is set.
443, 8443 HTTPS/HTTP

VMware Identity Manager machine

VMware Identity Manager machine

For all VMware Identity Manager instances in a cluster, and across clusters in different data centers.
443 HTTPS Browsers

VMware Identity Manager machine

443 HTTPS VMware Identity Manager machine discovery.awmdm.com Access for Workspace ONE application autodiscovery
443 HTTPS VMware Identity Manager machine catalog.vmwareidentity.com Access to Cloud Catalog
8443 HTTPS Browsers

VMware Identity Manager machine

Administrator Port
25 SMTP

VMware Identity Manager machine

SMTP Port to relay outbound mail

389

636

3268

3269

LDAP

LDAPS

MSFT-GC

MSFT-GC-SSL

VMware Identity Manager machine

Active Directory Default values are shown. These ports are configurable.
5500 UDP

VMware Identity Manager machine

RSA SecurID system Default value is shown. This port is configurable.
53 TCP/UDP

VMware Identity Manager machine

DNS server

Every virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

88, 464, 135, 445 TCP/UDP

VMware Identity Manager machine

Domain controller

9300

TCP

VMware Identity Manager machine

VMware Identity Manager machine

Audit needs

54328

UDP
5701 TCP VMware Identity Manager machine VMware Identity Manager machine Hazelcast cache
40002

40003

TCP VMware Identity Manager machine VMware Identity Manager machine Ehcache

1433

TCP

VMware Identity Manager machine

Database

Microsoft SQL default port is 1433

443

VMware Identity Manager machine

View server

Access to View server

80, 443 TCP VMware Identity Manager machine Integration Broker server Connection to the Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server
443

HTTPS

VMware Identity Manager macine

AirWatch REST API

For device compliance checking and for the AirWatch Cloud Connector password authentication method, if that is used.

88 UDP

Unified Access Gateway

VMware Identity Manager machine UDP port to open for mobile SSO
5262 TCP Android mobile device AirWatch HTTPS proxy service AirWatch Tunnel client routes traffic to the HTTPS proxy for Android devices.
88 UDP iOS mobile device VMware Identity Manager machine Port used for Kerberos traffic from iOS devices to the hosted cloud KDC service.
443 HTTPS/TCP
514 UDP VMware Identity Manager machine syslog server UDP

For external syslog server, if configured

88 UDP VMware Identity Manager machine Hybrid KDC Server in the cloud. Hostname is kdc.<realm>. For example, kdc.op.vmwareidentity.com UDP port used to authenticate iOS Mobile SSO auth adapter configuration updates that are saved to the cloud KDC service. This port is only used if the Hybrid KDC iOS Mobile SSO feature is used.

Supported Directories

You integrate your enterprise directory with VMware Identity Manager and sync users and groups from your enterprise directory to the service.

  • The Active Directory environment can consist of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.

    VMware Identity Manager supports Active Directory on Windows 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.

    Note: A higher functional level might be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.

Supported Web Browsers to Access the VMware Identity Manager Console

The VMware Identity Manager console is a web-based application you use to manage your tenant. You can access the VMware Identity Manager console from the latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11.

Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through VMware Identity Manager.

Supported Browsers to Access the Workspace ONE Portal

End users can access the Workspace ONE portal from the following browsers.

  • Mozilla Firefox (latest)
  • Google Chrome (latest)
  • Safari (latest)
  • Internet Explorer 11
  • Microsoft Edge browser
  • Native browser and Google Chrome on Android devices
  • Safari on iOS devices
Note: In Internet Explorer 11, JavaScript must be enabled and cookies allowed to authenticate through VMware Identity Manager.