If you are upgrading to Workspace ONE® Access™ (formerly known as VMware Identity Manager™) 20.10 from a version prior to 20.01, to use the new Workspace ONE Access 20.10 connectors you must follow a migration process. The process includes installing new 20.10 connectors and migrating your existing directories to the new connectors. You cannot directly upgrade 19.03.x or earlier versions of the connector to 20.10.
Beginning with version 20.01, the Workspace ONE Access connector is a collection of enterprise services that can be installed individually or together on Windows servers. It includes the following services:
- Directory Sync service: Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service
- User Auth service: Provides connector-based authentication methods including Password (cloud deployment), RSA SecurID (cloud deployment), and RADIUS (cloud deployment)
- Kerberos Auth service: Provides Kerberos authentication for internal users
To migrate to the 20.10 connector from legacy connectors, you migrate your directories. When you migrate the directories, all data, including authentication methods and identity providers, is migrated.
Requirements for Migration
- Workspace ONE Access 20.x connectors do not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApps integrations). If your deployment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.10 connectors.
To integrate Horizon, Horizon Cloud, or Citrix applications and desktops, use VMware Identity Manager connector (Windows) version 19.03.0.1. To integrate ThinApp packaged applications, use VMware Identity Manager connector (Linux) version 2018.8.1.0.
- You need one or more Windows servers to install the 20.10 connector. The Directory Sync, User Auth, and Kerberos Auth services can be installed together on one server or separately on different servers. See Installing Workspace ONE Access Connector 20.10 for requirements.
You can install the 20.10 connector either on a new server or on the legacy 19.03.x connector server. However, if Kerberos authentication is configured on your legacy connector, you must use a separate Windows server to install the 20.10 Kerberos Auth service. Do not install the new Kerberos Auth service on the 19.03.x connector server. Workspace ONE Access does not support multiple instances of Kerberos on the same server.
If you plan to install the 20.10 connector on a new server, see Installing Workspace ONE Access Connector 20.10 for system requirements. If you are planning to install the 20.10 connector on a Windows server that has a 19.03.x connector installed, see Migrating to Latest Connector on a Windows Server Running Workspace ONE Access 19.03.x.
During the migration process, you will switch between using the old connectors and the new connectors to test the migration. The 19.03.x legacy connector servers must be running during the migration process. Do not uninstall the 19.03.x connectors until the migration is complete.
- All existing connectors in your tenant must be version 19.03.x. If you have any older connectors, upgrade them to 19.03.x first.
- If you have an on-premises instance of the Workspace ONE Access service, upgrade the service to version 20.10 before migrating to 20.10 connectors.
- During migration, you must migrate all the directories in your tenant to the 20.10 connector. You cannot choose to migrate a subset of the directories.
- After migration, you can use only the new 20.10 connectors. You cannot have a mix of legacy connectors and 20.10 connectors in your environment.
- If you have 19.03.0.1 connectors installed and you are planning to migrate them, consider migrating to connector version 20.10 instead of 20.01.x. There is a known issue with migration from connector version 19.03.0.1 to version 20.01.x if your Workspace ONE Access directory of type Active Directory over LDAP or IWA has the External ID option set to any attribute other than the default value of objectGUID. When you migrate the directory as part of connector migration, all users will be deleted and added back. As a result, all users will be logged out and will have to log in again. You will also have to reconfigure user entitlements.
Note: If you are using the on-premises Workspace ONE Access service, keep in mind that the connector version must be equal to or lower than the service version.