To deploy the Workspace ONE Access 20.01 connector, which includes the Directory Sync service, User Auth service, and Kerberos Auth service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.

Compatibility Between Workspace ONE Access Service and Connector

You can use the Workspace ONE Access connector with the Workspace ONE Access Cloud service or with the on premises Workspace ONE Access service virtual appliance.

With the Workspace ONE Access Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.

With the Workspace ONE Access on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the Workspace ONE Access 20.01 service, you can use connector 20.01.x and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.01 connector with the 19.03 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Number of Servers Required

You can install the Directory Sync, User Auth, and Kerberos Auth services together on a single Windows server or install them on separate servers in any combination, depending on your preferences. To install all the services together, you need a more powerful server. To install the services separately, you need to obtain multiple servers.

Multiple servers are required if you want to set up high availability for any of the services.

Also consider that the Kerberos Auth service requires inbound connectivity while the other services do not.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.

  • Operating System: Windows Server 2012R2 Standard 64 bit or higher
  • Processor: Inte(R)Xeon(R) CPU E5-2650 0@2.00 GHZ (2 processors) x64 bit processor or higher
Table 1. Sizing Guidelines for Directory Sync Service Only
Deployment Size Hardware Requirements Number of Users and Groups
Small 2 vCPU, 8 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=4g

Up to 50,000 users and 500 groups
Medium 4 vCPU, 8 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=4g

Up to 100,000 users and 1,000 groups
Large 8 vCPU, 12 GB RAM, 40 GB Disk Space

Java memory allocation for Directory Sync service: xmx=8g

Up to 200,000 users and 2,000 groups
Table 2. Sizing Guidelines for User Auth Service or Kerberos Auth Service Only
Deployment Size Hardware Requirement for User Auth or Kerberos Auth Service Server User Auth Service Kerberos Auth Service
Small/Medium/Large 2 vCPU, 4 GB RAM, 40 GB Disk Space

Java memory allocation for User Auth service or Kerberos Auth service: xmx=1g

Password authentications: 390 - 480/min

WSFed Active Flow: 720 - 900/min

Kerberos authentications: 420 - 480/min
Note: The User Auth service and Kerberos Auth service nodes are not vertically scalable. For better throughput, add more nodes.
Table 3. Sizing Guidelines for All Services Installed on a Single Server
Deployment Size Hardware Requirements Directory Sync
Small 2 vCPU, 8GB RAM, 40GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=4g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Up to 50,000 users and 500 groups
Medium 4 vCPU, 8GB RAM, 40GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=4g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Up to 100,000 users and 1,000 groups
Large 8 vCPU, 16GB RAM, 40GB Disk Space

Java Memory Allocation:

Directory Sync service: xmx=8g

Kerberos Auth service: xmx=1g

User Auth service: xmx=1g

Up to 200,000 users and 2,000 groups
Note:
  • The Memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.
  • The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service, 1 GB to the User Auth service, and 1 GB to the Kerberos Auth service. See Increasing Java Memory for Enterprise Services for information on how to allocate memory.
  • The groups listed for the Directory Sync service are all one level, each group contains 500 users, and each user is associated with 5 groups.
  • Deployments with large groups or nested groups require more memory.

Software Requirements

Ensure the Windows server meets the following software requirements.

Requirement Notes

Windows Server 2019 or

Windows Server 2016 or

Windows Server 2012 R2

Note: As of September 2020, Windows Server 2008 R2 is no longer supported.
PowerShell Windows servers include PowerShell by default.
Note: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.

As of September 2020, Windows Server 2008 R2 is no longer supported.

.NET Framework 4.6.2 or later Windows servers include .NET Framework by default. Workspace ONE Access connector requires .NET Framework 4.6.2 or later.

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Workspace ONE Access connector. The outbound connection must remain open at all times.

Source Destination Port Protocol Notes
Workspace ONE Access connector Workspace ONE Access service (cloud)

Workspace ONE Access service host (on-premises installations)

443 HTTPS Default port; required

Applies to Directory Sync service, User Auth service, and Kerberos Auth service

Workspace ONE Access connector Workspace ONE Access service load balancer (on-premises installations) 443 HTTPS Applies to Directory Sync service, User Auth service, and Kerberos Auth service
Browsers Workspace ONE Access connector 443 HTTPS Required for Kerberos Auth service
Workspace ONE Access connector Active Directory 389, 636, 3268, 3269 Default ports; these ports are configurable

Applies to Directory Sync service. Also applies to User Auth service if password authentication is used.

Workspace ONE Access connector DNS server 53 TCP/UDP Every connector instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

Applies to Directory Sync service, User Auth service, and Kerberos Auth service.

Workspace ONE Access connector Domain controller 88, 464, 135, 445 TCP/UDP Applies to Directory Sync service and Kerberos Auth service
Workspace ONE Access connector RSA SecurID system 5500 Default port; this port is configurable

Applies to User Auth service if RSA SecurID is used

Workspace ONE Access connector syslog server 514 UDP Default port; this port is configurable

Port for external syslog server, if configured. Applies to Directory Sync service, User Auth service, and Kerberos Auth service

Workspace ONE Access Cloud IP Addresses

See https://kb.vmware.com/s/article/68035 for the list of Workspace ONE Access cloud service IP addresses to which the Workspace ONE Access connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector server if you intend to install the Kerberos Auth service. The Workspace ONE Access connector host name is visible to end users when Kerberos authentication is configured.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 4. Example of Forward DNS Records and IP Addresses
Domain Name Resource Type IP Address
myconnector.example.com A 10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 5. Example of Reverse DNS Records and IP Addresses
IP Address Resource Type Host Name
10.28.128.3 PTR myconnector.example.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the DNS name lookup.

Load Balancer

A load balancer is required if you want to configure high availability for Kerberos authentication.

Time Synchronization

Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.