VMware Identity Manager 2.9.2 – Workspace ONE – Installation in DMZ with Outbound-Only Connection Mode

Hi All,

In this post, we will go over one of the many deployment scenarios of VMware Identity Manager 2.9.2 aka Workspace ONE. As always please check the latest guides available at http://docs.vmware.com, more precisely for Identity Manager: https://docs.vmware.com/en/VMware-Identity-Manager/2.9.1/com.vmware.wsp-install_29/GUID-96E2F98A-5B90-4F81-A302-8264E6362494.html . VMware Identity Manager deployment topology and procedures can change based on your requirements in your environment and and also per integration needs on-premise or cloud with Airwatch, Horizon etc. For deployment options, please also visit here.

I will try to summarize what needs to be done when deployed on-premise (for Demo) within DMZ; “On Premises Deployment Model Using VMware Identity Manager Connector in Outbound-Only Connection Mode”.  And, we will build on this post later…

The topology I will be following is:

OutboundMode

This mode supports all authentication methods, namely;

  • Password – uses the connector
  • RSA Adaptive Authentication – uses the connector
  • RSA SecurID – uses the connector
  • RADIUS – uses the connector
  • Certificate (cloud deployment) – through the Built-in identity provider
  • VMware Verify – through the Built-in identity provider
  • Mobile SSO (iOS) – through the Built-in identity provider
  • Mobile SSO (Android) – through the Built-in identity provider
  • Inbound SAML through a third-party identity provider

Installation Video:

Lets get our hands dirty:

  1. The OVF is provided for VMware Identity Manager. Download both Identity Manager Server and its Connector appliance
  2. For required network ports, please refer to the documentation.
  3. Create DNS (Forward and Reverse) for VMware Identity Manager: SPLIT DNS is required for the scenario mentioned here, and appliance needs to point to your internal DNS Servers.
  4. For Production, external DB is required but as the scope here is for demo, built-in internal DB will be used.
  5. Deploy OVF… Nothing extraordinary, IP, subnet, hostname, DNS etc.
    Note: The Domain Name and Domain Search Path are not used. You can leave these blank….
    FQDN might change per your environment. In this scenario, my FQDN will be public FQDN: I want to have my users to use the same name while connecting internally and externally, and this will be only server.
  6. Once the appliance is deployed, power on the appliance, and go to configuration page at: https://FQDN:8443 after powering on the appliance…If you get HSTS Error, you need to delete the FQDN from your browser as stated at “VMware Identity Manager self signed certificate gives a HSTS message (2147071)”
    Per my experience, also clear the browsing history, cached files etc. and then try to relaunch browser.

IDM

Specify Passwords:

IDM

Choose DB.

IDM

Processing…

IDM

And Done.

 

Now, login to administrator console, go to “Appliance Settings > Manage Configuration” (or https://FQDN:8443 > Appliance Settings) to Update SSL certificate depending on your FQDN and then change Identity Manager FQDN if necessary.  Updating the SSL certificate might take some time, so be patient. then you may use the new FQDN to login to administrator console. You need to have private key and chain certificates in PEM format to copy/paste.  You can also user Terminate SSL on a load balancer option if your IDM is behind a load balancer within this page.

certificate

 

That’s all for the Identity Manager server deployment. You may login to administrator console with the password you provided earlier, https://FQDN..

Before configuring it, lets get done with deployment and lets deploy connector appliance now. Again for all great stuff, visit documentation for the connector. Per your requirements, you may (or not) need the connector as it is also built within the server appliance as well.

During installation of the connector appliance you will need an activation key. For this, login to VMware Identity Manager Administrator console and go to “Setup > Connectors > Add Connector”, and Enter name and click generate activation Code. Save it!

Deploying connector Appliance is pretty similar. Once deployed and powered on, go to https://FQDN_Connector to configure. You will need to provide appliance passwords and need to paste the activation code created earlier. Done…

Now, you can setup Directory settings to sync up with. Go to Administrator console under Directories Section, and Add Directory:

  • Choose Active Directory over LDAP if there is only one domain.

  • Choose, Integrated Windows Authentication if you want to connect to connect to multi-domain/forest.

    Directory

    Scroll down:

Directory

Click Save and Next:

Directory

Select User Attributes

Directory

 

Then go to connectors page again, click on the connector created and select Auth adapters, enable at least one (Password for now)… This might have already be enabled for you.

auth adapters

Once you click on PasswordIdpAdapter, if you followed the design here, you will be redirected to the connector appliance page with the following screen:

auth adapters

 

 

In order to apply outbound connection mode, associate the connector with the Built-in provider. Go to Identity Providers, click on Built In,

 

Provider

And, in the Connectors Section, select the Connector within Dropdown box and click Add. Then you can specify Users, Network, etc.

Provider

And the last but not the least configuration is to change Policies to be able to use Cloud Deployed (Connector) password (If you miss this step, when you try to login, IDM server will redirect you to connector appliance’s URL.

Go to Policies and select default access policy set:

Policies

Select Authentication method and

 

Policies

Change the “the user may authenticate using the following method” to “Password (Cloud Deployment)

Policies

That is it for initial setup. More later.

 

 

 

 

Bulent Tolu

Bulent Tolu

Sr. Systems Engineer at VMware
Bulent is an IT professional with Master's in MIS and 10-years of experience in broad range of Information Technologies. He is exposed to engineering/architecting, implementation/integration, and administration of various high-available IT systems and infrastructure. He has a passion to continually research, test and evaluate new technologies and follow industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Systems Engineer at VMware.
Bulent Tolu

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation

Share
Translate »