VMware Identity Manager 2.9.2 – Workspace ONE – Installation in DMZ with Outbound-Only Connection Mode
In this post, we will go over one of the many deployment scenarios of VMware Identity Manager 2.9.2, aka Workspace ONE. As always, please check the latest guides available at http://docs.vmware.com, more precisely for Identity Manager: https://docs.vmware.com/en/VMware-Identity-Manager/2.9.1/com.vmware.wsp-install_29/GUID-96E2F98A-5B90-4F81-A302-8264E6362494.html . The VMware Identity Manager deployment topology and procedures can change based on the requirements of your environment and also on your on-premises or cloud integration needs with AirWatch, Horizon etc. For deployment options, please also see the documentation.
I will try to summarize what needs to be done when deploying on-premises (for a demo) within the DMZ, following the “On Premises Deployment Model Using VMware Identity Manager Connector in Outbound-Only Connection Mode”. And, we will build on this post later…
The topology I will be following is:
- Password – uses the connector
- RSA Adaptive Authentication – uses the connector
- RSA SecurID – uses the connector
- RADIUS – uses the connector
- Certificate (cloud deployment) – through the Built-in identity provider
- VMware Verify – through the Built-in identity provider
- Mobile SSO (iOS) – through the Built-in identity provider
- Mobile SSO (Android) – through the Built-in identity provider
- Inbound SAML through a third-party identity provider
Let's get our hands dirty:
- The OVF is provided for VMware Identity Manager. Download both the Identity Manager Server and its Connector appliance.
- For the required network ports, please refer to the documentation.
- Create DNS records (forward and reverse) for VMware Identity Manager. Split DNS is required for the scenario described here, and the appliance needs to point to your internal DNS servers.
- For production, an external DB is required, but as the scope here is a demo, the built-in internal DB will be used.
- Deploy the OVF… Nothing extraordinary: IP, subnet, hostname, DNS etc.
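The DNS and firewall prerequisites above are the usual causes of a failed first login after the OVF is deployed, so it is worth checking them from each network zone before continuing. The following Python script is an added example (not from the original post or from VMware) that checks forward and reverse resolution of the appliance FQDN as seen from wherever it runs, and TCP reachability of the two ports the post uses (443 for the consoles on the FQDN, 8443 for the appliance configuration page). The hostname idm.example.com and address 192.0.2.10 are placeholders; run it once from inside the DMZ and once from an internal client to confirm that split DNS returns the address you expect on each side.

```python
import socket

# Ports used in the post: 443 for the consoles on the public FQDN,
# 8443 for the appliance configuration page.
APPLIANCE_PORTS = (443, 8443)


def resolve_forward(fqdn):
    """IPv4 addresses the local resolver returns for the name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def resolve_reverse(ip):
    """PTR name for the address, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def same_name(a, b):
    """Compare hostnames ignoring case and a trailing dot."""
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def check_dns(fqdn, expected_ip):
    """Split-DNS check from wherever this runs: the FQDN must resolve to
    expected_ip, and expected_ip must resolve back to the FQDN."""
    forward = resolve_forward(fqdn)
    reverse = resolve_reverse(expected_ip)
    return {
        "forward": sorted(forward),
        "reverse": reverse,
        "forward_ok": expected_ip in forward,
        "reverse_ok": reverse is not None and same_name(reverse, fqdn),
    }


def port_open(host, port, timeout=3.0):
    """TCP connect test, used to confirm the firewall rules between zones."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=APPLIANCE_PORTS):
    """Map each port to whether a TCP connection to host succeeds."""
    return {port: port_open(host, port) for port in ports}


if __name__ == "__main__":
    # Placeholders: replace with your appliance FQDN and the address it should
    # resolve to on the side of the split DNS you are testing.
    fqdn, expected = "idm.example.com", "192.0.2.10"
    dns = check_dns(fqdn, expected)
    print("DNS:", dns)
    if dns["forward_ok"]:
        print("ports:", check_ports(fqdn))
```

If the internal run resolves the FQDN to the public address, the appliance (which points at the internal DNS servers) will be reached through the perimeter instead of directly, which is exactly what split DNS is meant to avoid.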
Note: The Domain Name and Domain Search Path are not used. You can leave these blank.
The FQDN might differ per your environment. In this scenario, my FQDN will be the public FQDN: I want my users to use the same name when connecting internally and externally, and this will be the only server.
- Once the appliance is deployed, power it on and go to the configuration page at https://FQDN:8443. If you get an HSTS error, you need to delete the FQDN from your browser's HSTS list as stated in “VMware Identity Manager self signed certificate gives a HSTS message (2147071)”.
Per my experience, also clear the browsing history, cached files etc. and then try to relaunch the browser.
Now, log in to the administrator console and go to “Appliance Settings > Manage Configuration” (or https://FQDN:8443 > Appliance Settings) to update the SSL certificate for your FQDN, and then change the Identity Manager FQDN if necessary. Updating the SSL certificate might take some time, so be patient; afterwards you can use the new FQDN to log in to the administrator console. You need the private key and the certificate chain in PEM format to copy/paste. You can also use the Terminate SSL on a load balancer option on this page if your IDM is behind a load balancer.
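Because the certificate and key are pasted as text, a truncated paste, a CSR pasted in place of the issued certificate, or a passphrase-protected key are easy mistakes to make, and the appliance only reports a failed update. The following Python script is an added example, not part of the post or of the product, that lints the two fields before you paste them: every PEM block must be valid base64 containing a complete DER object (the outer length the header claims must match the bytes present), the chain field must contain only CERTIFICATE blocks, and the key field exactly one private key. It assumes the form expects an unencrypted key, which the post does not state. It does not check that the key matches the certificate or that the chain is in leaf-first order; use openssl for those checks.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Labels accepted in the private key field (PKCS#8, PKCS#1 and SEC1 keys).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def der_total_length(der):
    """Size in bytes that the outer DER SEQUENCE claims, header included.

    Returns None if the bytes do not start with a SEQUENCE tag. A paste that
    was cut off keeps its header but loses trailing bytes, so the claimed
    size no longer matches what is actually present.
    """
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n bytes of length follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append((label, der))
    return blocks


def check_bundle(chain_text, key_text):
    """Lint the two fields; returns a list of problems (empty means OK)."""
    problems = []
    try:
        certs = parse_pem_bundle(chain_text)
        keys = parse_pem_bundle(key_text)
    except ValueError as exc:
        return [str(exc)]

    if not certs:
        problems.append("no CERTIFICATE block found in the chain field")
    for i, (label, der) in enumerate(certs):
        if label == "CERTIFICATE REQUEST":
            problems.append(f"chain block {i}: this is a CSR, not an issued certificate")
        elif label != "CERTIFICATE":
            problems.append(f"chain block {i}: unexpected {label} block")
        if der_total_length(der) != len(der):
            problems.append(f"chain block {i}: DER length mismatch (truncated paste?)")

    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, der in keys:
        if label == "ENCRYPTED PRIVATE KEY":
            # Assumption: the form takes an unencrypted PEM key.
            problems.append("private key is passphrase-protected; paste an unencrypted PEM key")
        elif label not in KEY_LABELS:
            problems.append(f"unexpected {label} block in the private key field")
        if der_total_length(der) != len(der):
            problems.append("private key: DER length mismatch (truncated paste?)")
    return problems


def make_pem(label, der):
    """Build a PEM block from raw bytes; used here only to construct samples."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE standing in for real objects.
    sample = b"\x30\x03\x02\x01\x05"
    print(check_bundle(make_pem("CERTIFICATE", sample) * 2, make_pem("PRIVATE KEY", sample)))
    print(check_bundle(make_pem("CERTIFICATE", sample[:-1]), make_pem("PRIVATE KEY", sample)))
```

In practice you would read the two files you are about to paste and pass their contents to check_bundle; an empty result means the layout is right, and any other result tells you which block to look at before you spend time waiting for the appliance to apply it.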
That's all for the Identity Manager server deployment. You may log in to the administrator console at https://FQDN with the password you provided earlier.
Before configuring it, let's finish the deployment by deploying the connector appliance now. Again, for the details, visit the documentation for the connector. Depending on your requirements, you may or may not need a separate connector, as one is also built into the server appliance.
During installation of the connector appliance you will need an activation code. For this, log in to the VMware Identity Manager administrator console, go to “Setup > Connectors > Add Connector”, enter a name and click Generate Activation Code. Save it!
Deploying the connector appliance is pretty similar. Once it is deployed and powered on, go to https://FQDN_Connector to configure it. You will need to provide the appliance passwords and paste the activation code created earlier. Done…
Now you can set up the directory settings to sync with. Go to the administrator console, under the Directories section, and click Add Directory:
Choose Active Directory over LDAP if there is only one domain.
Choose Integrated Windows Authentication if you want to connect to a multi-domain/forest environment.
Click Save and Next:
Select User Attributes
Then go to the Connectors page again, click on the connector created earlier and select Auth Adapters; enable at least one (Password for now)… This might already have been enabled for you.
Once you click on PasswordIdpAdapter, if you followed the design here, you will be redirected to the connector appliance page with the following screen:
To apply outbound connection mode, associate the connector with the Built-in identity provider. Go to Identity Providers and click on Built-in,
and in the Connectors section, select the connector from the dropdown box and click Add. Then you can specify Users, Network, etc.
Last but not least, change the policies so that the cloud-deployed (connector) password method is used. If you miss this step, when you try to log in the IDM server will redirect you to the connector appliance's URL.
Go to Policies and select the default access policy set:
Select the authentication method and
change “the user may authenticate using the following method” to “Password (Cloud Deployment)”.
That is it for initial setup. More later.