Objective 4.1 – Install and Configure VMware Identity Manager
- Determine minimum hardware and software requirements
Windows
Hardware Sizing Requirements
Ensure that you meet the hardware requirements for VMware Identity Manager installations for Windows.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
| --- | --- | --- | --- | --- | --- |
| Number of VMware Identity Manager servers | 1 server | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers |
| CPU (per server) | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 32 GB |
| Disk space (per server) | 60 GB | 100 GB | 100 GB | 100 GB | 100 GB |
If you install additional, standalone connectors, ensure that you meet the following requirements.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
| --- | --- | --- | --- | --- | --- |
| Number of connector servers | 1 server | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers |
| CPU (per server) | 2 CPU | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 16 GB |
| Disk space (per server) | 60 GB | 60 GB | 60 GB | 60 GB | 60 GB |
Software Requirements for Windows Installation
Ensure your VMware Identity Manager Windows server meets the following software requirements.
| Requirement | Notes |
| --- | --- |
| Supported versions of Windows Server | |
| PowerShell 4.0 or later | |
| Active Directory module for PowerShell (RSAT-AD-PowerShell) | |
| JRE 1.8 installed | The VMware Identity Manager installer installs the latest version if it is not installed before deployment. If your JRE is an older version, the installer automatically updates the version, but does not remove the existing JRE. You must manually uninstall earlier versions. |
| RabbitMQ Server | The VMware Identity Manager installer installs RabbitMQ server, if it is not installed before deployment. |
| Erlang | The VMware Identity Manager installer installs Erlang, if it is not installed before deployment. |
Linux
Hardware Sizing Requirements
Ensure that you meet the requirements for the number of VMware Identity Manager virtual appliances and the resources allocated to each appliance.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
| --- | --- | --- | --- | --- | --- |
| Number of VMware Identity Manager servers | 1 server | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers | 3 load-balanced servers |
| CPU (per server) | 2 CPU | 2 CPU | 4 CPU | 8 CPU | 8 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 32 GB |
| Disk space (per server) | 60 GB | 100 GB | 100 GB | 100 GB | 100 GB |
If you install additional, standalone connectors, ensure that you meet the following requirements.
| Number of Users | Up to 1,000 | 1,000-10,000 | 10,000-25,000 | 25,000-50,000 | 50,000-100,000 |
| --- | --- | --- | --- | --- | --- |
| Number of connector servers | 1 server | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers | 2 load-balanced servers |
| CPU (per server) | 2 CPU | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
| RAM (per server) | 6 GB | 6 GB | 8 GB | 16 GB | 16 GB |
| Disk space (per server) | 60 GB | 60 GB | 60 GB | 60 GB | 60 GB |
- Determine required firewall rules
Network Configuration Requirements
| Component | Minimum Requirement |
| --- | --- |
| DNS record and IP address | IP address and DNS record |
| Firewall port | Ensure that the inbound firewall port 443 is open for users outside the network to the VMware Identity Manager instance or the load balancer. |
| Reverse Proxy | Deploy a reverse proxy such as F5 Access Policy Manager in the DMZ to allow users to securely access the VMware Identity Manager user portal remotely. VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers front-ending the VMware Identity Manager appliance. |
- Deploy OVA/OVF files
Note that this applies only to the Linux (virtual appliance) deployment of Identity Manager (IDM).
You deploy the VMware Identity Manager OVA file using the vSphere Web Client. You can download and deploy the OVA file from a local location that is accessible to the vSphere Web Client, or deploy it from a Web URL.
Note:
Use either Firefox or Chrome browsers to deploy the OVA file. Do not use Internet Explorer.
Prerequisites
Review Preparing to Install VMware Identity Manager.
Procedure
- Download the VMware Identity Manager OVA file from My VMware.
- Log in to the vSphere Web Client.
- Select File > Deploy OVF Template.
- In the Deploy OVF Template wizard, specify the following information.
| Page | Description |
| --- | --- |
| Source | Browse to the OVA package location, or enter a specific URL. |
| OVF Template Details | Review the product details, including version and size requirements. |
| End User License Agreement | Read the End User License Agreement and click Accept. |
| Name and Location | Enter a name for the VMware Identity Manager virtual appliance. The name must be unique within the inventory folder and can contain up to 80 characters. Names are case sensitive. Select a location for the virtual appliance. |
| Host / Cluster | Select the host or cluster in which to run the virtual appliance. |
| Resource Pool | Select the resource pool. |
| Storage | Select the storage for the virtual appliance files. You can also select a VM Storage Profile. |
| Disk Format | Select the disk format for the files. For production environments, select one of the Thick Provision formats. Use the Thin Provision format for evaluation and testing. In the Thick Provision format, all the space required for the virtual disk is allocated during deployment. In the Thin Provision format, the disk uses only the amount of storage space that it needs for its initial operations. |
| Network Mapping | Map the networks used in VMware Identity Manager to networks in your inventory. |
| Properties | Note: The Domain Name and Domain Search Path fields are not used. You can leave these blank. (Optional) After VMware Identity Manager is installed, you can configure IP Pools. See (Optional) Add IP Pools. |
| Ready to Complete | Review your selections and click Finish. |
Depending on your network speed, the deployment can take several minutes. You can view the progress in the progress dialog box that appears.
- When the deployment is complete, click Close in the progress dialog box.
- Select the VMware Identity Manager virtual appliance you deployed, right-click, and select Power > Power on.
The virtual appliance is initialized. When the initialization is complete, the console screen displays the VMware Identity Manager version, IP address, and the URLs to log in to the VMware Identity Manager console and to complete the set up.
What to do next
- (Optional) Add IP Pools.
- Configure VMware Identity Manager settings, including connecting to your Active Directory or LDAP directory and selecting users and groups to sync to VMware Identity Manager.
- Determine forward and reverse DNS requirements for VMware Workspace virtual appliances
A DNS entry and a static IP address must be available for the VMware Identity Manager virtual appliance. Because each company administers their IP addresses and DNS records differently, before you begin your installation, request the DNS record and IP addresses to use.
Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the virtual appliance uses the correct network configuration.
You can use the following sample list of DNS records when you talk to your network administrator. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.
| Domain Name | Resource Type | IP Address |
| --- | --- | --- |
| myidentitymanager.company.com | A | 10.28.128.3 |
Examples of Forward DNS Records and IP Addresses
This example shows reverse DNS records and IP addresses.
| IP Address | Resource Type | Host Name |
| --- | --- | --- |
| 10.28.128.3 | PTR | myidentitymanager.company.com |
Examples of Reverse DNS Records and IP Addresses
After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, running the command host IPaddress on the virtual appliance must return the appliance's DNS name, and looking up that DNS name must return the same IP address.
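As an added example (not part of the VMware documentation), the following Python script performs the forward and reverse lookup check described above and reports any disagreement. The host name and address are the sample values from the tables; the resolver functions are injectable so the logic can be exercised without a live DNS server.

```python
"""Forward/reverse DNS consistency check for a VMware Identity Manager appliance.

Added example, not VMware code. The appliance host name and address are the
sample values from the DNS tables above; the resolver functions are
injectable so the check can be exercised offline.
"""
import socket
import sys
from typing import Callable, Iterable, List

ForwardResolver = Callable[[str], Iterable[str]]   # name -> IP addresses
ReverseResolver = Callable[[str], Iterable[str]]   # IP   -> PTR host names


def system_forward(name: str) -> List[str]:
    """Resolve A records with the system resolver (what `host <name>` does)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> List[str]:
    """Resolve PTR records with the system resolver (what `host <IP>` does)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [primary] + list(aliases)


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.rstrip(".").lower()


def check_dns(fqdn: str, expected_ip: str,
              forward: ForwardResolver = system_forward,
              reverse: ReverseResolver = system_reverse) -> List[str]:
    """Return a list of problems; an empty list means the records are consistent.

    Checks performed:
      1. the A record for fqdn resolves to exactly the expected static IP
      2. the PTR record for that IP resolves back to fqdn (reverse lookup)
      3. the PTR answer is unique, because the setup wizard stops when the
         host name cannot be uniquely resolved using reverse DNS
    """
    problems: List[str] = []
    addrs = list(forward(fqdn))
    if expected_ip not in addrs:
        problems.append(f"A record for {fqdn} resolves to {addrs or 'nothing'}, expected {expected_ip}")
    elif len(addrs) > 1:
        problems.append(f"{fqdn} has multiple A records {addrs}; the appliance needs one static IP")

    ptrs = [_norm(n) for n in reverse(expected_ip)]
    if not ptrs:
        problems.append(f"no PTR record for {expected_ip}; reverse lookup is not configured")
    elif _norm(fqdn) not in ptrs:
        problems.append(f"PTR for {expected_ip} returns {ptrs}, not {fqdn}")
    elif len(ptrs) > 1:
        problems.append(f"PTR for {expected_ip} is not unique: {ptrs}")
    return problems


# Constructed zone data mirroring the sample records in the tables above.
SAMPLE_FORWARD = {"myidentitymanager.company.com": ["10.28.128.3"]}
SAMPLE_REVERSE = {"10.28.128.3": ["myidentitymanager.company.com."]}


def check_sample() -> List[str]:
    """Run the check against the constructed sample zone (expected: no problems)."""
    return check_dns("myidentitymanager.company.com", "10.28.128.3",
                     forward=lambda n: SAMPLE_FORWARD.get(n, []),
                     reverse=lambda ip: SAMPLE_REVERSE.get(ip, []))


if __name__ == "__main__":
    # Live check against the system resolver: python dnscheck.py <fqdn> <ip>
    if len(sys.argv) != 3:
        sys.exit("usage: dnscheck.py <fqdn> <expected-ip>")
    for line in check_dns(sys.argv[1], sys.argv[2]) or ["OK: forward and reverse records agree"]:
        print(line)
```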
- Configure initial installation (console, web)
After the VMware Identity Manager instance is deployed, you use the Setup wizard to set passwords and select a database. Then you set up the connection to your Active Directory or LDAP directory.
Make sure that you run the Setup wizard using the fully qualified host name. Do not enter the IP address as the name.
Prerequisites
- The VMware Identity Manager machine is powered on.
- The external database is configured and the external database connection information is available. Before you run the Setup wizard, verify that the database configuration is correct. See Create the VMware Identity Manager Service Database for information.
- Before setting up the directory, review Directory Integration with VMware Identity Manager for requirements and limitations.
- You have your Active Directory or LDAP directory information.
- When multi-forest Active Directory is configured and the Domain Local group contains members from domains in different forests, the Bind DN user used on the VMware Identity Manager Directory page must be added to the Administrators group of the domain in which Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
- You have a list of the user attributes you want to use as filters, and a list of the groups and users you want to add to VMware Identity Manager.
Group names are synced to the directory immediately. Members of a group do not sync until the group is entitled to resources or added to a policy rule. Users who need to authenticate before group entitlements are configured should be added directly during the initial configuration.
Procedure
- Go to the VMware Identity Manager URL that was displayed when you finished the installation. Enter the fully qualified domain name (FQDN). For example, https://hostname.example.com.
- Accept the certificate, if prompted.
You can update the certificate after the initial set up.
- In the Get Started page, click Continue.
- In the Set Passwords page, set passwords for the following administrator accounts, which are used to manage the appliance, then click Continue.
| Account | Description |
| --- | --- |
| Appliance Administrator | Set the password for the admin user. This user name cannot be changed. The admin user account is used to manage the appliance settings. Important: The admin user password must be at least 6 characters in length. |
| Appliance Root | Set the root user password. The root user has full rights to the appliance. |
| Remote User | Set the sshuser password, which is used to log in remotely to the appliance with an SSH connection. |
- In the Select Database page, select the database to use.
See Configure VMware Identity Manager to Use an External Database.
  - If you are using an external database, select External Database and enter the external database connection information, user name, and password. To verify that VMware Identity Manager can connect to the database, click Test Connection. After you verify the connection, click Continue.
  - If you are using the internal database, click Continue.
Note:
The internal database is not recommended for use with production deployments.
The connection to the database is configured and the database is initialized. When the process is complete, the Setup is complete page appears.
- Click the Log in to the administration console link on the Setup is complete page to log in to the VMware Identity Manager console to set up the Active Directory or LDAP directory connection.
- Log in to the VMware Identity Manager console as the admin user, using the password you set.
You are logged in as a local admin and the Directories page appears. Before you add a directory, ensure that you review Directory Integration with VMware Identity Manager for requirements and limitations.
- Click the Identity & Access Management tab.
- Click Setup > User Attributes to select the user attributes to sync to the directory.
Default attributes are listed and you can select the ones that are required. If an attribute is marked required, only users with that attribute are synced to the service. You can also add other attributes.
Important:
After a directory is created, you cannot change an attribute to be a required attribute. You must make that selection now.
Also, be aware that the settings in the User Attributes page apply to all directories in the service. When you mark an attribute required, consider the effect on other directories. If an attribute is marked required, users without that attribute are not synced to the service.
- Click Save.
- Click the Identity & Access Management tab.
- In the Directories page, click Add Directory and select Add Active Directory over LDAP/IWA or Add LDAP Directory, based on the type of directory you are integrating.
You can also create a local directory in the service. For more information, see the documentation on using local directories.
- For Active Directory, follow these steps.
- Enter a name for the directory you are creating in VMware Identity Manager and select the type of directory, either Active Directory over LDAP or Active Directory (Integrated Windows Authentication).
- Provide the connection information.
- Click Save & Next.
The page with the list of domains appears.
- For LDAP directories, follow these steps.
- Provide the connection information.
- To test the connection to the LDAP directory server, click Test Connection.
If the connection is not successful, check the information you entered and make the appropriate changes.
- Click Save & Next.
The page listing the domain appears.
- For an LDAP directory, the domain is listed and cannot be modified.
For Active Directory over LDAP, the domains are listed and cannot be modified.
For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.
Note:
If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.
Click Next.
- Verify that the VMware Identity Manager attribute names are mapped to the correct Active Directory or LDAP attributes and make changes, if necessary.
Important:
If you are integrating an LDAP directory, you must specify a mapping for the domain attribute.
- Click Next.
- Select the groups you want to sync from your Active Directory or LDAP directory to the VMware Identity Manager directory.
| Option | Description |
| --- | --- |
| Specify the group DNs | To select groups, you specify one or more group DNs and select the groups under them. Note: When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced. |
| Sync nested group members | The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will be members of the parent group that you selected for sync. If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync. |
- Click Next.
- Specify additional users to sync, if required.
Because members of groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
- Click + and enter the user DNs. For example, CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
Important:
Specify user DNs that are under the Base DN that you entered. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
- (Optional) To exclude users, create a filter to exclude some types of users.
You select the user attribute to filter by, the query rule, and the value.
- Click Next.
- Review the page to see how many users and groups will sync to the directory and to view the sync schedule.
To make changes to users and groups, or to the sync frequency, click the Edit links.
- Click Sync Directory to start the directory sync.
Results
Note:
If a networking error occurs and the host name cannot be uniquely resolved using reverse DNS, the configuration process stops. You must fix the networking problems and restart the virtual appliance. Then, you can continue the deployment process. The new network settings are not available until after you restart the virtual appliance.
- Setup database (Postgres and SQL)
The VMware Identity Manager service requires an external Microsoft SQL Server database to store and organize server data. Your database administrator must prepare an empty Microsoft SQL Server database and schema before you install VMware Identity Manager.
When you connect to the Microsoft SQL server, you enter the name of the instance you want to connect to and the authentication mode. You can select either Windows Authentication mode and specify the domain username or SQL Server Authentication mode and specify the local user name and password.
You connect to the external database connection when you run the VMware Identity Manager Setup wizard. You can also go to the Appliance Settings > VA Configuration > Database Connection Setup page to configure the connection to the external database.
You can use Microsoft SQL Server to set up a high availability database environment.
An internal Postgres SQL database is embedded in the VMware Identity Manager appliance, but the internal database is not recommended for use with production deployments.
- Configure the Microsoft SQL Database with Windows Authentication Mode: To use a Microsoft SQL database for VMware Identity Manager, you must create a new database in the Microsoft SQL server. During setup, you must select an authentication mode for the database. If you select Windows Authentication, when you create the database, you enter the user name and domain. The user name and domain is entered as domain\username.
- Configure Microsoft SQL Database Using Local SQL Server Authentication Mode: To use a Microsoft SQL database for VMware Identity Manager, you must create a new database in the Microsoft SQL server. During setup, you must select an authentication mode for the database. If you select SQL Server Authentication, when you create the database, you enter a local user name and password.
- Confirm Microsoft SQL Database Is Correctly Configured: To confirm that the Microsoft SQL database is configured correctly to work with VMware Identity Manager, a verification script runs after the database is configured.
- Configure VMware Identity Manager to Use an External Database: After you create the Microsoft SQL database, if the external database you created is not automatically configured in VMware Identity Manager, you configure VMware Identity Manager to use the database in the Appliance Settings page.
- Change Database-Level Roles: When the saas schema is used to create the Microsoft SQL database for the VMware Identity Manager service, the database role membership is granted to the db_owner role. Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database.
- Administering the Internal Database: The internal PostgreSQL database is configured and ready to use by default. Note that the internal database is not recommended for use with production deployments.
- Configure Syslog
Application-level events from the service can be exported to an external syslog server. Operating system events are not exported.
Since most companies do not have unlimited disk space, VMware Identity Manager does not save the complete logging history. If you want to save more history or create a centralized location for your logging history, you can set up an external syslog server.
If you do not specify a syslog server during the initial configuration, you can configure it later from the Appliance Settings > VA Configuration > Manage Configuration > Configure Syslog page.
Prerequisites
- Set up an external syslog server. You can use any of the standard syslog servers available. Several syslog servers include advanced search capabilities.
- Ensure that VMware Identity Manager can reach the syslog server on port 514 (UDP).
Procedure
- Log in to the VMware Identity Manager console.
- Click the Appliance Settings tab, then click Manage Configuration.
- Select Configure Syslog in the left pane.
- Click Enable.
- Enter the IP address or the FQDN of the syslog server where you want to store the logs.
- Click Save.
Results
A copy of your logs is sent to the syslog server.
- Configure AD/LDAP users and groups
During the VMware Identity Manager service directory setup, you select Active Directory user attributes and filters to select which users sync in the VMware Identity Manager directory. You can change the user attributes that sync from the VMware Identity Manager console, Identity & Access Management tab, Setup > User Attributes.
Changes that are made and saved in the User Attributes page are added to the Mapped Attributes page in the VMware Identity Manager directory. The attributes changes are updated to the directory with the next sync to Active Directory.
The User Attributes page lists the default directory attributes that can be mapped to Active Directory attributes. You select the attributes that are required, and you can add other attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.
| VMware Identity Manager Directory Attribute Name | Default Mapping to Active Directory Attribute |
| --- | --- |
| userPrincipalName | userPrincipalName |
| distinguishedName | distinguishedName |
| employeeId | employeeID |
| domain | canonicalName. Adds the fully qualified domain name of the object. |
| disabled (external user disabled) | userAccountControl. Flagged with UF_Account_Disable. When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account, so that when the flag is removed from the account users can log in and access their entitled resources. |
| phone | telephoneNumber |
| lastName | sn |
| firstName | givenName |
| userName | sAMAccountName |
Default Active Directory Attributes to Sync to Directory
The following attributes cannot be used as custom attribute names because VMware Identity Manager service uses these attributes internally for user identity management.
- externalUserDisabled
- employeeNumber
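To show how the default mappings in the table translate one Active Directory entry, here is an added Python example (not VMware code): it applies the table's mappings, derives domain from canonicalName and disabled from the userAccountControl flag, refuses the reserved names as custom attributes, and reports which required attributes a user lacks. The sample AD entry is constructed.

```python
"""Map an Active Directory user entry to VMware Identity Manager directory
attributes using the default mappings in the table above.

Added example, not VMware code: the service performs this mapping during
sync; this script only reproduces the documented rules so an entry can be
checked before it is synced. The sample AD entry is constructed.
"""
from typing import Dict, List, Optional

# userAccountControl bit meaning "account disabled" (the table's UF_Account_Disable).
UF_ACCOUNTDISABLE = 0x0002

# Default mapping from the table above: vIDM attribute -> AD attribute.
DEFAULT_MAPPING = {
    "userPrincipalName": "userPrincipalName",
    "distinguishedName": "distinguishedName",
    "employeeId": "employeeID",
    "phone": "telephoneNumber",
    "lastName": "sn",
    "firstName": "givenName",
    "userName": "sAMAccountName",
}

# Names the service reserves for internal use; they cannot be custom attributes.
RESERVED_CUSTOM_NAMES = {"externalUserDisabled", "employeeNumber"}


def domain_from_canonical_name(canonical_name: str) -> str:
    """canonicalName looks like 'mycorp.com/Users/Jane Doe'; the part before the
    first '/' is the fully qualified domain name the 'domain' attribute receives."""
    return canonical_name.split("/", 1)[0]


def is_disabled(user_account_control: int) -> bool:
    """The 'disabled' attribute is derived from the UF_ACCOUNTDISABLE flag."""
    return bool(user_account_control & UF_ACCOUNTDISABLE)


def reserved_custom_names(custom_mapping: Dict[str, str]) -> List[str]:
    """Custom attribute names that collide with names the service reserves."""
    return [name for name in custom_mapping if name in RESERVED_CUSTOM_NAMES]


def map_user(ad_entry: Dict[str, str],
             custom_mapping: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Build the vIDM attribute set for one AD entry.

    AD attributes absent from the entry are left out rather than set to '',
    so missing_required() can tell which users the service would skip.
    Custom attribute names are case-sensitive: 'address' and 'Address' are
    two different attributes, and neither may be a reserved name.
    """
    custom = custom_mapping or {}
    bad = reserved_custom_names(custom)
    if bad:
        raise ValueError(f"reserved attribute names cannot be custom attributes: {bad}")
    mapping = dict(DEFAULT_MAPPING)
    mapping.update(custom)

    user: Dict[str, object] = {}
    for vidm_name, ad_name in mapping.items():
        if ad_name in ad_entry:
            user[vidm_name] = ad_entry[ad_name]
    if "canonicalName" in ad_entry:
        user["domain"] = domain_from_canonical_name(ad_entry["canonicalName"])
    if "userAccountControl" in ad_entry:
        user["disabled"] = is_disabled(int(ad_entry["userAccountControl"]))
    return user


def missing_required(user: Dict[str, object], required: List[str]) -> List[str]:
    """Required attributes absent from the mapped user; a non-empty result means
    the service would not sync this user."""
    return [name for name in required if name not in user]


# Constructed sample entry as returned by an AD search (values are strings).
SAMPLE_AD_ENTRY = {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@mycorp.com",
    "distinguishedName": "CN=Jane Doe,CN=Users,DC=myCorp,DC=com",
    "canonicalName": "myCorp.com/Users/Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "userAccountControl": "514",   # 512 (NORMAL_ACCOUNT) | 2 (ACCOUNTDISABLE)
}

if __name__ == "__main__":
    mapped = map_user(SAMPLE_AD_ENTRY)
    for key, value in mapped.items():
        print(f"{key}: {value}")
    print("missing required:", missing_required(mapped, ["userName", "employeeId"]))
```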
- Select Attributes to Sync with Directory
When you set up the VMware Identity Manager directory to sync with Active Directory, you specify the user attributes that sync to the directory. Before you set up the directory, you can specify on the User Attributes page which default attributes are required and add additional attributes that you want to map to Active Directory attributes.
You can integrate your enterprise LDAP directory with VMware Identity Manager to sync users and groups from the LDAP directory to the VMware Identity Manager service.
To integrate your LDAP directory, you create a corresponding VMware Identity Manager directory and sync users and groups from the LDAP directory to the VMware Identity Manager directory. You can set up a regular sync schedule for subsequent updates.
You also select the LDAP attributes that you want to sync for users and map them to VMware Identity Manager attributes.
Your LDAP directory configuration might be based on default schemas or custom schemas. It may also have custom attributes. For VMware Identity Manager to be able to query your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and attribute names that are applicable to your LDAP directory.
Specifically, you need to provide the following information.
- LDAP search filters for obtaining groups, users, and the bind user
- LDAP attribute names for group membership, UUID, and distinguished name
Certain limitations apply to the LDAP directory integration feature. See Limitations of LDAP Directory Integration.
Prerequisites
- Review the attributes in the Identity & Access Management > Setup > User Attributes page and add additional attributes that you want to sync. You map the VMware Identity Manager attributes to your LDAP directory attributes when you create the directory. These attributes are synced for the users in the directory.
Note:
When you make changes to user attributes, consider the effect on other directories in the service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the VMware Identity Manager service.
- A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.
- In your LDAP directory, the UUID of users and groups must be in plain text format.
- In your LDAP directory, a domain attribute must exist for all users and groups.
You map this attribute to the VMware Identity Manager domain attribute when you create the VMware Identity Manager directory.
- User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.
- If you use certificate authentication, users must have values for userPrincipalName and email address attributes.
Procedure
- In the VMware Identity Manager console, click the Identity & Access Management tab.
- In the Directories page, click Add Directory and select Add LDAP Directory.
- Enter the required information in the Add LDAP Directory page.
| Option | Description |
| --- | --- |
| Directory Name | A name for the VMware Identity Manager directory. |
| Directory Sync and Authentication | |
| Server Location | Enter the LDAP Directory server host and port number. For the server host, you can specify either the fully-qualified domain name or the IP address. For example, myLDAPserver.example.com or 100.00.00.0. If you have a cluster of servers behind a load balancer, enter the load balancer information instead. |
| LDAP Configuration | Specify the LDAP search filters and attributes that VMware Identity Manager can use to query your LDAP directory. Default values are provided based on the core LDAP schema. The settings are grouped under LDAP Queries and Attributes. |
| Certificates | If your LDAP directory requires access over SSL, select This Directory requires all connections to use SSL and copy and paste the LDAP directory server's root CA SSL certificate. Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. |
| Bind User Details | Base DN: Enter the DN from which to start searches. For example, cn=users,dc=example,dc=com. Bind DN: Enter the user name to use to bind to the LDAP directory. Note: Using a Bind DN user account with a non-expiring password is recommended. Bind DN Password: Enter the password for the Bind DN user. |
- To test the connection to the LDAP directory server, click Test Connection.
If the connection is not successful, check the information you entered and make the appropriate changes.
- Click Save & Next.
- In the Domains page, verify that the correct domain is listed, then click Next.
- In the Map Attributes page, verify that the VMware Identity Manager attributes are mapped to the correct LDAP attributes.
These attributes will be synced for users.
Important:
You must specify a mapping for the domain attribute.
You can add attributes to the list from the User Attributes page.
- Click Next.
- In the groups page, click + to select the groups you want to sync from the LDAP directory to the VMware Identity Manager directory.
When groups are added, group names are synced to the directory. Users that are members of the group are not synced to the directory until the group is entitled to an application or the group name is added to an access policy rule.
If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups page.
The Sync nested group users option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced when the group is entitled. In the VMware Identity Manager directory, these users will appear as members of the top-level group that you selected for sync. In effect, the hierarchy under a selected group is flattened and users from all levels appear in VMware Identity Manager as members of the selected group.
If this option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
- Click Next.
- Click + to add users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
Because members in groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
To exclude users, create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
Click Next.
- Review the page to see how many users and group names will sync to the directory and to view the default sync schedule.
To make changes to users and groups, or to the sync frequency, click the Edit links.
- Click Sync Directory to start the directory sync.
Results
The connection to the LDAP directory is established and users and group names are synced from the LDAP directory to the VMware Identity Manager directory. The Bind DN user has an administrator role in VMware Identity Manager by default.
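The rule in both the Active Directory and LDAP procedures that user DNs must sit under the Base DN (a user outside it is synced but cannot log in), and the LDAP prerequisite that user names contain no spaces, can both be checked before the values are entered. The following Python is an added example (not VMware code) with constructed sample DNs; it parses DNs per RFC 4514 so that case differences and escaped commas do not produce false mismatches.

```python
"""Pre-sync validation of the user DNs entered on the Users page.

Added example, not VMware code. The Base DN and user DNs below are
constructed, following the format shown in the procedures above.
"""
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, attribute value), both lower-cased


def _split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 DN into RDNs. Attribute types are case-insensitive, and
    directory name values (CN, OU, DC) match case-insensitively, so both are
    lower-cased. Raises ValueError for a component without '='."""
    rdns: List[RDN] = []
    for part in _split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies in the subtree below it."""
    rdns, base = parse_dn(dn), parse_dn(base_dn)
    return len(rdns) >= len(base) and rdns[len(rdns) - len(base):] == base


def validate_user_dns(user_dns: List[str], base_dn: str) -> List[str]:
    """One finding per DN that is malformed or outside the Base DN."""
    findings: List[str] = []
    for dn in user_dns:
        try:
            if not is_under_base(dn, base_dn):
                findings.append(f"{dn}: outside Base DN {base_dn}; user syncs but cannot log in")
        except ValueError as exc:
            findings.append(f"{dn}: {exc}")
    return findings


def user_names_with_spaces(user_names: List[str]) -> List[str]:
    """User names containing spaces sync but receive no entitlements."""
    return [name for name in user_names if " " in name]


# Constructed values following the DN format shown in the procedure above.
BASE_DN = "OU=myUnit,DC=myCorp,DC=com"
SAMPLE_USER_DNS = [
    "CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com",   # inside the Base DN
    "cn=Doe\\, Jane,ou=myunit,dc=mycorp,dc=com",         # escaped comma, different case
    "CN=svcacct,OU=Service,DC=myCorp,DC=com",            # outside the Base DN
    "CN=broken,DC=myCorp,DC",                            # malformed RDN
]

if __name__ == "__main__":
    for finding in validate_user_dns(SAMPLE_USER_DNS, BASE_DN):
        print(finding)
    print("names with spaces:", user_names_with_spaces(["jdoe", "j doe"]))
```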
- Define and promote administrators
With role-based access control, you can create a role to manage one action or many actions.
When you create a role, you can add one or more services to the role. You name the role, select the type of services and the specific actions within the service that the role can manage.
- When you create a role with the Directory Management service, the Identity and Access Management service must also be configured in the role.
- When you create a role with the Roles Administration service, the Users and Groups service must also be configured in the role, with the actions to manage users and to manage groups selected.
Prerequisites
To create a role, you must be a super admin or an admin assigned the role that is configured with the Roles Administration service.
Procedure
- In the VMware Identity Manager console Roles tab, click Add.
- In the Role Name text box, enter a descriptive role name and add a description.
Each role name in your environment must be unique.
- Click Next.
- Select the service to be managed by this role.
- In the Actions drop-down menu, select the type of actions that can be managed.
- Select All resources to manage all resources within the action, or select Some and then select the condition that can be managed from the Conditions drop-down menu.
- To add additional actions to be managed by this role, click + and complete the configuration action.
- Click Save.
The Services page displays the configuration you set up.
- If you want to add another service to this role, select the service and complete the configuration steps 5–8.
- When finished, click Save on the Configuration page.
What to do next
Assign this role to users to make them administrators of this service.
A VMware Identity Manager super administrator or a role that includes the role administrator service and the users and groups service can assign a role to users and groups to elevate them to administrators of that role.
Prerequisites
- Before adding an identity manager administrator role to a user who is synced from the Workspace ONE UEM directory, make sure that the user profile is configured with an Admin User Promote account in the Workspace ONE UEM console.
When users with the Admin User Promote account sync to VMware Identity Manager, they are recognized as administrators and can be assigned a role in VMware Identity Manager. If an admin is not in this account in the UEM console, when the Workspace ONE UEM directory syncs with the VMware Identity Manager directory, the admin role is removed from the user profile.
Procedure
- In the VMware Identity Manager console Roles tab, select the role and click Assign.
- Enter a name in the search box and select the user or group.
Only groups with fewer than 500 users in the group can be promoted to an administrator role.
- Click Save.
The users or groups become administrators for the role. The user profile page is updated to show the role.
Objective 4.2 – Manage VMware Identity Manager
- Package VMware ThinApp applications
To configure VMware Identity Manager to provide users access to ThinApp packages, you create a virtual apps collection which contains configuration information such as the path to the storage location of the packages, the connector to use for sync, and the sync schedule.
You can only create a single virtual apps collection for all your ThinApps integrations.
Prerequisites
- Create a network share with the appropriate configuration and store the ThinApp packages in the appropriate location in that network share. See Create a Network Share for ThinApp Packages That VMware Identity Manager Manages.
- Verify that you have the UNC path to the network share folder where the ThinApp packages are located.
- If the connector is not already domain-joined, verify that you have an Active Directory domain name and the username and password of an account in that Active Directory that has the rights to join the domain. Even if you are using account-based access, the VMware Identity Manager console requires the completion of the Join Domain page before you can use the ThinApp Packages page.
To enable domain-based access, you must also join VMware Identity Manager to the same Active Directory domain to which the ThinApp package repository is joined. Verify that you have the Active Directory domain name for the domain that the network share uses and the username and password of an account in that Active Directory that has the rights to join the domain. The Active Directory account is used to join VMware Identity Manager to the domain.
- When enabling account-based access, verify that you have a username and password that has permission to read the network share. See VMware Identity Manager Requirements for ThinApp Packages and the Network Share Repository.
Note:
Unless you want to restrict use of the ThinApp packages to domain-joined Windows systems for all runtime situations, you should enable account-based access in addition to domain-based access. This combination provides the most flexibility for supporting runtime situations where users need to use their entitled ThinApp packages without joining their Windows systems to the domain.
- You must use an administrator role that can perform the Manage ThinApps action in the Catalog service.
Procedure
- (VMware Identity Manager Linux virtual appliance only) If the connector is not already domain-joined, join it to the Active Directory domain.
- Log in to the VMware Identity Manager console.
- Select the Identity & Access Management tab.
- Click Setup.
- In the Connectors page, click Join Domain in the appropriate connector row.
- On the Join Domain page, type the information for the Active Directory domain and click Join Domain.
Important:
Do not use non-ASCII characters when you enter the Active Directory (AD) domain name, AD username, or AD password. Non-ASCII characters are not supported in these entry fields in the VMware Identity Manager console.
- Select the Catalog > Virtual Apps tab, then click Virtual Apps Configuration.
- Click Add Virtual Apps and select ThinApp Application.
- Enter a unique name for the collection.
- From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.
If you have set up multiple connectors for high availability, click Add Connector and select all the connectors that appear in the list. The order in which the connectors are listed determines the failover order.
Important:
Ensure that you add all the connectors. When an application is launched using HTTP_DOWNLOAD mode, the request may be sent to any of the connectors.
- In the Path text box, type the path to the shared folder where the ThinApp packages’ folders are located, in the UNC path format \\server\share\subfolder. For example: \\DirectoryHost\ThinAppFileShare. For DirectoryHost, provide the hostname, not the IP address.
For both CIFS and DFS network shares, this path must be a directory under the namespace, and not the namespace itself.
- To enable account-based access to the stored ThinApp packages, select the check box and enter values in the Share User and Share Password text boxes.
Account-based access is required in the following cases:
- For NetApp storage systems and other brands of DFS network shares
- If you are using HTTP download deployment mode
- If you want users to be able to use their entitled ThinApp packages on non-domain-joined Windows systems
| Option | Description |
| --- | --- |
| Share User | Type the username for a user account that has read access to the network share. |
| Share Password | Type the password associated with the Share User user account. |
- From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.
You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Virtual Apps Configuration page after you set up the collection and whenever there is a change in your ThinApp packages.
- From the Activation Type drop-down list, select how ThinApp packaged applications are made available to users in Workspace ONE.
With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop’s Entitlements page.
Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.
- Click Save.
The collection is created and appears in the Virtual Apps page. The applications are not synced yet.
- To sync the applications in the collection, click Sync next to the collection in the Virtual Apps Configuration page.
Each time ThinApp applications or entitlements change, a sync is required to propagate the changes to VMware Identity Manager.
Results
VMware Identity Manager is now configured so that you can entitle groups and users to ThinApp packages, and those users can run their entitled ThinApp packages using the VMware Identity Manager Desktop application installed on their Windows systems.
- Entitle and deploy applications
You can entitle users and groups to Windows applications that are captured as ThinApp packages.
You can only entitle VMware Identity Manager users, users who are imported from your directory server, to ThinApp packages. When you entitle a user to a ThinApp package, the user sees the application and can start it from the VMware Identity Manager Desktop application on their system. If you remove the entitlement, the user cannot see or start the application.
Often, the most effective way to entitle users to ThinApp packages is to add a ThinApp package entitlement to a group of users. In certain situations entitling individual users to a ThinApp package is more appropriate.
Prerequisites
Set up a virtual apps collection for ThinApp packages from the Catalog > Virtual Apps > Virtual Apps Configuration page. After you create the collection, sync the ThinApp packages to VMware Identity Manager. When the ThinApp packages are synced to your catalog, you can entitle them to your users and groups.
Procedure
- Log in to the VMware Identity Manager console.
- Entitle users to a ThinApp package.
| Option | Description |
| --- | --- |
| Access a ThinApp package and entitle users or groups to it. | |
| Access a user or group and add ThinApp package entitlements to that user or group. | |
Results
The selected users or groups are now entitled to use the ThinApp package.
Before your VMware Identity Manager users can run their ThinApp packages that are registered to them using VMware Identity Manager, those users must have the VMware Identity Manager Desktop application installed and running on their Windows systems.
ThinApp packages are virtualized Windows applications. The ThinApp packages are distributed to Windows systems, and a user logged into the Windows system can launch and run those ThinApp packages that are registered on that Windows system. VMware Identity Manager can distribute and manage ThinApp packages that are compatible with VMware Identity Manager.
To successfully launch and run one of these virtualized applications in the user’s logged-in Windows session, the following elements are required:
- The virtualized application’s ThinApp package is registered for that user’s use by VMware Identity Manager.
- A particular DLL is available on that Windows system.
- The hws-desktop-client.exe process is running.
When a compatible ThinApp package is created, it is configured to load a particular DLL when the logged-in user launches the virtualized application in their logged-in Windows session. At that time, the virtualized application attempts to load the DLL. When the DLL is loaded, it attempts to verify with the locally installed VMware Identity Manager Desktop application whether that ThinApp package is registered on that Windows desktop for that user. The locally installed VMware Identity Manager Desktop application determines whether that application is registered for that user without communicating with VMware Identity Manager. If the application is registered on that Windows desktop for that user, the VMware Identity Manager Desktop application checks to see when it last synced with VMware Identity Manager. If the VMware Identity Manager Desktop application confirms that the time from the last sync is within the offline grace period configured for the installed client, the client allows the application to run.
Because that DLL is available on the Windows system only if the VMware Identity Manager Desktop application is installed, and because the hws-desktop-client.exe process is running if the VMware Identity Manager Desktop application is running on that system, the VMware Identity Manager Desktop application must be installed on the Windows system to run ThinApp packages that are distributed and managed by VMware Identity Manager.
Deploying the VMware Identity Manager Desktop Application To Use ThinApp Packages
The VMware Identity Manager Desktop application can be installed by either double-clicking its installer EXE file, running the executable file using the command-line options, or running a script that uses the command-line options. Local administrator privileges are required to install the application. For information about installing the VMware Identity Manager Desktop application by double-clicking its installer EXE file, see the VMware Identity Manager User Guide.
The configuration of the installed application determines how a ThinApp package that is distributed by VMware Identity Manager is deployed to that Windows system. By default, when the VMware Identity Manager Desktop application is installed by double-clicking its installer EXE file, the client is configured to deploy ThinApp packages using the COPY_TO_LOCAL deployment mode, with the AUTO_TRY_HTTP option enabled. Those default installer options result in what is called a download deployment mode. With the COPY_TO_LOCAL and AUTO_TRY_HTTP default settings, the client application first tries to download the ThinApp packages by copying them to the Windows system endpoint, and if the first attempt fails, the client application tries to download the ThinApp packages using HTTP.
If VMware Identity Manager is configured for account-based access to your ThinApp repository, the client application can download the ThinApp packages using HTTP. After the ThinApp packages are downloaded to the local Windows system, the user runs the virtualized applications on the local system.
To avoid having the virtualized applications downloaded to the local Windows system and using space on the Windows system, you can have users run the ThinApp packages from the network share by using what is called a streaming deployment mode. To have your users run the ThinApp packages using streaming mode, you must install the VMware Identity Manager Desktop application on the Windows systems using a command-line installation process. The installer has command-line options that you can use to set the runtime deployment mode for the ThinApp packages. To set the runtime deployment mode to stream the ThinApp packages, use the RUN_FROM_SHARE installer option.
One method for installing the VMware Identity Manager Desktop application to multiple Windows systems is to use a script to install the application silently to the Windows systems. You can install the client silently to multiple Windows systems at the same time.
Note:
A silent installation does not display messages or windows during the install process.
You set a value in the script to indicate whether the clients installed by that script deploy ThinApp packages using the ThinApp streaming mode, or RUN_FROM_SHARE option, or one of the ThinApp download modes, such as the COPY_TO_LOCAL or HTTP_DOWNLOAD option.
Determining the Appropriate Deployment Mode for ThinApp Packages on Windows Endpoints
The configuration of the VMware Identity Manager Desktop application on the Windows endpoint determines whether a ThinApp package that is distributed using VMware Identity Manager is deployed using ThinApp streaming mode, RUN_FROM_SHARE, or one of the ThinApp download modes, COPY_TO_LOCAL or HTTP_DOWNLOAD. When you create the script to silently install the VMware Identity Manager Desktop application to Windows endpoints, such as desktop and laptop computers, you set the options that set the ThinApp package deployment mode. Choose the deployment mode that best fits the network environment for the selected endpoints, considering details such as network latency.
With streaming mode, when the VMware Identity Manager Desktop application synchronizes with VMware Identity Manager, the client downloads application shortcuts for the ThinApp packages’ virtualized Windows applications to the Windows desktop, and when the user launches the ThinApp packages, the virtualized Windows applications run from the file share on which the ThinApp packages reside.
Therefore, streaming mode is appropriate for systems that will always be connected to the network share, such as View desktops.
With download mode, at the first use or update of a ThinApp package, the user must wait for the ThinApp package to download to the Windows system first, and shortcuts to be created. After the initial download, the user launches and runs the virtualized Windows application on the local Windows system.
Important:
For non-persistent View desktops, also known as floating or stateless View desktops, you are expected to set the client to use ThinApp streaming mode by using the command-line installer option /v INSTALL_MODE=RUN_FROM_SHARE when installing the client. The RUN_FROM_SHARE option provides the most optimal runtime experience for using ThinApp packages in floating View desktops. See Command-Line Installer Options for VMware Identity Manager Desktop.
Important:
HTTP_DOWNLOAD mode requires the IDP URL to be reachable from the user’s Windows machine. RUN_FROM_SHARE and COPY_TO_LOCAL modes require the ThinApp share to be reachable from the user’s Windows machine.
Mode |
Description |
ThinApp streaming mode |
In ThinApp streaming mode, the virtualized applications are streamed each time they are started. This method avoids using disk space in the desktop that would be used when copying the virtualized applications to the desktop. The desktop must be connected to the ThinApp packages’ network share for the applications to run. The following environments might provide the consistency and stability required:
The account that the user uses to log in to the Windows system is used to obtain the ThinApp packages from the network share. That account must have the appropriate permissions on the network share to read and execute files on the network share. |
ThinApp download mode |
In ThinApp download mode, applications are downloaded to the Windows endpoint. The user runs the virtualized application locally on the endpoint. You might prefer ThinApp download mode for the following situations:
VMware Identity Manager provides two flavors of the ThinApp download mode: COPY_TO_LOCAL and HTTP_DOWNLOAD. If the client is configured for COPY_TO_LOCAL, the Windows endpoint must be joined to the same domain as the file share unless the AUTO_TRY_HTTP option is enabled and VMware Identity Manager is configured for account-based access to the ThinApp packages’ network share. When the AUTO_TRY_HTTP option is enabled and VMware Identity Manager is configured for account-based access, if the Windows endpoint is not joined to the same domain and the first attempt to download the ThinApp packages fails, the VMware Identity Manager Desktop application will automatically try to download the ThinApp packages using the HTTP protocol as for the HTTP_DOWNLOAD mode. With HTTP_DOWNLOAD, the Windows endpoint does not have to be joined to the same domain as the file share. However, the copy and sync times when using HTTP_DOWNLOAD are significantly longer than when using COPY_TO_LOCAL. Important: If VMware Identity Manager is not enabled for account-based access, downloading using the HTTP protocol does not work, even if AUTO_TRY_HTTP is enabled or the client is configured with the HTTP_DOWNLOAD option. When using COPY_TO_LOCAL, the account that the user uses to log in to the Windows system is used to obtain the ThinApp packages from the network share. That account must have the appropriate permissions on the network share to read and copy files from the network share. When using HTTP_DOWNLOAD, the share user account that you enter in the VMware Identity Manager console when you configure access from VMware Identity Manager to the ThinApp packages’ network share is the account that is used to download the ThinApp packages. That share user account needs to have read permission on the ThinApp packages’ network share to copy the files from the network share. |
ThinApp Deployment Mode for the Virtualized Applications Captured as ThinApp Packages
The ThinApp packages’ network share must meet the appropriate requirements for the deployment mode that you set for the Windows endpoints. See VMware Identity Manager Installation and Configuration.
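The deployment-mode rules stated above (which mode needs the share reachable, which needs the IDP URL, when COPY_TO_LOCAL needs domain membership, and that HTTP download never works without account-based access) as an added Python example that is not part of the original page or of VMware's code. It decides a mode per endpoint and emits the installer option for it. Only `/v INSTALL_MODE=<mode>` is taken from the page; the `/s` and `/qn` silent-install switches are assumed from standard InstallShield/MSI usage, the installer file name is a placeholder, and the endpoint and service facts are constructed inputs. How AUTO_TRY_HTTP is passed on the command line is not on the page, so the example only reports whether the HTTP fallback would be effective.

```python
"""Added example (not VMware's code): chooses a ThinApp deployment mode per
Windows endpoint from the constraints the page states, and builds the
silent-install command line for the chosen mode."""
from dataclasses import dataclass

INSTALLER = "VMware-Identity-Manager-Desktop-<version>.exe"  # placeholder file name
MODES = ("RUN_FROM_SHARE", "COPY_TO_LOCAL", "HTTP_DOWNLOAD")


@dataclass
class Endpoint:
    name: str
    domain_joined: bool            # joined to the same domain as the ThinApp share
    share_reachable: bool          # can reach the ThinApp packages' network share
    idp_url_reachable: bool        # can reach the VMware Identity Manager (IDP) URL
    non_persistent_view: bool      # floating / stateless View desktop
    always_on_share_network: bool  # never leaves the network that hosts the share


@dataclass
class Service:
    account_based_access: bool     # Share User / Share Password configured in the console


def choose_deployment_mode(ep, svc, auto_try_http=True):
    """Return (INSTALL_MODE value, whether an AUTO_TRY_HTTP fallback is effective).

    Rules from the page: floating View desktops use RUN_FROM_SHARE;
    RUN_FROM_SHARE and COPY_TO_LOCAL need the share reachable; COPY_TO_LOCAL
    needs domain membership unless AUTO_TRY_HTTP plus account-based access
    provides an HTTP fallback; HTTP_DOWNLOAD needs the IDP URL reachable; HTTP
    download never works without account-based access."""
    if ep.non_persistent_view:
        if not ep.share_reachable:
            raise ValueError(f"{ep.name}: floating View desktop cannot reach the ThinApp share")
        return "RUN_FROM_SHARE", False
    if ep.share_reachable and ep.always_on_share_network:
        return "RUN_FROM_SHARE", False          # streaming: no local disk consumed
    if ep.share_reachable and ep.domain_joined:
        # The HTTP fallback is only effective when HTTP download can work at all.
        return "COPY_TO_LOCAL", auto_try_http and svc.account_based_access
    if ep.idp_url_reachable and svc.account_based_access:
        # Not domain-joined: go straight to HTTP rather than letting the
        # COPY_TO_LOCAL attempt fail first.
        return "HTTP_DOWNLOAD", False
    raise ValueError(f"{ep.name}: no ThinApp deployment mode satisfies the requirements")


def installer_command(mode):
    """Silent-install command line. /s and /qn are assumed InstallShield/MSI
    switches; /v INSTALL_MODE=<mode> is the option named on the page."""
    if mode not in MODES:
        raise ValueError(f"unknown INSTALL_MODE {mode!r}")
    return f'{INSTALLER} /s /v"/qn INSTALL_MODE={mode}"'


def plan_rollout(endpoints, svc, auto_try_http=True):
    """Map endpoint name -> rollout decision, recording endpoints that cannot be served."""
    plan = {}
    for ep in endpoints:
        try:
            mode, fallback = choose_deployment_mode(ep, svc, auto_try_http)
            plan[ep.name] = {"mode": mode, "http_fallback": fallback,
                             "command": installer_command(mode)}
        except ValueError as exc:
            plan[ep.name] = {"skipped": str(exc)}
    return plan


# Constructed sample fleet.
SAMPLE_ENDPOINTS = [
    Endpoint("vdi-float-01", True, True, True, True, True),     # non-persistent View desktop
    Endpoint("vdi-persist-02", True, True, True, False, True),  # persistent desktop on the LAN
    Endpoint("lt-0042", True, True, True, False, False),        # domain-joined laptop
    Endpoint("byod-07", False, False, True, False, False),      # off-domain, IDP URL only
]

if __name__ == "__main__":
    for name, decision in plan_rollout(SAMPLE_ENDPOINTS, Service(True)).items():
        print(name, decision)
```

Run it twice, once with `Service(True)` and once with `Service(False)`, to see how withdrawing account-based access turns the off-domain endpoint into a skipped one and removes the HTTP fallback from the laptop; that is the configuration dependency the Important note above is warning about.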
- Enable Horizon desktop access
Configure Horizon pods and pod federations in the VMware Identity Manager console to sync resources and entitlements to the VMware Identity Manager service.
To configure the pods and pod federations, you create one or more virtual apps collections in the Catalog > Virtual Apps page and enter configuration information such as the Horizon Connection servers from which to sync resources and entitlements, pod federation details, the VMware Identity Manager connector to use for sync, and administrator settings such as the default launch client.
You can add all the Horizon pods and pod federations in one collection or you can create multiple collections, based on your needs. For example, you may choose to create separate collections for each pod federation or each pod for easier management and to distribute the sync load across multiple connectors. Or you may choose to include all pods and pod federations in one collection for test purposes and have another identical collection for your production environment.
After you add the pods, configure client access URLs for specific network ranges.
Prerequisites
- Set up Horizon according to Requirements for Integrating Horizon Pods and Requirements for Integrating Horizon Pod Federations.
- Set up VMware Identity Manager according to Set up Your VMware Identity Manager Environment.
- For each Horizon pod, ensure that you have the credentials of a user who has the Administrators role.
- You must use an administrator role that can perform the Manage Desktop Apps action in the Catalog service.
Procedure
- Log in to the VMware Identity Manager console.
- Select the Catalog > Virtual Apps tab, then click Virtual Apps Configuration.
- Click Add Virtual Apps and select Horizon View On-Premises.
- Enter a unique name for the collection.
- From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.
If you have set up multiple connectors for high availability, click Add Connector and select the other connectors. The order in which the connectors are listed determines the failover order.
- In the Horizon Pods section, provide the configuration information for the Horizon pods that you are adding to this collection.
| Option | Description |
| --- | --- |
| Connection Server | Enter the fully qualified hostname of the Horizon Connection Server instance, such as connectionserver.example.com. The domain name must exactly match the domain name to which you joined the Horizon Connection Server instance. |
| Username | Enter the administrator username for the pod. The user must have the Administrators role in Horizon. |
| Password | Enter the administrator password for the pod. |
| Smart Card Authentication | If users use smart card authentication to sign in to the pod instead of passwords, select the check box. |
| True SSO Enabled | Select this option if True SSO is enabled in Horizon. This option only applies to Horizon versions that support the True SSO feature. When True SSO is enabled in Horizon, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can select this option to prevent a password dialog box from being shown to users in that scenario. |
| Sync Local Entitlements | If local entitlements are configured for the pod, select this option. |
- To add multiple pods to the collection, click Add Pod and enter the configuration information for each pod.
- To add a pod federation, follow these steps.
- Select the Enable check box in the Horizon Cloud Pod Architecture Configuration section.
- Enter the pod federation configuration information.
- To add another pod federation, click Add Federation and enter the configuration information.
Note:
If the collection only includes individual Horizon pods that do not belong to a pod federation, do not enable this option.
- Select the Do not sync duplicate applications check box to prevent duplicate applications from being synced from multiple servers.
When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Selecting this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.
- Select the Configuring Horizon Connection Server 5.x check box if you are configuring any View Connection Server 5.x instances.
Selecting this option enables an alternative way of syncing resources that is required for View 5.x.
Note:
If you select the Perform Directory Sync option, the Configuring Horizon Connection Server 5.x option is also automatically selected as both options rely on the alternative way of syncing resources.
- Select the Perform Directory Sync check box if you want directory sync to be performed as part of resource sync when any users and groups that are entitled to Horizon pools in the Horizon Connection Server instances are missing in the VMware Identity Manager directory.
The Perform Directory Sync option does not apply to pod federations. If users and groups with global entitlements are missing in the VMware Identity Manager directory, directory sync is not triggered.
Users and groups synced through this process can be managed like any other users added by VMware Identity Manager directory sync.
Important:
Sync takes longer when you use the Perform Directory Sync option.
Note:
When this option is selected, the Configuring Horizon Connection Server 5.x option is also selected automatically as both options rely on an alternative way of syncing resources.
- From the Default Launch Client drop-down list, select the default client in which to launch Horizon applications or desktops.
| Option | Description |
| --- | --- |
| NONE | No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the Horizon Default display protocol setting is used to determine how to launch the desktop or application. |
| BROWSER | Horizon desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting. |
| NATIVE | Horizon desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting. |
This setting applies to all users for all resources in this collection.
The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
- End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.
- Administrator Default Launch Client setting for the collection, set in the VMware Identity Manager console.
- Horizon Remote Display Protocol > Default display protocol setting for the desktop or application pool, set in Horizon Administrator. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.
- From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.
You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Virtual Apps Configuration page after you set up the collection and whenever there is a change in your View resources or entitlements.
- From the Activation Policy drop-down list, select how Horizon resources are made available to users in Workspace ONE.
With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop’s Entitlements page.
Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.
- Click Save.
The collection is created and appears in the Virtual Apps Configuration page. The resources in the collection are not synced yet.
- To sync the resources in the collection to VMware Identity Manager, click Sync in the Virtual Apps Configuration page.
Each time you change settings in Horizon, such as adding an entitlement or a user, a sync is required to propagate the changes to VMware Identity Manager.
- Configure Client Access URLs for the pods and pod federations.
You customize the URLs for specific network ranges. For example, different launch URLs are typically set for internal and external access.
- Review your network ranges and create new ones, if required.
- Click the Identity & Access Management > Policies tab.
- Click Network Ranges.
- Review the network ranges and click Add Network Range to add new ranges, if required.
- Click the Catalog > Virtual Apps tab, then click Virtual App Settings.
- Click Network Settings.
- Select the network range to configure.
The View CPA federation section lists the global launch URL of the pod federations you added to the collection. The View Pod section lists all the View pods that you added to the collection that have the Sync Local Entitlements option selected.
- In the View CPA federation section, for the global launch URL, specify the fully-qualified domain name of the server to which to direct launch requests for global entitlements that come from this network range. This is typically the global load balancer URL of the View pod federation deployment.
For example: lb.example.com
The global launch URL is used to launch globally-entitled resources.
- In the View Pod section, for each pod, specify the fully-qualified domain name of the server to which to direct launch requests for local entitlements that come from this network range. You can specify a Horizon Connection Server instance, a load balancer, or a security server. For example, if you are editing a range that provides internal access, you would specify the internal load balancer for the pod.
For example: lb.example.com
The client access URL is used to launch locally-entitled resources from the pod.
Note:
For information about the Wrap Artifact in JWT and Audience in JWT options, see Launching Horizon Resources Through Validating Gateways.
- Click Finish.