Workspace ONE Access Design Decisions

Use this design decision list for reference related to a Workspace ONE Access cluster in an environment with a single or multiple VMware Cloud Foundation instances.
The deployment and configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.
For full design details, see Workspace ONE Access Design.

Deployment Specification

Design Decisions on the Deployment Model for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-001
Deploy Workspace ONE Access by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.
  • With this configuration, the Workspace ONE Access deployment can be scaled to support a higher number of users of vRealize Operations and vRealize Automation.
  • The Workspace ONE Access instance is managed by vRealize Suite Lifecycle Manager and imported into the SDDC Manager inventory.
None.
VCF-VRS-WSA-CFG-002
Use the embedded PostgreSQL database with Workspace ONE Access.
Removes the need for external database services.
None.
VCF-VRS-WSA-CFG-003
Protect all Workspace ONE Access nodes using vSphere High Availability (vSphere HA).
Supports high availability for Workspace ONE Access.
None for standard deployments.
Clustered Workspace ONE Access deployments might require intervention if an ESXi host failure occurs.
Design Decisions on the Deployment Model for Clustered Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-005
Add a VM group for the Workspace ONE Access cluster nodes and set VM rules to restart the Workspace ONE Access VM group before any of the VMs that depend on it for authentication.
You can define the startup order of virtual machines regarding the service dependency. The startup order ensures that vSphere HA powers on the Workspace ONE Access virtual machines in an order that respects product dependencies.
None.
Design Decisions on the Deployment of Workspace ONE Access for Multiple Availability Zones
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-006
Add the Workspace ONE Access appliances to the VM group for the first availability zone.
Ensures that, by default, the Workspace ONE Access cluster nodes are started on a host in the first availability zone.
  • If the Workspace ONE Access instance is deployed after the creation of the stretched management cluster, you must add the appliances to the VM group manually.
  • Clustered Workspace ONE Access might require manual intervention after a failure of the active availability zone occurs.
Design Decisions on Sizing Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-007
Deploy each of the Workspace ONE Access appliances as a medium-size appliance.
Supports scalability for a vRealize Automation cluster deployment.
None.
Design Decisions on Directories for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-008
Connect the Workspace ONE Access instance to Active Directory.
You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services.
None.
VCF-VRS-WSA-CFG-009
Use Active Directory over LDAP as the Directory Service connection option.
The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using a standard bind authentication.
  • In a multi-domain forest, where the Workspace ONE Access instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group must reside within the same Active Directory domain.
  • If authentication to more than one Active Directory domain is required, additional Workspace ONE Access directories are required.
VCF-VRS-WSA-CFG-010
Use an Active Directory user account with a minimum of read-only access to the Base DNs for users and groups as the service account for the Active Directory bind.
Provides the following access control features:
  • Workspace ONE Access connects to the Active Directory with the minimum set of required permissions to bind and query the directory.
  • You can introduce improved accountability in tracking request-response interactions between Workspace ONE Access and Active Directory.
  • You must manage the password life cycle of this account.
  • If authentication to more than one Active Directory domain is required, additional accounts are required for the Workspace ONE Access connector to bind to each Active Directory domain over LDAP.
VCF-VRS-WSA-CFG-011
Configure the directory synchronization to synchronize only groups required for the integrated SDDC solutions.
  • Limits the number of replicated groups required for each product.
  • Reduces the replication interval for group information.
You must manage the groups from your enterprise directory selected for synchronization to Workspace ONE Access.
VCF-VRS-WSA-CFG-012
Enable the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory.
When enabled, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when groups are added. When disabled, group names are synchronized to the directory, but members of the group are not synchronized until the group is entitled to an application or the group name is added to an access policy.
None.
VCF-VRS-WSA-CFG-013
Enable Workspace ONE Access to synchronize nested group members by default.
Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory.
Changes to group membership are not reflected until the next synchronization event.
VCF-VRS-WSA-CFG-014
Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication.
Keeps the number of users replicated to Workspace ONE Access within the supported maximum scale.
To ensure that replicated user accounts are managed within the maximums, you must define a filtering schema that works for your organization based on your directory attributes.
VCF-VRS-WSA-CFG-015
Configure the mapped attributes included when a user is added to the Workspace ONE Access directory.
You can configure the minimum required and extended user attributes to synchronize directory user accounts so that Workspace ONE Access can be used as an authentication source for cross-instance vRealize Suite solutions.
User accounts in your organization's enterprise directory must have the following required attributes mapped:
  • firstName, for example, givenname for Active Directory
  • lastName, for example, sn for Active Directory
  • email, for example, mail for Active Directory
  • userName, for example, sAMAccountName for Active Directory
  • If you require users to sign in with an alternate unique identifier, for example, userPrincipalName, you must map the attribute and update the identity and access management preferences.
VCF-VRS-WSA-CFG-016
Configure the Workspace ONE Access directory synchronization frequency to a recurring schedule, for example, every 15 minutes.
Ensures that any changes to group memberships in the corporate directory are available for integrated solutions in a timely manner.
Schedule the synchronization interval to be longer than the time to synchronize from the enterprise directory. If users and groups are being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the end of the previous iteration. With this schedule, the process is continuous.
Design Decisions on Identity Providers and Connectors in Clustered Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-CFG-017
Configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access.
Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests.
Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector.

Network Design

Design Decisions on the NSX Segment for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-001
Place the Workspace ONE Access appliances on an overlay-backed or VLAN-backed NSX network segment.
Provides a consistent deployment model for management applications in an environment with a single or multiple VMware Cloud Foundation instances.
You must use an implementation in NSX-T Data Center to support this network configuration.
Design Decisions on the IP Addressing Scheme for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-002
Allocate statically assigned IP addresses for the following:
  • Standard Workspace ONE Access
    • Workspace ONE Access appliance
  • Clustered Workspace ONE Access
    • Workspace ONE Access cluster nodes
    • Embedded PostgreSQL database
    • NSX load-balancer virtual server
Using statically assigned IP addresses ensures stability across the SDDC and makes it simpler to maintain and easier to track.
Requires precise IP address management.
Design Decisions on Name Resolution for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-003
Configure forward and reverse DNS records for the following components:
  • Standard Workspace ONE Access
    • Workspace ONE Access appliance
  • Clustered Workspace ONE Access
    • Workspace ONE Access cluster nodes
    • NSX load balancer virtual server
Workspace ONE Access is accessible by using a set of fully qualified domain names instead of only by IP address.
None.
VCF-VRS-WSA-NET-004
Configure the DNS settings for Workspace ONE Access to use DNS servers in the first VMware Cloud Foundation instance.
Workspace ONE Access requires DNS resolution to connect to SDDC components.
None.
Design Decisions on Name Resolution for Workspace ONE Access for Multiple VMware Cloud Foundation Instances
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-005
Configure the DNS settings for Workspace ONE Access to use DNS servers in each VMware Cloud Foundation instance.
Improves resiliency if an outage of a DNS server occurs.
None.
Design Decisions on Time Synchronization for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-006
Configure the NTP settings on Workspace ONE Access to use NTP servers in the first VMware Cloud Foundation instance.
Workspace ONE Access depends on time synchronization for all cluster nodes.
None.
Design Decisions on Time Synchronization for Workspace ONE Access for Multiple VMware Cloud Foundation Instances
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-007
Configure the NTP settings on Workspace ONE Access cluster nodes to use NTP servers in each VMware Cloud Foundation instance.
Improves resiliency if an outage of an NTP server occurs.
If you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on Workspace ONE Access must be updated.
Design Decisions on Load Balancing for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-NET-008
Use the NSX load balancer that is configured by SDDC Manager on a dedicated Tier-1 gateway to load balance connections across the Workspace ONE Access cluster nodes.
  • Required to deploy Workspace ONE Access as a cluster, enabling it to handle a greater load and obtain a higher level of service availability for cross-instance vRealize Suite solutions, which also share this load balancer.
  • During the deployment of Workspace ONE Access by using vRealize Suite Lifecycle Manager, SDDC Manager automates the configuration of the NSX load balancer for the Workspace ONE Access cluster.
You must use the load balancer that is configured by SDDC Manager and the integration with vRealize Suite Lifecycle Manager.

Life Cycle Management Design

Design Decisions on Life Cycle Management for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-LCM-001
Use vRealize Suite Lifecycle Manager to perform the life cycle management of Workspace ONE Access.
vRealize Suite Lifecycle Manager automates the life cycle of Workspace ONE Access.
  • You must deploy vRealize Suite Lifecycle Manager by using SDDC Manager.
  • You must manually apply patches, updates, and hot fixes for Workspace ONE Access, following the related VMware Knowledge Base articles. Patches, updates, and hot fixes for Workspace ONE Access are not generally managed by vRealize Suite Lifecycle Manager.

Information Security and Access Control Design

Design Decisions on Integrations for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-SEC-001
Configure the Workspace ONE Access instance as the authentication provider for each supported SDDC component.
Enables authentication through Workspace ONE Access identity and access management services for vRealize Suite solutions that require mobility across VMware Cloud Foundation instances.
Required for vRealize Automation authentication.
Workspace ONE Access must be online and operational before you can authenticate to vRealize Automation.
Design Decisions on Identity Management for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-SEC-002
Create corresponding security groups in your corporate directory services for these Workspace ONE Access roles:
  • Super Admin
  • Directory Admins
  • ReadOnly Admin
Streamlines the assignment of Workspace ONE Access roles to users.
  • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.
  • You must create the security group outside of the SDDC stack.
Design Decisions on Password Management for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-SEC-003
Rotate the appliance root user password on a schedule after deployment.
The password for the root user account expires 60 days after the initial deployment and after each subsequent password change.
You must manage the password rotation schedule for the root user account in accordance with your corporate policies and regulatory standards, as applicable.
You must manage the root password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-004
Rotate the appliance sshuser user password on a schedule after deployment.
The password for the sshuser appliance user account expires 60 days after the initial deployment and after each subsequent password change.
You must manage the password rotation schedule for the appliance sshuser user account in accordance with your corporate policies and regulatory standards, as applicable.
You must manage the sshuser password rotation schedule on the Workspace ONE Access cluster nodes by using vRealize Suite Lifecycle Manager.
VCF-VRS-WSA-SEC-005
Rotate the System Admin (admin user of port 8443) application user password on a schedule after deployment.
The password of System Admin (admin user of port 8443) is initially the same as the password of the admin application user, but for password rotation the account is managed separately by vRealize Suite Lifecycle Manager.
You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.
You must manage the admin password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-006
Rotate the admin application user password on a schedule after deployment.
The password for the default administrator application user account does not expire after the initial deployment.
You must manage the password rotation schedule for the admin application user account in accordance with your corporate policies and regulatory standards, as applicable.
You must manage the admin password rotation schedule on the Workspace ONE Access nodes by using SDDC Manager.
VCF-VRS-WSA-SEC-007
Rotate the configadmin application user password on a schedule after deployment.
The password for the configuration administrator application user account does not expire after the initial deployment.
You must manage the password rotation schedule for the configuration administrator application user account in accordance with your corporate policies and regulatory standards, as applicable.
You must use a combination of Workspace ONE Access and vRealize Suite Lifecycle Manager to manage the password rotation schedule of the configadmin user.
VCF-VRS-WSA-SEC-008
Configure a password policy for the Workspace ONE Access local directory users admin and configadmin.
You can set a policy for Workspace ONE Access local directory users that addresses your corporate policies and regulatory standards.
The password policy is applicable only to the local directory users and does not impact your organization directory.
You must set the policy in accordance with your organization policies and regulatory standards, as applicable.
You must apply the password policy on the Workspace ONE Access cluster nodes.
Design Decisions on Certificates for Workspace ONE Access
Decision ID
Design Decision
Design Justification
Design Implication
VCF-VRS-WSA-SEC-009
Use a CA-signed certificate that contains the following in its SAN attributes when deploying Workspace ONE Access:
  • Standard Workspace ONE Access
    • Workspace ONE Access cluster node
  • Clustered Workspace ONE Access
    • Each Workspace ONE Access cluster node FQDN
    • Workspace ONE Access cluster load balancer FQDN
Ensures that all communication to the externally facing Workspace ONE Access browser-based UI and API, and between the components, is encrypted.
  • Certificates are managed by the Locker in vRealize Suite Lifecycle Manager.
  • Using CA-signed certificates from a certificate authority increases the deployment preparation time, because certificate requests are generated and delivered.
  • You must manage the life cycle of the certificate replacement.
  • The SSL certificate key size must be 2048 bits or 4096 bits.
VCF-VRS-WSA-SEC-010
Use a SHA-2 or higher algorithm when signing certificates.
The SHA-1 algorithm is considered less secure and has been deprecated.
Not all certificate authorities support SHA-2.
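The following check verifies a certificate against decisions VCF-VRS-WSA-SEC-009 and VCF-VRS-WSA-SEC-010 before it is imported into the vRealize Suite Lifecycle Manager Locker: every cluster node FQDN and the load balancer FQDN must be present as SANs, the RSA key must be 2048 or 4096 bits, and the signature algorithm must be SHA-2 rather than SHA-1. It is an added example written for this page, not VMware code; the FQDNs are constructed, and the self-signed certificates it generates stand in for the CA-issued one you would actually check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckCert lists every way a certificate fails SEC-009/SEC-010: a required FQDN
// missing from the SANs, a key that is not RSA 2048/4096, or a non-SHA-2 signature.
func CheckCert(cert *x509.Certificate, required []string) []string {
	var findings []string
	present := map[string]bool{}
	for _, n := range cert.DNSNames {
		present[n] = true
	}
	for _, fqdn := range required {
		if !present[fqdn] {
			findings = append(findings, "missing SAN: "+fqdn)
		}
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || (pub.N.BitLen() != 2048 && pub.N.BitLen() != 4096) {
		findings = append(findings, "key is not RSA 2048 or 4096 bits")
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA: // SHA-2 family: acceptable
	default:
		findings = append(findings, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not SHA-2")
	}
	return findings
}

// makeTestCert issues a self-signed certificate with the given SANs, key size and
// signature algorithm so the check can be exercised offline without a CA.
func makeTestCert(sans []string, bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: sans, SignatureAlgorithm: alg,
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed FQDNs (assumed, not from the design): three cluster nodes plus the load balancer.
	sans := []string{"wsa01.example.local", "wsa02.example.local", "wsa03.example.local", "wsa.example.local"}
	good, _ := makeTestCert(sans, 2048, x509.SHA256WithRSA)
	bad, _ := makeTestCert(sans[:2], 1024, x509.SHA1WithRSA)
	fmt.Println("compliant:", CheckCert(good, sans), "non-compliant:", CheckCert(bad, sans))
}
```

To check a real certificate, read the PEM file, decode it with pem.Decode, pass the block bytes to x509.ParseCertificate, and call CheckCert with your node and load balancer FQDNs.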