
REVISED 6 NOVEMBER 2018

ARCHITECTURAL OVERVIEW


Table of Contents

Architectural Overview

– Workspace ONE Logical Architecture


VMware Workspace ONE Cloud-Based Reference Architecture - Architectural Overview

Architectural Overview

A VMware Workspace ONE® design uses several complementary components and provides a variety of highly available services to address the identified use cases. Before we can assemble and integrate these components to form the desired service, we first need to design and build the infrastructure required.

The components in Workspace ONE, such as VMware Identity Manager™, VMware Workspace ONE® UEM (powered by VMware AirWatch®), and VMware Horizon®, are available as on-premises and cloud-hosted products.

For this reference architecture, the approach taken is to use the cloud-hosted offerings of VMware Identity Manager and Workspace ONE UEM (AirWatch) and to utilize VMware Horizon® Cloud Service™ on Microsoft Azure.

Workspace ONE Logical Architecture

The Workspace ONE platform is composed of VMware Identity Manager and Workspace ONE UEM. Although each product can operate independently, integrating them is what enables the Workspace ONE product to function.

VMware Identity Manager and Workspace ONE UEM provide tight integration between identity and device management. This integration has been simplified in recent versions to ensure that configuration of each product is relatively straightforward.

Although VMware Identity Manager and Workspace ONE UEM are the core components in a Workspace ONE deployment, you can deploy a variety of other components, depending on your business use cases. For example, and as shown in the following figure, you can use VMware Unified Access Gateway™ to provide the VMware Workspace ONE® Tunnel or VPN-based access to on-premises resources.

For more information about the full range of components that might apply to a deployment, refer to the VMware Workspace ONE UEM documentation.


Figure: Sample Logical Architecture of a Workspace ONE Deployment Using Horizon Cloud Service on Microsoft Azure

Following is a description of the components shown in the Workspace ONE architecture diagram:

VMware Workspace ONE UEM SaaS tenant – Cloud-hosted instance of the Workspace ONE UEM service. Workspace ONE UEM acts as the mobile device management (MDM), mobile content management (MCM), and mobile application management (MAM) platform.

VMware Identity Manager SaaS tenant – Cloud-hosted instance of VMware Identity Manager. VMware Identity Manager acts as an identity provider by syncing with Active Directory to provide SSO across SAML-based applications, VMware Horizon–based apps and desktops, and VMware ThinApp® packaged apps. It is also responsible for enforcing authentication policy based on networks, applications, or platforms.

Horizon Cloud Control Plane – A control plane that VMware hosts in the cloud for central orchestration and management of VDI desktops, RDSH-published desktops, and RDSH-published applications. Because VMware hosts the service, feature updates and enhancements are consistently provided for a software-as-a-service experience.

Horizon Cloud Administration Console – The cloud control plane also hosts a common management user interface, which runs in industry-standard browsers. This console provides IT administrators with a single location for management tasks involving user assignments to and management of VDI desktops, RDSH-published desktops, and RDSH-published applications.

Horizon Cloud Node – VMware software deployed to a supported capacity environment, such as Microsoft Azure cloud. Along with access to the Horizon Cloud Administration Console, the service includes the software necessary to pair the deployed node with the cloud control plane and deliver virtual desktops and applications.

Workspace ONE native mobile app – OS-specific versions of the native app are available for iOS, Android, and Windows 10. The Workspace ONE app presents a unified application catalog across VMware Identity Manager resources and native mobile apps, allows users to easily find and install enterprise apps, and provides an SSO experience across resource types.

VMware Enterprise Systems Connector™ – Combination of two different services (the former AirWatch Cloud Connector and VMware Identity Manager Connector) bundled within a single Windows-based installer. The Enterprise Systems Connector connects resources located in different security zones (namely, the DMZ and the LAN).

AirWatch Cloud Connector (ACC) component – Runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s critical back-end enterprise infrastructure components. Organizations can leverage the benefits of Workspace ONE UEM Mobile Device Management™, running in any configuration, together with those of their existing LDAP, certificate authority, email, and other internal systems.

VMware Identity Manager Connector component – Performs directory sync and authentication between an on-premises Active Directory and the VMware Identity Manager service. This component is available as either a Windows installer or a Linux-based virtual appliance.

Secure email gateway – Workspace ONE UEM supports integration with email services, such as Microsoft Exchange, GroupWise, IBM Notes (formerly Lotus Notes), and G Suite (formerly Google Apps for Work). You have three options for integrating email:

VMware Secure Email Gateway – Requires a server to be configured in the data center.

PowerShell integration – Communicates directly with Exchange ActiveSync on Exchange 2010 or later or Microsoft Office 365.

G Suite integration – Integrates directly with the Google Cloud services and does not need additional servers.

Content integration – The Workspace ONE UEM Mobile Content Management solution helps organizations address the challenge of securely deploying content to a wide variety of devices using a few key actions. An administrator can leverage the Workspace ONE UEM Console to create, sync, or enable a file repository. After configuration, this content deploys to end-user devices with VMware Workspace ONE Content. Access to content can be either read-only or read-write.

VMware Unified Access Gateway – Virtual appliance that provides secure edge services and allows external access to internal resources. Its services include:

Provision of Workspace ONE UEM Per-App Tunnels and the Tunnel Proxy to allow mobile applications secure access to internal services

Access from Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service

Reverse proxying of web servers

Single sign-on access to on-premises legacy web applications by identity bridging from SAML or certificates to Kerberos

Secure external access to Horizon 7 desktops and applications


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.