Installing VMware Workspace ONE Access Connector 20.01
Modified AUG 2020
JAN 2020
VMware Workspace ONE Access 20.01


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


VMware, Inc. 2


Contents

Installing VMware Workspace ONE Access Connector 20.01 4

1 Systems Requirements 5

2 Prerequisites for Installing the Workspace ONE Access Connector 11

3 Installing the Workspace ONE Access Connector 12

4 Updating Your Workspace ONE Access Connector Installation 26
    Adding or Modifying Enterprise Services on the Workspace ONE Access Connector 26
    Deleting an Enterprise Service from the Connector 30
    Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only) 31

5 Upgrading Java on the Workspace ONE Access Connector Server 33

6 Increasing Java Memory for Enterprise Services 34

7 Suspending Enterprise Services 35

8 Configuring a Load Balancer for Kerberos Auth Service High Availability 36

9 Installing the Workspace ONE Access Connector in Silent Mode 38
    Run the Workspace ONE Access Connector Installer in Silent Mode 38
    Silent Mode Installation Properties 41
    Creating an XML File for Silent Mode Installation 44

10 Uninstalling the Workspace ONE Access Connector 46

11 Troubleshooting the Workspace ONE Access Connector Installation 47
    Accessing Workspace ONE Access Connector Log Files 47
    Creating a Workspace ONE Access Connector Log Bundle 48
    Updating the Workspace ONE Access Connector Host Name 49
    Updating Workspace ONE Access Service FQDN in Enterprise Services application.properties Files 50


Installing VMware Workspace ONE Access Connector 20.01

The VMware Workspace ONE® Access™ connector is an on-premises component of VMware Workspace ONE Access (formerly known as VMware Identity Manager™) that integrates with your on-premises infrastructure such as Active Directory, RADIUS, and RSA SecurID to provide directory integration and user authentication.

The connector contains the following enterprise services:

- Directory Sync service: Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.

- User Auth service: Provides connector-based authentication methods, including Password (cloud deployment), RSA SecurID (cloud deployment), and RADIUS (cloud deployment).

- Kerberos Auth service: Provides Kerberos authentication for internal users.

Note The Workspace ONE Access 20.01 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApps integrations). To integrate Horizon, Horizon Cloud, or Citrix applications and desktops, use VMware Identity Manager connector (Windows) version 19.03. To integrate ThinApp packaged applications, use VMware Identity Manager connector (Linux) version 2018.8.1.0.

The enterprise services can be installed individually on separate Windows servers or together on the same server. When you install the connector, you select which services to install. The services run independently of each other and can be stopped, started, and managed separately.

All the services, except for the Kerberos Auth service, are outbound and do not require an inbound connection.

The Workspace ONE Access connector is installed on Windows servers only.

Related Documentation

- For information about configuring directories using the Directory Sync service, see Directory Integration with VMware Workspace ONE Access.

- For information about configuring authentication using the User Auth or Kerberos Auth service, see Managing User Authentication Methods in VMware Workspace ONE Access.


1 Systems Requirements

To deploy the Workspace ONE Access connector, which includes the Directory Sync service, User Auth service, and Kerberos Auth service as components, ensure that your Windows server meets the necessary requirements. Some requirements vary based on the service you are installing.

Number of Servers

You can install the Directory Sync, User Auth, and Kerberos Auth services together on a single Windows server or install them on separate servers in any combination, depending on your preferences. To install all the services together, you need a more powerful server. To install the services separately, you need to obtain multiple servers.

Multiple servers are required if you want to set up high availability for any of the services.

Also consider that the Kerberos Auth service requires inbound connectivity while the other services do not.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.

- Operating System: Windows Server 2012 R2 Standard 64 bit or higher

- Processor: Intel(R) Xeon(R) CPU E5-2650 [email protected] GHZ (2 processors) x64 bit processor or higher


Table 1-1. Sizing Guidelines for Directory Sync Service Only

Deployment Size | Hardware Requirements | Number of Users and Groups
Small | 2 vCPU, 8 GB RAM, 40 GB Disk Space. Java memory allocation for Directory Sync service: xmx=4g | Up to 50,000 users and 500 groups
Medium | 4 vCPU, 8 GB RAM, 40 GB Disk Space. Java memory allocation for Directory Sync service: xmx=4g | Up to 100,000 users and 1,000 groups
Large | 8 vCPU, 12 GB RAM, 40 GB Disk Space. Java memory allocation for Directory Sync service: xmx=8g | Up to 200,000 users and 2,000 groups

Table 1-2. Sizing Guidelines for User Auth Service or Kerberos Auth Service Only

Deployment Size | Hardware Requirement for User Auth or Kerberos Auth Service Server | User Auth Service | Kerberos Auth Service
Small/Medium/Large | 2 vCPU, 4 GB RAM, 40 GB Disk Space. Java memory allocation for User Auth service or Kerberos Auth service: xmx=1g | Password authentications: 390 - 480/min. WSFed Active Flow: 720 - 900/min | Kerberos authentications: 420 - 480/min

Note The User Auth service and Kerberos Auth service nodes are not vertically scalable. For better throughput, add more nodes.


Table 1-3. Sizing Guidelines for All Services Installed on a Single Server

Deployment Size | Hardware Requirements | Directory Sync
Small | 2 vCPU, 8 GB RAM, 40 GB Disk Space. Java Memory Allocation: Directory Sync service xmx=4g, Kerberos Auth service xmx=1g, User Auth service xmx=1g | Up to 50,000 users and 500 groups
Medium | 4 vCPU, 8 GB RAM, 40 GB Disk Space. Java Memory Allocation: Directory Sync service xmx=4g, Kerberos Auth service xmx=1g, User Auth service xmx=1g | Up to 100,000 users and 1,000 groups
Large | 8 vCPU, 16 GB RAM, 40 GB Disk Space. Java Memory Allocation: Directory Sync service xmx=8g, Kerberos Auth service xmx=1g, User Auth service xmx=1g | Up to 200,000 users and 2,000 groups

Note

- The memory requirements include the OS and the VMware connector components. If you plan to run any other applications or services on the server, adjust the requirements accordingly.

- The Java memory allocation listed for each service refers to the Java heap memory. By default, 4 GB is allocated to the Directory Sync service, 1 GB to the User Auth service, and 1 GB to the Kerberos Auth service. See Chapter 6 Increasing Java Memory for Enterprise Services for information on how to allocate memory.

- The groups listed for the Directory Sync service are all one level, each group contains 500 users, and each user is associated with 5 groups.

- Deployments with large groups or nested groups require more memory.

Software Requirements

Ensure the Windows server meets the following software requirements.


Requirement | Notes
Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2008 R2 |
Install PowerShell on the server | Note PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2.
Install .NET Framework 4.6.2 |

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the Workspace ONE Access connector. The outbound connection must remain open at all times.

Source | Destination | Port | Protocol | Notes
Workspace ONE Access connector | Workspace ONE Access service (cloud), or Workspace ONE Access service host (on-premises installations) | 443 | HTTPS | Default port; required. Applies to Directory Sync service, User Auth service, and Kerberos Auth service
Workspace ONE Access connector | Workspace ONE Access service load balancer (on-premises installations) | 443 | HTTPS | Applies to Directory Sync service, User Auth service, and Kerberos Auth service
Browsers | Workspace ONE Access connector | 443 | HTTPS | Required for Kerberos Auth service
Workspace ONE Access connector | Active Directory | 389, 636, 3268, 3269 | | Default ports; these ports are configurable. Applies to Directory Sync service. Also applies to User Auth service if password authentication is used.
Workspace ONE Access connector | DNS server | 53 | TCP/UDP | Every connector instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. Applies to Directory Sync service, User Auth service, and Kerberos Auth service.
Workspace ONE Access connector | Domain controller | 88, 464, 135, 445 | TCP/UDP | Applies to Directory Sync service and Kerberos Auth service
Workspace ONE Access connector | RSA SecurID system | 5500 | | Default port; this port is configurable. Applies to User Auth service if RSA SecurID is used
Workspace ONE Access connector | syslog server | 514 | UDP | Default port; this port is configurable. Port for external syslog server, if configured. Applies to Directory Sync service, User Auth service, and Kerberos Auth service

Workspace ONE Access Cloud IP Addresses

See https://kb.vmware.com/s/article/68035 for the list of Workspace ONE Access cloud service IP addresses to which the Workspace ONE Access connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address are required for the connector. Before you begin your installation, obtain the DNS record and IP address to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector server if you intend to install the Kerberos Auth service. The Workspace ONE Access connector host name is visible to end users when Kerberos authentication is configured.

Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 1-4. Example of Forward DNS Records and IP Addresses

Domain Name | Resource Type | IP Address
myconnector.example.com | A | 10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 1-5. Example of Reverse DNS Records and IP Addresses

IP Address | Resource Type | Host Name
10.28.128.3 | PTR | myconnector.example.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, the command host IPaddress must resolve to the connector's DNS name.
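A pre-install check that exercises the DNS and outbound-port requirements above, written here as an added PowerShell example and not part of the VMware guide. It uses the example host name and IP address from Tables 1-4 and 1-5; the tenant host, domain controller and DNS server names are assumed placeholders to replace with your own, and only the TCP ports from the network requirements table are probed.

```powershell
# Added example (not from the VMware guide): pre-install checks for a connector server.
# Works with the .NET resolver and sockets so it also runs on Windows Server 2008 R2 / PowerShell 4.0.
$ConnectorFqdn = 'myconnector.example.com'   # from Tables 1-4 and 1-5 in the guide
$ExpectedIp    = '10.28.128.3'                # from Tables 1-4 and 1-5 in the guide
$TenantHost    = 'tenant.example.com'         # ASSUMED placeholder: your Workspace ONE Access service FQDN
$DomainCtrl    = 'dc01.example.com'           # ASSUMED placeholder: a domain controller / AD server
$DnsServer     = '10.28.128.10'               # ASSUMED placeholder: the DNS server the connector uses

function Test-ForwardReverseDns {
    param([string]$Fqdn, [string]$ExpectedIp)
    # Forward lookup (A record) through the OS resolver.
    $forward = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    $forwardOk = $forward -contains $ExpectedIp
    # Reverse lookup (PTR record). Optional per the guide, but when present it must name the connector FQDN.
    $reverseName = $null
    try { $reverseName = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName } catch { }
    $reverseOk = ($reverseName -ne $null) -and ($reverseName.TrimEnd('.') -ieq $Fqdn)
    [pscustomobject]@{
        Fqdn        = $Fqdn
        ForwardIPs  = ($forward -join ', ')
        ForwardOk   = $forwardOk
        ReverseName = $reverseName
        ReverseOk   = $reverseOk
    }
}

function Test-OutboundTcp {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; Test-NetConnection is not available on Server 2008 R2.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done -and $client.Connected) { $client.EndConnect($async); return $true }
        return $false
    } catch { return $false }
    finally { $client.Close() }
}

# Outbound TCP ports from the guide's network requirements table (UDP entries are not probed here).
$checks = @(
    @{ Target = $TenantHost; Port = 443;  Use = 'Workspace ONE Access service (all services)' },
    @{ Target = $DomainCtrl; Port = 389;  Use = 'Active Directory (Directory Sync / User Auth)' },
    @{ Target = $DomainCtrl; Port = 636;  Use = 'Active Directory (Directory Sync / User Auth)' },
    @{ Target = $DomainCtrl; Port = 3268; Use = 'Active Directory (Directory Sync / User Auth)' },
    @{ Target = $DomainCtrl; Port = 3269; Use = 'Active Directory (Directory Sync / User Auth)' },
    @{ Target = $DomainCtrl; Port = 88;   Use = 'Domain controller (Directory Sync / Kerberos Auth)' },
    @{ Target = $DomainCtrl; Port = 464;  Use = 'Domain controller (Directory Sync / Kerberos Auth)' },
    @{ Target = $DomainCtrl; Port = 135;  Use = 'Domain controller (Directory Sync / Kerberos Auth)' },
    @{ Target = $DomainCtrl; Port = 445;  Use = 'Domain controller (Directory Sync / Kerberos Auth)' },
    @{ Target = $DnsServer;  Port = 53;   Use = 'DNS server (all services)' }
)

Test-ForwardReverseDns -Fqdn $ConnectorFqdn -ExpectedIp $ExpectedIp | Format-List

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Target    = $c.Target
        Port      = $c.Port
        Reachable = Test-OutboundTcp -Target $c.Target -Port $c.Port
        Use       = $c.Use
    }
}
$results | Format-Table -AutoSize

# The guide requires NTP time synchronization; show the configured source and current offset.
w32tm /query /status
```

Any row reporting Reachable = False, or ForwardOk/ReverseOk = False, should be resolved before running the installer, since the enterprise services keep these outbound connections open permanently.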


Load Balancer

A load balancer is required if you want to configure high availability for Kerberos authentication.

Time Synchronization

Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.


2 Prerequisites for Installing the Workspace ONE Access Connector

Before you install the Workspace ONE Access connector, complete the prerequisites that apply to your installation scenario.

- Verify that your Windows server meets the requirements listed in Chapter 1 Systems Requirements.

- If you are installing the Kerberos Auth service:

    - Join the Windows server to the Active Directory domain.

    - Perform the connector installation as a domain user that is also part of the administrator group on the Windows server on which you are installing.

    - During installation, specify the domain user account to use to run the Kerberos Auth service.

- (Kerberos Auth service only) For the installer to be able to browse to and validate domains and users during installation:

    - The Windows server must be domain joined.

    - The Computer Browser service might need to be enabled and running to browse domains.

    - NetBIOS over TCP/IP must be enabled.

    - A master browser system should be configured on the network.

    - Broadcast traffic should be enabled on the network.

- If you plan to configure proxy server settings, you need the proxy server host name or IP address, port, and, if the proxy server requires authentication, a user name and password.

- If you plan to configure a syslog server, you need the syslog server's fully qualified domain name or IP address, and port.

    You can set up any of the standard syslog servers available. The connector must be able to reach the syslog server on the configured port, for example, 514 (UDP).

- A trusted SSL certificate is required for the Kerberos Auth service only. The certificate can be uploaded during installation or later. See Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only) for requirements.


3 Installing the Workspace ONE Access Connector

To install the Directory Sync, User Auth, or Kerberos Auth services, run the Workspace ONE Access connector installer on a Windows server that meets all the requirements and select the services you want to install.

You can choose between a quick, default installation that uses default values for most settings or a custom installation that lets you configure various settings.

Default Installation

- Uses the following default ports:

    - User Auth Service: 8090

    - Directory Sync Service: 8080

    - Kerberos Auth Service: 443

    Note These are the ports the services run on. Inbound connectivity is required for the Kerberos Auth service port only.

- Auto-generates a self-signed certificate for the connector

Custom Installation

- Lets you specify custom ports for the enterprise services

    Note These are the ports the services run on. Inbound connectivity is required for the Kerberos Auth service port only.

- Lets you install a trusted SSL certificate for the connector (required for Kerberos Auth Service)

- Lets you upload trusted root certificates to the truststore

    Note If your on-premises Workspace ONE Access service instance has a self-signed certificate that you installed, you must upload its root, and, if required, intermediate certificate to establish trust between the enterprise services and the Workspace ONE Access service instance.

- Lets you configure a proxy server

- Lets you configure a syslog server

Regardless of the type of installation you choose, you can run the installer again later and modify all the settings as needed.

Prerequisites

- See Chapter 2 Prerequisites for Installing the Workspace ONE Access Connector.

- As part of the installation process, you download files from the Workspace ONE Access console. You might need to use a browser other than Internet Explorer to download the files. Default Internet Explorer settings might prevent you from downloading the files.


Procedure

1 Download the Workspace ONE Access connector installer and a configuration file from the Workspace ONE Access console.

a Log in to the Workspace ONE Access console as the System domain admin.

Tip In cloud deployments, the System domain admin is the admin whose credentials you receive when you get your Workspace ONE Access tenant. In on-premises deployments, the System domain admin is the admin user that is created when you install a Workspace ONE Access instance.

b Navigate to the Identity & Access Management > Setup > Connectors page.

c Click New.

d In the Virtual Apps Usage confirmation dialog box, review the information, then select Workspace ONE Access Connector 20.01.

Caution The Workspace ONE Access Connector 20.01.x does not support Virtual Apps (Horizon, Horizon Cloud, Citrix, and ThinApps integrations). Do not install the 20.01.x connector if you plan to integrate Virtual Apps. To use Virtual Apps, select Legacy Connectors and install the 19.03 or earlier connector. To integrate Horizon, Horizon Cloud, or Citrix applications and desktops, use VMware Identity Manager connector (Windows) version 19.03. To integrate ThinApp packaged applications, use VMware Identity Manager connector (Linux) version 2018.8.1.0.

Note The Virtual Apps Usage Confirmation dialog box appears the first time you install a new connector in your tenant. If you want to change your selection later, you can use the Reset Virtual Apps Usage button that appears subsequently on the Connectors or Legacy Connectors page. See Resetting Virtual Apps Usage Option in Workspace ONE Access for more information.

e Review the information in the confirmation dialog box, then click Proceed Anyway if you want to proceed.

The Add New Connector wizard appears.


f In the Add New Connector wizard, click GO TO MYVMWARE.COM.

The My VMware web page appears in a new window. Keep the wizard open as you will return to it after downloading the installer.

g Log in to https://my.vmware.com with your My VMware login and download the Workspace ONE Access Connector Installer.exe file.

h Return to the Workspace ONE Access console and click Next in the Add New Connector wizard.

i Generate the configuration file by creating a password and clicking Download Configuration File.

The password must have a minimum of 14 characters and include an uppercase character, a lowercase character, a numeric digit, and a special character. All characters must be visible, printing ASCII characters.

The configuration file is used to establish communication between the enterprise services you install and the Workspace ONE Access tenant. The file is named es-config.json by default.

Caution The configuration file contains sensitive information such as the tenant URL, tenant ID, the client ID and client secret for each of the enterprise services, and the password hash. It is critical that you do not share the file or expose it publicly.

j After downloading the configuration file, click Next in the wizard.

2 Copy the installer and configuration files to the Windows server on which you want to install the services.

3 Double-click the installer file to run the Workspace ONE Access connector installation wizard.

4 On the Welcome page, click Next.


The installer verifies prerequisites on the server. If .NET Framework is not installed, you are prompted to install it and to restart the server. After restarting, run the installer again to resume the installation process.

5 Read and accept the license agreement, then click Next.

6 Select the services you want to install.

By default, the services are installed in C:\Program Files. To change the installation folder, click Change and select the folder.

7 Click Next.


8 If the latest major version of the Java Runtime Environment (JRE™) is not already installed on the Windows server, the following pop-up appears.

Click Yes to install JRE. The installation takes a few minutes. Existing JRE versions are not deleted when the required version is installed.

9 On the Specify Configuration File page, select the configuration file that you downloaded from the Workspace ONE Access console, enter the password that you set, then click Next.

If the configuration file is in the same folder as the installer and has the default name es-config.json, it appears in the text box automatically.


10 Select between Default and Custom installation.


11 If you selected Default installation, follow these steps.

a (Kerberos Auth service only) On the Specify Service Account page, specify the user name and password of the domain user account to use to run the Kerberos Auth service.

Note If you are unable to locate domains or users when you click Browse, verify that you have met all the prerequisites.

Note The Specify Service Account page appears only if you are installing the Kerberos Auth service.

b Click Next.

c In the Ready to Install the Program page, review your selections, then click Install.

The installation takes a few minutes.


12 If you selected Custom installation, follow these steps.

a In the Specify Proxy Server Information page, enter a proxy server, if required.

The enterprise services access Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must enter a proxy server.

1 Select the Enable Proxy check box.

2 Enter the host name or IP address of the proxy server.

3 Enter the proxy server port.

4 If the proxy server requires authentication, select Basic/Windows and enter the user name and password for the proxy server.

b Click Next.


c On the Specify Syslog Server page, if you want to use an external syslog server to store application-level event messages, select the Enable Syslog option and enter the syslog server's IP address or FQDN, and port.

Note Only application-level events are exported to the syslog server. Operating system events are not exported.

d Click Next.


e On the Install Trusted Root Certificates page, upload root or intermediate CA certificates to the truststore, if required.

The connector will be able to establish secure connections to servers and clients whose certificate chain includes any of these certificates. Scenarios for uploading certificates to the truststore include:

- (On-premises installations only) If your on-premises Workspace ONE Access service instance has a self-signed certificate that you installed, you must upload its root, and, if required, intermediate certificate to establish trust between the enterprise services and the Workspace ONE Access service instance.

- (Kerberos Auth service only) If you deploy multiple instances of the Kerberos Auth service behind a load balancer, you must install the load balancer's root CA certificate on the connector instances to establish trust between the connectors and the load balancer.

You can also upload trusted root certificates later, after installation.

f Click Next.


g Review the default ports that the enterprise services run on, and specify different ports if these ports are being used by other applications.

Inbound connectivity is required for the Kerberos Auth service port only. It is not required for the User Auth or Directory Sync service ports.


h (Kerberos Auth service only) On the SSL Certificate for Kerberos Auth Service page, select the certificate to use for the connector server.

A trusted SSL certificate signed by a public or internal CA is required for the Kerberos Auth service. If you do not upload a trusted SSL certificate during installation, a self-signed certificate is auto-generated. You can upload a trusted SSL certificate later.

- To upload a trusted SSL certificate, select the Would you like to use your own SSL certificate? check box, click Browse, and select the certificate file.

    The certificate file must be in PEM or PFX format. If you upload a PEM file, also upload the private key. If you upload a PFX file, also specify the certificate password. For information about certificate requirements, see Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).

- To use the auto-generated, self-signed certificate, deselect the Would you like to use your own SSL certificate? check box.

Note If you use the Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf after installation.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.

i Click Next.


j (Kerberos Auth service only) On the Specify Service Account page, specify the user name and password of the domain user account to use to run the Kerberos Auth service.

Note If you are unable to locate domains or users when you click Browse, verify that you have met all the prerequisites.

Note The Specify Service Account page appears only if you are installing the Kerberos Auth service.

k In the Ready to Install the Program page, review your selections, then click Install.

The installation takes a few minutes.

13 After installation finishes successfully, verify that the services are running on the Windows server.

Service names:

- VMware Directory Sync Service

- VMware User Auth Service

- VMware Kerberos Auth Service

14 Go to the Workspace ONE Access console and refresh the Identity & Access Management > Setup > Connectors page to verify that the new services appear and are in Active state.

If the installation fails, delete both the installer and the configuration file that you downloaded from the Workspace ONE Access console, then start the installation process again.

Results

After successful installation, the enterprise services that you installed are registered with the Workspace ONE Access tenant and appear on the Connectors page in the Workspace ONE Access console.
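A post-install verification script for the connector server, added here as an example and not taken from the VMware guide. It checks the three Windows service names listed in step 13 and, when the Kerberos Auth service is installed, opens a TLS session to it on the default port 443 to inspect the certificate it presents and flag a self-signed one; the host name myconnector.example.com is the guide's DNS example and is assumed to be your connector's FQDN.

```powershell
# Added example (not from the VMware guide): post-install verification on the connector server.
$ServiceNames  = @('VMware Directory Sync Service', 'VMware User Auth Service', 'VMware Kerberos Auth Service')
$ConnectorFqdn = 'myconnector.example.com'   # ASSUMED: the guide's DNS example; replace with your connector FQDN
$KerberosPort  = 443                          # default Kerberos Auth service port; change if you chose a custom port

function Get-ConnectorServiceState {
    # Returns one object per expected service; a service not installed on this server is reported as Missing.
    foreach ($name in $ServiceNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        }
    }
}

function Get-KerberosAuthCertificate {
    param([string]$HostName, [int]$Port)
    # Opens a TLS 1.2 session to the Kerberos Auth service and returns the leaf certificate it presents.
    # Validation is disabled on purpose so that an auto-generated self-signed certificate can still be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $cert
    } finally { $client.Close() }
}

function Test-CertificateIsSelfSigned {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A self-signed certificate is its own issuer. The installer's auto-generated certificate is one;
    # the guide recommends a certificate signed by a public or internal CA for production use.
    return $Cert.Subject -eq $Cert.Issuer
}

Get-ConnectorServiceState | Format-Table -AutoSize

$kerberosSvc = Get-Service -DisplayName 'VMware Kerberos Auth Service' -ErrorAction SilentlyContinue
if ($kerberosSvc -and $kerberosSvc.Status -eq 'Running') {
    $cert = Get-KerberosAuthCertificate -HostName $ConnectorFqdn -Port $KerberosPort
    # Does the primary DNS name in the certificate match the host name end users will browse to?
    $certDnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    # Would this machine's own certificate store trust the chain? Domain clients apply the same test.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        SelfSigned   = Test-CertificateIsSelfSigned -Cert $cert
        NameMatches  = ($certDnsName -ieq $ConnectorFqdn)
        ChainTrusted = $chainTrusted
    } | Format-List
}
```

SelfSigned = True or ChainTrusted = False on a production connector means end users' browsers will not trust the Kerberos Auth endpoint until a CA-signed certificate is uploaded or the generated root certificate is added to client truststores, as the guide describes.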


What to do next

n In the Workspace ONE Access console, configure the enterprise services you installed. For information about integrating directories using the Directory Sync service, see Directory Integration with Workspace ONE Access. For information about configuring authentication using the User Auth or Kerberos Auth service, see Managing User Authentication Methods in Workspace ONE Access.

n (Kerberos Auth service only) If you are using the Workspace ONE Access generated self-signed certificate for the Kerberos Auth service, you need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA. See Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).


4 Updating Your Workspace ONE Access Connector Installation

You can update your Workspace ONE Access connector installation at any time to add or remove services, or to modify the existing configuration. Run the installer again to make any changes.

This chapter includes the following topics:

n Adding or Modifying Enterprise Services on the Workspace ONE Access Connector

n Deleting an Enterprise Service from the Connector

n Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only)

Adding or Modifying Enterprise Services on the Workspace ONE Access Connector

You can update your Workspace ONE Access connector installation to add or modify enterprise services at any time. Run the installer again to make any changes.

You can make the following changes:

n Add the Directory Sync, User Auth, or Kerberos Auth service

n Specify custom ports for each service

n Configure a proxy server

n Configure a syslog server

n Install trusted root certificates

n (Kerberos Auth service only) Install a trusted SSL certificate for the Kerberos Auth service

n (Kerberos Auth service only) Configure the Kerberos Auth service to run as a domain user account

Note You can also delete a service from the connector. To delete a service, run the installer again as you cannot delete a service at the same time as adding and modifying services. See Deleting an Enterprise Service from the Connector.


Prerequisites

n Be aware that all the enterprise services in a connector installation are connected to the same Workspace ONE Access tenant. When you modify an existing installation to add a service, the configuration file that you downloaded from the tenant for the original installation is used automatically.

n If you are modifying the existing configuration, suspend the enterprise services from the Workspace ONE Access console first. Navigate to the Identity & Access Management > Setup > Connectors page, click the connector, click Manage and click the toggle buttons to suspend each service.

Procedure

1 Log in to the Windows server on which the Workspace ONE Access connector is installed.

2 Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.

3 On the Welcome page, click Next.

4 On the Program Maintenance page, select the Add/Remove Services option, then click Next.

5 On the Service Selection page, select the services you want to add, if any, then click Next.

6 If the Specify Configuration File page appears, select the same configuration file that you downloaded from the Workspace ONE Access tenant for the original installation.

The Specify Configuration File page appears only if you selected services to add.


7 Make your changes on the appropriate pages of the wizard.

Option: To update the ports the enterprise services run on
Action: On the Specify Ports page, enter the port for each service. Inbound connectivity is only required for the Kerberos Auth service port. It is not required for the User Auth service and Directory Sync service ports.

Default ports:

n User Auth service: 8090

n Directory Sync service: 8080

n Kerberos Auth service: 443

Option: To upload a trusted SSL certificate for the connector server
Action: On the Install SSL Certificates page, select the Would you like to use your own SSL certificate? check box, click Browse, and select the certificate.

The certificate file must be in PEM or PFX format. If the file is in PEM format, also upload the key file. If the file is in PFX format, also enter the certificate password.

For more information about certificate requirements, see Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).

Important A trusted SSL certificate is required for the Kerberos Auth service. If you do not upload a trusted SSL certificate, a self-signed certificate is auto-generated. To use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf after installation.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.

Option: To upload or remove trusted root certificates from the truststore
Action: On the Install Trusted Root Certificates page:

n To upload a certificate, click Browse and select the certificate.

n To remove a certificate, select the certificate and click Remove.

n To view an installed certificate, click View Certificate.

The connector will be able to establish secure connections to servers whose certificate chain includes any of the certificates you add to the truststore. Scenarios for uploading certificates to the truststore include:

n (On-premises installations only) If your on-premises Workspace ONE Access service instance has a self-signed certificate that you installed, you must upload its root, and, if required, intermediate certificate to establish trust between the enterprise services and the Workspace ONE Access service instance.

n (Kerberos Auth service only) If you deploy multiple instances of the Kerberos Auth service behind a load balancer, you must install the load balancer's root CA certificate on the connector instances to establish trust between the connectors and the load balancer.

Option: To specify a proxy server
Action: On the Specify Proxy Server Information page, enter a proxy server if required. The enterprise services access Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must enter a proxy server.

1 Select the Enable Proxy check box.

2 Enter the host name or IP address of the proxy server.

3 Enter the proxy server port.

4 If the proxy server requires authentication, select Basic/Windows and enter the user name and password for the proxy server.

Option: To specify an external syslog server to store application-level event messages
Action: On the Specify Syslog Server Information page, select the Enable Syslog check box and enter the syslog server's IP address or FQDN, and port.

Note Only application-level events are exported to the syslog server. Operating system events are not exported.

Option: To change the domain user account used to run the Kerberos Auth service
Action: On the Service Account page, enter the user name and password of the domain user account in the format DOMAIN\username.

Note A domain user account is required to run the Kerberos Auth service.

8 In the Ready to Install the Program page, review your selections, then click Install.


What to do next

The installation is updated. New services are registered with the Workspace ONE Access tenant. Refresh the Identity & Access Management > Setup > Connectors page in the Workspace ONE Access console to view the updated list of services.

Deleting an Enterprise Service from the Connector

You can delete any of the enterprise services from your Workspace ONE Access connector. Deleting services does not uninstall the connector. You can install the services again on the connector if needed.

Note You can also add and modify services on the connector. To add or modify services, run the installer again as you cannot add or modify services at the same time as deleting services. See Adding or Modifying Enterprise Services on the Workspace ONE Access Connector.

Procedure

1 Before deleting the service from the Windows server, delete it from the Workspace ONE Access console.

a Navigate to the Identity & Access Management > Setup > Connectors page.

b Click the connector.

c Click Manage, and delete the service.

2 Log in to the Workspace ONE Access connector server.

3 Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.

4 On the Welcome page, click Next.

5 On the Program Maintenance page, select the Add/Remove Services option, then click Next.

6 On the Service Selection page, click the drop-down arrow next to the service you want to delete and select This feature will not be available.

7 Click Next.

8 On the Ready to Modify the program page, click Remove.

Results

The service is deleted. Refresh the Identity & Access Management > Setup > Connectors page in the Workspace ONE Access console to view the updated list of services.


Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only)

A trusted SSL certificate is required for Workspace ONE Access connector servers that have the Kerberos Auth service installed. For the Kerberos Auth service, the connection is inbound and end users establish SSL connections to the connector.

Requirements for the trusted SSL certificate for the Kerberos Auth service include:

n The certificate must be in either PEM or PFX format.

n If the certificate is a PEM file, you must also upload the private key.

n The certificate key length must be from 1024-3072 bits.

n Make sure that the certificate file contains the entire certificate chain in the correct order.

n The certificate must be signed by a public or internal CA.

n If you deploy multiple instances of the Kerberos Auth service to set up high availability for Kerberos authentication, a load balancer is required in front of the instances. In this case, the load balancer as well as all the connector instances must have trusted SSL certificates signed by a public or internal CA. For the load balancer certificate, use the Workspace IdP Hostname, which is set in the Workspace IdP configuration page, as the Subject DN Common Name. For each connector instance certificate, use the connector host name as the Subject DN Common Name. Alternatively, you can create a single certificate, using the Workspace IdP host name as the Subject DN Common Name, and all the connector host names as well as the Workspace IdP host name as Subject Alternative Names (SANs).

Note If you did not upload a trusted SSL certificate during installation, a self-signed certificate was auto-generated. If you want to use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.
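As an added example that is not part of this VMware documentation, the following PowerShell script checks a candidate certificate file against the requirements above (key length, CA signature, whole chain in order, and the IdP and connector host names in the CN or SAN). The host names, parameter names and function names are placeholders of my own; the file is assumed to be a PEM chain with the leaf first, or a PFX file.

```powershell
# Added example, not part of the VMware documentation: checks a certificate file
# intended for the Kerberos Auth service against the requirements listed above.
# Assumptions: the file is a PEM file holding the whole chain, leaf first, or a PFX
# file; the host names below are placeholders for your IdP and connector names.
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,
    [string] $PfxPassword = '',
    [string[]] $RequiredDnsNames = @('idp.example.com', 'connector1.example.com')
)

function Read-CertificateFile {
    param([string] $Path, [string] $Password)
    $ns = 'System.Security.Cryptography.X509Certificates'
    $certs = New-Object "System.Collections.Generic.List[$ns.X509Certificate2]"
    if ([IO.Path]::GetExtension($Path) -eq '.pfx') {
        $coll = New-Object "$ns.X509Certificate2Collection"
        $coll.Import($Path, $Password, 'DefaultKeySet')
        # PFX order is arbitrary: start at the certificate that carries the private key
        # and follow the issuer links, so the result can be checked like a PEM chain.
        $current = @($coll | Where-Object { $_.HasPrivateKey })[0]
        if ($null -eq $current) { throw 'PFX file contains no certificate with a private key.' }
        $seen = @{}
        while ($null -ne $current -and -not $seen.ContainsKey($current.Thumbprint)) {
            $certs.Add($current)
            $seen[$current.Thumbprint] = $true
            if ($current.Subject -eq $current.Issuer) { break }
            $current = @($coll | Where-Object { $_.Subject -eq $current.Issuer })[0]
        }
    } else {
        # PEM: keep the blocks in file order, because the order itself is a requirement.
        $text = Get-Content -Path $Path -Raw
        $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
        foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
            $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $certs.Add((New-Object "$ns.X509Certificate2" -ArgumentList (,$der)))
        }
    }
    return ,$certs
}

function Test-KerberosAuthCertificate {
    param([string] $Path, [string] $Password, [string[]] $DnsNames)
    $chain = Read-CertificateFile -Path $Path -Password $Password
    if ($chain.Count -eq 0) { throw "No certificates found in $Path" }
    $leaf = $chain[0]
    $last = $chain[$chain.Count - 1]

    # 1024-3072 bit key (RSA assumed; other key types report 0 and fail the check).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
    $keyBits = if ($null -ne $rsa) { $rsa.KeySize } else { 0 }

    # Every certificate must be issued by the one that follows it, ending at a root.
    $ordered = $chain.Count -ge 2
    for ($i = 0; $i -lt $chain.Count - 1; $i++) {
        if ($chain[$i].Issuer -ne $chain[$i + 1].Subject) { $ordered = $false }
    }

    # Host names may be covered by the Subject CN or by DNS entries in the SAN extension.
    $cn = if ($leaf.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    $sans = @()
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -ne $sanExt) {
        # Windows formats entries as "DNS Name=host", other platforms as "DNS:host".
        $sans = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    $covered = @($cn) + $sans
    $missing = @($DnsNames | Where-Object { $covered -notcontains $_ })

    return @(
        [pscustomobject]@{ Check = 'Key length 1024-3072 bits';        Pass = ($keyBits -ge 1024 -and $keyBits -le 3072); Detail = "$keyBits bits" }
        [pscustomobject]@{ Check = 'Signed by a CA, not self-signed';  Pass = ($leaf.Subject -ne $leaf.Issuer);            Detail = "Issuer: $($leaf.Issuer)" }
        [pscustomobject]@{ Check = 'Whole chain present, in order';    Pass = ($ordered -and $last.Subject -eq $last.Issuer); Detail = "$($chain.Count) certificate(s)" }
        [pscustomobject]@{ Check = 'IdP/connector names in CN or SAN'; Pass = ($missing.Count -eq 0);                       Detail = "CN=$cn SAN=$($sans -join ',') missing=$($missing -join ',')" }
    )
}

Test-KerberosAuthCertificate -Path $CertPath -Password $PfxPassword -DnsNames $RequiredDnsNames |
    Format-Table -AutoSize
```

Run it once against the load balancer certificate with the IdP host name and once against each connector certificate with that connector's host name; a single SAN certificate should pass with all names supplied at once.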

Prerequisites

Obtain a trusted SSL certificate signed by a public or internal Certificate Authority (CA).

Procedure

1 Log in to the Workspace ONE Access connector server that has the Kerberos Auth service installed.

2 Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.

3 On the Welcome page, click Next.


4 On the Program Maintenance page, select the Add/Remove Services option, then click Next.

5 Click Next until the Install the SSL Certificate for Kerberos Auth Service page appears.

6 Select the Would you like to use your own SSL certificate? check box.

7 Click Browse and select the certificate file.

The certificate file must be in PEM or PFX format. If you upload a PEM file, also upload the private key. If you upload a PFX file, also specify the certificate password.


5 Upgrading Java on the Workspace ONE Access Connector Server

The Workspace ONE Access connector uses the Java Runtime Environment (JRE). The JRE version required for the connector, version 1.8.231, is packaged with the connector installer. You are prompted to install this version during installation if it is not already installed on the Windows server. If you want to upgrade JRE on the connector server subsequently, make sure that you stay on version 1.8.x and follow this procedure to ensure that the Workspace ONE Access connector continues to work correctly after the JRE upgrade.

Note If JRE gets upgraded automatically on the connector server, follow steps 4-5 after the upgrade.

Procedure

1 Log in to the connector server.

2 Stop the enterprise services that are installed on the server.

Service names:

n VMware User Auth Service

n VMware Directory Sync Service

n VMware Kerberos Auth Service

3 Install the new JRE version.

4 Verify that the JAVA_HOME environment variable points to the new JRE, and update it if needed.

5 Restart all the installed services.


6 Increasing Java Memory for Enterprise Services

By default, the Java heap memory is set to 1 GB each for the User Auth service and the Kerberos Auth service, and to 4 GB for the Directory Sync service. You can increase the maximum heap size for any of the services based on your requirements or if you experience memory issues.

Symptoms of memory issues include slow performance and out of memory error messages.

Procedure

1 Log in to the Windows server in which the Workspace ONE Access enterprise service is installed.

2 Navigate to the INSTALL_DIR\Workspace ONE Access\serviceName folder.

3 Open the serviceName.xml file in a text editor.

4 Change the Xmx1g entry to Xmxng where n is the maximum heap memory you want to allocate.

For example: Xmx5g

5 Save the file.

6 Restart the service.


7 Suspending Enterprise Services

You can temporarily suspend the Directory Sync, User Auth, and Kerberos Auth services from the Workspace ONE Access console when you need to perform maintenance activities on the connector server. Authentication or sync traffic is not directed to services that are suspended.

For example, when you need to run Windows updates on the connector server, suspend the enterprise services, run the Windows updates, then activate the enterprise services.

Procedure

1 Log in to the Workspace ONE Access console.

2 Navigate to the Identity & Access Management > Setup > Connectors page.

3 Select the connector, then click Manage.

4 Click the toggle next to each service name to suspend the services.

What to do next

When you are ready to activate the services, click the toggle again.


8 Configuring a Load Balancer for Kerberos Auth Service High Availability

To configure high availability for Kerberos authentication, a load balancer is required. After you install and configure the Kerberos Auth service instances, install a load balancer in your internal network inside the firewall and add the Kerberos Auth service hosts to it.

You must also establish SSL trust between the load balancer and the Kerberos Auth service hosts, and change the IdP Hostname value in the Workspace IDP for Kerberos authentication.

Load Balancer Settings

Configure these settings on the load balancer:

n Load Balancer Timeout

You might need to increase the load balancer request timeout from the default. The value is set in minutes. If the timeout setting is too low, you might see the following error.

502 error: The service is currently unavailable

Certificate Requirements

Each Workspace ONE Access connector on which the Kerberos Auth service is installed must have a trusted SSL certificate. While you can use the Workspace ONE Access connector generated, self-signed certificate for testing purposes, for production use we recommend you use trusted SSL certificates signed by a public or internal CA.

Upload the Workspace ONE Access Connector Root Certificate to the Load Balancer

To establish trust between the load balancer and the Kerberos Auth service host, upload the connector's root CA certificate to the load balancer.

If you are using the Workspace ONE Access connector generated self-signed certificate, you can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.


Upload the Load Balancer Root Certificate to the Workspace ONE Access Connector

To establish trust between the load balancer and the Kerberos Auth service host, upload the load balancer's root CA certificate to each Kerberos Auth service host.

To upload the certificate, run the Workspace ONE Access connector installer and add the certificate on the Install Trusted Root Certificates page.

Update Authentication URL

1 In the Workspace ONE Access console, navigate to the Identity & Access Management > Manage > Identity Providers page.

2 Select the Workspace IDP that has the Kerberos authentication method configured.

3 In the IdP Hostname text box, change the host name from the connector host name to the load balancer host name.

For example: mylb.example.com


9 Installing the Workspace ONE Access Connector in Silent Mode

You can run the Workspace ONE Access Connector installer in silent mode to install the Directory Sync, User Auth, and Kerberos Auth enterprise services from the command line instead of using the graphical user interface. Silent installation is useful for installing on servers with no graphical user interface, installing on multiple servers using the same installation settings, or reinstalling quickly on the same server.

You can define your installation settings in an XML file and specify the file when you run the installer in silent mode. Alternatively, you can enter the installation settings directly on the command line.

To run the installer in silent mode, you run it with the /s /v /qn options. Additionally, all passwords must be entered at the command line even if you use an installation settings XML file, as they are not stored in the file.

Silent mode installation runs in the background. No options are displayed and no user input is required during the installation process.

This chapter includes the following topics:

n Run the Workspace ONE Access Connector Installer in Silent Mode

n Silent Mode Installation Properties

n Creating an XML File for Silent Mode Installation

Run the Workspace ONE Access Connector Installer in Silent Mode

To install the Directory Sync, User Auth, and Kerberos Auth services from the command line instead of the graphical user interface, run the Workspace ONE Access connector installer in silent mode. You can specify installation options either in an XML file or enter them on the command line directly.

Prerequisites

n See the installation prerequisites listed in Chapter 2 Prerequisites for Installing the Workspace ONE Access Connector.


n In the Workspace ONE Access console's Identity & Access Management > Setup > Connectors page, click New to run the New Connector wizard. The wizard guides you to download the Workspace ONE Access connector installer and a configuration file that establishes communication between the connector and the tenant. The configuration file is named es-config.json by default.

While setting the password for the configuration file, make sure that it has a minimum of 14 characters and includes an uppercase character, a lowercase character, a numeric digit, and a special character. All characters must be visible, printing ASCII characters. Transfer the files to the Windows server on which you are installing the connector.

Caution The configuration file contains sensitive information such as the tenant URL, tenant ID, the client ID and client secret for each of the enterprise services, and the password hash. It is critical that you do not share the file or expose it publicly.

Note You might need to use a browser other than Internet Explorer to download the files. Default Internet Explorer settings might prevent you from downloading the files.

n If you want to specify your installation options in an XML file instead of entering them on the command line, create the XML file first. See Creating an XML File for Silent Mode Installation.

Procedure

1 Log in to the Windows server.

2 Open a command prompt window.

3 Go to the directory that contains the Workspace ONE Access connector installer.

4 Run the Workspace ONE Access connector installer in silent mode.

n If you are using an XML file to specify your installation options, run the following command:

Workspace ONE Access Connector Installer.exe /s /v" /qn WS1_CONFIG_FILE_PASSWORD=password WS1_SETUP_CONFIG_FILE=filepath /l*v logfilepath"

n /s /v" /qn specifies silent mode.

n WS1_CONFIG_FILE_PASSWORD specifies the password of the configuration file that you downloaded from the New Connector wizard in the Workspace ONE Access console.

n WS1_SETUP_CONFIG_FILE specifies the path to your installation settings XML file.

n /l*v specifies the path to the installer log file to create.

Also, if you specified any installation options in the XML file that require a password, you must enter the password on the command line. Passwords are not stored in the XML file. For example, to specify a proxy server that requires authentication, you specify the proxy host name, port, and user name in the XML file, and enter the proxy user password on the command line.

For example:


Workspace ONE Access Connector Installer.exe /s /v" /qn WS1_CONFIG_FILE_PASSWORD=123456 WS1_PROXY_PASSWORD=7891011 WS1_SETUP_CONFIG_FILE=C:\MyConnector\connectorinstall.xml /l*v C:\MyConnector\connectorinstall.log"

n If you want to enter your installation options directly on the command line instead of using an XML file, run the following command:

Workspace ONE Access Connector Installer.exe /s /v" /qn WS1_CONFIG_FILE_PATH=configFilepath WS1_CONFIG_FILE_PASSWORD=password OtherInstallationOptions /l*v logfilepath"

n /s /v" /qn specifies silent mode.

n WS1_CONFIG_FILE_PATH specifies the path to the configuration file that you downloaded from the New Connector wizard in the Workspace ONE Access console. The default name of the file is es-config.json.

n WS1_CONFIG_FILE_PASSWORD specifies the password of the configuration file.

n /l*v specifies the path to the installer log file you want to use.

n OtherInstallationOptions includes one or more of the properties listed in Silent Mode Installation Properties. You must specify the required properties. Use the format propertyname=propertyvalue.

For example:

Workspace ONE Access Connector Installer.exe /s /v" /qn WS1_CONFIG_FILE_PATH=C:\ConnectorInstaller\es-config.json WS1_CONFIG_FILE_PASSWORD=123456 ADDLOCAL=UserAuthService WS1_IS_PROXY_ENABLED=1 WS1_PROXY_HOSTNAME=myproxy.example.com WS1_PROXY_PORT=443 /l*v C:\MyConnector\connectorinstall.log"

5 After the command completes successfully, verify that the services are running on the Windows server.

Service names:

n VMware Directory Sync Service

n VMware User Auth Service

n VMware Kerberos Auth Service

6 Go to the Workspace ONE Access console, refresh the Identity & Access Management > Setup > Connectors page, and verify that the new services appear and are in Active state.

If the installation fails, delete both the installer and the configuration file that you downloaded from the Workspace ONE Access console, then start the installation process again.
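As an added example, not VMware's own tooling, the following PowerShell script wraps the silent-mode command above: it checks the configuration file password against the rule in the prerequisites, keeps every password out of the XML file and off disk, runs the installer, and performs the service check in step 5. The paths, the service selection and the function names are placeholders of my own.

```powershell
# Added example, not VMware tooling: drives the silent install described above and
# checks the outcome. Paths and the service selection are placeholders; keep the paths
# free of spaces, because this script does not add the extra quoting that MSI property
# values with spaces require.
$InstallerDir     = 'C:\ConnectorInstaller'
$Installer        = Join-Path $InstallerDir 'Workspace ONE Access Connector Installer.exe'
$ConfigFile       = Join-Path $InstallerDir 'es-config.json'
$LogFile          = 'C:\MyConnector\connectorinstall.log'
$ExpectedServices = @('VMware User Auth Service', 'VMware Directory Sync Service')

function Test-ConfigFilePassword {
    # The prerequisite rule: at least 14 characters, with an uppercase letter, a
    # lowercase letter, a digit and a special character, all visible printable ASCII.
    param([string] $Password)
    return ($Password.Length -ge 14) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match '[0-9]') -and
           ($Password -match '[^A-Za-z0-9]') -and
           ($Password -match '^[\x21-\x7E]+$')
}

function ConvertFrom-SecureStringPlain {
    # The installer accepts passwords only as command-line properties, so the secure
    # string is unwrapped at the last moment and never written to the XML file or disk.
    # Command-line arguments are readable by other local processes, so run this in a
    # session on the connector server that other users cannot inspect.
    param([securestring] $Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-SilentInstallArguments {
    # Non-secret properties come from a hashtable (they could equally sit in the XML
    # settings file); secrets are appended from secure strings. Returns the argument
    # string in the /s /v" /qn ... /l*v log" form shown in the documentation.
    param([hashtable] $Properties, [hashtable] $Secrets, [string] $Log)
    $parts = @(foreach ($k in $Properties.Keys) { "$k=$($Properties[$k])" })
    $parts += @(foreach ($k in $Secrets.Keys) { "$k=$(ConvertFrom-SecureStringPlain $Secrets[$k])" })
    return '/s /v" /qn ' + ($parts -join ' ') + " /l*v $Log" + '"'
}

$configPassword = Read-Host -Prompt 'Configuration file password' -AsSecureString
if (-not (Test-ConfigFilePassword (ConvertFrom-SecureStringPlain $configPassword))) {
    throw 'The configuration file password does not meet the documented complexity rule.'
}

$properties = @{
    WS1_CONFIG_FILE_PATH    = $ConfigFile
    ADDLOCAL                = 'UserAuthService,DirectorySyncService'
    WS1_USER_AUTH_PORT      = 8090
    WS1_DIRECTORY_SYNC_PORT = 8080
    WS1_IS_PROXY_ENABLED    = 0
}
$secrets = @{ WS1_CONFIG_FILE_PASSWORD = $configPassword }

$arguments = New-SilentInstallArguments -Properties $properties -Secrets $secrets -Log $LogFile
$proc = Start-Process -FilePath $Installer -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # The documentation's recovery step: delete the installer and the configuration
    # file, download fresh copies from the console, and start again.
    throw "Installer exited with code $($proc.ExitCode); see $LogFile."
}

# Step 5 of the procedure: the selected services must exist and be running.
foreach ($name in $ExpectedServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($null -eq $svc)                { Write-Warning "$name is not installed" }
    elseif ($svc.Status -ne 'Running') { Write-Warning "$name is $($svc.Status)" }
    else                               { Write-Host "$name is running" }
}
```

To add the Kerberos Auth service, extend ADDLOCAL and put IS_NET_API_LOGON_USERNAME in the properties hashtable and IS_NET_API_LOGON_PASSWORD (and WS1_SSL_CERT_PASSWORD for a PFX) in the secrets hashtable, so that they too stay on the command line only.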


Results

After successful installation, the enterprise services that you installed are registered with the Workspace ONE Access tenant and appear on the Connectors page in the Workspace ONE Access console.

What to do next

n In the Workspace ONE Access console, configure the enterprise services you installed. For information about integrating directories using the Directory Sync service, see Directory Integration with Workspace ONE Access. For information about configuring authentication using the User Auth or Kerberos Auth service, see Managing User Authentication Methods in VMware Workspace ONE.

n (Kerberos Auth service only) If you are using the Workspace ONE Access generated self-signed certificate for the Kerberos Auth service, you need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA. See Uploading an SSL Certificate for the Workspace ONE Access Connector (Kerberos Auth Service Only).

Silent Mode Installation Properties

The Workspace ONE Access connector installer accepts the following properties in silent mode. You can specify the properties in an XML file or enter them directly on the command line.

Properties

Property: ADDLOCAL
Value: UserAuthService, DirectorySyncService, KerberosAuthService
Description: The enterprise services to install. To specify multiple services, use a comma-separated list. For example: "UserAuthService,DirectorySyncService"

Property: INSTALLDIR
Value: directoryPath
Description: The installation directory to use. Default value: C:\VMware\Silent

Property: TARGETDIR
Value: directoryPath
Description: The installation directory to use. Enter the same value as INSTALLDIR. Default value: C:\VMware\Silent

Property: WS1_CONFIG_FILE_PATH
Value: configFilepath
Description: The path to the configuration file that you downloaded from the Workspace ONE Access console. The default name of the file is es-config.json. Default value: C:\Installer\es-config.json (the directory that contains the installer). Also specify the file's password on the command line with WS1_CONFIG_FILE_PASSWORD.

Property: WS1_CONFIG_FILE_PASSWORD
Value: configFilePassword
Description: The password for WS1_CONFIG_FILE_PATH. Do not add WS1_CONFIG_FILE_PASSWORD to the XML file; specify it on the command line as WS1_CONFIG_FILE_PASSWORD=password.

Property: WS1_IS_PROXY_ENABLED
Value: 1 (use proxy) or 0 (no proxy)
Description: To use a proxy server, set the value to 1. Also specify WS1_PROXY_HOSTNAME and WS1_PROXY_PORT. Default value: 0

Property: WS1_PROXY_HOSTNAME
Value: proxyserverFQDNorIP
Description: Proxy server host name (FQDN) or IP address.

Property: WS1_PROXY_PORT
Value: proxyserverPort
Description: Proxy server port.

Property: WS1_IS_PROXY_AUTHENTICATED
Value: 1 (authenticated) or 0 (no authentication)
Description: Set the value to 1 if the proxy server requires authentication. Also specify WS1_PROXY_USERNAME. Default value: 0

Property: WS1_PROXY_USERNAME
Value: proxyusername
Description: Proxy server user name. Also specify the proxy server password on the command line with WS1_PROXY_PASSWORD.

Property: WS1_PROXY_PASSWORD
Value: proxypassword
Description: Proxy server password. Do not add WS1_PROXY_PASSWORD to the XML file; specify it on the command line as WS1_PROXY_PASSWORD=password.

Property: WS1_IS_SYSLOG_ENABLED
Value: 1 (use syslog) or 0 (no syslog)
Description: To use a syslog server, set the value to 1. Also specify WS1_SYSLOG_HOSTNAME and WS1_SYSLOG_PORT. Default value: 0

Property: WS1_SYSLOG_HOSTNAME
Value: sysloghostname
Description: Syslog server FQDN or IP address.

Property: WS1_SYSLOG_PORT
Value: syslogport
Description: Syslog server port.

Property: WS1_TRUSTSTORE_CERTS_PATH
Value: truststoreCertificatesFolder
Description: The path to the folder that contains certificates to upload to the truststore on the connector server. The certificates can also be uploaded later, after installation. (On-premises installations) If your on-premises Workspace ONE Access service instance has a self-signed certificate, upload its root and, if required, intermediate certificate to the truststore.

Property: WS1_USER_AUTH_PORT
Value: portnumber
Description: Port for the User Auth service. Default value: 8090

Property: WS1_DIRECTORY_SYNC_PORT
Value: portnumber
Description: Port for the Directory Sync service. Default value: 8080

Property: WS1_KERBEROS_AUTH_PORT
Value: portnumber
Description: Port for the Kerberos Auth service. Default value: 443

Property: WS1_ADD_SSL_CERT
Value: 0 (self-signed certificate) or 1 (SSL certificate)
Description: Specify 1 to upload a signed SSL certificate, if required. A signed SSL certificate is required for the Kerberos Auth service. If you specify 0, a self-signed certificate is auto-generated. Default value: 0

Property: WS1_SSL_CERT
Value: "" or certFilepath
Description: The path to the SSL certificate. The certificate file can be in PEM or PFX format. If the value is a PEM file, also specify WS1_PRIVATE_KEY. If the file is a PFX file, specify its password on the command line with WS1_SSL_CERT_PASSWORD.

Property: WS1_SSL_CERT_PASSWORD
Value: certificatePassword
Description: Required if the value of WS1_SSL_CERT is a PFX file. Do not add WS1_SSL_CERT_PASSWORD to the XML file; specify it on the command line as WS1_SSL_CERT_PASSWORD=password.

Property: WS1_PRIVATE_KEY
Value: "" or pemKeyFile
Description: The path to the PEM key file. Required if the value of WS1_SSL_CERT is a PEM file.

Property: IS_NET_API_LOGON_USERNAME
Value: DOMAIN\username
Description: The domain user account to use to run the Kerberos Auth service. Use the format DOMAIN\username. Also specify the password on the command line with IS_NET_API_LOGON_PASSWORD=password.

Property: IS_NET_API_LOGON_PASSWORD
Value: domainUserPassword
Description: The domain user account password. Do not add IS_NET_API_LOGON_PASSWORD to the XML file; specify it on the command line as IS_NET_API_LOGON_PASSWORD=password.

Format

Use the following format to specify installation properties on the command line:

propertyname=value

For example:

WS1_IS_PROXY_ENABLED=1

or

ADDLOCAL=UserAuthService,DirectorySyncService

Use the following format to specify installation properties in an XML file:

<property name="propertyname" value="propertyvalue" />

For example:


<property name="WS1_IS_PROXY_ENABLED" value="1" />

or

<property name="ADDLOCAL" value="UserAuthService,DirectorySyncService" />

Creating an XML File for Silent Mode Installation

You can define your installation options in an XML file to use with the Workspace ONE Access connector installer in silent mode. The XML file contains a list of properties and values.

Defining installation options in an XML file is not a requirement. You can enter the options directly on the command line. However, using an XML file enables you to create an installation configuration and perform multiple installations quickly using the same settings.

Procedure

1 Log in to the connector server.

2 Create an XML file named filename.xml.

3 Copy and paste the contents of the sample XML file below into your XML file.

4 Edit your XML file and modify the property values based on your installation needs.

See Silent Mode Installation Properties for information about the properties.

5 Save the file.

Example: Sample Installation Properties XML File

<?xml version="1.0" encoding="utf-8"?>
<properties>
  <!-- List of services to be installed -->
  <property name="ADDLOCAL" value="UserAuthService,DirectorySyncService,KerberosAuthService" />
  <!-- Installation Directory -->
  <property name="INSTALLDIR" value="C:\VMware\Silent" />
  <!-- Installation Directory -->
  <property name="TARGETDIR" value="C:\VMware\Silent" />
  <!-- Provide the path for the es-config.json file which you downloaded from the Admin console. -->
  <!-- The file password will be specified through the command line argument WS1_CONFIG_FILE_PASSWORD. -->
  <property name="WS1_CONFIG_FILE_PATH" value="C:\Installer\es-config.json" />
  <!-- Proxy Configuration: 0 - No proxy, 1 - Configure Proxy -->
  <property name="WS1_IS_PROXY_ENABLED" value="0" />
  <!-- Proxy Host Name -->
  <property name="WS1_PROXY_HOSTNAME" value="" />
  <!-- Proxy Port Number -->
  <property name="WS1_PROXY_PORT" value="" />
  <!-- Proxy Authentication type: 0 - Anonymous, 1 - Authenticated -->
  <property name="WS1_IS_PROXY_AUTHENTICATED" value="0" />
  <!-- Proxy Username if proxy is Authenticated -->
  <!-- The proxy password will be specified through the command line argument WS1_PROXY_PASSWORD. -->
  <property name="WS1_PROXY_USERNAME" value="" />
  <!-- Syslog Configuration: 0 - No Syslog, 1 - Configure Syslog -->
  <property name="WS1_IS_SYSLOG_ENABLED" value="0" />
  <!-- Syslog Host name -->
  <property name="WS1_SYSLOG_HOSTNAME" value="" />
  <!-- Syslog port number -->
  <property name="WS1_SYSLOG_PORT" value="" />
  <!-- Trust Store Certificate(s) folder path. Provide the folder path for certificates to be installed in the truststore. -->
  <property name="WS1_TRUSTSTORE_CERTS_PATH" value="C:\Installer\Certificates" />
  <!-- Port for UserAuthService -->
  <property name="WS1_USER_AUTH_PORT" value="8090" />
  <!-- Port for DirectorySyncService -->
  <property name="WS1_DIRECTORY_SYNC_PORT" value="8080" />
  <!-- Port for KerberosAuthService -->
  <property name="WS1_KERBEROS_AUTH_PORT" value="443" />
  <!-- SSL Certificate for Kerberos Auth Service: 0 - Self-signed Certificate, 1 - SSL certificate -->
  <property name="WS1_ADD_SSL_CERT" value="0" />
  <!-- File path for the SSL Certificate for Kerberos Auth Service, in .pem or .pfx format -->
  <!-- If SSL Certificate is a .pfx file, its password will be specified through the command line argument WS1_SSL_CERT_PASSWORD. -->
  <property name="WS1_SSL_CERT" value="" />
  <!-- File path for the private key file if SSL Certificate is a .pem file -->
  <property name="WS1_PRIVATE_KEY" value="" />
  <!-- Domain Username for Kerberos Auth Service used to generate the keytab file, in the format DOMAIN\UserName -->
  <!-- The password will be specified through the command line argument IS_NET_API_LOGON_PASSWORD -->
  <property name="IS_NET_API_LOGON_USERNAME" value="win21021\admin" />
</properties>

What to do next

When you run the Workspace ONE Access connector installer in silent mode, use the WS1_SETUP_CONFIG_FILE=filepath argument to specify the XML file.
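The properties above carry several rules that the installer only reports once it is already running: passwords must stay out of the XML file, a flag set to 1 needs its companion properties, the Kerberos Auth service needs a signed certificate and a DOMAIN\username account, and a PEM certificate needs a separate key. The following PowerShell script is an added example, not part of the VMware guide or the installer; it reads a properties XML file of the layout shown above and reports every violation it finds before you pass the file to the installer with WS1_SETUP_CONFIG_FILE. The script name, the finding prefixes, and the numeric port range check are this example's own choices.

```powershell
# Test-SilentInstallXml.ps1 -- added example, not VMware's code.
# Validates a silent-mode properties XML file before it is handed to the
# Workspace ONE Access connector installer via WS1_SETUP_CONFIG_FILE=<path>.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

[xml]$doc = Get-Content -LiteralPath $Path -Raw
$props = @{}
# GetAttribute avoids the clash between the "name" attribute and XmlElement.Name.
foreach ($p in $doc.properties.property) {
    $props[$p.GetAttribute('name')] = $p.GetAttribute('value')
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Passwords belong on the command line only; an XML file tends to outlive the
#    installation in images and repositories.
$secretKeys = @(
    'WS1_CONFIG_FILE_PASSWORD', 'WS1_PROXY_PASSWORD',
    'WS1_SSL_CERT_PASSWORD', 'IS_NET_API_LOGON_PASSWORD'
)
foreach ($k in $secretKeys) {
    if ($props.ContainsKey($k)) {
        $findings.Add("SECRET: $k is stored in the XML file; remove it and pass $k=... on the command line")
    }
}

# 2. A flag set to 1 requires its companion properties to be filled in.
$dependencies = @{
    'WS1_IS_PROXY_ENABLED'       = @('WS1_PROXY_HOSTNAME', 'WS1_PROXY_PORT')
    'WS1_IS_PROXY_AUTHENTICATED' = @('WS1_PROXY_USERNAME')
    'WS1_IS_SYSLOG_ENABLED'      = @('WS1_SYSLOG_HOSTNAME', 'WS1_SYSLOG_PORT')
}
foreach ($flag in $dependencies.Keys) {
    if ($props[$flag] -ne '1') { continue }
    foreach ($needed in $dependencies[$flag]) {
        if ([string]::IsNullOrWhiteSpace($props[$needed])) {
            $findings.Add("MISSING: $flag=1 but $needed is empty")
        }
    }
}

# 3. ADDLOCAL names the services to install; only the three connector services are valid.
$known    = 'UserAuthService', 'DirectorySyncService', 'KerberosAuthService'
$services = @(($props['ADDLOCAL'] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($services.Count -eq 0) { $findings.Add('MISSING: ADDLOCAL lists no services') }
foreach ($s in $services) {
    if ($known -notcontains $s) { $findings.Add("UNKNOWN: '$s' in ADDLOCAL is not a connector service") }
}

# 4. Kerberos Auth needs a signed certificate and a DOMAIN\username service account.
if ($services -contains 'KerberosAuthService') {
    if ($props['WS1_ADD_SSL_CERT'] -ne '1') {
        $findings.Add('KERBEROS: WS1_ADD_SSL_CERT should be 1; the Kerberos Auth service requires a signed SSL certificate')
    }
    if ($props['IS_NET_API_LOGON_USERNAME'] -notmatch '^[^\\]+\\[^\\]+$') {
        $findings.Add('KERBEROS: IS_NET_API_LOGON_USERNAME must be set in DOMAIN\username format')
    }
}

# 5. Certificate inputs: PEM needs WS1_PRIVATE_KEY, PFX needs its password on the command line.
if ($props['WS1_ADD_SSL_CERT'] -eq '1') {
    $cert = $props['WS1_SSL_CERT']
    if ([string]::IsNullOrWhiteSpace($cert)) {
        $findings.Add('SSL: WS1_ADD_SSL_CERT=1 but WS1_SSL_CERT is empty')
    } elseif ($cert -match '\.pem$' -and [string]::IsNullOrWhiteSpace($props['WS1_PRIVATE_KEY'])) {
        $findings.Add('SSL: a PEM certificate also requires WS1_PRIVATE_KEY')
    } elseif ($cert -notmatch '\.(pem|pfx)$') {
        $findings.Add("SSL: WS1_SSL_CERT '$cert' is neither a .pem nor a .pfx file")
    }
}

# 6. Every referenced path must exist on the server that runs the installer.
foreach ($k in 'WS1_CONFIG_FILE_PATH', 'WS1_TRUSTSTORE_CERTS_PATH', 'WS1_SSL_CERT', 'WS1_PRIVATE_KEY') {
    $v = $props[$k]
    if (-not [string]::IsNullOrWhiteSpace($v) -and -not (Test-Path -LiteralPath $v)) {
        $findings.Add("PATH: $k points to '$v', which does not exist")
    }
}

# 7. Service ports must be valid TCP ports and must not collide with each other.
$seen = @{}
foreach ($k in 'WS1_USER_AUTH_PORT', 'WS1_DIRECTORY_SYNC_PORT', 'WS1_KERBEROS_AUTH_PORT') {
    $v = $props[$k]
    if ([string]::IsNullOrWhiteSpace($v)) { continue }
    if ($v -notmatch '^\d{1,5}$' -or [int]$v -lt 1 -or [int]$v -gt 65535) {
        $findings.Add("PORT: $k='$v' is not a valid TCP port")
    } elseif ($seen.ContainsKey($v)) {
        $findings.Add("PORT: $k and $($seen[$v]) both use port $v")
    } else {
        $seen[$v] = $k
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path passed all checks"
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Run it as `.\Test-SilentInstallXml.ps1 -Path C:\Installer\connector.xml` (a constructed path) on the connector server before starting the installer; a non-zero exit code means at least one finding was printed. Against the sample file above, the script flags only that the Kerberos Auth service is listed in ADDLOCAL while WS1_ADD_SSL_CERT is 0, which matches the property table's note that a signed certificate is required for that service.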


10 Uninstalling the Workspace ONE Access Connector

Uninstalling the Workspace ONE Access connector removes it from the Windows server on which it is installed. Before you uninstall the connector, delete all the enterprise services associated with it from the Workspace ONE Access console.

Prerequisites

- Verify that the enterprise services associated with the connector are not in use.

- Delete the enterprise services associated with the connector from the Workspace ONE Access console.

  - Navigate to the Identity & Access Management > Setup > Connectors page.

  - Click the connector you want to uninstall.

  - Delete all the services listed.

Procedure

1 Log in to the Windows server on which the connector is installed.

2 Uninstall the connector in one of the following ways.

  - Run the Workspace ONE Access connector installer.

    a Go to the directory that contains the Workspace ONE Access installer and click the Workspace ONE Access Connector Installer.exe file.

    b On the Welcome page, click Next.

    c Select Uninstall, then click Next.

    d Click Remove.

    e When the connector is successfully uninstalled, click Finish to close the wizard.

  - Uninstall the connector from the Control Panel.

    a From the Start menu, select Control Panel.

    b Under Programs, click Uninstall a program.

    c Select Workspace ONE Access Connector from the list and click Uninstall.

11 Troubleshooting the Workspace ONE Access Connector Installation

Use the information in this section to troubleshoot your Workspace ONE Access connector installation.

This chapter includes the following topics:

- Accessing Workspace ONE Access Connector Log Files

- Creating a Workspace ONE Access Connector Log Bundle

- Updating the Workspace ONE Access Connector Host Name

- Updating Workspace ONE Access Service FQDN in Enterprise Services application.properties Files

Accessing Workspace ONE Access Connector Log Files

To debug and troubleshoot problems, you can view the Workspace ONE Access connector log files. All log files are stored on the connector server.

Installation log file
  Location: ConnectorInstallerFolder\Workspace_ONE_Access_Connector_Installer.log
  Description: Messages related to installation

User Auth service log files
  Location: INSTALL_DIR\Workspace ONE Access\User Auth Service\logs\eas-service.log
  Description: Messages related to authentication

Directory Sync service log files
  Location: INSTALL_DIR\Workspace ONE Access\Directory Sync Service\logs\eds-service.log
  Description: Messages related to directory sync

Kerberos Auth service log files
  Location: INSTALL_DIR\Workspace ONE Access\Kerberos Auth Service\logs\eks-service.log
  Description: Messages related to Kerberos authentication

Enterprise services vertex logs
  Location:
    INSTALL_DIR/User Auth Service/logs/eas-vertx-access.log
    INSTALL_DIR/Directory Sync Service/logs/eds-vertx-access.log
    INSTALL_DIR/Kerberos Auth Service/logs/eks-vertx-access.log
  Description: Information about the API requests on the enterprise services.

Enterprise services process standard output logs
  Location:
    INSTALL_DIR/User Auth Service/logs/UserAuthService.out.log
    INSTALL_DIR/Directory Sync Service/logs/DirectorySyncService.out.log
    INSTALL_DIR/Kerberos Auth Service/logs/KerberosAuthService.out.log
  Description: Information about the process running the enterprise services.

Enterprise services process standard error logs
  Location:
    INSTALL_DIR/User Auth Service/logs/UserAuthService.err.log
    INSTALL_DIR/Directory Sync Service/logs/DirectorySyncService.err.log
    INSTALL_DIR/Kerberos Auth Service/logs/KerberosAuthService.err.log
  Description: Error information about the process running the enterprise services.

Enterprise services process wrapper logs
  Location:
    INSTALL_DIR/User Auth Service/logs/UserAuthService.wrapper.log
    INSTALL_DIR/Directory Sync Service/logs/DirectorySyncService.wrapper.log
    INSTALL_DIR/Kerberos Auth Service/logs/KerberosAuthService.wrapper.log
  Description: Information about the process running the enterprise services, such as Java options and process ID.

Creating a Workspace ONE Access Connector Log Bundle

You can create a log bundle of Workspace ONE Access connector logs, which can be easily transferred to another machine or sent to support.

You can gather log bundles for one or all the enterprise services associated with the connector instance by running the scripts provided.

Procedure

1 Log in to the Windows server on which the Workspace ONE Access enterprise service is installed.

2 Navigate to the INSTALL_DIR\Workspace ONE Access\Support\scripts folder.


3 Run the script based on the log bundle you want to collect.

Script Name Description

gatherUserAuthServiceLogs.bat Collects all the log files for the User Auth service in a log bundle

gatherDirectorySyncServiceLogs.bat Collects all the log files for the Directory Sync service in a log bundle

gatherKerberosAuthServiceLogs.bat Collects all the log files for the Kerberos Auth service in a log bundle

gatherLogs.bat Collects log files for all the enterprise services in a log bundle

4 Go to the folder listed in the script output to view the log bundle.

Results

A zip file named logs-hostname.zip is created in the INSTALL_DIR\Workspace ONE Access folder.

Updating the Workspace ONE Access Connector Host Name

If you change the Workspace ONE Access connector server host name after installing the connector, you must also update the Directory Sync service, User Auth service, and Kerberos Auth service installed on the connector to use the new host name.

Procedure

1 Log in to the Workspace ONE Access connector server.

2 For each enterprise service (Directory Sync service, User Auth service, or Kerberos Auth service) that is installed on the server, edit the INSTALL_DIR\Workspace ONE Access\enterpriseService\conf\hostname.properties file and update the host name.

Use the following format:

{"hostName":"hostname"}

Specify hostname as a fully-qualified domain name, for example, myhost.example.com.

3 If you are using the Workspace ONE Access generated self-signed certificate for the Kerberos Auth service, regenerate the certificate by using the createCertificate.bat script.

In a command window, run the following command:

INSTALL_DIR\support\scripts\createCertificate.bat -force -install -host "hostname"

For hostname, specify the new host name of the connector as a fully-qualified domain name (FQDN).


4 Restart the enterprise services.

The enterprise services start and register with the Workspace ONE Access service with the new host name.

5 In the Workspace ONE Access service console, associate the new host name with authentication methods and directories.

a Log in to the Workspace ONE Access service.

b Go to the Identity & Access Management > Setup > Connectors page and verify that the new connector host name appears in the list.

c Click the Identity & Access Management > Manage > Enterprise Authentication Methods tab.

d Select the authentication method associated with the old host name and click Edit.

e In the Directory and Hosts page of the wizard, under Select Service Hosts, select the new host name and deselect the old host name.

f Click Next and save your changes.

g Repeat steps d. to f. for each authentication method that is associated with the old host name.

h Click the Directories tab.

i For each directory that is associated with the Directory Sync service whose host name you changed, make the following changes:

1 Click the directory.

2 Click Sync Settings.

3 Click the Sync Service tab.

4 Add the new host name to the Sync Services list and delete the old host name from the list.

5 Click Save.

j Go to the Identity & Access Management > Setup > Connectors page, select the connector entry with the old host name, click Manage, and delete all the services.

Updating Workspace ONE Access Service FQDN in Enterprise Services application.properties Files

In an on-premises Workspace ONE Access service installation, if you change the fully-qualified domain name (FQDN) of the Workspace ONE Access service, you also need to update the FQDN entry in the Directory Sync, User Auth, and Kerberos Auth services' application.properties files if you deployed these services before the FQDN change.


One of the scenarios in which you typically change the Workspace ONE Access service FQDN is when you place the Workspace ONE Access service behind a load balancer.

Procedure

1 Log in to the Workspace ONE Access connector server.

2 For each enterprise service (Directory Sync service, User Auth service, or Kerberos Auth service) that is installed on the server, edit the INSTALL_DIR\Workspace ONE Access\enterpriseService\conf\application.properties file and make the following changes:

- If you are editing the Directory Sync service application.properties file, update the Workspace ONE Access service FQDN in the following entry:

  eds.SAAS.endpoint=WorkspaceONEAccessServiceURL

  For example:

  eds.SAAS.endpoint=https://mysva.example.com

- If you are editing the User Auth service application.properties file, update the Workspace ONE Access service FQDN in the following entry:

  eas.SAAS.endpoint=WorkspaceONEAccessServiceURL

  For example:

  eas.SAAS.endpoint=https://mysva.example.com

- If you are editing the Kerberos Auth service application.properties file, update the Workspace ONE Access service FQDN in the following entry:

  idm.service.url=WorkspaceONEAccessServiceURL

  For example:

  idm.service.url=https://mysva.example.com

3 Restart the Directory Sync, User Auth, and Kerberos Auth services.
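Both of the preceding procedures (updating the connector host name and updating the Workspace ONE Access service FQDN) repeat the same per-service edit under INSTALL_DIR\Workspace ONE Access\<service>\conf, with a different property key for each service. The following PowerShell script is an added example, not part of the VMware guide; it performs those edits for every enterprise service that is actually installed, keeps a timestamped backup of each file it changes, and refuses input that is not an FQDN or an https:// URL. The script and parameter names are this example's own, the createCertificate.bat path is taken verbatim from step 3 of the host name procedure, and writing the files as ASCII is an assumption that holds when the properties files contain no non-ASCII values.

```powershell
# Update-ConnectorEndpoints.ps1 -- added example, not VMware's code.
# Rewrites hostname.properties and/or the service URL in application.properties
# for each installed enterprise service, following the two procedures above.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir,                 # the INSTALL_DIR chosen during installation
    [string]$NewHostName,                # connector FQDN, e.g. myhost.example.com
    [string]$NewServiceUrl,              # Workspace ONE Access service URL, e.g. https://mysva.example.com
    [switch]$RegenerateSelfSignedCert    # only for the self-signed Kerberos Auth certificate
)

if (-not $NewHostName -and -not $NewServiceUrl) {
    throw 'Specify -NewHostName, -NewServiceUrl, or both.'
}
if ($NewHostName -and $NewHostName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "-NewHostName '$NewHostName' must be a fully qualified domain name without scheme or port"
}
if ($NewServiceUrl -and $NewServiceUrl -notmatch '^https://[^/\s]+/?$') {
    throw "-NewServiceUrl '$NewServiceUrl' must be an https:// URL containing only the service FQDN"
}

# Each service keeps the Workspace ONE Access service URL under its own key.
$services = @(
    @{ Folder = 'Directory Sync Service'; UrlKey = 'eds.SAAS.endpoint' },
    @{ Folder = 'User Auth Service';      UrlKey = 'eas.SAAS.endpoint' },
    @{ Folder = 'Kerberos Auth Service';  UrlKey = 'idm.service.url' }
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($svc in $services) {
    $conf = Join-Path $InstallDir "Workspace ONE Access\$($svc.Folder)\conf"
    if (-not (Test-Path -LiteralPath $conf)) {
        Write-Output "skip: $($svc.Folder) is not installed ($conf not found)"
        continue
    }

    if ($NewHostName) {
        $hostFile = Join-Path $conf 'hostname.properties'
        if (Test-Path -LiteralPath $hostFile) {
            Copy-Item -LiteralPath $hostFile -Destination "$hostFile.$stamp.bak"
        }
        # The guide documents this exact one-line JSON format.
        Set-Content -LiteralPath $hostFile -Value "{`"hostName`":`"$NewHostName`"}" -Encoding Ascii
        Write-Output "updated: $hostFile -> $NewHostName"
    }

    if ($NewServiceUrl) {
        $appFile = Join-Path $conf 'application.properties'
        if (-not (Test-Path -LiteralPath $appFile)) {
            Write-Warning "$appFile not found; skipping"
            continue
        }
        # Replace only the line that sets this service's URL key; leave everything else untouched.
        $pattern  = '^\s*' + [regex]::Escape($svc.UrlKey) + '\s*='
        $lines    = @(Get-Content -LiteralPath $appFile)
        $matched  = $false
        $newLines = foreach ($line in $lines) {
            if ($line -match $pattern) { $matched = $true; "$($svc.UrlKey)=$NewServiceUrl" } else { $line }
        }
        if (-not $matched) {
            Write-Warning "$appFile has no $($svc.UrlKey) entry; left unchanged"
            continue
        }
        Copy-Item -LiteralPath $appFile -Destination "$appFile.$stamp.bak"
        Set-Content -LiteralPath $appFile -Value $newLines -Encoding Ascii
        Write-Output "updated: $appFile -> $($svc.UrlKey)=$NewServiceUrl"
    }
}

if ($RegenerateSelfSignedCert -and $NewHostName) {
    # Path and switches as given in step 3 of the host name procedure above.
    $certScript = Join-Path $InstallDir 'support\scripts\createCertificate.bat'
    & $certScript -force -install -host "$NewHostName"
}

Write-Output 'Restart the Directory Sync, User Auth, and Kerberos Auth services, then update the host name in the Workspace ONE Access console as described above.'
```

A typical run after placing the service behind a load balancer is `.\Update-ConnectorEndpoints.ps1 -InstallDir 'C:\VMware\Silent' -NewServiceUrl 'https://mysva.example.com'` (the install directory is the one from the sample XML file). The script deliberately does not restart the Windows services itself, because their service names are not given in this guide; the restart in step 3 (and step 4 of the host name procedure) is still a manual step, as is re-associating the new host name with authentication methods and directories in the console.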
