Page 1

SAAM2197BU

#VMworld #SAAM2197BU

Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE

Adarsh Kesari, Senior Systems Engineer

Kevin Sheehan, Customer Success Architect

VMworld 2017 Content: Not for publication or distribution

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#SAAM2197BU CONFIDENTIAL 2

Page 3

Best Practices and Troubleshooting of Workspace ONE

1 Architectural Considerations

2 Basics of Troubleshooting

3 Troubleshooting Single Sign-on

4 Diagnosing Device Issues

5 Common Errors and Misconfigurations

Page 4

Architectural Considerations for Identity Manager Deployments

• 3 primary models for deployment

– Cloud Hosted Model

– On Premises Model (all internal components)

– On Premises Model (DMZ based components)

• Appropriate choice will be based on:

– Authentication requirements

– Edge technologies deployed

– Organization perspective on cloud hosted solutions

• Remember, there are dozens of ways to build/integrate/secure/access a Workspace ONE implementation!

– Every implementation will vary based on components

Page 5

AirWatch 9.1 – Windows Based Identity Manager

Model 1 – Lightweight deployment of Identity Manager to support WS1 App

• Use cases limited to WorkspaceONE app as:

– A replacement for the AirWatch app catalog web clip

– An enrollment agent with adaptive management

– Container for unmanaged devices – 1st and 3rd party apps with AirWatch SDK

• No need to manage elastic search, ehcache, rabbitMQ

• Management & Configuration through Getting Started wizard

• 3rd Party IdP Integration is supported

Model 2 – Deployment of full Identity Manager feature set in a new cluster (available 9.1 FP1)

• Use cases extend beyond Workspace ONE app such as:

– Identity management and app federation (web apps in IDM)

– Mobile Single-Sign On

– Conditional Access

– Multifactor (VMware Verify or 3rd party)

– Virtual apps and desktops

– Integrated Windows Authentication (IWA)

• Management and Configuration as with Linux IDM Appliance

• 3rd Party IdP Integration is supported

Page 6

Workspace ONE High Level Architecture – Cloud Model

(Architecture diagram; only its labels survive extraction. Zones: DMZ, Internal Network. Components labelled: AirWatch Tenant, Identity Manager Tenant, IDM Connector, AirWatch Cloud Connector, View Connection Server, AD, CS, Access Point (UAG), WS1 App, Mobile Device, SaaS Apps, Public App Stores.)

Page 7

Workspace ONE High Level Architecture – Internal Components

(Architecture diagram; only its labels survive extraction. Zones: DMZ, Internal Network. Components labelled: Identity Manager Appliance, AD, AirWatch Cloud Connector, View Connection Server, Access Point (UAG), AW DS, AirWatch CN, SaaS Apps, Public App Stores.)

Page 8

Workspace ONE High Level Architecture – DMZ based components

(Architecture diagram, marked "Best Practice!"; only its labels survive extraction. Zones: DMZ, Internal Network. Components labelled: Identity Manager Appliance, AD, AirWatch Cloud Connector, View Connection Server, Access Point (UAG), AW DS, IDM Connector, AirWatch CN, SaaS Apps, Public App Stores.)

Page 9

Simplified Port Considerations for Workspace ONE

(Port diagram; only its labels survive extraction: Connector only, LAN, DMZ, PORT 443, PCoIP, Horizon, TCP 443, Kerberos / Header based.)

Page 10

Identity Manager Port Diagrams

• Not every component will be used in any given implementation

• New components and features will necessitate new ports in/outbound

• Key details and the most up to date material available at:

– https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-network-ports.html

Page 11

For Integrated Windows Authentication (IWA) Ports:

Port – Description

– TCP 389 – LDAP Query

– TCP/UDP 88 – Kerberos Authentication

– TCP/UDP 464 – Computer Object Password renewal

Other port labels in the diagram:

– "AD over LDAP": TCP 389

– "AD over LDAPS": TCP 636

– "AD Global Catalog": TCP 3268 & 3269

– TCP/UDP 88

– TCP 5262

– TCP 443

– Appliance Admin: TCP 8443, 22

– Email out

– DNS: TCP/UDP 53

– FQDN, App Catalog, VMware Verify: TCP 443

– OCSP: TCP 80

– Syslog: UDP/TCP 514 or TCP 1514

– Log Insight: TCP 9543

– (NTP (ESXi host): UDP 123)

– Approval flow integration

– TCP 445

– ELASTICSEARCH: TCP 9300

– EHCACHE: TCP 40002, 40003

– vPostgres: TCP 9400

Components labelled in the diagram: Integration Broker, Integration Broker SSO, API Server, RADIUS, Connection Server

For more details on Horizon ports look at the VMware Horizon 7 Network Ports doc: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports-diagram.pdf

Page 12

For Integrated Windows Authentication (IWA) Ports:

Port – Description

– TCP 389 – LDAP Query

– TCP/UDP 88 – Kerberos Authentication

– TCP/UDP 464 – Computer Object Password renewal

Other port labels in the diagram:

– "AD over LDAP": TCP 389

– "AD over LDAPS": TCP 636

– "AD Global Catalog": TCP 3268 & 3269

– DNS: TCP/UDP 53

– OCSP: TCP 80

– Syslog: UDP/TCP 514 or TCP 1514

– Log Insight: TCP 9543

– (NTP (ESXi host): UDP 123)

– ELASTICSEARCH: TCP 9300

– EHCACHE: TCP 40002, 40003

– vPostgres: TCP 9400

– Email out

– FQDN, App Catalog, VMware Verify: TCP 443

– Approval flow integration

– TCP 443 when using legacy Connector deployment

– TCP 443 when using outbound only Connector deployment

Components labelled in the diagram: Integration Broker, Integration Broker SSO, API Server, RADIUS, Connector Only, vIDM, Connection Server

Page 13

(Port diagram; only its labels survive extraction: TCP 443; Integration Broker; Integration Broker SSO; TCP 80 or 443; TCP 80 or 443 (XML); STA* (80 or 443); TCP 443 (HTML); TCP 1494 (ICA); TCP 2598 (Session Reliability); Windows Desktops / RDSH Hosts; TCP 5985 / 5986 WinRM / PS Remoting; TCP 80 or 443.)

Note:

For external access, Citrix uses a Secure Ticketing Authority (STA) to enhance security. This is normally on port 80 or 443; check with the Citrix admin team.

The Citrix XML Service normally runs on port 80 or 443 but can be changed to any port, which was common in legacy Citrix environments. Check the XML port with the Citrix admin team.

A single Integration Broker can host multiple XenApp environments and the SSO function, or you can split the SSO function to a separate VM.

Integration Broker and Integration Broker SSO can all run on the same server.

Page 14

Basics of Troubleshooting

Troubleshooting within the Identity Manager Console

• Dashboard

• Log Bundles

• Real-time log monitoring

• Key logs for review

Page 15

Troubleshooting in the Identity Manager Console

• System Diagnostics Dashboard

– First place to verify functionality

• Only available in on-premises deployments of IDM

• Provides health information on:

– Cluster status

– Connectors

– FQDN configuration

– Database connectivity

• Type and health

– Certificates

Page 16

Troubleshooting in the Identity Manager Console

• Reports Dashboard

– Granular information on use of IDM over the past 90 days

• Available in both on-premises and hosted deployments

• Provides health information on:

– Recent Activity

– Application usage

– Application Entitlements

– Devices accessing IDM

• Full Audit events

– Useful for troubleshooting network ranges, SAML errors, etc.

Page 17

Troubleshooting in the Identity Manager Console

• Log Bundles

– Very useful but large set of logs from the system

– More logs available from on-premises deployments

– Downloaded as a tar.gz

– Hosted deployments require ticket opened with support. Provide support with at least:

• Tenant name

• User name

• Application name

• Approximate time of failure/issue

Page 18

Accessing Logs With a Tool Such as WinSCP

• On the Linux appliance, the logs are readable only as root, but root cannot log in over SSH by default

• Enable root log-in by:

vi /etc/ssh/sshd_config

PermitRootLogin yes

/etc/init.d/ssh restart

• Path to log files

/opt/vmware/horizon/workspace/logs

• Open with local editor such as Notepad++

• Windows Installation does not require these steps!

• Just access file system

Page 19

Key Log Files to Review

• Connector.log

– Requests received from the Web interface - specifically authentications handled by the Connector (user/pass, RADIUS, Legacy Certificate, Kerberos). Each log entry includes the request URL, timestamp, and exceptions

• Horizon.log

– Output messages for service based authentication adapters, service providers, and general tenant health info

• Greenbox.log

– Events related to the unified user portal. For UI specific issues, you may find more information here

Page 20

Health Check API Calls

• Appliance Health Check:

– /SAAS/API/1.0/REST/system/health

– https://{url}/SAAS/API/1.0/REST/system/health

– Example: https://ksheehan.vmwareidentity.com/SAAS/API/1.0/REST/system/health

• Connector Health Check:

– /hc/API/1.0/REST/system/health

– https://{url}/hc/API/1.0/REST/system/health

– Example: https://svr-02.kbs.local/hc/API/1.0/REST/system/health
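As an added example (not from the deck), a small Python poller that calls the two health endpoints above for the appliance and each connector and reduces every answer to healthy or not. The host names are placeholders, and the flat JSON body shape it expects is an assumption, since the slide only gives the paths.

```python
"""Poll the Identity Manager appliance and connector health endpoints and
reduce each answer to healthy / not healthy."""
import json
import ssl
import urllib.error
import urllib.request

# Path templates from the slide; the host names passed in are your own.
APPLIANCE_HEALTH = "https://{host}/SAAS/API/1.0/REST/system/health"
CONNECTOR_HEALTH = "https://{host}/hc/API/1.0/REST/system/health"
BAD_STATES = {"false", "error", "failed", "down", "unavailable"}


def classify(status, body):
    """Map (HTTP status, body) to (healthy, detail).

    Assumption, not documented on the slide: the endpoint returns a flat JSON
    object mapping component names to state strings or booleans. Anything that
    is not HTTP 200 with parsable JSON, or any component in BAD_STATES, counts
    as unhealthy.
    """
    if status == 0:            # transport-level failure; body holds the reason
        return False, body
    if status != 200:
        return False, "HTTP %s" % status
    try:
        data = json.loads(body)
    except ValueError:
        return False, "non-JSON body"
    if not isinstance(data, dict):
        return False, "unexpected JSON shape"
    bad = sorted(k for k, v in data.items() if str(v).strip().lower() in BAD_STATES)
    return (False, "unhealthy: " + ", ".join(bad)) if bad else (True, "ok")


def fetch(url, timeout=10):
    """GET url and return (status, body). TLS verification stays on: a failing
    certificate is itself a finding (the diagnostics dashboard lists
    certificates as a health item), so it is reported rather than bypassed."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:   # DNS, timeout, TLS failures
        return 0, str(e)


def check_all(appliance_host, connector_hosts):
    """Return {host: (healthy, detail)} for the appliance and every connector."""
    results = {appliance_host: classify(*fetch(APPLIANCE_HEALTH.format(host=appliance_host)))}
    for host in connector_hosts:
        results[host] = classify(*fetch(CONNECTOR_HEALTH.format(host=host)))
    return results


if __name__ == "__main__":
    # Placeholder hosts; replace with your tenant FQDN and connector FQDNs.
    for host, (ok, detail) in check_all("idm.example.com", ["connector-01.example.com"]).items():
        print("OK  " if ok else "FAIL", host, detail)
```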

Page 21

Using SAML Tracer to Troubleshoot SSO

• Add in for Firefox

• Various similar tools just as effective

• Process for troubleshooting:

– Launch SAML Tracer

– Navigate to Identity Manager portal

– Navigate to SSO based web app

– Return to SAML tracer to review results and any errors

• Typical problems:

– NameID format mismatch

– Date/time sync issues between IDM and SaaS app

– Misconfiguration of encryption
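Added example, not part of the deck: a Python check that takes the decoded Response shown by SAML Tracer and flags the three typical problems above (NameID format mismatch, assertion validity window off because of time sync, encryption expected but not sent or vice versa). The sample Response, the three-minute skew tolerance and the host names are constructed assumptions, not IDM settings.

```python
"""Check a SAML Response pasted from SAML Tracer for the three typical
problems listed on the slide: NameID format, clock skew, encryption."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601, e.g. 2017-08-30T14:05:00Z."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_nameid_format, expect_encrypted,
                   now=None, skew=timedelta(minutes=3)):
    """Return a list of findings (empty means all three checks passed).
    `now` stands in for the SaaS app's clock and `skew` for the tolerance the
    app is assumed to allow; both are assumptions, not IDM settings."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if encrypted != expect_encrypted:
        findings.append("encryption mismatch: IdP sent %s assertion, app expects %s"
                        % ("an encrypted" if encrypted else "a plaintext",
                           "encrypted" if expect_encrypted else "plaintext"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # nothing more to inspect without the decryption key
        return findings if encrypted else findings + ["Response carries no Assertion"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        findings.append("Assertion has no NameID")
    elif nameid.get("Format", "") != expected_nameid_format:
        findings.append("NameID format mismatch: IdP sent %s, app expects %s"
                        % (nameid.get("Format") or "(none)", expected_nameid_format))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            findings.append("not yet valid (NotBefore %s): check IDM/app time sync" % not_before)
        if not_after and now - skew >= parse_saml_time(not_after):
            findings.append("expired (NotOnOrAfter %s): check IDM/app time sync" % not_after)
    return findings

# Constructed sample Response, not a real capture; host names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2017-08-30T14:05:00Z" Destination="https://app.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-30T14:05:00Z">
    <saml:Issuer>https://idm.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID Format="%s">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-08-30T14:00:00Z" NotOnOrAfter="2017-08-30T14:10:00Z"/>
  </saml:Assertion>
</samlp:Response>""" % EMAIL_FMT
SAMPLE_NOW = datetime(2017, 8, 30, 14, 5, tzinfo=timezone.utc)   # app clock in sync
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)                   # app clock an hour ahead

if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, UNSPEC_FMT, False, now=SAMPLE_LATER):
        print("FINDING:", finding)
```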

Page 22

Troubleshooting IDM Access Issues

• IdP Not Found

– Usually due to policies not set correctly

– Verify the platform, network ranges and authentication methods

– Remember the first policy that matches will be applied!

• Coming from MacOS using Safari, whichever of the MacOS or Web Browser policies is higher in the list will be applied

• Use the handles on the left of the policy to re-order

– Make sure the Connector is available

– Make sure the Outbound Connector has been configured

– Network Ranges on Hosted IDM are determined by your egress IP to the Internet

• Check the Audit logs to determine address

Page 23

Troubleshooting Mobile SSO for iOS

• Profile issues

• Certificates

• UPN mismatch

• Kerberos Realm not properly configured

• App Bundle ID’s not added to the SSO Profile

– Always add: com.apple.SafariViewService and com.apple.mobilesafari

• On Prem KDC initialization and configuration

Page 24

Troubleshooting and Common Issues for iOS SSO

• Double and triple check certificates at the integration points between AW and IDM, as well as in the iOS profiles

• Ensure the Realm is UPPERCASE in the AW device profile

• Ensure device enrollment shows a Device Management profile with Kerberos and SCEP definitions, as well as the KDC root certificate

Page 25

Troubleshooting and Common Issues for iOS SSO

Troubleshooting Mobile SSO

• Use Xcode from the App Store and a GSS debugging profile over USB to capture log data from the iOS device to the KDC

• Load the "GSS Debugging" profile onto your iOS device

• Look for Notice messages – these indicate Kerberos traffic

• A lack of Notice messages, or errors, will highlight where to look for issues (DNS resolution, port 88 not open, mismatched DN in certificate, etc.)

Page 26

On Premises KDC Initialization and Configuration

Mobile SSO for iOS with on premises IDM has specific requirements:

• Initialization of KDC on appliance

• Configuration of DNS entries for the Kerberos Realm

• Inbound port 88 access to the IDM appliance

• Configuration of a certificate template and integration with the Certificate Authority
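Added example, not from the deck or from AirWatch: a Python lint for an exported iOS Kerberos SSO profile that catches the mistakes the iOS SSO slides list (realm not UPPERCASE, UPN not in the realm, the two Safari bundle IDs missing, no SCEP identity behind the Kerberos payload, no KDC root certificate). The payload keys are Apple's com.apple.sso Kerberos keys; the sample profile it builds is constructed, not an AirWatch export.

```python
"""Lint an iOS Kerberos SSO configuration profile (.mobileconfig plist) for
the mistakes listed on the slides: realm not UPPERCASE, UPN/realm mismatch,
Safari bundle IDs missing, no SCEP identity, no KDC root certificate."""
import plistlib

# Bundle IDs the slide says must always be in the SSO profile.
REQUIRED_APP_IDS = {"com.apple.SafariViewService", "com.apple.mobilesafari"}
SSO, SCEP, ROOT = "com.apple.sso", "com.apple.security.scep", "com.apple.security.root"


def lint_profile(profile_bytes):
    """Return a list of findings for the profile; empty means all checks passed."""
    profile = plistlib.loads(profile_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    findings = []
    if SSO not in by_type:
        return ["no %s payload: device has no Kerberos SSO profile" % SSO]
    scep_uuids = {p.get("PayloadUUID") for p in by_type.get(SCEP, [])}
    for payload in by_type[SSO]:
        kerb = payload.get("Kerberos", {})
        realm = kerb.get("Realm", "")
        if not realm:
            findings.append("Kerberos Realm is missing")
        elif realm != realm.upper():
            findings.append("Realm '%s' is not UPPERCASE" % realm)
        principal = kerb.get("PrincipalName", "")
        if "@" in principal and principal.split("@", 1)[1].upper() != realm.upper():
            findings.append("UPN mismatch: PrincipalName '%s' is not in realm '%s'" % (principal, realm))
        missing = REQUIRED_APP_IDS - set(kerb.get("AppIdentifierMatches", []))
        if missing:
            findings.append("AppIdentifierMatches missing " + ", ".join(sorted(missing)))
        cert = kerb.get("PayloadCertificateUUID")
        if not cert:
            findings.append("SSO payload has no PayloadCertificateUUID (no SCEP identity)")
        elif cert not in scep_uuids:
            findings.append("PayloadCertificateUUID %s matches no SCEP payload" % cert)
    if ROOT not in by_type:
        findings.append("no %s payload: KDC root certificate not delivered" % ROOT)
    return findings


def make_profile(realm, app_ids, principal="jdoe@EXAMPLE.COM", include_root=True):
    """Build a constructed sample profile (not an AirWatch export) as plist bytes."""
    content = [
        {"PayloadType": SCEP, "PayloadUUID": "scep-1",
         "PayloadContent": {"URL": "https://ca.example.com/scep"}},
        {"PayloadType": SSO, "PayloadUUID": "sso-1",
         "Kerberos": {"Realm": realm, "PrincipalName": principal,
                      "PayloadCertificateUUID": "scep-1",
                      "AppIdentifierMatches": list(app_ids),
                      "URLPrefixMatches": ["https://"]}},
    ]
    if include_root:  # placeholder DER bytes stand in for the KDC root certificate
        content.append({"PayloadType": ROOT, "PayloadUUID": "root-1", "PayloadContent": b"\x30\x00"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})


if __name__ == "__main__":
    for f in lint_profile(make_profile("example.com", ["com.apple.mobilesafari"], include_root=False)):
        print("FINDING:", f)
```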

Page 27

Troubleshooting Mobile SSO for Android

• Applications not set for proxy

– Must force all apps to use Proxy to the certproxy service

• Proxy destination not set

– certproxy.vmwareidentity.com:5262 for hosted IDM

• Tunnel Config in AirWatch

– Does not need full appliance deployment, only dummy data if not using tunnel

• Tunnel not started on device

– Look for Tunnel icon to appear in status bar of Android device

Page 28

Accelerate Your Knowledge of Workspace ONE

Date – Title – Session # – Speaker

Tuesday, 11:00am – Transformation of the Digital Workspace – SAAM3157SU – Tony Kueh

Tuesday, 12:30pm – Introduction to Access Management in Workspace ONE – SAAM2288BU – Josue Fontanez, Prab Kalra

Tuesday, 3:30pm – Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE – SAAM1150BU – Greg Armanini, Matt Coppinger

Tuesday, 5:00pm – Securing Access and Protecting Information in Office 365 with Workspace ONE – SAAM2291BU – Camilo Lotero, Adarsh Kesari

Wednesday, 2:00pm – Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE – SAAM2197BU – Kevin Sheehan, Adarsh Kesari

Wednesday, 3:30pm – Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE – SAAM2204BU – Vikas Jain, Prab Kalra

Thursday, 10:30am – VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE – SAAM1321BU – Robert Coggins, Josue Fontanez

Thursday, 1:30pm – Simplify Management and Security of your Mobile Apps with Workspace ONE – SAAM2294BU – Vikas Jain, Vinay Jain


Also join us for Quick Talks, Expert Discussions, and Hands-on-Labs!!!
