VMware Workspace ONE Community
skywalker76
Contributor

Installing VIDM/Mobile SSO on-premises - advice needed

Hello experts,

I'm in the process of setting up VIDM on-premises for our production platform as we will use mobile SSO for iOS & Android devices in our Office365 deployment with Airwatch. All connections will come from devices located on the internet.

However, I'm having a nightmare trying to locate all the information required on the architecture level. I'm hoping that someone can help clarify a few things for me here as it's not at all clear in the official guides.

Regarding port 5262 used for Android Mobile SSO, our network team requires the use of a reverse proxy (for obvious reasons), but from my understanding we are talking about an incoming TCP connection from the Android tunnel app straight through to the VIDM servers, which is thus terminated at the appliance level. For this to work, do we need to simply forward the ports via our RP to the VIDM cluster? Security will not like this...

I'm referencing the extract below, as there is absolutely nothing else written about this in any of the VMware official guides.

[attached screenshot: extract from the official guide]

Regarding Mobile SSO for iOS, I'm aware that it uses a built-in KDC on VIDM, so do I also need to do TCP/UDP port forwarding for port 88? Again, very little information is posted about this anywhere... Do I need to create a public DNS record that points to our VIDM LB so that the iOS clients are able to find the KDC? What can I put as the realm? Considering that everything is located on the same box, does it need to be different from the public DNS name already created, as in idm.company.com instead of kdc.company.com?

We will also install UAG for intranet browsing purposes; can this be used as a reverse proxy to reach the VIDM servers? Is there any documentation on that?

Thanks in advance for your help!

J4yJ4y
Enthusiast

Q: Regarding Mobile SSO for iOS, I'm aware that it uses a built-in KDC on VIDM so do I also need to do TCP/UDP port forwarding for port 88?

A: Yes, port forwarding is required.

Q: What can I put as the realm?

A: The KDC realm is set when you initialize the KDC on vIDM. Often the AD or DNS domain name is used as the realm, but this is not required.

Make it recognizable. The realm is set in upper case.

Q: do I need to create a public DNS record that points to our VIDM LB so that the iOS clients are able to find the KDC?

A: Yes. More here: Using the Built-in KDC. The KDC requires DNS SRV records with a special syntax; see the example on the linked page.

Q: We will also install UAG for intranet browsing purposes, can this be used as a Reverse Proxy to reach the VIDM servers - any documentation on that?

A: Yes, UAG can be a reverse proxy for vIDM.
More here:
Unified Access Gateway Landing Page and https://docs.vmware.com/en/Unified-Access-Gateway/3.2/uag-32-deploy-config-guide.pdf

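To make the KDC SRV-record answer above concrete, here is an added example that is not part of either post and is not VMware's own tooling. It generates the two Kerberos locator records an iOS client uses to find the KDC and then validates a zone fragment against the points raised in the thread: both `_udp` and `_tcp` records present, realm in upper case, port 88, and the target pointing at the FQDN that is forwarded to the vIDM load balancer. The record layout follows RFC 4120 section 7.2.3.3 (`_kerberos._udp.<REALM>` / `_kerberos._tcp.<REALM>`); the realm `IDM.COMPANY.COM`, the host `idm.company.com`, and the TTL/priority/weight values are assumptions for illustration, not values taken from the VMware guide.

```python
"""Generate and sanity-check Kerberos DNS SRV records for a built-in KDC.

Record shape (RFC 4120, 7.2.3.3), one per transport:
    _kerberos._udp.<REALM>.  TTL IN SRV <prio> <weight> <port> <kdc-fqdn>.
    _kerberos._tcp.<REALM>.  TTL IN SRV <prio> <weight> <port> <kdc-fqdn>.

All hostnames and the realm below are illustrative assumptions.
"""
import re

KDC_PORT = 88  # standard Kerberos port; TCP and UDP must be forwarded to the vIDM LB

# Matches a zone-file line for either Kerberos SRV record. Other zone lines are ignored.
SRV_RE = re.compile(
    r"^_kerberos\._(?P<proto>udp|tcp)\.(?P<realm>[^\s.]+(?:\.[^\s.]+)*)\.?"
    r"\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)


def srv_records(realm, kdc_fqdn, port=KDC_PORT, priority=10, weight=10, ttl=3600):
    """Return the UDP and TCP Kerberos SRV zone-file lines for `realm`.

    Refuses a realm that is not upper case, since Kerberos realm names are
    case-sensitive and the KDC is initialized with the upper-case form.
    """
    if realm != realm.upper():
        raise ValueError("Kerberos realm must be upper case: %r" % realm)
    target = kdc_fqdn.rstrip(".") + "."  # fully qualified, trailing dot
    return [
        f"_kerberos._{proto}.{realm}. {ttl} IN SRV {priority} {weight} {port} {target}"
        for proto in ("udp", "tcp")
    ]


def check_zone(zone_lines, realm, kdc_fqdn, port=KDC_PORT):
    """Validate that `zone_lines` advertise the KDC for `realm` correctly.

    Returns a list of human-readable problems; an empty list means the
    records match what an iOS Mobile SSO client needs to locate the KDC.
    """
    problems = []
    found = {}
    for raw in zone_lines:
        m = SRV_RE.match(raw.strip())
        if m:
            found[m.group("proto").lower()] = m

    for proto in ("udp", "tcp"):
        m = found.get(proto)
        if m is None:
            problems.append(f"missing _kerberos._{proto} SRV record for {realm}")
            continue
        rec_realm = m.group("realm")
        if rec_realm != realm:
            problems.append(f"{proto}: record realm is {rec_realm!r}, expected {realm!r}")
        if rec_realm != rec_realm.upper():
            problems.append(f"{proto}: realm must be upper case")
        if int(m.group("port")) != port:
            problems.append(f"{proto}: port {m.group('port')} is not {port}")
        target = m.group("target").rstrip(".").lower()
        if target != kdc_fqdn.rstrip(".").lower():
            problems.append(f"{proto}: target {target} is not the KDC FQDN {kdc_fqdn}")
    return problems


if __name__ == "__main__":
    # Constructed sample: realm derived from the public DNS name, as the reply
    # says is common. Both names are assumptions for illustration.
    realm, kdc = "IDM.COMPANY.COM", "idm.company.com"
    zone = srv_records(realm, kdc)
    print("\n".join(zone))
    print("problems:", check_zone(zone, realm, kdc) or "none")

    # Constructed broken fragment: lower-case realm and no UDP record.
    broken = ["_kerberos._tcp.idm.company.com. 3600 IN SRV 10 10 88 idm.company.com."]
    print("problems:", check_zone(broken, realm, kdc))
```

The SRV target must be a name that has an A/AAAA record (the public record the question asks about), not a CNAME; RFC 2782 forbids alias targets and some resolvers will not chase them. The realm in the example is the DNS name in upper case purely because the reply says that is a common choice; any recognizable upper-case string works as long as it matches what the KDC was initialized with.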