VMware Workspace ONE Community
j0nn1e
Contributor

Identity Manager / Enterprise Systems Connector / Airwatch SaaS

Hi all,

I'm pretty new to AirWatch and the Identity Manager, so sorry for the stupid questions.

Since last October I've been responsible for our infrastructure, and I'm trying to clean up the whole system.

We have a Yellow and Blue subscription from AirWatch, and at the moment I'm trying to evaluate the Identity Manager feature for us.

In the past there has been a lot of chaos in the system, specifically on our Windows Server 2008 R2 which hosts our Active Directory.

On the old system I can see there is an IIS with AirWatch sites, there is a Cloud Connector that has been failing to update for months, and there are some port forwardings on 443 and 2020 from the firewall to this old server. My guess is that multiple ways to connect to VMware are mixed up and nothing works right.

So I studied lots of how-tos from VMware to find the right way, but there are some ambiguities. Maybe you can help me.

I set up a new Server 2012 R2 to start clean.

From the VMware docs I found out that the "Enterprise Integration Services" is the old connector (with IIS) and the new one is called "Enterprise Systems Connector" with the ACC and Identity Manager Connector. So far so good.

I've installed the connector on the server and activated it with the activation code from the Identity Manager console. I've imported groups and users. All fine.

But I can't log in with any user at domain.vmwareidentity.eu? "Password or user wrong."

If I test the connection from the AirWatch console at "Directory Services" or Enterprise Systems Connector, all is fine, the connection is OK.

So here are my questions:

- If I understand it right, the ACC connects on port 443 outgoing to VMware. There is no need for a port forwarding into our DMZ, or? What bothers me is that the connector from the Identity Manager refers to "srv-airwatch.Domain.local"? So it looks like I need to publish the SRV for the connector? See attachment.

- Do I need the VMware Tunnel feature? If I understand it right, it's to publish internal resources through VPN to mobile clients, but it's necessary for Identity Manager or AirWatch itself, right? Because this test fails.

- Where does AirWatch get its users from? Also from the ACC connector? Because when I reconfigure the groups & users in the Identity Manager console, the users are deleted temporarily. But nothing happens in the AirWatch console with the users, so I'm a little bit confused. From the Directory Services tab under Settings?

- What does "integrated" IdP mean? See attachment.

- I set the directory attribute to the UPN, because in the future all employees should use only their email address to log in for everything.

Thanks

Jonny

1 Reply
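Two things in the question above that can be checked from the connector host itself are the outbound 443 path to the tenant and whether the directory attribute chosen for login (UPN) actually lines up with the e-mail address users will type. The following PowerShell is an added example written for this thread, not code from the original poster or from VMware; it assumes the RSAT ActiveDirectory module is present on the Server 2012 R2 connector host, and the tenant hostname is a placeholder.

```powershell
# Added example, not part of the original thread.
# Assumptions: RSAT ActiveDirectory module installed; <tenant> is a placeholder.
Import-Module ActiveDirectory

$TenantHost = '<tenant>.vmwareidentity.eu'   # placeholder, replace with your tenant

# 1. Outbound connectivity: the connector needs to reach the tenant on TCP/443.
#    This is an egress test only; it does not require any inbound port forwarding.
$net = Test-NetConnection -ComputerName $TenantHost -Port 443
if (-not $net.TcpTestSucceeded) {
    Write-Warning "No outbound TCP/443 to $TenantHost; check proxy or firewall egress rules."
}

# 2. UPN hygiene: if the directory attribute used for login is userPrincipalName
#    and users are told to sign in with their e-mail address, every synced user
#    needs a UPN equal to the mail attribute. Report empty values and mismatches.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties userPrincipalName, mail, sAMAccountName

$report = foreach ($u in $users) {
    $upn  = $u.userPrincipalName
    $mail = $u.mail
    $status = if     ([string]::IsNullOrEmpty($upn))  { 'NO-UPN' }
              elseif ([string]::IsNullOrEmpty($mail)) { 'NO-MAIL' }
              elseif ($upn -ne $mail)                 { 'MISMATCH' }   # -ne is case-insensitive
              else                                    { 'OK' }
    [pscustomobject]@{
        Account = $u.sAMAccountName
        UPN     = $upn
        Mail    = $mail
        Status  = $status
    }
}

"Users whose UPN does not match the mail attribute:"
$report | Where-Object Status -ne 'OK' | Sort-Object Status | Format-Table -AutoSize

# 3. UPN suffix check: a UPN suffix must be one the forest knows about (a domain
#    name or a registered alternative suffix), otherwise that UPN cannot be used
#    to authenticate at all.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes)

"Users whose UPN suffix is not registered in the forest:"
$report |
    Where-Object { $_.UPN -and (($_.UPN -split '@')[1] -notin $suffixes) } |
    Select-Object Account, UPN | Format-Table -AutoSize
```

Run it on the connector host as an account that can read the directory. An empty list from sections 2 and 3, plus `TcpTestSucceeded` being true, narrows a "user or password wrong" result down to the tenant side (which attribute is mapped and which authentication method the access policy calls) rather than the directory data or the network path.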
dthacker82
Contributor

What do your policies look like under Identity & Access Management? That is where you set which authentication methods are called. It sounds like you've set up the connector correctly; you just haven't modified your default policy to look for the directory password instead of the local password.

Don't worry about the domain naming of the connector; it's fine for authentication purposes. A directory doesn't have to match a tenant domain name.

AirWatch maintains its own users, but it synchronizes the information from Active Directory. We manually provision our users from AD into AW, so I'm not as well-versed in your options for importing users into AW as I am with Identity Manager.

The VMware Tunnel feature allows applications to have a secure channel back to a host network. From my understanding, this isn't necessary with the SaaS version of VIDM (I have the on-prem version and I do utilize the VMware Tunnel.)
