VMware Workspace ONE Community
jahos_ (Enthusiast)

IDM 2.8 integrated with Access Point 2.8 FQDN change

Hi,

I am trying to integrate Access Point as reverse proxy in DMZ with Idm in LAN. Both versions are 2.8.

After fighting a lot of issues, I came to the point that everything works correctly and I just have to change FQDN. Here it fails.

Public cert (idm.corp.com) has been uploaded to access point and another public cert (idm.localcorp.com) to idm. Certificates are valid.

The necessary firewall rules are open between idm and access point in dmz.

When I change the FQDN I always get the error message: error on changing manager URL and error on changing IDP URL.

Can anyone help me with this?

5 Replies
pbjork (VMware Employee)

I'm afraid your design might not work. You cannot change FQDN if the only reverse proxy is an Access Point. The reason is that traffic through Access Point must be external only. For example, /admin access is denied through Access Point. Internal traffic must be routed directly to the VMware Identity Manager appliance and not via Access Point. So split DNS is a requirement.

When you try to change FQDN on VMware Identity Manager it must be able to do a roundtrip to itself, see more info: Workspace Portal - Trouble Changing the FQDN - Horizon Tech Blog - VMware Blogs

If an AP is in front of VMware Identity Manager, AP will deny this roundtrip traffic.

Valid deployment methods are still a few.

1. VMware Identity Manager appliance should be deployed with public FQDN as its appliance name (if public domain name != AD domain name you cannot then join the domain using VMware Identity Manager. A separate connector appliance is needed in that case)

2. VMware Identity Manager <-> Load Balancer <-> Access Point is another deployment model. Now the FQDN is owned by LB so VMware Identity Manager can do a roundtrip when changing FQDN

jahos_ (Enthusiast)

Thanks for the info Peter. This explains a lot!

jahos_ (Enthusiast)

Could you explain a little bit more how to setup the first option (with AP as reverse proxy)?

When I add a separate connector for AD authentication, the logon page is redirected to the IP address of the connector, which is internal. Of course this does not work from the outside.

pbjork (VMware Employee), accepted solution

1. In DMZ you deploy vIDM appliance (not required to be in DMZ but makes a lot of sense).

     1.1 vIDM appliance must have external FQDN as host name (this way changing FQDN is not needed)

     1.2 Add trusted certificate to vIDM

     1.3 Add a new connector

     1.4 Internal DNS should point to vIDM appliance

2. Deploy Connector-only appliance in LAN

     2.1 Deploy appliance with an internal host name

     2.2 Enter connector activation code from step 1.2

     2.3 Now this connector can be joined to the domain if use cases require it

3. Add the connector to your built-in identity provider

     3.1 In Identity Providers - Built-in, add the connector and make sure Password (cloud deployment) is activated

     3.2 In your access policies make sure Password (cloud deployment) is used as AuthN method

4. Deploy Access Point using the PowerShell option, Using PowerShell to Deploy VMware Access Point

     4.1 "proxyDestinationUrl" must be the external FQDN; if AP is not connected to external DNS and so cannot resolve the FQDN, you can add it to the hosts file using "hostEntry1"

     4.2 Point external DNS to Access Point

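Step 4 of the answer above, written out as an added example INI file for the Access Point PowerShell deployment; this is not the poster's file nor VMware's documentation. Only `proxyDestinationUrl` and `hostEntry1` are taken from the answer. The section names (`[General]`, `[SSLCert]`, `[WebReverseProxy]`), the remaining keys and the vIDM `proxyPattern` follow the Access Point 2.8 PowerShell deployment INI format as I recall it and should be checked against the deployment guide linked in step 4 before use; the `;` comment lines are explanatory and assume the deployment script tolerates INI comments. Every hostname, address, datastore and path is constructed for illustration.

```ini
; Constructed example: Access Point in the DMZ fronting vIDM for EXTERNAL users only.
; Split DNS, as the answer requires:
;   external DNS  idm.corp.com -> 203.0.113.10  (Access Point)
;   internal DNS  idm.corp.com -> 192.0.2.20    (vIDM appliance, whose host name is idm.corp.com)

[General]
name=ap-dmz-01
source=C:\temp\euc-access-point-2.8.0.0_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@vcenter.localcorp.com/Datacenter1/host/esx-dmz-01.localcorp.com
ds=DMZ-Datastore
netInternet=DMZ-Network
netManagementNetwork=DMZ-Network
netBackendNetwork=DMZ-Network
deploymentOption=onenic
ip0=203.0.113.10
; Step 4.1: the appliance cannot reach external DNS, so pin the public FQDN to the
; vIDM appliance in the hosts file. Without this entry the proxy destination would either
; fail to resolve or, via public DNS, resolve back to the Access Point itself.
hostEntry1=192.0.2.20 idm.corp.com

[SSLCert]
; Public certificate for idm.corp.com (PEM containing private key and chain),
; the one presented to external users.
pemCerts=C:\temp\idm.corp.com.pem

[WebReverseProxy]
; Step 4.1: must be the external FQDN, which is also the vIDM appliance host name (step 1.1)
; and the subject of the trusted certificate installed on vIDM (step 1.2).
proxyDestinationUrl=https://idm.corp.com
; Only the user-facing vIDM paths are proxied; /admin is not in the pattern, which matches
; the earlier reply: admin access is denied through Access Point and stays internal-only.
proxyPattern=(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))
```

Deploy with the script shipped alongside the guide (`apdeploy.ps1 -iniFile ap-dmz-01.ini` in the 2.8 package, if I recall the name correctly). Two checks are worth running afterwards: `nslookup idm.corp.com` from an internal client must return the vIDM appliance address and from an external client the Access Point address, otherwise the roundtrip described in the earlier reply will hit the Access Point and fail; and a browser request to `https://idm.corp.com/admin` from outside should be refused while the user login page loads. If the certificate on vIDM is not from a CA the Access Point trusts, the 2.8 INI format also needs the destination certificate thumbprint (`proxyDestinationUrlThumbprints`, as I recall the key), which is why the answer's "add trusted certificate to vIDM" step matters.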
jahos_ (Enthusiast)

Thanks a lot Peter. Great explanation and I got it working now.

Apparently it was step 3 where I got lost.
