VMware Workspace ONE Community
Hocshop
VMware Employee

Identity Manager Connectors

Hi all,

I have 2 questions please:

If I deploy an architecture as recommended for a multi-site deployment i.e.

global load balancer

2 local site load balancers

3 identity mgr appliances in DMZ at each site

2 Identity mgr connectors in internal network of each site etc

1) Internal users will need to connect to the fqdn of the load balancer for the IDM connectors inside the network or the fqdn of the IDM apps in the DMZ?

2) In the diagram from the whitepaper, it puts the access for external clients to the IDM connectors as directly from the global load balancer to the connectors i.e. it doesn't touch anything in the DMZ. How does the security work for this part of the connection?

I am new to this and I don't really understand how the diagram works as the IDM appliances have the connections through the DMZ but the Connectors don't seem to connect to the IDM appliances in the diagram.

Someone just asked me, how is it secure if the external client can jump from the global load balancer directly to the internal connector. I couldn't answer them.

Anyone able to give me a heads up on how this works (how the client securely connects to the connectors and how the IDM app connects to the IDM connector) so I can understand better please?

I heard that the IDM connector talks through port 443 to the IDM app and nothing else. What does that signify?

Regards

Mark


Accepted Solutions
Hocshop
VMware Employee

Hi all,

So I investigated everywhere and I finally got the answers I was looking for.

1. Internal users will connect to the FQDN of the load balancer in the DMZ i.e. the load balancer for the IDM appliances in the DMZ.

Doing some tests I saw that even if you enter the FQDN of 1 of the connectors in a browser to try and connect to it, it will redirect you to the IDM appliances anyway.

External users obviously will connect to the FQDN of the Global Load balancer.

2. The external users will get to the global load balancer, pass to the local load balancer then to the IDM appliance in the DMZ. The IDM Connector will just sync info related to the internal connections you configure (like Active Directory, RSA authenticators etc). This sync is one-way only from Connector to IDM appliance.

The IDM Connector can send traffic from itself to the Global Load balancer in an outbound direction only (that's why the line exists in the diagram however it would be better to put a dotted arrow instead of a solid line in the diagram).

When you check the firewall ports that are required to be opened for the IDM Connector, the only traffic that goes from browsers towards the IDM Connector is for administration purposes. There are no firewall ports required to be opened for client traffic to the IDM Connector, that's why you would connect to the IDM appliance in the DMZ.

I hope that helps someone.

Regards

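As an added example (not from this thread or from VMware), here is a small Python check that encodes the connectivity the accepted answer describes as first-match firewall rules and flags any rule set that would let client traffic reach the connector. The addresses, the admin subnet and the connector admin port 8443 are assumptions; only the connector-to-appliance traffic on 443 comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR or single host
    dst: str           # CIDR or single host
    port: "int | None" # None matches any TCP port

def evaluate(rules, src_ip, dst_ip, port):
    # First-match semantics with an implicit default deny, as most firewalls do.
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed addresses (RFC 5737 documentation ranges on the public side).
IDM_VIP = "203.0.113.10"     # DMZ load balancer VIP in front of the IDM appliances
CONNECTOR = "10.10.20.5"     # IDM Connector on the internal network
ADMIN_NET = "10.10.90.0/24"  # administrator subnet (assumed)
ADMIN_PORT = 8443            # connector admin UI port (assumed, not from the thread)
EXT_CLIENT = "198.51.100.7"  # external user
INT_CLIENT = "10.10.30.40"   # internal user

# Rules that encode the design in the accepted answer.
RULES = [
    Rule("allow", "0.0.0.0/0", IDM_VIP, 443),          # all users reach the DMZ appliances
    Rule("allow", CONNECTOR, IDM_VIP, 443),            # connector -> appliance, outbound only
    Rule("allow", ADMIN_NET, CONNECTOR, ADMIN_PORT),   # only admin traffic reaches the connector
]

# Flows the design requires, with the decision each must receive.
EXPECTED = {
    "external_client_to_appliance": (EXT_CLIENT, IDM_VIP, 443, "allow"),
    "internal_client_to_appliance": (INT_CLIENT, IDM_VIP, 443, "allow"),
    "connector_to_appliance":       (CONNECTOR, IDM_VIP, 443, "allow"),
    "appliance_to_connector":       (IDM_VIP, CONNECTOR, 443, "deny"),  # sync is one-way
    "external_client_to_connector": (EXT_CLIENT, CONNECTOR, 443, "deny"),
    "internal_client_to_connector": (INT_CLIENT, CONNECTOR, 443, "deny"),
    "internet_to_connector_admin":  (EXT_CLIENT, CONNECTOR, ADMIN_PORT, "deny"),
    "admin_to_connector_admin":     ("10.10.90.12", CONNECTOR, ADMIN_PORT, "allow"),
}

def policy_violations(rules):
    # Names of expected flows whose decision under `rules` differs from the design.
    return [name for name, (s, d, p, want) in EXPECTED.items()
            if evaluate(rules, s, d, p) != want]

# A mistaken rule set that opens the connector's 443 to any client; policy_violations reports it.
OVER_PERMISSIVE = RULES + [Rule("allow", "0.0.0.0/0", CONNECTOR, 443)]
```

`policy_violations(RULES)` returns an empty list for the intended design, while the over-permissive set reports the appliance-to-connector and client-to-connector flows as violations.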