Hocshop
VMware Employee

Where exactly do internal users need to connect to...?

Hi all,

I thought I had this one figured out but another doubt has clouded my understanding.

I understood that, if I had multiple IDM appliances installed in the DMZ (behind a Load balancer) and IDM Connectors installed in the internal network, then internal users would need to connect to the URL of the Load Balancer in the DMZ (they would need to connect to the IDM appliances in the DMZ and not the IDM Connectors).

Is that correct?

Or does the user actually need to connect to the IDM Connector and they will be redirected through the web socket without needing to connect directly to the IDM appliance?

I ask that because there is no Load balancer in the internal network for the IDM Connectors so the user would need one of 2 things I believe:

1. Connect to a single IDM Connector but then they would have problems if that appliance was down for whatever reason

2. Configure an internal DNS Round-Robin type of setup where the user could connect to a single URL and internally that URL would be related to multiple IDM Connectors?

Can anyone help me with my doubt, please (where exactly does an internal user need to connect to be able to open the Workspace portal)?

Regards

Mark

0 Kudos

Accepted Solutions
mmurthy
VMware Employee

Users should connect to DMZ LB with internal IP mapping to the same URL as external URL.

0 Kudos
ryancostello
Contributor

Hi Mark,

It depends on the auth methods in use. If you have a built-in IdP configured and the connectors set up for outbound-only mode, then end users only need to resolve the URL of the LB in the DMZ. When connectors are in outbound mode the IDM service will load balance requests automatically across connectors, so no load balancer is required for internal connectors. In that scenario users don't need to connect to the connector. The connector communicates with the SVAs in an outbound manner over websocket.

The caveat is if you're using Kerberos for internal users. This auth method requires that the clients resolve the actual connector URL. If you need to make Kerberos highly available then you must set the IdP hostname to the LB URL, and then enable redirect and configure each connector's own hostname as the redirect URL. Lastly, make sure you configure a network range so that only internal users will use this auth method.

0 Kudos
Hocshop
VMware Employee

Thanks ryancostello,

Luckily I don't need Kerberos this time but it is good to know for the future.

Regards

0 Kudos