Lab Architecture
We have simplified the architecture to limit the scope for this lab. Let's take a look at the different components involved.
1. Components and sub-systems
Main Console (192.168.110.10)
- Windows 2012R2 Server for Active Directory (AD), Domain Name System (DNS), and Certificate Authority (CA).
vidm-01a (192.168.110.14)
- Windows 2012R2 Server for hosting the VMware Identity Manager service. This server will communicate with the sql-01a server where the VMware Identity Manager database will be installed.
- Not joined to corp.local domain.
conn-01a (192.168.110.15)
- Windows 2012R2 Server for hosting the VMware Identity Manager Connector. This server will be responsible for using a domain service account to sync users and groups and provide authentication methods that require a domain joined account, such as Kerberos.
- Joined to corp.local domain.
sql-01a (192.168.110.13)
- Windows 2012R2 Server for hosting the SQL database which will be utilized by the VMware Identity Manager service installed on vidm-01a.
- Joined to corp.local domain.
2. Use Case and Requirements
For this exercise, the following use cases apply:
- Utilize the VMware Identity Manager Connector for syncing Active Directory users and groups to VMware Identity Manager
- Utilize the VMware Identity Manager Connector's domain joined service account to perform Kerberos authentication for Windows 10 devices
For these use cases, the following requirements and decisions are made:
- The VMware Identity Manager service IS NOT required to be domain joined: The VMware Identity Manager Connector will be domain joined and will handle syncing users and authentication.
- The VMware Identity Manager Connector IS domain joined: Since we are relying on the Connector to sync users from Active Directory and handle authentication, the Connector server will be domain joined.
The benefits of this setup are:
- Reduced Firewall Requirements: The VMware Identity Manager service can sit in your DMZ while the VMware Identity Manager Connector is installed on the intranet in outbound-only mode, so no inbound port 443 needs to be opened to the Connector to provide secure Active Directory user sync and authentication for your external users.
- Eliminate Domain Joined Servers in DMZ: The VMware Identity Manager service can remain unjoined while relying on the VMware Identity Manager Connector to handle user-sync and authentication.
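The two design decisions above can be checked mechanically. The following is an added example, not part of the lab guide or of any VMware tooling: it encodes the lab hosts and the flows the design needs, then flags any inventory that puts a domain joined server in the DMZ or sends a connection inbound to the Connector. The zone placement (vidm-01a in the DMZ, everything else on the intranet) and the non-443 ports (SQL Server, LDAP, Kerberos defaults) are assumptions made for the check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str          # "dmz" or "intranet" (assumed placement for this check)
    domain_joined: bool

@dataclass(frozen=True)
class Flow:
    src: str           # host that opens the connection
    dst: str           # host that listens
    port: int

# Constructed inventory mirroring the lab; zones are an assumption.
LAB_HOSTS = [
    Host("main-console", "192.168.110.10", "intranet", True),   # AD / DNS / CA
    Host("vidm-01a",     "192.168.110.14", "dmz",      False),  # Identity Manager service
    Host("conn-01a",     "192.168.110.15", "intranet", True),   # Connector
    Host("sql-01a",      "192.168.110.13", "intranet", True),   # SQL database
]

# Flows the design needs. The Connector dials out to the service (outbound-only mode),
# the service reaches SQL, and the Connector talks to AD for sync and Kerberos.
# Ports other than 443 are assumed defaults (SQL Server 1433, LDAP 389, Kerberos 88).
LAB_FLOWS = [
    Flow("conn-01a", "vidm-01a", 443),
    Flow("vidm-01a", "sql-01a", 1433),
    Flow("conn-01a", "main-console", 389),
    Flow("conn-01a", "main-console", 88),
]

def dmz_joined(hosts):
    """Rule 1: no domain joined server may sit in the DMZ."""
    return [h.name for h in hosts if h.zone == "dmz" and h.domain_joined]

def inbound_to_connector(flows, connector="conn-01a"):
    """Rule 2: outbound-only mode means no flow terminates on the Connector."""
    return [f for f in flows if f.dst == connector]

def dmz_to_intranet_crossings(hosts, flows):
    """Informational: DMZ-to-intranet flows that still need a firewall rule."""
    zone = {h.name: h.zone for h in hosts}
    return [f for f in flows if zone[f.src] == "dmz" and zone[f.dst] == "intranet"]

def findings(hosts, flows):
    """Human-readable violations; an empty list means the design holds."""
    out = [f"domain-joined host in DMZ: {n}" for n in dmz_joined(hosts)]
    out += [f"inbound flow to Connector: {f.src}->{f.dst}:{f.port}"
            for f in inbound_to_connector(flows)]
    return out

if __name__ == "__main__":
    for line in findings(LAB_HOSTS, LAB_FLOWS) or ["design OK"]:
        print(line)
```

Note that even with the Connector outbound-only, the service in the DMZ still needs one crossing into the intranet (vidm-01a to sql-01a), which dmz_to_intranet_crossings lists for the firewall change request.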