Lab Architecture

We have simplified the architecture to limit the scope of this lab. Let's take a look at the different components involved.

1. Components and sub-systems

Main Console (192.168.110.10)

  • Windows 2012R2 Server for Active Directory (AD), Domain Name System (DNS), and Certificate Authority (CA).

vidm-01a (192.168.110.14)

  • Windows 2012R2 Server for hosting the VMware Identity Manager service.  This server will communicate with the sql-01a server where the VMware Identity Manager database will be installed.
  • Not joined to corp.local domain.

conn-01a (192.168.110.15)

  • Windows 2012R2 Server for hosting the VMware Identity Manager Connector.  This server will be responsible for using a domain service account to sync users and groups and provide authentication methods that require a domain joined account, such as Kerberos.  
  • Joined to corp.local domain.

sql-01a (192.168.110.13)

  • Windows 2012R2 Server for hosting the SQL database which will be utilized by the VMware Identity Manager service installed on vidm-01a.
  • Joined to corp.local domain.

2. Use Case and Requirements

For this exercise, the following use cases apply:

  • Utilize the VMware Identity Manager Connector for syncing Active Directory users and groups to VMware Identity Manager
  • Utilize the VMware Identity Manager Connector domain joined service account to perform Kerberos Authentication for Windows 10 devices

For these use cases, the following requirements and decisions are made:

  • The VMware Identity Manager service IS NOT required to be domain joined:  The VMware Identity Manager Connector will be domain joined and will handle syncing users and authentication.
  • The VMware Identity Manager Connector IS domain joined:  Since we are relying on the Connector to sync users from Active Directory and handle authentication, the Connector server will be domain joined.

The benefits of this setup are:

  • Reduced Firewall Requirements: The VMware Identity Manager service can sit in your DMZ while the VMware Identity Manager Connector is installed on the intranet in outbound-only mode. In this mode the Connector initiates the connection to the service, so no inbound port 443 from the DMZ into the intranet has to be opened to provide Active Directory user sync and authentication for your external users. Note that intranet Windows 10 devices using Kerberos still need to reach the Connector directly on port 443 on the internal network; the saving is on the DMZ-to-intranet boundary.
  • Eliminate Domain Joined Servers in DMZ: The VMware Identity Manager service can remain unjoined while relying on the VMware Identity Manager Connector to handle user-sync and authentication.
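The two decisions above (which servers are domain joined, and which direction each connection is made in) are easy to drift from during a lab build. The following PowerShell script is an added example, not part of the lab guide or of VMware Identity Manager, that checks those invariants from the Main Console: each server reports the expected corp.local membership, and each flow the design depends on is reachable from the host that is supposed to initiate it. The hostnames and IPs come from the tables above; everything else is an assumption: WinRM enabled on all four servers, the workgroup host vidm-01a added to this console's WinRM TrustedHosts, SQL Server listening on the default port 1433, and a local administrator account for vidm-01a.

```powershell
# Added verification script (not from the lab guide). Run from the Main Console
# (192.168.110.10) as a corp.local administrator.
# Assumptions: WinRM enabled everywhere, 192.168.110.14 present in this host's
# WinRM TrustedHosts (vidm-01a is not domain joined, so Kerberos cannot be used
# to reach it), SQL Server on sql-01a on the default port 1433.

$Domain = 'corp.local'

# Expected domain-join state, per the "Requirements and decisions" list.
$Hosts = @(
    [pscustomobject]@{ Name = 'vidm-01a'; IP = '192.168.110.14'; Joined = $false }
    [pscustomobject]@{ Name = 'conn-01a'; IP = '192.168.110.15'; Joined = $true  }
    [pscustomobject]@{ Name = 'sql-01a';  IP = '192.168.110.13'; Joined = $true  }
)

# Flows the design depends on, tested from the initiating side. Nothing here
# flows from vidm-01a (DMZ) to conn-01a: the Connector runs outbound-only.
$Flows = @(
    [pscustomobject]@{ From = 'conn-01a'; To = '192.168.110.14'; Port = 443;  Why = 'Connector outbound-only channel to the Identity Manager service' }
    [pscustomobject]@{ From = 'vidm-01a'; To = '192.168.110.13'; Port = 1433; Why = 'Identity Manager service to its SQL database (assumed default port)' }
    [pscustomobject]@{ From = 'conn-01a'; To = '192.168.110.10'; Port = 88;   Why = 'Connector to DC for Kerberos' }
    [pscustomobject]@{ From = 'conn-01a'; To = '192.168.110.10'; Port = 389;  Why = 'Connector to DC for LDAP user and group sync' }
)

$DomainCred = Get-Credential -Message "$Domain administrator"
$LocalCred  = Get-Credential -Message 'vidm-01a local administrator (assumed account)'

function Get-LabTarget ($HostEntry) {
    # Domain-joined hosts are reached by FQDN so Kerberos works; the workgroup
    # host is reached by IP with local credentials (requires TrustedHosts).
    if ($HostEntry.Joined) {
        @{ ComputerName = "$($HostEntry.Name).$Domain"; Credential = $DomainCred }
    } else {
        @{ ComputerName = $HostEntry.IP; Credential = $LocalCred }
    }
}

$results = foreach ($h in $Hosts) {
    $target = Get-LabTarget $h

    # 1. Domain membership as the machine itself reports it.
    $cs = Invoke-Command @target -ScriptBlock {
        Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object PartOfDomain, Domain
    }
    $actualJoined = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $Domain)
    [pscustomobject]@{
        Check    = "$($h.Name) joined to $Domain"
        Expected = $h.Joined
        Actual   = $actualJoined
        Note     = "reports domain '$($cs.Domain)'"
    }

    # 2. Each required flow, tested from the host that must initiate it.
    foreach ($f in ($Flows | Where-Object From -eq $h.Name)) {
        $reachable = Invoke-Command @target -ScriptBlock {
            param($To, $Port)
            Test-NetConnection -ComputerName $To -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        } -ArgumentList $f.To, $f.Port
        [pscustomobject]@{
            Check    = "$($h.Name) -> $($f.To):$($f.Port)"
            Expected = $true
            Actual   = [bool]$reachable
            Note     = $f.Why
        }
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Expected -ne $_.Actual })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) architecture check(s) do not match the lab design."
    exit 1
}
```

A check that fails in the first block usually means a server was joined (or left unjoined) by mistake; a failure in the second block points at a firewall rule or a service not yet listening. Deliberately, there is no test of vidm-01a reaching conn-01a on 443: if that path is open, the outbound-only benefit in the list above has been lost.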