
Migrating to VMware Workspace ONE Access 20.01 Connectors

Modified OCT 2020
JAN 2020
VMware Workspace ONE Access
VMware Workspace ONE Access 20.01


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

1 Migrating to VMware Workspace ONE Access 20.01 Connectors 4

2 Migrating to Latest Connector on a Windows Server Running Workspace ONE Access 19.03 6

3 Use the Migration Dashboard to Migrate to Workspace ONE Access 20.01 Connectors 7

4 Resetting Virtual Apps Usage Option in Workspace ONE Access 17

5 Troubleshooting Migration to Workspace ONE Access 20.01 Connectors 19


1 Migrating to VMware Workspace ONE Access 20.01 Connectors

If you are upgrading to Workspace ONE® Access™ (formerly known as VMware Identity Manager™) 20.01, to use the new Workspace ONE Access 20.01 connectors you need to install one or more 20.01 connectors and migrate your existing directories to the new connectors. You cannot upgrade older connector versions to 20.01.

The new Workspace ONE Access 20.01 connector is a collection of enterprise services that can be installed individually or together on Windows servers. It includes the following services:

- Directory Sync service: Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service

- User Auth service: Password (cloud deployment), RSA SecurID (cloud deployment), and RADIUS (cloud deployment)

- Kerberos Auth service: Kerberos authentication for internal users

To migrate to the new 20.01 connectors from legacy connectors, you migrate your directories. When you migrate the directories, all data, including authentication methods and identity providers, is migrated.

Requirements for Migration

- The Workspace ONE Access 20.01 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApps integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.01 connectors.

To integrate Horizon, Horizon Cloud, or Citrix applications and desktops, use VMware Identity Manager connector (Windows) version 19.03. To integrate ThinApp packaged applications, use VMware Identity Manager connector (Linux) version 2018.8.1.0.

- You need one or more Windows servers to install 20.01 connectors. The enterprise services can be installed together on one server or separately on different servers. See Installing Workspace ONE Access Connector for requirements.


The Windows servers for the 20.01 connectors must be separate from your legacy connector servers. During the migration process, you will switch between using the old connectors and the new connectors to test the migration. The 19.03 legacy connector servers must be running during the migration process. Do not uninstall the 19.03 connectors until the migration is complete.

Note The 20.01.01 Patch Release lets you use a Windows server that has a 19.03 connector installed. See Chapter 2 Migrating to Latest Connector on a Windows Server Running Workspace ONE Access 19.03.

- All existing connectors in your tenant must be version 19.03. If you have any older connectors, upgrade them to 19.03 first.

- If you have an on-premises instance of the Workspace ONE Access service, upgrade the service to 20.01 before migrating to 20.01 connectors.

- During migration, you must migrate all the directories in your tenant to the 20.01 connector. You cannot choose to migrate only some of the directories.

- After migration, you can use only the new 20.01 connectors. You cannot have a mix of older connector versions and 20.01 connectors in your environment.

- If you have 19.03.0.1 connectors installed and you are planning to migrate them, consider migrating to connector version 20.10 instead of 20.01.x. There is a known issue with migration from connector version 19.03.0.1 to version 20.01.x if your Workspace ONE Access directory of type Active Directory over LDAP or IWA has the External ID option set to any attribute other than the default value of objectGUID. When you migrate the directory as part of connector migration, all users will be deleted and added back. As a result, all users will be logged out and will have to log in again. You will also have to reconfigure user entitlements.

Note If you are using the on-premises Workspace ONE Access service, keep in mind that the connector version must be equal to or lower than the service version.


2 Migrating to Latest Connector on a Windows Server Running Workspace ONE Access 19.03

When you cannot procure a new Windows server to migrate to Workspace ONE Access 20.01, you can install 20.01.0.1 Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector. You can then migrate your legacy connector.

The recommended migration path is to install a new connector on a separate Windows server and migrate your existing directories to the new connectors. If you are using an existing Windows server installed with the 19.03 connector, before you install any of these services, you must increase the CPU and memory on the machine, because two versions of the connector will be running until the migration is complete.

You must increase the CPU and memory to meet the needs of both 19.03 and 20.01.0.1 connectors per the Sizing guidelines. If Kerberos authentication is running on the Windows server and you are installing Kerberos, use a custom port for Kerberos when you install 20.01.01.

After the migration is finished, you can stop the 19.03 connector and uninstall it.


3 Use the Migration Dashboard to Migrate to Workspace ONE Access 20.01 Connectors

Migrate your existing directories to the Workspace ONE Access 20.01 connectors using the Migration Dashboard. The migration process is a staged approach that lets you test your environment with the new connectors before finishing the migration.

The migration process includes the following stages:

- Install 20.01 Connectors

Install the new 20.01 connectors, which contain the Directory Sync, User Auth, and Kerberos Auth services. At a minimum, install the Directory Sync and User Auth service. Install the Kerberos Auth service if you have the Kerberos authentication method configured.

- Migrate to New Connectors

In this stage, you migrate all your directory data using the Migrate Directory wizard. Most of the required information is pre-populated from your environment but you enter some sensitive values such as the directory Bind user password.

Migrating the directories in this stage does not change any of your existing directory, authentication method, or identity provider configurations. You are still using the old connectors. The changes will take effect only after you go to the Preview stage in the next step.

- Preview

In the Preview stage, you preview your environment with the new 20.01 connectors. The new Directory Sync, User Auth, and Kerberos Auth services from the 20.01 connectors perform directory sync and user authentication. All authentication methods except for Kerberos are in outbound mode.

The Preview stage is intended for you to test your environment thoroughly with the new services. Verify that directory sync, user authentication, and application launch are working as expected.

In the Preview stage, you cannot make any changes to your directories, authentication methods, or identity providers, or add new ones.


From the Preview stage, you can roll back to using the old connectors. When you roll back, the directory data that you migrated in the previous stage is still maintained. If you make any changes later to any of your existing directories, authentication methods, or identity providers, ensure that you migrate the directory data again.

- Complete Migration

When you are satisfied with testing your new environment, complete the migration. After you complete the migration, you cannot roll back to using the old connectors.

Prerequisites

- Review requirements in Chapter 1 Migrating to VMware Workspace ONE Access 20.01 Connectors.

- Verify that all the connectors in your environment are version 19.03. If any connectors are an older version, upgrade them to 19.03.

- Prepare one or more Windows servers for the 20.01 connectors. These servers must be different from your 19.03 connector servers. For an exception to this requirement, see Chapter 2 Migrating to Latest Connector on a Windows Server Running Workspace ONE Access 19.03.

See Systems Requirements in Installing Workspace ONE Access Connector 20.01.

- If you have an on-premises Workspace ONE Access service instance, upgrade it to 20.01 before migrating the connectors.

- If you have the RSA SecurID authentication method configured for any of your directories, clear the Node Secret in the RSA Security console.

- If any IDPs are associated with multiple directories, modify the configuration so that each IDP is only associated with one directory.

- Ensure that the directory sync process is not running for any of the directories before starting the migration process.

- If you enabled the People Search feature, ensure that the photo sync process is not running for any of the directories before starting the migration process.

- If you are migrating a 19.03.x connector with no directory associated with it, be aware that when you select the Workspace ONE Access Connector 20.01 option in Step 5, the migration is considered complete and the 19.03.x connector is deleted from the service. If you decide later that you want to use legacy connectors and change your connector selection using the Reset Virtual Apps Usage button, the 19.03.x connector will not be displayed. You will need to reinstall the 19.03.x connector to reactivate it with the service.

Procedure

1 Click the Identity & Access Management tab.

The migration page appears.


2 Review the requirements and click Yes.

The Directory Migration dashboard appears.

3 In the Directory Migration dashboard, click the Get Started link in the Install 20.01 Connector(s) section.

4 In the Connectors page, click New.

5 In the Virtual Apps Usage Confirmation dialog box, select Use Workspace ONE Access Connector 20.01 if you do not plan to use virtual apps (Horizon, Horizon Cloud, and Citrix integrations).

If you plan to use virtual apps, select Legacy Connectors to exit the migration process. Virtual apps are only supported with legacy connectors.


Important Make your choice carefully, considering your business needs. If you want to change your selection later, you can do so only up to a certain point in the migration process. See Chapter 4 Resetting Virtual Apps Usage Option in Workspace ONE Access.

6 Follow the Add New Connector wizard to download the connector installer and the required configuration file, then install the 20.01 connector.

For installation information, see Installing Workspace ONE Access Connector 20.01. Specifically, see Prerequisites and Installing the Workspace ONE Access Connector.

Important When you install the connector, make sure you install the Directory Sync service and the User Auth service. The Kerberos Auth service is required only if you have the Kerberos authentication method configured on any of your legacy connectors.

7 When the connector installation is successfully completed, return to the Directory Migration dashboard in the Workspace ONE Access service console.

8 In the Migrate to New Connectors section, migrate all your directories, one by one.


The Migrate to New Connectors section lists all the Active Directory and LDAP directories in your tenant. You must migrate all the directories listed before you can complete the migration.

Note Migrating the directories in this step does not change any of your existing directory, authentication method, or identity provider configuration and will take effect only after you preview the changes in the next step.

a Click the Migrate button next to the directory.

The Migrate Directory wizard appears. The wizard is customized to the directory you are migrating. Additional pages appear for the authentication methods that are configured on the directory.

b On the Directory page, enter the Bind user password for the directory.

The Directory Sync Host(s) list displays the new 20.01 connectors that have the Directory Sync service installed. Select one or more hosts to use to sync the directory.

c (Appears only if Kerberos auth method is configured) On the Kerberos page, specify the information required to migrate the Kerberos authentication method.

- Source Connector: The source connector is preselected. You can select another connector if the preselected connector is not available.

- Kerberos Auth Host(s): The list displays the new 20.01 connector hosts that have the Kerberos Auth service installed. Select one or more hosts to use for Kerberos authentication.


d On the Password page, specify the information required to migrate the Password authentication method.

- Source Connector: The source connector is preselected. You can select another connector if the preselected connector is not available.

- Bind Password: Enter the Bind user password for the directory.

- User Auth Host(s): The list displays the new 20.01 connector hosts that have the User Auth service installed. Select one or more hosts to use for Password authentication.

e (Appears only if RADIUS authentication method is configured) On the RADIUS page, specify the information required to migrate the RADIUS authentication method.

- Source Connector: The source connector is preselected. You can select another connector if the preselected connector is not available.

- Shared secret: The shared secret for the RADIUS server.

- User Auth Host(s): The list displays the new 20.01 connector hosts that have the User Auth service installed. Select one or more hosts to use for RADIUS authentication.


f (Appears only if RSA SecurID authentication method is configured) On the SecurId page, specify the information required to migrate the RSA SecurID authentication method.

- Source Connector: The source connector is preselected. You can select another connector if the preselected connector is not available.

- User Auth Host(s): The list displays the new 20.01 connector hosts that have the User Auth service installed. Select one or more hosts to use for RSA SecurID authentication.

g (Appears only if Kerberos authentication is configured) On the Identity Provider page, enter the connector load balancer's FQDN to use for the new identity provider that will be created for Kerberos authentication during migration.

The current load balancer FQDN is displayed for reference. This is the current IdP Hostname value in the directory’s identity provider page.

If you have only one 20.01 connector, and no load balancer, enter the connector's FQDN.


h In the Summary page, verify your selections and click Save.

The directory migration data is saved. You can view the settings by clicking the Summary button next to the directory in the Directory Migration dashboard.

If you want to make any changes to the information you entered, click Start Over in the Summary page. This discards the migration data you entered for the directory and lets you migrate the directory again.

i Migrate the rest of the directories.

After all the directories are migrated, the Complete Migration step is enabled.

9 In the Complete Migration section, click Start Preview to start the migration process.

In the Preview stage, the new 20.01 connectors are used. Directory sync is performed by the new Directory Sync service, user authentication is performed by the new User Auth service, and Kerberos authentication is performed by the new Kerberos Auth service. You cannot make any changes to your directories, authentication methods, or identity providers, or create new ones. You can view the converted identity providers in the Identity Providers tab and the converted authentication methods in the Enterprise Authentication Methods tabs. All authentication methods except for Kerberos are in outbound mode.


If the People Search feature was enabled in your deployment of the Workspace ONE Access service, you must manually sync the directories without the Safeguard settings. In the Workspace ONE Access console, select the directory in the Identity & Access Management > Directories page and click Sync > Sync without Safeguards.

Important Test your environment thoroughly in the Preview stage and verify that it is working as expected. Verify that directory sync, user login, and application launch are working.

10 If you determine that your environment is not working correctly, or if you want to make any changes to your directories, authentication methods, or identity providers, exit the Preview stage and return to using the old connectors.

Go to the Identity & Access Management > Manage > Directories page, click Continue Migration, and click Abort in the Complete Migration section of the Directory Migration dashboard.

If you make any changes to your directories, authentication methods, or identity providers subsequently, make sure that you migrate the directories again in the Migrate to New Connectors section.

11 After you verify that your environment is working as expected in the Preview stage and you are ready to complete the migration, return to the Directory Migration dashboard by going to the Identity & Access Management > Manage > Directories page and clicking Continue Migration.

Caution After you complete the migration, you cannot roll back to the old connectors.

Click Complete to complete the migration.

Results

All the directories are migrated to the new 20.01 connectors. The new Directory Sync, User Auth, and Kerberos Auth services now perform directory sync and user authentication.


New identity providers are created for each directory and appear in the Identity Providers tab with the name Migrated IDP for directory. The new identity providers are of type Built-in. For Kerberos authentication, a separate identity provider of type Workspace_IDP is created.

All authentication methods except for Kerberos are converted to outbound methods and are renamed with the (cloud deployment) suffix. For example, the Password authentication method is renamed to Password (cloud deployment). You can view and manage the new authentication methods from the Enterprise Authentication Methods tab.

What to do next

When the migration is completed, you can uninstall the old 19.03 connectors from the servers on which they are installed.


4 Resetting Virtual Apps Usage Option in Workspace ONE Access

You can use the Reset Virtual Apps Usage button to revert your Workspace ONE Access tenant to a state that allows you to change your connector selection, from the 20.01.x connector that does not support Virtual Apps to the legacy 19.03 or earlier connectors that support Virtual Apps, or the other way around. Virtual Apps refer to Horizon, Horizon Cloud, and Citrix integrations.

Beginning with the 20.01.x on-premises release and the January 2020 Cloud release, the Workspace ONE Access service supports either the 20.01.x connector or the legacy 19.03 or earlier connectors. It does not support both 20.01.x and legacy connector versions on the same tenant, therefore you must choose the type of connector based upon your needs. The 20.01.x connector includes the new Directory Sync, User Auth, and Kerberos Auth services but does not support Virtual Apps. If you want to integrate Horizon, Horizon Cloud, or Citrix apps and desktops, you must use connector 19.03 or earlier. If you want to integrate ThinApp packaged applications, you must use VMware Identity Manager connector (Linux) version 2018.8.1.0.

In a new or upgraded service installation, you select the type of connector to use when you first click NEW in the Identity & Access Management > Setup > Connectors page or Legacy Connectors page. When you make your selection, the service state is set accordingly, to use either 20.01 connectors or legacy connectors. The appropriate Connectors page appears and guides you to install that version of the connector.

If you want to change your selection subsequently, you can use the Reset Virtual Apps Usage button. Note that you cannot reset the Virtual Apps Usage option in all cases. The ability to reset the option depends on the current state of your system. For example, if you have already created directories or migrated your existing directories, you cannot reset the Virtual Apps Usage option. An appropriate error message appears that provides more information.

Note The Reset Virtual Apps Usage button is only available in the Workspace ONE Access Cloud service.

Procedure

1 Navigate to the Identity & Access Management > Setup > Connectors or Legacy Connectors page.


2 Click the Reset Virtual Apps Usage button.

3 Review the information in the confirmation dialog box, then click Proceed.

The page is reset. You can now select either 20.01 or legacy connectors by clicking NEW. If the current state of your migration or installation does not allow a reset of the Virtual Apps Usage option, an error message appears instead.

4 Click NEW.

The Virtual Apps Usage Confirmation dialog box appears.

5 Make your selection and click OK.

What to do next

Continue your installation or migration.


5 Troubleshooting Migration to Workspace ONE Access 20.01 Connectors

Use this information to troubleshoot errors that can occur during the migration to Workspace ONE Access 20.01 connectors.

- Error: When you try to migrate a directory of type Active Directory over Integrated Windows Authentication, you get the following error: Enterprise service <connector hostname>(EAS) response: Adapter configuration invalid: Authentication failed for the given user name and password.

Solution: This error occurs if there is a time skew between the connector server clock and the domain controller clock. Update the time on the connector server. A best practice is to set up time synchronization using an NTP server.
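The following PowerShell script is an added example, not part of the VMware guide, for checking the clock skew described above before you start the migration. Run it on the 20.01 connector server; the domain controller name and the 300-second threshold (the default Kerberos tolerance) are assumptions you should adjust.

```powershell
# Added example (not VMware's code): measure this connector server's clock offset
# against a domain controller with the built-in w32tm tool and flag skew that
# would break Integrated Windows Authentication during directory migration.
param(
    # Placeholder domain controller name; replace with one of your own DCs.
    [string]$DomainController = 'dc01.example.com',
    # Assumed threshold: Kerberos tolerates 5 minutes of skew by default.
    [int]$MaxSkewSeconds = 300
)

# w32tm /stripchart with /dataonly prints one line per sample in the form
# "HH:mm:ss, +00.0123456s" (offset of the local clock relative to the target).
$raw = & w32tm /stripchart /computer:$DomainController /samples:5 /dataonly
if ($LASTEXITCODE -ne 0) {
    throw "w32tm could not reach $DomainController (exit code $LASTEXITCODE)"
}

# Keep only the numeric offsets; status lines and errors do not match the pattern.
$offsets = foreach ($line in $raw) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No offset samples could be parsed from w32tm output:`n$($raw -join "`n")"
}

$meanOffset = ($offsets | Measure-Object -Average).Average
$absSkew    = [math]::Abs($meanOffset)

Write-Host ("Current time source : {0}" -f (& w32tm /query /source))
Write-Host ("Mean offset vs {0}: {1:N3} s" -f $DomainController, $meanOffset)

if ($absSkew -gt $MaxSkewSeconds) {
    Write-Warning ("Clock skew of {0:N1} s exceeds {1} s; IWA directory migration " +
                   "will fail with 'Authentication failed' until time is corrected." `
                   -f $absSkew, $MaxSkewSeconds)
    Write-Host "Suggested fix: point the server at the domain time hierarchy and resync:"
    Write-Host "  w32tm /config /syncfromflags:domhier /update"
    Write-Host "  w32tm /resync"
    exit 1
}

Write-Host "Clock skew is within tolerance; safe to proceed with the migration."
exit 0
```

The script only reports; the two w32tm commands it prints are the standard way to re-point a domain member at its domain time source, which is what the solution above recommends.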
