Load Balancing VMware Workspace ONE Access Guide

This is not a new article or new information; it is just a collection from other posts with the URLs of the guides updated, and it only covers configuring port 443.

What is VMware Workspace ONE Access?

VMware Workspace ONE Access is VMware's identity and access provider, offering single sign-on with a unified app catalog that combines applications and desktops in a single, aggregated workspace. To enhance security and user experience, it also provides conditional access and multi-factor authentication (MFA) support, so users can securely access their desktops and applications regardless of where they are based. With fewer management points and flexible access, Workspace ONE Access reduces the complexity of IT administration.

Workspace ONE Access deployment

Workspace ONE Access is not designed to face the Internet by itself. During deployment, the Workspace ONE Access instance is set up inside the internal network. If you want to provide access to the service for users connecting from outside networks, you must install a load balancer or a reverse proxy, such as Apache, Nginx, or F5, in the DMZ, and you must change the FQDN to use a publicly available URL. When you change the FQDN, all client access is redirected to this public FQDN. Only the Workspace ONE Access admin pages are still accessible using the internal hostname, such as https://workspace.corp.local:8443

If you do not use a load balancer or reverse proxy, you cannot expand the number of Workspace ONE Access instances later. You might need to add more instances to provide redundancy and load balancing. The following diagram shows the basic deployment architecture that you can use to enable external access.

Workspace ONE Access Load Balancer Settings to Configure

Load balancer settings to configure include enabling X-Forwarded-For headers, setting the load balancer time-out correctly, and enabling sticky sessions. In addition, SSL trust must be configured between the Workspace ONE Access connector machine and the load balancer.

  • X-Forwarded-For Headers: You must enable X-Forwarded-For headers on your load balancer.
  • Load Balancer Timeout: The value is set in minutes. If the timeout setting is too low, you might see this error: “502 error: The service is unavailable”.
  • Enable Sticky Sessions: You must enable the sticky session setting on the load balancer if your deployment has multiple Workspace ONE Access machines.
  • Do not block session cookies: Do not block session cookies by adding rules to the load balancer. Adding such rules to the load balancer can result in inconsistent behavior and failed requests. You will mostly notice this when you try to add a connector and it fails.
  • WebSocket support: The load balancer must have WebSocket support to enable secure communication channels between connector instances and the Workspace ONE Access nodes.
  • Ciphers with forward secrecy: To support iOS App Transport Security requirements, the load balancer must offer ciphers with forward secrecy. The following ciphers meet this requirement:

ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode

Workspace ONE Access Configuration Guide with F5

You can now download the updated step-by-step guide for Load Balancing VMware Workspace ONE Access (old name : Identity Manager)
https://www.f5.com/pdf/solution-center/f5-big-ip-vmware-workspaceone-integration-guide.pdf

You can also read up on setting up a 3-Node Cluster with VMware Identity Manager.

https://communities.vmware.com/docs/DOC-33552
http://pubs.vmware.com/identity-manager-28/index.jsp#com.vmware.wsp-install_28/GUID-A29C51E5-6FF5-4F7F-8FC2-1A0F687F6DC5.html

Monitor Workspace ONE access with F5 Guide

The basic F5 health monitor information is as follows:

Send String:

GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: <LB_FQDN>\r\nConnection: Close\r\n\r\n

NOTE: Remove the “<>” if you copy/paste into your health monitor.

Receive String:

ok$

Receive Disable String:

404


F5 Monitor Creation Procedure:

Here is how to create this within the F5 BIG-IP.

  1. Login as administrator to your F5 BIG-IP appliance.
  2. Browse to Monitors under the Local Traffic tab in the left hand menu.
  3. Click the CREATE button in the upper left to start the creation of a new health monitor.
  4. Give it a name such as ViDM_Monitor or something similar and provide a description as needed.
  5. Select HTTPS as the type. This sets the parent monitor to https and opens the “Configuration” screen with options for Send String, Receive String, and Receive Disable String among the many shown.
  6. Use the following for the Send String.

GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: <LB_FQDN>\r\nConnection: Close\r\n\r\n

NOTE: Remove the “<>” if you copy/paste the above line into your BIG-IP settings.

  7. Use the following for the Receive String.

ok$

  8. Use the following as the Receive Disable String.

404

  9. Leave the rest of the fields at their default settings.
  10. Click the FINISHED button.

Now you need to assign this monitor to the Workspace ONE Access pool so the F5 BIG-IP virtual server can use it.

NOTE:  Make sure you do this part during off-hours or scheduled down time.

  1. Assuming you are already logged in from above, browse to Local Traffic > Virtual Servers > Pools and select your pool of VMware Identity Manager appliances.
  2. Edit the Health Monitors section to remove previous active health monitors and assign your new health monitor you just created above.
  3. Click the UPDATE button when ready.
  4. Validate the new health monitor works properly and as expected by viewing the pool members status and Virtual Server status within the F5 BIG-IP admin console.
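To see what the monitor above actually evaluates, here is an added example (written for this page, not F5's or VMware's code) that builds the same Send String and applies the Receive String / Receive Disable String logic to a raw HTTP response, using constructed sample responses. The `probe_node` helper sends the identical request straight to one appliance so a node can be checked outside the pool; the evaluation order and the sample responses are assumptions stated in the comments.

```python
import re
import socket
import ssl

# Values copied from the BIG-IP monitor described above.
HEARTBEAT_PATH = "/SAAS/API/1.0/REST/system/health/heartbeat"
RECEIVE_STRING = r"ok$"          # match -> member Up
RECEIVE_DISABLE_STRING = r"404"  # match -> member Disabled (drained, not hard Down)


def build_send_string(lb_fqdn: str) -> str:
    """The Send String with the <LB_FQDN> placeholder filled in."""
    return (f"GET {HEARTBEAT_PATH} HTTP/1.1\r\n"
            f"Host: {lb_fqdn}\r\nConnection: Close\r\n\r\n")


def classify_response(raw: str) -> str:
    """Apply the monitor's receive logic to a raw HTTP response (headers + body).

    Assumed order: Receive String match -> 'up'; else Receive Disable String
    match -> 'disabled'; neither -> 'down'. Both are regexes, and '$' in 'ok$'
    is the end of the received data, so anything after 'ok' (e.g. CRLF) fails.
    """
    if re.search(RECEIVE_STRING, raw):
        return "up"
    if re.search(RECEIVE_DISABLE_STRING, raw):
        return "disabled"
    return "down"


def probe_node(node_ip: str, lb_fqdn: str, timeout: float = 5.0) -> str:
    """Send the same request straight to one node, bypassing the load balancer.
    Default TLS verification is kept; add your internal root CA to ctx if needed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((node_ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=lb_fqdn) as tls:
            tls.sendall(build_send_string(lb_fqdn).encode("ascii"))
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
    return classify_response(b"".join(chunks).decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real appliance).
SAMPLE_UP = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
             "Content-Length: 2\r\nConnection: close\r\n\r\nok")
SAMPLE_DISABLED = "HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nNot Found"
SAMPLE_DOWN = "HTTP/1.1 503 Service Unavailable\r\n\r\n<html>Unavailable</html>"
```

Running `classify_response` over the three samples gives `up`, `disabled` and `down`, which is what you should see in the pool member status after the monitor is assigned.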

For more detail, refer to https://communities.vmware.com/t5/Workspace-ONE-Discussions/EUC-CST-Tech-Notes-Proper-VMware-Identity-Manager-Node/m-p/2748736#2667814

Troubleshooting and diagnosing Workspace ONE Access load balancing

When you specify a new FQDN, the Workspace ONE Access virtual appliance must verify that it can communicate round-trip through the load balancer and back to itself, as shown in the following screenshot.

This is where issues can arise. If Workspace ONE Access cannot perform this round-trip communication, it refuses to change the FQDN. The appliance is attempting to access https://FQDN/SAAS/jersey/manager/api/health. If it cannot access that URL, Workspace ONE Access displays the error message Error connecting workspace url.

Check the Workspace ONE Access log located in

/opt/vmware/horizon/workspace/logs/configurator.log

and you might see a line similar to the following:

2019-10-10 11:05:46,223 ERROR (tomcat-http–44) [;;] com.vmware.horizon.svadmin.service.ApplicationSetupService – Error validating workspace url

Also, in most cases, especially when Workspace ONE Access is deployed on premises, we start with a single node and configure the load balancer. Although this does not follow best practice, it will probably work with a single node. The next step is to add Workspace ONE connectors, and here you will get the error:

Request Failed Please contact your IT administrator. This issue is probably because the load balancer is not configured correctly and its settings need to be reviewed, so be sure to resolve the issues below:

  • Certificate issues:
    • Make sure that the certificate used by the load balancer’s virtual server is correct. The CN and subjectAltName must match your FQDN.
    • When you upload the certificate, make sure that you have the root CA certificate in Base64 format.
    • Install the full certificate chain in the load balancer and, once installed, verify it (use the SSL Shopper certificate checker and make sure it shows all green).
    • Use a trusted certificate: one reason for unsuccessful FQDN updates is that the load balancer has invalid or untrusted certificates. Workspace ONE Access must trust the certificate. Your certificate is signed by a Certificate Authority (CA), so the root CA certificate must be trusted as well. If you use a certificate signed by a lesser-known CA, you must upload the root CA certificate to the Workspace ONE Access keystore from the configuration page. This forces Workspace ONE Access to trust the certificate used on your load balancer.
  • If you decide to use a self-signed certificate on the appliance, be sure to extract the root certificate and import it into the load balancer.
  • Verifying DNS records: There are a few common reasons why Workspace ONE Access fails to change the FQDN. The first reason is that DNS records might be missing.
    • Ensure that you have forward and reverse DNS entries pointing to your load balancer’s virtual server.
    • Ensure that you have a static DNS record for each Workspace ONE appliance with reverse DNS (otherwise you will get red in the appliance health).
    • Use nslookup to verify all the IPs and host names.
  • Verify Workspace ONE Access communication with the load balancer: outbound traffic on port 443 is required from the Workspace ONE Access virtual appliance to the load balancer’s virtual server.

Run the command curl -v 3 -ssl https://FQDN on the Workspace ONE Access appliance. The result should help you determine why Workspace ONE Access
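An added check for the DNS items above (example code written for this page, not from VMware or F5): it walks the load balancer FQDN and every appliance hostname, confirming each name resolves and that every address has a PTR pointing back to the same name. The resolver functions are injectable so the constructed records at the bottom can be checked offline; the hostnames and addresses are assumptions.

```python
import socket
from typing import Callable, List

# Real lookups via the system resolver; the constructed ones below replace them offline.
def system_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]

def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def check_dns(lb_fqdn: str, appliances: List[str],
              forward: Callable[[str], List[str]] = system_forward,
              reverse: Callable[[str], str] = system_reverse) -> List[str]:
    """Return findings; empty means every A record has a PTR naming the same
    host, for the load balancer FQDN and each appliance (a missing appliance
    PTR is what turns the appliance health page red)."""
    findings = []
    for host in [lb_fqdn, *appliances]:
        try:
            ips = forward(host)
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            findings.append(f"{host}: no forward (A) record")
            continue
        for ip in ips:
            try:
                ptr = reverse(ip)
            except OSError:
                findings.append(f"{host} -> {ip}: no reverse (PTR) record")
                continue
            if ptr.rstrip(".").lower() != host.rstrip(".").lower():
                findings.append(f"{host} -> {ip} -> {ptr}: PTR does not match host")
    return findings

# Constructed records (assumed names and addresses, not a real environment).
CONSTRUCTED_A = {"access.example.com": ["10.0.0.10"],
                 "ws1-node1.corp.local": ["10.0.1.11"],
                 "ws1-node2.corp.local": ["10.0.1.12"]}
CONSTRUCTED_PTR = {"10.0.0.10": "access.example.com",
                   "10.0.1.11": "ws1-node1.corp.local"}  # node2 PTR left out

def fake_forward(name: str) -> List[str]:
    if name not in CONSTRUCTED_A:
        raise socket.gaierror(f"no A record for {name}")
    return CONSTRUCTED_A[name]

def fake_reverse(ip: str) -> str:
    if ip not in CONSTRUCTED_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return CONSTRUCTED_PTR[ip]
```

Call `check_dns` with the real resolvers (the defaults) on the appliance itself to get the same answers nslookup would give, one finding per broken record.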
