SAAM2197BU Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE
Transcript of VMworld 2017 session SAAM2197BU
Adarsh Kesari, Senior Systems Engineer
Kevin Sheehan, Customer Success Architect
#VMworld #SAAM2197BU
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#SAAM2197BU CONFIDENTIAL 2
Best Practices and Troubleshooting of Workspace ONE
1 Architectural Considerations
2 Basics of Troubleshooting
3 Troubleshooting Single Sign-on
4 Diagnosing Device Issues
5 Common Errors and Misconfigurations
Architectural Considerations for Identity Manager Deployments
• 3 primary models for deployment
– Cloud Hosted Model
– On Premises Model (all internal components)
– On Premises Model (DMZ based components)
• Appropriate choice will be based on:
– Authentication requirements
– Edge technologies deployed
– Organization perspective on cloud hosted solutions
• Remember, there are dozens of ways to build, integrate, secure, and access a Workspace ONE implementation!
– Every implementation will vary based on components
AirWatch 9.1 – Windows Based Identity Manager
Model 1 – Lightweight deployment of Identity Manager to support WS1 App
• Use cases limited to the Workspace ONE app as:
– A replacement for the AirWatch app catalog web clip
– An enrollment agent with adaptive management
– Container for unmanaged devices – 1st and 3rd party apps with the AirWatch SDK
• No need to manage Elasticsearch, Ehcache, RabbitMQ
• Management & Configuration through the Getting Started wizard
• 3rd Party IdP Integration is supported
Model 2 – Deployment of full Identity Manager feature set in a new cluster (available 9.1 FP1)
• Use cases extend beyond the Workspace ONE app, such as:
– Identity management and app federation (web apps in IDM)
– Mobile Single Sign-On
– Conditional Access
– Multi-factor authentication (VMware Verify or 3rd party)
– Virtual apps and desktops
– Integrated Windows Authentication (IWA)
• Management and Configuration as with the Linux IDM appliance
• 3rd Party IdP Integration is supported
Workspace ONE High Level Architecture: Cloud Model
(Diagram; labels recovered from the slide) Components shown: AirWatch Tenant, Identity Manager Tenant, IDM Connector, AirWatch Cloud Connector, View Connection Server, AD, CS, Access Point (UAG), WS1 App on a Mobile Device, SaaS Apps, Public App Stores. Zones: DMZ and Internal Network.
Workspace ONE High Level Architecture: Internal Components
(Diagram; labels recovered from the slide) Components shown: Identity Manager Appliance, AD, AirWatch Cloud Connector, View Connection Server, Access Point (UAG), AW DS, AirWatch CN, SaaS Apps, Public App Stores. Zones: DMZ and Internal Network.
Workspace ONE High Level Architecture: DMZ based components
(Diagram; labels recovered from the slide) Components shown: Identity Manager Appliance, AD, AirWatch Cloud Connector, View Connection Server, Access Point (UAG), AW DS, IDM Connector, AirWatch CN, SaaS Apps, Public App Stores. Zones: DMZ and Internal Network. Marked on the slide as "Best Practice!"
Simplified Port Considerations for Workspace ONE
(Diagram; labels recovered from the slide) Connector only; LAN; DMZ; PORT 443, PCoIP; Horizon; TCP 443; Kerberos / Header based
Identity Manager Port Diagrams
• Not every component will be used in any given implementation
• New components and features will necessitate new ports in/outbound
• Key details and the most up to date material available at:
– https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-network-ports.html
Identity Manager Port Diagram (slide 11)
Integrated Windows Authentication (IWA) ports, Connector to AD:
Port            Description
TCP 389         LDAP query
TCP/UDP 88      Kerberos authentication
TCP/UDP 464     Computer object password renewal
Directory ports, Connector to AD:
AD over LDAP            TCP 389
AD over LDAPS           TCP 636
AD Global Catalog       TCP 3268 and 3269
Kerberos                TCP/UDP 88
Other ports on the diagram:
HTTPS (service and Connector traffic)           TCP 443
certproxy for Android Mobile SSO                TCP 5262
Appliance admin (admin console and SSH)         TCP 8443, 22
Email out / approval flow integration           (no port recovered from the slide)
DNS                                             TCP/UDP 53
FQDN, App Catalog, VMware Verify                TCP 443
OCSP                                            TCP 80
Syslog                                          UDP/TCP 514 or TCP 1514
Log Insight                                     TCP 9543
NTP (ESXi host)                                 UDP 123
SMB                                             TCP 445 (destination label not recovered from the slide)
Appliance cluster services:
Elasticsearch           TCP 9300
Ehcache                 TCP 40002, 40003
vPostgres               TCP 9400
Other endpoints drawn: Integration Broker, Integration Broker SSO, API Server, RADIUS, Connection Server (ports on the following slides)
For more details on Horizon ports look at the VMware Horizon 7 Network Ports doc: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports-diagram.pdf
Identity Manager Port Diagram (slide 12): Connector-only deployment with vIDM
Connector to AD: same IWA and directory ports as slide 11 (TCP 389 LDAP query, TCP 636 LDAPS, TCP 3268 and 3269 Global Catalog, TCP/UDP 88 Kerberos, TCP/UDP 464 computer object password renewal)
Connector to vIDM:
TCP 443 when using the legacy Connector deployment (the service connects to the Connector, so this port must be reachable inbound from vIDM)
TCP 443 when using the outbound-only Connector deployment (the Connector initiates the connection to vIDM; no inbound rule to the Connector is needed)
Appliance egress: DNS TCP/UDP 53, OCSP TCP 80, Syslog UDP/TCP 514 or TCP 1514, Log Insight TCP 9543, NTP (ESXi host) UDP 123, Email out, FQDN / App Catalog / VMware Verify TCP 443, approval flow integration
Cluster services: Elasticsearch TCP 9300, Ehcache TCP 40002 and 40003, vPostgres TCP 9400
Other endpoints drawn: Integration Broker, Integration Broker SSO, API Server, RADIUS, Connection Server
Integration Broker Port Diagram (slide 13): Citrix XenApp and Windows desktops
Integration Broker / Integration Broker SSO                TCP 443
Citrix XML Service                                         TCP 80 or 443 (XML)
Secure Ticketing Authority (STA)*                          TCP 80 or 443
HTML                                                       TCP 443
ICA session                                                TCP 1494 (ICA), TCP 2598 (Session Reliability)
Windows Desktops / RDSH Hosts                              TCP 5985 / 5986 (WinRM / PS Remoting; prefer 5986, WinRM over HTTPS, where the hosts support it), TCP 80 or 443
Note:
• For external access Citrix uses a Secure Ticketing Authority (STA) to enhance security. This is normally on port 80 or 443; check with the Citrix admin team.
• The Citrix XML Service normally runs on port 80 or 443, but can be changed to any port, which was common on legacy Citrix environments. Check the XML port with the Citrix admin team.
• A single Integration Broker can host multiple XenApp environments and the SSO function, or you can split the SSO function onto a separate VM.
• Integration Broker and Integration Broker SSO can all run on the same server.
Basics of Troubleshooting
Troubleshooting within the Identity Manager Console
• Dashboard
• Log Bundles
• Real-time log monitoring
• Key logs for review
Troubleshooting in the Identity Manager Console
• System Diagnostics Dashboard
– First place to verify functionality
• Only available in on-premises deployments of IDM
• Provides health information on:
– Cluster status
– Connectors
– FQDN configuration
– Database connectivity
• Type and health
– Certificates
Troubleshooting in the Identity Manager Console
• Reports Dashboard
– Granular information on use of IDM over the past 90 days
• Available in both on-premises and hosted deployments
• Provides health information on:
– Recent Activity
– Application usage
– Application Entitlements
– Devices accessing IDM
• Full Audit events
– Useful for troubleshooting network ranges, SAML errors, etc.
Troubleshooting in the Identity Manager Console
• Log Bundles
– Very useful but large set of logs from the system
– More logs available from on-premises deployments
– Downloaded as a tar.gz
– Hosted deployments require ticket opened with support. Provide support with at least:
• Tenant name
• User name
• Application name
• Approximate time of failure/issue
Accessing Logs With a Tool Such as WinSCP
• On the Linux appliance the root user is needed to access the logs, but root cannot log in over SSH by default
• Enable root log-in temporarily by:
vi /etc/ssh/sshd_config
PermitRootLogin yes
/etc/init.d/ssh restart
• Set PermitRootLogin back to no and restart the SSH service when you are done; leaving root SSH enabled on the appliance widens its attack surface
• Path to log files
/opt/vmware/horizon/workspace/logs
• Open with a local editor such as Notepad++
• A Windows installation does not require these steps: just access the file system
Key Log Files to Review
• Connector.log
– Requests received from the Web interface - specifically authentications handled by the Connector (user/pass, RADIUS, Legacy Certificate, Kerberos). Each log entry includes the request URL, timestamp, and exceptions
• Horizon.log
– Output messages for service based authentication adapters, service providers, and general tenant health info
• Greenbox.log
– Events related to the unified user portal. For UI specific issues, you may find more information here
Health Check API Calls
• Appliance Health Check:
– /SAAS/API/1.0/REST/system/health
– https://{url}/SAAS/API/1.0/REST/system/health
– Example: https://ksheehan.vmwareidentity.com/SAAS/API/1.0/REST/system/health
• Connector Health Check:
– /hc/API/1.0/REST/system/health
– https://{url}/hc/API/1.0/REST/system/health
– Example: https://svr-02.kbs.local/hc/API/1.0/REST/system/health
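A small client for the two health endpoints above, added here as an editor's example; it is not VMware code. The endpoint paths are the ones on this slide. The flat JSON document with "true"/"false" string flags, and the key names in the constructed sample responses, are assumptions about the wire format; only the parsing helper needs changing if a tenant answers differently. TLS verification is deliberately left on, since a certificate fault is one of the things the dashboard is there to report.

```python
import json
import ssl
import urllib.request

SERVICE_HEALTH = "/SAAS/API/1.0/REST/system/health"   # appliance / hosted tenant
CONNECTOR_HEALTH = "/hc/API/1.0/REST/system/health"    # connector


def fetch_health(base_url, path, timeout=10):
    """GET a health endpoint over HTTPS with certificate verification left on.
    Do not turn verification off to get past a handshake error: a broken
    certificate is one of the faults the dashboard exists to surface."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _is_true(value):
    # Assumed wire format: the flags are the strings "true"/"false".
    # Real booleans are accepted too so a format change does not break triage.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_health(payload):
    """Return (all_ok, failing_keys).  Only keys ending in 'Ok' are treated as
    health flags; informational fields (version strings etc.) are ignored.
    all_ok is False if the summary flag is false OR any individual flag is."""
    failing = sorted(k for k, v in payload.items()
                     if k.endswith("Ok") and not _is_true(v))
    all_ok = _is_true(payload.get("AllOk", "false")) and not failing
    return all_ok, failing


# Constructed sample documents (not captured from a real tenant).
SAMPLE_OK = {"AllOk": "true", "DatabaseConnectionOk": "true",
             "MessagingConnectionOk": "true", "Version": "3.0.0"}
SAMPLE_BAD = {"AllOk": "false", "DatabaseConnectionOk": "true",
              "MessagingConnectionOk": "false", "Version": "3.0.0"}


def main(argv):
    # With a base URL argument (e.g. https://tenant.vmwareidentity.com) query
    # the live service endpoint; otherwise run against the constructed samples.
    if len(argv) > 1:
        print("service:", check_health(fetch_health(argv[1], SERVICE_HEALTH)))
        return
    for name, payload in (("sample ok", SAMPLE_OK), ("sample bad", SAMPLE_BAD)):
        ok, failing = check_health(payload)
        print(f"{name}: {'OK' if ok else 'NOT OK'} failing={failing}")


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

Run it with the tenant or appliance base URL to poll the service; pass the connector host and CONNECTOR_HEALTH to fetch_health for a connector. A document whose summary flag is true but which carries a false individual flag is still reported as not OK, so a partially degraded node does not hide behind AllOk.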
Using SAML Tracer to Troubleshoot SSO
• Add-on for Firefox
• Various similar tools are just as effective
• Process for troubleshooting:
– Launch SAML Tracer
– Navigate to Identity Manager portal
– Navigate to SSO based web app
– Return to SAML tracer to review results and any errors
• Typical problems:
– NameID format mismatch
– Date/time sync issues between IDM and SaaS app
– Misconfiguration of encryption
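What the SAML Tracer workflow above checks by eye, done in code; this is an added example and not part of the session or a VMware tool. It decodes the SAMLResponse field the way the tracer shows it (POST binding, or the deflated Redirect binding) and flags the three typical problems listed: a NameID format other than the one the SaaS app expects, an assertion whose validity window does not contain the current time beyond an allowed clock skew, and an encrypted assertion. The SAML Response documents, identifiers and issuer are constructed; the expected NameID format is a placeholder for whatever the app's SAML settings require.

```python
import base64
import zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def decode_saml(field_value):
    """The SAMLResponse field is base64 (POST binding) or base64 over a raw
    DEFLATE stream (Redirect binding).  Returns the XML bytes either way."""
    raw = base64.b64decode(field_value)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)        # wbits=-15: raw deflate, no header


def _parse_time(value):
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp {value!r}")


def inspect_response(xml_bytes, expected_nameid_format, now, max_skew=180):
    """Return (findings, problems).  An empty problems list means the response
    is consistent with what the SP expects for NameID, timing and encryption."""
    root = ET.fromstring(xml_bytes)
    findings = {"status": None, "nameid": None, "nameid_format": None, "encrypted": False}
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    findings["status"] = code.get("Value") if code is not None else None
    if not (findings["status"] or "").endswith(":Success"):
        problems.append(f"IdP status is {findings['status']}, not Success")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings["encrypted"] = True
        problems.append("assertion is encrypted: the SP needs the matching decryption "
                        "key, or the app's IdM configuration must send signed-only assertions")
        return findings, problems               # nothing below is readable without the key
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element in the response")
        return findings, problems
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("Subject carries no NameID")
    else:
        findings["nameid"] = nameid.text
        findings["nameid_format"] = nameid.get("Format", NAMEID_UNSPEC)
        if findings["nameid_format"] != expected_nameid_format:
            problems.append(f"NameID format {findings['nameid_format']} differs from "
                            f"the SP's expected {expected_nameid_format}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        skew = timedelta(seconds=max_skew)
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _parse_time(nb):
            problems.append(f"assertion not yet valid (NotBefore {nb}): check IdM/SP clock sync")
        if na and now - skew >= _parse_time(na):
            problems.append(f"assertion expired (NotOnOrAfter {na}): check clock sync "
                            "or whether the browser replayed an old response")
    return findings, problems


# Constructed responses for a user 'jdoe' (IDs, issuer and times are made up).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-08-30T15:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-30T15:00:00Z">
    <saml:Issuer>https://idm.example.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-08-30T14:59:00Z" NotOnOrAfter="2017-08-30T15:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
ENCRYPTED_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" IssueInstant="2017-08-30T15:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""


def _raw_deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


SAMPLE_POST = base64.b64encode(SAMPLE_XML).decode()                   # POST binding field
SAMPLE_REDIRECT = base64.b64encode(_raw_deflate(SAMPLE_XML)).decode()  # Redirect binding field
NOW_OK = datetime(2017, 8, 30, 15, 0, 30, tzinfo=timezone.utc)      # inside the window
NOW_LATE = datetime(2017, 8, 30, 15, 20, 0, tzinfo=timezone.utc)    # SP clock 20 min ahead

if __name__ == "__main__":
    for label, blob in (("POST", SAMPLE_POST), ("Redirect", SAMPLE_REDIRECT)):
        print(label, inspect_response(decode_saml(blob), NAMEID_EMAIL, NOW_OK))
    print("late clock", inspect_response(SAMPLE_XML, NAMEID_UNSPEC, NOW_LATE))
    print("encrypted", inspect_response(ENCRYPTED_XML, NAMEID_UNSPEC, NOW_OK))
```

Paste the SAMLResponse value from the tracer's POST or Redirect view into decode_saml and pass the format the app's SAML settings ask for. The skew allowance mirrors what most SPs tolerate; if a response only passes with a large max_skew, the real fix is NTP on the IdM appliance or the SP, not a wider window.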
Troubleshooting IDM Access Issues
• IdP Not Found
– Usually due to policies not set correctly
– Verify the platform, network ranges and authentication methods
– Remember, the first policy that matches will be applied!
• A request from Safari on macOS matches both a macOS rule and a Web Browser rule; whichever sits higher in the list is applied
• Use the handles on the left of the policy to re-order
– Make sure the Connector is available
– Make sure the Outbound Connector has been configured
– Network ranges on hosted IDM are determined by your egress IP to the Internet, not by the client's LAN address
• Check the Audit logs to determine the address
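The first-match behaviour described above, reduced to code as an added example (not VMware code). The rule model is a simplification of the console's access policy rules: a rule names the device types it applies to, a network range, and an authentication chain; a request from Safari on macOS belongs to both the "Web Browser" and "macOS" classes. The policy names, network ranges and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ALL_RANGES = "ALL RANGES"     # the console's default network range


@dataclass
class Rule:
    name: str
    device_types: frozenset    # classes the rule applies to, or {"ALL"}
    network_range: str         # ALL_RANGES or a CIDR block, e.g. "10.0.0.0/8"
    auth_chain: tuple          # authentication methods in fallback order


@dataclass
class Request:
    classes: frozenset         # every type the request can be classified as
    egress_ip: str             # the address IdM sees (hosted: your NAT/egress IP)


def matches(rule, req):
    """A rule applies when the device type matches AND the source IP falls in
    the rule's network range.  A browser on macOS is both 'Web Browser' and
    'macOS', so it can satisfy either kind of rule."""
    type_ok = "ALL" in rule.device_types or bool(rule.device_types & req.classes)
    if rule.network_range == ALL_RANGES:
        net_ok = True
    else:
        net_ok = ipaddress.ip_address(req.egress_ip) in ipaddress.ip_network(rule.network_range)
    return type_ok and net_ok


def select_rule(rules, req):
    """Top-down, first match wins (the console's drag-handle order).  None
    means no rule applied, which surfaces to the user as 'IdP Not Found'."""
    for rule in rules:
        if matches(rule, req):
            return rule
    return None


def explain(rules, req):
    """Per-rule trace for a request: read it alongside the source address the
    audit log recorded to see why a rule did or did not fire."""
    return [(r.name, matches(r, req)) for r in rules]


# Constructed policy set: names, network ranges and addresses are made up.
WEB = Rule("Web Browser, any network", frozenset({"Web Browser"}), ALL_RANGES, ("Password",))
MAC = Rule("macOS, any network", frozenset({"macOS"}), ALL_RANGES, ("Certificate", "Password"))
INTERNAL = Rule("Any device, corporate LAN", frozenset({"ALL"}), "10.0.0.0/8", ("Kerberos", "Password"))

SAFARI_ON_MAC = Request(frozenset({"Web Browser", "macOS"}), "203.0.113.7")

if __name__ == "__main__":
    # Web Browser rule above the macOS rule: the macOS rule never fires for Safari.
    print(select_rule([WEB, MAC], SAFARI_ON_MAC).name)
    # Re-ordered with the handles: now the macOS-specific chain is used.
    print(select_rule([MAC, WEB], SAFARI_ON_MAC).name)
    # Hosted IdM sees the public egress IP, not the LAN address, so a policy
    # with only an internal range matches nothing: 'IdP Not Found'.
    print(select_rule([INTERNAL], SAFARI_ON_MAC), explain([INTERNAL], SAFARI_ON_MAC))
```

The last case is the hosted-tenant trap from the slide: the rule's range is correct for the office LAN, but the tenant only ever sees the NAT address, so the range must be the egress address (taken from the audit log) rather than the internal subnet.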
Troubleshooting Mobile SSO for iOS
• Profile issues
• Certificates
• UPN mismatch
• Kerberos Realm not properly configured
• App Bundle IDs not added to the SSO Profile
– Always add: com.apple.SafariViewService and com.apple.mobilesafari
• On Prem KDC initialization and configuration
Troubleshooting and Common Issues for iOS SSO
• Double and triple check certificates at the integration points between AW and IDM as well as in iOS profiles
• Ensure Realm is UPPERCASE in the AW device profile
• Ensure device enrollment is showing a Device Management profile with Kerberos and SCEP definitions, as well as the KDC root certificate
Troubleshooting and Common Issues for iOS SSO
Troubleshooting Mobile SSO
• Use Xcode from the App Store and a GSS debugging profile over USB to capture log data from the iOS device to the KDC
• Load the "GSS Debugging" profile onto your iOS device
• Look for Notice messages, which indicate Kerberos traffic
• Lack of Notice messages, or errors, will highlight where to look for issues (DNS resolution, port 88 not open, mismatched DN in certificate, etc.)
On Premises KDC Initialization and Configuration
Mobile SSO for iOS with on premises IDM has specific requirements:
• Initialization of the KDC on the appliance
• Configuration of DNS entries for the Kerberos Realm
• Inbound port 88 access to the IDM appliance
• Configuration of a certificate template and integration with the Certificate Authority
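The iOS checks from the last four slides as a pre-flight lint over the configuration profile AirWatch pushes to the device, added here as an editor's example; it is not VMware or AirWatch code. It verifies the realm is uppercase, the two Safari bundle IDs are in the app list, the principal matches the user's UPN, the SSO payload points at a SCEP payload in the same profile, and a root certificate payload (the KDC root) is present, then prints the DNS names the KDC's realm entries should answer for. Apple's com.apple.sso, com.apple.security.scep and com.apple.security.root payload keys are Apple's own; the UUIDs, realm, UPN and SCEP URL are made up, and the SRV names assume standard Kerberos DNS realm discovery.

```python
import plistlib
import uuid

REQUIRED_APPS = {"com.apple.SafariViewService", "com.apple.mobilesafari"}


def lint_sso_profile(profile_bytes, expected_upn):
    """Return the list of checklist failures for an iOS configuration profile
    carrying a Kerberos SSO payload; an empty list means it passes."""
    profile = plistlib.loads(profile_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    sso = by_type.get("com.apple.sso")
    if not sso:
        return ["profile has no com.apple.sso (Kerberos SSO) payload"]
    krb = sso[0].get("Kerberos", {})
    problems = []
    realm = krb.get("Realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"Realm {realm!r} must be UPPERCASE; Kerberos realm names are case-sensitive")
    principal = krb.get("PrincipalName", "")
    if principal != expected_upn:
        problems.append(f"PrincipalName {principal!r} does not match the enrolled user's UPN {expected_upn!r}")
    missing = REQUIRED_APPS - set(krb.get("AppIdentifierMatches", []))
    if missing:
        problems.append("AppIdentifierMatches is missing " + ", ".join(sorted(missing)))
    scep_uuids = {p.get("PayloadUUID") for p in by_type.get("com.apple.security.scep", [])}
    if sso[0].get("PayloadCertificateUUID") not in scep_uuids:
        problems.append("PayloadCertificateUUID does not point at a SCEP payload in this profile")
    if not by_type.get("com.apple.security.root"):
        problems.append("no root certificate payload (KDC root CA) in the profile")
    return problems


def kdc_dns_names(realm):
    """SRV names a Kerberos client uses to find the KDC for a realm (assumption:
    standard DNS realm discovery).  Verify they resolve to the IdM appliance and
    that UDP/TCP 88 is open from the device network before blaming the profile."""
    r = realm.lower()
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"]


def build_profile(realm, principal, apps, cert_uuid, scep_uuid, with_root=True):
    """Assemble a constructed profile in the shape AirWatch would push; only the
    keys the lint looks at are populated."""
    payloads = [
        {"PayloadType": "com.apple.sso", "PayloadUUID": str(uuid.uuid4()),
         "PayloadCertificateUUID": cert_uuid,
         "Kerberos": {"Realm": realm, "PrincipalName": principal,
                      "AppIdentifierMatches": sorted(apps),
                      "URLPrefixMatches": ["https://"]}},
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": scep_uuid,
         "PayloadContent": {"URL": "https://scep.example.com/scep"}},   # made-up URL
    ]
    if with_root:
        payloads.append({"PayloadType": "com.apple.security.root",
                         "PayloadUUID": str(uuid.uuid4()),
                         "PayloadContent": b"placeholder, not a real certificate"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadUUID": str(uuid.uuid4()),
                           "PayloadContent": payloads})


SCEP_UUID = "2b5d4f0e-0000-4000-8000-000000000001"   # constructed
GOOD_PROFILE = build_profile("EXAMPLE.COM", "jdoe@example.com",
                             REQUIRED_APPS | {"com.example.expenses"}, SCEP_UUID, SCEP_UUID)
BAD_PROFILE = build_profile("example.com", "jdoe@corp.local",
                            {"com.apple.mobilesafari"}, "not-a-scep-payload", SCEP_UUID,
                            with_root=False)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, lint_sso_profile(blob, "jdoe@example.com"))
    print(kdc_dns_names("EXAMPLE.COM"))
```

To lint a real device, export the installed profile (for example from the device's management data or a .mobileconfig saved from the console) and feed its bytes to lint_sso_profile with the user's UPN; every finding maps to one of the slide's bullets, which keeps the Xcode/GSS capture for the cases the profile itself cannot explain.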
Troubleshooting Mobile SSO for Android
• Applications not set for proxy
– Must force all apps to use Proxy to the certproxy service
• Proxy destination not set
– certproxy.vmwareidentity.com:5262 for hosted IDM
• Tunnel Config in AirWatch
– Does not need full appliance deployment, only dummy data if not using tunnel
• Tunnel not started on device
– Look for Tunnel icon to appear in status bar of Android device
Accelerate Your Knowledge of Workspace ONE
Date | Title | Session # | Speaker
Tuesday, 11:00am | Transformation of the Digital Workspace | SAAM3157SU | Tony Kueh
Tuesday, 12:30pm | Introduction to Access Management in Workspace ONE | SAAM2288BU | Josue Fontanez, Prab Kalra
Tuesday, 3:30pm | Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE | SAAM1150BU | Greg Armanini, Matt Coppinger
Tuesday, 5:00pm | Securing Access and Protecting Information in Office 365 with Workspace ONE | SAAM2291BU | Camilo Lotero, Adarsh Kesari
Wednesday, 2:00pm | Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE | SAAM2197BU | Kevin Sheehan, Adarsh Kesari
Wednesday, 3:30pm | Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE | SAAM2204BU | Vikas Jain, Prab Kalra
Thursday, 10:30am | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | SAAM1321BU | Robert Coggins, Josue Fontanez
Thursday, 1:30pm | Simplify Management and Security of your Mobile Apps with Workspace ONE | SAAM2294BU | Vikas Jain, Vinay Jain
Also join us for Quick Talks, Expert Discussions, and Hands-on-Labs!!!