
SAML Authentication with Workspace ONE Access: Part 1 Preparation

Introduction and Architecture

This will be a multi-part series in which I set up SAML authentication using a VMware Workspace ONE Access 20.10 server.

According to the VMware Horizon Feature Comparison, Workspace ONE Access is included in the Horizon 8 Advanced license available through VMUG Advantage. I’m planning on using this for my NSX Managers and Horizon Connection Servers. Here is a basic architectural setup that I’m planning on using:

I based my design on the “Workspace ONE Access Architecture Diagram for Typical Deployments.” I want to use this as an opportunity to learn how to work with the NSX-T Distributed and Gateway Firewalls as well as the NSX-T Load Balancers. To that end, I’m creating a cluster of three Workspace ONE Access (WSA for short) servers named dwsa1, dwsa2, and dwsa3. I won’t have anywhere near the capacity to justify the cluster sizes shown in the table below, but I need a cluster of servers to make use of the Load Balancer.

  • SAML Authentication with Workspace ONE Access: Part 1 Preparation
  • SAML Authentication with Workspace ONE Access: Part 2 Installation and Configuration
  • SAML Authentication with Workspace ONE Access: Part 3 Integration with NSX-T
  • SAML Authentication with Workspace ONE Access: Part 4 Integration with VMware Horizon

Database Preparation

I will be using a MS SQL Server database for the configuration settings. As of this writing, any Standard or Enterprise edition from 2012 through 2017 can be used. Because Workspace ONE Access can authenticate to the database with a local SQL login rather than a Windows/domain account, you can host this database in a container or on a full database server.

As I’m running a MS SQL Server 2019 Standard server, I set the database compatibility level to MS SQL Server 2017 as shown in the DB creation wizard here:

When preparing the SQL Server and database user for use with Workspace ONE Access, the user must have the “db_owner” role on the created database so the installer can create its schema. After the database is set up and Workspace ONE Access is installed and configured, you can revoke the “db_owner” role and add the “db_datareader” and “db_datawriter” database roles to the user. Running day-to-day with only data read/write rights limits what a compromised appliance or a leaked connection string can do to the database.

NOTE: If you are going to upgrade the Workspace ONE Access server, you will need to grant the “db_owner” role again so that any schema changes can be applied. The rights can be reduced again after the upgrade.

One additional change to the database is the Auto Growth setting. For this product, the value must be changed from its default to a fixed 128 MB. This setting can be changed by viewing the database properties and selecting the “Files” tab. The setting is set by clicking on the “…” button shown in the red box below. When done, click “OK” to save the settings.
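The same preparation as a script, covering the database, the compatibility level, the 128 MB auto growth, the install-time “db_owner” grant and the post-install reduction to “db_datareader”/“db_datawriter”, with a check at the end. This is an added example, not the post’s own steps or VMware’s provided script; the database name wsa, the login wsa_svc and the password placeholder are assumptions, and any collation or schema options your Workspace ONE Access version’s installation guide requires must be added from that guide.

```sql
-- Added example (not from the original post or from VMware's installation script).
-- T-SQL for the Workspace ONE Access database prep, run in SSMS or sqlcmd on the
-- SQL Server 2019 instance. Assumed names: database [wsa], SQL login/user [wsa_svc].
-- Add whatever collation/schema options the VMware guide lists for your version.

-- 1. Database plus a SQL-authenticated login (no Windows/AD account needed, which
--    is what lets the database live in a container or on a shared instance).
CREATE DATABASE wsa;
GO
-- The product expects a 2017-level database: compatibility level 140 = SQL Server 2017
-- (a fresh database on a 2019 instance would otherwise default to 150).
ALTER DATABASE wsa SET COMPATIBILITY_LEVEL = 140;
GO
-- Auto growth: fixed 128 MB increments on the data file. CREATE DATABASE names the
-- logical data file after the database, so the logical file name here is 'wsa'.
ALTER DATABASE wsa MODIFY FILE (NAME = N'wsa', FILEGROWTH = 128MB);
GO

-- Placeholder password: replace before running. CHECK_POLICY enforces the host's
-- Windows password policy on the SQL login.
CREATE LOGIN wsa_svc WITH PASSWORD = N'<strong-random-password>', CHECK_POLICY = ON;
GO
USE wsa;
GO
CREATE USER wsa_svc FOR LOGIN wsa_svc;
-- 2. Install-time rights: db_owner so the installer can create its schema.
ALTER ROLE db_owner ADD MEMBER wsa_svc;
GO

-- 3. After installation (and again after any upgrade), drop back to least privilege:
--    data read/write only, no DDL. Re-run the ADD MEMBER for db_owner in step 2
--    before an upgrade so schema changes can be applied.
ALTER ROLE db_owner      DROP MEMBER wsa_svc;
ALTER ROLE db_datareader ADD  MEMBER wsa_svc;
ALTER ROLE db_datawriter ADD  MEMBER wsa_svc;
GO

-- 4. Checks before handing the credentials to the appliance:
--    which database roles the user currently holds (after step 3 there should be
--    no db_owner row) ...
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'wsa_svc';

--    ... and the growth setting of the data file. sys.database_files reports
--    growth in 8 KB pages when is_percent_growth = 0, so a 128 MB increment
--    is 16384 pages.
SELECT name, growth, is_percent_growth
FROM sys.database_files
WHERE type_desc = N'ROWS';
GO
```

The role change in step 3 needs no change to the appliance’s connection settings, since the login and user stay the same; only the database rights behind them shrink.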

Network Configuration

Once the database and database user are created, you can prepare your network settings. I created DNS records for the three hosts and the load-balanced IP. I created a new segment in NSX-T for the DMZ zone:

In order to leverage some of the features of the distributed firewall, I implemented a policy specifically for the Workspace ONE Access service. The firewall port requirements can be found here:

I had to create groups and services for each of the required rules. These were added per the table listed in the link above. Because the NSX-T distributed firewall is enforced in the hypervisor on every ESXi host, these rules are applied at each VM’s virtual NIC, so traffic is filtered before the packets ever leave the host or touch the physical network.

These rules should allow all of the required ports and protocols to and from the WSA systems. There is a helpful checklist of preparation activities in the VMware installation documentation. I’ve created a spreadsheet for you to use with all of the listed fields.

This is it for the preparation activities. The next entry will cover the installation process for the three node cluster as well as the configuration of the Load Balancer. Your comments and feedback are welcome!