TECHNICAL WHITE PAPER – AUGUST 2017

REVIEWER’S GUIDE FOR ON-PREMISES VMWARE IDENTITY MANAGER
VMware Identity Manager 2.9.x




Table of Contents

Introduction ... 4
  Purpose ... 4
  Audience ... 4
Overview of VMware Identity Manager ... 5
  On-Premises Editions ... 6
  Key On-Premises Features ... 7
  What’s New ... 8
  On-Premises Architecture ... 9
Installation ... 10
  Exercise A1: Verify Recommended Minimum Requirements ... 10
  Exercise A2: Configure DNS Records and IP Addresses ... 13
  Exercise A3: Gather Deployment Information ... 14
  Exercise A4: Download the VMware Identity Manager OVA File ... 15
  Exercise A5: Set Up the VMware Identity Manager Virtual Appliance ... 16
Configuration ... 24
  Exercise B1: Configure the VMware Identity Manager Virtual Appliance ... 24
  Exercise B2: Set Up Active Directory ... 27
  Exercise B3: Update the SSL Certificate ... 34
  Exercise B4: Join Domain for Windows Authentication with Active Directory ... 36
  Exercise B5: Set Up Network Ranges (Optional) ... 37
  Exercise B6: Configure Virtual Appliance Settings (Optional) ... 39
Exploring the Basics ... 41
  Exploring VMware Identity Manager Tools ... 41
    Exercise C1: Explore the Administrator Tools ... 41
    Exercise C2: Explore the End-User Tools ... 42
  Applying Custom Branding (Optional) ... 44
    Exercise C3: Apply Custom Branding to the Administration Console and Sign-In Screen ... 44
    Exercise C4: Apply Custom Branding to the User Portal ... 47
  Adding a Web Application and Entitlements ... 49
    Exercise C5: Add a Web Application ... 50
    Exercise C6: Create Categories to Manage Resources ... 52
    Exercise C7: Entitle Users and Groups to Access Web Applications ... 54
    Exercise C8: Verify That Web Applications Launch from the User Portal ... 56


Integrating the View Component of Horizon 7 ... 58
  Overview of View ... 58
  Exercises for View Integration ... 58
    Exercise D1: Prepare for View Integration ... 59
    Exercise D2: Configure the View Application Option ... 60
    Exercise D3: Configure SAML Authentication in View ... 63
    Exercise D4: Review Entitlements to View Resources ... 68
    Exercise D5: Launch View Resources from the User Portal ... 69
Integrating a ThinApp Infrastructure ... 71
  Overview of ThinApp ... 71
  Exercises for ThinApp Packages ... 71
    Exercise E1: Prepare for ThinApp Integration ... 72
    Exercise E2: Configure the ThinApp Application Option ... 73
    Exercise E3: Grant Entitlements Based on ThinApp Packages ... 76
    Exercise E4: Grant Entitlements Based on Users and Groups ... 78
    Exercise E5: Launch ThinApp Packages from the User Portal ... 79
Integrating Citrix XenApp and XenDesktop Published Applications ... 81
  Overview of XenApp ... 81
  Exercises for Citrix Published Applications ... 81
    Exercise F1: Prepare for Integration ... 82
    Exercise F2: Configure the Citrix Published Application Option ... 83
    Exercise F3: Review Entitlements to Citrix Published Applications ... 88
    Exercise F4: Launch Citrix Published Applications from the User Portal ... 91
Summary ... 93
Additional Resources ... 93
Appendix: Terminology Used in This Guide ... 94
About the Author and Contributors ... 95


Introduction

VMware Identity Manager™ extends your infrastructure to provide a seamless single sign-on (SSO) experience to web, mobile, software-as-a-service (SaaS), and legacy applications. With VMware Identity Manager, you can build a self-service catalog of applications and virtual desktops that your end users can access from any supported device. As an IT professional, you can use VMware Identity Manager to deliver, manage, and secure enterprise assets, and support bring-your-own-device (BYOD) initiatives from a central location.

Purpose

The Reviewer’s Guide for On-Premises VMware Identity Manager 2.9 and later explores VMware Identity Manager (formerly known as VMware Workspace Portal) and introduces its benefits, key features, architecture, and components. The guide includes exercises to evaluate the features in the context of relevant use cases.

Note: This guide provides the information you need to set up and operate a basic VMware Identity Manager on-premises deployment for evaluation, not production. To deploy a production environment, select On-Premise from the drop-down menu on the VMware Identity Manager Documentation page, as shown in Figure 1.

Figure 1: Accessing Documentation Online for On-Premises VMware Identity Manager

Audience

This guide is for IT professionals and product evaluators who want to install VMware Identity Manager and are familiar with VMware vSphere®. Both current and new administrators of VMware Identity Manager can benefit from using this guide. Familiarity with networking concepts, such as Active Directory, identity management, directory services, and Simple Mail Transfer Protocol (SMTP), is assumed. Knowledge of other technologies, such as VMware ThinApp®, VMware Horizon® 7, Citrix application virtualization, and RSA SecurID, is also helpful.


Overview of VMware Identity Manager

VMware Identity Manager provides support for both administrators and end users. It streamlines administrator tasks with features such as application provisioning and conditional access controls. It empowers employee productivity by providing supported applications on any supported device with one-touch login, a mechanism that provides SSO from an authorized device to enterprise resources. Other features that enhance the end-user experience include a self-service catalog of applications and virtual desktops, and SSO for SaaS, web, and native mobile applications when deployed to mobile devices.

Note: VMware Identity Manager is offered as an on-premises solution and as a cloud-based service. This guide describes only the on-premises offering. For information about the cloud-based service, see VMware Identity Manager.

Both the on-premises and cloud-based solutions provide an administration console and a user portal. Figure 2 shows the administration console, a central place for your IT team to manage user provisioning and access policies with Active Directory, federated identity management, and user analytics.

Figure 2: VMware Identity Manager Administration Console


Figure 3 shows the user portal, a web page that presents your end users with the self-service catalog accessible using SSO.

Figure 3: VMware Identity Manager Supports User Portal Features

On-Premises Editions

VMware Identity Manager is available as a component in some editions of VMware Horizon 7 and as a standalone product. The on-premises editions are available in the following VMware software:

• VMware Identity Manager Standard Edition

– Included in Horizon 7 Advanced and Enterprise Editions

– Provides SSO to View desktops and Horizon 7 Remote Desktop Session Host (RDSH), ThinApp, and SaaS applications

– Ready for integration into VMware AirWatch® environments for mobile and SaaS applications

• VMware Identity Manager Advanced Edition

– Included in VMware AirWatch Blue and Yellow Enterprise Mobility Management Suites and VMware Workspace™ Suite

– Includes VMware AirWatch device and registration

– Includes AirWatch Console to manage certificate-based authentication and provide device-specific adaptors for VMware Identity Manager

For more information, see the following references:

– VMware Product Guide

– VMware Product Evaluation

– Purchasing VMware Identity Manager

– VMware Identity Manager Product and Packaging


Key On-Premises Features

VMware Identity Manager is delivered as a virtual appliance that requires vSphere and VMware vCenter Server® for appliance management. VMware Identity Manager includes the following key benefits.

• Enterprise SSO – Simplify business mobility with the included identity provider (IdP). The IdP integrates with existing on-premises identity providers so that you can combine applications and resources from multiple sources into a single VMware Identity Manager catalog. Enterprise SSO provides the following benefits:

– Eliminates the need for users to remember multiple user names and passwords

– Provides a central location to instantly disable user access to all resources, which protects against data leakage

– Integrates with existing identity providers, or you can use only the included identity provider

– Includes support for virtual desktops, ThinApp packages, and Citrix published applications, as well as Windows, web-based, SaaS, and native mobile applications

• Application store – Build a branded application store that matches your corporate identity. The application store provides the following benefits:

– Works with legacy on-premises Windows or web-based applications, SaaS applications, and native mobile applications

– Includes a responsive HTML5 application launcher that supports any device with a web browser that supports HTML5

– Provides a self-service catalog that is sortable by category and favorite resource

– Includes user analytics, capacity management, and licensing planning

– Supports the ability to customize colors, logos, backgrounds, and other design elements of a branded application store

• Identity management with adaptive access – Maintain trust between users, devices, and the cloud. Identity management provides the following benefits:

– Establishes trust with mobile devices through the VMware AirWatch device registration feature

– Supports one-touch login to third-party public applications and internally developed applications

– Provides registered device certificates, managed timeouts, and complex passwords, culminating in stronger security than simple passwords alone

– Enforces security policies for conditional access between managed and unmanaged devices

– Supports multiple Active Directory domains, forests, and trust configurations


What’s New

VMware Identity Manager 2.9.1 includes the following new features since the last release (2.8.1).

Authentication and Access

Authentication and access features include the following enhancements:

• Office 365 conditional access enhancements – VMware Identity Manager already provides conditional access control for Office 365 clients that use modern authentication. For Office 365 clients that use legacy user name and password authentication, VMware Identity Manager now includes enhanced conditional access policies that increase security and reduce risk of data loss. The enhanced conditional access policies control clients such as native iOS and Android email applications, older versions of Microsoft Office, and email clients such as Thunderbird. This feature works for managed and unmanaged devices.

• Group-based conditional access policies – Now you can apply different policies for authentication based on a user’s group membership, such as requiring multifactor authentication only for contractors.

• Configurable login experience – You can now configure the login experience to let your users provide their email address, employeeID, or other attributes, such as a username.

• Custom branding – You can now use color transparency for background images.

• SAML enhancements – Support for HTTP POST SAML binding when configuring third-party identity providers and encrypted SAML responses is now included. Generate a Certificate Signing Request (CSR) from the Administration Console, and use it for generating a certificate from a certificate authority for SAML signing.

• Default launch option for Horizon applications and desktops – Users can now choose their launch preferences to browser or native client when launching applications and desktops. Administrators can also configure settings globally to enforce the same behavior for all users.

• Access policy – Improved access policy now includes support for Horizon desktops and applications.

• Custom ID mapping for Horizon Cloud – Just like with SAML applications, support has been added for additional user name formats between VMware Identity Manager and VMware Horizon Cloud.

• Directory and Horizon performance – You can now sync Active Directory and Horizon more frequently, as short as every 15 minutes.

Deployment

Deployment features include the following enhancements:

• VMware Identity Manager for Windows (with AirWatch) – The VMware Identity Manager server is now available on Windows and included with VMware AirWatch installer.

• VMware Identity Manager Enterprise System Connector for Windows with AirWatch – You can now install the VMware Identity Manager Connector on Windows. The Enterprise System Connector installer includes the option to install VMware AirWatch Cloud Connector™ or the VMware Identity Manager Connector. For more information, see the VMware AirWatch 9.1 Release Notes.

• Migration from AirWatch Cloud Connector to VMware Identity Manager Connector for connecting to AD and LDAP – If you are using AirWatch Cloud Connector to connect to Active Directory and want to migrate to the VMware Identity Manager Connector to take advantage of additional capabilities, such as MFA, Horizon, and Citrix integrations, click the configuration. All application entitlements are preserved with this change.

• Citrix XenApp and XenDesktop integration – Because Citrix no longer supports Citrix Web Interface, Citrix XenApp and XenDesktop integration has been migrated to use the Citrix StoreFront SDK.


On-Premises Architecture

The VMware Identity Manager on-premises offering is based on a single virtual appliance that contains all necessary services for it to be accessed both internally and externally from the Internet.

Figure 4: VMware Identity Manager On-Premises Virtual Appliance

An on-premises VMware Identity Manager installation includes the following components:

• Single virtual appliance in an OVA format – Packaged as an OVA file that can be deployed with vSphere, vSphere Client, or vCenter Server to any supported version of VMware ESXi™

• Administration Console and User Portal – Accessible from any supported web browser

• Windows agent for View in Horizon hosted application deployment – Required only if you plan to implement the View feature

• Citrix XenApp Integration Broker for Citrix XenApp farms – Required only if you plan to implement the Citrix feature

• Windows agent for ThinApp package deployment – Required only if you plan to implement the ThinApp feature

• APIs – Govern how the applications communicate with each other, enable data to move between applications, and enable applications to take actions on behalf of other applications


Installation

These exercises guide you through installing a basic on-premises VMware Identity Manager deployment for evaluation. The exercises are sequential and build on one another, so make sure to complete each exercise in the order presented.

• Exercise A1: Verify Recommended Minimum Requirements

• Exercise A2: Configure DNS Records and IP Addresses

• Exercise A3: Gather Deployment Information

• Exercise A4: Download the VMware Identity Manager OVA File

• Exercise A5: Set Up the VMware Identity Manager Virtual Appliance

Exercise A1: Verify Recommended Minimum Requirements

Before you begin installation, make sure that your environment meets the recommended minimum requirements for optimal performance of your basic on-premises VMware Identity Manager deployment.

1. Compatibility with vSphere and vCenter Server

VMware vSphere is a virtualization solutions suite that manages large collections of infrastructure elements, such as the CPU, storage, network, and data center. The vSphere Client is a Windows application that you can use to configure a VMware ESXi host and to operate its virtual machines. VMware vCenter Server, a component of the vSphere suite, provides centralized management of virtual machines and ESXi servers. You can also use an ESXi server for your VMware Identity Manager deployment.

VMware Identity Manager supports the following versions of vSphere and ESXi:

HOST | VERSIONS
vSphere (includes vCenter Server) | 5.0 U3, 5.1 U2, 5.5
ESXi | 5.0 U2 and later, 5.1 and later, 5.5 and later, 6.0 and later

Table A1: Supported Server Versions

2. Minimum hardware requirements for the ESXi server

Make sure that the resources available to the ESXi server running your VMware Identity Manager virtual appliance meet the minimum requirements. Storage requirements vary, depending on the number of users.

COMPONENT | RECOMMENDED MINIMUM REQUIREMENT
Processor | 2 Intel Quad Cores, 3.0 GHz, 4 MB cache
RAM | 16 GB DDR2 1066 MHz, ECC and registered
On-board LAN | One 10/100/1000 Base-TX port
Storage | 500 GB

Table A2: Recommended Minimum Hardware Requirements

Note: To avoid time drift between virtual appliances, use an NTP server to configure the ESXi server to use time synchronization.


3. Minimum requirements for the virtual appliance

The minimum requirements for the VMware Identity Manager virtual appliance are as follows:

COMPONENT | RECOMMENDED MINIMUM VCPU | RECOMMENDED MINIMUM RAM | RECOMMENDED MINIMUM DISK SPACE
Virtual appliance | 2 vCPU | 6 GB | 36 GB

Table A3: Recommended Minimum Requirements for the Virtual Appliance

4. Requirements for network configuration

VMware Identity Manager connects to your existing Active Directory infrastructure so that you can synchronize user and group authentication and management. Active Directory must be accessible in the same LAN as the VMware Identity Manager virtual appliance. If the View or ThinApp option is enabled, the VMware Identity Manager server must join the Windows domain for synchronization to take place.

COMPONENT | REQUIREMENT
DNS record and IP address | Provided by network administrator
Firewall port | For users outside the enterprise network, inbound firewall port 443 must be open to access VMware Identity Manager

Table A4: Requirements for Network Configuration

5. Database storage

VMware Identity Manager includes an internal PostgreSQL database that you can use for storage while testing. The database supports a basic deployment of up to 1,000 users and does not require additional configuring.

Note: For full-scale production, high availability, load balancing, or failover, provide an external database. You can convert and scale the internal PostgreSQL database to an external database at any time.


6. Ports

The ports you need for VMware Identity Manager depend on your deployment scenario. For the exercises in this guide, VMware Identity Manager joins the Active Directory domain to synchronize users and groups, and connects to a ThinApp repository.

PORT | SOURCE | TARGET | DESCRIPTION
443 | VMware Identity Manager virtual appliance | VMware Identity Manager virtual appliance | HTTPS
443 | VMware Identity Manager virtual appliance | catalog.vmwareidentity.com | HTTPS; access to cloud catalog
443 | Browsers | VMware Identity Manager virtual appliance | HTTPS
8443 | Browsers | VMware Identity Manager virtual appliance | HTTPS; administrator port
25 | VMware Identity Manager virtual appliance | SMTP | TCP port to relay outbound mail
389, 636, 3268, 3269 | VMware Identity Manager virtual appliance | Active Directory | Default values shown; ports are configurable
5432 | VMware Identity Manager virtual appliance | Database | Default value for the PostgreSQL database is 5432; the Oracle default value is 1521
5500 | VMware Identity Manager virtual appliance | RSA SecurID system | Default value shown; port is configurable
53 | VMware Identity Manager virtual appliance | DNS server | TCP or UDP; each VMware Identity Manager virtual appliance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22
88, 135, 465 | VMware Identity Manager virtual appliance | Domain controller | TCP or UDP; Active Directory domain authentication traffic from VMware Identity Manager to Active Directory
389, 443 | VMware Identity Manager virtual appliance | View server | Access to Horizon View server
445 | VMware Identity Manager virtual appliance | ThinApp repository | Access to ThinApp repository

Table A5: Default Ports
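The port table is easier to act on as data than as prose. The following Python script is an added example, not code from this guide or from VMware: it encodes the Table A5 rows, derives the rules a given evaluation scenario needs (the guide's own scenario joins Active Directory and reaches a ThinApp repository), renders them as a firewall allow list, and probes TCP reachability of the outbound targets from the appliance side. The `feature` grouping, the `admin_net` value, the rule-text format, the choice to restrict the administrator port 8443 and SSH to an admin network, and the host names in the usage are this example's assumptions; the guide lists the ports but does not group them by feature or say which networks may reach the administrator port.

```python
"""Firewall allow-list planner and reachability probe for the Table A5 ports.

Added example, not VMware's code. Table A5 is encoded as data; the feature
tags and the admin-network restriction are this example's own choices.
"""
import socket
from dataclasses import dataclass

VA = "VMware Identity Manager virtual appliance"


@dataclass(frozen=True)
class Rule:
    port: int
    source: str
    target: str
    proto: str      # "tcp" or "tcp+udp", as stated in the table
    feature: str    # "core" or the optional feature that needs the rule (assumption)
    note: str


# One Rule per port and direction from Table A5. Rules tagged with an optional
# feature are only emitted when that feature is enabled, so unused
# integrations do not get firewall openings by default.
DEFAULT_PORTS = [
    Rule(443, VA, VA, "tcp", "core", "HTTPS, appliance to itself"),
    Rule(443, VA, "catalog.vmwareidentity.com", "tcp", "core", "Access to cloud catalog"),
    Rule(443, "Browsers", VA, "tcp", "core", "HTTPS user portal and console"),
    Rule(8443, "Browsers", VA, "tcp", "core", "Administrator port"),
    Rule(22, "Administrators", VA, "tcp", "core", "Incoming SSH (source is this example's choice)"),
    Rule(25, VA, "SMTP", "tcp", "core", "Relay outbound mail"),
    Rule(53, VA, "DNS server", "tcp+udp", "core", "Name resolution"),
    *[Rule(p, VA, "Active Directory", "tcp", "core", "Default value; configurable")
      for p in (389, 636, 3268, 3269)],
    *[Rule(p, VA, "Domain controller", "tcp+udp", "core", "Domain authentication")
      for p in (88, 135, 465)],
    Rule(5432, VA, "Database", "tcp", "external_db", "PostgreSQL default; Oracle uses 1521"),
    Rule(5500, VA, "RSA SecurID system", "tcp", "securid", "Default value; configurable"),
    *[Rule(p, VA, "View server", "tcp", "view", "Access to Horizon View server") for p in (389, 443)],
    Rule(445, VA, "ThinApp repository", "tcp", "thinapp", "Access to ThinApp repository"),
]


def required_rules(features=()):
    """Rules needed by a deployment that enables the given optional features."""
    wanted = {"core", *features}
    return [r for r in DEFAULT_PORTS if r.feature in wanted]


def allow_list(features=(), admin_net="10.0.0.0/24"):
    """Render the required rules as text. Only port 443 is opened to any source
    (Table A4); the administrator port and SSH are limited to admin_net, which is
    this example's hardening choice, not a statement from the guide."""
    lines = []
    for r in required_rules(features):
        if r.source == VA:                                   # outbound from the appliance
            dst = "appliance" if r.target == VA else r.target
            lines.append(f"allow {r.proto}/{r.port} from appliance to {dst}  # {r.note}")
        else:                                                # inbound to the appliance
            src = "any" if r.port == 443 else admin_net
            lines.append(f"allow {r.proto}/{r.port} from {src} to appliance  # {r.note}")
    return lines


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, timed out, or sockets not permitted
        return False


def check_reachability(targets, features=()):
    """Probe each outbound rule whose target has a host name in `targets`
    (e.g. {"Active Directory": "dc01.company.example"}). Returns
    {(target, port): reachable}; targets without a host name are skipped."""
    results = {}
    for r in required_rules(features):
        host = targets.get(r.target)
        if r.source == VA and host:
            results[(r.target, r.port)] = tcp_probe(host, r.port)
    return results


if __name__ == "__main__":
    # The guide's scenario: join Active Directory and connect to a ThinApp repository.
    for line in allow_list(features=("thinapp",)):
        print(line)
    # Placeholder host names; replace them with the values gathered in Exercise A3.
    print(check_reachability({"Active Directory": "dc01.company.example",
                              "ThinApp repository": "thinapp.company.example"},
                             features=("thinapp",)))
```

Run the script from a host on the same segment as the appliance before Exercise A5; a `False` in the reachability output points at a firewall or routing problem that is cheaper to fix before the appliance is deployed than during directory setup.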


7. Web browser compatibility

The VMware Identity Manager Administration Console is a web-based application that is installed with VMware Identity Manager. You can use the following web browsers to access the Administration Console:

WEB BROWSER | OPERATING SYSTEM
Internet Explorer 11 | Windows
Google Chrome 42.0 and later | Windows and Mac OS X
Mozilla Firefox 40 and later | Windows and Mac OS X
Safari 6.2.8 and later | Mac OS X

Table A6: Supported Web Browsers

For more information, see VMware Identity Manager Connector Installation and Configuration and VMware Product Interoperability Matrices.

After verifying that your environment meets the requirements for deployment, proceed to the next exercise to configure DNS records and IP addresses.

Exercise A2: Configure DNS Records and IP Addresses

You can use existing DNS entries for VMware Identity Manager or create new ones. A static IP address, and forward and reverse DNS entries are required.

Address records (A records) map domain names to the IP addresses of their domain hosts. PTR records provide the required reverse lookup by mapping static IP addresses to domain and host names. Because every organization administers its DNS records and IP addresses differently, ask your network administrator for a DNS record and IP address before you begin installation.

You can use the following sample DNS records as a guide, replacing them with your own data.

EXAMPLE 1: FORWARD DNS RECORD AND IP ADDRESS
Domain Name | Source/Type | IP Address
my-identitymanager.company.com | A | 10.28.128.3

EXAMPLE 2: REVERSE DNS RECORD AND IP ADDRESS
IP Address | Source/Type | Domain Name
128.28.10.in-addr.arpa | IN PTR | my-identitymanager.company.com

Table A7: Examples of Forward and Reverse DNS Records and IP Addresses

Note: If you plan to explore the ThinApp option, DNS host names that are over 15 characters or contain underscores can cause failures when synchronizing ThinApp packages. For more information, see the VMware Identity Manager Documentation.

After verifying that the reverse DNS lookup is properly configured, proceed to the next exercise to gather the information needed during deployment.
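A reverse-lookup mismatch is the usual reason the appliance setup in the next exercises stalls, so it pays to check it mechanically. The following Python script is an added example, not code from this guide or from VMware: given the FQDN and static IP chosen for the appliance, it derives the owner name of the PTR record (the full host name inside the 128.28.10.in-addr.arpa zone that Table A7 shows), checks that the A and PTR records agree, and applies the host-label limits from the ThinApp note (15 characters at most, no underscores). The sample values are Table A7's; the decision logic is kept separate from the live lookups so it can be exercised without DNS. Note that the guide's own sample name has an 18-character host label, so the script reports it when the ThinApp check is on.

```python
"""DNS pre-flight check for Exercise A2.

Added example, not VMware's code. Sample values below are the guide's Table A7.
"""
import ipaddress
import socket


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address,
    e.g. 10.28.128.3 -> 3.128.28.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def hostname_problems(fqdn):
    """Reasons the host label would break ThinApp package synchronization,
    per the note in Exercise A2 (over 15 characters or containing underscores)."""
    label = fqdn.split(".")[0]
    problems = []
    if len(label) > 15:
        problems.append(f"host label {label!r} is {len(label)} characters, limit is 15")
    if "_" in label:
        problems.append(f"host label {label!r} contains an underscore")
    return problems


def resolve_forward(fqdn):
    """IPv4 addresses the FQDN resolves to; [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except OSError:
        return []


def resolve_reverse(ip):
    """Name the address resolves to via PTR; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def evaluate(fqdn, ip, forward, reverse, thinapp=False):
    """Pure decision logic. `forward` is the list of IPs the FQDN resolved to,
    `reverse` the name the IP resolved to (or None). Returns a list of findings;
    an empty list means the records are consistent."""
    findings = []
    if ip not in forward:
        findings.append(f"A record for {fqdn} does not contain {ip} (got {forward or 'nothing'})")
    if reverse is None:
        findings.append(f"no PTR record at {ptr_name(ip)}")
    elif reverse.rstrip(".").lower() != fqdn.rstrip(".").lower():
        findings.append(f"PTR at {ptr_name(ip)} points to {reverse}, expected {fqdn}")
    if thinapp:
        findings.extend(hostname_problems(fqdn))
    return findings


def preflight(fqdn, ip, thinapp=False):
    """Live check: perform both lookups and evaluate them."""
    return evaluate(fqdn, ip, resolve_forward(fqdn), resolve_reverse(ip), thinapp)


if __name__ == "__main__":
    # Sample values from Table A7; replace them with your own FQDN and address.
    for finding in preflight("my-identitymanager.company.com", "10.28.128.3", thinapp=True):
        print("WARNING:", finding)
```

Run it from a machine that uses the same DNS servers the appliance will use; a forward record that resolves from the administrator's laptop but not from the appliance's resolver is a common cause of a failed setup.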


Exercise A3: Gather Deployment Information

Use the following checklist to gather the network information you need during installation.

ITEM | YOUR NETWORK INFORMATION

Workspace Network Information
• VMware Identity Manager fully qualified domain name (FQDN)
• IP address of virtual appliance
• DNS server name
• Default gateway address
• Netmask or prefix

Active Directory Domain Controller
• Active Directory server name
• Active Directory FQDN
• Base DN (Distinguished Name, such as OU=myUnit, DC=myCorp, DC=com)
• Bind DN user name and password for AD over LDAP
• Active Directory user name and password with rights to join to the domain

Optional SSL Certificate
• SSL certificate (you can also add the SSL certificate after deployment)
• Private key

Workspace License Key
• VMware Identity Manager license key (entered in the VMware Identity Manager Administration Console in Appliance Settings > License after installation is complete)

External Database Information, If Any
• Database host name
• Port
• User name
• Password


Administration Password

• VMware Identity Manager administrator account password (create new)

• Virtual appliance root account password (create new)

Table A8: Deployment Information Checklist

For more information about private keys, see the Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696) knowledge base article.

After you finish gathering the information needed to install the VMware Identity Manager virtual appliance, proceed to the next exercise to download the OVA file.

Exercise A4: Download the VMware Identity Manager OVA File

The VMware Identity Manager package files are contained in an OVA file.

1. On the VMware All Downloads web page, scroll down to Desktop & End-User Computing.

2. For VMware Identity Manager, click Download Product, select a version, and click Go to Downloads.

3. On the Product Downloads tab, click Download Now to download the OVA file.

For more information, see the VMware Identity Manager Documentation.

After downloading the VMware Identity Manager OVA file, proceed to the next exercise to set up the VMware Identity Manager virtual appliance.


Exercise A5: Set Up the VMware Identity Manager Virtual Appliance

You are ready to deploy the OVA file and set up the VMware Identity Manager virtual appliance. You can start this exercise at any time after downloading.

Note: Throughout this guide, the terms OVF template and OVA file are interchangeable.

1. Make sure that you use one of the following clients to deploy the OVA file:

• vSphere Client

• vSphere Web Client

2. In the vSphere Client or vSphere Web Client, right-click the vCenter object, and select Deploy OVF Template.

Figure A1: Deploy the VMware Identity Manager OVF File

Note: For this screenshot, a vSphere Web Client is used.

3. On the Select template page of the Deploy OVF Template wizard, click Browse to locate the OVA file.

Figure A2: Select the Template


4. Navigate to the downloaded OVF file, and click Open.

Figure A3: Open the OVA File

5. On the Select name and location page, enter a unique, case-sensitive name to identify this VMware Identity Manager virtual machine, select a location for the template, and click Next.

Figure A4: Name the Template and Select Where to Deploy


6. On the Select a resource page, select the resource in which to run the OVF template, and click Next.

Figure A5: Select Where to Run VMware Identity Manager

7. On the Review details page, verify the data, and click Next.


Figure A6: Verify the OVA File Details


8. On the Accept license agreements page, read the agreement, click Accept, and click Next.

Figure A7: Review and Accept the End User License Agreement

9. On the Select storage page, select a destination datastore for the VMware Identity Manager virtual appliance files, select the Thin Provision virtual disk format, and click Next.

Figure A8: Set the Storage Location


10. On the Setup networks page, indicate the networks for VMware Identity Manager to use, and click Next.

Figure A9: Indicate the Source and Destination Networks


11. On the Customize template page, click the down arrow for Networking Properties, customize the settings for your deployment, and click Next.

Figure A10: Customize Application and Networking Properties

a. Application – Set the following two options:

• Customer Experience Improvement Program – By default, this option is enabled to assist VMware to improve product quality. To disable this option, deselect the check box.

• Timezone setting – Select the appropriate time zone from the drop-down menu.

b. Networking Properties – To configure a static IP address, provide the following information. If you do not enter an address, Dynamic Host Configuration Protocol (DHCP) is used.

• DNS – Enter the domain name servers for this virtual machine, separated by commas if more than one.

• Default Gateway – Enter the default gateway address for this virtual machine.

• Domain Name – Enter the domain name for this virtual machine.

• Domain Search Path – Enter the domain search path for this virtual machine, separated by commas or spaces if more than one.


• Host Name (FQDN) – Enter the FQDN name for this virtual machine, such as VIDM.company.com. Underscores and special characters are not supported. For more information, see Naming conventions in Active Directory for computers, domains, sites, and OUs.

• IP Address – Enter the IP address for this interface.

• Netmask – Enter the netmask or prefix for this interface.

12. On the Ready to complete page, review the settings, and click Finish. Completion can take a few minutes.

Figure A11: Review the Settings and Complete the Deployment

13. When deployment completes, return to the vSphere Web Client, select the VMware Identity Manager virtual appliance that you just deployed, and select Power On.

Figure A12: Power On the Virtual Appliance


14. Wait until the virtual appliance finishes booting, which can take a few minutes. When complete, the blue Welcome window displays the URLs to access the VMware Identity Manager virtual appliance.

Figure A13: Welcome to the VMware Identity Manager Appliance

After successfully deploying the VMware Identity Manager OVA file, proceed to the next section to start initial configuration of VMware Identity Manager.

For more information, see the VMware Identity Manager Documentation.


Configuration

This section walks you through the initial configuration process of your deployment. The exercises are sequential and build on one another, so make sure to complete each exercise in the order presented.

• Exercise B1: Configure the VMware Identity Manager Virtual Appliance

• Exercise B2: Set Up Active Directory Configuration

• Exercise B3: Update SSL Certificates

• Exercise B4: Configure Join Domain

• Exercise B5: Set Up Network Ranges

• Exercise B6: Configure VA Settings

Exercise B1: Configure the VMware Identity Manager Virtual Appliance

With the networking data that you gathered using the Deployment Information Checklist, you can configure the VMware Identity Manager virtual appliance.

1. Open a web browser and navigate to the first URL in the Welcome window to start the VMware Identity Manager Setup wizard.

a) Your site link: https://<hostname.example.com>

b) Your administrative services link: https://<hostname.example.com>:8443

Figure B1: Use the VMware Identity Manager Setup Wizard URL


2. On the Get Started page of the VMware Identity Manager Appliance Setup wizard, click Continue.

Figure B2: Get Started in the VMware Identity Manager Appliance Setup Wizard

3. On the Set Passwords page, set the passwords for the appliance administrator account, appliance root account, and remote user account, and click Continue. The passwords must be at least six characters.

Figure B3: Set Passwords


4. On the Select Database page, select Internal Database, and click Continue.

The internal database is provided for reviewing and testing the product. An external database is recommended for production and migrating from earlier versions of VMware Identity Manager. You can transfer from an internal database to an external database at any time after installation. For more information, see VMware Identity Manager Connector Installation and Configuration.

Figure B4: Select the Database

5. Wait until the Setup is complete page is displayed. You can wait until the administration console is automatically displayed, or click Log in to the administration console.

Figure B5: Complete the Setup

Note: The Continue button is grayed out and inactive at this stage.

For more information, see the VMware Identity Manager Documentation.

After finishing the VMware Identity Manager Get Started wizard, proceed to the next exercise to configure Active Directory.


Exercise B2: Set Up Active Directory

You are ready to set up Active Directory, including Users, Groups, LDAP, IWA, Bind, and Directory PUSH settings. It is recommended that you also set up User Attributes to specify which users synchronize to the VMware Identity Manager directory. The order in which you set up User Attributes is not crucial, but it must be done eventually.

Log in using the administrator credentials that you created earlier, and then follow these steps.

Figure B6: Log In Using Administrator Credentials

1. On the Identity & Access Management tab, click Manage > Directories > Add Directory, and select Add Active Directory Over LDAP/IWA from the drop-down menu.

Figure B7: Add Active Directory


2. On the Add Directory page, accept the default settings for the Directory Name and Directory Sync and Authentication sections.

Figure B8: Add the Directory Information

a. Directory Name – Indicate the directory name.

b. Directory Sync and Authentication – Select the connector that syncs users from Active Directory to the VMware Identity Manager directory.

• Sync Connector – Select the synchronization connector.

• Authentication – Select Yes to enable the connector to perform authentication.

• Directory Search Attribute – Select the account attribute that contains the user name. You can use the User Principal Name or sAMAccountName. This example uses sAMAccountName.


3. Scroll down the Add Directory page, accept the defaults for the Server Location and Certificates, and enter information for Bind User Details. When finished, click Save & Next.

Figure B9: Add the Directory Sync and Authentication Information

a. Server Location – Select to use the DNS Service Location records to locate the Active Directory domains.

b. Certificates – Select this option to require Secure Active Directory (LDAP over SSL) using the SSL certificate from your domain controllers. For this test deployment, leave the requirement to use SSL unselected. Note that with the LDAP option and no SSL, the Bind DN password and directory queries cross the network unencrypted, so enable it for anything beyond a test deployment.

c. Bind User Details – Do the following:

• Base DN – Enter the DN from which to start account searches (such as OU=myUnit, DC=myCorp, DC=com).

• Bind DN – Enter the DN of the account that can search for users (such as CN=administrator, CN=users, DC=com).

• Bind DN Password – Enter the Active Directory account password for the account that can search for users (see Bind DN user name and password for AD over LDAP in Gather Deployment Information).

• Click Test Connection to verify the connection. A Connection is Successful banner appears at the top of the window.
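Before you click Test Connection, it helps to catch malformed or mismatched DNs in the Base DN and Bind DN fields. The following Python is an added example, not part of this guide or of the product: it splits a DN into its relative components, derives the domain from the DC components, checks that the Bind DN account lives in the same domain as the Base DN, and checks that the Bind DN names an account rather than a container. The sample DNs are constructed from the values used in this exercise, and the function names are assumptions of this example.

```python
"""Added example (not from the VMware guide): check the Base DN / Bind DN
pair before entering it on the Add Directory page.  Sample DNs are
constructed; helper names are assumed."""
import re

# Split on commas that are not escaped, so "CN=Smith\, John" stays one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list:
    """Return [(ATTR, value), ...] in written order (most specific first)."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no '=': a display name is not a DN")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def domain_of(dn: str) -> str:
    """Derive the DNS domain from the DC components, e.g. 'mycorp.com'."""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")


def is_under(dn: str, base: str) -> bool:
    """True if dn lies at or below base (compared from the root end, case-insensitive)."""
    d, b = parse_dn(dn), parse_dn(base)
    if not b or len(b) > len(d):
        return False
    norm = lambda parts: [(a, v.lower()) for a, v in parts]
    return norm(d[-len(b):]) == norm(b)


def check_bind_settings(base_dn: str, bind_dn: str) -> list:
    """Return warnings for the Base DN / Bind DN pair; an empty list means it looks sane."""
    warnings = []
    for label, dn in (("Base DN", base_dn), ("Bind DN", bind_dn)):
        try:
            parts = parse_dn(dn)
        except ValueError as exc:
            warnings.append(f"{label}: {exc}")
            continue
        if not any(a == "DC" for a, _ in parts):
            warnings.append(f"{label}: no DC= components, so it names no domain")
    if warnings:
        return warnings
    if domain_of(base_dn) != domain_of(bind_dn):
        warnings.append(f"Base DN domain {domain_of(base_dn)} differs from "
                        f"Bind DN domain {domain_of(bind_dn)}")
    if parse_dn(bind_dn)[0][0] != "CN":
        warnings.append("Bind DN should name an account (leading CN=), not a container")
    return warnings


if __name__ == "__main__":
    # Constructed sample values modelled on this exercise.
    base = "OU=myUnit, DC=myCorp, DC=com"
    bind = "CN=svc-vidm, CN=Users, DC=myCorp, DC=com"
    print(domain_of(base), check_bind_settings(base, bind) or "OK")
```

Note that the Bind DN exactly as printed in step 3, CN=administrator, CN=users, DC=com, trips the domain-mismatch warning against the Base DN OU=myUnit, DC=myCorp, DC=com; in your own entry, use the same DC components in both fields.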


4. On the Select the Domains page, click Next.

Figure B10: Select the Domains

5. On the Map User Attributes page, verify that the correct attributes are mapped, and click Next.

Note: Unless you use non-standard names for your Active Directory user attributes, you can accept the default settings for the user attributes required to synchronize with Active Directory, which are lastName, firstName, email, and userName. If you used non-standard names when you set up Active Directory, edit the defaults to match.

Figure B11: Review User Attribute Mappings


6. On the Select the groups (users) you want to sync page, verify that Sync nested group members is selected, and click the green plus sign to add groups to synchronize.

Figure B12: Select Groups and Users to Sync

7. To narrow your search of Active Directory groups, use the search field. After you select the groups, click Save.

Figure B13: Search for Groups

Note: For this screenshot, the search term domain is used to narrow the search, and the Domain Admins and Domain Users groups were selected. This information is required for the Horizon 7 exercises, but you can do it any time after installation.


8. Verify the groups you selected, and click Next.

Figure B14: Verify the Groups and Users to Sync

Note: For this screenshot, the Domain Admins and Domain Users groups are selected.

9. On the Select the Users you would like to sync page, ensure that the users to synchronize are listed, and click Next.

Figure B15: Add and Exclude Users to Sync

a. Under Specify the user DNs, you can select the green plus sign to add user DNs to VMware Identity Manager.

b. Under Add a filter to exclude users, you can select the green plus sign to filter out users that you do not want to sync. For this screenshot, additional DNs and filters are added.


10. On the Review page, verify the users and groups, and click Sync Directory.

Figure B16: Verify the Users and Groups to Sync

11. When the synchronization completes, click Refresh Page.

Figure B17: Wait for Synchronization to Complete

12. On the Users page, verify that the synchronization of users is successful.

Figure B18: Verify User Synchronization


13. On the Groups page, verify that the synchronization of groups is successful.

Figure B19: Verify Group Synchronization

For more information, see the VMware Identity Manager Documentation.

After setting up the Active Directory configuration, proceed to the next exercise to update the SSL certificate.

Exercise B3: Update the SSL Certificate

When you first install VMware Identity Manager, a default self-signed SSL certificate is generated, which you can use for testing and evaluation. However, we recommend that you upgrade to commercial SSL certificates for the exercises in other guides in this series. Before you can complete this exercise, verify that you already have an SSL certificate from an independent certificate authority (CA), a trusted public entity that guarantees the identity of the certificate.

1. In the Administration Console, select the Appliance Settings tab, and click Manage Configuration.

Figure B20: Select Manage Configuration


2. On the Install Certificate page, copy your SSL certificate chain into the SSL Certificate Chain text box.

Figure B21: Install an SSL Certificate and Provide a Private Key

3. In the Private Key text box, copy your private key, and click Save.

For more information, see the VMware Identity Manager Documentation.

After updating the SSL certificate, proceed to the next exercise to join the domain.


Exercise B4: Join Domain for Windows Authentication with Active Directory

Joining the domain is required if you use Windows authentication (Kerberos) with Active Directory, and if you choose to integrate with the View component of Horizon 7. If you use another authentication method and do not plan to integrate with Horizon 7, you can skip this exercise and proceed to Exercise B5: Set Up Network Ranges.

1. In the upper right of the Identity & Access Management tab, click Setup.

2. On the Connectors page, click Join Domain.

Figure B22: Join a Domain

3. In the Join Domain page, select the domain to join, log in using the administrator credentials of a Domain Administrator with access to join a machine to the domain, and click Join Domain.

Figure B23: Provide Domain Information


4. On the Connectors page, verify that the green banner appears at the top, indicating that the connector joined the domain.

Figure B24: Verify the Domain Join

For more information, see the VMware Identity Manager Documentation.

After the connector is joined to the domain, proceed to the next exercise to set up network ranges.

Exercise B5: Set Up Network Ranges (Optional)

You can choose to set up network ranges to restrict where users can log in from when they access their applications. The ALL RANGES network range, which includes every IP address on the Internet, was created during installation as the default. You can modify the range to include or exclude IP addresses, route traffic to specific locations, assign access policies, customize what is displayed to individual users, and determine the validation and authentication processes to use for mobile devices.

Although optional, setting network ranges is recommended for View Integration and Citrix Published Application, which are covered in other sections of this guide.

1. On the Identity & Access Management tab, select Setup > Network Ranges, and then click Add Network Range in the upper right.

Figure B25: Add a Network Range


2. On the Add Network Range page, define the range of IP addresses from which users can access applications, and click Save.

Figure B26: Define the Network Range

• Name – Name the range. In this screenshot, the network is named Corp Network.

• Description – Enter an optional description of the network range.

• IP Ranges – Enter the network range, such as 50.197.75.17 to 50.197.75.254.

Note: If you do not already have a subnet, create one for all computers in your lab and use this subnet for this exercise. If you are installing VMware Identity Manager in an existing lab environment, include all subnets in your environment here. For more information about how to define a network range, see VMware Identity Manager Documentation.

3. Verify that the network range definition is correct, and click Save.

Figure B27: Verify the Network Range

For more information, see the VMware Identity Manager Documentation.

After defining network ranges, you can proceed to the next exercise to configure optional virtual appliance settings.
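To see how a network range behaves before you attach access policies to it, here is an added Python example; it is not part of this guide or of the product. It models a named range as a list of first-to-last address pairs, as entered on the Add Network Range page, reports which ranges a client address falls into, and expands a range to the CIDR blocks it covers (useful when the same boundary must appear in a firewall rule). The Corp Network bounds are the sample values from step 2; ALL RANGES is modelled here as the whole IPv4 space, and the class and function names are assumptions of this example.

```python
"""Added example (not from the VMware guide): model network ranges like the
one in Figure B26 and test which client addresses they admit.  Bounds are
the guide's sample values; class and helper names are assumed."""
import ipaddress


class NetworkRange:
    """One named range: a list of (first, last) address pairs, inclusive."""

    def __init__(self, name: str, ip_ranges):
        self.name = name
        self.bounds = []
        for first, last in ip_ranges:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"{name}: bad range {first} to {last}")
            self.bounds.append((lo, hi))

    def contains(self, client_ip: str) -> bool:
        """True if client_ip lies inside any of this range's address pairs."""
        ip = ipaddress.ip_address(client_ip)
        return any(lo <= ip <= hi for lo, hi in self.bounds if lo.version == ip.version)

    def cidrs(self) -> list:
        """Collapse each first..last pair to the minimal list of CIDR blocks."""
        out = []
        for lo, hi in self.bounds:
            out.extend(str(net) for net in ipaddress.summarize_address_range(lo, hi))
        return out


def matching_ranges(client_ip: str, ranges) -> list:
    """Names of the ranges a login from client_ip falls into, in the order given."""
    return [r.name for r in ranges if r.contains(client_ip)]


# ALL RANGES is created at install time and matches every address
# (modelled here as the whole IPv4 space; assumption of this example).
ALL_RANGES = NetworkRange("ALL RANGES", [("0.0.0.0", "255.255.255.255")])
# Constructed from the guide's sample: 50.197.75.17 to 50.197.75.254.
CORP_NETWORK = NetworkRange("Corp Network", [("50.197.75.17", "50.197.75.254")])

if __name__ == "__main__":
    for client in ("50.197.75.100", "50.197.75.16", "203.0.113.7"):
        print(client, "->", matching_ranges(client, [ALL_RANGES, CORP_NETWORK]))
    print("Corp Network as CIDR:", CORP_NETWORK.cidrs())
```

Because a range is a closed interval, 50.197.75.16 and 50.197.75.255 fall outside Corp Network and match only ALL RANGES; a policy bound to Corp Network therefore never applies to them, which is the usual source of "works from my desk but not from the lab" surprises.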


Exercise B6: Configure Virtual Appliance Settings (Optional)

Configuring the virtual appliance settings is optional if you are reviewing and testing a temporary environment, unless you want to test these specific capabilities.

Note: In a production environment, it is recommended that you configure the license and SMTP settings.

1. Log in, and click the Appliance Settings tab.

Figure B28: Select Appliance Settings

2. On the License page, enter the VMware Identity Manager license key, and click Save.

Figure B29: Enter the License


3. On the SMTP page, enter the host, port, user, and password, and click Save. SMTP enables alert notices from VMware Identity Manager.

Figure B30: Configure SMTP

For more information, see the VMware Identity Manager Documentation.

After setting up the initial services, initial configuration is complete. You can proceed to the next section to explore basic functionality of VMware Identity Manager.


Exploring the Basics

VMware Identity Manager provides a variety of management tools for both IT administrators and end users. As an administrator, you can use these tools to apply your own customized branding, and add and manage web applications and entitlements.

• Exploring VMware Identity Manager Tools

• Applying Custom Branding

• Adding a Web Application, Categories, and Entitlements

Exploring VMware Identity Manager Tools

VMware Identity Manager offers multiple services and tools to you as an administrator, as well as to your end users.

• Exercise C1: Explore the Administrator Tools

• Exercise C2: Explore the End-User Tools

Exercise C1: Explore the Administrator Tools

For most exercises in this guide, you use the VMware Identity Manager Administration Console (also called the Admin Console) to set up the resource catalog of applications and desktops and oversee your users, groups, and entitlements. You can launch the Administration Console from your web browser by navigating to https://<hostname.example.com>/admin and logging in using your Active Directory administrator user name and password.

Figure C1: VMware Identity Manager Administration Console


Explore the Administration Console tabs to familiarize yourself with the location of the main features.

• Dashboard – Includes both User Engagement and System Diagnostics dashboards for quick access to information. The first thing you see is the User Engagement Dashboard, which provides an overview of the system, including how many users and groups your system has, which applications are used most, how many logins, and more. Click the down arrow on the Dashboard tab to see all dashboard options.

• Users & Groups – Provides access to all users and groups synchronized from directories, as well as those created within the system.

• Catalog – Use this tab to add and manage resources, including Horizon desktops and applications, RDSH published applications, Citrix XenApp published applications, and ThinApp packages, approvals, auditing, branding, and more.

• Identity & Access Management – Use the Manage subtab to configure directory, identity provider, password recovery, and policy options. Use the Setup subtab to manage Connector initialization, custom branding, user attributes, and network range definition options.

• Appliance Settings – Use this tab to administer the virtual appliance, licensing, and SMTP configuration settings.

For more information, see VMware Identity Manager Documentation.

After you have explored the Administration Console, proceed to the next exercise to explore the tools that VMware Identity Manager provides for your end users.

Exercise C2: Explore the End-User Tools

End users access the VMware Identity Manager User Portal to manage and launch the applications and resources that they are entitled to and have chosen to display.

1. From the Administration Console, access the User Portal by clicking the User Portal link in the drop-down menu in the upper right. Your end users log in directly to the User Portal with their Active Directory credentials.

Figure C2: Switch from the Administration Console to the User Portal


2. Explore the Catalog window – Click Catalog in the toolbar to see the resources that you as an end user are entitled to access.

Figure C3: The Catalog Page Displays the User’s Entitled Resources

Users can filter to view the latest resources added. Users click the Add link to add a resource in their Catalog to their Launcher window. Users can also add their applications to Favorites and organize them in categories.

3. Explore the Launcher window – By default, the User Portal opens to the Launcher first, which is a subset of the Catalog. The Launcher shows the resources that the end user has selected from the Catalog, such as the most often used, or the favorites. Applications can be entitled to end users as either User Activated or Automatic. Applications that are entitled as Automatic also appear on the Launcher the first time the end user logs in. Users can filter the resources and see details about each resource.

Figure C4: The Launcher Page Displays the Entitled Resources That the User Wants to See


4. To return to the Administration Console, click the Administration Console link in the drop-down menu in the upper right.

Figure C5: Switch from the User Portal to the Administration Console

After you have finished exploring the features of the Administration Console and the User Portal, proceed to the next exercise to explore the newly expanded custom branding options.

Applying Custom Branding (Optional)

You can apply enterprise branding to company icons, logos, fonts, backgrounds, and titles. Customized branding is displayed in the Sign-In, User Portal, and Administration Console windows, in web browser window titles, and as background colors and text fonts.

• Exercise C3: Apply Custom Branding to the Administration Console and Sign-In Screen

• Exercise C4: Apply Custom Branding to the User Portal

Exercise C3: Apply Custom Branding to the Administration Console and Sign-In Screen

You can customize the Administration Console to display your company branding.

1. Log in to the VMware Identity Manager Administration Console.

Figure C6: Log In to the Administration Console


2. On the Identity & Access Management tab, select Setup > Custom Branding.

Figure C7: Customize Names and Logos

3. On the Names & Logos page, customize the brand name and logo, and click Save.

a. Company Name – Enter the company name to appear in the web browser window.

b. Product Name – Enter the product name to follow the company name in the web browser window.

c. Favicon – To add an icon that appears in the web browser address bar, click Upload and select the image. For best results, use a 16px by 16px JPEG, PNG, or GIF file.

4. On the Sign-In Screen page, apply your customizations in the checkboxes to the right, verify the previews to the left, and then click Save.

Figure C8: Brand the Sign-In Screen

a. Logo – Upload your company logo as a JPEG, PNG, or GIF file at least 100 pixels high.

b. Image (Optional) – Upload an image as a JPEG, PNG, or GIF file at least 1400 x 900 pixels.

c. Background Color – Enter the hexadecimal color code, and verify the result in the preview.

d. Box Background color – Enter the hexadecimal color code, and verify the result in the preview.

e. Login button background color – Enter the hexadecimal color code, and verify the result in the preview.

f. Login button text color – Enter the hexadecimal color code, and verify the result in the preview.

5. In the upper left under Preview, verify branding of the Sign-In Screen, and then click Save.

6. Verify that your changes appear by relaunching VMware Identity Manager.

For more information, see VMware Identity Manager Documentation.

After rebranding the Administration Console Sign-In screen, proceed to the next exercise to customize the User Portal.

Exercise C4: Apply Custom Branding to the User Portal

You can create multiple customized views for end users. For example, create a view for large screens, such as laptops and monitors, and another view for small screens, such as mobile devices and tablets.

1. In the Administration Console, on the Catalog tab, select Settings > User Portal Branding.

Figure C9: Customize the User Portal

2. In the Logo section of the User Portal Branding window, upload a JPEG, PNG, or GIF file no larger than 220 x 40 pixels to create a masthead logo.

Figure C10: Apply a Logo to the Masthead

3. In the Portal section, apply your customizations, and verify using the preview on the right.

Figure C11: Customize the Portal

• Masthead Background color – Enter the hexadecimal color code.

• Masthead Text color – Enter the hexadecimal color code.

• Background Color – Enter the hexadecimal color code.

• Name and Icon Color – Enter the hexadecimal color code.

• Lettering effect – Select an effect from the drop-down menu.

• Background Highlight – Enable or disable the background highlight.

• Background Pattern – Enable or disable the background pattern.

• Image (Optional) – Click Upload, and select an image as a JPEG, PNG, or GIF file no larger than 1400 x 900 pixels.

4. If you enabled VMware Verify for two-factor authentication, in the VMware Verify section, customize the sign-in page with your company logo and verify using the preview on the right.

Figure C12: Customize VMware Verify

a. Logo – Click Upload, and select an image of your company logo no larger than 540 x 170 pixels.

b. Icon – Click Upload, and select an image of your icon no larger than 81 x 81 pixels.

5. After customizing the User Portal, click Save.

6. Verify that your changes appear by relaunching VMware Identity Manager.

For more information, see VMware Identity Manager Documentation.

After your company branding is displayed to your satisfaction, proceed to the next exercise to add a web application using the basic features of VMware Identity Manager.

Adding a Web Application and Entitlements

These exercises introduce you to the basic processes of adding a web application, entitling user access, and verifying that end users can launch the application.

• Exercise C5: Add a Web Application

• Exercise C6: Manage Resources by Category

• Exercise C7: Entitle Users to Access the Web Application

• Exercise C8: Verify the Web Application Launches in the User Portal

Exercise C5: Add a Web Application

To add a web application to the Catalog:

1. In the Administration Console, select the Catalog tab.

2. In the upper right, click Add Applications, and from the drop-down menu, select from the cloud application catalog.

Figure C13: Go to the Cloud Application Catalog

3. From the cloud catalog, select the web application to add. In this example, Accellion is selected.

Figure C14: Select an Application to Add from the Cloud

4. On the Application Details page, customize the application information, and click Save.

Figure C15: Modify Application Details

a. Name – Enter the name of the application. For this example, the Accellion application was added.

b. Description – Provide an optional description.

c. Icon – Browse for an icon file if you want. If you do not indicate one, VMware Identity Manager displays the default icon.

d. Authentication Profile – For this test deployment, accept the default.

e. Categories – For the purposes of this exercise, leave this field blank.

5. Select Configuration on the left, provide the target URL, and then click Save.

Figure C16: Configure the Target URL

6. On the Catalog tab, verify that you can see the new application on the Catalog list.

Figure C17: Select the New Application

For more information, see VMware Identity Manager Documentation.

After you add a Web application, proceed to the next exercise to entitle users and groups to access the newly added web application.

Exercise C6: Create Categories to Manage Resources

Categories organize and help you search for applications. You can apply multiple categories to a single application.

To create categories:

1. In the Administration Console, click the Catalog tab, select an application, and click Details on the left. In the following example, Facebook is selected.

Figure C18: View Details of a Web Application

2. In the Categories text box in the lower right, add a category. This example uses Web Link.

Figure C19: Add an Application Category

3. Click the Catalog tab to return to the list of applications. The new Web Link category is now applied to Facebook.

Figure C20: Verify the Category in the Catalog

4. Click the Any Category down arrow, select the new category from the drop-down menu, and verify that VMware Identity Manager displays applications only in that category.

Figure C21: Search by Category

For more information, see VMware Identity Manager Documentation and Managing Categories for Citrix Published Resources.

After creating new categories for your web applications, proceed to the next exercise to entitle users and groups to access web applications from the User Portal.

Exercise C7: Entitle Users and Groups to Access Web Applications

You can specify which users and groups are entitled to access a web application. You can grant entitlements or synchronize to entitlements granted outside of VMware Identity Manager for the following resource types:

• Web applications – Grant entitlements in VMware Identity Manager

• ThinApp packages – Grant entitlements in VMware Identity Manager

• SaaS – Synchronize to entitlements set by the SaaS vendor

• View desktops and applications – Synchronize to entitlements set in Horizon 7

• Citrix published applications – Synchronize to entitlements set in Citrix XenApp

For web applications and ThinApp packages, you can grant entitlements per user or group or per resource type.

To add entitlements to the web application added in Exercise C5:

1. In the Administration Console, on the Catalog tab, select the web applications that you want to entitle.

2. In the lower left, click Entitlements, and in the upper right, click Add group entitlement.

Figure C22: Add Group Entitlements to the Selected Application

3. On the Add Group Entitlement page, select a group by clicking the check box, select Automatic, and then click Save. For this exercise, the ALL USERS group is selected.

Figure C23: Add Group Entitlements and Select the Deployment Type

• Automatic – Users can access the application the next time they log in to VMware Identity Manager.

• User-Activated – Users must activate the application in VMware Identity Manager before they can use it.

4. In the upper right, click Done.

Figure C24: Complete the Entitlement Process

After adding entitlements to a web application, proceed to the next exercise to verify that the end users can launch the newly added application properly.

Exercise C8: Verify That Web Applications Launch from the User Portal

Verify the end-user experience in the User Portal.

1. From the Administration Console, click the User Portal link in the drop-down menu in the upper right.

Figure C25: Switch from the Administration Console to the User Portal

2. Click the Launcher button, and then launch the application by clicking its icon. In this example, the Accellion icon is selected.

Figure C26: Launch the Application

3. Verify that the application launches properly. In this example, Accellion is launched.

Figure C27: Verify that the Web Application Launches Properly

For more information, see VMware Identity Manager Documentation.

Upon completion of this exercise, you have now installed and configured your VMware Identity Manager virtual appliance, applied customized branding, and followed basic procedures to add a web application and entitle groups to access the web application. You are now ready to explore additional capabilities of VMware Identity Manager.

Integrating the View Component of Horizon 7

At any time after VMware Identity Manager is installed and configured, you can integrate with external products and perform specialized tasks. This section describes how to configure the View Application option, which enables you to manage View resources, such as RDSH published applications and View virtual desktops and applications, through VMware Identity Manager. To perform these exercises, you must already have Horizon 7 set up.

Overview of View

View is a component of VMware Horizon 7 that delivers virtualized and remote desktops and applications through a single platform and supports end users with access to Windows and online resources.

Integrating View with VMware Identity Manager enables you to synchronize information about your available View resources and entitlements from the View Connection Server to VMware Identity Manager. You continue to use your View deployment to entitle end users to View resources, such as View applications and desktops, and RDSH published applications and desktops. You then use VMware Identity Manager to monitor these View resources and entitlements alongside resources from other sources. Your end users can use SSO to access their View resources—as well as SaaS applications, ThinApp packages, and Citrix published applications—through the User Portal.

Exercises for View Integration

The following exercises help you evaluate the benefits of integrating an existing View deployment with VMware Identity Manager. The exercises are sequential and build on one another, so make sure to complete each exercise in the order presented.

• Exercise D1: Prepare for View integration

• Exercise D2: Configure the View Application Option

• Exercise D3: Configure SAML authentication in View

• Exercise D4: Review Entitlements to View Resources

• Exercise D5: Launch View Resources from the User Portal

Exercise D1: Prepare for View Integration

Before starting the integration process, review the prerequisites and gather the configuration data.

1. In addition to having your evaluation VMware Identity Manager deployment set up and configured, verify that your environment meets the prerequisites.

ITEM – REQUIREMENT

• Horizon 7 or later – Deployed and configured. See VMware Identity Manager Administrator’s Guide.

• View Connection Server – Deployed. See VMware Horizon 7 View Administration. Note: Reverse lookup is required for View Connection Server. If reverse lookup is not properly configured, the View integration with VMware Identity Manager fails. You must have a DNS entry and an IP address that uses reverse lookup for each View Connection Server, View Security Server, and load balancer in your View setup. See Configure DNS Records and IP Addresses.

• VMware Horizon Client™ or HTML5-compatible browser – If end users do not have Horizon Client or an HTML5-compatible browser, they are prompted to download Horizon Client to their endpoint the first time they launch a View resource.

• Entitlements for Active Directory users and groups – Set up View pools and desktops with entitlements based on Active Directory users and groups, and verify that users and groups have proper entitlements. See VMware Identity Manager Administration Guide.

• View resources – In View, set up resources (desktops, desktop pools, hosted applications, View pools, and View Pods) in the root folder of View to enable VMware Identity Manager to query the pools and entitlements. When configuring remote settings for desktop pools, verify that you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.

Table D1: View Integration Requirements

2. Gather the data required for subsequent exercises.

ITEM – YOUR CONFIGURATION DATA

• Active Directory server FQDN

• Active Directory user name and password for administrative account with rights to join to the domain

• Initial View Connection Server FQDN

• FQDN for client access, such as the public name

• Active Directory user name and password for user account with read rights in View Administrator

Table D2: Configuration Data Worksheet for View Integration

For more information about prerequisites, see the VMware Product Interoperability Matrix.
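A check for the reverse-lookup requirement in Table D1, added here as an example rather than VMware's own tooling: it resolves each View Connection Server, security server and load balancer FQDN, reverse-resolves every returned address, and reports any address whose PTR record is missing or does not map back to the same name. The host names and addresses in the embedded sample zone are constructed placeholders (RFC 5737 test range); the resolver functions are injectable so the check runs offline against that sample and against real DNS when called with the defaults.

```python
"""Forward/reverse DNS consistency check for View integration hosts.

Added example, not VMware code.  Table D1 states that the View
integration fails unless every View Connection Server, security server
and load balancer has a DNS entry whose address reverse-resolves.
"""
import socket


def _forward(fqdn):
    """All IPv4 addresses for fqdn, using the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def _reverse(ip):
    """PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_view_dns(hosts, forward=_forward, reverse=_reverse):
    """Return {fqdn: [problem, ...]}; an empty list means the host passed.

    A host passes only if it resolves to at least one address and every
    address has a PTR record whose name equals the queried FQDN.
    """
    report = {}
    for fqdn in hosts:
        name = fqdn.rstrip(".").lower()
        problems = []
        try:
            addrs = forward(name)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            report[name] = [f"forward lookup failed: {exc}"]
            continue
        if not addrs:
            problems.append("forward lookup returned no address")
        for ip in addrs:
            ptr = reverse(ip)
            if ptr is None:
                problems.append(f"{ip}: no PTR record")
            elif ptr.rstrip(".").lower() != name:
                problems.append(f"{ip}: PTR is {ptr!r}, expected {name!r}")
        report[name] = problems
    return report


# Constructed sample zone (placeholder names, RFC 5737 test addresses)
# that exercises the pass case and each failure mode offline.
SAMPLE_A = {
    "cs1.view.example.internal": ["192.0.2.10"],          # correct PTR
    "cs2.view.example.internal": ["192.0.2.11"],          # stale PTR
    "view-lb.example.internal": ["192.0.2.20", "192.0.2.21"],  # one PTR missing
    "secsrv.view.example.internal": ["192.0.2.30"],       # no PTR at all
}
SAMPLE_PTR = {
    "192.0.2.10": "cs1.view.example.internal",
    "192.0.2.11": "cs2-old.view.example.internal",
    "192.0.2.20": "view-lb.example.internal",
}


def sample_forward(fqdn):
    """Offline stand-in for _forward over the constructed zone."""
    if fqdn not in SAMPLE_A:
        raise OSError(f"no A record for {fqdn}")
    return list(SAMPLE_A[fqdn])


def sample_reverse(ip):
    """Offline stand-in for _reverse over the constructed zone."""
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for host, problems in check_view_dns(SAMPLE_A, sample_forward, sample_reverse).items():
        print(f"{host}: {'OK' if not problems else '; '.join(problems)}")
```

Run it with `check_view_dns(["cs1.corp.example", ...])` and the default resolvers against a real environment; any non-empty list identifies a host that will break the integration before you enable View Pools.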

After reviewing the prerequisites and gathering information for subsequent exercises, proceed to the next exercise to configure the View Application option.

Exercise D2: Configure the View Application Option

Configure the View Application option.

1. In the VMware Identity Manager Administration Console, on the Catalog tab, select Manage Desktop Applications > View Application.

Figure D1: Select View Application

2. If the Administration Console hangs as it is redirecting, click again.

Figure D2: Workaround When Administration Console Hangs

3. On the View Pools page, select Enable View Pools.

Figure D3: Enable View Pools

4. On the View Pools page, provide the following information, and then click Save:

Figure D4: Configure View Pools

a. Connection Server – Enter the name of the View Connection Server.

b. Username – Enter the administrator credentials that you recorded earlier.

c. Password – Enter the administrator password that you recorded earlier.

d. Using Smart Card Authentication – For the test deployment, leave this option deselected.

e. Suppress Password Popup – For the test deployment, leave this option deselected.

f. Sync Local Entitlements – Make sure the checkbox is checked.

g. Deployment Type – Use the default Automatic setting, which automatically adds applications and virtual desktops to users’ User Portal according to their View entitlements.

h. Do not sync duplicate applications – Select to avoid duplicate applications from multiple servers during synchronization.

i. Configuring 5.x Connection Server – For the test deployment, leave this option deselected.

j. Perform Directory Sync – For the test deployment, leave this option deselected.

k. Choose Viewpool Sync Frequency – Select how often and when synchronization runs. For this exercise, every hour was selected.

5. In the Last Sync panel in the lower right, click Sync Now to synchronize VMware Identity Manager and the Active Directory configuration from View.

Figure D5: Start the Synchronization

6. In the upper right, click Admin Console to return to the Administration Console.

Figure D6: Return to the Administration Console

7. Under Identity & Access Management > Setup > Network Ranges, select the range, enter the client access URL host and URL port for the View Pod, and then click Save.

Figure D7: Set the Client Access URL Host and URL Port for the View Pod

For more information, see VMware Identity Manager Documentation.

After configuring the View Application option, proceed to the next exercise to enable and configure SAML authentication in View.

Exercise D3: Configure SAML Authentication in View

SAML is a widely recognized open standard for SSO. SAML authentication enables you to launch View desktops from VMware Identity Manager. The SAML authenticator contains the trust and metadata exchange between View and the device to which clients connect. While their web browser sessions remain open, your users can log in to one system in your environment, and gain access to other systems in your environment without logging in multiple times.

To add VMware Identity Manager as a SAML authenticator:

1. Verify that the following prerequisites are met.

a. Your View instance has an SSL certificate installed.

b. View Connection Server has a root-signed certificate.

c. SAML authentication is already configured on the View Connection server.

Note: To verify, log in to VMware Horizon View Administrator and select View Configuration > Servers > Connection Servers > Edit Connection Server Settings > Authentication > SAML Authenticator Administration.

d. The VMware Identity Manager FQDN is always used in the authenticator configuration window.

2. Log in to VMware Horizon View Administrator with an administrative user account.

3. In the navigation bar to the left, select View Configuration > Servers, select the View Connection Server that you configured in Exercise D2: Configure the View Application Option, and then click Edit.

Figure D8: Select the View Configuration Server

4. On the Edit Connection Server Settings page, select the Authentication tab, select Allowed from the drop-down menu in the upper left, and click Manage SAML Authenticators.

Figure D9: Edit the Connection Server Settings

5. In the Manage SAML Authenticators dialog box, click Edit.

Figure D10: Edit a SAML Authenticator

6. In the Edit SAML 2.0 Authenticator dialog box, in the Metadata URL field, enter the FQDN of VMware Identity Manager, accept the rest of the default information, and click OK.

Figure D11: Configure the SAML Authenticator

7. Verify that the SAML authenticator to use is displayed, accept the other default settings, and click OK.

Figure D12: Edit Connection Server Settings

8. Return to VMware Identity Manager, and click Save to complete the configuration.

Figure D13: Save the Connection Server Settings

9. On the View Pools page, review the scheduled additions, updates, and removals, and click Save and Continue.

Figure D14: Review the Scheduled Changes

10. On the Catalog tab, verify that you can access your View resources.

Figure D15: Verify View Resources in the VMware Identity Manager Catalog

For more information, see VMware Identity Manager Documentation.

After your View Connection Server is associated and synchronized with a SAML authenticator, your View resources are available to view and manage in VMware Identity Manager. Proceed to the next exercise to review entitlements.
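The trust that Exercise D3 establishes rests on the SAML 2.0 IdP metadata that View fetches from the Metadata URL. The following added example (not VMware's code) parses such a metadata document and checks what a reviewer should confirm before accepting the authenticator: the entityID, that every single sign-on endpoint is HTTPS on the expected VMware Identity Manager FQDN, and the SHA-256 fingerprint of the signing certificate that View will use to validate assertions. The FQDN vidm.example.internal, the endpoint paths and the certificate bytes in the sample are constructed placeholders.

```python
"""Pre-trust inspection of SAML 2.0 IdP metadata (added example, not VMware code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: placeholder host, paths and certificate bytes,
# shaped like the metadata an IdP serves at its metadata URL.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://vidm.example.internal/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vidm.example.internal/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vidm.example.internal/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sha256_hex(data):
    """Hex SHA-256 fingerprint of DER certificate bytes."""
    return hashlib.sha256(data).hexdigest()


def inspect_idp_metadata(xml_text, expected_host):
    """Parse IdP metadata and return entityID, SSO endpoints, signing-cert
    fingerprints and a list of problems (empty list means all checks passed)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    result = {"entity_id": root.get("entityID", ""), "endpoints": [],
              "signing_fingerprints": [], "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return result
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        url = urlparse(loc)
        if url.scheme != "https":
            result["problems"].append(f"SSO endpoint is not HTTPS: {loc}")
        if url.hostname != expected_host.lower():
            result["problems"].append(f"SSO endpoint host {url.hostname!r} is not {expected_host!r}")
        result["endpoints"].append((sso.get("Binding", ""), loc))
    if not result["endpoints"]:
        result["problems"].append("no SingleSignOnService endpoint published")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            result["signing_fingerprints"].append(sha256_hex(der))
    if not result["signing_fingerprints"]:
        result["problems"].append("no signing certificate: assertions cannot be verified")
    return result


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA, "vidm.example.internal")
    print("entityID:", report["entity_id"])
    for binding, loc in report["endpoints"]:
        print("SSO:", binding.rsplit(":", 1)[-1], loc)
    print("signing cert SHA-256:", *report["signing_fingerprints"])
    print("problems:", report["problems"] or "none")
```

Record the reported fingerprint when you register the authenticator; if a later metadata refresh shows a different one, treat it as a signing-key change to be confirmed with the VMware Identity Manager administrator.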

Exercise D4: Review Entitlements to View Resources

This exercise requires that users and groups are already entitled in View, which you can now view through VMware Identity Manager.

1. In the Administration Console, on the Catalog tab, select an application with entitlements set in View.

Figure D16: Select an Application with View Entitlements

2. Examine the application entitlements. In this example, only the Office Users group is entitled to access the View hosted application.

Figure D17: Verify Application Entitlements

Note: Remember that you add or modify entitlements to View resources in View, and see them in VMware Identity Manager. Each time you make changes in View, such as adding a new resource or entitling new users or groups, synchronize to make the new data visible in VMware Identity Manager.

After adding and synchronizing entitlements, proceed to the next exercise to verify that the View resources and entitlements are accessible to your end users through their User Portal.

Exercise D5: Launch View Resources from the User Portal

Now that you have added entitlements to View applications and desktops and synchronized them to VMware Identity Manager, verify that the View resources display properly in the User Portal. For this exercise, you must have either VMware Horizon Client installed on your endpoint or an HTML5-compatible web browser. For more information, see Installing and Configuring VMware Identity Manager.

1. In the Administration Console, from the drop-down menu in the upper right, select User Portal.

Figure D18: Switch from the Administration Console to the User Portal

2. In the Launcher, right-click a View hosted application to view details and launch using your locally installed Horizon Client or web browser.

Figure D19: Launch a View Hosted Application

3. Verify that the application launches properly.

Figure D20: Verify That the View Desktop Launches Properly

For more information, see VMware Identity Manager Documentation.

Now that you have set up the View Application option and accessed View resources from VMware Identity Manager, this section is complete. You are now ready to explore additional VMware Identity Manager capabilities, such as managing ThinApp packages and Citrix published applications.

Integrating a ThinApp Infrastructure

Any time after VMware Identity Manager is installed and configured, you can integrate with external products and perform specialized tasks. This section describes how to configure the ThinApp application option, which enables you to manage ThinApp packages through VMware Identity Manager. To perform these exercises, you must already have a repository of ThinApp packages.

Overview of ThinApp

ThinApp is an application virtualization tool that is included in VMware Identity Manager and is also available as a standalone product. ThinApp decouples a conventional Windows application from its underlying operating system and encapsulates the application files and registry entries into a single package. A ThinApp package is more portable, and the virtualized application behaves the same across different operating system configurations.

You can use ThinApp to simplify the migration of legacy Windows applications, such as applications based on Internet Explorer 6, to Windows 7 systems. You can augment security policies by deploying ThinApp packages on locked-down computers, and allow end users to run their favorite applications without compromising security. You can also deploy, maintain, and update virtualized applications on USB removable media for greater portability.

Integrating your ThinApp repository with VMware Identity Manager streamlines application management by providing ThinApp packages to end users from a unified workspace. You can deploy ThinApp packages and entitle users and groups using VMware Identity Manager. Your end users can use SSO to access their ThinApp packages—as well as View resources, SaaS applications, and Citrix published applications—through the VMware Identity Manager User Portal.

For more information, see VMware ThinApp.

Exercises for ThinApp Packages

The following exercises help you evaluate the benefits of integrating an existing ThinApp repository with VMware Identity Manager. You must have a ThinApp repository already set up and ready to integrate with VMware Identity Manager before proceeding with the ThinApp exercises. The exercises are sequential and build on one another, so make sure to complete each exercise in the order presented.

• Exercise E1: Prepare for Integration

• Exercise E2: Configure the ThinApp Application Option

• Exercise E3: Entitle Users or Groups to ThinApp Packages

• Exercise E4: Launch ThinApp Packages from VMware Identity Manager

• Exercise E5: Launch ThinApp Packages from the User Portal

Exercise E1: Prepare for ThinApp Integration

Before starting the integration process, review the prerequisites and gather the configuration data.

1. In addition to having your evaluation VMware Identity Manager deployment set up and configured, verify that your environment meets the prerequisites.

ITEM – REQUIREMENT

VMware Identity Manager Connector – Make sure that the VMware Identity Manager Connector is joined to the domain.

ThinApp repository – Verify that you have a repository of ThinApp packages on a network share.
Note: To use VMware Identity Manager to manage your ThinApp packages, you must build your ThinApp packages to use VMware Identity Manager. This process, which includes defining the VMware Identity Manager settings for each ThinApp package, building the package, and putting the package on a ThinApp repository, is done in the ThinApp environment and is not described in this guide. Point VMware Identity Manager to the repository and synchronize the ThinApp packages to make them available in the VMware Identity Manager catalog. You can then entitle end users and groups.

Enabled ThinApp packages – Ensure that each ThinApp package is enabled for VMware Identity Manager when packaged. For more information, see Manage with VMware Horizon Application Manager in the ThinApp User’s Guide.

VMware Identity Manager for Desktops – Verify that VMware Identity Manager for Desktops is installed on each Windows desktop so that users can launch ThinApp packages. For more information, see Using VMware Identity Manager Apps Portal. Your users are prompted to download VMware Identity Manager for Desktops the first time they launch a ThinApp package, if it is not already installed.
Note: ThinApp packages run only on physical and virtual Windows desktops.

Table E1: ThinApp Integration Requirements

2. Gather the data required for the exercises.

ITEM YOUR CONFIGURATION DATA

User name and password of user account with read rights to the network share

Uniform Naming Convention (UNC) path to network share folder

Table E2: Configuration Data Worksheet for the ThinApp Application Option

Now that you have finished preparing for configuration, proceed to the next exercise to configure the ThinApp Application option.
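To check the Table E1 and Table E2 items before you type them into the next exercise, here is an added PowerShell pre-flight script; it is not part of the VMware guide, it assumes the Connector runs on a domain-joined Windows host with PowerShell 3.0 or later, and the UNC path and account name are placeholders for your own values.

```powershell
# Added example, not from the VMware guide: pre-flight check for the ThinApp
# repository data gathered in Table E2, run on the Windows host that runs the
# VMware Identity Manager Connector (assumed; PowerShell 3.0 or later).
# The UNC path and account name are placeholders for your own values.
param(
    [string]$RepositoryPath = '\\fileserver.example.com\thinapp',   # placeholder UNC path
    [string]$ShareUser      = 'EXAMPLE\svc-thinapp-ro'               # placeholder read-only account
)

$ErrorActionPreference = 'Stop'

# Table E1: the Connector must be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Host $($cs.Name) is not domain-joined; join the Connector to the domain first."
}
Write-Host "Domain membership OK: $($cs.Domain)"

# Table E2: the repository must be entered in UNC format, \\server\share[\subfolder].
if ($RepositoryPath -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "'$RepositoryPath' is not a UNC path such as \\server\share\subfolder."
}

# Table E2: the share account only needs read rights. Prompt for its password
# instead of embedding it, and map the share with exactly those credentials so
# the test cannot pass on the interactive user's own permissions.
$cred = Get-Credential -UserName $ShareUser -Message 'Password of the ThinApp share account'
New-PSDrive -Name ThinAppRepo -PSProvider FileSystem -Root $RepositoryPath -Credential $cred | Out-Null
try {
    # A ThinApp package consists of an .exe entry point and, optionally, a .dat data container.
    $packages = @(Get-ChildItem -Path 'ThinAppRepo:\' -Recurse -File -Include *.exe, *.dat)
    if ($packages.Count -eq 0) {
        Write-Warning "The share is readable but holds no package files; Sync Now would import nothing."
    } else {
        Write-Host "Read access OK: $($packages.Count) package files under $RepositoryPath"
    }

    # Least privilege: flag any ACE on the repository root that grants the
    # share account write, modify or full-control rights it does not need.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path 'ThinAppRepo:\').Access) {
        if ($ace.IdentityReference.Value -eq $ShareUser -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]($ace.FileSystemRights -band $writeMask)) -ne 0) {
            Write-Warning "$ShareUser is granted $($ace.FileSystemRights) on the repository; read access is sufficient."
        }
    }
}
finally {
    # Unmap the share so the read-only credentials do not linger in the session.
    Remove-PSDrive -Name ThinAppRepo
}
```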


Exercise E2: Configure the ThinApp Application Option

Enable VMware Identity Manager to locate your ThinApp packages.

1. Log in as an administrator to the VMware Identity Manager Administration Console, and on the Catalog tab, select Manage Desktop Applications > ThinApp Application.

Figure E1: Select ThinApp Application

2. If the Administration Console hangs as it is redirecting, click again.

Figure E2: Workaround When Administration Console Hangs

3. On the Packaged Apps – ThinApp page, select Enable packaged applications, and click Save.

Figure E3: Enable Packaged Applications

4. Enter the following information, and click Save.

Figure E4: Configure Packaged Applications

a. Path – Enter the path to the shared ThinApp repository using UNC format, such as \\server\share\subfolder.

b. Choose Frequency – Select the time interval for the Connector to synchronize the data. For this example, once per day was selected.

c. Choose the time – For a daily interval, as in this example, set the time to start. For a weekly interval, set the day and time of day.

d. Enable account based access – Select to enable account-based access, which is required for NetApp storage systems and other brands of DFS shares, and for Windows network shares when using the HTTP download deployment feature.

e. Share User – Enter the user name of a user account that has read access to the ThinApp repository.

f. Share Password – Enter the password for the user account.

5. Click Sync Now.

Figure E5: Start the Synchronization

6. In the upper right, click Admin Console to return to the Administration Console.

Figure E6: Return to the Administration Console

7. To filter for ThinApp packages, on the Catalog tab, select Any Application Type > ThinApp Packages.

Figure E7: Filter for ThinApp Packages

8. Verify that the ThinApp packages are listed.

Figure E8: Verify That the ThinApp Packages Are Available

For more information, see VMware Identity Manager Documentation.

When the synchronization is complete, proceed to the next exercise to grant entitlements to ThinApp packages.


Exercise E3: Grant Entitlements Based on ThinApp Packages

You can entitle users and groups to ThinApp packages in two ways: based on the ThinApp package, as shown in this exercise, or by users and groups. This exercise requires that users have VMware Identity Manager Desktop installed on their Windows desktops. Entitled users can view and launch ThinApp packages from VMware Identity Manager on their own systems. If you remove the entitlement, the user no longer sees the ThinApp package.

1. In the Administration Console, on the Catalog tab, select a ThinApp package to entitle your end users to access.

Figure E9: Select a ThinApp Package

2. Under Application Info on the left, click Entitlements, and click Add group entitlement on the right.

Figure E10: Add Group or User Entitlements


3. On the Add Entitlement page, select the groups that you want to entitle.

Figure E11: Select the Groups to Entitle

4. Under the Deployment Type drop-down menu, select the deployment type, and click Save.

Figure E12: Select the Type of Deployment

• Automatic – Users can access the ThinApp package the next time they log in to VMware Identity Manager.

• User-Activated – Users activate the ThinApp package in VMware Identity Manager before they can use it.

For more information, see VMware Identity Manager Documentation.

After granting entitlements based on ThinApp packages, proceed to the next exercise to grant entitlements based on users and groups.


Exercise E4: Grant Entitlements Based on Users and Groups

As in the previous exercise, users must have VMware Identity Manager Desktop installed on their Windows desktops. Entitled users can view and launch ThinApp packages from VMware Identity Manager on their own systems. If you remove the entitlement, the user no longer sees the ThinApp package.

1. In the Administration Console, on the Users & Groups tab, click Groups, and select a group to entitle. For this exercise, ALL USERS is selected.

Figure E13: Select a Group to Entitle

2. On the selected group page, click Add entitlement.

Figure E14: Add Entitlements to the Selected Group


3. In the Application Type drop-down menu, select ThinApp Packages, select the ThinApp package to entitle, and under Deployment, select the activation method.

Figure E15: Filter for ThinApp Packages and Select the Deployment Method

4. Click Save.

For more information, see VMware Identity Manager Documentation.

After granting entitlements to specific users or groups, proceed to the next exercise to verify that the end users you just entitled can access the ThinApp packages through their User Portal.

Exercise E5: Launch ThinApp Packages from the User Portal

After you entitle users and groups to access ThinApp packages, verify that the ThinApp packages display properly in the User Portal. For this exercise, you must have the VMware Identity Manager Desktop application installed on a Windows desktop.

1. In the Administration Console, from the drop-down menu in the upper right, select User Portal.

Figure E16: Switch from the Administration Console to the User Portal


2. Click Catalog, click a ThinApp package, and click Add. For this exercise, Adobe Reader is selected.

Figure E17: Select a ThinApp Package from the User Portal Catalog

3. Click Launcher, and click the ThinApp package that you just added.

Figure E18: Launch a ThinApp Package

4. Click the ThinApp package to verify that the application launches properly.

Figure E19: Verify That the ThinApp Package Launches Properly

For more information, see Using VMware Identity Manager Apps Portal.

Now that you have set up the ThinApp Application option and accessed ThinApp packages from VMware Identity Manager, you have completed this section. You are now ready to explore an additional VMware Identity Manager capability, managing Citrix published applications, or review View resources.


Integrating Citrix XenApp and XenDesktop Published Applications

At any time after VMware Identity Manager is installed and configured, you can integrate with external products and perform specialized tasks. This section describes how to configure the Citrix Published Application option, which enables you to manage resources from Citrix products through VMware Identity Manager. To explore these exercises, you must already have a Citrix XenApp or XenDesktop deployment set up.

Overview of XenApp

Citrix XenApp and XenDesktop are virtualization products hosted on groups of servers called XenApp Farms. Integrating your Citrix deployment with VMware Identity Manager enables you to leverage your existing Citrix deployment and still enjoy the productivity advantages of VMware Identity Manager. Your end users can use SSO to access their Citrix published applications—as well as SaaS applications, ThinApp packages, and RDSH published applications and desktops—through the VMware Identity Manager User Portal.

You continue to use your Citrix deployment to entitle end users to Citrix published applications. However, you can use VMware Identity Manager to monitor these applications and entitlements alongside applications from other sources. No VMware code is on the Citrix server or receiver. There is also no dependency on load balancers.

Exercises for Citrix Published Applications

The following exercises help you evaluate the benefits of integrating an existing deployment of Citrix with VMware Identity Manager. The exercises are sequential and build on one another, so make sure to complete each exercise in the order presented.

• Exercise F1: Prepare for Integration

• Exercise F2: Configure the Citrix Published Application Option

• Exercise F3: Review Entitlements for Citrix Published Applications

• Exercise F4: Launch Citrix Published Applications from the User Portal


Exercise F1: Prepare for Integration

Before starting the integration process, review the prerequisites and gather the configuration data.

1. In addition to having your evaluation VMware Identity Manager deployment set up and configured, verify that your environment meets the prerequisites.

ITEM – REQUIREMENT

vSphere 6.0 – Verify that vSphere 6.0 Update 1 or later is installed, including vCenter Server 6.0 Update 1 or later. For more information, see the VMware vSphere 6 documentation.

VMware Identity Manager Integration Broker – Verify that the VMware Identity Manager Integration Broker is installed and configured. You must have a XenApp Farm already set up and a Windows server to act as the Integration Broker before proceeding with the exercises. The Integration Broker is a standalone system that integrates VMware Identity Manager and a Citrix XenApp or XenDesktop infrastructure without extensive modifications to the Citrix deployment. For more information, see Installing and Configuring VMware Identity Manager.

Operating system – For the Integration Broker, VMware Identity Manager supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

Citrix XenApp Farm – Verify that a Citrix XenApp or XenDesktop deployment is set up with XenApp published applications. VMware Identity Manager supports XenApp and XenDesktop 5.0, 6.0, and 6.5.

Citrix Receiver – Verify that a platform-appropriate Citrix Receiver is installed on each supported endpoint so that your users can launch Citrix published applications from those supported devices. Citrix Receiver is required to launch Citrix published applications from VMware Identity Manager. If it is not already installed, users are prompted to download Citrix Receiver to their desktop or device the first time they launch a Citrix published application.

Table F1: Citrix Integration Requirements

2. Gather the data required for the exercises.

ITEM YOUR CONFIGURATION DATA

FQDN of the Integration Broker to synchronize with

Server port for the Integration Broker to synchronize with

Version of XenApp Farm

Transport type of your Citrix server

Port used by your Citrix server

Table F2: Configuration Data Worksheet for the Citrix Published Application Option

For more information, see Providing Access to Citrix-Published Resources in VMware Identity Manager Documentation.

Now that you have finished preparing for integration, proceed to the next exercise to enable and configure the VMware Identity Manager Citrix Published Application option.
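To validate the Table F1 prerequisites and the Table F2 worksheet values before entering them in the next exercise, here is an added PowerShell pre-flight script; it is not part of the VMware guide, it is meant to run on the Windows server that hosts the Integration Broker, and every host name, port and version in it is a placeholder (the XenApp server name is an assumption, since the worksheet records only its transport type and port).

```powershell
# Added example, not from the VMware guide: pre-flight check for the Citrix
# integration data in Table F2 and the Integration Broker prerequisites in
# Table F1, run on the Windows server that hosts the Integration Broker.
# Every host name, port and version below is a placeholder for your own values.
# Only .NET socket calls are used, so it also runs on the PowerShell 2.0 that
# ships with Windows Server 2008 R2, the oldest release in Table F1.
param(
    [string]$SyncBrokerFqdn = 'broker.example.com',     # placeholder FQDN
    [int]   $SyncBrokerPort = 8080,                     # placeholder port
    [string]$SsoBrokerFqdn  = 'broker.example.com',     # placeholder FQDN
    [int]   $SsoBrokerPort  = 8080,                     # placeholder port
    [bool]  $UseSsl         = $false,                   # the guide leaves Use SSL off for a test deployment
    [string]$XenAppVersion  = '6.5',                    # placeholder farm version
    [string]$CitrixServer   = 'xenapp01.example.com',   # placeholder XenApp server (assumed)
    [int]   $CitrixPort     = 80                        # placeholder port from your Citrix configuration
)

$problems = @()

function Test-TcpPort {
    # TCP connect test with a timeout; avoids Test-NetConnection, which needs PowerShell 4.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Table F1: the Integration Broker runs on Windows Server 2008 R2, 2012 or 2012 R2.
$osCaption   = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$supportedOs = @('Windows Server 2008 R2', 'Windows Server 2012')   # '2012' also matches 2012 R2
if (-not ($supportedOs | Where-Object { $osCaption -like "*$_*" })) {
    $problems += "Integration Broker OS '$osCaption' is not a supported Windows Server release."
}

# Table F1: supported XenApp/XenDesktop farm versions.
if (@('5.0', '6.0', '6.5') -notcontains $XenAppVersion) {
    $problems += "XenApp/XenDesktop version '$XenAppVersion' is not 5.0, 6.0 or 6.5."
}

# Table F2: the Sync and SSO Integration Broker FQDNs must resolve and accept
# connections on the server ports you will enter in Exercise F2.
$brokers = @(
    @{ Role = 'Sync Integration Broker'; Fqdn = $SyncBrokerFqdn; Port = $SyncBrokerPort },
    @{ Role = 'SSO Integration Broker';  Fqdn = $SsoBrokerFqdn;  Port = $SsoBrokerPort }
)
foreach ($b in $brokers) {
    try { [void][System.Net.Dns]::GetHostAddresses($b.Fqdn) }
    catch { $problems += "$($b.Role): '$($b.Fqdn)' does not resolve in DNS."; continue }
    if (-not (Test-TcpPort -HostName $b.Fqdn -Port $b.Port)) {
        $problems += "$($b.Role): nothing is listening on $($b.Fqdn):$($b.Port)."
    }
}
if (-not $UseSsl) {
    Write-Host 'Use SSL is deselected: broker traffic is unencrypted, which the guide does only for a test deployment.'
}

# Table F2: the port used by your Citrix server must match its configuration.
if (-not (Test-TcpPort -HostName $CitrixServer -Port $CitrixPort)) {
    $problems += "Citrix server ${CitrixServer}:$CitrixPort is not reachable; check the transport type and port."
}

if ($problems.Count -eq 0) {
    Write-Host 'All Table F1/F2 checks passed; proceed to Exercise F2.'
    exit 0
}
$problems | ForEach-Object { Write-Host "FAIL: $_" }
exit 1
```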


Exercise F2: Configure the Citrix Published Application Option

Configure the Citrix Published Application option to view Citrix published applications and entitlements from the VMware Identity Manager catalog. For this option, you need to define a Sync Integration Broker, which communicates between VMware Identity Manager and the Citrix XenApp or XenDesktop environment.

1. Log in as an administrator to the VMware Identity Manager Administration Console, and on the Catalog tab, select Manage Desktop Applications > Citrix Published Application.

Figure F1: Select Citrix Published Application

2. If the Administration Console hangs as it is redirecting, click again.

Figure F2: Workaround When Administration Console Hangs

3. On the Published Apps – Citrix page, select Enable Citrix-based Applications.

Figure F3: Enable Citrix-Based Applications


4. On the Published Apps – Citrix page, enter the following information for the Sync Integration Broker and the SSO Integration Broker:

Figure F4: Configure Citrix-Based Applications

a. Configure the Sync Integration Broker.

• Sync Integration Broker – Enter the FQDN of the Integration Broker to synchronize with.

• Server Port – Enter the port number for the Integration Broker to synchronize with.

• Use SSL – For this test deployment, leave the SSL check box deselected.

b. Configure the SSO Integration Broker.

• SSO Integration Broker – Enter the FQDN of the Integration Broker to synchronize with.

• Server Port – Enter the port number for the Integration Broker to synchronize with.

• Use SSL – For this test deployment, leave the SSL check box deselected.


5. Scroll down the Published Apps – Citrix page to configure the Server Farms.

Figure F5: Configure the Server Farms

• Version – Select the XenApp or XenDesktop version from the drop-down menu.

• Server name – For this test deployment, you can leave this blank.

• Servers – You can edit the list of servers or reorder them in order of failover. For this exercise, only one server is used.

• Transport type – From the drop-down menu, select the same transport type used in your Citrix server configuration. Make sure that all defined servers support the selected transport type.

• Port – Enter the same port number used in your Citrix server configuration.

• SSL Relay Port – For this test deployment, you can leave this field blank.


6. Scroll to the end of the Published Apps – Citrix page, enter the following information, and click Save.

Figure F6: Configure Synchronization Settings and Save

• Deployment Type – Select Automatic for entitling your Citrix published resources (applications and desktops).

• Sync categories from server farms – Select to enable VMware Identity Manager to use the categories defined for the Citrix published applications. Note: When you synchronize, the categories created in your Citrix deployment appear in VMware Identity Manager, but not the reverse. Categories created in VMware Identity Manager never appear in your Citrix deployment. When you edit a category in your Citrix deployment, the new name is displayed in VMware Identity Manager the next time you synchronize. However, the original category name also remains in VMware Identity Manager. You can edit it or manually delete it.

• Do not sync duplicate applications – Select this option to hide duplicate applications, which can occur when VMware Identity Manager is set up across multiple data centers. Because this exercise uses only one server, you do not need to enable this option.

• Choose Frequency – Select how often to synchronize.

• Choose the time – Select the time of day to synchronize.


7. Verify that the information is accurate, and click Sync Now to synchronize the Citrix Server Farm with VMware Identity Manager.

Figure F7: Synchronize VMware Identity Manager to Citrix Server Farm

For more information, see VMware Identity Manager Documentation.

After verifying that VMware Identity Manager is synchronized with your Citrix Server Farm, proceed to the next exercise to inspect the entitlements to Citrix published applications.


Exercise F3: Review Entitlements to Citrix Published Applications

You add and modify entitlements in the Citrix infrastructure and view them in VMware Identity Manager. Each time you make changes in the Citrix infrastructure, such as adding an application or entitling new users, you must synchronize to transfer the new data from the Citrix Server Farm to VMware Identity Manager before the changes appear there. You can sync the data manually or wait for the automatic sync to run at the frequency that you configured.

1. To see which users and groups are entitled to a specific Citrix published application, do the following.

a. On the Catalog tab, select Any Application Type > Citrix Published Applications to filter out other types.

Figure F8: Filter to View Only Citrix Published Applications

b. Select a Citrix published application, such as Calculator.

Figure F9: Select a Citrix Published Application


c. On the left, select Entitlements to view the individual and group entitlements. In this example, the Citrix Guests, Admins, and Users groups are entitled to access this application.

Figure F10: View Groups and Users Entitled to a Citrix Published Application

2. To see which Citrix published applications a specific user or group is entitled to, do the following.

a. On the Users & Groups tab, click either Users or Groups, and then select a specific user or group. For this exercise, the Citrix Users group is selected.

Figure F11: View Entitlements for a Specific Group or User


b. On the left, select Entitlements. The applications that the selected group is entitled to use are listed under Citrix Published Applications. In this example, the Citrix Users group is entitled to access 23 applications.

Figure F12: View Application Entitlements for a Specific Group

For more information, see VMware Identity Manager Documentation.

After verifying that your Citrix published applications and entitlements are visible in the VMware Identity Manager Administration Console, proceed to the next exercise to launch Citrix published applications from the User Portal.


Exercise F4: Launch Citrix Published Applications from the User Portal

Verify that users can access Citrix published applications from their supported client devices. For this exercise, Citrix Receiver must be installed on the supported endpoint device.

1. In the Administration Console, from the drop-down menu in the upper right, select User Portal.

Figure F13: Switch from the Administration Console to the User Portal

2. Click the Launcher button, and select All Apps to filter for Citrix Published Applications.

Figure F14: Filter for Citrix Published Applications

3. In the Launcher, select a Citrix published resource to test.

Figure F15: Launch a Citrix Published Application to Test


4. Click the Citrix published application that you selected, and verify that the application launches properly.

Figure F16: Verify That the Citrix Published Application Displays Properly

For more information, see Providing Access to Citrix Published Resources.

Now that you have set up the Citrix Published Application option and accessed Citrix resources from VMware Identity Manager, you have completed all exercises in this Reviewer’s Guide. At any time, you can return to explore the additional capabilities, such as managing View resources and ThinApp packages.


Summary

This guide describes the main features and benefits of VMware Identity Manager, individual components, and interoperability. This guide provides exercises for setting up an evaluation deployment and exploring some main features, including integration with the View component of Horizon 7, ThinApp, and Citrix products.

Additional Resources

For more information about VMware Identity Manager, review the following resources:

• Introducing VMware Identity Manager (VMware blog post)

• Setting Up Applications in VMware Identity Manager

• Upgrading VMware Identity Manager Connector

• Using Identity Manager Apps Portal

• VMware Consulting Professional Services Organization

• VMware Horizon 7 (which includes the View feature)

• VMware Horizon 7 Documentation

• VMware Horizon Pricing, Packaging, and Licensing

• VMware Horizon Support Center

• VMware Identity Manager Administration Guide

• VMware Identity Manager Connector Installation and Configuration

• VMware Identity Manager Demo

• VMware Identity Manager Documentation

• VMware Identity Manager Integrations Documentation

• VMware Identity Manager OVA file download

• VMware Identity Manager overview

• VMware Identity Manager Product Page

• VMware Knowledge Base

• Enabling VMware ThinApp virtual appliances for Horizon Application Manager with the relink command (2021928) (VMware knowledge base article)

• VMware Product Evaluation

• VMware Product Guide

• VMware Product Interoperability Matrices

• VMware self-help resources

• VMware technical white papers

• VMware vCenter resources

• VMware vSphere overview

• VMware vSphere documentation

• VMware vSphere resources

• VMware Workspace Portal Rename / Product Transition FAQs

• VMware Workspace Portal – End of Availability


Appendix: Terminology Used in This Guide

The following terms are used in this guide:

Application store – The UI framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.

Catalog – The VMware Identity Manager UI that displays virtual desktops and applications available to users and administrators.

Cloud – A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.

Federated identity management – The combined set of all individual security access measures, providing complex and customized authentication to enterprise resources.

Identity provider (IdP) – A mechanism used in an SSO framework to automatically give a user access to a resource based on their authentication to a different resource.

One-touch login – A mechanism that provides SSO from an authorized device to enterprise resources.

Virtual appliance – A virtual machine created and configured by VMware to perform a product-based function.

Virtual desktop – The user interface of a virtual machine that has been made available to an end user.

Virtual machine – A software-based computer, running an operating system or application environment, which is located in the data center and backed by the resources of a physical computer.


About the Author and Contributors

This version of the Reviewer’s Guide for On-Premises VMware Identity Manager was updated by Cindy Heyer Carroll, Technical Writer, End-User-Computing Technical Marketing, VMware. Appreciation for and acknowledgement of considerable contributions goes to the following subject-matter experts:

• Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

• Dean Flaming, EUC Architect, End-User-Computing Technical Marketing, VMware

• Joe Rainone, Senior Consultant, End-User-Computing Professional Services Organization, VMware

Previous versions of this Reviewer’s Guide were written by Cynthia Heyer (Cindy Heyer Carroll); Rory Clements, Senior Director, End-User-Computing Solutions Management, VMware; and Muthu Somasundaram, Product Line Marketing Manager, End-User-Computing Solutions Marketing, formerly at VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at [email protected].


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-RG-ONPREMIDENTMGR291-USLTR-20170807-WEB 8/17