September 30, 2021

It's Time to Upgrade to the Latest Version of the VMware Workspace ONE Access Connector

This post describes the new architecture of the Workspace ONE Access 21.08 connector and how it supports syncing with VMware Horizon and Citrix resources. An overview of the migration process from 19.03 to 21.08 is included, along with a video walk-through of the process.

We are excited to announce the release of version 21.08 of the VMware Workspace ONE Access connector and on-premises Workspace ONE Access appliance, made available earlier this month. The latest version of the Workspace ONE Access connector is an essential tool for both SaaS and on-premises variants of Workspace ONE Access. This connector allows integrating with your on-premises directories, authentication methods, and virtual desktop infrastructure.

New Connector Architecture

Because the functions of the connector are so crucial to any Workspace ONE Access infrastructure, when we released version 20.01 at the beginning of last year, we switched the architecture of the connector from being monolithic, incorporating all functions, to using microservices for each of the functions. This allowed us to rewrite the services for better performance, lower resource consumption, and added flexibility for setting up high availability and redundancy.

One of the important functions that did not make it into last year’s releases was the capability to sync your VMware Horizon and Citrix resources, and this meant that customers were required to stay on the last monolithic release, which was VMware Identity Manager 19.03.01. The end of life for that version got extended to the end of 2021 to allow customers to plan and test the migration to the freshly released architecture with 21.08. Additionally, we changed the way we integrate with RSA SecureID to now leverage a REST API–based integration. We urge everyone to start testing version 21.08 now to be ready when 19.03.01 runs out of support.

The functions are split into the following microservices:

  • Directory Sync service: Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service
  • User Auth service: Provides connector-based authentication methods, including password (cloud deployment), RSA SecurID (cloud deployment), and RADIUS (cloud deployment)
  • Kerberos Auth service: Provides Kerberos authentication for internal users
  • Virtual App service: Syncs virtual apps from VMware Horizon and Citrix deployments to the Workspace ONE Access service

Compatibility with Horizon Cloud Service

Workspace ONE Access cloud tenants and on-premises Workspace ONE Access 21.08 appliances are compatible with the new connector. There are some scenarios that are excluded from the new service, however. If you are using Horizon Cloud on IBM or Horizon Cloud on Microsoft Azure with Single Pod Broker the upgrade is not supported, as described in the document Migrating to VMware Workspace ONE Access Connector 21.08.

Upgrade Dos and Don’ts

To upgrade, customers using any of the 20.x connectors can just install the update on their existing connectors to add the new functionality. Be sure to update all connectors to the latest version because mixed use of 20.x and 21.08 services is not supported.

For the VMware Identity Manager 19.03.01 connector, the migration to Workspace ONE Access 21.08 is a wizard-driven process, which guides you through each required step.

The main upgrade steps and challenges are:

  • Installation of the new connector on the same or preferably a new Windows Server 2012 R2 or later machine
    Important: Both 19.03.01 and 21.08 need to be installed and running at the same time during migration. Do not uninstall 19.03.01 before installing the 21.08 connector.
    Make sure to install the certificate chain (intermediate/root) for any internal Certificate Authority used for your Horizon Connection Server or other endpoints during the connector installation.
  • Migration of the directories synced to Workspace ONE Access and the association of the directory and authentication method with built-in IDPs (identity providers) and Workspace IDPs
    Important: If you added several directories to the built-in IDP, you need to split them into separate IDPs to start the migration.
  • Migration of the virtual apps collections to leverage the new connector for syncing resources
  • Preview stage, which allows you to test out the functionality of the new setup and services and verify that directory sync, virtual apps sync, user authentication, and application launch are working as expected
  • Choice of whether to rollback or complete the migration

The following video walks you through the migration process.


If you want to revert to the old connector for some reason after finishing the migration you can reset the connector selection in Workspace ONE Access and redo the installation and configuration for VMware Identity Manager 19.03.01.

Security Improvements in This Latest Release

The new Workspace ONE Access 21.08 connector is compatible with the Workspace ONE Access Cloud service and the on-premises Workspace ONE Access appliance version 21.08 and later versions only. Besides the new connector support for virtual apps and the RSA SecurID updates, this latest release of Workspace ONE Access brings many security improvements, to adhere to your compliance standards.

  • Encrypted connection to the external database
    You can now add encryption when you configure a Microsoft SQL database for the first time or later. To enable encryption, the Microsoft SQL server must be configured with a root or intermediate certificate.
  • Updated password complexity rules for admin users
    Password complexity rules have changed to incorporate a minimum of 8 characters and password complexity standards.
  • Syslog over TCP or UDP
    Now you can choose between two standard protocols for connecting to Syslog servers: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To use TCP, TLS (Transport Layer Security) must be enabled for data encryption to provide secure communication. TCP over TLS is the default option.
  • Deactivated break-glass URL endpoint by default
    The break-glass URL endpoint, https://<fqdn>.com/SAAS/login/0, allows system domain administrators to authenticate into Workspace ONE Access. To ensure a higher standard of security, this endpoint is deactivated by default, starting in version 21.08. To re-enable this endpoint during emergency situations you can use CLI commands.

Additional Resources

For more information about Workspace ONE Access and the Connector 21.08, you can explore the following resources:

Filter Tags

Horizon Workspace ONE Access Blog Announcement Intermediate Deploy App & Access Management Identity / Access Management Secure Remote Access