VMware Workspace ONE Cloud-Based Reference Architecture
A VMware Workspace ONE® design uses several complementary components and provides a variety of highly available services to address the identified use cases. Before we can assemble and integrate these components to form the desired service, we first need to design and build the infrastructure required.
The components in Workspace ONE, such as VMware Identity Manager™, VMware Workspace ONE® UEM (powered by VMware AirWatch®), and VMware Horizon® are available as on-premises and cloud-hosted products.
For this reference architecture, the approach taken is to use the cloud-hosted offerings of VMware Identity Manager and Workspace ONE UEM (AirWatch) and to utilize VMware Horizon® Cloud Service™ on Microsoft Azure.
Workspace ONE Logical Architecture
The Workspace ONE platform is composed of VMware Identity Manager and Workspace ONE UEM. Although each product can operate independently, integrating them is what enables the Workspace ONE product to function.
VMware Identity Manager and Workspace ONE UEM provide tight integration between identity and device management. This integration has been simplified in recent versions to ensure that configuration of each product is relatively straightforward.
Although VMware Identity Manager and Workspace ONE UEM are the core components in a Workspace ONE deployment, you can deploy a variety of other components, depending on your business use cases. For example, and as shown in the following figure, you can use VMware Unified Access Gateway™ to provide the VMware Workspace ONE® Tunnel or VPN-based access to on-premises resources.
For more information about the full range of components that might apply to a deployment, refer to the .
Figure: Sample Logical Architecture of a Workspace ONE Deployment Using Horizon Cloud Service on Microsoft Azure
Following is a description of the components shown in the Workspace ONE architecture diagram:
- VMware Workspace ONE UEM SaaS tenant – Cloud-hosted instance of the Workspace ONE UEM service. Workspace ONE UEM acts as the mobile device management (MDM), mobile content management (MCM), and mobile application management (MAM) platform.
- VMware Identity Manager SaaS tenant – Cloud-hosted instance of VMware Identity Manager. VMware Identity Manager acts as an identity provider by syncing with Active Directory to provide SSO across SAML-based applications, VMware Horizon–based apps and desktops, and VMware ThinApp® packaged apps. It is also responsible for enforcing authentication policy based on networks, applications, or platforms.
- Horizon Cloud Control Plane – A control plane that VMware hosts in the cloud for central orchestration and management of VDI desktops, RDSH-published desktops, and RDSH-published applications. Because VMware hosts the service, feature updates and enhancements are consistently provided for a software-as-a-service experience.
- Horizon Cloud Administration Console – The cloud control plane also hosts a common management user interface, which runs in industry-standard browsers. This console provides IT administrators with a single location for management tasks involving user assignments to and management of VDI desktops, RDSH-published desktops, and RDSH-published applications.
- Horizon Cloud Node – VMware software deployed to a supported capacity environment, such as Microsoft Azure cloud. Along with access to the Horizon Cloud Administration Console, the service includes the software necessary to pair the deployed node with the cloud control plane and deliver virtual desktops and applications.
- Workspace ONE native mobile app – OS-specific versions of the native app are available for iOS, Android, and Windows 10. The Workspace ONE app presents a unified application catalog across VMware Identity Manager resources and native mobile apps, allows users to easily find and install enterprise apps, and provides an SSO experience across resource types.
- VMware Enterprise Systems Connector™ – Combination of two different services (the former AirWatch Cloud Connector and VMware Identity Manager Connector) bundled within a single Windows-based installer. The Enterprise Systems Connector connects resources located in different security zones (namely, the DMZ and the LAN).
- AirWatch Cloud Connector (ACC) component – Runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s critical back-end enterprise infrastructure components. Organizations can leverage the benefits of Workspace ONE UEM Mobile Device Management™, running in any configuration, together with those of their existing LDAP, certificate authority, email, and other internal systems.
- VMware Identity Manager Connector component – Performs directory sync and authentication between an on-premises Active Directory and the VMware Identity Manager service. This component is available as either a Windows installer or a Linux-based virtual appliance.
- Secure email gateway – Workspace ONE UEM supports integration with email services, such as Microsoft Exchange, GroupWise, IBM Notes (formerly Lotus Notes), and G Suite (formerly Google Apps for Work). You have three options for integrating email:
- VMware Secure Email Gateway – Requires a server to be configured in the data center.
- PowerShell integration – Communicates directly with Exchange ActiveSync on Exchange 2010 or later or Microsoft Office 365.
- G Suite integration – Integrates directly with the Google Cloud services and does not need additional servers.
- Content integration – The Workspace ONE UEM Mobile Content Management solution helps organizations address the challenge of securely deploying content to a wide variety of devices using a few key actions. An administrator can leverage the Workspace ONE UEM Console to create, sync, or enable a file repository. After configuration, this content deploys to end-user devices with VMware Workspace ONE Content. Access to content can be either read-only or read-write.
- VMware Unified Access Gateway – Virtual appliance that provides secure edge services and allows external access to internal resources.
- Provision of Workspace ONE UEM Per-App Tunnels and the Tunnel Proxy to allow mobile applications secure access to internal services
- Access from Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service
- Reverse proxying of web servers
- Single sign-on access to on-premises legacy web applications by identity bridging from SAML or certificates to Kerberos
- Secure external access to Horizon 7 desktops and applications