Identity Manager Cluster

As a follow up on my previous post (see here) I want to focus on how to create an Identity Manager Cluster.

This is my setup:

  • 1 Identity Manager (idm01) in the DMZ, already behind a load balancer.
  • FQDN is changed from to
  • Connectors in the LAN are set up and configured for AD/RADIUS authentication and Horizon integration.

As you can see from the image above, everything is set up except for the Identity Manager cluster. Identity Manager 2 and 3 are not in place yet.

To finalise the highly available setup, the Identity Manager cluster in the DMZ must be created. VMware recommends a 3-node cluster, because Elasticsearch has a known limitation with 2-node clusters. For more info, see here.

To create the cluster, follow these steps:

  1. Create DNS A-record and PTR (reverse lookup) for idm02.
  2. Create DNS A-record and PTR (reverse lookup) for idm03.
  3. Shut down idm01.
  4. Shut down both connectors.
  5. Snapshot idm01 (so you can revert to the current situation in case anything goes wrong).
  6. Back up the SQL database (or shut down and snapshot the SQL server).
  7. Clone idm01 to idm02.
  8. Clone idm01 to idm03.
  9. Start idm01.
  10. Start connector1.
  11. Start connector2.
  12. Wait until idm01 and connectors are fully booted and operational.
  13. Change the IP address and hostname/FQDN of idm02 in the vApp properties of the cloned appliance and power on the VM.
  14. Change the IP address and hostname/FQDN of idm03 in the vApp properties of the cloned appliance and power on the VM.
  15. Check the Elasticsearch cluster by executing this command on each IDM appliance: curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'. All three nodes should be listed as members and the cluster status should be green.
  16. Verify AD and Horizon synchronization (in my case an extra reboot of the connector appliances was needed).
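Step 15 leaves you reading the JSON by eye. The following is an added example (not part of the original post, not VMware code) that evaluates the health response against what a finished 3-node cluster should look like; the response body is a constructed sample in the shape Elasticsearch returns, and the host/port default to the localhost:9200 endpoint used in the step.

```python
import json
import urllib.request

# Constructed sample of a health response from a finished 3-node cluster
# (same field names Elasticsearch returns; the numbers are made up here).
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "horizon", "status": "green", "timed_out": False,
    "number_of_nodes": 3, "number_of_data_nodes": 3,
    "active_primary_shards": 20, "active_shards": 40,
    "relocating_shards": 0, "initializing_shards": 0, "unassigned_shards": 0,
})


def health_url(host="localhost", port=9200):
    """The endpoint from step 15; run on (or tunnelled to) each appliance."""
    return f"http://{host}:{port}/_cluster/health?pretty=true"


def assess_health(body, expected_nodes=3):
    """Return (ok, reasons). ok is True only when every node has joined,
    the status is green and no shards are unassigned. Anything else means
    stop and troubleshoot before trusting the cluster (or revert)."""
    h = json.loads(body)
    reasons = []
    if h.get("timed_out"):
        reasons.append("health call timed out")
    if h.get("status") != "green":
        reasons.append(f"status is {h.get('status')!r}, expected 'green'")
    nodes = h.get("number_of_nodes", 0)
    if nodes != expected_nodes:
        reasons.append(f"{nodes} node(s) in cluster, expected {expected_nodes}")
    if nodes == 2:
        reasons.append("2-node cluster: known Elasticsearch limitation, add the third node")
    if h.get("unassigned_shards", 0):
        reasons.append(f"{h['unassigned_shards']} unassigned shard(s)")
    return (not reasons, reasons)


def fetch_health(host="localhost", timeout=5):
    """Live variant of the curl command; only used when run on an appliance."""
    with urllib.request.urlopen(health_url(host), timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    ok, why = assess_health(SAMPLE_HEALTH)
    print("OK" if ok else "NOT OK: " + "; ".join(why))
```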

In case anything goes wrong and you have to revert:

  • Shut down idm02 and idm03.
  • Revert the snapshot on idm01.


On-Premises VMware Identity Manager Highly Available Architecture in a Single Datacenter

When designing Horizon Apps and VDI environments, VMware Identity Manager is increasingly becoming an essential part of them. It acts as a central portal providing single sign-on access for users to their desktops and applications. Depending on location or permissions, authorisation can be more or less restrictive.

In this blog post I will describe the architecture of VMware Identity Manager as part of a Horizon environment with redundant components in a single datacenter. I decided to write an article about this because I was somewhat confused by the existing documentation and it was difficult to find best practices for this setup. Special thanks go to Peter Bjork (@thepeb), VMware Principal System Engineer and VMware Identity Manager and Unified Access Gateway Specialist, for providing me with the right information and reviewing this document.

The most common use case I come across is this one:

  • Internal users working on thin clients need access to Horizon virtual desktops and applications.
  • Internal users with laptops or workstations want to access their virtual desktops and applications through the Identity Manager user portal.
  • External access to desktops and applications, secured with MFA, should be provided via the same Identity Manager portal.
  • Users connecting from the corporate network authenticate using Active Directory username and password.

In addition to these business needs, another important requirement is that single points of failure (SPOFs) within the datacenter must be eliminated.

High Level architecture

To meet these requirements, the following configuration is needed:

  • Two load-balanced internal connection servers (1 and 2) with SAML authentication set to Allowed.
  • Two load-balanced external connection servers (3 and 4) with SAML authentication set to Required and Workspace ONE mode enabled.
  • Two load-balanced Unified Access Gateways in the DMZ.
  • Three load-balanced Identity Manager appliances in the DMZ with two connectors in the LAN.
  • Two IDM connectors to sync AD users/groups, authenticate users against AD and connect to the RADIUS server for MFA.
  • Internal DNS A-record vdi.corp.local matching the load balancer VIP of the internal connection servers.
  • Internal DNS A-record vdiuag.corp.local matching the load balancer VIP of the external connection servers.
  • Internal DNS A-record (split DNS required) matching the load balancer VIP of the IDM appliances in the DMZ. Both A and PTR records are required.
  • Public DNS A-record for the Unified Access Gateways (UAGs) matching the load balancer VIP of the UAGs.
  • Public DNS A-record for external access to the IDM portal.

The two internal connection servers service requests coming from thin clients and from users working on laptops or workstations on the corporate network. SAML authentication (between IDM and the connection servers) is configured and set to Allowed (not Required). The reason for not requiring SAML is that thin clients access the connection servers directly, bypassing IDM: they authenticate directly to the connection server with their AD username and password. Users working on a laptop or workstation, however, first browse to the IDM portal and start their desktop or application from there. Authentication between IDM and Horizon is SAML.
Both connection servers 1 and 2 are load balanced. Thin clients are configured with the load-balanced URL (vdi.corp.local).

The IDM portal is set up in the DMZ. User sessions from the external network as well as from the internal network all pass via this IDM portal. For HA reasons three appliances are needed.
To set up the IDM cluster the database must be SQL Server; the internal Postgres database is not supported in this scenario. To avoid a SPOF, the SQL database should be hosted on a SQL Server Always On cluster.

Two IDM connectors are installed in the trusted network. These connectors handle AD authentication requests, sync AD users and groups, provide access to the Horizon environment and sync Horizon pools and assignments. Only outbound connections over TCP port 443 occur between these connectors in the trusted network and the IDM appliances in the DMZ. A load balancer in front of the two IDM connectors is not required, unless you are planning on doing Kerberos authentication (which is out of scope here). Also, make sure each IDM node is reachable from both connectors.
On both connectors the PasswordIdpAdapter and RadiusAdapter must be enabled and configured.
In IDM, create an AD Integrated Windows Authentication directory. The connectors bind to AD using this directory. To configure outbound-only mode, associate the connectors with the built-in identity provider.

REMARK: only one connector can do AD sync. If this connector is unavailable, the other connector must be selected manually. Authentication is handled by both connectors.

In IDM two network zones are configured: an internal one and an external one. The connection server URL matching the internal zone is set to vdi.corp.local.
The URL matching the external network zone will be This DNS record must be publicly resolvable.

Two Unified Access Gateways are set up in the DMZ behind the load balancer. These appliances provide external access to the Horizon desktops and applications. IDM redirects requests coming from the external network to the load balancer VIP of the UAGs. Authentication is handled by IDM.
Configure the following URLs on the UAGs:
Connection server URL = vdiuag.corp.local.
Tunnel URL =
Blast External URL =
PCoIP External URL = <public ip>:4172

To force and redirect all external user requests to the IDM portal, you must set SAML authentication to Required on the two external connection servers (3 and 4) and enable Workspace ONE mode. On the UAG appliances set the Horizon URL to vdiuag.corp.local or the load balancer VIP of the external connection servers. As a result, users trying to access the UAG servers ( directly from the Horizon client are redirected to the IDM portal, honouring all authentication requirements such as MFA for external users.

For detailed info on how to configure the different components, see the following links to the VMware documentation:

IDM installation:

IDM connector configuration:

IDM connector high availability configuration:

Configure IDM connector in outbound mode only:

Configure multiple client access URLs:


Sometimes you want to create shortcuts to published applications on endpoints or within a virtual desktop in your VMware Horizon environment.
I already explained how to do this in another blog post.

Currently you can also configure shortcuts from the Horizon Administrator console. For more info, see

The annoying problem with this setup is that, although you configure the Horizon client for SSO (through GPO or registry settings), it still prompts for username and password.

If you want to configure SSO and avoid having users enter their credentials again, follow these steps:

When you start the Horizon client and connect to your published applications, a prefs.txt file is created in "%appdata%\VMware\VMware Horizon View Client". This file saves the connection settings for subsequent logons. By modifying this file and making sure it is in place before the connection is made, SSO can be achieved.
Start the Horizon client for the first time. Add the server name, right-click it and select "Autoconnect to this server". Open %appdata%\VMware\VMware Horizon View Client\prefs.txt and make a note of serverGuid and AutoConnectServerName.

Next we will create a custom prefs.txt file:
Create a new text file and name it prefs.txt.
Copy the lines below to the text file.
Replace the serverGuid and AutoConnectServerName values (and the serverName) with the ones you noted above.

<?xml version="1.0"?>
<RecentServer serverName="yourconnectionserverurl" lastLogInAsCurrentUser="true" serverGuid="a531e098-cb4c-4fe7-af52-5a3a166843e5"></RecentServer>
<LastLoginAsCurrentUser loginAsCurrentUser="true"/>
<AutoConnectServer AutoConnectServerName="yourconnectionserverurl"/>

Copy this file to %appdata%\VMware\VMware Horizon View Client at each user logon (using UEM, a login script or GPO preferences).
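Hand-editing prefs.txt per user is error-prone, so here is an added example (not from the original post, not VMware code) that reads the serverGuid and AutoConnectServerName out of a prefs.txt written by the client, renders the custom file from the template above, and installs it into the profile folder. The SAMPLE_PREFS content is constructed; the GUID is the one from the template, and the profile path defaults to %APPDATA%\VMware\VMware Horizon View Client as in the post.

```python
import os
import re
import uuid
from xml.sax.saxutils import quoteattr

# Constructed sample of a prefs.txt as written by the Horizon client after the
# first manual logon with "Autoconnect to this server" selected.
SAMPLE_PREFS = (
    '<?xml version="1.0"?>\n'
    '<RecentServer serverName="vdi.corp.local" '
    'serverGuid="a531e098-cb4c-4fe7-af52-5a3a166843e5"></RecentServer>\n'
    '<AutoConnectServer AutoConnectServerName="vdi.corp.local"/>\n'
)


def read_noted_values(prefs_text):
    """The 'make a note of serverGuid and AutoConnectServerName' step. The file
    has several top-level elements, so it is not one XML document; a regex per
    attribute is the reliable way to pull the two values out."""
    guid = re.search(r'serverGuid="([^"]+)"', prefs_text)
    name = re.search(r'AutoConnectServerName="([^"]+)"', prefs_text)
    if not (guid and name):
        raise ValueError("prefs.txt lacks serverGuid or AutoConnectServerName")
    return name.group(1), guid.group(1)


def build_prefs(server_name, server_guid):
    """Render the custom prefs.txt from the template: both LogInAsCurrentUser
    flags true so the client reuses the Windows session instead of prompting."""
    uuid.UUID(server_guid)  # reject a mistyped GUID before it reaches users
    name, guid = quoteattr(server_name), quoteattr(server_guid)
    return (
        '<?xml version="1.0"?>\n'
        f'<RecentServer serverName={name} lastLogInAsCurrentUser="true" '
        f'serverGuid={guid}></RecentServer>\n'
        '<LastLoginAsCurrentUser loginAsCurrentUser="true"/>\n'
        f'<AutoConnectServer AutoConnectServerName={name}/>\n'
    )


def install_prefs(content, base_dir=None):
    """Write prefs.txt into the client's profile folder at logon; only rewrites
    when the content differs. Returns the path written."""
    base = base_dir or os.path.join(os.environ.get("APPDATA", ""),
                                    "VMware", "VMware Horizon View Client")
    os.makedirs(base, exist_ok=True)
    path = os.path.join(base, "prefs.txt")
    if not os.path.exists(path) or open(path, encoding="utf-8").read() != content:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return path


if __name__ == "__main__":
    print(build_prefs(*read_noted_values(SAMPLE_PREFS)))
```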