Introduction to Tehama
If you read only one page before getting started with Tehama, read this one.
First a few key concepts
Tehama's main concepts are organizations, users, Enclaves and Desktops.
An organization is a company's home base in Tehama.
An organization contains Enclaves. Enclaves contain Desktops.
Users are members of organizations, and members of Enclaves within their organizations, and are assigned to Desktops within those Enclaves.
An Enclave manages access to a subset of the resources and assets in your company's network. An Enclave determines both what resources and assets can be accessed from its Desktops and who can access those resources and assets.
Desktops are secure virtual machines that have access to a subset of the resources and assets in your company's network, as determined by the Enclave they belong to. Users connect to and perform their work on their assigned Desktops.
Organization
Organizations are the main account concept. An organization is generally created by and maps to a single company.
Think of your Tehama organization as your company's home office. All your employees log into your organization to do their work, just as they would come into the office.
Large enterprises may want to create more than one organization in order to have separate billing but let's not worry about that for now.
Organization members
Organizations have a group of users that are called the organization's 'members'. These are users that have been invited and are trusted by the organization. Each member is given an organization role. There are four predefined roles: "Org Admin", "Org Manager", "Enclave Manager" and "Staff". Alternatively, a custom role can be defined to suit the specific needs of your users. An organization member's role controls what they can do on behalf of the organization and within an Enclave. A member's role can be changed as circumstances require.
An organization has only one member with the "Org Administrator" role, usually abbreviated to "Org Admin". This member has full responsibility and control over the organization. The first person from your company to be invited into the organization creates both the organization account and a user account, and automatically becomes the Org Admin. The Org Admin user can "step down" by selecting another organization member to become the new Org Admin. (The old Org Admin becomes an Org Manager.)
An organization can have multiple "Org Managers", invited by the Org Admin or by other Org Managers. These members can perform most of the actions that the Org Admin user can, except for a few things, such as viewing usage details.
An organization can also have multiple "Enclave Managers", invited by the Org Admin or by Org Managers. These members can perform most of the actions that Org Managers can, but only within Enclaves in the organization that they are members of.
All other members in an organization are "Staff" members, invited by the Org Admin or by Org/Enclave Managers.
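The invitation, step-down and Enclave-scoping rules above can be checked mechanically. The following is an added example, not Tehama's own code: a small model of those rules (user and Enclave names are constructed) that enforces who may invite whom, keeps exactly one Org Admin through a step-down, and limits Enclave Managers to Enclaves they are members of.

```python
# Added example (not Tehama's code): a model of the organization-role rules described above.
from dataclasses import dataclass, field

ORG_ADMIN, ORG_MANAGER, ENCLAVE_MANAGER, STAFF = "Org Admin", "Org Manager", "Enclave Manager", "Staff"

# Who may invite a member into each role, as stated on this page:
#   Org Managers      -> invited by the Org Admin or Org Managers
#   Enclave Managers  -> invited by the Org Admin or Org Managers
#   Staff             -> invited by the Org Admin, Org Managers or Enclave Managers
INVITERS = {
    ORG_MANAGER: {ORG_ADMIN, ORG_MANAGER},
    ENCLAVE_MANAGER: {ORG_ADMIN, ORG_MANAGER},
    STAFF: {ORG_ADMIN, ORG_MANAGER, ENCLAVE_MANAGER},
}

@dataclass
class Organization:
    admin: str                                    # exactly one Org Admin at any time
    roles: dict = field(default_factory=dict)     # user -> role
    enclaves: dict = field(default_factory=dict)  # enclave name -> set of member users

    def __post_init__(self):
        self.roles[self.admin] = ORG_ADMIN

    def invite(self, inviter, invitee, role):
        """Add invitee with the given role, if the inviter's role is allowed to invite it."""
        if role == ORG_ADMIN:
            raise PermissionError("the Org Admin role is handed over by step-down, never by invitation")
        if self.roles.get(inviter) not in INVITERS[role]:
            raise PermissionError(f"{inviter} ({self.roles.get(inviter)}) cannot invite a {role}")
        self.roles[invitee] = role

    def step_down(self, current_admin, new_admin):
        """The Org Admin hands the role to another member; the old Org Admin becomes an Org Manager."""
        if self.roles.get(current_admin) != ORG_ADMIN or new_admin not in self.roles:
            raise PermissionError("only the current Org Admin may step down, and only to an existing member")
        self.roles[current_admin] = ORG_MANAGER
        self.roles[new_admin] = ORG_ADMIN
        self.admin = new_admin

    def can_manage_enclave(self, user, enclave):
        """Org Admin and Org Managers act in any Enclave; Enclave Managers only in Enclaves they belong to."""
        role = self.roles.get(user)
        if role in (ORG_ADMIN, ORG_MANAGER):
            return True
        return role == ENCLAVE_MANAGER and user in self.enclaves.get(enclave, set())

    def admin_count(self):
        """Invariant check: the organization must always have exactly one Org Admin."""
        return list(self.roles.values()).count(ORG_ADMIN)
```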
Organization Enclaves
An organization contains Enclaves. As stated above, an Enclave manages access to the resources and assets, both private and public, that will be worked on through the Enclave's Desktops. See more on Enclaves below.
Organization Auditing
An organization can keep track of its members, its Enclaves, and their Desktops through the Activity Stream, an audit trail of events, and through filterable and downloadable Reports which provide an overview of your organization.
Organization Settings
An organization has settings that let you configure your Tehama experience, including your authentication strategy, your support plan and your Enclave policies. You can also set up webhooks to send events that occur in your organization to an external log tool, like Splunk.
User/Member
Everyone with a Tehama login ID is a user. Once you are invited to join Tehama, you will be asked to complete your personal profile as one of the first steps. A user is always a member of an organization. (If an individual needs to belong to more than one organization, they should use a unique login ID for each organization.)
A user belongs to Enclaves within their organization. A user in an Enclave is called an 'Enclave member'. Users don't have to be an Enclave member, but most are.
Users are assigned to Desktops in their Enclaves. They connect to these Desktops, from Tehama, to perform their work.
Enclave
An Enclave is the most important concept in Tehama. It enables an organization to easily create a secure and audited virtual private extension of a network in which remote people work. Essentially, an Enclave manages access to the resources and assets in your company's network. An Enclave determines both what resources and assets can be accessed from its Desktops and who can access those resources and assets.
We sometimes call this a cleanroom, since it's a good analogy. You can create an Enclave for your remote workforce, configuring the Enclave to give your workers the access to your network that they require. Alternately, you can create an Enclave to use for a research project, configuring the Enclave to limit access to only those workers who are approved to work on the project, and to isolate it from the main part of your network. There are many possibilities.
An Enclave is a container with a set of tools and services running within it. Examples of these include Desktops, Firewall Rules, DNS Filtering, Secrets Vault, File Vault, App Vault and Auditing Applications. The only way the services and tools can discover the resources available is through the connection the Enclave provides.
An Enclave is connected to a network, either a private network or a public network (e.g., resources in the cloud).
For private networks, this connection is achieved by establishing an IPSec connection between your Enclave and your private network. This kind of network access is referred to as 'Multi-Path'. It allows multiple connections from multiple private networks to your Enclave. (Note: firewalls in private networks must be opened up sufficiently for connectivity to be established.)
For public networks (e.g., access to resources in the cloud), access is also achieved through the 'Multi-Path' network access type: simply make this your Enclave's network access type and do not add any connections.
For both public and private network access, configure what exactly can be accessed via the Enclave's firewall rules, DNS Filtering and secrets vault.
There are two distinct sets of responsibilities in an Enclave:
- The Enclave's "owner" responsibilities. The organization that creates the Enclave takes on the "owner" responsibilities. The organization agrees to pay for the Enclave and has control over what services/tools (like Desktops) are provisioned into the Enclave.
- The Enclave's "connected" or "access owner" responsibilities. The organization that connects their company's public or private network to the Enclave takes on the "connected" responsibilities. The organization controls which other organizations and which members have access to the Enclave and what assets are accessible through this Enclave. This organization is in charge of configuring and maintaining Multi-Path IPSec connection(s) between the Enclave and their private network(s). They also maintain the Enclave's firewall rules, DNS Filtering and secrets vault.
In most Tehama Enclaves, one organization handles both sets of responsibilities.
The Service-provider Enclave type described in the Getting Started Guide is an example of an Enclave with two organizations that split these responsibilities between them.
An organization can also join an Enclave as an Enclave "user" organization. An Enclave "user" organization's members can use the Enclave, with permission, to work on Desktops they are assigned to, but the organization has no responsibilities in the Enclave.
Desktop
A Tehama Desktop is a virtual computer that is hosted in an Enclave. It is a workspace from which you can securely work with assets of the connected organization for the Enclave - the rules the connected organization puts in place in the Enclave define what assets are available from its Desktops. Desktops are either Windows-based or Linux-based.
Desktops can be spun up when needed and removed when you no longer need them.
Users connect to their Desktops securely through the Tehama Web UI - a quick and easy process. Each period a user is logged in to a Desktop is called a Desktop session. Tehama provides the ability for your Org and Enclave Managers to audit each session. The start time and duration of each session is readily available in the Activity Stream. The sessions can be viewed live, and, if you enable the option, recordings of the session are available after the fact.
Image of Tehama Organizations, Members and Enclaves with Multi-Path connectivity
Next some basic components
Tehama has the following basic components for you to interact with.
Tehama Web UI
The Tehama Web UI provides an intuitive user interface for Organization/Enclave/Desktop administration tasks and also provides a secure access point from which users connect to their Desktops.
Access the Tehama Web UI from a browser.
Tehama Client
The Tehama Client is a desktop application that lives on the computer from which you connect to your virtual Tehama Desktop sessions. Its purpose is to launch and host these sessions.
(The Tehama Client uses HP PCoIP technology.)
Windows App / Remote Desktop Application
Both are desktop applications that live on the computer from which you connect to your Tehama Azure Desktop sessions; you can use either one. Their purpose is to launch and host these sessions.
(The Windows App / Remote Desktop Application uses Microsoft RDP technology.)
Now that you understand the key concepts and have some idea of the basic components involved, let's Get Started!