Introduction to Tehama
If you read only one page before getting started with Tehama, read this one.
First a few key concepts
Tehama's main concepts are organizations, users, Rooms and Desktops.
An organization is a company's home base in Tehama.
An organization contains Rooms. Rooms contain Desktops.
Users are members of organizations, and members of Rooms within their organizations, and are assigned to Desktops within those Rooms.
A Room manages access to a subset of the resources and assets in your company's network. A Room determines both what resources and assets can be accessed from its Desktops and who can access those resources and assets.
Desktops are secure, virtual machines that have access to a subset of the resources and assets in your company's network, as determined by the Room they belong to. Users connect to and perform their work on their assigned Desktops.
Organizations are the main account concept. An organization is generally created by and maps to a single company.
Think of your Tehama organization as your company's home office. All your employees log into your organization to do their work, just as they would come into the office.
Large enterprises may want to create more than one organization in order to have separate billing but let's not worry about that for now.
Organizations have a group of users that are called the organization's 'members'. These are users that have been invited and are trusted by the organization. Each member is given an organization role. There are four predefined roles - "Org Admin", "Org Manager", "Room Manager", or "Staff". (Coming soon - customized roles that suit your specific needs for your users.) An organization member's role controls what they can do on behalf of the organization and within a Room. A member's role can be changed as circumstances require.
An organization has only one member with the "Org Administrator" role, usually abbreviated to "Org Admin". This member has full responsibility and control over the organization. The first person from your company to be invited into the organization creates both the organization account and a user account and automatically becomes the Org Admin. The Org Admin user can "step down" by selecting another organization member to become the new Org Admin. (The old Org Admin becomes an Org Manager.)
An organization can have multiple "Org Managers", invited by the Org Admin or by other Org Managers. These members can perform most of the actions that the Org Admin can, with a few exceptions such as viewing usage details.
An organization can also have multiple "Room Managers", invited by the Org Admin or by Org Managers. These members can perform most of the actions that Org Managers can, but only within Rooms in the organization that they are members of.
All other members in an organization are "Staff" members, invited by the Org Admin or by Org/Room Managers.
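To make the scoping rules above concrete, here is an added illustrative model of the role hierarchy. It is example code, not Tehama's implementation: the class, the action names and the permission table are assumptions chosen to show the invariants the text states (exactly one Org Admin, Room Managers and Staff confined to Rooms they are members of, and "step down" demoting the old Org Admin to Org Manager).

```python
"""Illustrative model of Tehama's organization roles (added example, not
Tehama's code). Action names and the permission table are assumptions."""
from dataclasses import dataclass, field

ORG_ADMIN, ORG_MANAGER, ROOM_MANAGER, STAFF = "Org Admin", "Org Manager", "Room Manager", "Staff"

# Hypothetical actions and the roles allowed to perform them. The page only
# says Org Managers can do "most" of what the Org Admin can; usage details are
# the one exception it names.
PERMISSIONS = {
    "view_usage": {ORG_ADMIN},
    "invite_member": {ORG_ADMIN, ORG_MANAGER, ROOM_MANAGER},
    "provision_desktop": {ORG_ADMIN, ORG_MANAGER, ROOM_MANAGER},
    "connect_to_assigned_desktop": {ORG_ADMIN, ORG_MANAGER, ROOM_MANAGER, STAFF},
}
# Actions that happen inside a particular Room.
ROOM_SCOPED = {"invite_member", "provision_desktop", "connect_to_assigned_desktop"}


@dataclass
class Organization:
    members: dict[str, str] = field(default_factory=dict)      # login -> role
    rooms: dict[str, set[str]] = field(default_factory=dict)   # room -> member logins

    def add_member(self, login, role):
        # Invariant from the text: an organization has only one Org Admin.
        if role == ORG_ADMIN and ORG_ADMIN in self.members.values():
            raise ValueError("an organization has exactly one Org Admin; use step_down()")
        self.members[login] = role

    def step_down(self, current_admin, successor):
        """The Org Admin hands the role to another member and becomes an Org Manager."""
        if self.members.get(current_admin) != ORG_ADMIN:
            raise PermissionError(f"{current_admin} is not the Org Admin")
        if successor not in self.members:
            raise ValueError("successor must already be an organization member")
        self.members[successor] = ORG_ADMIN
        self.members[current_admin] = ORG_MANAGER

    def can(self, login, action, room=None):
        """Role check, then Room-membership check for Room-scoped roles."""
        role = self.members.get(login)
        if role is None or role not in PERMISSIONS.get(action, set()):
            return False
        if action in ROOM_SCOPED:
            if room is None:
                return False
            # Room Managers act only within Rooms they are members of; Staff
            # likewise only use Rooms they belong to. Org-level roles are not
            # confined to a Room.
            if role in (ROOM_MANAGER, STAFF) and login not in self.rooms.get(room, set()):
                return False
        return True
```

The check is deliberately deny-by-default: an unknown login, an unknown action, or a Room-scoped action with no Room all return False.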
An organization contains Rooms. As stated above, a Room manages access to the resources and assets, both private and public, that will be worked on through the Room's Desktops. See more on Rooms below.
An organization can keep track of its members, its Rooms, and their Desktops through the Activity Stream, an audit trail of events, and through filterable and downloadable Reports which provide an overview of your organization.
An organization has configurable settings that let you configure your Tehama experience, including your authentication strategy, your support plan and your Room policies. You can also set up webhooks to send events that occur in your organization to an external log tool, like Splunk.
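As an added example of the Splunk integration mentioned above, the code below shapes webhook events for Splunk's HTTP Event Collector (HEC). It is not Tehama's code and the page does not document Tehama's webhook schema, so the event fields are constructed for the example; the HEC envelope (`time`, `host`, `source`, `sourcetype`, `event`), the `/services/collector/event` endpoint and the `Splunk <token>` Authorization header are Splunk's documented format.

```python
"""Shape webhook events for Splunk HEC (added example; the sample event
fields are constructed, not Tehama's schema)."""
import json
from datetime import datetime, timezone
from urllib.request import Request

# Constructed sample events as a webhook might deliver them (hypothetical fields).
SAMPLE_EVENTS = [
    {"id": "evt-1001", "type": "desktop.session.started", "occurred_at": "2024-05-01T13:05:00Z",
     "organization": "acme", "room": "research", "user": "carol@acme.example"},
    {"id": "evt-1002", "type": "room.firewall_rule.changed", "occurred_at": "2024-05-01T13:07:30Z",
     "organization": "acme", "room": "research", "user": "bob@acme.example"},
]


def to_hec_event(event, source="tehama-webhook", host="tehama"):
    """Wrap one webhook event in a HEC envelope. The ISO-8601 timestamp is
    converted to epoch seconds so Splunk indexes the event at the time it
    occurred rather than the time the forwarder received it."""
    ts = datetime.strptime(event["occurred_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "time": ts.timestamp(),
        "host": host,
        "source": source,
        "sourcetype": "tehama:" + event["type"],   # one sourcetype per event type
        "event": event,
    }


def hec_request(hec_url, token, events):
    """Build (but do not send) the HEC POST. HEC accepts several JSON objects
    concatenated in one body, so a batch is newline-joined, not a JSON list."""
    body = "\n".join(json.dumps(to_hec_event(e), separators=(",", ":")) for e in events)
    return Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body.encode(),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Send with urllib.request.urlopen(hec_request(...)) once the HEC URL and
    # token are real; the example only prints the prepared body.
    print(hec_request("https://splunk.example:8088", "<hec-token>", SAMPLE_EVENTS).data.decode())
```

Send the request over TLS only, keep the HEC token out of the code (an environment variable or secrets store), and treat the `time` field as authoritative for the audit trail so events delayed in transit still line up with the Activity Stream.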
Everyone with a Tehama login ID is a user. Once you are invited to join Tehama, you will be asked to complete your personal profile as one of the first steps. A user is always a member of an organization. (If an individual needs to belong to more than one organization, they should use a unique login ID for each organization.)
A user belongs to Rooms within their organization. A user in a Room is called a 'Room member'. Users don't have to be Room members, but most are.
Users are assigned to Desktops in their Rooms. They connect to these Desktops, from Tehama, to perform their work.
A Room is the most important concept in Tehama. It enables an organization to easily create a secure and audited virtual private extension of a network in which remote people work. Essentially, a Room manages access to the resources and assets in your company's network. A Room determines both what resources and assets can be accessed from its Desktops and who can access those resources and assets.
We sometimes call this a cleanroom, since it's a good analogy. You can create a Room for your remote workforce, configuring the Room to give your workers the access to your network that they require. Alternately, you can create a Room to use for a research project, configuring the Room to limit access to only those workers who are approved to work on the project, and to isolate it from the main part of your network. There are many possibilities.
A Room is a container with a set of tools and services running within it. Examples of these include Desktops, Firewall Rules, DNS Filtering (in Multi-Path Rooms only), Secrets Vault, File Vault, App Vault and Auditing Applications. The only way the services and tools can discover the resources available is through the connection the Room provides.
A Room is connected to a network, either a private network or a public network (e.g., resources in the cloud).
For private networks, this connection is established in one of two ways:
- by establishing a VPN IPSec connection between your Room and your private network. This kind of network access is referred to as 'Multi-Path'. It allows multiple connections from multiple private networks to your Room. (Note that, as with 'Tehama Gateway' access, firewalls in private networks must be opened up sufficiently for connectivity to be established.)
- or by installing a Tehama Gateway (at least one and optionally two if you go for the 'Multiple Gateways' option) somewhere in the infrastructure of the network being connected to. This Gateway works in conjunction with a Tehama Gateway Service running in the Room. This kind of network access is referred to as 'Tehama Gateway'. (Note that firewalls in private networks must be opened up sufficiently for connectivity to the Tehama Gateway Service to be established.)
For public networks (for example, resources in the cloud), use the 'Multi-Path' network access type and simply do not add any private-network connections. Alternatively, create a Room with the 'Internet Only' access type; note that an 'Internet Only' Room cannot later have connections to private networks added to it.
For both public and private network access, configure what exactly can be accessed via the Room's firewall rules (and, for Multi-Path Rooms, its DNS Filtering) and secrets vault.
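The following added example shows the kind of default-deny allow-list that a Room's firewall rules and (for Multi-Path Rooms) DNS filtering express. The rule syntax, field names and the sample policy are assumptions for illustration, not Tehama's configuration format.

```python
"""Default-deny egress evaluator for a Room (added example; rule format and
policy are assumptions, not Tehama's configuration)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    proto: str        # "tcp", "udp" or "any"
    dst_cidr: str     # destination network
    ports: range      # destination ports (end exclusive)


# Constructed policy: Desktops in this Room may reach one git server and a
# database subnet, nothing else. A deny for a quarantined host comes first so
# it carves out of the broader subnet allow.
ROOM_RULES = [
    Rule("deny",  "tcp", "10.20.0.5/32", range(0, 65536)),    # quarantined host
    Rule("allow", "tcp", "10.20.0.0/24", range(5432, 5433)),  # Postgres subnet
    Rule("allow", "tcp", "10.10.1.7/32", range(22, 23)),      # git over SSH
    Rule("allow", "tcp", "10.10.1.7/32", range(443, 444)),    # git over HTTPS
]

# DNS filtering (Multi-Path Rooms only): names a Desktop may resolve.
ROOM_DNS_ALLOWLIST = {"git.corp.example", "*.pkg.corp.example"}


def evaluate(rules, proto, dst_ip, dst_port):
    """First matching rule wins; no match means deny (default-deny egress)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst_cidr) or dst_port not in r.ports:
            continue
        return r.action == "allow"
    return False


def dns_allowed(allowlist, name):
    """Exact names match themselves; '*.zone' matches subdomains of zone only."""
    name = name.lower().rstrip(".")
    for pattern in allowlist:
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):
                return True
        elif name == pattern:
            return True
    return False


def check_egress(rules, allowlist, proto, dst_ip, dst_port, dns_name=None):
    """A connection is permitted only if both the firewall and, when a name
    was used, the DNS filter allow it; a blocked name never reaches the IP rules."""
    if dns_name is not None and not dns_allowed(allowlist, dns_name):
        return False
    return evaluate(rules, proto, dst_ip, dst_port)
```

Order matters in this model: a narrow deny must precede the allow it carves out of, and anything not listed is dropped, which is the least-privilege posture the Room is meant to enforce.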
There are two distinct sets of responsibilities in a Room:
- The Room's "owner" responsibilities. The organization that creates the Room takes on the "owner" responsibilities. The organization agrees to pay for the Room and has control over what services/tools (like Desktops) are provisioned into the Room.
- The Room's "connected" or "access owner" responsibilities. The organization that connects their company's public or private network to the Room takes on the "connected" responsibilities. The organization controls which other organizations and which members have access to the Room and what assets are accessible through this Room. This organization is in charge of configuring and maintaining Multi-Path VPN IPSec connection(s) between the Room and their private network(s), if they choose the 'Multi-Path' type of Room network access; or of installing and maintaining a Tehama Gateway in their infrastructure/private network, if they choose the 'Tehama Gateway' type of Room network access. They also maintain the Room's firewall rules (and, for Multi-Path Rooms, its DNS Filtering) and secrets vault.
In most Tehama Rooms, one organization handles both sets of responsibilities.
The Service-provider Room type described in the Getting Started Guide is an example of a Room with two organizations that split these responsibilities between them.
An organization can also join a Room as a Room "user" organization. A Room "user" organization's members can use the Room, with permission, to work on Desktops they are assigned to, but the organization has no responsibilities in the Room.
A Tehama Desktop is a virtual computer that is hosted in a Room. It is a workspace from which you can securely work with assets of the connected organization for the Room - the rules the connected organization puts in place in the Room define what assets are available from its Desktops. Desktops are either Windows-based or Linux-based.
Desktops can be spun up when needed and removed when you no longer need them.
Users connect to their Desktops securely through the Tehama Web UI - a quick and easy process. Each period a user is logged in to a Desktop is called a Desktop session. Tehama provides the ability for your Org and Room Managers to audit each session. The start time and duration of each session is readily available in the Activity Stream. The sessions can be viewed live, and, if you enable the option, recordings of the session are available after the fact.
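As an added example of the session review the Activity Stream makes possible, the code below pairs session start and end records, then flags sessions longer than a threshold, sessions still open, and one user holding two overlapping sessions on different Desktops. The record layout is constructed for the example; the page says the stream exposes each session's start time and duration but does not document a schema.

```python
"""Review Desktop sessions from Activity Stream records (added example; the
record layout and sample data are constructed, not Tehama's schema)."""
from datetime import datetime, timedelta

# Constructed sample records: (UTC timestamp, event, user, desktop)
ACTIVITY = [
    ("2024-05-01T08:00:00Z", "session.started", "carol", "desk-01"),
    ("2024-05-01T08:10:00Z", "session.started", "dave",  "desk-02"),
    ("2024-05-01T08:30:00Z", "session.started", "carol", "desk-03"),  # overlaps carol's first
    ("2024-05-01T09:00:00Z", "session.ended",   "carol", "desk-03"),
    ("2024-05-01T20:00:00Z", "session.ended",   "carol", "desk-01"),  # 12-hour session
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sessions(records):
    """Pair start/end events per (user, desktop). End is None if still open."""
    open_, closed = {}, []
    for t, ev, user, desk in sorted(records, key=lambda r: r[0]):
        key = (user, desk)
        if ev == "session.started":
            open_[key] = _ts(t)
        elif ev == "session.ended" and key in open_:
            closed.append((user, desk, open_.pop(key), _ts(t)))
    closed += [(u, d, s, None) for (u, d), s in open_.items()]
    return closed


def findings(records, max_hours=8):
    """Return human-readable findings a Room or Org Manager would follow up on."""
    out = []
    sess = sessions(records)
    for user, desk, start, end in sess:
        if end is None:
            out.append(f"{user}@{desk}: session still open since {start:%H:%M}")
        elif end - start > timedelta(hours=max_hours):
            out.append(f"{user}@{desk}: {end - start} exceeds {max_hours}h")
    # The same user active on two Desktops at once can indicate a shared login.
    for u, d1, s1, e1 in sess:
        for u2, d2, s2, e2 in sess:
            overlap = s2 < (e1 or datetime.max) and s1 < (e2 or datetime.max)
            if u == u2 and d1 < d2 and overlap:
                out.append(f"{u}: concurrent sessions on {d1} and {d2}")
    return out


if __name__ == "__main__":
    for line in findings(ACTIVITY):
        print(line)
```

The duration threshold is a starting point rather than a rule; a session that looks long in one Room may be normal in another, which is why the live view and optional recordings exist for the cases that need a closer look.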
Image of Tehama Organizations, Members and Rooms with Tehama Gateway and Internet-Only connectivity
Image of Tehama Organizations, Members and Rooms with Multi-Path connectivity
Next some basic components
Tehama has the following basic components for you to interact with.
Tehama Web UI
The Tehama Web UI provides an intuitive user interface for Organization/Room/Desktop administration tasks and also provides a secure access point from which users connect to their Desktops.
Access the Tehama Web UI from a browser.
Tehama Gateway
We mentioned the Tehama Gateway in the Room section above. A Tehama Gateway establishes a secure channel between a Tehama Room and the private network of the Room's connected organization. All network traffic from the Room flows through this Gateway. The Gateway is installed in the private network.
Use of a Tehama Gateway instance is only necessary if you want your Room to be able to access the private network of your Room's connected organization (constrained by your Room's firewall settings) through 'Tehama Gateway' network access. An alternative form of private network access is 'Multi-Path' network access, which does not require a gateway, and allows connectivity to multiple private networks from a single Room.
Tehama Client
The Tehama Client is a desktop application that lives on the computer from which you connect to your virtual Tehama Desktop sessions. Its purpose is to launch and host these sessions.
(The Tehama Client uses Teradici PCoIP technology.)
Now that you understand the key concepts and have some idea of the basic components involved, let's Get Started!