Getting started with Tehama Installation
Have you completed the Getting Started with Joining Tehama Guide? If not, please go back and do so before proceeding.
Purpose
This guide provides the basic steps necessary in order to create, configure and connect to a Room running within Tehama Service.
Here are some typical scenarios to help you understand the flexibility provided by Tehama PSM. Choose one that applies best to your situation.
Typical Room creation scenarios
These scenarios result from your organization wanting to create a Room and invite another organization to either complete the configuration of the Room or to join it to deliver services.
- I am a consumer of services and want to create a Room and invite a provider to deliver services where they need access to assets or services running on my infrastructure.
See Creation Scenario #1.
- I am a service provider and I want to invite my consumer to create a Room that I will use to deliver service.
See Creation Scenario #2.
Room Creation Scenario 1:
"I am creating a Room, connecting it to my organization and then inviting another organization to join and use the Room."
(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)
Only the Admin user and Org/Room Managers of an organization can create a Room and connect to it.
- Log in to the Tehama Web UI.
- Select the ROOMS tab in the navigation bar.
- Click the NEW button at the top right. The CREATE ROOM dialog will appear.
- In the CREATE ROOM dialog:
(a) Give the Room a name.
(b) Select Connect this room to --> "Your Organization".
(c) You may opt to select the Create Free Trial Room option. If you leave this option unselected, you will be billed for this Room. (This option is only visible to those organizations who are eligible for a free trial Room. The TCU usage within the Trial Room is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Room is over the number of available Trial TCU credits, then you will be billed for the difference.)
(d) Select Region --> the region in which you want this Room's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Room.
Note: Windows and Linux Desktop specifications with the GPU memory configuration option are not available in all regions. If this is an option you require, read through the list of regions offering GPU in the Desktops User Guide before selecting a region.
(e) Check the box beside Include the File Vault in this room to include a File Vault in this Room. (You can opt to enable/disable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide.)
(f) Check the box beside Include the App Vault in this room to include an App Vault in this Room. (The App Vault (Beta) feature is not yet generally available. It currently has been enabled on a limited set of Tehama organizations. If you do not see this checkbox, then the feature has not been enabled (made available) for your organization. Contact Tehama Support to find out more about the future availability of this feature. See the App Vault User Guide for more information about this new beta feature.)
(g) Click CONTINUE.
This will start a guided process to configure and create your Room and, if you so choose, connect it to your organization's network.
- The Desktop Settings - Network Access Configuration dialog will appear.
(a) Decide whether or not to grant Desktop Administrator privileges to Desktop users.
This is an important question that asks whether you want users of Desktops provisioned in the Room to have admin access to their Desktops. This decision is unfortunately not reversible.
Attention: This setting is a global setting for your Room and will impact ALL Desktop users within your Room, including the Admin user for your organization and users with the Tehama Super Admin role from the Tehama Support team.
- If you wish to grant administrator privileges to Desktop users, place a checkmark beside Give Desktop Administrator Privileges. (Please read the information on the screen carefully before making this decision.)
- If you do not wish to grant administrator privileges to Desktop users, leave the check box blank.
(b) Select one of the options in the Network Access Mode dropdown field.
- You have two options:
- Internet only
Choose this if you only want your Room to connect to applications and services in the cloud (constrained by your Room's firewall settings).
Since the default value for Network Access is 'Tehama Gateway', to choose this option:
- Click on the dropdown Network Access Mode field to open it.
- Select the 'Internet Only' option.
The Status page will change to reflect your choice of 'Internet Only' mode.
NOTE: When network access is set to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.
- or
- Tehama Gateway
Choose this if you want your Room to connect to your organization's private network (as with the 'Internet only' option, constrained by your Room's firewall settings).
This is the default option. You do not have to do anything to choose this option when creating a Room.
This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
- If you selected Internet Only as your network access method ...
You will see a FINISH button and a checkbox giving you the option to build your new Room's infrastructure as soon as you click FINISH. This checkbox is enabled by default.
You will incur the cost of the Room when the Room's infrastructure begins to build.
If you are willing to accept responsibility for the cost of the Room, leave the checkmark in place beside Build room when finish button is pressed. Otherwise, click in the checkbox to remove the checkmark.
Click FINISH to proceed.
Proceed to Room Creation Scenario 1, step eight.
- If you selected Tehama Gateway as your network access method ...
You will see a CONTINUE button. Click the button to proceed.
You will see the Gateway page.
The Gateway page gives you the information you need to install a Gateway in your private network and gives you the access key you will need to connect the Gateway to your Room.
Connecting a Tehama Gateway to your new Room will cause your new Room's infrastructure to begin building.
You will incur the cost of the Room when you connect it to a Tehama Gateway, causing the Room's infrastructure to begin building.
- You can either install/connect the Gateway to your Room now:
- Proceed to install the TEHAMA GATEWAY now using the Tehama Gateway User Guide instructions, which you can access by clicking on the Show User Guide link. Note that if you're just trying out Tehama you can also just install the Tehama Gateway in a temporary location and have your IT people move it later.
NOTE: Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
- or, if you're not comfortable doing that and need an IT person to help:
- Opt to leave installation of the TEHAMA GATEWAY until after you have invited another person to your organization so they can help. See the Organization User Guide if you need help figuring out how to invite someone but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
- Observe that the navigation bar will have changed to display: "ROOMS > your Room name". Your Room interface page will sprout four tabs, MEMBERS, CONNECTION, AUDIT and POLICY.
- Select the STATUS sidebar item in the CONNECTION tab. This page shows your Room's status and its current 'Network Access' selection.
At this point your Room status should be one of the following, depending on the choices you made in the previous step:
- Building or Built (for 'Internet Only' network access mode, if you opted to build above), or
- Pending Gateway Connection or Connected (for 'Tehama Gateway' network access mode).
If you opted not to build your 'Internet Only' Room during the Room creation process, you will not see any Room status. Instead you will see a BUILD button. Click this button to build your Room's infrastructure. You will incur the cost of the Room when the Room's infrastructure begins to build.
From this page you can both monitor your Room's status and configure your network access.
You can change the Room's network access mode between 'Internet Only' and 'Tehama Gateway'.
If your Room's mode is 'Tehama Gateway', you can regenerate the Room's access key, enable/disable the 'Multiple Gateways' option and trigger automated Gateway version updates (if an update is available).
See the Room Connection Status Monitoring/Management User Guide for help.
Note on the Multiple Gateways Feature:
- The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Admin role), Org Managers and Room Managers who are members of the Room and of the organization that owns the Room (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room.
- Click the Room's MEMBERS tab. You should see your organization listed. Add members from your organization to the Room, if desired.
Note: if you created the Room as a user with the Room Manager role, then you will have been automatically added to the Room as a member.
- Click ADD ORGANIZATION and use it to invite your contact from the 3rd party organization.
- Optionally, you can assign a policy for that organization. See the Policies User Guide for details.
You have now created a Room, connected your network to it and invited another organization to use it. Your organization is both the Room's owner organization and its connected organization (owner+connected). The other organization is a user organization in the Room (user-only).
See the Roles User Guide for more information on organization roles in Rooms.
The other organization (the user organization) may request access for individual members. You will get notifications to approve them.
The other organization may also request Desktop templates and you will get notifications to approve them, too. Alternately, as the owner of the Room you may provision Desktops for them. See Desktops User Guide for more details.
- NOTE: You may want to set things up so that you auto approve members in the Room proposed by the other organization. This is tied to the policy you have assigned to the other organization. Click on the Room's MEMBERS tab, then click on the policy for the other organization. You will see the ASSIGN POLICY dialog. Toggle the "Auto approve proposed members" switch to "On". If you don't do this, every member added to the Room by the other organization will result in an approval request. If you do, you are trusting the other organization to add/remove members to the Room.
- ANOTHER NOTE: Did you opt to leave installation of the TEHAMA GATEWAY until after you had invited another person to your organization, so they could help? Direct them to the Room's STATUS page under the CONNECTION tab. They can begin by clicking on the View or Regenerate link in the Access Key field to display the Access Key page. This page has a link to the Tehama Gateway User Guide instructions (Show User Guide) for installing and connecting a Tehama Gateway to your Room, as well as instructions for regenerating the access key.
Once connected, you will have to configure what resources are accessible from the Room. To add secrets go to the SECRETS page under the CONFIGURE tab. See the Secrets User Guide for more details. To manage the Room's firewall go to the FIREWALL RULES page under the CONNECTION tab. See the Firewall Rules User Guide for more details.
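The network notes in the steps above (no Gateway on the 172.31.x.x network, no direct connection to resources on 172.31.x.x, and only DNS over UDP in 'Internet Only' mode) can be checked against a planned Room before anything is built. This is an added example, not Tehama code: the mode strings, the `Resource` type, the sample addresses, and the readings of 172.31.x.x as 172.31.0.0/16 and of "DNS lookup" as UDP port 53 are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the guide's "172.31.x.x network" is read as 172.31.0.0/16.
UNSUPPORTED_NET = ipaddress.ip_network("172.31.0.0/16")
# Explicit RFC 1918 ranges; ipaddress.is_private also covers documentation
# ranges, which would misclassify the constructed public samples below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORT = 53  # Assumption: "DNS lookup" means UDP to port 53.
MODES = ("internet-only", "tehama-gateway")  # hypothetical labels for the two UI options


@dataclass(frozen=True)
class Resource:
    name: str
    address: str   # IP literal of the asset the Room must reach
    protocol: str  # "tcp" or "udp"
    port: int


def check_plan(mode, resources, gateway_ips=()):
    """Return a list of (severity, subject, reason) findings for a planned Room."""
    if mode not in MODES:
        raise ValueError(f"unknown network access mode: {mode!r}")
    findings = []
    if mode == "tehama-gateway":
        if not gateway_ips:
            findings.append(("block", "gateways",
                             "Tehama Gateway mode requires at least one installed Gateway"))
        for ip in gateway_ips:
            if ipaddress.ip_address(ip) in UNSUPPORTED_NET:
                findings.append(("block", f"gateway {ip}",
                                 "Gateway cannot be installed on the 172.31.x.x network"))
    for r in resources:
        addr = ipaddress.ip_address(r.address)
        if addr in UNSUPPORTED_NET:
            findings.append(("warn", r.name,
                             "resource is on 172.31.x.x; Tehama cannot connect to it directly"))
        elif mode == "internet-only" and any(addr in n for n in RFC1918):
            findings.append(("block", r.name,
                             "private address; 'Internet Only' reaches cloud services only"))
        elif mode == "internet-only" and r.protocol == "udp" and r.port != DNS_PORT:
            findings.append(("block", r.name,
                             "'Internet Only' denies UDP other than DNS lookup"))
    return findings


# Constructed sample plans (addresses are illustrative, not from the guide).
SAMPLE_GATEWAY_IPS = ["10.20.0.5", "172.31.4.9"]
SAMPLE_GATEWAY_RESOURCES = [
    Resource("billing-db", "10.20.1.15", "tcp", 5432),
    Resource("legacy-host", "172.31.8.20", "tcp", 22),
]
SAMPLE_INTERNET_RESOURCES = [
    Resource("saas-api", "203.0.113.10", "tcp", 443),
    Resource("ntp", "203.0.113.20", "udp", 123),
    Resource("dns", "203.0.113.53", "udp", 53),
    Resource("intranet", "192.168.1.10", "tcp", 443),
]

if __name__ == "__main__":
    for mode, res, gws in (
        ("tehama-gateway", SAMPLE_GATEWAY_RESOURCES, SAMPLE_GATEWAY_IPS),
        ("internet-only", SAMPLE_INTERNET_RESOURCES, ()),
    ):
        print(mode)
        for severity, subject, reason in check_plan(mode, res, gws):
            print(f"  [{severity}] {subject}: {reason}")
```

The Room's own firewall rules still apply on top of these checks; the script only covers the mode-level notes in this guide.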
More information on Rooms can be found in the Rooms User Guide.
You can now check out the other scenarios in this guide or continue getting started with the Getting Started with Tehama Administration Guide.
Room Creation Scenario 2:
"I'm creating a Room and requesting another organization to connect it to their network."
(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)
Only the Admin user and Org/Room Managers of an organization can create a Room and invite another organization to connect to it.
- Log in to the Tehama Web UI.
- Select the ROOMS tab in the navigation bar.
- Click the NEW button at the top right. The CREATE ROOM dialog will appear.
- In the CREATE ROOM dialog:
(a) Give the Room a name.
(b) Select Connect this room to --> "Third-Party Organization (Invite)".
(c) You may opt to select the Create Free Trial Room option. If you leave this option unselected, you will be billed for this Room. (This option is only visible to those organizations who are eligible for a free trial Room. The TCU usage within the Trial Room is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Room is over the number of available Trial TCU credits, then you will be billed for the difference.)
(d) Select Region --> the region in which you want this Room's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Room.
Note: Windows and Linux Desktop specifications with the GPU memory configuration option are not available in all regions. If this is an option you require, read through the list of regions offering GPU in the Desktops User Guide before selecting a region.
(e) Check the box beside Include the File Vault in this room to include a File Vault in this Room. (You can opt to enable/disable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide.)
(f) Check the box beside Include the App Vault in this room to include an App Vault in this Room. (The App Vault (Beta) feature is not yet generally available. It currently has been enabled on a limited set of Tehama organizations. If you do not see this checkbox, then the feature has not been enabled (made available) for your organization. Contact Tehama Support to find out more about the future availability of this feature. See the App Vault User Guide for more information about this new beta feature.)
(g) Click CONTINUE. You will see the ADD ORGANIZATION dialog.
(h) Fill out the Organization Name, Contact Name and Contact Email. (Note that this can be an organization that already has an account in Tehama or one that does not yet have an account in Tehama. If the organization already has an account, be sure to choose a contact in the organization that is either the Admin user or an Org Manager.)
(i) Click SEND.
You will be directed to the page for your new Room (with "ROOMS > your Room name" displayed in the navigation bar).
- Click the Room's MEMBERS tab. (It should be the default selection.) You should see your organization listed. Propose members from your organization to join your Room, if desired. Note, the other organization will have to approve them after connecting the Room.
Note: if you created the Room as a user with the Room Manager role, then you will have been automatically proposed to the Room as a member.
You have now created a Room and invited another organization to finish configuring it by connecting it to their network. Your organization is the Room's owner organization (user-owner). The other organization is (going to be) the Room's connected organization (connected-only).
See the Roles User Guide for more information on organization roles in Rooms.
Once the other organization has connected to the Room, they may request Desktop templates and you will get notifications to approve them. Alternately, as the owner of the Room you may provision Desktops for them. See Desktops User Guide for more details.
If the other organization has set a policy for your organization, you'll be asked to review and accept it.
You can now check out the other scenarios in this guide or continue getting started with the Getting Started with Tehama Administration Guide.
Typical Room configuration scenarios
These scenarios result from another organization creating a Room definition and inviting you to either complete the configuration of the Room or to join it to deliver services.
- I am a consumer of services and have been invited by my service provider to finish connecting to a Room.
See Configuration Scenario #1.
- I am a service provider and I have been invited to join a Room by my service consumer.
See Configuration Scenario #2.
Room Configuration Scenario 1:
You've been invited to finish connecting a Room, most likely by your service provider.
Only the Admin user and Org Managers of an organization can connect their organization to a Room, having received an invitation to do so from the Room's owner organization.
The steps that led you to this point are as follows:
- You received an email inviting you to connect your organization to a Room. This email contains a link.
- You opened this link in a browser; and then either
- logged in to your existing organization in the Tehama Web UI; or
- joined Tehama, creating a new user and organization account, which you then logged in to.
Now:
- You will be presented with an ACCEPT INVITE TO ROOM dialog, asking you to accept the invitation to join and connect to the Room. Click I ACCEPT.
- Navigate to your organization's ROOMS tab. You will see the name of the Room in your list of Rooms.
- Click on the Room name.
This will start a guided process to configure and create your Room and, if you so choose, connect it to your organization's network.
- The Desktop Settings - Network Access Configuration dialog will appear.
(a) Decide whether or not to grant Desktop Administrator privileges to Desktop users.
This is an important question that asks whether you want users of Desktops provisioned in the Room to have admin access to their Desktops. This decision is unfortunately not reversible.
Attention: This setting is a global setting for your Room and will impact ALL Desktop users within your Room, including the Admin user for your organization and users with the Tehama Super Admin role from the Tehama Support team.
- If you wish to grant administrator privileges to Desktop users, place a checkmark beside Give Desktop Administrator Privileges. (Please read the information on the screen carefully before making this decision.)
- If you do not wish to grant administrator privileges to Desktop users, leave the check box blank.
(b) Select one of the options in the Network Access Mode dropdown field.
- You have two options:
- Internet only
Choose this if you only want your Room to connect to applications and services in the cloud (constrained by your Room's firewall settings).
Since the default value for Network Access is 'Tehama Gateway', to choose this option:
- Click on the dropdown Network Access Mode field to open it.
- Select the 'Internet Only' option.
The Status page will change to reflect your choice of 'Internet Only' mode.
NOTE: When network access is set to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.
- or
- Tehama Gateway
Choose this if you want your Room to connect to your organization's private network (as with the 'Internet only' option, constrained by your Room's firewall settings).
This is the default option. You do not have to do anything to choose this option when creating a Room.
This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
- If you selected Internet Only as your network access method ...
You will see a FINISH button and a checkbox giving you the option to build your new Room's infrastructure as soon as you click FINISH. This checkbox is enabled by default.
You will incur the cost of the Room when the Room's infrastructure begins to build.
If you are willing to accept responsibility for the cost of the Room, leave the checkmark in place beside Build room when finish button is pressed. Otherwise, click in the checkbox to remove the checkmark.
Click FINISH to proceed.
Proceed to Room Configuration Scenario 1, step eight.
- If you selected Tehama Gateway as your network access method ...
You will see a CONTINUE button. Click the button to proceed.
- You will see the Gateway page.
The Gateway page gives you the information you need to install a Gateway in your private network and gives you the access key you will need to connect the Gateway to your Room.
Connecting a Tehama Gateway to your new Room will cause your new Room's infrastructure to begin building.
You will incur the cost of the Room when you connect it to a Tehama Gateway, causing the Room's infrastructure to begin building.
You can either install/connect the Gateway to your Room now:
- Proceed to install the TEHAMA GATEWAY now using the Tehama Gateway User Guide instructions, which you can access by clicking on the Show User Guide link. Note that if you're just trying out Tehama you can also just install the Tehama Gateway in a temporary location and have your IT people move it later.
NOTE: Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
or, if you're not comfortable doing that and need an IT person to help:
- Opt to leave installation of the TEHAMA GATEWAY until after you have invited another person to your organization so they can help. See the Organization User Guide if you need help figuring out how to invite someone but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
Click DONE to proceed.
- Observe that the navigation bar will have changed to display: "ROOMS > your Room name". Your Room's interface will sprout four tabs, MEMBERS, CONNECTION, AUDIT and POLICY.
- Select the STATUS sidebar item in the CONNECTION tab. This page shows your Room's status and its current 'Network Access' selection.
At this point your Room status should be one of the following, depending on the choices you made in the previous step:
- Building or Built (for 'Internet Only' network access mode, if you opted to build above), or
- Pending Gateway Connection or Connected (for 'Tehama Gateway' network access mode).
If you opted not to build your 'Internet Only' Room during the Room creation process, you will not see any Room status. Instead you will see a BUILD button. Click this button to build your Room's infrastructure. You will incur the cost of the Room when the Room's infrastructure begins to build.
From this page you can both monitor your Room's status and configure your network access.
You can change the Room's network access mode between 'Internet Only' and 'Tehama Gateway'.
If your Room's mode is 'Tehama Gateway', you can regenerate the Room's access key, view the 'Multiple Gateways' option's current setting and trigger automated Gateway version updates (if an update is available).
See the Room Connection Status Monitoring/Management User Guide for help.
Note on the Multiple Gateways Feature:
- The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Admin role), Org Managers and Room Managers who are members of the Room and of the organization that owns the Room (which is the organization that invited you to the Room, in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room.
- Click the Room's MEMBERS tab. You should see your organization listed. Add members from your organization to the Room, if desired.
- Optionally, you can click ADD ORGANIZATION and use it to invite a contact from another 3rd party organization that needs to be a user of the Room.
- Also optionally, you can assign a policy for the owner organization (the one that invited you to connect to the Room) and any other organizations (user organizations) in the Room. See the Policies User Guide for details.
You have now connected to a Room owned by another organization. Your organization is the Room's connected organization (connected-only). The organization that invited you to connect to the Room is the Room's owner organization (user+owner). If you opted to invite yet another organization to the Room, that organization would be a user organization in the Room (user-only).
See the Roles User Guide for more information on organization roles in Rooms.
Once the owner organization requests access for individual members, you should get notifications to approve them. (Ditto requests from any user organizations, if you invited any.)
As the connected organization of the Room, but not the owner, you can make requests for Desktops that the owner organization must approve. See Desktops User Guide for more details.
- NOTE: You may want to set things up so that you auto approve members in the Room proposed by the other organization. This is tied to the policy you have assigned to the other organization. Click on the Room's MEMBERS tab, then click on the policy for the other organization. You will see the ASSIGN POLICY dialog. Toggle the "Auto approve proposed members" switch to "On". If you don't do this, every member added to the Room by the other organization will result in an approval request. If you do, you are trusting the other organization to add/remove members to the Room.
- ANOTHER NOTE: Did you opt to leave installation of the TEHAMA GATEWAY until after you had invited another person to your organization, so they could help? Direct them to the Room's STATUS page under the CONNECTION tab. They can begin by clicking on the View or Regenerate link in the Access Key field to display the Access Key page. This page has a link to the Tehama Gateway User Guide instructions (Show User Guide) for installing and connecting a Tehama Gateway to your Room, as well as instructions for regenerating the access key.
Once connected, you will have to configure what resources are accessible from the Room. To add secrets go to the SECRETS page under the CONFIGURE tab. See the Secrets User Guide for more details. To manage the Room's firewall go to the FIREWALL RULES page under the CONNECTION tab. See the Firewall Rules User Guide for more details.
More information on Rooms can be found in the Rooms User Guide.
You can now check out the other scenarios in this guide or continue getting started with the Getting Started with Tehama Administration Guide.
Room Configuration Scenario 2:
Your organization has been invited to join a Room, most likely by your service consumer.
Only the Admin user and Org Managers of an organization can join their organization to a Room, having received an invitation to do so from the Room's connected organization.
The steps that led you to this point are as follows:
- You received an email telling you that your organization has been added to a Room. This email contains a link.
- You opened this link in a browser; and then either
- logged in to your existing organization in the Tehama Web UI; or
- joined Tehama, creating a new user and organization account, which you then logged in to.
Now:
- If the Room's connected organization has set a policy for your organization, you'll be asked to review and accept it.
- Click the Room's MEMBERS tab. (It should be the default selection.) You should see your organization listed. Propose members from your organization to join your Room, if desired. NOTE that the connected organization will have to approve them after connecting the Room.
You have now joined a Room. Your organization is a user organization in the Room (user-only). The organization that invited you is the Room's connected organization (owner+connected or connected-only).
See the Roles User Guide for more information on organization roles in Rooms.
You may optionally request Desktop templates in the Room. See Desktops User Guide for more details.
More information on Rooms can be found in the Rooms User Guide.
You can now check out the other scenarios in this guide or continue getting started with the Getting Started with Tehama Administration Guide.