Instructions to create a Standard Enclave and connect my network to it

"I am creating an Enclave, connecting it to my network, and then (optionally) inviting another organization to join and use the Enclave."

(If you do not have a Tehama organization account, contact ~~Tehama Support~~ to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)

1. Log in to the Tehama Web UI.
   
   
2. Select the EnclaveS tab in the navigation bar.
   
   
3. Click the NEW button at the top right. The CREATE Enclave dialog will appear.
   
   
4. Select Standard Enclave.
   
   
5. Click CONTINUE. The fields for a Standard Enclave will appear on the dialog.
   
   
6. Enter a name in the Enclave Name field.
   
   
7. Select "Your Organization" in the Connect this Enclave to field.
   
   
8. OPTIONAL:    Check the box beside Create Free Trial Enclave to make this Enclave a "Trial Enclave". If you leave this box unchecked, you will be billed for this Enclave.
   
   
   Note: this option is only visible to those organizations who are eligible for a free trial Enclave. If your organization is not eligible for a free trial Enclave, then you will not see this option, and you will be billed for the Enclave.
   
   The TCU usage within a Trial Enclave is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Enclave is over the number of available Trial TCU credits, then you will be billed for the difference.
   
   
   
9. Select your preferred region in the Region field.
   
   This is the region in which you want this Enclave's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Enclave.
   
   
   Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
   
   
   
10. OPTIONAL:    Check the box beside Include the File Vault in this Enclave to include a File Vault in this Enclave.
    
    
    Note: You can opt to enable/disable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide.)
    
    
    
11. OPTIONAL:    Check the box beside Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
    
    
    Note: This option is only visible if you opted to enable the File Vault in the previous step.
    
    Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Enclave Settings interface.
    
    
    
12. OPTIONAL:    Check the box beside Include the App Vault in this Enclave to include an App Vault in this Enclave.
    
    
    Note: You can opt to enable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable App Vault section in the Enclaves User Guide.
    
    
    
13. Click CONTINUE at the bottom of the CREATE Enclave dialog.
    
    This will start a guided process to configure and create your Enclave and connect it to your organization's network.
    
    Observe that a page has appeared in the Tehama Web UI with your Enclave name and your Enclave description at the top.
    
    This is your Enclave interface page. It is a little empty right now while the Enclave is still being created.
    
    Right now it should be displaying the NETWORK ACCESS CONFIGURATION modal.
    
    
14. On the NETWORK ACCESS CONFIGURATION modal:
    
    Select one of the following three options.
    
    
    • • Multi-Path
        Choose this if you want your Enclave to connect to multiple private networks, or none and also access the internet (as with the other options, constrained by your Enclave's firewall settings and optionally by DNS Filtering).
        
        This option requires you to connect your networks to the Enclave through an IPSec VPN connection.
        
        If you select this option:
        
        
        • Click the CONTINUE button.
        • Proceed to step 15.
    • or
      
      
      • Tehama Gateway
        Choose this if you want your Enclave to connect to one network, your organization's private network, and also access the internet (as with the other options, constrained by your Enclave's firewall settings).
        
        This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
        
        If you select this option:
        
        
        • Click the CONTINUE button.
        • Proceed to step 16.
    • or
      
      
      • Internet only
        Choose this if you only want your Enclave to access the internet, for example to connect to applications and services in the cloud (as with the other options, constrained by your Enclave's firewall settings).
        
        If you select this option:
        
        
        • Proceed to step 17.
    
    
    
15. If you selected Multi-Path as your network access method ...
    
    Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
    
    Proceed as follows:
    
    
    1. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
       
       The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
       
       See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
       
       Initially, you will see a BUILD Enclave INFRASTRUCTURE button.
       
       
    2. Click the BUILD Enclave INFRASTRUCTURE button to build your Enclave's infrastructure.
       
       You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
       
       After clicking on the button, you will see the following Enclave status while the infrastructure is building:
       
       
       • Creating Enclave
       
       After the Enclave has completed building, that status will disappear, and the infrastructure details, like the Enclave IP and ports, will appear, along with lists of the network connections and DNS resolvers in the Enclave.
       
       Initially, the lists of network connections and DNS resolvers on the page will be empty. Without connections, your Enclave will only be able to provide access to the internet (controlled by your Enclave's firewall rules and DNS Filtering).
       
       
    3. Add connections to your private network(s) to your Enclave. See the Multi-Path Enclave - Add and Manage Connections guide for guidance. ^*
       
       
       *If you're not comfortable configuring the Multi-Path IPSec VPN connections in your network yourself and need an IT person to help, you can, in a Standard Enclave, opt to add connections/DNS resolvers until after you have invited another person to your organization, so they can help. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.↩
       
       
       
    4. Add DNS Resolvers to your Enclave. See the Multi-Path Enclave - Add and Manage DNS Resolvers guide for guidance. ^**
       
       
       **Similarly, you can wait for an IT person to help you add DNS resolvers.↩
       
       
       
    5. Proceed to step 18.
    
    
    
16. If you selected Tehama Gateway as your network access method ...
    
    Observe the GATEWAY modal appear on the Enclave interface page.
    
    It has the heading Gateway near the top of the page, followed by the heading Access Key, and the button DONE at the bottom of the modal.
    
    Under the Gateway heading, you will find a text link Show User Guide to the Tehama Gateway - Installation and Management. This guide contains instructions on how to install a Tehama Gateway in your private network.
    
    Under the Access Key heading, you will find the Access Key for your Enclave, ready to be copied, downloaded or regenerated. The Access Key is required to connect the Gateway to your Enclave.
    
    Proceed as follows:
    
    
    1. Install a Tehama Gateway in your private network, and connect it to your Enclave, using one of the following installation methods: ^*
       
       You will incur the cost of the Enclave when you connect a Tehama Gateway to it, causing the Enclave's infrastructure to begin building.
       
       
       • Install the Tehama Gateway from an AWS AMI
       • Install the Tehama Gateway from an automated-script
       • Install the Tehama Gateway using Docker
       
       When these instructions tell you retrieve the Access Key, copy or download it from the GATEWAY modal.
       
       
       * Note that if you're just trying out Tehama you can just install the Tehama Gateway in a temporary location and have your IT people move it later.
       
       If you're not comfortable installing the Tehama Gateway yourself and need an IT person to help, you can, in a Standard Enclave, opt to delay the installation of the Tehama Gateway until after you have invited another person to your organization, so they can help. Just click DONE to move on. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.↩
       
       
         Tehama Gateway Network Limitations
       Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
       If you have the following situation:

       • the Tehama Gateway is on a supported network; and
       • a resource is on the 172.31.x.x network

       then a workaround would be to create a NAT on the network to NAT the address of the resource to an address that Tehama can see, like 10.x.x.x or something similar.
    2. Click DONE.
       
       Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
       
       
    3. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
       
       The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
       
       See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
       
       Your Enclave status will be one of the following, depending on how far along your gateway installation is:
       
       
       • Pending Gateway Connection, while waiting for your installed gateway to attempt a connection.
       • Creating Enclave, while the Enclave's infrastructure is building, triggered by the first gateway connection attempt it receives.
       • Connected, after the Enclave's infrastructure has completed building, and a successful gateway connection has been made.
       
       
         Note on the Multiple Gateways Feature:

       • The 'Multiple Gateways' feature provides redundancy for an Enclave's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Enclave Managers who are members of the Enclave who are members of the organization that owns the Enclave (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Enclave.
       After your Enclave is successfully built and connected to a Tehama Gateway, you can choose to enable the 'Multiple Gateways' option (see sidebar note) and install and connect a second gateway. Follow the same gateway installation instructions found in step a, above.
       
       Note: The Access Key asked for by the installation instructions in step a is now available from this STATUS page, through the View or Regenerate link. Use the same Access Key for both your primary gateway and, if you choose to install one, your second gateway.
       
       
       Observe that your Enclave interface page will sprout another tab: CONFIGURE(You may need to refresh your browser page to see it.)
       
       See the Tehama Gateway Enclave Connectivity User Guide for more information about Enclaves with this network access type.
       
       
    4. Proceed to step 18.
    
    
    
17. If you selected Internet Only as your network access method ...
    
    Observe a new checkbox appear on the NETWORK ACCESS CONFIGURATION modal, with the text:
    
    
    • Build Enclave when finish button is pressed
    
    and notice the text on the button at the bottom of the modal is now FINISH, instead of CONTINUE.
    
    Proceed as follows:
    
    
    1. Decide whether or not to build the Enclave at this time.
       
       You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
       
       
       • • Leave the checkmark in place beside Build Enclave when finish button is pressed, if you are willing to accept responsibility for the cost of the Enclave at this point. Clicking FINISH when this checkbox is checked will cause the Enclave's infrastructure to begin building.
         or
         • Click in the checkbox to remove the checkmark, if you want to delay the creation of the Enclave. You can initiate the build of the Enclave's infrastructure from the Enclave's STATUS page at a later time.
       
       
       
    2. Click FINISH.
       
       Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
       
       
    3. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
       
       The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
       
       See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
       
       
       Note: If you did not opt to build the Enclave in step a, you will see a BUILD button.
       
       

       • Click the BUILD Enclave INFRASTRUCTURE button to build your Enclave's infrastructure.
         
         You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
       
       While the Enclave is building, you will see the following Enclave status:
       
       
       • Creating Enclave
       
       After the Enclave has completed building, you will see the following Enclave status:
       
       
       • Built
       
       After the Enclave has completed building, the page will display the Enclave INFORMATION, including infrastructure details, like the Enclave IP and ports.
       
       Observe that your Enclave interface page will sprout another tab: CONFIGURE(You may need to refresh your browser page to see it.)
       
       See the Internet-Only Enclave Connectivity User Guide for more information about Enclaves with this network access type.
    
    
    
18. OPTIONAL: Configure your Enclave and Desktop settings.
    
    You will need to configure your Enclave and Desktop settings to provide, or deny, your users access to Tehama features. Settings include access to Tehama features like Windows or Linux Desktops, or Desktop session recordings.
    
    You can choose to do this later.
    
    Navigate to the Enclave's SETTINGS page:
    
    
    1. Click on the Enclave's CONFIGURE tab.
    2. Select the SETTINGS sidebar item
    3. Proceed to configure the settings in your Enclave as desired.
       • set the Desktop idle session timeout.
       • enable/disable the Multi-Gateway feature.
       • enable/disable Linux Desktops.
       • enable/disable Windows Desktops.
       • enable/disable Desktop session recordings.
       • enable/disable the App Vault. You may have already configured this when you created your Enclave.
       • enable/disable the File Vault. You may have already configured this when you created your Enclave.
    
    
    You can find instructions for configuring your Enclave settings in the Enclave Desktop Settings section and in the Enclave Feature Settings section in the Enclaves User Guide.
    
    

You have now created an Enclave, connected your network to it, and, optionally, configured your Enclave settings.

Your organization is both the Enclave's owner organization and its connected organization (owner+connected). See the Roles User Guide for more information on organization roles in Enclaves.

More information on Enclaves can be found in the Enclaves User Guide.

Be sure to continue getting started with the Getting Started with Tehama Administration Guide.

Instructions to create a Domain Join Enclave and connect my network to it

"I am creating an Enclave, connecting it to my organization's network, and then connecting my network's domain to the Enclave."

(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)

Before starting, read through the Domain Join Enclave Requirements and Limitations.

1. Log in to the Tehama Web UI.
   
   
2. Select the EnclaveS tab in the navigation bar.
   
   
3. Click the NEW button at the top right. The CREATE Enclave dialog will appear.
   
   
4. Select Domain Join Enclave.
   • By default, the ability to create a Domain Join Enclave is disabled. Click on the text "submit a request ticket" found under the Domain Join Enclave option in the CREATE Enclave dialog to submit a ticket to Tehama Support. Express your wish to create a Domain Join Enclave in the ticket. Tehama Support will enable the feature and assist you through the Enclave creation process.
     
     
5. Click CONTINUE. The Create Enclave page will appear with the fields for a Domain Join Enclave.
   
   
6. Enter a name in the Enclave Name field.
   
   
7. Select your preferred region in the Region field.
   
   This is the region in which you want this Enclave's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Enclave.
   
   
   Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
   
   
   
8. OPTIONAL:    Check the box beside Include the File Vault in this Enclave to include a File Vault in this Enclave.
   
   
   Note: You can opt to enable/disable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide.)
   
   
   
9. OPTIONAL:    Check the box beside Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
   
   
   Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Enclave Settings interface.
   
   
   
10. OPTIONAL:    Check the box beside Include the App Vault in this Enclave to include an App Vault in this Enclave.
    
    
    Note: You can opt to enable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable App Vault section in the Enclaves User Guide.
    
    
    
11. Click CREATE at the bottom of the CREATE Enclave page. You will see the Enclave Status page.
    
    This will start a guided process to configure and create your Enclave and connect it to your organization's network.
    
    
12. Establish a Gateway Connection:
    
    The Enclave Status page gives you the information you need to install a Gateway in your private network.
    
    Here you will find the Access Key for your Enclave, ready to be regenerated, downloaded or copied. The Access Key is required to connect the Gateway to your Enclave.
    
    
    1. Use one of the following installation methods to install your gateway
       
       
         Tehama Gateway Network Limitations
       Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
       If you have the following situation:

       • the Tehama Gateway is on a supported network; and
       • a resource is on the 172.31.x.x network

       then a workaround would be to create a NAT on the network to NAT the address of the resource to an address that Tehama can see, like 10.x.x.x or something similar.
       • Install the Tehama Gateway from an AWS AMI
       • Install the Tehama Gateway from an automated-script
       • Install the Tehama Gateway using Docker
       
       Connecting a Tehama Gateway to your new Enclave will cause your new Enclave's infrastructure to begin building.
       
       You will incur the cost of the Enclave when you connect it to a Tehama Gateway, causing the Enclave's infrastructure to begin building.
       
       
       
    2. Configure your network firewall (assuming your network has one) to open access in your network's Domain Controller(s) (DC) to the list of ports found in section Ports to open for Enclave to DC communication of the Enclave Domain Join User Guide, so that the Domain Join components in your Tehaman Enclave can communicate with your DC(s) (via the Gateway).
       
       
    NOTE: Tehama denies all UDP traffic apart from DNS lookup to internet destinations not controlled by the gateway, by default. Override in your Enclave's firewall settings if necessary.
    
    
    
13. Click CONNECT. The Enclave Status page will display the status and the Enclave connection information.
    
    Through the lifetime of your Enclave, you will be able to access this page by clicking on the Enclave's CONNECTION tab, then selecting the STATUS sidebar item to navigate to what is now the Enclave's STATUS page.
    
    At this point your Enclave status should be one of the following:
    
    
    • Pending Gateway Connection (yellow); or
    • Connected (green).
    
    When you see the Enclave Status turn Connected (green), it means that your Enclave infrastructure has built and the Enclave is connected to your Tehama Gateway. Wait until the Enclave Status is green before proceeding to the next step.
    
    
      Note on the Multiple Gateways Feature:

    • The 'Multiple Gateways' feature provides redundancy for an Enclave's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Enclave Managers who are members of the Enclave who are members of the organization that owns the Enclave (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Enclave.
    From the STATUS page, you can both monitor your Enclave's status and configure your network access.
    
    You can regenerate the Enclave's access key.
    
    You can enable/disable the 'Multiple Gateways' option (see sidebar note).
    
    You can trigger automated Gateway version updates (if an update is available).
    
    See the Enclave/Desktops Connectivity - Types, Status and Settings guide for help.
    
    
    This page also provides you with the opportunity to configure the "Domain Information" for the Enclave. This important step sets up the Trust between your network's domain and your Tehaman Enclave. Continue to the next step to begin setting up the Trust.
    
    
14. Click CONNECT TO DOMAIN. You will see the Connect to Domain page.
    
    
15. Enter your network's domain information in the following fields:
    
    
    • Domain name e.g.: name.tehama.io
    • Search basee.g.: DN=Users,DC=onprem,DC=com
    • Admin account name e.g.: myadminuser
    • Admin account password e.g.: adminpassw0rd
    • Service account name e.g.: myserviceuser
    • Service account passworde.g.: servicepassw0rd
      
      
16. Click CONNECT. Your Enclave will connect to your network's domain.
    
    
    Note: You will not be able to perform any Enclave administration, such as adding members or creating/assigning Desktop templates, while you are waiting for the Enclave to connect to your domain.
    
    
    
17. Observe that the navigation bar will have changed to display: EnclaveS -> <your Enclave name> Your Enclave interface page will sprout four tabs (in addition to the CONNECTION tab already present), MEMBERS, CONFIGURE, AUDIT and CONDITIONS OF USE.
    
    
18. Click on the Enclave's CONFIGURE tab, then select the SETTINGS sidebar item to navigate to the Enclave's SETTINGS page. This page shows your Enclave's settings. Proceed to configure the settings in your Enclave as desired.
    
    
    You can find instructions for configuring your Enclave settings in the Enclave Desktop Settings section and in the Enclave Feature Settings section in the Enclaves User Guide.

You have now created an Enclave, connected your network to it and connected it to your network's domain. Your organization is both the Enclave's owner organization and its connected organization (owner+connected). See the Roles User Guide for more information on organization roles in Enclaves.

More information on Enclaves can be found in the Enclaves User Guide.

More information on Domain Join Enclaves can be found in the Enclave Domain Join User Guide.

Be sure to continue getting started with the Getting Started with Tehama Administration Guide.

Instructions to create a Service-provider Enclave

"I'm creating an Enclave and requesting another organization, my service-consumer, to connect it to their network."

(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)

1. Log in to the Tehama Web UI.
   
   
2. Select the EnclaveS tab in the navigation bar.
   
   
3. Click the NEW button at the top right. The CREATE Enclave dialog will appear.
   
   
4. Select Standard Enclave.
   
   
5. Click CONTINUE. The fields for a Standard Enclave will appear on the dialog. (a Service-provider Enclave is a special case of a Standard Enclave.)
   
   
6. Enter a name in the Enclave Name field.
   
   
7. Select "Third-Party Organization (Invite)" in the Connect this Enclave to field.
   
   
8. OPTIONAL:    Check the box beside Create Free Trial Enclave to make this Enclave a "Trial Enclave". If you leave this box unchecked, you will be billed for this Enclave.
   
   
   Note: this option is only visible to those organizations who are eligible for a free trial Enclave. If your organization is not eligible for a free trial Enclave, then you will not see this option, and you will be billed for the Enclave.
   
   The TCU usage within a Trial Enclave is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Enclave is over the number of available Trial TCU credits, then you will be billed for the difference.
   
   
   
9. Select your preferred region in the Region field.
   
   This is the region in which you want this Enclave's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Enclave.
   
   
   Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
   
   
   
10. OPTIONAL:    Check the box beside Include the File Vault in this Enclave to include a File Vault in this Enclave.
    
    
    Note: You can opt to enable/disable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide.)
    
    
    
11. OPTIONAL:    Check the box beside Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
    
    
    Note: This option is only visible if you opted to enable the File Vault in the previous step.
    
    Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable File Vault section in the Enclaves User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Enclave Settings interface.
    
    
    
12. OPTIONAL:    Check the box beside Include the App Vault in this Enclave to include an App Vault in this Enclave.
    
    
    Note: You can opt to enable this Enclave feature after the Enclave is created by contacting Tehama Support for assistance, or through the Enclave Settings interface. See the Enable/Disable App Vault section in the Enclaves User Guide.
    
    
    
13. Click CONTINUE at the bottom of the CREATE Enclave dialog. You will see the ADD ORGANIZATION dialog.
    
    
14. Enter a name in the Organization Name field. (This is the name of the Tehama organization of your service-consumer. This will be the Enclave's connected organization. If they do not have an organization yet, do not worry - the process will guide them in creating one.)
    
    
15. Enter a name in the Contact Name field. (This is the name of the Org Admin user or an Org Manager in your service-consumer's organization. If they do not have an organization yet, just use the name of your contact in the service-consumer's company - they will become the Org Admin in the organization when they create it.)
    
    
16. Enter the email for the contact in the Contact Email field. (This is the email that your contact uses to log in to their organization. Again, if they do not have an organization yet, just use the email your contact provided to you.)
    
    
17. Click SEND. An email invitation will be sent to the connected organization (your service-consumer).
    
    
18. Observe that a page has appeared in the Tehama Web UI with EnclaveS -> <your Enclave name> at the top. You will continue to configure your Enclave on this page. This page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
    
    The MEMBERS tab should be the default selection. You will see the both your organization and your connected organization listed in the page. Note there is a link Resend invitation next to the connected organization's name. Click on this link if you need to resend the invitation.
    
    The CONNECTION tab is where your connected organization will be directed to connect their organization to the Enclave. You can observe their progress connecting to the Enclave on this tab.

You have now created an Enclave and invited another organization to finish configuring it by connecting it to their network. Your organization is the Enclave's owner organization (user-owner). The other organization is (going to be) the Enclave's connected organization (connected-only). See the Roles User Guide for more information on organization roles in Enclaves.

Once the other organization has connected to the Enclave, they will add members to the Enclave. As the owner of the Enclave, you may provision Desktops for them. See Desktops User Guide for more details.

If the other organization has set a 'condition of use' for your organization, you'll be asked to review and accept it.

More information on Enclaves can be found in the Enclaves User Guide.

Be sure to continue getting started with the Getting Started with Tehama Administration Guide.

Instructions to connect a Service-provider Enclave

"I've been invited to connect my network to an Enclave that was created by my service provider."

The steps that led you to this point are as follows:

• You received an email inviting you to connect your organization to an Enclave. This email contains a link.
• You opened this link in a browser; and then either
  • logged in to your existing organization in the Tehama Web UI; or
  • joined Tehama, creating a new user and organization account, which you then logged in to.

Now:

1. You will be presented with an ACCEPT INVITE TO Enclave dialog, asking you to accept the invitation to join and connect to the Enclave. Click I ACCEPT.
   
   
2. Navigate to your organization's EnclaveS tab. You will see the name of the Enclave in your list of Enclaves.
   
   
3. Click on the Enclave name.
   
   This will start a guided process to configure and create your Enclave and, if you so choose, connect it to your organization's network.
   
   Observe that a page has appeared in the Tehama Web UI with your Enclave name and your Enclave description at the top.
   
   This is your Enclave interface page. It is a little empty right now while the Enclave is still being created.
   
   Right now it should be displaying the NETWORK ACCESS CONFIGURATION modal.
   
   
4. On the NETWORK ACCESS CONFIGURATION modal:
   
   Select one of the following three options.
   
   
   • • Multi-Path
       Choose this if you want your Enclave to connect to multiple private networks, or none and also access the internet (as with the other options, constrained by your Enclave's firewall settings and optionally by DNS Filtering).
       
       This option requires you to connect your networks to the Enclave through an IPSec VPN connection.
       
       If you select this option:
       
       
       • Click the CONTINUE button.
       • Proceed to step 5.
   • or
     
     
     • Tehama Gateway
       Choose this if you want your Enclave to connect to one network, your organization's private network, and also access the internet (as with the other options, constrained by your Enclave's firewall settings).
       
       This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
       
       If you select this option:
       
       
       • Click the CONTINUE button.
       • Proceed to step 6.
   • or
     
     
     • Internet only
       Choose this if you only want your Enclave to access the internet, for example to connect to applications and services in the cloud (as with the other options, constrained by your Enclave's firewall settings).
       
       If you select this option:
       
       
       • Proceed to step 7.
   
   
   
5. If you selected Multi-Path as your network access method ...
   
   Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
   
   Proceed as follows:
   
   
   1. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
      
      The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
      
      See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
      
      Initially, you will see a BUILD Enclave INFRASTRUCTURE button.
      
      
   2. Click the BUILD Enclave INFRASTRUCTURE button to build your Enclave's infrastructure.
      
      You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
      
      After clicking on the button, you will see the following Enclave status while the infrastructure is building:
      
      
      • Creating Enclave
      
      After the Enclave has completed building, that status will disappear, and the infrastructure details, like the Enclave IP and ports, will appear, along with lists of the network connections and DNS resolvers in the Enclave.
      
      Initially, the lists of network connections and DNS resolvers on the page will be empty. Without connections, your Enclave will only be able to provide access to the internet (controlled by your Enclave's firewall rules and DNS Filtering).
      
      
   3. Add connections to your private network(s) to your Enclave. See the Multi-Path Enclave - Add and Manage Connections guide for guidance. ^*
      
      
      *If you're not comfortable configuring the Multi-Path IPSec VPN connections in your network yourself and need an IT person to help, you can, in a Standard Enclave, opt to add connections/DNS resolvers until after you have invited another person to your organization, so they can help. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.↩
      
      
      
   4. Add DNS Resolvers to your Enclave. See the Multi-Path Enclave - Add and Manage DNS Resolvers guide for guidance. ^**
      
      
      **Similarly, you can wait for an IT person to help you add DNS resolvers.↩
      
      
      
   5. Proceed to step 8.
   
   
   
6. If you selected Tehama Gateway as your network access method ...
   
   Observe the GATEWAY modal appear on the Enclave interface page.
   
   It has the heading Gateway near the top of the page, followed by the heading Access Key, and the button DONE at the bottom of the modal.
   
   Under the Gateway heading, you will find a text link Show User Guide to the Tehama Gateway - Installation and Management. This guide contains instructions on how to install a Tehama Gateway in your private network.
   
   Under the Access Key heading, you will find the Access Key for your Enclave, ready to be copied, downloaded or regenerated. The Access Key is required to connect the Gateway to your Enclave.
   
   Proceed as follows:
   
   
   1. Install a Tehama Gateway in your private network, and connect it to your Enclave, using one of the following installation methods: ^*
      
      You will incur the cost of the Enclave when you connect a Tehama Gateway to it, causing the Enclave's infrastructure to begin building.
      
      
      • Install the Tehama Gateway from an AWS AMI
      • Install the Tehama Gateway from an automated-script
      • Install the Tehama Gateway using Docker
      
      When these instructions tell you retrieve the Access Key, copy or download it from the GATEWAY modal.
      
      
      * Note that if you're just trying out Tehama you can just install the Tehama Gateway in a temporary location and have your IT people move it later.
      
      If you're not comfortable installing the Tehama Gateway yourself and need an IT person to help, you can, in a Standard Enclave, opt to delay the installation of the Tehama Gateway until after you have invited another person to your organization, so they can help. Just click DONE to move on. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.↩
      
      
        Tehama Gateway Network Limitations
      Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
      If you have the following situation:

      • the Tehama Gateway is on a supported network; and
      • a resource is on the 172.31.x.x network

      then a workaround would be to create a NAT on the network to NAT the address of the resource to an address that Tehama can see, like 10.x.x.x or something similar.
   2. Click DONE.
      
      Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
      
      
   3. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
      
      The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
      
      See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
      
      Your Enclave status will be one of the following, depending on how far along your gateway installation is:
      
      
      • Pending Gateway Connection, while waiting for your installed gateway to attempt a connection.
      • Creating Enclave, while the Enclave's infrastructure is building, triggered by the first gateway connection attempt it receives.
      • Connected, after the Enclave's infrastructure has completed building, and a successful gateway connection has been made.
      
      
        Note on the Multiple Gateways Feature:

      • The 'Multiple Gateways' feature provides redundancy for an Enclave's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Enclave Managers who are members of the Enclave who are members of the organization that owns the Enclave (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Enclave.
      After your Enclave is successfully built and connected to a Tehama Gateway, you can choose to enable the 'Multiple Gateways' option (see sidebar note) and install and connect a second gateway. Follow the same gateway installation instructions found in step a, above.
      
      Note: The Access Key asked for by the installation instructions in step a is now available from this STATUS page, through the View or Regenerate link. Use the same Access Key for both your primary gateway and, if you choose to install one, your second gateway.
      
      
      Observe that your Enclave interface page will sprout another tab: CONFIGURE(You may need to refresh your browser page to see it.)
      
      See the Tehama Gateway Enclave Connectivity User Guide for more information about Enclaves with this network access type.
      
      
   4. Proceed to step 8.
   
   
   
7. If you selected Internet Only as your network access method ...
   
   Observe a new checkbox appear on the NETWORK ACCESS CONFIGURATION modal, with the text:
   
   
   • Build Enclave when finish button is pressed
   
   and notice the text on the button at the bottom of the modal is now FINISH, instead of CONTINUE.
   
   Proceed as follows:
   
   
   1. Decide whether or not to build the Enclave at this time.
      
      You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
      
      
      • • Leave the checkmark in place beside Build Enclave when finish button is pressed, if you are willing to accept responsibility for the cost of the Enclave at this point. Clicking FINISH when this checkbox is checked will cause the Enclave's infrastructure to begin building.
        or
        • Click in the checkbox to remove the checkmark, if you want to delay the creation of the Enclave. You can initiate the build of the Enclave's infrastructure from the Enclave's STATUS page at a later time.
      
      
      
   2. Click FINISH.
      
      Observe that your Enclave interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
      
      
   3. Click on the Enclave's CONNECTION tab, then select the STATUS sidebar item to navigate to the Enclave's STATUS page. You may be directed there automatically.
      
      The purpose of this page is to show your Enclave's infrastructure details and network connection details and status.
      
      See the Enclave/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
      
      
      Note: If you did not opt to build the Enclave in step a, you will see a BUILD button.
      
      

      • Click the BUILD Enclave INFRASTRUCTURE button to build your Enclave's infrastructure.
        
        You will incur the cost of the Enclave when the Enclave's infrastructure begins to build.
      
      While the Enclave is building, you will see the following Enclave status:
      
      
      • Creating Enclave
      
      After the Enclave has completed building, you will see the following Enclave status:
      
      
      • Built
      
      After the Enclave has completed building, the page will display the Enclave INFORMATION, including infrastructure details, like the Enclave IP and ports.
      
      Observe that your Enclave interface page will sprout another tab: CONFIGURE(You may need to refresh your browser page to see it.)
      
      See the Internet-Only Enclave Connectivity User Guide for more information about Enclaves with this network access type.
   
   
   
8. OPTIONAL: Configure your Enclave and Desktop settings.
   
   You will need to configure your Enclave and Desktop settings to provide, or deny, your users access to Tehama features. Settings include access to Tehama features like Windows or Linux Desktops, or Desktop session recordings.
   
   You can choose to do this later.
   
   Navigate to the Enclave's SETTINGS page:
   
   
   1. Click on the Enclave's CONFIGURE tab.
   2. Select the SETTINGS sidebar item
   3. Proceed to configure the settings in your Enclave as desired.
      • set the Desktop idle session timeout.
      • enable/disable the Multi-Gateway feature.
      • enable/disable Linux Desktops.
      • enable/disable Windows Desktops.
      • enable/disable Desktop session recordings.
      • enable/disable the App Vault. You may have already configured this when you created your Enclave.
      • enable/disable the File Vault. You may have already configured this when you created your Enclave.
   
   
   You can find instructions for configuring your Enclave settings in the Enclave Desktop Settings section and in the Enclave Feature Settings section in the Enclaves User Guide.
   
   

You have now connected to an Enclave owned by another organization.

Your organization is the Enclave's connected organization (connected-only). The organization that invited you to connect to the Enclave is the Enclave's owner organization (user+owner). See the Roles User Guide for more information on organization roles in Enclaves.

You can add members of your organization to the Enclave, if desired.

The owner organization can propose some of their organization members become members of the Enclave. You will get notifications to approve them.

The owner organization can then add Desktop templates for the Enclave members (both from your organization and from theirs). See Desktops User Guide for more details.

More information on Enclaves can be found in the Enclaves User Guide.

Be sure to continue getting started with the Getting Started with Tehama Administration Guide.

Instructions to join a Standard or a Service-provider Enclave

"I've been invited to join an Enclave as a third-party organization."

Your organization has been invited to join an Enclave of type Standard or Service-provider.

Your organization will be a "user" organization in the Enclave, with no special privileges.

The steps that led you to this point are as follows:

• You received an email telling you that your organization has been added to an Enclave. This email contains a link.
• You opened this link in a browser; and then either
  • logged in to your existing organization in the Tehama Web UI; or
  • joined Tehama, creating a new user and organization account, which you then logged in to.

Now:

1. Navigate to your organization's EnclaveS tab. You will see the name of the Enclave in your list of Enclaves.
   
   
2. Click on the Enclave name.
   
   
3. If the Enclave's connected organization has set a 'condition of use' for your organization, you'll be asked to review and accept it.
   
   
4. Click the Enclave's MEMBERS tab. (It should be the default selection.) You should see your organization listed. Propose members from your organization to join your Enclave, if desired. NOTE that the connected organization will have to approve them after connecting the Enclave.

You have now joined an Enclave. Your organization is a user organization in the Enclave (user-only). The organization that invited you is the Enclave's connected organization (owner+connected or connected-only). See the Roles User Guide for more information on organization roles in Enclaves.

You may propose members from your organization become members of the Enclave. The Enclave's connected organization will receive notifications to approve them. The owner organization can then add Desktop templates in the Enclave for them (or assign them to existing Desktop templates). See Desktops User Guide for more details.

More information on Enclaves can be found in the Enclaves User Guide.

Be sure to continue getting started with the Getting Started with Tehama Administration Guide.