Getting started with Tehama Room Creation
Have you completed the Getting Started with Joining Tehama Guide? If not, please go back and do so before proceeding.
Purpose
So far you have joined Tehama, creating your own Tehama organization (if necessary).
This guide provides the basic steps necessary in order to create, configure and connect to a Room running within Tehama Service.
If you need to create a Room:
Read through the Choose a Room type section to help you understand which type of Room to create. Choose the type of Room that applies best to your situation, then proceed to:
- Create and connect a Standard Room;
- Create and connect a Domain Join Room; or
- Create a Service-provider Room
If you have received an invitation to connect a Service-provider Room:
If you have received an invitation to join a Standard or a Service-provider Room:
Choose a Room type
Read through these scenarios and identify which Room type fits your organization's needs:
- Standard Room
There are a couple of use-cases that are best served by a Standard Room:
- Room for a Remote Workforce
"I want a Room that my organization owns and that is connected to my private network (either a physical or an internet-based network). My organization is the primary organization doing work in the Room, though I can invite other organizations to join the Room if I need to."
- Room for a Service Consumer
"I want a Room that my organization owns and that is connected to my private network (either a physical or an internet-based network). I will invite my service provider's organization to join the Room. They will be the primary organization doing work in the Room, though I can invite other organizations to join the Room if I need to."
Network access options: Currently, Standard Rooms support three types of network access:
- 'Multi-Path', which allows you to connect to multiple private networks, or none, and provides access to the internet;
- 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet; and
- 'Internet-Only', which only provides access to the internet.
See Create and connect a Standard Room for instructions to create and connect a Room of this type.
- Domain Join Room
This is the use-case for a Domain Join Room:
- "I want a Room that I own and that is connected to my physical private network, and that is joined to my network's domain, giving read-only access to the domain's objects, such as users and policies, to the Room. The Room's members' Tehama login usernames (email addresses from my network's domain) will be used as the login usernames for the Desktops in the Room to which they are assigned. Policies in my network's domain will be applied automatically to the Desktops in the Room. I require only Desktops of type "Tehama Windows Desktops" and my organization will be the only organization in the Room."
NOTE: Read through the Domain Join Room Requirements and Limitations section in the Room Domain Join User Guide to be sure that this type of Room is right for your organization.
DISCLAIMER: The Domain Join Beta feature is still undergoing development and is provided 'as-is', without any warranties or support, and Tehama will not be liable for any loss of data. See the Room Domain Join User Guide for more information about this new beta Room feature.
By default, the ability to create a Domain Join Room is disabled. Submit a support ticket to Tehama Support expressing your wish to create a Room of this type. Tehama Support will enable the feature and assist you through the Room creation process.
Network access options: Currently, Domain Join Rooms support only one type of network access:
- 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet.
See Create and connect a Domain Join Room for instructions to create and connect a Room of this type.
- Service-provider Room (a special case of a Standard Room)
This is the use-case for a Service-provider Room:
- "I want a Room that my organization owns and that is connected to another organization's private network (either a physical or an internet-based network). This second organization is the consumer of my services and is referred to as the connected organization. If necessary, the connected organization can invite other organizations to join the Room."
Network access options: Currently, Standard Rooms, of which Service-provider Room is a special type, support three types of network access:
- 'Multi-Path', which allows you to connect to multiple private networks, or none, and provides access to the internet;
- 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet; and
- 'Internet-Only', which only provides access to the internet.
There are two steps to create and connect a Service-provider Room:
- Create a Service-provider Room
This step is done by the Service-provider organization, who will own the Room.
- Connect a Service-provider Room
This step is done by the Service-consumer organization, who will control access in the Room.
Create and connect a Standard Room:
Instructions to create a Standard Room and connect my network to it
"I am creating a Room, connecting it to my network, and then (optionally) inviting another organization to join and use the Room."
- My organization will be responsible for all costs incurred in the Room, and will have control over what services/tools are provisioned in the Room.
- My organization will control access to my network, which means control over which other organizations (if any) and which members will have access to the Room and what assets are accessible through this Room.
- My organization will choose, and implement, the type of network access in the Room: 'Multi-Path', which allows you to connect to multiple private networks, or none, and provides access to the internet; 'Internet-Only', which only provides access to the internet; and 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet.
- I can invite members of my organization to become members of the Room.
- If desired, I can invite other organizations to join the Room, for example the organization of my service provider; these organizations are referred to as user organizations; they can propose their organization members to become members of the Room; I can approve their proposals and assign them Desktops.
- Members of the Room will be able to access assets in my network securely through Desktops in the Room.
(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)
Only the Org Admin user and Org/Room Managers of an organization can create a Room and connect to it. Check the description of your custom role, to see if you can perform these actions.
- Log in to the Tehama Web UI.
- Select the ROOMS tab in the navigation bar.
- Click the NEW button at the top right. The CREATE ROOM dialog will appear.
- Select Standard Room.
- Click CONTINUE. The fields for a Standard Room will appear on the dialog.
- Enter a name in the Room Name field.
- Select "Your Organization" in the Connect this room to field.
- OPTIONAL: Check the box beside Create Free Trial Room to make this Room a "Trial Room". If you leave this box unchecked, you will be billed for this Room.
Note: this option is only visible to those organizations who are eligible for a free trial Room. If your organization is not eligible for a free trial Room, then you will not see this option, and you will be billed for the Room.
The TCU usage within a Trial Room is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Room is over the number of available Trial TCU credits, then you will be billed for the difference.
- Select your preferred region in the Region field.
This is the region in which you want this Room's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Room.
Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
- OPTIONAL: Check the box beside Include the File Vault in this room to include a File Vault in this Room.
Note: You can opt to enable/disable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide.
- OPTIONAL: Check the box beside "Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops" to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
Note: This option is only visible if you opted to enable the File Vault in the previous step.
Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Room Settings interface.
- OPTIONAL: Check the box beside Include the App Vault in this room to include an App Vault in this Room.
Note: You can opt to enable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable App Vault section in the Rooms User Guide.
- Click CONTINUE at the bottom of the CREATE ROOM dialog.
This will start a guided process to configure and create your Room and connect it to your organization's network.
Observe that a page has appeared in the Tehama Web UI with your Room name and your Room description at the top.
This is your Room interface page. It is a little empty right now while the room is still being created.
Right now it should be displaying the NETWORK ACCESS CONFIGURATION modal.
- On the NETWORK ACCESS CONFIGURATION modal:
Select one of the following three options.
- Multi-Path
Choose this if you want your Room to connect to multiple private networks, or none, and also access the internet (as with the other options, constrained by your Room's firewall settings and optionally by DNS Filtering).
This option requires you to connect your networks to the Room through an IPSec VPN connection.
If you select this option:
- Click the CONTINUE button.
- Proceed to step 15, "If you selected Multi-Path as your network access method ...".
or
- Tehama Gateway
Choose this if you want your Room to connect to one network, your organization's private network, and also access the internet (as with the other options, constrained by your Room's firewall settings).
This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
If you select this option:
- Click the CONTINUE button.
- Proceed to step 16, "If you selected Tehama Gateway as your network access method ...".
or
- Internet only
Choose this if you only want your Room to access the internet, for example to connect to applications and services in the cloud (as with the other options, constrained by your Room's firewall settings).
If you select this option:
- Proceed to step 17, "If you selected Internet Only as your network access method ...".
- If you selected Multi-Path as your network access method ...
Observe that your Room interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
Proceed as follows:
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Initially, you will see a BUILD ROOM INFRASTRUCTURE button.
- Click the BUILD ROOM INFRASTRUCTURE button to build your Room's infrastructure.
You will incur the cost of the Room when the Room's infrastructure begins to build.
After clicking on the button, you will see the following Room status while the infrastructure is building:
- Creating Room
After the Room has completed building, that status will disappear, and the infrastructure details, like the Room IP and ports, will appear, along with lists of the network connections and DNS resolvers in the Room.
Initially, the lists of network connections and DNS resolvers on the page will be empty. Without connections, your Room will only be able to provide access to the internet (controlled by your Room's firewall rules and DNS Filtering).
- Add connections to your private network(s) to your Room. See the Multi-Path Room - Add and Manage Connections guide for guidance. *
* If you're not comfortable configuring the Multi-Path IPSec VPN connections in your network yourself and need an IT person to help, you can, in a Standard Room, opt to delay adding connections/DNS resolvers until after you have invited another person to your organization, so they can help. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
- Add DNS Resolvers to your Room. See the Multi-Path Room - Add and Manage DNS Resolvers guide for guidance. **
** Similarly, you can wait for an IT person to help you add DNS resolvers.
- Proceed to step 18.
- If you selected Tehama Gateway as your network access method ...
Observe the GATEWAY modal appear on the Room interface page.
It has the heading Gateway near the top of the page, followed by the heading Access Key, and the button DONE at the bottom of the modal.
Under the Gateway heading, you will find a text link Show User Guide to the Tehama Gateway - Installation and Management. This guide contains instructions on how to install a Tehama Gateway in your private network.
Under the Access Key heading, you will find the Access Key for your Room, ready to be copied, downloaded or regenerated. The Access Key is required to connect the Gateway to your Room.
Proceed as follows:
- Install a Tehama Gateway in your private network, and connect it to your Room, using one of the following installation methods: *
You will incur the cost of the Room when you connect a Tehama Gateway to it, causing the Room's infrastructure to begin building.
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
When these instructions tell you to retrieve the Access Key, copy or download it from the GATEWAY modal.
* Note that if you're just trying out Tehama you can just install the Tehama Gateway in a temporary location and have your IT people move it later.
If you're not comfortable installing the Tehama Gateway yourself and need an IT person to help, you can, in a Standard Room, opt to delay the installation of the Tehama Gateway until after you have invited another person to your organization, so they can help. Just click DONE to move on. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
Tehama Gateway Network Limitations
Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
- Click DONE.
Observe that your Room interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Your Room status will be one of the following, depending on how far along your gateway installation is:
- Pending Gateway Connection, while waiting for your installed gateway to attempt a connection.
- Creating Room, while the Room's infrastructure is building, triggered by the first gateway connection attempt it receives.
- Connected, after the Room's infrastructure has completed building, and a successful gateway connection has been made.
Note on the Multiple Gateways Feature:
- The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Room Managers who are members of the Room and of the organization that owns the Room (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room.
After your Room is successfully built and connected to a Tehama Gateway, you can choose to enable the 'Multiple Gateways' option (see sidebar note) and install and connect a second gateway. Follow the same gateway installation instructions found in step a, above.
Note: The Access Key asked for by the installation instructions in step a is now available from this STATUS page, through the View or Regenerate link. Use the same Access Key for both your primary gateway and, if you choose to install one, your second gateway.
Observe that your Room interface page will sprout another tab: CONFIGURE (You may need to refresh your browser page to see it.)
See the Tehama Gateway Room Connectivity User Guide for more information about Rooms with this network access type.
- Proceed to step 18.
- If you selected Internet Only as your network access method ...
Observe a new checkbox appear on the NETWORK ACCESS CONFIGURATION modal, with the text:
- Build room when finish button is pressed
and notice the text on the button at the bottom of the modal is now FINISH, instead of CONTINUE.
Proceed as follows:
- Decide whether or not to build the Room at this time.
You will incur the cost of the Room when the Room's infrastructure begins to build.
- Leave the checkmark in place beside Build room when finish button is pressed, if you are willing to accept responsibility for the cost of the Room at this point. Clicking FINISH when this checkbox is checked will cause the Room's infrastructure to begin building.
- Click in the checkbox to remove the checkmark, if you want to delay the creation of the Room. You can initiate the build of the Room's infrastructure from the Room's STATUS page at a later time.
- Click FINISH.
Observe that your Room interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Note: If you did not opt to build the room in step a, you will see a BUILD button.
- Click the BUILD ROOM INFRASTRUCTURE button to build your Room's infrastructure.
You will incur the cost of the Room when the Room's infrastructure begins to build.
While the Room is building, you will see the following Room status:
- Creating Room
After the Room has completed building, you will see the following Room status:
- Built
After the Room has completed building, the page will display the ROOM INFORMATION, including infrastructure details, like the Room IP and ports.
Observe that your Room interface page will sprout another tab: CONFIGURE (You may need to refresh your browser page to see it.)
See the Internet-Only Room Connectivity User Guide for more information about Rooms with this network access type.
- OPTIONAL: Configure your Room and Desktop settings.
You will need to configure your Room and Desktop settings to provide, or deny, your users access to Tehama features. Settings include access to Tehama features like Windows or Linux Desktops, or Desktop session recordings.
You can choose to do this later.
Navigate to the Room's SETTINGS page:
- Click on the Room's CONFIGURE tab.
- Select the SETTINGS sidebar item
- Proceed to configure the settings in your Room as desired.
- set the Desktop idle session timeout.
- enable/disable the Multi-Gateway feature.
- enable/disable Linux Desktops.
- enable/disable Windows Desktops.
- enable/disable Desktop session recordings.
- enable/disable the App Vault. You may have already configured this when you created your Room.
- enable/disable the File Vault. You may have already configured this when you created your Room.
You can find instructions for configuring your Room settings in the Room Desktop Settings section and in the Room Feature Settings section in the Rooms User Guide.
You have now created a Room, connected your network to it, and, optionally, configured your Room settings.
Your organization is both the Room's owner organization and its connected organization (owner+connected). See the Roles User Guide for more information on organization roles in Rooms.
More information on Rooms can be found in the Rooms User Guide.
Be sure to continue getting started with the Getting Started with Tehama Administration Guide.
Note: The Administration Guide will show you the steps to carry out the following basic and necessary organization and Room set up:
As the organization that created and connected a Standard Room:
- Add members to your organization.
- Add (user) organizations to the Room (optional).
- Add members to the Room.
- Approve/reject proposed members to the Room from other organizations in the Room.
- Configure Firewall Rules (and optionally DNS Filtering) in the Room.
- Add Secrets to the Room.
- Create Desktop templates in the Room.
Create and connect a Domain Join Room
Instructions to create a Domain Join Room and connect my network to it
"I am creating a Room, connecting it to my organization's network, and then connecting my network's domain to the Room."
- My organization will be responsible for all costs incurred in the Room, and will have control over what services/tools are provisioned in the Room.
- My organization will control access to my network.
- My organization will implement network access in the Room of type 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet.
- I can invite members of my organization to become members of the Room.
- Members of the Room will be able to access assets in my network securely through Desktops in the Room.
- The Room's members' Tehama login usernames (email addresses) are used as the login usernames for the Desktops in the Room to which they are assigned.
- Any policies found in the Room's organization's network domain will be applied automatically to the Desktops in the Room. Note: Tehama Windows Desktops in domain joined Rooms inherit their privileges from the domain.
DISCLAIMER: The Domain Join Beta feature is still undergoing development and is provided 'as-is', without any warranties or support, and Tehama will not be liable for any loss of data. See the Room Domain Join User Guide for more information about this new beta Room feature.
By default, the ability to create a Domain Join Room is disabled. Submit a support ticket to Tehama Support expressing your wish to create a Room of this type. Tehama Support will enable the feature and assist you through the Room creation process.
(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)
Only the Org Admin user and Org/Room Managers of an organization can create a Room and connect to it. Check the description of your custom role, to see if you can perform these actions.
Before starting, read through the Domain Join Room Requirements and Limitations.
- Log in to the Tehama Web UI.
- Select the ROOMS tab in the navigation bar.
- Click the NEW button at the top right. The CREATE ROOM dialog will appear.
- Select Domain Join Room.
- By default, the ability to create a Domain Join Room is disabled. Click on the text "submit a request ticket" found under the Domain Join Room option in the CREATE ROOM dialog to submit a ticket to Tehama Support. Express your wish to create a Domain Join Room in the ticket. Tehama Support will enable the feature and assist you through the Room creation process.
- Click CONTINUE. The Create Room page will appear with the fields for a Domain Join Room.
- Enter a name in the Room Name field.
- Select your preferred region in the Region field.
This is the region in which you want this Room's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Room.
Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
- OPTIONAL: Check the box beside Include the File Vault in this room to include a File Vault in this Room.
Note: You can opt to enable/disable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide.
- OPTIONAL: Check the box beside "Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops" to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Room Settings interface.
- OPTIONAL: Check the box beside Include the App Vault in this room to include an App Vault in this Room.
Note: You can opt to enable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable App Vault section in the Rooms User Guide.
- Click CREATE at the bottom of the CREATE ROOM page. You will see the Room Status page.
This will start a guided process to configure and create your Room and connect it to your organization's network.
- Establish a Gateway Connection:
The Room Status page gives you the information you need to install a Gateway in your private network.
Here you will find the Access Key for your Room, ready to be regenerated, downloaded or copied. The Access Key is required to connect the Gateway to your Room.
- Use one of the following installation methods to install your gateway
Tehama Gateway Network Limitations
Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
Connecting a Tehama Gateway to your new Room will cause your new Room's infrastructure to begin building.
You will incur the cost of the Room when you connect it to a Tehama Gateway, causing the Room's infrastructure to begin building.
- Configure your network firewall (assuming your network has one) to open access in your network's Domain Controller(s) (DC) to the list of ports found in section Ports to open for Room to DC communication of the Room Domain Join User Guide, so that the Domain Join components in your Tehama Room can communicate with your DC(s) (via the Gateway).
NOTE: By default, Tehama denies all UDP traffic apart from DNS lookup to internet destinations not controlled by the gateway. Override in your Room's firewall settings if necessary.
- Click CONNECT. The Room Status page will display the status and the Room connection information.
Through the lifetime of your Room, you will be able to access this page by clicking on the Room's CONNECTION tab, then selecting the STATUS sidebar item to navigate to what is now the Room's STATUS page.
At this point your Room status should be one of the following:
- Pending Gateway Connection (yellow); or
- Connected (green).
When you see the Room Status turn Connected (green), it means that your Room infrastructure has built and the Room is connected to your Tehama Gateway. Wait until the Room Status is green before proceeding to the next step.
Note on the Multiple Gateways Feature:
- The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Room Managers who are members of the Room and of the organization that owns the Room (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room.
From the STATUS page, you can both monitor your Room's status and configure your network access.
You can regenerate the Room's access key.
You can enable/disable the 'Multiple Gateways' option (see sidebar note).
You can trigger automated Gateway version updates (if an update is available).
See the Room/Desktops Connectivity - Types, Status and Settings guide for help.
This page also provides you with the opportunity to configure the "Domain Information" for the Room. This important step sets up the Trust between your network's domain and your Tehama Room. Continue to the next step to begin setting up the Trust.
- Click CONNECT TO DOMAIN. You will see the Connect to Domain page.
- Enter your network's domain information in the following fields:
- Domain name e.g.: name.tehama.io
- Search base e.g.: DN=Users,DC=onprem,DC=com
- Admin account name e.g.: myadminuser
- Admin account password e.g.: adminpassw0rd
- Service account name e.g.: myserviceuser
- Service account password e.g.: servicepassw0rd
- Click CONNECT. Your Room will connect to your network's domain.
Note: You will not be able to perform any Room administration, such as adding members or creating/assigning Desktop templates, while you are waiting for the Room to connect to your domain.
- Observe that the navigation bar will have changed to display: ROOMS -> <your room name>
Your Room interface page will sprout four tabs (in addition to the CONNECTION tab already present): MEMBERS, CONFIGURE, AUDIT and CONDITIONS OF USE.
- Click on the Room's CONFIGURE tab, then select the SETTINGS sidebar item to navigate to the Room's SETTINGS page. This page shows your Room's settings. Proceed to configure the settings in your Room as desired.
You can find instructions for configuring your Room settings in the Room Desktop Settings section and in the Room Feature Settings section in the Rooms User Guide.
You have now created a Room, connected your network to it and connected it to your network's domain. Your organization is both the Room's owner organization and its connected organization (owner+connected). See the Roles User Guide for more information on organization roles in Rooms.
More information on Rooms can be found in the Rooms User Guide.
More information on Domain Join Rooms can be found in the Room Domain Join User Guide.
Be sure to continue getting started with the Getting Started with Tehama Administration Guide.
Note: The Administration Guide will show you the steps to carry out the following basic and necessary organization and Room set up:
As the organization that created and connected a Domain Join Room:
Create a Service-provider Room
Instructions to create a Service-provider Room
"I'm creating a Room and requesting another organization, my service-consumer, to connect it to their network."
- My organization will be responsible for all costs incurred in the Room, and will have control over what services/tools are provisioned in the Room.
- The connected organization, my service-consumer, will control access to their network, which means control over which other organizations (if any) and which members will have access to the Room and what assets are accessible through this Room.
- The connected organization, my service-consumer, will choose, and implement, the type of network access in the Room: 'Multi-Path', which allows you to connect to multiple private networks, or none, and provides access to the internet; 'Internet-Only', which only provides access to the internet; and 'Tehama Gateway', which requires you to connect to one private network and provides access to the internet.
- I can propose members of my organization to become members of the Room; the connected organization can approve my proposals.
- If desired, the connected organization can invite other organizations to join the Room; these organizations are referred to as user organizations; they can propose their organization members to become members of the Room; the connected organization can approve their proposals; I can assign them Desktops.
- Members of the Room will be able to access assets in the connected organization's network securely through Desktops in the Room.
(If you do not have a Tehama organization account, contact Tehama Support to discuss joining Tehama. Steps to join Tehama can be found in the Getting Started with Joining Tehama Guide.)
Only the Org Admin user and Org/Room Managers of an organization can create a Room and invite another organization to connect to it. Check the description of your custom role, to see if you can perform these actions.
- Log in to the Tehama Web UI.
- Select the ROOMS tab in the navigation bar.
- Click the NEW button at the top right. The CREATE ROOM dialog will appear.
- Select Standard Room.
- Click CONTINUE. The fields for a Standard Room will appear on the dialog. (A Service-provider Room is a special case of a Standard Room.)
- Enter a name in the Room Name field.
- Select "Third-Party Organization (Invite)" in the Connect this room to field.
- OPTIONAL: Check the box beside Create Free Trial Room to make this Room a "Trial Room". If you leave this box unchecked, you will be billed for this Room.
Note: this option is only visible to those organizations who are eligible for a free trial Room. If your organization is not eligible for a free trial Room, then you will not see this option, and you will be billed for the Room.
The TCU usage within a Trial Room is offset by the Trial TCU credits allocated to your organization. If the TCU usage in the Trial Room is over the number of available Trial TCU credits, then you will be billed for the difference.
- Select your preferred region in the Region field.
This is the region in which you want this Room's infrastructure to be provisioned. Select a region that is geographically appropriate for the users of this Room.
Note: Not all Desktop specifications/images are available in all regions. Read through the list of supported Desktop specifications/images by region in the Desktops User Guide before selecting a region.
- OPTIONAL: Check the box beside Include the File Vault in this room to include a File Vault in this Room.
Note: You can opt to enable/disable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide.
- OPTIONAL: Check the box beside Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops to allow users to download files from the File Vault to their local desktops through the File Vault interface in the Tehama Web UI.
Note: This option is only visible if you opted to enable the File Vault in the previous step.
Note: As with the File Vault feature itself, you can opt to enable/disable this File Vault sub-option after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable File Vault section in the Rooms User Guide. Note, you must enable the File Vault feature flag to see this sub-option in the Room Settings interface.
- OPTIONAL: Check the box beside Include the App Vault in this room to include an App Vault in this Room.
Note: You can opt to enable this Room feature after the Room is created by contacting Tehama Support for assistance, or through the Room Settings interface. See the Enable/Disable App Vault section in the Rooms User Guide.
- Click CONTINUE at the bottom of the CREATE ROOM dialog. You will see the ADD ORGANIZATION dialog.
- Enter a name in the Organization Name field. (This is the name of the Tehama organization of your service-consumer. This will be the Room's connected organization. If they do not have an organization yet, do not worry - the process will guide them in creating one.)
- Enter a name in the Contact Name field. (This is the name of the Org Admin user or an Org Manager in your service-consumer's organization. If they do not have an organization yet, just use the name of your contact in the service-consumer's company - they will become the Org Admin in the organization when they create it.)
- Enter the email for the contact in the Contact Email field. (This is the email that your contact uses to log in to their organization. Again, if they do not have an organization yet, just use the email your contact provided to you.)
- Click SEND. An email invitation will be sent to the connected organization (your service-consumer).
- Observe that a page has appeared in the Tehama Web UI with ROOMS -> <your room name> at the top. You will continue to configure your Room on this page. This page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
The MEMBERS tab should be the default selection. You will see both your organization and your connected organization listed on the page. Note that there is a Resend invitation link next to the connected organization's name. Click on this link if you need to resend the invitation.
The CONNECTION tab is where your connected organization will be directed to connect their organization to the Room. You can observe their progress connecting to the Room on this tab.
You have now created a Room and invited another organization to finish configuring it by connecting it to their network. Your organization is the Room's owner organization (user+owner). The other organization is (going to be) the Room's connected organization (connected-only). See the Roles User Guide for more information on organization roles in Rooms.
Once the other organization has connected to the Room, they will add members to the Room. As the owner of the Room, you may provision Desktops for them. See Desktops User Guide for more details.
If the other organization has set a 'condition of use' for your organization, you'll be asked to review and accept it.
More information on Rooms can be found in the Rooms User Guide.
Be sure to continue getting started with the Getting Started with Tehama Administration Guide.
Note: The Administration Guide will show you the steps to carry out the following basic and necessary organization and Room set up available to you as the Room's user+owner organization:
As the organization that created a Service-provider Room:
Connect a Service-provider Room
Instructions to connect a Service-provider Room
"I've been invited to connect my network to a Room that was created by my service provider."
Only the Org Admin user and Org Managers of an organization can connect their organization to a Room, having received an invitation to do so from the Room's owner organization. Check the description of your custom role, to see if you can perform this action.
The steps that led you to this point are as follows:
- You received an email inviting you to connect your organization to a Room. This email contains a link.
- You opened this link in a browser; and then either
- logged in to your existing organization in the Tehama Web UI; or
- joined Tehama, creating a new user and organization account, which you then logged in to.
Now:
- You will be presented with an ACCEPT INVITE TO ROOM dialog, asking you to accept the invitation to join and connect to the Room. Click I ACCEPT.
- Navigate to your organization's ROOMS tab. You will see the name of the Room in your list of Rooms.
- Click on the Room name.
This will start a guided process to configure and create your Room and, if you so choose, connect it to your organization's network.
Observe that a page has appeared in the Tehama Web UI with your Room name and your Room description at the top.
This is your Room interface page. It is a little empty right now while the room is still being created.
Right now it should be displaying the NETWORK ACCESS CONFIGURATION modal.
- On the NETWORK ACCESS CONFIGURATION modal:
Select one of the following three options.
- Multi-Path
Choose this if you want your Room to connect to multiple private networks, or none, and also access the internet (as with the other options, constrained by your Room's firewall settings and optionally by DNS Filtering).
This option requires you to connect your networks to the Room through an IPSec VPN connection.
If you select this option:
- Click the CONTINUE button.
- Proceed to step 5.
- or
- Tehama Gateway
Choose this if you want your Room to connect to one network, your organization's private network, and also access the internet (as with the other options, constrained by your Room's firewall settings).
This option requires you to install a Tehama Gateway (at least one) somewhere in your network's infrastructure.
If you select this option:
- Click the CONTINUE button.
- Proceed to step 6.
- or
- Internet only
Choose this if you only want your Room to access the internet, for example to connect to applications and services in the cloud (as with the other options, constrained by your Room's firewall settings).
If you select this option:
- Proceed to step 7.
- If you selected Multi-Path as your network access method ...
Observe that your Room interface page has sprouted four tabs, MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
Proceed as follows:
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Initially, you will see a BUILD ROOM INFRASTRUCTURE button.
- Click the BUILD ROOM INFRASTRUCTURE button to build your Room's infrastructure.
You will incur the cost of the Room when the Room's infrastructure begins to build.
After clicking on the button, you will see the following Room status while the infrastructure is building:
- Creating Room
After the Room has completed building, that status will disappear, and the infrastructure details, like the Room IP and ports, will appear, along with lists of the network connections and DNS resolvers in the Room.
Initially, the lists of network connections and DNS resolvers on the page will be empty. Without connections, your Room will only be able to provide access to the internet (controlled by your Room's firewall rules and DNS Filtering).
- Add connections to your private network(s) to your Room. See the Multi-Path Room - Add and Manage Connections guide for guidance. *
*If you're not comfortable configuring the Multi-Path IPSec VPN connections in your network yourself and need an IT person to help, you can, in a Standard Room, opt to delay adding connections/DNS resolvers until after you have invited another person to your organization, so they can help. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
- Add DNS Resolvers to your Room. See the Multi-Path Room - Add and Manage DNS Resolvers guide for guidance. **
**Similarly, you can wait for an IT person to help you add DNS resolvers.
- Proceed to step 8.
- If you selected Tehama Gateway as your network access method ...
Observe the GATEWAY modal appear on the Room interface page.
It has the heading Gateway near the top of the page, followed by the heading Access Key, and the button DONE at the bottom of the modal.
Under the Gateway heading, you will find a text link Show User Guide to the Tehama Gateway - Installation and Management. This guide contains instructions on how to install a Tehama Gateway in your private network.
Under the Access Key heading, you will find the Access Key for your Room, ready to be copied, downloaded or regenerated. The Access Key is required to connect the Gateway to your Room.
Proceed as follows:
- Install a Tehama Gateway in your private network, and connect it to your Room, using one of the following installation methods: *
You will incur the cost of the Room when you connect a Tehama Gateway to it, causing the Room's infrastructure to begin building.
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
When these instructions tell you to retrieve the Access Key, copy or download it from the GATEWAY modal.
* Note that if you're just trying out Tehama you can just install the Tehama Gateway in a temporary location and have your IT people move it later.
If you're not comfortable installing the Tehama Gateway yourself and need an IT person to help, you can, in a Standard Room, opt to delay the installation of the Tehama Gateway until after you have invited another person to your organization, so they can help. Just click DONE to move on. See the Organization User Guide if you need help figuring out how to invite someone, but it's fairly easy to figure out if you just go to MEMBERS in the navigation bar.
Tehama Gateway Network Limitations
Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network. In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
- Click DONE.
Observe that your Room interface page has sprouted four tabs: MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Your Room status will be one of the following, depending on how far along your gateway installation is:
- Pending Gateway Connection, while waiting for your installed gateway to attempt a connection.
- Creating Room, while the Room's infrastructure is building, triggered by the first gateway connection attempt it receives.
- Connected, after the Room's infrastructure has completed building, and a successful gateway connection has been made.
After your Room is successfully built and connected to a Tehama Gateway, you can choose to enable the 'Multiple Gateways' option (see sidebar note) and install and connect a second gateway. Follow the same gateway installation instructions found in step a, above.
Note on the Multiple Gateways Feature:
- The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It can be enabled/disabled by the owner (user with Org Admin role), Org Managers and Room Managers who are members of both the Room and the organization that owns the Room (which is your organization in this case). It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously. Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room.
Note: The Access Key asked for by the installation instructions in step a is now available from this STATUS page, through the View or Regenerate link. Use the same Access Key for both your primary gateway and, if you choose to install one, your second gateway.
Observe that your Room interface page will sprout another tab: CONFIGURE (You may need to refresh your browser page to see it.)
See the Tehama Gateway Room Connectivity User Guide for more information about Rooms with this network access type.
- Proceed to step 8.
- If you selected Internet Only as your network access method ...
Observe a new checkbox appear on the NETWORK ACCESS CONFIGURATION modal, with the text:
- Build room when finish button is pressed
and notice the text on the button at the bottom of the modal is now FINISH, instead of CONTINUE.
Proceed as follows:
- Decide whether or not to build the Room at this time.
You will incur the cost of the Room when the Room's infrastructure begins to build.
- Leave the checkmark in place beside Build room when finish button is pressed, if you are willing to accept responsibility for the cost of the Room at this point. Clicking FINISH when this checkbox is checked will cause the Room's infrastructure to begin building.
- Click in the checkbox to remove the checkmark, if you want to delay the creation of the Room. You can initiate the build of the Room's infrastructure from the Room's STATUS page at a later time.
- Click FINISH.
Observe that your Room interface page has sprouted four tabs: MEMBERS, CONNECTION, AUDIT and CONDITIONS OF USE.
- Click on the Room's CONNECTION tab, then select the STATUS sidebar item to navigate to the Room's STATUS page. You may be directed there automatically.
The purpose of this page is to show your Room's infrastructure details and network connection details and status.
See the Room/Desktop Connectivity - Types, Status and Settings guide for more information about this page.
Note: If you did not opt to build the room in step a, you will see a BUILD button.
- Click the BUILD ROOM INFRASTRUCTURE button to build your Room's infrastructure.
You will incur the cost of the Room when the Room's infrastructure begins to build.
While the Room is building, you will see the following Room status:
- Creating Room
After the Room has completed building, you will see the following Room status:
- Built
After the Room has completed building, the page will display the ROOM INFORMATION, including infrastructure details, like the Room IP and ports.
Observe that your Room interface page will sprout another tab: CONFIGURE (You may need to refresh your browser page to see it.)
See the Internet-Only Room Connectivity User Guide for more information about Rooms with this network access type.
- OPTIONAL: Configure your Room and Desktop settings.
You will need to configure your Room and Desktop settings to provide, or deny, your users access to Tehama features. Settings include access to Tehama features like Windows or Linux Desktops, or Desktop session recordings.
You can choose to do this later.
Navigate to the Room's SETTINGS page:
- Click on the Room's CONFIGURE tab.
- Select the SETTINGS sidebar item.
- Proceed to configure the settings in your Room as desired.
- set the Desktop idle session timeout.
- enable/disable the Multi-Gateway feature.
- enable/disable Linux Desktops.
- enable/disable Windows Desktops.
- enable/disable Desktop session recordings.
- enable/disable the App Vault. You may have already configured this when you created your Room.
- enable/disable the File Vault. You may have already configured this when you created your Room.
You can find instructions for configuring your Room settings in the Room Desktop Settings section and in the Room Feature Settings section in the Rooms User Guide.
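The 172.31.x.x restriction in the Tehama Gateway Network Limitations note can be checked before a gateway is installed. The following is an added example, not Tehama tooling; it assumes "172.31.x.x" means the CIDR block 172.31.0.0/16, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the guide's "172.31.x.x network" is read as 172.31.0.0/16.
UNSUPPORTED_NET = ipaddress.ip_network("172.31.0.0/16")


def classify(entry):
    """Classify an IPv4 address or CIDR subnet against the unsupported range.

    Returns:
      'inside'   - entirely within 172.31.0.0/16
      'overlaps' - a larger subnet that contains part of 172.31.0.0/16
      'clear'    - no intersection with the range
    """
    # strict=False accepts host-style input such as 172.31.5.10/24.
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        return "clear"  # the documented limitation is an IPv4 range
    if net.subnet_of(UNSUPPORTED_NET):
        return "inside"
    if net.overlaps(UNSUPPORTED_NET):
        return "overlaps"
    return "clear"


def preflight(gateway_host, resources):
    """Check a planned gateway placement and the resources the Room must reach.

    gateway_host: address of the machine that will run the Tehama Gateway.
    resources:    dict mapping a label to an IP address or CIDR subnet.
    """
    flagged = {}
    for name, entry in resources.items():
        status = classify(entry)
        if status != "clear":
            flagged[name] = status
    return {
        # The gateway cannot be installed on the 172.31.x.x network.
        "gateway_ok": classify(gateway_host) == "clear",
        # Resources on 172.31.x.x cannot be connected to directly.
        "not_directly_reachable": flagged,
    }


# Constructed sample plan; none of these addresses come from the guide.
SAMPLE_PLAN = {
    "gateway_host": "10.20.0.15",
    "resources": {
        "domain-controller": "10.20.0.10",
        "build-server": "172.31.4.20",
        "lab-subnet": "172.31.128.0/20",
        "legacy-supernet": "172.16.0.0/12",  # spans 172.16.x.x to 172.31.x.x
        "file-share": "192.168.50.0/24",
    },
}

if __name__ == "__main__":
    report = preflight(SAMPLE_PLAN["gateway_host"], SAMPLE_PLAN["resources"])
    print("gateway placement ok:", report["gateway_ok"])
    for name, status in report["not_directly_reachable"].items():
        print(f"{name}: {status} 172.31.0.0/16")
```

An 'overlaps' result means a broader route or subnet includes the restricted range, so individual hosts in it still need to be checked one by one.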
You have now connected to a Room owned by another organization.
Your organization is the Room's connected organization (connected-only). The organization that invited you to connect to the Room is the Room's owner organization (user+owner). See the Roles User Guide for more information on organization roles in Rooms.
You can add members of your organization to the Room, if desired.
The owner organization can propose that some of their organization's members become members of the Room. You will get notifications to approve them.
The owner organization can then add Desktop templates for the Room members (both from your organization and from theirs). See Desktops User Guide for more details.
More information on Rooms can be found in the Rooms User Guide.
Be sure to continue getting started with the Getting Started with Tehama Administration Guide.
Note: The Administration Guide will show you the steps to carry out the following basic and necessary organization and Room set up available to you as the Room's connected-only organization:
As the organization that connected a Service-provider Room:
- Add members to your organization.
- Add (user) organizations to the Room (optional).
- Add members to the Room (from your organization).
- Approve/reject proposed members to the Room from other organizations in the Room.
- Configure Firewall Rules (and optionally DNS Filtering) in the Room.
- Add Secrets to the Room.
Join a Standard or Service-provider Room
Instructions to join a Standard or a Service-provider Room
"I've been invited to join a Room as a third-party organization."
Your organization has been invited to join a Room of type Standard or Service-provider.
Your organization will be a "user" organization in the Room, with no special privileges.
Only the Org Admin user and Org Managers of an organization can join their organization to a Room, having received an invitation to do so from the Room's connected organization (the organization in the Room that controls access). Check the description of your custom role, to see if you can perform this action.
The steps that led you to this point are as follows:
- You received an email telling you that your organization has been added to a Room. This email contains a link.
- You opened this link in a browser; and then either
- logged in to your existing organization in the Tehama Web UI; or
- joined Tehama, creating a new user and organization account, which you then logged in to.
Now:
- Navigate to your organization's ROOMS tab. You will see the name of the Room in your list of Rooms.
- Click on the Room name.
- If the Room's connected organization has set a 'condition of use' for your organization, you'll be asked to review and accept it.
- Click the Room's MEMBERS tab. (It should be the default selection.) You should see your organization listed. Propose members from your organization to join your Room, if desired. NOTE that the connected organization will have to approve them after connecting the Room.
You have now joined a Room. Your organization is a user organization in the Room (user-only). The organization that invited you is the Room's connected organization (owner+connected or connected-only). See the Roles User Guide for more information on organization roles in Rooms.
You may propose that members from your organization become members of the Room. The Room's connected organization will receive notifications to approve them. The owner organization can then add Desktop templates in the Room for them (or assign them to existing Desktop templates). See Desktops User Guide for more details.
More information on Rooms can be found in the Rooms User Guide.
Be sure to continue getting started with the Getting Started with Tehama Administration Guide.
Note: The Administration Guide will show you the steps to carry out the following basic and necessary organization and Room set up available to you as one of the Room's user-only organizations:
As the organization that joined a Standard or a Service-provider Room: