Multi-Path Room Connectivity User Guide
The purpose of this article is to describe the network connectivity provided by a Multi-Path Room.
'Multi-Path Room' is a short way of referring to a Tehama Room that has network access type 'Multi-Path'.
Find out what your Room's network access type is from the Room's connection page. See the section 'View a Room's network access setting' in Room/Desktop Connectivity - Types, Status and Settings for details.
The 'Multi-Path' network access type securely connects the Room to private networks through VPN IPSec connections. Multi-Path Rooms can support many such connections. It also provides access to applications and services on the internet.
Multi-Path is one of Tehama's three network access options, the others being Tehama Gateway and Internet-Only.
A Tehama Gateway Room requires a Gateway to be connected and can only be connected to one private network.
An Internet-Only Room does not need a Gateway, but does not allow any access to private networks.
Multi-Path does not require a Gateway, and provides both internet access and the option to add connections to multiple private networks.
With or without connections, a Multi-Path Room is able to connect to the internet and to applications and services in the cloud (constrained by your Room's firewall settings and its DNS Filtering). This is equivalent to the functionality available in an Internet-Only Room, a Room with network access type 'Internet-Only'.
Add connections to your Room, in order for your Room to access the private network(s) of your Room's connected organization (constrained by your Room's firewall settings and DNS Filtering).
Add DNS resolvers to your Room, in order for your Room to convert domain names from your connected networks to IP addresses.
Construct a Multi-Path Room and connect it to your private network(s):
First ensure that you are able to meet the requirements for a Multi-Path Room:
Here are the actions you can perform within a Multi-Path Room:
Build the infrastructure for the Room, if you decided to delay doing so during the Room creation process:
View the connection details for the Room:
- View a Multi-Path Room's status
- View a Multi-Path Room's Public IP and Ports
- View a Multi-Path Room's Subnet
- View the Connections table for a Multi-Path Room
- View the DNS Resolvers table for a Multi-Path Room
Configure and manage the connections and DNS resolvers in the Room:
Multi-Path Room Requirements and Limitations
- You must have a Tehama organization.
- If you intend to connect to a private network:
- The network must support the IPSec VPN (IKE2) protocol.
- You must be willing to open your network's firewall (if you have one set up) to allow communication with your Tehama Room.
- Currently, the Multi-Path network access type is only available in Standard Rooms. If you need a Domain Join Room, you cannot connect to your networks using Multi-Path.
- While existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access can be switched to use 'Multi-Path' network access, Rooms with Multi-Path access cannot be switched to use another type of access.
Construct and connect a Multi-Path Room
The Org Admin user and the Org Managers of an organization can create a Room. Check the description of your custom role, to see if you can perform this action.
First go over the requirements and limitations for Multi-Path Rooms:
- Create a new Standard Room and select the network access type 'Multi-Path' during the Room creation process.
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found under the section 'Change a Room's Network Access setting' in the Room/Desktop Connectivity - Types, Status and Settings guide.
Be sure to finish building your Room's infrastructure, if you stopped the Room creation process before this step.
Form VPN IPSec connection(s) between the Room and your private network(s). See steps in Multi-Path Room - Add and Manage Connections.
Note: The installation process includes instructions to open your network firewall to allow access for your Room.
Then (optionally) add DNS resolver(s) to your Room. See steps in Multi-Path Room - Add and Manage DNS Resolvers.
Configure your Room's firewall rules and DNS Filtering to allow access to the resources and applications you want to be available to your Room's Desktops.
Build a Multi-Path Room's Infrastructure
Only the Org Admin user or Org Managers and Room Managers (who are members of the Room) of a Room's connected organization (owner+connected or connected-only) can trigger the build of the Room when its network access is set to 'Multi-Path'. Check the description of your custom role, to see if you can perform this action.
This option is only available if your Room has 'Network Access' set to 'Multi-Path' and the building of your Room's infrastructure has yet to be triggered. That is, when creating the Room, you stopped the process before building the Room's infrastructure.
You will incur the cost of the Room when the Room's infrastructure begins to build.
Build your 'Multi-Path' Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the BUILD ROOM INFRASTRUCTURE button at the bottom of the page.
- If you are willing to accept responsibility for the cost of the Room, click the BUILD ROOM INFRASTRUCTURE button to proceed.
View a Multi-Path Room's status
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Room can see the Room's status. Check the description of your custom role, to see if you can see the Room's status.
NOTE: The Status column in the Rooms list under the ROOMS tab will show a more generic status for each Room - Healthy, Unhealthy, Pending, Impaired, Updating or Archived. The status described here that is found on the Room's status page provides more details.
View your Multi-Path Room's status on its status page as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look at the top of the page. The Room's connection status is displayed in a status box there.
Status values for Multi-Path Rooms:
Multi-Path Rooms only display a status box on the Room's status page while the Room is building.
You must click on the BUILD ROOM INFRASTRUCTURE button to trigger the building of the Room. You will incur the cost of the Room when the Room's infrastructure begins to build.
While the Room is building, you will see the following Room status:
- Creating Room
After the Room has successfully completed building, the status box will disappear.
If you add connections to the Room, you will be able to view each individual connection's status in the CONNECTIONS table, midway down the page.
View a Multi-Path Room's Public IP and Ports
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Multi-Path Room can see the Room's public IP and ports. Check the description of your custom role, to see if you can see the Room's public IP and ports.
A Multi-Path Room has a public IP address used to establish connectivity in the Room. This address and the ports the Room uses are available through the Room's connection status interface.
View your Multi-Path Room's public IP address as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the following fields: IP and Ports
- You will use the public IP and ports in the course of forming connections to your Room from your private network(s).
View a Multi-Path Room's Subnet
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Multi-Path Room can see the Room's subnet. Check the description of your custom role, to see if you can see the Room's subnet.
A Multi-Path Room has a subnet used to establish connectivity in the Room. This subnet is available through the Room's connection status interface.
View your Multi-Path Room's subnet as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the following field: Subnet
- You will use the subnet in the course of forming connections to your Room from your private network(s).
View the Connections table for a Multi-Path Room
Only the Org Admin users and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization and of its connected organization (owner+connected or user+owner and connected-only) can view the Room's Connections table. Check the description of your custom role, to see if you can view the Room's Connections table.
View the Connections table for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the table of connections midway down the STATUS page. There will be one entry for each VPN IPSec connection you have added to your Room. (If you do not see the table then you do not have permission to see the connection info in this Room - and remember that the table is only visible when 'Network Access' is set to 'Multi-Path'.)
Each entry provides:
- the status of the connection to your Room:
indicates the connection is healthy; it is successfully connected to the Room.
indicates the connection is unhealthy; it is not connected to the Room.
- the name of the connection, which is a link you can click on to see the connection details page. You can access the EDIT button from the connection details page.
- an 'Action' menu (three vertical dots) with the following options:
- the "View" action, to view the connection details. See the "View Connection Details" section in Multi-Path - Add and Manage Connections.
- the "Edit" action, to edit the connection details. See the "Edit a Connection" section in Multi-Path - Add and Manage Connections.
- the "Delete" action, to delete the connection. See the "Delete a Connection" section in Multi-Path - Add and Manage Connections.
Configure a Connection in a Multi-Path Room
There are two parts involved in forming a new connection in a Multi-Path Room:
- Add/initiate a new connection entry in your Multi-Path Room. This creates a unique pre-shared key. Enter your private network's public IP address and at least one target subnet and subnet name.
See the section 'Add a Connection' in the Multi-Path Room - Add and Manage Connections guide for instructions to add an entry in your Multi-Path Room.
- Create a VPN IPSec connection in your private network and link it to your new connection entry using the pre-shared-key value, and the Room's IP address and subnet.
See the section 'Create a VPN IPSec Connection' in the Multi-Path Room - Add and Manage Connections guide for a list of examples of such connections with different 3rd-party private network environments.
After forming the new connection be sure to:
- configure your private network's firewall configuration to allow access to your Room's IP address and ports.
- configure your Room's firewall rules to allow your Room to access resources in your private network.
- optionally, configure your Room's DNS Filtering to provide an extra layer of access control on top of your firewall rules.
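Before entering the values for one or more connections, it can help to sanity-check them against the Room's subnet. The following is an added example, not part of the Tehama documentation or product: the function name, the dictionary layout and the sample addresses are assumptions, and treating overlapping subnets as a problem reflects general IPSec routing behaviour (overlaps make it ambiguous which tunnel carries the traffic), not a rule stated on this page.

```python
import ipaddress

# RFC 1918 ranges: a peer address in these is not reachable from the Room.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(room_subnet, connections):
    """Return a list of problems in a planned set of Room connections."""
    problems = []
    room = ipaddress.ip_network(room_subnet)
    seen = []  # (network, "connection/subnet name") pairs checked so far
    for conn in connections:
        name = conn["name"]
        peer = ipaddress.ip_address(conn["peer_ip"])
        if any(peer in net for net in PRIVATE):
            problems.append(f"{name}: peer IP {peer} is private, not public")
        if not conn["subnets"]:
            problems.append(f"{name}: at least one target subnet is required")
        for sub_name, cidr in conn["subnets"].items():
            label = f"{name}/{sub_name}"
            try:
                net = ipaddress.ip_network(cidr)  # strict: rejects host bits
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
                continue
            if net.overlaps(room):
                problems.append(f"{label}: {net} overlaps Room subnet {room}")
            for other, other_label in seen:
                if net.overlaps(other):
                    problems.append(f"{label}: {net} overlaps {other_label} {other}")
            seen.append((net, label))
    return problems

# Constructed sample values; none come from a real Room.
ROOM_SUBNET = "10.250.8.0/24"
PLAN = [
    {"name": "hq", "peer_ip": "203.0.113.10",
     "subnets": {"hq-servers": "10.20.0.0/16", "hq-db": "10.30.5.0/24"}},
    {"name": "lab", "peer_ip": "192.168.1.1",
     "subnets": {"lab-net": "10.20.4.0/24", "mgmt": "10.250.8.128/25"}},
]

if __name__ == "__main__":
    for line in check_plan(ROOM_SUBNET, PLAN):
        print(line)
```

With the sample plan, the 'hq' connection passes and the 'lab' connection is flagged three times: for a private peer address, for a subnet that overlaps 'hq-servers', and for a subnet that overlaps the Room's own subnet.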
Manage a Connection in a Multi-Path Room
The actions to manage a connection are:
View the DNS Resolvers table for a Multi-Path Room
Only the Org Admin users and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization and of its connected organization (owner+connected or user+owner and connected-only) can view the Room's DNS Resolvers table. Check the description of your custom role, to see if you can view the Room's DNS Resolvers table.
View the DNS Resolvers table for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the table of DNS resolvers close to the bottom of the STATUS page. There will be one entry for each DNS resolver you have added to your Room. (If you do not see the table then you do not have permission to see the DNS Resolver info in this Room - and remember that the table is only visible when 'Network Access' is set to 'Multi-Path'.)
Each entry provides:
- the name of the DNS resolver, which is a link you can click on to see the edit page. You can see the DNS resolver details from the edit page.
- a list of domains in the DNS resolver, each of which can be removed from the DNS resolver by clicking on the x beside its name. See Delete a Domain from a DNS Resolver.
- a menu of actions that can be performed on the Tehama Gateway, depending on its current status, such as:
- 'Edit':
This action lets you edit the entry. Clicking on the entry's name also provides this edit functionality. See the "Edit a DNS Resolver" section in Multi-Path - Add and Manage DNS Resolvers.
- 'Delete':
This action lets you delete the entry. See the "Delete a DNS Resolver" section in Multi-Path - Add and Manage DNS Resolvers.
Add a DNS Resolver in a Multi-Path Room
The instructions to add a new DNS resolver are:
Manage a DNS Resolver in a Multi-Path Room
The actions to manage a DNS resolver are: