Tehama Gateway Room Connectivity User Guide
The purpose of this article is to describe the network connectivity provided by a Tehama Gateway Room.
Overview
'Tehama Gateway Room' is a short way of referring to a Tehama Room that has network access type 'Tehama Gateway'.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in Room/Desktop Connectivity - Types, Status and Settings for details.
The 'Tehama Gateway' network access type securely connects the Room to a private network through a software agent (binary) that you install in your private network to enable a secure encrypted connection between the Room's Tehama Gateway infrastructure and your private network. It also provides access to applications and services in the internet.
This software agent is referred to as the "Tehama Gateway", or simply as the "Gateway".
Tehama Gateway is one of Tehama's three network access options, the others being Internet-Only and Multi-Path.
A Tehama Gateway Room requires a Gateway to be connected and can only be connected to one private network.
An Internet-Only Room does not need a Gateway, but does not allow any access to private networks.
Multi-Path does not require a Gateway, and provides both internet access and the option to add connections to multiple private networks.
Use of a Gateway is one of the ways Tehama has of providing access to your Room. It provides access to the private network of your Room's connected organization, as well as to applications and services in the cloud (constrained by your Room's firewall settings). The Room also accesses the internet through the Gateway.
Both Standard Rooms and Domain Join Rooms support the "Tehama Gateway" network access type.
Construct a Tehama Gateway Room and connect it to a Tehama Gateway:
First ensure that you are able to meet the requirements for a Multi-Path Room:
Then:
Here are the actions you can perform within a Tehama Gateway Room's interface:
View the connection details for the Room:
- View a Tehama Gateway Room's status
- View a Tehama Gateway Room's Router IPs and Ports
- View a Tehama Gateway Room's Multiple Gateways setting
- View the Gateway table for a Tehama Gateway Room
Manage the Room's Gateway(s):
Here are the actions to install and manage Gateway instances in your private network:
These are links to Tehama Gateway - Installation and Management.
Install a Gateway in your network and configure your network's firewall:
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
- Firewall Configuration
Verify and monitor connectivity between the Gateway in your network and your Room:
- Verify Connectivity with Tehama from the Tehama Web UI
- Tehama Gateway Diagnostic Tool
- Tehama Gateway Troubleshooting
- Tehama Gateway Log and Setup File Collection
- View/Regenerate the Access Key
- Test Connections
- Best Monitoring Practices
Keep your Gateway version up-to-date:
- Update a Tehama Gateway
- Automated update for modern Gateway versions (3.0.0 and later)
- Manually Triggered update for modern Gateway versions (3.0.0 and later)
- Command line update for legacy Gateway versions (before 3.0.0)
- Command line update for modern Gateway versions (3.0.0 and above)
- Command line update for Gateways running inside a Docker container
Tehama Gateway Room Requirements and Limitations
Requirements:
- You must have a Tehama organization.
- You must have a private network.
- Your network must support the installation of a 'Tehama Gateway', the software agent (binary), within its infrastructure. See the installation methods for requirements for each type of installation.
- If installing via the automated-script, choose a host that meets the minimum specifications and can be configured as directed in 'Configure your Gateway host (for automated-script-installations' in Tehama Gateway - Installation and Management.
- If installing using Docker, choose a host that meets the minimum specifications and can be configured as directed in 'Configure your Gateway host (for automated-script-installations' in Tehama Gateway - Installation and Management.
- If installing via the automated-script, choose a host that meets the minimum specifications and can be configured as directed in 'Configure your Gateway host (for automated-script-installations' in Tehama Gateway - Installation and Management.
- You must be willing to open your network's firewall (if you have one set up) to allow communication with your Tehama Room.
Limitations:
- A Tehama Gateway Room requires a Gateway to be connected to function.
- A Tehama Gateway Room can only be connected to one private network.
Construct and connect a Tehama Gateway Room
The Org Admin user and the Org Managers of an organization can create a Room. Check the description of your custom role, to see if you can perform this action.
STEP ONE
First go over the requirements and limitations for Tehama Gateway Rooms:
STEP TWO
Create a new Room and select the network access type 'Tehama Gateway' during the Room creation process.
Or, repurpose an existing Internet-Only Room, by changing its network access to 'Tehama Gateway', and so convert the Room to be a Tehama Gateway Room.
STEP THREE
Install a Gateway in your private network, using one of the installation methods found in Tehama Gateway - Installation and Management.
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
Note: The installation process includes instructions to open your network firewall to allow access for your Room.
STEP FOUR
Configure your Room's firewall rules to allow access to the resources and applications you want to be available to your Room's Desktops.
View a Tehama Gateway Room's status
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Room can see the Room's status. Check the description of your custom role, to see if you can see the Room's status.
NOTE: The Status column in the Rooms list under the ROOMS tab will show a more generic status for each Room - Healthy, Unhealthy, Pending, Impaired, Updating or Archived. The status described here that is found on the Room's status page provides more details.
View your Tehama Gateway Room's status on its status page as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look at the top of the page. The Room's connection status is displayed in a status box found at the top of the page.
Status values for Tehama Gateway Rooms:
Your Room status will be one of the following:
- Pending Gateway Connection, before the Room's infrastructure has begun building, while the Room is waiting for the initial connection to a gateway.
- Creating Room, while the Room's infrastructure is building, triggered by the first gateway connection attempt it receives.
- Connected, after the Room's infrastructure has completed building, and a successful gateway connection has been made.
- Gateway Connection Warning, if the Gateway connection to the Room is impaired.
- Updating Room, if the Room's infrastructure is being updated.
- Failed to Create Room, if the Room's infrastructure failed to build successfully.
View a Tehama Gateway Room's router IPs and Ports
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Tehama Gateway Room can see the Room's router IPs. Check the description of your custom role, to see if you see the Room's router IPs.
A Tehama Gateway Room has two routers that support connectivity in the Room. The router IPs are the IP addresses of these routers. These addresses and the ports that the routers use are available through the Room's connection status interface.
View your Tehama Gateway Room's router IPs and ports as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the following fields found below the status box: IPs and Ports
- You must ensure that the Tehama Gateway(s) in your private network can reach these IPs at the ports shown through your network's firewall.
View a Tehama Gateway Room's 'Multiple Gateways' setting
The Org Admin user, the Org Managers and all Room members from any of the organizations in a Room can view the Room's 'Multiple Gateways' setting. Check the description of your custom role, to see if you can see the Room's 'Multiple Gateways' setting.
This option is only available if your Room has 'Network Access' set to 'Tehama Gateway'.
Note on the Multiple Gateways Feature:
The 'Multiple Gateways' feature provides redundancy for a Room's network access when the selected network access mode is 'Tehama Gateway' and the feature is enabled. It allows you to provision a second Tehama Gateway, which you must install in your network's infrastructure. The two Gateways will run simultaneously.
The 'Multiple Gateways' option is an added expense for your Room.
Access to this feature is not offered by default. Contact Tehama Support to arrange for access to this feature in your Room. Or you may enable access to this feature through the Room Settings interface. See the Enable/Disable Multi-Gateway section in the Rooms User Guide.
Options for the Multiple Gateways setting are Enabled or Disabled.
- When disabled, your Room will provide network connectivity through one Tehama Gateway, installed in your private network.
- When enabled, the Multiple Gateways feature allows you to install a second Tehama Gateway in your private network on a different host from the first. With the 'Multiple Gateways' feature enabled, network connectivity to your Room will be maintained if one of the Tehama Gateways crashes. This can be enabled/disabled by the organization that owns the Room and viewed by the Room's connected organization.
View your Room's 'Multiple Gateways' setting as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the Multiple Gateways field below the Room's status box. (If you do not see this field, then the feature is not enabled for your Room. See the Note on the Multiple Gateways Feature above. When the toggle is 'on', the feature is enabled. Otherwise, it is disabled.
Enable/Disable the 'Multiple Gateways' option in a Tehama Gateway Room
Only the Org Admin user and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization (owner+connected or user+owner) can enable/disable the Room's 'Multiple Gateways' option. Check the description of your custom role, to see if you can perform this action.
See the Note on the Multiple Gateways Feature above.
This option is only available if your Room has 'Network Access' set to 'Tehama Gateway'.
The 'Multiple Gateways' option requires additional ports to be opened. Before enabling the option, see the firewall configuration options in the Firewall Configuration section in Tehama Gateway - Installation and Management. Each configuration option lists the ports you must open to support the 'Multiple Gateways' option.
The 'Multiple Gateways' option is an added expense for your Room.
Enable the Multiple Gateways option for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the Multiple Gateways field below the Room's status box. (If you do not see this field, then the feature is not enabled for your Room. See the Note on the Multiple Gateways Feature above.)
- You should see a toggle next to the Multiple Gateways field. (If you do not see this toggle then you do not have permission to change the setting.)
- Verify that your current Tehama Gateway instance has version greater or equal to 4.0.4. An icon will be visible next to the 'Multiple Gateways' toggle to alert you should your Gateway not have the minimum required version.
- Click on the toggle in the Multiple Gateways field. The ENABLE MULTIPLE GATEWAYS dialog will appear.
- Be sure that you want to incur the cost of this option and that you are prepared for some downtime (approximately ten minutes) for your Room while it modifies its infrastructure to support the option.
- Click ENABLE in the dialog.
NOTE: There will be downtime, approximately ten minutes, (e.g.: a loss of connectivity from the existing gateway to your Room) while the Room modifies its infrastructure to support multiple gateways. - Proceed to install/activate a second Tehama Gateway once the 'Multiple Gateways' setting is enabled as follows:
- Follow the procedure for installing a Tehama Gateway (just as was done for the Room's first gateway). See the different options for installing a Tehama Gateway in Tehama Gateway - Installation and Management:
- Install the Tehama Gateway from an AWS AMI
- Install the Tehama Gateway from an automated-script
- Install the Tehama Gateway using Docker
The above procedures all require you to use an Access Key from the Room.
You can either- Use the same Access Key that was used for the Room's first gateway, extracting it from its secure location in that gateway's host machine.
- Generate a new Access Key to use with both gateways. See the steps in the View/Regenerate an Access Key section in Tehama Gateway - Installation and Mgmt.
NOTE: Both gateways use the same Access Key. If you regenerate the Access Key, both gateways must be reconfigured/restarted to use the new Access Key. Gateway connectivity to the Room will be lost and people working on Desktops in the Room will experience downtime until this is done. This process takes approximately ten minutes.
- Follow the procedure for installing a Tehama Gateway (just as was done for the Room's first gateway). See the different options for installing a Tehama Gateway in Tehama Gateway - Installation and Management:
Disable the Multiple Gateways option for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the Multiple Gateways field below the Room's status box.
- You should see a toggle next to the Multiple Gateways field. (If you do not see this toggle then you do not have permission to change the setting.)
- Click on the toggle in the 'Multiple Gateways' field. The DISABLE MULTIPLE GATEWAYS dialog will come up.
- Be sure that you want to reduce your connections to one and that you are prepared for some downtime for your Room (approximately ten minutes) while it modifies its infrastructure to remove support for the option.
- Select the Tehama Gateway instance you want to remove.
- Click DISABLE.
NOTE: There will be downtime, approximately ten minutes, (e.g.: a loss of connectivity from the remaining gateway to your Room) while the Room modifies its infrastructure to remove support for multiple gateways.
View/Regenerate a Tehama Gateway Room's access key
Only the Org Admin user and Org Managers and Room Managers (who are members of the Room) of a Room's connected organization (owner+connected or connected-only) can view/regenerate/copy/download the Room's 'Access Key'. Check the description of your custom role, to see if you can perform these actions.
This option is only available if your Room has 'Network Access' set to 'Tehama Gateway'.
The Room's Access Key is used to configure the connection to the Room for all the Tehama Gateways provisioned in the Room.
To view/regenerate the Access Key for your Room see the steps found in the View/Regenerate an Access Key section of Tehama Gateway - Installation and Management.
View the Gateway table for a Tehama Gateway Room
Only the Org Admin users and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization and of its connected organization (owner+connected or user+owner and connected-only) can view the Room's Gateway table. Check the description of your custom role, to see if you can view the Room's Gateway table.
This option is only available if your Room has 'Network Access' set to 'Tehama Gateway'.
View the Gateway table for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the table of Tehama Gateways at the bottom of the STATUS page. There will be one entry for each Tehama Gateway connection provisioned for your Room. (If you do not see the table then you do not have permission to see the Gateway info in this Room - and remember that the table is only visible when 'Network Access' is set to 'Tehama Gateway'.)
Each entry provides:
- the IP of the host machine of the Tehama Gateway.
- the version of the Tehama Gateway.
If an update is pending or in progress, text indicating that will be displayed next to the version. - the status of the Tehama Gateway's connection to your Room:
-
indicates the Gateway is successfully connected to the Room and is the latest available version and is successfully connected to the Room. -
indicates that the Gateway is successfully connected to the Room but is not the latest available version. -
indicates that the Gateway is successfully connected to the Room but failed to update to the latest available version (after three attempts). -
indicates that the Gateway is not connected to the Room. (It may or may not be the latest available version.)
-
- a menu of actions that can be performed on the Tehama Gateway, depending on its current status, such as:
- 'Update':
This action is available when the Gateway is not the latest available version. Select this action to display a dialog listing the details of the latest available update. See the "Update a Room's Tehama Gateway" section below for how to trigger the update. See Tehama Gateway - Installation and Management's update section for more comprehensive details on how to update a Gateway. - 'Show error':
This action is available when the Gateway is not connected to the Room or when an attempt to update the Gateway failed. It displays the error text in a dialog.
- 'Update':
Update a Tehama Gateway Room's Gateway(s)
Only the Org Admin user of a Room's connected organization (owner+connected or connected-only) can update one of the Room's Gateways.
This option is only available if your Room has 'Network Access' set to 'Tehama Gateway'.
Update a 'Tehama Gateway' for your Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access. You will see the Room's interface. The tabs you will see depends on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the STATUS sidebar item.
- Look for the table of Tehama Gateways at the bottom of the STATUS page. There will be one entry for each Tehama Gateway connection provisioned for your Room. (If you do not see the table then you do not have permission to update a Gateway in this Room - and remember that the table is only visible when 'Network Access' is set to 'Tehama Gateway'.)
- Locate the entry for the Tehama Gateway instance that you wish to update.
- Examine the status for the Gateway under the Status column. (See the description of the different Gateway statuses in the "View the table of Tehama Gateway(s) for a Room" section above.)
Note, you may need to refresh the page to see most current status.
When the status indicates that the Gateway is not the latest available version, you will find the 'Update' action under the three vertical dots menu in the Actions column. - Select the 'Update' action under the three vertical dots menu in the Actions column. You will see a dialog listing the details of the latest available update.
- Pick an opportune time (i.e.: when your Room is not busy) to perform the update.
- Click UPDATE in this dialog to trigger the update.
See Tehama Gateway - Installation and Management's update section for more comprehensive details on how to update a Gateway.
Enable/Disable Gateway Auto-Update in a Tehama Gateway Room
Tehama offers an automated update feature for Tehama Gateways that is enabled on a per-Room basis. When Gateway updates are detected, updates are automatically scheduled for Gateways in Rooms that have this feature enabled.
See the steps to enable/disable this feature in the Automated update for modern Gateway versions section in Tehama Gateway - Installation and Mgmt.