The following are tasks you must perform before you can add a new tenant.
Assign Tenant Hosts (ESX servers)
The management interface of each host must be reachable from the Service Provider network and have a record in the Service Provider DNS. You must also configure an account on each host that will be used for API access.
Create a Mount Point
On the NFS storage subsystem, create a mount point to host the tenant's desktops. At a minimum, grant NFS access to the tenant's desktop host IP(s) and the IPs of the Resource Manager appliances. For ease of administration you can instead export to the entire management appliance subnet and hosts subnet, but be aware that this lets every host on those subnets mount the tenant's desktop storage.
Configure Backhaul (VPN/MPLS)
If the tenant requires backhaul, configure VPN access (IPsec tunnel or MPLS circuit) from the tenant network back to the customer's network that houses, for example, their AD, DNS, and DHCP, as well as any other applications the virtual desktop users require.
Define Tenant Network & VLAN
If the tenant has backhaul, work with the tenant to identify an internal subnet that is not already in use in their infrastructure, to be used for the virtual desktops. Otherwise, assign an appropriate subnet and VLAN to the tenant network. This VLAN must be assigned to a vSwitch on both Management ESX Hosts as well as on all desktop hosts assigned to the tenant.
Define or Install a DNS Server for the Tenant
A DNS server must be reachable from the tenant network that can resolve the tenant's Active Directory domain name, so that the tenant's users can authenticate.
Allocate IP Addresses in the Tenant Network
Allocate up to seven IP addresses in the tenant network: two for the management appliances plus a third for their shared IP; three more if the tenant requests access via the dtRAM; and, if the tenant has backhaul to a DHCP server, optionally a seventh for a DHCP relay service.
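The subnet, NFS export and address-allocation rules in the three preceding tasks can be checked mechanically before anyone touches the hosts. The following script is an added example, not part of the product documentation or its tooling: it rejects a candidate tenant subnet that overlaps a range the tenant already uses, maps the required roles (two management appliances plus a shared IP, three more for dtRAM, one for a DHCP relay) onto host addresses, and builds the minimal NFS client list for the mount point. The subnet values, role labels, the reservation of the first host address for a gateway, and the Linux /etc/exports syntax and options are all assumptions made for the example.

```python
# Added example (not from the product documentation): pre-checks and
# address planning for a new tenant network, following the rules in the
# text above. Subnet values, role labels and the Linux /etc/exports
# syntax are assumptions made for this example.
import ipaddress

NFS_OPTS = "rw,sync,no_subtree_check"  # assumed export options


def check_no_overlap(candidate, in_use):
    """Return the candidate subnet, or raise if it overlaps any range the
    tenant already uses (the backhaul case in the text)."""
    cand = ipaddress.ip_network(candidate, strict=True)
    for rng in in_use:
        used = ipaddress.ip_network(rng, strict=True)
        if cand.overlaps(used):
            raise ValueError(f"{cand} overlaps in-use tenant range {used}")
    return cand


def required_roles(dtram_access=False, dhcp_relay=False):
    """Roles that need an address: 2 management appliances + 1 shared IP,
    3 more for dtRAM access, 1 more for a DHCP relay (at most 7)."""
    roles = ["mgmt-appliance-1", "mgmt-appliance-2", "mgmt-shared-ip"]
    if dtram_access:
        roles += ["dtram-1", "dtram-2", "dtram-3"]  # assumed labels
    if dhcp_relay:
        roles.append("dhcp-relay")
    return roles


def allocate(candidate, in_use=(), dtram_access=False, dhcp_relay=False,
             reserved_low=1):
    """Map each role to a host address in the tenant subnet.

    reserved_low: leading host addresses left free (assumed 1, for the
    tenant gateway). Raises ValueError on overlap or if the subnet is
    too small for the required roles."""
    subnet = check_no_overlap(candidate, in_use)
    roles = required_roles(dtram_access, dhcp_relay)
    usable = list(subnet.hosts())[reserved_low:]
    if len(usable) < len(roles):
        raise ValueError(
            f"{subnet} has {len(usable)} usable addresses, need {len(roles)}")
    return {role: str(addr) for role, addr in zip(roles, usable)}


def nfs_export_line(mount_point, desktop_host_ips, resource_manager_ips,
                    subnets=()):
    """Build one /etc/exports line for the tenant mount point.

    The minimum client list is the tenant's desktop host(s) plus the
    Resource Manager appliances. Passing subnets adds whole-subnet
    clients, which is easier to administer but lets every host in those
    subnets mount the tenant's desktop storage."""
    clients = list(desktop_host_ips) + list(resource_manager_ips)
    for net in subnets:
        clients.append(str(ipaddress.ip_network(net, strict=True)))
    return mount_point + " " + " ".join(f"{c}({NFS_OPTS})" for c in clients)


if __name__ == "__main__":
    # Constructed sample inputs: a tenant with backhaul, dtRAM and a DHCP relay.
    plan = allocate("10.20.30.0/24", in_use=["10.0.0.0/16", "172.16.0.0/12"],
                    dtram_access=True, dhcp_relay=True)
    for role, ip in plan.items():
        print(f"{role:18} {ip}")
    print(nfs_export_line("/export/tenants/acme", ["192.0.2.21"],
                          ["192.0.2.10", "192.0.2.11"]))
```

Run it with the tenant's existing ranges in in_use; an overlap or an undersized subnet fails before any VLAN or export is created, and the printed exports line is the minimal client list to start from, with subnets only added deliberately.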
Define or install Tenant Active Directory
The tenant must configure their Active Directory as defined in the installation guide. It is highly recommended that you confirm the values using an AD tool such as AD Explorer.
A tenant may opt to provide only the two required accounts:
Service Account - read-only access, used for authentication
Domain Join Account - domain join privilege, used to add VMs to AD
If the accounts are restricted as described above, set the tenant policy fabric.ad.validateSysPrepUserPrivs to false. See Configure Policies for more information.
Determine if the Tenant Requires a Certificate
If so, the customer must provide the Service Provider with the necessary certificate files in Apache SSL format. See Certificates for more information.