The following are tasks you must perform before you can add a new tenant.
Assign Tenant Hosts (ESX servers)
The management interface of each host must be reachable from the Service Provider network and must have a record in the Service Provider DNS. You must also configure an account on each host that the platform can use for API access.
Create a Mount Point
On the NFS storage subsystem, create a mount point for the tenant to host their desktops. Configure the NFS export permissions to allow, at a minimum, the IP addresses of the tenant's desktop hosts and of the Resource Manager appliances. For ease of use, it is recommended to allow the entire management appliance subnet and the entire hosts subnet; be aware that this also lets every other host on those subnets mount the tenant's desktop store, so use the host-specific list where tenant isolation matters.
Configure Backhaul (VPN/MPLS)
If the tenant requires backhaul, configure VPN access (IPsec tunnel or MPLS circuit) from the tenant network back to the customer's network that houses, for example, their AD, DNS, DHCP, and any other applications required by the virtual desktop users.
Define Tenant Network and VLAN
If the tenant has backhaul, work with the tenant to identify an internal subnet that is not in use anywhere in their infrastructure to be used for the virtual desktops; a subnet that overlaps an existing customer subnet cannot be routed over the backhaul. Otherwise, assign an appropriate subnet and VLAN to the tenant network. This VLAN must be assigned to a vSwitch on both Management ESX Hosts and on all desktop hosts assigned to the tenant.
Define or Install a DNS Server for the Tenant
A DNS server must be reachable from the tenant network that can resolve the name of the tenant's Active Directory domain, so that tenant users can authenticate.
Allocate IP Addresses in the Tenant Network
Allocate up to seven IP addresses in the tenant network:
- two for the management appliances,
- one for the shared IP of the management appliances,
- three more if the tenant requests access through the dtRAM, and
- one more for a DHCP relay service if the tenant has backhaul to a DHCP server.
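The mount-point, tenant-network and address-allocation steps above can be checked before anything is configured. The following planner is an added example written for this page, not code from the original documentation or the product: it verifies that a proposed tenant subnet does not overlap the subnets already in use on a backhauled customer network, reserves the management, shared, dtRAM and DHCP-relay addresses in the order listed above, and emits the NFS export entry for the tenant mount point in both the host-specific and the subnet-wide form. All subnets, addresses and paths are constructed sample values, and the /etc/exports syntax is an assumption (the page does not name the NFS storage subsystem).

```python
"""Tenant network pre-flight planner (added example, not part of the
original documentation). All subnets, addresses and paths are constructed
sample values; Linux /etc/exports syntax is assumed because the page does
not name the NFS storage subsystem."""
import ipaddress

# Address roles from the allocation list above.
MGMT_APPLIANCES = 2   # two management appliances
SHARED_IP = 1         # the shared IP used by the management appliances
DTRAM_IPS = 3         # only if the tenant requests access through the dtRAM
DHCP_RELAY_IPS = 1    # only if the tenant has backhaul to a DHCP server


def overlapping_subnets(tenant_subnet, customer_subnets):
    """Return the customer subnets that overlap the proposed tenant subnet.
    A non-empty result means the subnet cannot be used with backhaul."""
    tenant = ipaddress.ip_network(tenant_subnet)
    return [
        str(cust)
        for cust in (ipaddress.ip_network(c, strict=False) for c in customer_subnets)
        if tenant.overlaps(cust)
    ]


def required_ip_count(dtram=False, dhcp_relay=False):
    """Number of tenant-network addresses to reserve for the given options."""
    return (MGMT_APPLIANCES + SHARED_IP
            + (DTRAM_IPS if dtram else 0)
            + (DHCP_RELAY_IPS if dhcp_relay else 0))


def allocate(tenant_subnet, gateway, dtram=False, dhcp_relay=False):
    """Assign the required addresses from the low end of the tenant subnet,
    skipping the gateway. Raises ValueError if the subnet is too small."""
    net = ipaddress.ip_network(tenant_subnet)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    roles = ["mgmt_appliance_1", "mgmt_appliance_2", "shared_ip"]
    if dtram:
        roles += [f"dtram_{i}" for i in range(1, DTRAM_IPS + 1)]
    if dhcp_relay:
        roles.append("dhcp_relay")
    free = (h for h in net.hosts() if h != gw)   # hosts() excludes network/broadcast
    plan = {}
    for role in roles:
        try:
            plan[role] = str(next(free))
        except StopIteration:
            raise ValueError(
                f"{net} has fewer than {len(roles)} usable addresses") from None
    return plan


def nfs_export_line(mount_point, desktop_host_ips, rm_appliance_ips):
    """Minimum-permission export: only the tenant desktop hosts (ESX storage
    interfaces) and the Resource Manager appliances may mount the store.
    no_root_squash is required because ESX accesses NFS datastores as root."""
    opts = "(rw,sync,no_root_squash,no_subtree_check)"
    clients = [f"{ip}{opts}" for ip in list(desktop_host_ips) + list(rm_appliance_ips)]
    return f"{mount_point} " + " ".join(clients)


def nfs_export_line_subnet(mount_point, appliance_subnet, hosts_subnet):
    """The 'ease of use' variant recommended above: whole subnets. Every host
    on either subnet can then mount the store, so prefer nfs_export_line()
    where tenants must not be able to reach each other's storage."""
    opts = "(rw,sync,no_root_squash,no_subtree_check)"
    return f"{mount_point} {appliance_subnet}{opts} {hosts_subnet}{opts}"


if __name__ == "__main__":
    # Constructed sample tenant "acme" with backhaul, dtRAM and DHCP relay.
    customer_nets = ["10.0.0.0/16", "192.168.1.0/24"]   # already in use at the customer
    tenant_net, tenant_gw = "10.20.30.0/24", "10.20.30.1"
    clash = overlapping_subnets(tenant_net, customer_nets)
    if clash:
        raise SystemExit(f"{tenant_net} overlaps customer subnets {clash}")
    print(f"need {required_ip_count(dtram=True, dhcp_relay=True)} addresses")
    for role, ip in allocate(tenant_net, tenant_gw, dtram=True, dhcp_relay=True).items():
        print(f"  {role:16} {ip}")
    print(nfs_export_line("/export/tenant_acme",
                          ["10.1.1.11", "10.1.1.12"],    # desktop host storage IPs
                          ["10.1.2.21", "10.1.2.22"]))   # Resource Manager appliances
    print(nfs_export_line_subnet("/export/tenant_acme", "10.1.2.0/24", "10.1.1.0/24"))
```

Run it as a script to print the plan for the sample tenant; in practice feed it the customer's real routed subnets and the storage-interface addresses of the assigned desktop hosts, and copy the host-specific export line rather than the subnet-wide one unless the ease-of-use trade-off is acceptable.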
Define or Install Tenant Active Directory
The tenant must configure their Active Directory as defined in the installation guide. It is highly recommended that you confirm the values using an AD tool such as AD Explorer.
A tenant can opt to provide only the two required accounts:
- Service Account - read-only access, used for authentication.
- Domain Join Account - domain join privilege, used to add desktop VMs to AD.
If the accounts are restricted as described above, set the tenant policy fabric.ad.validateSysPrepUserPrivs to false so that the platform skips its validation of the domain join (sysprep) account's privileges. See Configure Policies for more information.
Determine If the Tenant Requires a Certificate
If so, the customer must provide the service provider with the necessary certificate files in Apache SSL (PEM) format. See Certificates for more information.