Multi-Tenancy (sub-domains)

Posted on 6th October 2016

Foldr v4 allows you to run multiple independent instances of Foldr for any number of subdomains.  Each subdomain / customer tenant instance is licenced and configured separately and provides the ability to support environments that run numerous Active Directory domains from a single virtual appliance or cluster of appliances.

Typical usage scenarios for multi-tenant mode would be a service provider providing hosted file access services to multiple customers.  Each tenant organisation (customer) would access Foldr using their dedicated tenant subdomain.  i.e.

https://apples.yourdomain.com
https://oranges.yourdomain.com

Multi-tenant mode can only be managed from the virtual appliance console using the following commands.

Enable multi-tenant mode

To enable multi-tenant mode:

tenant-enable

Create a new tenant

To create a tenant:

tenant-add “name-of-customer” subdomain

For example, to create a tenant called Apples Corp that will use the subdomain apples.  The use of quote marks as shown is important when creating a multi-worded tenant name:

The tenant and the default built-in security groups will be created automatically:

List all tenants

To list all tenants and show the user count for each instance:

tenant-list

Remove a tenant

To remove a tenant:

tenant-remove subdomain

Please note that this does not remove any user files.  Just the tenant subdomain and it’s configuration.

Tenants in an Infrastructure and Client Access Deployment

If you have deployed Foldr with infrastructure and client access appliances, each appliance in the deployment should firstly be placed into multi-tenancy mode by running ‘tenant-enable’.  Once this has been done you can create your tenants as required on one of the appliances.

Syncing Tenants (IMPORTANT)

After creating your tenants you must synchronise the tenant’s encryption keys across all other Foldr appliances before the tenant subdomains are usable.  The following command should be run from the Foldr appliance upon which all the tenants were created on.

The STATUS column when running tenant-list should state ‘OK’, if the appliance is missing the keys you must run tenant-sync from another appliance that can provide them.  If you attempt to run tenant-sync from an appliance with missing keys, an error will be displayed and the sync operation will be aborted.

In the example below, Pears Corp (https://pears.yourdomain.internal) is currently unusable on this system due to missing encryption keys:

Tenant-sync command example :

tenant-sync appliance-ip-1 appliance-ip-2 appliance-ip-3 -p password

The -p argument used above is optional and will only work if all appliances are using the same fadmin password. Otherwise you will be asked to provide a password for each appliance individually.

This command ensures that all appliances use the same encryption and hashing keys for individual tenants. For correct operation these keys must be synced between all client access appliances. It is also recommended that you sync them with your infrastructure appliances as well but this is not vital.

Disable multi-tenant mode

To disable multi-tenant mode:

tenant-disable

DNS & multi-tenant mode

DNS must be correctly configured, both internally and externally for multi-tenant mode to work correctly.  If one does not already exist, a lookup zone should be created for the domain name and Host / A records created for each tenant.  Each A record must be configured to resolve to the IP address of the Foldr appliance.

It is also vital that the preferred and secondary DNS servers that are configured on the Foldr appliance can resolve all customer Active Directory domains that are used.  Also all paths (LDAP servers, shares, home folders and so on) must configured fully qualified.

Configuring & Licensing Tenants

The administrative fadmin account can configure each tenant by browsing to:

https://tenant-subdomain.yourdomain.com/settings

The tenant instance can then be configured as normal.

NOTE – The default /settings page at https://IP-address-of-Foldr/settings serves no purpose in multi-tenant mode and should not be used.

Delegated Administration – tadmin (Tenant Admin)

When each new tenant is created, a new administrative account is also created which has permissions to make configuration changes solely within that tenant instance.

The tadmin account has lower privileges than fadmin, and as such cannot make system wide changes.  For example, tadmin cannot power off/reboot the appliance or adjust the network/time settings or install an SSL certificate.  The following menu options are hidden from tadmin:

  • Appliance
  • Infrastructure
  • Proxy PAC
  • Customise
  • Certificates

Changing tadmin’s Password

The password can be changed for the tadmin account by using the Change Password tab within the tenant’s Foldr Settings >> General administration area.

i.e. https://tenant-subdomain.yourdomain.com/settings

Resetting tadmin’s Password

If the tadmin account password needs to be reset, this can be done on the appliance console (logged in as fadmin) using the following command:

tenant-reset-password subdomain

Once reset, the password is set to ‘password’ (without quotes)

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, [email protected]