Contents x
    ControlUp for Multi-Tenancy Environments
      • Print
      • Dark
        Light
      • PDF
      Contents

      ControlUp for Multi-Tenancy Environments

        • Print
        • Dark
          Light
        • PDF
        Article Summary

        ControlUp now includes full support for multi-tenancy environments. Service Providers (SP) and tenants operate in separate, isolated environments. This means that tenants' monitoring systems are not reliant on the domain controller of the SP, which allows for the segregation of the network and ensures that tenants see only data that is relevant to them. The isolation between SP and tenants ensures that tenants can maintain control over their own data and applications, without having to worry about interference or unauthorized access from other tenants.

        In this article, we explain the general concept of the new multi-tenancy feature in version 8.8 and we will walk you through the setup of a multi-tenancy environment in which a SP can set up a ControlUp organization and allow a tenant to use it and connect its own data sources, such as managed machines and extensions.

        Prerequisites

        • ControlUp version 8.8 or higher

        And if you are an existing customer moving to MSP mode, you also must:

        These steps are detailed below.

        Overview

        • There is a network separation between tenant domains a.local and b.local (they don't know each other)
        • The only component that leaves the tenant network and connects to the management network are the ControlUp Monitors (see chapter below).
        • Outbound Internet connectivity from the console and monitors still apply in multi-tenancy mode.
        • Each tenant is considered a Site by a Service Provider. Each site needs to be set up by the SP in the Real-Time DX Console)
        • As the tenant accesses the management organization, the SP must ensure to configure the Security Policy accordingly. Tenant permissions for viewing data are managed via the View Folder permission in Security Policy. Ideally, each Tenant is configured under a folder in the organizational tree.
        • If the Security Policy is configured accordingly (see Step 6), Solve only shows tenants the data that is relevant to them

        Architecture Overview

        DesiredState.drawio 3.png

        Required Inbound / Outbound Rules

        SourceDestinationProtocol / Port
        ControlUp ConsoleControlUp MonitorTCP 40706 (RPC, WMI)
        ControlUp Console / MonitorsControlUp AgentTCP 40705
        ControlUp Console / MonitorsControlUp Cloud ServerTCP 443
        ControlUp Console / MonitorsPrimary Domain Controllers, other Domain ControllersTCP 389, 88, 53
        ControlUp Console / MonitorsControlUp extensions (VMware Horizon, CVAD etc.)Various
        ControlUp MonitorSolve CloudTCP 443
        ControlUp Monitor (Management Network)ControlUp Monitors (Tenant)TCP 40706 (RPC, WMI)
        ControlUp Monitors (Tenant)ControlUp Monitors (Management Network)TCP 40706 (RPC, WMI)

        How to Set Up a Multi-Tenancy Environment

        Step 1: Multi-Tenancy Configuration

        1. Open the Real-Time DX Console in the management network.
        2. Right-click the ControlUp organization > Properties > Advanced Authentication.
        3. Ensure that the organization uses Advanced Authentication. Your organization uses Advanced Authentication if the Enable Advanced Authentication checkbox is grayed out. If the box is unchecked, you need to set up Advanced Authentication.
          image.png
        4. After Advanced Authentication has been enabled, remove all monitors in your ControlUp environment, if installed. This is a prerequisite as you will not be able to switch to multi-tenancy mode
        5. Once all monitors have been removed, click Monitoring Status > Monitors Settings > Advanced Settings and select Enable Multi-Tenancy mode
          image.png

        Step 2: Export the Advanced Authentication Certificate

        1. On a machine in the management network, open the Certificate Manager (certlm.msc)
        2. Under Personal > Certificates, right-click the controlupcert_[NameOfMSPOrg] > All Tasks > Export
        3. Follow the instructions on the screen and export the certificate to a file
        4. Copy this file to any tenant machine that runs the console

        Step 3: Import the Certificate on All Tenant Console Machines

        Before you can link your tenant to the multi-tenancy organization, you need to import the certificate to the Certificate Store.

        1. On the Tenant machine, open the Certificate Manager (certlm.msc)
        2. Right-click Personal > All Tasks > Import and import the certificate
        3. Make sure to select the Mark this key as exportable checkbox
          image.png
        4. Verify that the certificate has been successfully imported
          image.png

        Step 4: Connect the Tenant with the Management Organization

        1. Open the console on the machine where you imported the certificate
        2. In the Select a ControlUp organization, click Multi-tenancy login setup
          image.png
        3. Select the certificate and click OK
          image.png
        4. Select the management organization that this tenant belongs to and click OK
          image.png
        5. The tenant will be linked to the Tenant in our backend which may take about a minute. Once the tenant is linked, select the management organization and click OK
          image.png
        6. Enter the OTP code that you receive via mail

        Step 5: Configure DNS Conditional Forwarder

        On the domain controller in the management network, add a new DNS Conditional Forwarder for each Tenant

        Step 6: Create a New Role for Each Tenant

        1. Open the console on a management machine
        2. Under Security Policy > Create a new role for each tenant
        3. Add a user or user group to the new role
        4. On the management machine, set the following permission to Allow:
          1. View Folder
          2. Shared Credentials
          3. Use Solve
            image.png

        Step 7: Add Tenant Credentials on Tenant Machine

        1. On a tenant machine, go to Settings > Credentials Store > Add Credentials Set
        2. Add the tenant user so that the multi-tenancy and tenant credentials are visible
          image.png

        Step 8: Add AD Connections

        1. In a console in the management network , go to Settings > AD Connections and add the management domain name
          image.png
        2. Each tenant needs to add its own domain in the console
          image.png

        Step 9: Create a Site for Each Tenant

        1. Create a new site for each tenant
        2. On the tenant machine, add the user account for the tenant
          image.png
        3. Once the user that was assigned the new role is added, click the Shared checkbox to make this a Shared Credential
          image.png

        Step 10: Add Monitors to Sites

        1. On the tenant machine, click Settings > Monitors > Monitors Settings
        2. Under Domain Identity, click Import Console Credentials
          image.png
        3. Once the credentials are imported, you will see the following popup
          image.png
        Important

        Do not assign the primary AD Connection to another user. The primary role should only be assigned to the management domain user.

        1. Click Shared to make this credential a Shared Credential
          image.png
        2. Once added, click Import AD Connection
          image.png
        3. You should now see both, management and tenant domains
          image.png
        4. Click Add Monitors to Site
          image.png
        5. Make sure you select the correct site and install the monitor
          image.png

        Post-Installation Tips

        Assign the MSP admin the Login Access Manager role

        Users that are assigned the Login Access Manager permission are allowed to add or remove email addresses. In version 8.8, Login Access Managers are granted the Roles Managers role automatically. Ensure that only the MSP admin is assigned the Login Access Managers role, and not the tenant admin. Assigning the tenant admin with this privilege could lead to the unauthorized addition or removal of machines in the MSP organization.

        The Roles Manager has the following permissions:

        • Force encryption on the agent settings screen
        • Edit / Reset role members
        • Add / remove roles

        Remove the View Folder Permission for Organization Members

        After following the steps mentioned earlier, you are now ready to add the tenant's resources to ControlUp. It is advisable to create a separate folder for each tenant within the organization folder and allocate all managed machines to their respective folders.

        For each tenant folder:

        • Uncheck the Inherit checkbox
        • Set the View Folder permission to Allow for the tenant that should see its own folder
        • Remove the View Folder permission for the Organization Members role
          image.png

        Troubleshooting

        Monitors unable to connect to the backend

        If monitors thrown an error such as Failed to authenticate using advanced authentication, check the following:
        image.png

        1. In the registry on your monitor machine, ensure that the value AdvancedModeCertificate located in S-1-5-20\Software\Smart-X\ControlUp\MonitorSvc contains the thumbprint of the certificate.
          image.png

        2. Full control permissions for the NETWORK SERVICE account. Learn more here.
          image.png

        Was this article helpful?
        What's Next