COP: Create Multi-Tenant Domain

    Article summary

    ControlUp On-Premises (COP) version 8.8 supports tenant domain creation. In COP Multi-tenancy mode, your main domain (A) contains the installed COP Server (IIS, LDS, SQL Server) and Real-Time Console. You create an additional secondary domain (B) whose tenants log in to the console with main domain credentials. Domain B contains an installed console; there is no trust between the domains, and a firewall sits between them.

    Ports

    Most ports are blocked between the domains, except the following:

    • 443, 40706, and 9997 are allowed between domains A and B.
    • 9997 is allowed for Insights On-premises (IOP) in domain A.
    • 443 is allowed for IIS accessibility in domain A.
    • 40706 is allowed for ControlUp Monitor communication in domains A and B.

    Prerequisites

    • Windows Server 2016 or higher.
    • .NET Framework 4.8 or higher.
    • Remove all installed monitors from your ControlUp environment. This is required to set Multi-tenancy mode.

    Define the Conditional Forwarders on Domain Controllers

    1. In the DNS Manager of the DC (domain controller) machine of domain A, right-click Conditional Forwarders and select New Conditional Forwarder.

    2. Add the FQDN of the DC machine of domain B, define the IP address, make sure that the Store this Conditional Forwarder… checkbox is selected, and click OK.

       If the entry appears with an error, ignore it and click OK. The new entry appears in the Conditional Forwarders list.

    3. In the DNS Manager of the DC machine of domain B, right-click Conditional Forwarders and select New Conditional Forwarder.

    4. Add the FQDN of the DC machine of domain A, define the IP address, make sure that the Store this Conditional Forwarder… checkbox is selected, and click OK.

    Create a Multi-Tenant Installation

    After you define the Conditional Forwarders on both DC machines, perform the following steps:

    1. Open the COP Real-Time Console in domain A.
    2. In domain A, install and open a COP console.
    3. Add the FQDN or IP address of the COP Server IIS machine.
    4. Open Manage ControlUp Monitors, click Add Site and give the site a descriptive name (e.g., "Tenant").
    5. Click Monitor Settings > Advanced Settings, select Enable Multi Tenancy mode and click OK.

    Note

    You can’t set or change the Organization Mode while monitors are running. To set it, you must first remove all monitors from your environment.

    6. Right-click the "Default" site (linked to machines belonging to domain A), click Add Monitors to Site, select the main monitor and click Install. After the monitor successfully deploys, it shows Running-Master status.
    7. Right-click the "Default" site, click Add Monitors to Site and add one or more monitors dedicated to the "Default" site. You must provide the primary AD connection domain identity and credentials for the multitenant domain.

    Important

    The value in the Site field must remain "All". Don't assign any site to the domain identity AD connection in the upper panel, nor to the user credentials in the lower panel. If you link these to any specific site, then you can’t connect the tenant monitors to the IIS services.

    8. Click Install > Finish.

    Connect Tenant Domain Monitors

    1. In domain B, install a COP console and open it on one of the "Tenant" machines.

    2. Add the FQDN or IP address of the COP Server IIS machine on domain A.

    3. Log in with the user credentials of a domain A user. The user must be a member of the COP authorized users group that was defined during COP installation.

    4. Make sure that the console is connected to the COP central configuration.

    5. In Manage ControlUp Monitors, deploy one or more monitors to domain B.

    6. In Domain Identity, click Add Domain, add the FQDN and a valid credential set for domain B, and click OK. Don't set this AD connection as primary: the domain A AD connection you defined in the previous steps must remain primary.

    7. Click Test Connection to make sure the connection validates successfully.

    8. Select all the checkboxes in the Shared column to make sure the credentials are shared.

    9. Right-click the "Tenant" site, click Add Monitors to Site, select a target machine from the list of tenant site machines and click Install.

       After the monitor successfully deploys and all the data sources are connected, it shows Running status.

    Add Tenant Users to Security Policy Roles

    Security Policy in COP Multi-tenancy mode

    To support Security Policy settings (Allow/Deny) in domain B (tenant), you must add the user who is logged in on the domain B machine running the COP Real-Time Console to a designated Security Policy role. You can add domain B users to Security Policy roles only by running a PowerShell command in domain A (main).

    To add domain B users to Security Policy roles:

    1. Open the Real-Time Console in domain A as Roles Manager.
    2. Click Settings > Security > Add New Role...
    3. Assign a descriptive name (e.g., "COPAllowRole"), click Add Users/Groups, add users or groups as needed, and click OK.
    4. Select the new role and click Edit... > Add Users/Groups.
    5. Add the COP authorized users group that was defined during COP installation.
    6. In the Security Policy pane, assign permissions (Allow/Deny) as needed to the new role.
    7. Make sure a ControlUp Monitor is running on one of the domain A (main) machines. Copy the file path of the monitor service (e.g., C:\Program Files\Smart-X\ControlUpMonitor\Version 8.8.0.1168). This directory contains ControlUp.PowerShell.User.dll, which you load in a later step to run the required PowerShell commands.
    8. On the domain B (tenant) machine where you want to open the console, find the SID of the domain B user to add to the new role. Open a command prompt and run the following command with the domain B user name:
    wmic useraccount where name='UserName' list full

    For example:

    wmic useraccount where name='administrator' list full

    Result: the output lists the account's properties, including its SID.

    9. Save the user's SID value (in our example: "S-1-5-21-2367450712-110331921-1907140333-500") to a text file to use in the next step.
    10. On the domain A (main) machine where a monitor is running, log in as Roles Manager (the same account as the "administrator" user), open a PowerShell ISE prompt and run the following commands:
      # Load the ControlUp cmdlets from the monitor directory copied in step 7
      Import-Module 'C:\Program Files\Smart-X\ControlUpMonitor\Version 8.8.0.1168\ControlUp.PowerShell.User.dll'
      $role = New-CUPolicyRoleDescription -RoleName 'COPAllowRole'
      # Permission IDs to grant the role (hashtable entries may span lines without backticks)
      $permissions = @{
          "1B5974A1-3487-4054-8DF9-941318F7E2B6" = $true   # Use solve
          "5AD549BF-A0AA-4241-A5F6-B11FFBD21F3A" = $true   # Manage solve
      }
      # Add the domain B user to the role by the SID saved in step 9, with its display name
      New-CUPolicyRoleMember -Role $role -SecurityIdentifier 'S-1-5-21-2367450712-110331921-1907140333-500' -DisplayName 'ROLCOP155\Administrator'
      # Apply the permissions to the root folder (all-zero GUID) for this role
      New-CUPolicyRoleAcl -Role $role -FolderId '00000000-0000-0000-0000-000000000000' -Entries $permissions
      Add-CUPolicyRoles -Roles $role   # commit the role to the Security Policy
      Get-CUPolicyRoles                # list the roles to confirm the addition

    Before you run the script, change the values that are specific to your environment: the DLL path (monitor version directory), the role name, the user's SID, and the display name (domain\user).

    11. After you run the script, the domain B user is added to the "COPAllowRole" role.

    You can now edit the role's permissions in the Security Policy panel of the domain B console.
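wmic is deprecated on current Windows builds, so the SID lookup in step 8 can also be done in PowerShell. The following is an added example, not part of the article or ControlUp's own tooling; it assumes it runs on a domain-joined domain B machine, that the account is given in DOMAIN\user form, and that 'TENANTDOM\jdoe' is a placeholder. It also checks that the result is a domain account SID that round-trips to the same account before you carry it to the domain A script.

```powershell
# Added example (not from the ControlUp article): resolve a domain B user's SID
# with PowerShell instead of wmic, verify it, and save it for the domain A script.
# Assumes a domain-joined domain B machine; 'TENANTDOM\jdoe' is a placeholder account.
function Get-TenantUserSid {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Account   # DOMAIN\user form, e.g. 'TENANTDOM\jdoe'
    )

    # Ask the security subsystem to translate the account name into a SID
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # Only a domain SID (S-1-5-21-<domain>-<RID>) belongs in a Security Policy role;
    # a local or well-known SID here would grant the role to the wrong principal.
    if ($sid.Value -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        throw "$Account resolved to $($sid.Value), which is not a domain account SID"
    }

    # Translate back and compare, so a stale name cache cannot hand us another user
    $back = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if ($back -ne $Account) {
        throw "SID $($sid.Value) resolves to '$back', not '$Account'"
    }

    # Return the two values the domain A script needs: -SecurityIdentifier and -DisplayName
    [pscustomobject]@{ Sid = $sid.Value; DisplayName = $back }
}

# Save the SID to a text file, as in step 9, to carry it to the domain A machine
$user = Get-TenantUserSid -Account 'TENANTDOM\jdoe'
$user.Sid | Set-Content -Path (Join-Path $env:USERPROFILE 'tenant-user-sid.txt')
Write-Output "SecurityIdentifier: $($user.Sid)  DisplayName: $($user.DisplayName)"
```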
