Multi-Tenant VMware Cloud User Guide

Learn how to effectively manage multiple tenants in your VMware cloud environment.

Overview:

This document provides an overview of how-to steps to set up a Resource Pool environment within US Signal. It includes Two-factor Authentication for Cloud Director setup instructions. This guide also delivers answers to technical questions surrounding the necessary steps for the deployment, installation, and activation of Microsoft products offered under the licensing agreement. Additionally, this guide includes instructions on how to configure Multi-site Cloud Director.

Please note that ADFS is optional. If you are using an identity provider that supports Security Assertion Markup Language (SAML), such as Duo, Okta, AzureAD, or others, then 2FA may be integrated directly with Cloud Director without configuring ADFS.

Two-Factor Authentication Setup for Cloud Director:

Below is a high-level outline of the steps customers can take to set up Active Directory Federation Services with Two-Factor Authentication for their Cloud Director Organization (requires Two-Factor to already be deployed within their domain).

*Customer acknowledges that the steps below are for reference only and are based on testing performed solely by US Signal using Cloud Director v10.1. Configuration and setup using these steps is done so at the customer’s own choice and does not guarantee full protection against security risk. The customer’s internally defined security practices should be maintained at all times.

Prerequisites:

  • This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
  • Verify that you have access to an SAML 2.0 compliant identity provider.
  • Verify that you receive the required metadata from your SAML identity provider. You must import the metadata to Cloud Director either manually or as an XML file. The metadata must include the following information:
    • The location of the single sign-on service
    • The location of the single logout service
    • The location of the service’s X.509 certificate

Procedure:

1. From the main menu, select Administration.

2. Under Identity Providers, click SAML.

3. Click Edit.

4. On the Service Provider tab, enter the Entity ID. The Entity ID is the unique identifier of your organization to your identity provider. You can use the name of your organization, or any other string that satisfies the requirements of your SAML identity provider.

Important: Once you specify an Entity ID, you cannot delete it. To change the Entity ID, you must do a full SAML reconfiguration for your organization. For information about Entity IDs, see Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) 2.0.

5. Click the Metadata link to download the SAML metadata for your organization. The downloaded metadata must be provided as-is to your identity provider.

6. Review the Certificate Expiration date and, optionally, click Regenerate to regenerate the certificate used to sign federation messages. The certificate is included in the SAML metadata, and is used for both encryption and signing. Either or both encryption and signing might be required depending on how trust is established between your organization and your SAML identity provider.

7. On the Identity Provider tab, enable the Use SAML Identity Provider toggle.

8. Copy and paste the SAML metadata you received from your identity provider to the text box, or click Upload to browse to and upload the metadata from an XML file.

9. Click Save.

What to do next:

  • Configure your SAML provider with Cloud Director metadata. See your SAML identity provider documentation and the Cloud Director Installation and Upgrade Guide.
  • Import users and groups from your SAML identity provider. See Managing Users, Groups and Roles.

Microsoft Licensed Virtual Machines:

The following section will outline the self-service deployment and activation process of licensed Microsoft Windows Server virtual machines and vApps into the US Signal Cloud Director environment.

Deploying a new Windows Server Virtual Machine:

1. Log into your Cloud Director environment with a user account designated with Organization Administrator access and select the Data center card in which you will be spinning up a new Virtual Machine.

2. Confirm that Virtual Machines is selected from the left panel and select New VM.

a. Enter the desired Name and Computer Name.

b. In the list of server templates available for deployment, select the OS version you would like to deploy into your environment. Be sure to choose a template located in the same region as your Resource Pool for a faster deployment process. Note that the template naming format contains the data center location preceding the Operating System version and Storage profile. For example, GRR is in Grand Rapids and DTW is in Detroit.

c. Under the available templates, the storage policy can be selected by checking the “Use custom storage policy” check box then selecting your desired policy.

d. Click “Ok” to create the VM.

i. Once the VM has been created, if you would like to modify the resources assigned to the virtual machine you can modify the number of CPUs, memory amount, and hard drive size by clicking “Details” within the Virtual Machine card. Inside the Details menu, the resource options can be modified within the Hardware section.

ii. After network connectivity has been established for Windows 2012, 2016, and 2019 Virtual Machines, the server will be automatically activated with Microsoft.

 

Installing Microsoft Applications:

If you have licensed a qualifying Microsoft application (SQL, Exchange, etc.) through US Signal you will have the ability to attach Microsoft install media to Cloud Director virtual machines for software installation. License keys have already been embedded into the software installation process. Note: if you are missing any of your ordered Microsoft install media from your catalog, please reach out to US Signal’s Technical Operations Center.

  1. To install media from your catalog, click “Actions” in the card of the virtual machine on which you would like to install the licensed product and select Insert Media from the drop-down menu.
  2. Select the media you would like to attach to the virtual machine. The supported applications and versions offered through US Signal’s SPLA licenses are outlined in the FAQ section of this document. Once the media has been inserted you can log on to the VM and perform the installation of the application.
  3. Once the application installation has been completed remove the media from the virtual machine by right-clicking the virtual machine and selecting Eject CD/DVD.

Remote Desktop Services Licensing:

  1. Install the role for Remote Desktop Services on a virtual machine in the US Signal Cloud Director environment. This virtual machine will then serve as the licensing manager for your RDS environment in your US Signal cloud environment.

2. You can reference the Microsoft TechNet documentation for installing the Remote Desktop Services to ensure it fits your use case and the role is installed per vendor best practice guidelines.

3. Once the Remote Desktop Services role is installed and you have activated the license server, you will need to retrieve your Server ID, which will be provided to the US Signal Technical Operations Center during the RDS licensing process.

a. Right-click the server in RD Licensing Manager and select Properties.

b. Under the connection method tab, modify the connection method to Telephone and document the License Server ID value.

4. At this point, please work with the US Signal Technical Operations Center to install SPLA RDS license packs on your server.

a. Right-click the server in RD Licensing Manager and select Install Licenses.

b. Contact the US Signal Technical Operations Center via phone or email with the following information to complete the activation process.

  • Customer Name
  • Circuit ID
  • License Server ID

The contact information can be found in the FAQ section of this document and on the US Signal website.

c. US Signal will provide a License Key Pack ID, which will be entered into the field in the below screenshot. After the successful activation the RDS SALs will be available for assignment in your RD Licensing server.

Tenant App:

If you have enabled the Tenant App to gain real time insight into your resource pool utilization it can easily be accessed via the top navigation bar. Once this premium add-on has been added and collected data, you will be able to view historical and real-time utilization metrics of the Org vDC, vApps, VMs, and associated networks. The Tenant App will provide the user with data on well over 700 metrics in the dashboard to drill into, graph, compare, and export.

Use cases include, but are not limited to:

  • At-a-glance view of resources in use
  • Budget or Capacity planning – acquisitions, growth, optimization
  • Viewing if VMs in a vAPP have a snapshot and its summary
  • View over/under-utilized VMs based on CPU or Memory
  • Make size recommendations
  • Graph CPU-Ready percent to view possible CPU scheduler queue
  • Filter alerts for the entire vDC and export a “to-do” list

*Tenant App is not available as part of a Cloud Trial Promotion.

Multi-Site Cloud Director *

Please note if you have a Resource Pool in Southfield that pre-dates March 1, 2021 it is in a Cloud Director instance that is shared with Grand Rapids. Please engage your US Signal Sales representative for a Professional Services Statement of Work to migrate to the new independent Cloud Director instance at Southfield.

Configuring Multi-site Cloud Director (may also be known informally as Federation) must be performed by you from within the respective Cloud Director environment. Please refer to VMware documentation for detailed information but from a high level there are two methods.

The preferred method is to use your authenticator tool to coordinate access between the Cloud Director instances. A second option would be to export XML configurations files from each Cloud Director and upload the XML files to the opposite Cloud Director instance.

This allows an admin, on a user-by-user basis, to create logins that have access to both Cloud Directors from a single URL. However, a user must have the same user name and password in both instances of Cloud Director. It is important to note that not all users will have this access by default when Multi-site Cloud Director is configured, which allows the customer granular control over their organization’s role-based access control (RBAC) policies.

*Multi-Site Cloud Director is not available as part of a Cloud Trial Promotion.

 

Support:

If you need support for any reason: Licensing Activation, Operating System Troubleshooting or Licensing Questions, please contact US Signal’s Technical Operations Centers 24x7x365.

Toll Free: 888.663.1700 / Email: toc@ussignal.com / Fax: 616.988.0414