Multi-tenant RES ONE Workspace environment
Recently I worked with 1 RES ONE Workspace / XenApp environment with 7 different customer environments in it. Within this environment 3 customers needed to log in to each other's environments. I optimized RES ONE Workspace to make this happen without any broken shortcuts or security problems.
This blog covers a few points to look at in this sort of situation:
- Workspace Containers
- Folder redirection
The first and most important thing to do is to create a Workspace Container for every customer. Add the customer's session hosts (XenApp) to the container under Computer Control, and add the customer's users or user group under Access Control.
You can now apply specific ROW options (drive mappings, applications, security rules, etc.) to specific customers by using Access Control and then Workspace Containers. This also helps with security, because it makes sure that each customer only gets its own applications. Make sure that every setting and application has Access Control / Workspace Container configured.
Folder redirection is also an important topic in a multi-tenant environment. If you redirect the Desktop folder to the home drive (Desktop to H:\Desktop), it is important to do this differently for every customer environment. So redirect Desktop to H:\Desktop-Customer1 and filter this with Access Control / Workspace Container for customer 1. Then create a second Desktop redirect for customer 2, so Desktop to H:\Desktop-Customer2, and again filter it on the Workspace Container. Now if a user has access to both the customer 1 and customer 2 environments, they get a different desktop in each when they log in. This makes sure that users won't have broken shortcuts on their desktop. If you don't do this, a user can create a shortcut on their desktop in the customer 1 environment to an application of customer 1, then log in to the customer 2 environment and still see the shortcut to the application of customer 1 on their desktop (a broken shortcut).
Example of redirect per customer:
Within RES it's possible to work with aliases in the User Home Directory and User Profile Directory functions. Taking Java as an example, we might need to add a trusted.certs file for every customer to get rid of annoying Java notifications (see Java Done Right in RES ONE Workspace). On the Files tab of User Profile Directory, files need a unique name. This means we have to rename the file for each customer, like in the example below:
If we copied these files back into the profile as they are, Java would have an issue, because Java looks for trusted.certs and not customer1-trusted.certs.
RES ONE Workspace copy actions support an alias: by setting the alias to trusted.certs, the file customer1-trusted.certs is renamed when it is copied to the user profile. Of course, also filter this with Workspace Containers.
The same applies to the User Home Directory function, for example with a Word startup directory or template directory.
When working in a multi-tenant environment it is important to take the time to think about naming. Decide up front how you're going to use naming in RES ONE Workspace. And, whatever you do, make sure that you're consistent with the naming. Use the same name for folder redirections, Workspace Containers, application menus, etc. This will make managing the environment a lot easier.
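The three rules above (every item filtered by a Workspace Container, a separate redirect target per customer, consistent naming) can be checked against a hand-kept inventory of the configuration. This is an added example, not part of the original post; the inventory layout and the `audit` function are assumptions and do not represent a RES ONE Workspace export format.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical layout, maintained by hand):
# (item type, item name, Workspace Container filter or None, target or None)
INVENTORY = [
    ("folder_redirect", "Desktop", "Customer1", r"H:\Desktop-Customer1"),
    ("folder_redirect", "Desktop", "Customer2", r"H:\Desktop-Customer2"),
    ("folder_redirect", "Desktop", "Customer3", r"H:\Desktop-Customer2"),  # reused target
    ("application", "Customer1 ERP", None, None),                          # no container filter
    ("file_copy", "trusted.certs", "Customer1", "customer1-trusted.certs"),
    ("file_copy", "trusted.certs", "Customer2", "cust2-trusted.certs"),    # inconsistent name
]

def audit(inventory):
    """Return (finding, item type, detail) tuples for multi-tenant rule violations."""
    findings = []
    targets = defaultdict(set)  # (type, name, target) -> containers that use it
    for kind, name, container, target in inventory:
        # Rule 1: every setting and application must be filtered on a container.
        if not container:
            findings.append(("unfiltered", kind, name))
            continue
        if target:
            targets[(kind, name, target.lower())].add(container)
            # Rule 3: the container name should appear in the per-customer target.
            if container.lower() not in target.lower():
                findings.append(("naming", kind, f"{name} -> {target} ({container})"))
    # Rule 2: one target shared by several containers means tenants see each
    # other's desktop or files (the broken-shortcut case from the post).
    for (kind, name, target), containers in targets.items():
        if len(containers) > 1:
            findings.append(
                ("shared_target", kind, f"{name} -> {target} used by {sorted(containers)}")
            )
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```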
I hope this was informative. For questions or comments you can always leave a reaction in the comment section or contact me: