The following is an implementation overview of the RAS multi-tenant architecture:
- Tenants are deployed as separate individual Farms or Sites. Tenants deployed as separate Farms are completely independent and never communicate with each other. If tenants are deployed as Sites, every Site must join the Tenant Broker separately.
- Shared resources include RAS Secure Gateways (including User Portal) and High Availability Load Balancers (HALB).
- A Tenant Farm doesn't need its own RAS Secure Gateways and HALB. However, deployments with Gateways and HALB are possible if you need them for internal connections. For example, if you have different policies for internal and external connections, you might want to install a Gateway and HALB to serve local users.
- The network configuration of a Tenant requires the Tenant Connection Broker to Tenant Broker Connection Broker connectivity. Additionally, shared RAS Secure Gateways need to communicate with servers hosting published resources and the Tenant's Connection Broker. Depending on the implemented network architecture, it might require a VLAN to VLAN connectivity, VPN, etc. These communications require only a limited number of open ports. For the complete list, see Communication ports.
- Communications with a Tenant domain are always performed from a local Tenant Connection Broker and never from the Tenant Broker infrastructure.
- Every Tenant must have a unique public domain address, which can be assigned a number of different ways. For example, a service provider can register a subdomain (e.g. Tenant1.Service-Provider.com) and assign it to a Tenant. Another approach could be using a private domain address (e.g. RAS.Tenant1.com) and have it routed to RAS Secure Gateways in the Tenant Broker. Note that different public domain addresses can resolve to the same IP address if needed.
- When a Tenant is joined to the Tenant Broker, shared RAS Secure Gateways become aware of the Tenant and its configuration and can connect to the Tenant's RAS Connection Broker(s). A route must be set for the incoming Tenant's traffic from the Internet to RAS Secure Gateways (or HALB) in the Tenant Broker.
- Tenant Broker comes with its own RAS Console allowing you to manage shared resources, Tenant objects and certificates, monitor Tenant performance, and carry out standard RAS administration tasks.
- All Tenant Themes are made available in the Tenant Broker. When user connects via a shared RAS Secure Gateway in the Tenant Broker, the corresponding Tenant Theme is presented to the user.
- Different SSL certificates can be used for different Tenants.
Tenant Broker doesn't need a license. Licenses are managed on a Tenant level.
RAS version compatibility
Parallels RAS multi-tenant architecture is available in Parallels RAS 17.1 and newer. The following limitations apply when using older versions of Parallels RAS:
- Parallels Clients older than RAS 17.1 are incompatible with shared gateways and therefore cannot be used to connect to a Tenant Farm via the Tenant Broker.
- Parallels RAS installations older than RAS 17.1 are incompatible with Tenant Broker and cannot be joined as Tenants.