Configure SASE Tenants
For supported software information, click here.
You can configure a tenant to be a managed service provider (MSP) tenant. When you enable MSP on a tenant, the SASE service is automatically assigned to the tenant. You can configure multiple VPNs per SASE tenant, and you can configure logging services for SASE tenants that subscribe to the Versa SASE fabric service.
This article describes how to add a new SASE tenant to a parent organization.
For information about configuring an SD-WAN tenant, see Configure a Secure SD-WAN Tenant.
MSP Tenant Overview
You can configure a tenant to be a managed service provider (MSP) tenant. When you enable MSP on a tenant, the SASE service is automatically assigned to the tenant. An MSP tenant does not own any SASE gateways itself, but it can have subtenants that have access to the gateways that are owned by the MSP tenant's parent tenant.
The following figure illustrates the hierarchy of an MSP tenant. Here, the tenant named MSP-tenant is an MSP tenant that does not own any gateways, but its parent, ACME, does own gateways. The subtenants of MSP-tenant are MSP-tenant-child1 and MSP-tenant-child2, and they have access to the gateways owned by ACME.
When you create an MSP tenant, you configure it to have one of the following gateway types:
- Shared—The MSP tenant does not own any of the gateways. This tenant is onboarded onto Director and Controller nodes, but it is not provisioned on the gateways. Any non-MSP subtenant inherits gateways from the parent tenant of an MSP tenant, that is, from the ancestor tenant that has gateways. For example, if an MSP tenant called MSP-tenant is the child of the tenant called ACME, any subtenant of MSP-tenant can access all gateways available on the ACME tenant. MSP-tenant provides its subtenants with access to ACME's gateways, even though MSP-tenant does not own any gateways itself.
- Dedicated—The MSP tenant owns the gateways. After the tenant is created from Concerto or directly from the Director organization workflow, SSE gateways are created directly on Versa Director with the MSP tenant as the provider organization. Concerto then does the following to discover the dedicated gateways from the Director nodes:
  - Discover the Director nodes, that is, discover the MSP tenants that were onboarded directly to Versa Director. If the MSP tenant was created in Concerto, this operation does not apply.
  - Use the appliance discovery process to discover the gateways owned by the MSP tenant on the Director nodes.
For MSP tenants using the dedicated gateway type, its subtenants have access only to the MSP-owned gateways retrieved from the Director node. For information about discovering appliances, see Discover VOS Devices for a Published Tenant.
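The inheritance rules above (a shared MSP tenant owns nothing and is skipped over, so its subtenants inherit from the nearest ancestor that owns gateways; the subtenants of a dedicated MSP tenant see only that tenant's own gateways) can be modelled in a few lines. The following Python is an added example, not Concerto or Director code; the Tenant class, the resolve_gateways() function, the MSP-dedicated branch and gateway names such as gw-us-east are assumptions made for this illustration, and the ACME/MSP-tenant names follow the figure described above.

```python
"""Illustrative model of gateway access for MSP tenants and their subtenants.
Added example, not Concerto or Director code: the Tenant class and
resolve_gateways() are assumptions that encode the rules on this page."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tenant:
    name: str
    parent: Optional["Tenant"] = None
    msp: bool = False
    gateway_type: Optional[str] = None            # "shared" or "dedicated" for MSP tenants
    gateways: list = field(default_factory=list)  # SASE gateways this tenant owns

    def __post_init__(self):
        if self.msp and self.gateway_type not in ("shared", "dedicated"):
            raise ValueError(f"{self.name}: an MSP tenant needs a gateway type")
        if self.msp and self.gateway_type == "shared" and self.gateways:
            raise ValueError(f"{self.name}: a shared MSP tenant cannot own gateways")


def resolve_gateways(tenant: Tenant) -> list:
    """Gateways on which this tenant's SASE service can be provisioned."""
    # A shared MSP tenant is onboarded on Director/Controller only, never on gateways.
    if tenant.msp and tenant.gateway_type == "shared":
        return []
    # A tenant that owns gateways (dedicated MSP or ordinary tenant) uses its own.
    if tenant.gateways:
        return list(tenant.gateways)
    # Otherwise walk up the hierarchy. A dedicated MSP ancestor is a boundary:
    # its subtenants see only the gateways discovered for it, even if none yet.
    # A shared MSP ancestor owns nothing and is simply passed through.
    node = tenant.parent
    while node is not None:
        if node.msp and node.gateway_type == "dedicated":
            return list(node.gateways)
        if node.gateways:
            return list(node.gateways)
        node = node.parent
    return []


def example_hierarchy() -> dict:
    """ACME owns gateways, MSP-tenant is a shared MSP tenant under ACME, and its
    children inherit ACME's gateways. The gateway names and the MSP-dedicated
    branch are constructed for this example."""
    acme = Tenant("ACME", gateways=["gw-us-east", "gw-eu-west"])
    msp = Tenant("MSP-tenant", parent=acme, msp=True, gateway_type="shared")
    child1 = Tenant("MSP-tenant-child1", parent=msp)
    child2 = Tenant("MSP-tenant-child2", parent=msp)
    dedicated = Tenant("MSP-dedicated", parent=acme, msp=True,
                       gateway_type="dedicated", gateways=["gw-msp-1"])
    ded_child = Tenant("MSP-dedicated-child1", parent=dedicated)
    return {t.name: resolve_gateways(t)
            for t in (acme, msp, child1, child2, dedicated, ded_child)}


if __name__ == "__main__":
    for name, gws in example_hierarchy().items():
        print(f"{name:24} -> {gws or '(not provisioned on gateways)'}")
```

Running the block prints one line per tenant; MSP-tenant itself resolves to no gateways while both of its children resolve to ACME's, and the subtenant of the dedicated MSP tenant resolves only to gw-msp-1.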
You can configure an MSP tenant only for SASE tenants, not for SD-WAN tenants. However, for tenants that use both SASE and SD-WAN services, you can configure an MSP tenant as part of the SASE service configuration. For information about configuring the SD-WAN service on a tenant, see Configure a Secure SD-WAN Tenant.
You can configure multiple VPNs per SASE tenant. Also, within each VPN on a given SASE gateway, you can configure more than one IP address pool. Each VPN is isolated from the other VPNs on the tenant (unless you explicitly configure them to connect to each other). As a result, you can configure overlapping IP addresses in different VPNs.
Note: Only enterprise users who have the permission to onboard tenants can create or manage their subtenants.
You can configure logging services for SASE tenants that subscribe to the Versa SASE fabric service. You can configure the following types of logs:
- CGNAT logs
- DNS logs
- Web logs (HTTP/HTTPS)
Create a SASE Tenant
- Go to the Tenants dashboard screen.
- Click +Tenant. In the Create screen, in Step 1, General, enter information for the following fields.
  - Tenant Name: Enter a name for the tenant.
  - Enabled: Click the slider to enable the new tenant after you create it.
  - Global Tenant ID: The tenant is assigned a global ID automatically. However, you can enter a different global tenant ID.
  - Parent Tenant: Select a parent tenant.
  - Managed Service Provider (MSP) (group of fields): Click the slider to enable MSP mode for the tenant. In this mode, the SSE service is selected automatically and you cannot deselect it. Note that if a tenant has already been deployed as a non-MSP tenant, you cannot change it to an MSP tenant and then redeploy it. You can also select the Secure SD-WAN service for an MSP tenant; for more information, see Configure a Secure SD-WAN Tenant.
    - Gateway Type: If you enable MSP mode, select the gateway type:
      - Dedicated: Create an MSP tenant that owns its gateways.
      - Shared: Create an MSP tenant that does not own any gateways. This is the default. You can change the gateway type to Dedicated later.
  - Select Services:
    - SASE as a Service (Security Service Edge): Select to enable the SSE service. If you enabled MSP mode, SSE is selected automatically and you cannot deselect it.
    - (For Releases 12.1.1 and later) SASE for SIM: Click to enable SASE for SIM for the client. This option is available only if you select Security Service Edge (SSE). For more information, see Configure SASE for SIM.
  - Directors: Select one or more Director nodes to associate with the tenant. Then click the slider to designate one of them as the default Director. The default Director node authenticates all administrator users, whether the users are local or external to the Director node.
  - Controllers: Select one or more Controller nodes to associate with the tenant.
  - ZTP Type: Select the type of zero-touch provisioning (ZTP) to use:
    - Serial Number
    - URL: For on-premises SD-WAN devices.
  - Solution Tiers: Select one or more licensing solution tiers.
  - Appliance Preferred Version: Select the VOS software version for the tenant to use.
- Click Next. In Step 2, Security Service Edge, configure the usage type. Enter information for the following fields.
  - Select Usage Type (group of fields):
    - Pre-logon Enabled: Click the slider to enable pre-logon for the Versa SASE client. The pre-logon connection method allows a client device to establish a VPN connection to the organization's network. Pre-logon authenticates a user on the client device and then establishes a secure connection to the organization's network.
    - VSA Client Encryption Algorithms (group of fields):
      - IPsec Transform: Select the IPsec transform (the ESP encryption and integrity algorithm pair) from the list. The options are:
        - esp-aes128-md5
        - esp-aes256-md5
        - esp-null-md5
        Note that esp-null-md5 provides integrity only and does not encrypt client traffic; use it only for troubleshooting, and prefer one of the AES transforms in production.
      - IPsec Group: Select the Diffie-Hellman group used for the IPsec key exchange from the list. The options are:
        - Diffie-Hellman Group 14: 2048-bit modulus
        - Diffie-Hellman Group 15: 3072-bit modulus
        - Diffie-Hellman Group 16: 4096-bit modulus
        - Diffie-Hellman Group 21: 521-bit elliptic curve
        - Diffie-Hellman Group 25: 192-bit elliptic curve
        Note that a higher group number does not mean a stronger group: Group 25 (192-bit elliptic curve) offers less security than Group 14 (2048-bit modulus), and Group 21 is the strongest of the groups listed.
    - Based on Bandwidth: Click to configure the subscription usage type based on the amount of bandwidth used. This is the default.
    - Based on the Number of Users: Click to configure the subscription usage type based on the number of users.
  - Total Bandwidth: If you select the usage type based on bandwidth, select the total amount of subscribed bandwidth to allocate to the tenant. Range: 250 Mbps through 10 Gbps. Default: None.
  - Maximum Site-to-Site Tunnels: Enter the maximum number of site-to-site tunnels allowed across all gateways. Range: 0 through 5000. Default: None.
- Click Next. In the Select Tenant Product group of fields, select the Versa Secure Access Fabric product bundle for the tenant. The Versa Secure Access Fabric product bundles combine the Versa Networks SSE and network-as-a-service solutions into a secure network-as-a-service offering. Note that the available bundles differ depending on whether you configured the tenant based on the number of users or on allocated bandwidth.
- If, in Step 2, Security Service Edge, you configured the tenant based on the number of users, the following screen displays. Select one or both bundles. If you configured the tenant based on bandwidth, skip to the next step.
  - For the Versa Secure Internet Access (VSIA) bundle, enter information for the following fields.
    - Versa Secure Internet Access (VSIA): Click to select the VSIA bundle, and then select a specific VSIA product bundle: Elite, Essential, or Professional.
    - Optional Add-ons for VSIA Professional bundle: If you choose the VSIA Professional bundle, you can select one or more of API-Based Data Protection, Data Loss Prevention, and Advanced Threat Protection.
    - Internet Protection Rules Maximum: Enter the maximum number of internet protection rules that can be configured on the tenant.
    - Direct Internet Access from Gateways: Click the slider to enable direct internet access (DIA) from the tenant gateways.
    - VSIA Subscription Information (group of fields):
      - Number of VSIA Users: Enter the total number of VSIA users for the tenant.
      - License Start Date: Enter the start date of the VSIA license. To choose the date from the calendar, click the Calendar icon.
      - License End Date: Enter the end date of the VSIA license. To choose the date from the calendar, click the Calendar icon.
  - For the Versa Secure Private Access (VSPA) bundle, enter information for the following fields.
    - Versa Secure Private Access (VSPA): Click to select the VSPA bundle, and then select a specific VSPA product bundle: Essential or Professional.
    - Private Application Protection Rules Maximum: Enter the maximum number of private application protection rules that can be configured for the tenant.
    - VSPA Subscription Information (group of fields):
      - Number of VSPA Users: Enter the total number of VSPA users for the tenant.
      - License Start Date: Enter the start date of the VSPA license. To choose the date from the calendar, click the Calendar icon.
      - License End Date: Enter the end date of the VSPA license. To choose the date from the calendar, click the Calendar icon.
  - If you select both the VSIA and VSPA product bundles, enter the following additional information.
    - Number of VSIA and VSPA Users: Enter the total number of the tenant's VSIA and VSPA users.
    - License Start Date: Enter the start date of the VSIA and VSPA licenses. To choose the date from the calendar, click the Calendar icon.
    - License End Date: Enter the end date of the VSIA and VSPA licenses. To choose the date from the calendar, click the Calendar icon.
- If, in Step 2, Security Service Edge, you configured the tenant based on bandwidth, the following screen displays. Enter information for the following fields.
  - Select Product for This Tenant (group of fields): Select the product bundle for the tenant.
    - Versa Secure Access Fabric—Essential Bundle: Includes Versa Secure Internet Access (VSIA) Essential, Versa Secure Private Access (VSPA) Essential, and Premier Secure SD-WAN.
    - Versa Secure Access Fabric—Essential Plus Bundle: Includes VSIA Essential, VSPA Professional, and Premier Secure SD-WAN.
    - Versa Secure Access Fabric—Professional Bundle: Includes VSIA Professional, VSPA Professional, and Premier Secure SD-WAN. You can also choose one or more of the following options:
      - Advanced Threat Protection (cloud malware sandbox with antivirus and artificial intelligence/machine learning (AI/ML)). (For Releases 12.1.1 and later) If you select this option, Advance Security Cloud displays as Step 3.
      - API-Based Data Protection
      - Data Loss Prevention
    - Versa Secure Access Fabric—Elite Bundle: Includes VSIA Elite, VSPA Professional, and Premier Secure SD-WAN. (For Releases 12.1.1 and later) If you select this bundle, Advance Security Cloud displays as Step 3.
  - Internet Protection Rules Maximum: Enter the maximum number of internet protection rules allowed. Default: 500. Range: 1 through 999999.
  - Private Application Protection Rules Maximum: Enter the maximum number of private application protection rules allowed. Default: 50. Range: 1 through 999999.
  - Direct Internet Access from Gateways: Click the slider to enable or disable direct internet access (DIA) from the gateways. By default, the Versa Secure Internet Access (VSIA) feature, which is included in all the bundles, enables DIA for all internet-bound traffic from the tenant. When DIA is disabled, the SASE gateway sends all internet-bound traffic using the default route configured on it; in typical deployments, the default route sends the traffic towards the enterprise data center over a site-to-site IPsec tunnel.
  - Select Logging for this tenant (group of fields): Configure the logging to use for the tenant. The log types are Web Logs (HTTP/HTTPS), Domain Name System (DNS) Logs, and Carrier-Grade NAT (CGNAT) Logs. For each log type, click to select it, then click the down-arrow and select the type of logging service to enable. The same three choices apply to each log type:
    - Advanced Logging Service: ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
    - Analytics: Send logs to the Versa Analytics cluster for processing.
    - Archive: Send logs to the ALS service for archiving only; the logs are not processed, but you can process them offline. To use the archive option, the provider organization configures a LEF profile on the SASE gateway. This profile must be different from the LEF profile used for the ALS option.
- (For Releases 12.1.1 and later) If, in the Select Tenant Product screen, you selected a bundle for which Advance Security Cloud applies (the Versa Secure Access Fabric—Elite Bundle, or the Versa Secure Access Fabric—Professional Bundle with Advanced Threat Protection), the Step 3, Advance Security Cloud screen displays. In this screen, you enter the RBI and ATP/DLP cloud instance information for the regions of the tenant that you selected in Step 2, Security Service Edge. The ATP and RBI cloud instance information is shared with the Versa Cloud Gateway (VCG) so that the VCG can connect to the cloud service to initiate sandboxing or RBI. Enter information for the following fields.
  - Regions: Displays the name of the region you selected in the Security Service Edge screen.
  - Gateways: Displays the number of gateways associated with the region.
  - ATP/DLP Instance: Select the ATP or DLP cloud instance that the tenant's VCG connects to. For more information, see Configure Advanced Threat Protection and Configure Data Loss Prevention in Concerto.
  - ATP/DLP Authentication Token: Enter the authentication token that the tenant uses to refresh the access tokens when making API requests to the cloud or private sandbox service.
  - ATP/DLP Token Expiry Time: Enter how often to refresh the access tokens when making API requests to the cloud or private sandbox service, in seconds.
  - RBI Instance: Select the RBI cloud instance that the tenant's VCG connects to.
  - RBI Authentication Token: Enter the authentication token that the tenant uses to refresh the access tokens when making API requests to the cloud RBI service.
  Treat the authentication tokens as credentials for the sandbox and RBI services: anyone holding a token can obtain access tokens in the tenant's name, so store them accordingly and rotate them if they are exposed.
- Click Next to go to the Select Region screen. This screen displays the available regions and how many gateways are currently being used in each region.
- To display information about the gateways in the region and to assign new gateways to the region, click View Details.
- Click in the search box to view the gateways in the region, click the checkbox next to a gateway name, and then click the Add button to add it to the region.
The gateway is added to the region.
- To display information about the gateway, including the gateway group, VPN, and client address pool name and IP address range, click the down arrow next to the gateway name. For each VPN on a gateway, you can configure one or more client address pools. To define which users are assigned to a pool, you use a secure access policy, and you can then apply access restrictions to the pool of users that use the same VPN.
- To configure gateway information, enter information for the following fields. Note that within a single VPN on a gateway, client address pool names and address ranges must be unique. If a gateway has multiple VPNs, you can reuse the same pool name and address range in more than one VPN, because VPNs do not share information. Within a VPN, however, the pool address ranges must not overlap, either on the selected gateway or across all gateways.
  - Allocated Bandwidth: Enter the maximum amount of bandwidth that the tenant can use on the gateway. Range: 0 through 999999 Mbps. Default: None.
  - Portal: Click the slider to enable the secure access portal service on the gateway.
  - Gateway Group: Select a gateway group to which to assign the gateway.
  - VPN: Select one or more VPNs to assign to the gateway. The VPN column lists all VPNs that are available for the tenant. If you configure no VPNs on a tenant, the SASE service uses a default VPN named tenant-name-Enterprise. Because guest VPNs should not be extended to SASE gateways, they are not displayed in the VPN column. If multiple VPNs are available on a tenant and you do not want to provision one of them on the gateway, select Do Not Use. To assign an unused VPN to the gateway later, select it at that time.
  - Client Address Pool Name: Enter a name for the client address pool. If you configure more than one address pool for the same VPN, the pools must have unique names. However, if multiple VPNs are available for the same gateway, you can use the same client address pool name in each VPN.
  - Client Address Pool: Enter a valid IP address range to use for the client address pool. The minimum address pool size is a /24 subnet. If you configure more than one address pool for the same VPN, the pools must have unique, non-overlapping IP address ranges. However, if multiple VPNs are available for the same gateway, you can use the same client IP address range in each VPN.
- To create a group of gateways that you can then assign to a region, click Create Gateway Group. You can then assign one or more VPNs to the gateway group, as described above. To create a gateway group:
  - Enter a name for the group.
  - Click the Add icon to add gateways to the group.
  - Click Save to create the gateway group.
- Click Next to display the Roles screen.
- Click the checkbox next to Roles to assign all roles to the tenant, or select individual roles to assign to the tenant.
- Click Next. In the Review & Submit screen, review the information you configured.
- To change any of the information, click the Edit icon in the section, and then make the changes.
- Click Publish to create the tenant on the selected gateways, or click Save to save the configuration so that you can publish it later.
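The client address pool rules from the Select Region step above (pool names unique within a VPN on a gateway, pool ranges non-overlapping within a VPN both on one gateway and across gateways, reuse of names and ranges allowed across VPNs because VPNs are isolated, and a minimum pool size of /24) are easy to violate once several gateways are involved. The following Python pre-publish check is an added example, not Concerto code; the input dictionary shape, the check_pools() function, and the gateway names, VPN names and address ranges in SAMPLE are constructed for this illustration.

```python
"""Pre-publish check for SASE client address pools. Added example, not
Concerto code. Encodes the rules on this page: within one VPN, pool names
must be unique per gateway and pool ranges must not overlap on that gateway
or across gateways; different VPNs may reuse the same name and range; the
smallest allowed pool is a /24. The input shape is an assumption."""
import ipaddress
from collections import defaultdict

MIN_POOL_PREFIX = 24  # the page states a /24 is the smallest allowed pool


def check_pools(gateways):
    """gateways maps gateway name -> {vpn name -> [(pool name, cidr), ...]}.
    Returns a list of human-readable violations; an empty list means OK."""
    errors = []
    per_vpn = defaultdict(list)  # vpn -> [(gateway, pool name, network)]
    for gw, vpns in gateways.items():
        for vpn, pools in vpns.items():
            seen_names = set()
            for name, cidr in pools:
                # Names must be unique within a VPN on this gateway only.
                if name in seen_names:
                    errors.append(f"{gw}/{vpn}: duplicate pool name {name!r}")
                seen_names.add(name)
                try:
                    # strict=True rejects ranges with host bits set, e.g. 10.0.0.5/24
                    net = ipaddress.IPv4Network(cidr, strict=True)
                except ValueError as exc:
                    errors.append(f"{gw}/{vpn}/{name}: invalid range {cidr!r} ({exc})")
                    continue
                if net.prefixlen > MIN_POOL_PREFIX:
                    errors.append(
                        f"{gw}/{vpn}/{name}: {cidr} is smaller than a /{MIN_POOL_PREFIX}")
                per_vpn[vpn].append((gw, name, net))
    # Overlap is checked per VPN across every gateway; VPNs are isolated from
    # each other, so pools in different VPNs are never compared.
    for vpn, entries in per_vpn.items():
        for i, (gw1, name1, net1) in enumerate(entries):
            for gw2, name2, net2 in entries[i + 1:]:
                if net1.overlaps(net2):
                    errors.append(
                        f"VPN {vpn}: {gw1}/{name1} ({net1}) overlaps {gw2}/{name2} ({net2})")
    return errors


# Constructed sample: two gateways, two isolated VPNs. "acme-Partners" reuses
# the name and range of an "acme-Enterprise" pool, which is allowed; gw-eu-west
# reuses an Enterprise range already used on gw-us-east (not allowed) and adds
# a /25 pool (below the minimum size).
SAMPLE = {
    "gw-us-east": {
        "acme-Enterprise": [("pool-a", "10.10.0.0/24"), ("pool-b", "10.10.1.0/24")],
        "acme-Partners": [("pool-a", "10.10.0.0/24")],
    },
    "gw-eu-west": {
        "acme-Enterprise": [("pool-a", "10.10.1.0/24"), ("pool-c", "10.10.2.0/25")],
    },
}

if __name__ == "__main__":
    problems = check_pools(SAMPLE)
    print("\n".join(problems) if problems else "no pool violations")
```

Run it against a dictionary built from the pools you intend to enter before you click Publish; the two violations reported for SAMPLE are the cross-gateway overlap inside acme-Enterprise and the undersized /25 pool, while the identical pool in acme-Partners is correctly left alone.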
Supported Software Information
Releases 11.1.1 and later support all content described in this article, except:
- Release 11.4.1 adds support for the Versa Secure Access Fabric Elite product bundle.
- Release 12.1.1 adds support to enable pre-logon for Versa SASE clients and to add RBI and ATP/DLP cloud instance details for tenant regions.