Choosing Between the Enterprise Server and Shared-Tenant Server

Prerequisites
You’re familiar with the Enterprise Server services.

This documentation is meant for customers who wish to understand client-server interactions in detail in their enterprise deployments. Broadly speaking, our consumer and enterprise client apps have the same functionality. However, the consumer version will readily fall back to the shared-tenant infrastructure when dedicated infrastructure isn’t available or deployed. On the other hand, the enterprise version app requires dedicated enterprise infrastructure to be present and deployed.

Therefore, we recommend most customers, even enterprise customers, to use the consumer app version, unless they want to run a dedicated enterprise server infrastructure themselves at fes.companydomain.com.

App decision matrix

User domain	The expected flows of the consumer and enterprise versions
`gmail.com`	Consumer: `always use shared-tenant-fes for all APIs` Enterprise: `error` (FlowCrypt for Enterprise can’t be used on the `gmail.com` domain. If you’ve installed this app by accident, please install the non-enterprise FlowCrypt app.)
When `fes.domain.com` isn’t deployed, not reachable, or down	Consumer: `attempt fes.domain.com but fall back to the shared-tenant-fes` Enterprise: `error` (Unreachable)
When `fes.domain.com/api/` returns an SSL error	Consumer: `attempt fes.domain.com but fall back to the shared-tenant-fes` Enterprise: `error` (SSL)
When `fes.domain.com/api/` returns an `Error 404`	Both versions: `attempt fes.domain.com but fall back to the shared-tenant-fes`
When `fes.domain.com` returns any other `4xx` or `5xx` error	Consumer: `attempt fes.domain.com but fall back to the shared-tenant-fes` Enterprise: `error` (HTTP error)
When `fes.domain.com` is deployed correctly	Both versions: `use fes.domain.com/api/ exclusively`

Flow explanations

Below you can find a detailed description of each flow described in the previous section:

always use shared-tenant-fes for all APIs flow:

The client doesn’t call fes.gmail.com.
The client sends a request to flowcrypt.com/shared-tenant-fes to retrieve the Client Configuration.
Going forward, a client uses flowcrypt.com/shared-tenant-fes anytime it needs to update the Client Configuration and continues using flowcrypt.com/shared-tenant-fes for password-protected messages and all other APIs.

attempt fes.domain.com but fall back to shared-tenant-fes flow:

The client attempts to send a request to fes.domain.com/api/ which results in a connection error.
The client falls back on flowcrypt.com/shared-tenant-fes and receives the Client Configuration.
Going forward, the client continues attempting to call fes.domain.com first, before falling back on flowcrypt.com/shared-tenant-fes anytime there is a need to update the Client Configuration and continues using flowcrypt.com/shared-tenant-fes for password-protected messages and all other APIs, for as long as fes.domain.com isn’t available.
If the Client Configuration is ever successfully retrieved from fes.domain.com, the app will start using fes.domain.com for all APIs going forward.

use fes.domain.com/api/ exclusively flow:

The client attempts to send a request to fes.domain.com/api/ which is successful.
The client retrieves the Client Configuration from fes.domain.com/api/ successfully.
Going forward, the client continues to call fes.domain.com for the Client Configuration, password-protected messages, and all other APIs.

error flow:

The client shows an error during the setup process and doesn’t allow a user to proceed.