Citrix SD-WAN

Zero touch

Note

The Zero Touch Deployment service is supported only on select Citrix SD-WAN appliances:

  • SD-WAN 110 Standard Edition
  • SD-WAN 210 Standard Edition
  • SD-WAN 1100 Standard Edition
  • SD-WAN 2100 Standard Edition
  • SD-WAN AWS VPX instance

Zero-touch deployment Cloud Service is a Citrix-operated and managed cloud-based service that discovers new appliances in the Citrix SD-WAN network; it is primarily intended to streamline deployment of Citrix SD-WAN at branch or cloud service office locations. The zero-touch deployment Cloud Service is publicly accessible from any point in a network with public Internet access, and it is accessed over the Secure Socket Layer (SSL) protocol.

The zero-touch deployment Cloud Service communicates securely with back-end Citrix services that hold the stored identification of Citrix customers who have purchased Zero Touch-capable devices (for example, 2100-SE). The back-end services authenticate every Zero Touch Deployment request by validating the association between the Customer Account and the serial numbers of the Citrix SD-WAN appliances.

For more information, see the Citrix SD-WAN Orchestrator service Zero touch deployment topic.

ZTD High-Level Architecture and Workflow:

Data Center Site:

Citrix SD-WAN Administrator – A user with Administration rights of the SD-WAN environment with the following primary responsibilities:

  • Citrix Cloud Login to initiate the Zero Touch Deployment Service for new site node deployment.

Network Administrator – A user responsible for Enterprise network management (DHCP, DNS, internet, firewall, and so on).

Remote Site:

Onsite Installer – A local contact or hired installer for on-site activity with the following primary responsibilities:

  • Physically unpack the Citrix SD-WAN appliance.

  • Reimage non-ZTD ready appliances.

    • Required for: SD-WAN 1000-SE, 2000-SE, 1000-EE, 2000-EE

    • Not required for: SD-WAN 410-SE, 2100-SE

  • Power cable the appliance.

  • Cable the appliance for internet connectivity on the Management interface (for example MGMT, or 0/1).

  • Cable the appliance for WAN link connectivity on the Data interfaces (for example apA.WAN, apB.WAN, apC.WAN, 0/2, 0/3, 0/5, and so on).

    Note

    The interface layout is different for each model, so reference the documentation for identification of data and management ports.


The following prerequisites are required before starting any Zero Touch Deployment service:

  • An actively running SD-WAN appliance promoted to Master Control Node (MCN).

  • Citrix Cloud Login credentials created on https://onboarding.cloud.com (reference the instruction below on account creation).

  • Management network connectivity (SD-WAN Appliance) to the Internet on port 443, either directly or through a proxy server.

  • (Optional) At least one actively running SD-WAN appliance operating at a branch office in Client Mode with valid Virtual Path connectivity to MCN to help validate successful path establishment across the existing underlay network.

The last prerequisite is optional, but it allows the SD-WAN Administrator to validate that the underlay network allows Virtual Paths to be established once Zero Touch Deployment completes for any newly added site. Primarily, this validates that the appropriate firewall and route policies are in place, either to NAT traffic accordingly or to confirm that UDP port 4980 traffic can successfully traverse the network to reach the MCN.
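The two network prerequisites above (TCP 443 to the ZTD service, directly or through a proxy, and UDP 4980 to the MCN) are the ones an installer most often gets wrong, so a pre-flight check is worth scripting. The following Python is an added example and not Citrix code: the ZTD service hostname is a placeholder you must replace with the endpoint from your own Citrix Cloud tenant, the proxy check assumes a standard HTTP CONNECT proxy, and the local listener helpers are constructed stand-ins so the checks can be exercised offline. Note the UDP caveat in the comments: a firewall silently dropping 4980 is indistinguishable from an MCN that does not answer an unsolicited datagram, which is exactly why the page recommends a real client-mode branch to confirm Virtual Path establishment.

```python
"""Pre-flight check of the ZTD network prerequisites (added example, not Citrix code)."""
import socket
import threading

ZTD_SERVICE_HOST = "ztd.example.invalid"   # placeholder: use the real ZTD service hostname
HTTPS_PORT = 443                           # ZTD service reachability (page prerequisite)
VIRTUAL_PATH_PORT = 4980                   # UDP Virtual Path port to the MCN (page prerequisite)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (direct path to the ZTD service)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_reachable_via_proxy(proxy, target, timeout=3.0):
    """True if an HTTP CONNECT tunnel to target through proxy is accepted (2xx status).
    proxy and target are (host, port) tuples; assumes a plain HTTP CONNECT proxy."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.settimeout(timeout)
            request = f"CONNECT {target[0]}:{target[1]} HTTP/1.1\r\nHost: {target[0]}:{target[1]}\r\n\r\n"
            s.sendall(request.encode("ascii"))
            status_line = s.recv(1024).split(b"\r\n", 1)[0].split()
            return len(status_line) >= 2 and status_line[1].startswith(b"2")
    except OSError:
        return False


def udp_probe(host, port, timeout=2.0):
    """Classify a UDP port nmap-style: 'open' if anything comes back, 'closed' if the
    kernel reports ICMP port-unreachable (ConnectionRefusedError on a connected UDP
    socket on Linux), 'open|filtered' on silence. A firewall dropping 4980 looks the
    same as a listener that does not answer, so silence does not prove the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"ztd-prereq-probe")   # constructed payload, not a Virtual Path packet
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def check_prerequisites(mcn_host, ztd_host=ZTD_SERVICE_HOST, proxy=None,
                        https_port=HTTPS_PORT, vp_port=VIRTUAL_PATH_PORT, timeout=2.0):
    """Run the network checks the page lists and return them as a dict."""
    if proxy:
        https_ok = tcp_reachable_via_proxy(proxy, (ztd_host, https_port), timeout)
    else:
        https_ok = tcp_reachable(ztd_host, https_port, timeout)
    return {"ztd_https": https_ok, "mcn_udp_4980": udp_probe(mcn_host, vp_port, timeout)}


# --- constructed local stand-ins so the checks can be exercised offline -------------
def _serve_in_thread(srv, handler):
    def run():
        with srv:
            try:
                handler(srv)
            except OSError:
                pass
    threading.Thread(target=run, daemon=True).start()


def start_tcp_listener():
    """Accept-and-close TCP listener on 127.0.0.1; returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    _serve_in_thread(srv, lambda s: s.accept()[0].close())
    return port


def start_fake_proxy():
    """Minimal proxy that accepts any CONNECT request; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle(s):
        conn, _ = s.accept()
        with conn:
            conn.recv(4096)   # consume the CONNECT request
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    _serve_in_thread(srv, handle)
    return port


def start_udp_responder(echo):
    """UDP listener on 127.0.0.1 that echoes when echo=True and stays silent otherwise."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def handle(s):
        data, peer = s.recvfrom(1024)
        if echo:
            s.sendto(data, peer)
    _serve_in_thread(srv, handle)
    return port


def closed_tcp_port():
    """Bind then release an ephemeral port so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real use: check_prerequisites("<MCN public IP>", proxy=("proxy.corp.example", 3128))
    # Offline demonstration against the constructed local stand-ins:
    print(check_prerequisites("127.0.0.1", ztd_host="127.0.0.1",
                              https_port=start_tcp_listener(),
                              vp_port=start_udp_responder(echo=True)))
```

In production the result `{"ztd_https": True, "mcn_udp_4980": "open|filtered"}` is the best you can expect from an unsolicited probe; treat `"closed"` or `ztd_https: False` as a firewall or proxy policy problem to fix before emailing the installer.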


Zero Touch Deployment Service Overview:

To use the Zero Touch Deployment Service (or zero-touch deployment Cloud Service), an Administrator must begin by deploying the first SD-WAN device in the environment.

After a working SD-WAN environment is up and running, registration with the Zero Touch Deployment Service is accomplished by creating a Citrix Cloud account login. Logging in to the Zero Touch Service authenticates the Customer ID associated with the particular SD-WAN environment.

When the SD-WAN Administrator initiates a site for deployment using the zero-touch deployment process, the Administrator has the option to pre-authenticate the appliance to be used for zero-touch deployment by pre-populating its serial number, and to initiate email communication to the on-site installer to begin on-site activity.

The Onsite Installer receives an email stating that the site is ready for Zero Touch Deployment and can begin the installation procedure: powering on the appliance, cabling the MGMT port for DHCP IP address assignment and internet access, and cabling any LAN and WAN ports. Everything else is initiated by the zero-touch deployment Service, and progress is monitored using the activation URL. If the remote node to be installed is a cloud instance, opening the activation URL begins the workflow that automatically installs the instance in the designated cloud environment; no action is needed by a local installer.

The Zero Touch Deployment Cloud Service automates the following actions:

  • Download and update the zero-touch deployment Agent if new features are available on the branch appliance.

  • Authenticate the branch appliance by validating the serial number.

  • Push the configuration file specific for the targeted appliance to the branch appliance.

  • Install the configuration file on the branch appliance.

  • Push any missing SD-WAN software components or required updates to the branch appliance.

  • Push a temporary 10 Mbps license file for confirmation of Virtual Path establishment to the branch appliance.

  • Enable the SD-WAN Service on the branch appliance.

More steps are required of the SD-WAN Administrator to install a permanent license file on the appliance.

Note

When a branch is configured with the same appliance software version already used on the MCN, the zero-touch deployment process does not download the appliance software file again. This applies to fresh factory-shipped appliances, appliances reset to factory defaults, and appliances whose configuration was reset administratively. After an administrative configuration reset, select the Reboot after revert check box to initiate the zero-touch deployment process.

The appliance configuration can be validated using the Configuration > Virtual WAN > View Configuration page.

(Screenshot: Configuration > Virtual WAN > View Configuration page)

The appliance license file can be updated to a permanent license using the Configuration > Appliance Settings > Licensing page.

(Screenshot: Configuration > Appliance Settings > Licensing page)

After the permanent license file is uploaded and installed, the Grace License warning banner disappears. The license installation causes no loss of connectivity to the remote site (zero pings are dropped).
