The Zero Touch Deployment service is supported only on the Citrix NetScaler SD-WAN Standard Edition 410 appliance from Release 9.1.1.
The Zero Touch Deployment service is a Citrix operated and managed cloud-based service which allows discovery of new appliances in the network at the remote or branch location. ZTD is publically accessible from any point on the customers network. The service is accessed over SSL.
In the backend, the ZTD service stores the identity of all customers who have deployed SD-WAN appliances (SD-WAN 410-SE). The service has access to a permanently updated list that associates a customer and the serial numbers of the SD-WAN appliances purchased by the customers.
ZTD High-Level Architecture and Workflow
Following is a list of roles required to implement the zero touch deployment service:
Zero Touch Deployment Service Overview and Procedure
The service setup or install is enabled through a Web Application designed for use as a wizard by an Installer or SD-WAN administrator to set up the new branch appliance. The installer receives an email with a link to access the activation page for installing the appliance locally or remotely.
- For a WebApp service setup, the SD-WAN Center administrator can connect to this Web Application through a browser on a device (laptop/workstation/mobile) connected to the internet.
The installer facilitates the appliance setup and configuration includes the following steps:
1. Validating and ensuring the new appliance is detected and connected to the zero touch deployment service.
- This step can be initiated by entering the serial number of the physical appliance. These details are fed into the zero touch deployment service. The installer does not need any specific authentication with the zero touch service, however the interaction must be secure since the serial number is passed in this interaction. No approval is required from the Web Management Interface. Once the appliance connects to the service, it downloads the configuration and the software upgrade package.
2. (Optional) Provide an address (city, state, country) as part of the installation process.
3. (Optional) Perform speed tests.
- Once the software and configuration are in place, the SD-WAN Administrator using the service setup determines whether this is a required step. Doing so, allows the configuration to understand the available bandwidth through each of the connected WAN links and will capture this in the local configuration for the site. The option of skipping this step is also available to the SD-WAN Center administrator.
4. (Optional) Identifying the ISPs that provide various links to the appliance.
- The step that might ease the SD-WAN Center administrators task of keeping track of providers at sites is, if the appliance was able to detect the name of the provider of each of the WAN links. The provider name is detected by doing an RDNS lookup based on the public IP address available for the link. After the provider is identified, this information is captured within the configuration and reported back to the MCN so that the links can be named by provider within the config or reporting and management systems.
5. Lodging a request to join the SD-WAN network.
- Confirmation that the request is logged with the zero touch deployment service is provided back to the service setup where the SD-WAN administrator will access the Web Management Interface.
6. Downloading the software upgrade package, if needed.
- Once the appliances are accepted into the SD-WAN network, and if a software update is required (consistency over all appliances within a given network zone), the zero touch service identifies the correct software version and pushes the configuration to the newly connected appliance.
7. Downloading the new appliance configuration sourced from the MCN.
a. Similarly, a configuration file containing the MCN IP address that is in-sync with the MCN is pushed through the zero touch deployment service down to the newly connected appliance.
The steps shown above are performed in the same sequence or order by the Installer. The service setup and configuration itself must be able to communicate with the zero touch deployment service. The zero touch deployment service then communicates with the new appliance. These steps must be completed before the new appliance can connect to the MCN and for data to be transmitted across the SD-WAN network.
In order for the zero touch service to function as expected, following is the list of requirements that should be met in order to use the zero touch deployment service:
1. The branch appliance should be powered up.
2. The branch appliance should be connected to the internet:
a. This means, the branch appliance is assigned a public IP either using DHCP (default).
b. IP assignment can be configured manually.
c. DNS is assigned to the appliance through DHCP - should be configured manually
To acheive successful zero touch deployment service, you need to follow a workflow which is secure and easy for non-technical users to implement at the branch site.
Following is the ZTD deployment capability workflow:
1. The branch appliance should be powered up.
a. If you (SD-WAN administrator) want to upload a manual configuration and software package for the appliance, you should not connect the internet cable. Instead, you proceed to install the appropriate software and configuration. The steps beyond this, is the standard procedure to enable the appliance to connect to the MCN. The branch appliance registers with the MCN and the MCN communicates the presence of this appliance with the Zero Touch Service in the cloud for consistency and visibility into the fact that the appliance is now on the Enterprise Domain.
2. Branch appliance needs a working internet connection plugged in.
3. Branch appliance needs to have internet connectivity set up with an IP address assigned to it, either using DHCP or manually.
a. If the branch appliance was pre-staged and deployed and configured with software package associated with it, which contains the details of the MCN, then the normal process of joining the SD-WAN Enterprise network follows including obtaining an IP address for the appliance through DHCP, or if one is provided manually.
b. However, if the branch appliance does not have a pre-staged software package and configuration, and if DHCP is available to obtain an IP address, then the branch appliance obtains an IP address for itself and also scans for the ZTD service IP address within the DHCP options field. If none is found using the DHCP options field then proceed with the step below.
c. Optional: Assuming that the appliance now has IP address assigned either manually or using DHCP, the branch appliance should query a well-known, local, fully qualified domain name (FQDN). For example; ztd <enterprise domain>, use Citrix as an example ztd.citrite.net – The enterprise domain name itself (citrate.net) can be obtained by the branch appliance through DHCP. The complete enterprise domain name and the IP address of the appliance should be a pre-configured with DNS entry that is set up by the Network or DNS Administrator beforehand. The IP address that is resolved should be the IP address of a private zero touch server that the branch appliance can then connect to.
d. If the appliance fails to obtain a zero touch service IP address with the DHCP options field or by querying the well-known FQDN entry, then the appliance should query the DNS entry for the public cloud-based zero touch deployment service (eg: ztd.citrix.com). This public cloud-based zero touch IP address or DNS entry must be known to the appliance (exists in the appliance code) as part of the start-up procedure.
Once the appliance connects to the zero touch service requesting direction and approval to connect to the SD-WAN Enterprise network, the next step is performed through the Web Management Interface, as shown below. This interaction requires the use of a Citrix signed certificate in order for the ZTD service to authenticate the newly connected appliance to ensure that the appliance connecting is a Citrix appliance and is based on the serial number obtained as part of the request.
The SD-WAN Center has the functionality to accept requests from newly connected appliances to join the SD-WAN Enterprise network. The request is forwarded to the web interface through the zero touch deployment service. Once the appliance connects to the service, configuration and software upgrade packages are downloaded.
To configure Zero Touch Deployment service:
1. In the SD-WAN Center web management interface, go to Configuration > Network Configuration > Sites. Create a configuration for a new site and save it. You can also import an existing configuration by clicking Import. This configuration is applied at the MCN site and deployed at the Branch sites.
For example, you can import configuration from an active MCN to use for the ZTD service.
Import an existing configuration, for example: ZTD_config_1_Test and Save it.
For SD-WAN 410-SE appliance, from 9.1.2 release onwards, when the cloud service is up and when the appliance is connected to the cloud service, the ZTD agent is automatically installed in SD-WAN Center and the Zero Touch Deployment menu option becomes available.
2. In SD-WAN Center, go to Zero Touch Deployment menu. If you are not logged into the Citrix Workspace Cloud account, you are prompted to Login with Citrix Workspace Cloud user credentials. Upon login, the SD-WAN Center is registered with ZTD agent.
The Zero Touch Deployment menu is displayed in the SD-WAN Center web management interface only after you login to the Citrix Workspace Cloud account to activate and register the Zero Touch Deployment service.
When the appliance is powered on the bootstrap script interacts with Zero Touch Service, downloads and installs the agent.
3. Navigate to the Zero Touch Deployment welcome page in SD-WAN Center, under the Deploy New Site tab, select the saved network configuration file.
After you select a saved configuration file, list of all the branch sites with SD-WAN 410-SE appliance configuration is displayed.
4. Select the branch sites you want to configure, click Enable, and then Deploy. The Deploy New Site window is displayed. Provide the branch site Street Address and the Installer Email address. Add additional notes, if required. Click Send Activation Link. A message indicating that The Site configuration has been deployed appears.
The network configuration for the selected branch sites from SD-WAN Center configuration file is copied into the Citrix Cloud Workspace when you select Deploy.
5. Select the Pending Activation tab. Observe the branch site information populated in the pending activation page. Notice that the Status is shown as Waiting for Installer. This status indicates that the appliance at the branch site needs to be installed.
Optionally, at this stage, you can also choose to Delete the Branch sites added to the pending activation list. Once a Branch site is deleted from the pending activation page, it will become available to be deployed in the Deploy New Site tab page. Once you choose to delete the branch site from Pending activation, the activation link send to the installer will become invalid.
It should be noted that an administrator performs the steps in the SD-WAN Center web management interface. After the administrator deploys a new site and sends an activation link, the installer at the Branch site will activate the link and provide the serial number of the SD-WAN 410-SE appliance.
6. Check your mailbox to obtain the activation link received and click on the link.
7. The page redirects to the Zero Touch Deployment Service page. Enter the Serial Number of the appliance and click Activate.
8. Go to the SD-WAN 410-SE web management interface. You can obtain the serial number of the appliance from the rear faceplate of the appliance or login to the SD-WAN 410-SE web management interface and navigate to Configuration > System Maintenance > Diagnostics > System Info tab. The serial number of the appliance is listed under System Information.
8. Enter the Serial Number of the appliance and click Activate.
9. After you click Activate, the Zero Touch Deployment Service screen displays different deployment stages as seen below.
Observe that on the Pending Activation tab page in the SD-WAN Center web management interface, the status for Branch 1 Site is displayed as Applying Config.
Ensure that the Zero Touch Deployment Service has been activated. The configuration file which was copied from the SD-WAN Center to the Citrix Cloud Workspace is now applied and activated on the Branch site which has the SD-WAN 410-SE appliance deployed.
10. In the SD-WAN Center web management interface, the Zero Touch Deployment menu now displays the activated Branch site under the Activation History tab.
11. Login to SD-WAN 410-SE web management interface and view that the Virtual WAN service is enabled and the 410-SE appliance has acquired the configuration defined in the SD-WAN Center for this Branch site.