With Citrix App Orchestration 2.5, private domain deployments delivering Desktops-as-a-Service (DaaS) can be orchestrated by enterprise-ready, cloud-scale automation from a single interface and central management domain – without a Microsoft Active Directory trust in place!  This feature answers feedback from service providers that an Active Directory trust, and the firewall and routing requirements that come with it, can be a deal breaker for highly secure, fully isolated customer deployments.

In the dedicated domain model, service providers deploy domain infrastructure and configure products to enable Desktops-as-a-Service for a specific customer.  These dedicated environments often span multiple datacenters in order to deliver the best possible experience for geographically dispersed customers.

App Orchestration has been designed and built to automate deployment and configuration of these environments, including those that span multiple datacenters.  With App Orchestration, service providers manage customer configuration and track resource utilization from a central place – instead of managing each customer environment independently and tracking utilization out of band in documents.  In previous versions of App Orchestration, a one-way Active Directory trust was required to fully leverage this functionality with the private domain delivery model.  This limitation has been addressed with zero trust domain support in App Orchestration 2.5, available today for Citrix Service Providers.

With zero trust domains, network security configuration is hardened and simplified, resulting in faster deployment cycles and reduced complexity.  This highly secure, dedicated domain model stands alongside a variety of other flexible isolation modes supported by App Orchestration.  These built-in isolation options enable service providers to pair the right DaaS offering with the right customers based on factors such as customer size, price sensitivity and security requirements.

Before App Orchestration 2.5, an Active Directory trust was required to orchestrate private tenant domains

Citrix App Orchestration 2.0 Domains

In previous versions of App Orchestration, the one-way trust requirement was often misunderstood.  The diagram above shows the orchestration engine reaching out from the management domain to Active Directory, session machines and delivery controllers in the private tenant domain.  None of those arrows require a trust.  These communications are enabled by authenticating with credentials provided by administrators and stored securely in the App Orchestration database.

In all versions of App Orchestration, an agent is required on selected machines in the environment, such as delivery controllers and StoreFront servers.  Agents periodically call back to the App Orchestration engine to see if they have any work to do – and this is where the trust requirement came into play.  Earlier versions of App Orchestration required integrated Active Directory authentication to confirm the calling agent’s identity, which in turn required the management domain to trust the private tenant domain.  The trust requirement and the resulting cross-domain operations required multiple ports to be opened on the firewall and additional network routing, complicating network configuration.

Zero trust domains eliminate the Active Directory trust requirement, simplify network configuration, and improve security by introducing a domain agent

Citrix App Orchestration 2.5 Zero Trust Domains

App Orchestration 2.5 zero trust domains introduce an agent that resides in the private tenant domain.  Instead of using integrated Active Directory authentication, App Orchestration uses SSL client certificates to validate the agent’s identity.  This change in authentication technology allows the App Orchestration API to validate agent identity without a domain trust.  This is important to service providers because it reduces complexity and increases security.

Notice in the zero trust domain diagram that App Orchestration is no longer reaching out directly to Active Directory, delivery controllers or session machines in the private tenant domain.  By routing these operations through the domain agent over HTTPS, App Orchestration 2.5 eliminates the need for various ports to be opened on the firewall, resulting in a simplified and strengthened network configuration that requires only outbound traffic on port 443.  Service providers will be excited because they can speed up deployment and onboard tenants into secure, dedicated environments more quickly.
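To make the agent identity check in the two paragraphs above concrete, here is a small Go sketch added to this post. It is not Citrix's product code: the management CA, the enrolment registry (`enrolledAgents`), the `mintCert` helper and the agent names are all assumptions for the demo. An agent is accepted only if its client certificate chains to the management-domain CA and its Common Name is a known enrolled agent; a certificate from any other issuer, or an unexpected identity, is rejected without consulting Active Directory at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Hypothetical enrolment registry: the agent names the management domain issued certificates to.
var enrolledAgents = map[string]bool{"tenant-a-domain-agent": true}

// mintCert issues a client-auth certificate for cn signed by ca (a self-signed CA when ca is nil). Demo helper only.
func mintCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil {
		t.KeyUsage |= x509.KeyUsageCertSign
		ca, caKey = t, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// agentIdentity is the check the management API applies to a calling agent's client
// certificate: it must chain to the management-domain CA (the verification that
// tls.RequireAndVerifyClientCert performs in the handshake) and its Common Name must
// be an enrolled agent. No Active Directory lookup is involved, so no trust is needed.
func agentIdentity(mgmtCA, presented *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(mgmtCA)
	if _, err := presented.Verify(opts); err != nil {
		return "", err // not issued by the management CA (e.g. a tenant's own PKI): rejected
	}
	cn := presented.Subject.CommonName
	if !enrolledAgents[cn] {
		return "", errors.New("chains to the management CA but is not an enrolled agent: " + cn)
	}
	return cn, nil
}
```

In production the certificate arrives as the client certificate of the agent's outbound HTTPS connection on port 443; the check itself is the same.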

Start orchestrating isolated tenant domains with Citrix App Orchestration 2.5!

And there you have it: a brief history of why the one-way trust requirement once existed and how great feedback from our service providers helped shape an improved design moving forward.  Zero trust domains dissolve the trust requirement for good, yielding a simplified and strengthened network configuration.  If you’re still building out and managing private tenant deployments by hand – save time, reduce complexity and improve security with App Orchestration 2.5 zero trust domains.

