If you have two, three, or even five domains in your environment, how does that affect where you place your Cloud Connectors for a new Citrix Cloud deployment? It can be confusing, and there are a lot of variables at play. Hopefully this post will help you understand how Cloud Connector communication flows so you can make more informed decisions when designing your deployment.

Let's start with the basics: the Cloud Connectors are the communication liaison between the Citrix Cloud control plane and your resources. Here are their main functions:

  • Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your resource locations. It removes the need for adding any additional AD trusts.
  • Citrix Virtual Apps and Desktops publishing: Enables publishing from resources in your resource locations.
  • Citrix Endpoint Management: Enables an enterprise mobility management (EMM) environment for managing apps and devices as well as users or groups of users.
  • Machine Catalog provisioning: Enables provisioning of machines directly into your resource locations.

As you can see, one of the main functions is handling AD queries. So if you have multiple domains, do you need Connectors in each domain? Currently, Cloud Connectors cannot traverse domain-level trusts, so keep that in mind as you build out your environment.

I took some of the guesswork out of this design consideration by testing a few different options. Here are the configurations:

  • Single Domain/Single Forest
  • Single Forest/1 Parent Domain/1 Child Domain
  • Two Forests with 2-Way Trust
  • Single Forest/2 Domains with an external trust
  • Single Forest/Single domain with Azure Express Route

Below are the results of each scenario:

Single Domain / Single Forest

This is by far the simplest design I have come across. It is also the most straightforward to implement: all you need to do is install the Connectors into your domain.

On-Premise StoreFront/Workspace:

Citrix-Hosted StoreFront/Workspace as a Service:

Single Forest / 1 Parent Domain / 1 Child Domain

Another simple design is a single forest that contains a parent domain and possibly a child domain. The Connectors need to be in the parent domain if that is where the users live. To confirm that users will be able to log in to the Citrix-Hosted StoreFront/Workspace as a Service, navigate to the Identity and Access Management portal in Citrix Cloud, click the Domains tab, and ensure that your user domain appears there.

On-Premise StoreFront/Workspace:

Citrix-Hosted StoreFront/Workspace as a Service:

Two Forests with 2-Way Trust

Let's say you have two forests (Citrix1.lab and Citrix2.lab). The Cloud Connectors are installed in the Citrix1.lab domain, and Citrix2.lab is where your end users live. You will probably notice that if you go to the Identity and Access Management portal as previously mentioned, the domains from Citrix2.lab do not appear. If the domains do not appear, the Citrix-Hosted StoreFront/Workspace as a Service cannot authenticate users against that domain because, as far as it knows, the domain does not exist. However, an on-premise StoreFront should be able to authenticate these users, as there is an established trust.

On-Premise StoreFront/Workspace:

Citrix-Hosted StoreFront/Workspace as a Service:

Single Forest / 2 Domains with External Trust

This may seem like a straightforward configuration, but keep in mind that currently the Cloud Connectors cannot traverse domain-level trusts. Because of that, if you tried to log in to either StoreFront/Workspace you would receive an error: the Citrix-Hosted StoreFront/Workspace would not allow you to log in, and an on-premise StoreFront/Workspace would not enumerate resources.

On-Premise StoreFront/Workspace:

Citrix-Hosted StoreFront/Workspace as a Service:
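The same-forest-versus-trust question that the scenarios above walk through, as an added PowerShell example that is not code from this post or from Citrix. It uses the .NET ActiveDirectory classes from a Cloud Connector host to report, for each user domain, whether it is in the connector's own forest or only reachable through a trust; the $UserDomains parameter and its sample domain names are assumptions.

```powershell
# Added example, not from the post or from Citrix. Run on a Cloud Connector host
# to see which user domains share the connector's forest (expected to appear under
# Identity and Access Management > Domains) and which are only reachable through a
# trust, which the connector cannot traverse. $UserDomains is an assumed input.
param(
    [string[]]$UserDomains = @('citrix1.lab', 'child.citrix1.lab', 'citrix2.lab')
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

# Every domain in the connector's own forest, parent and child domains alike
$forestDomains = foreach ($d in $forest.Domains) { $d.Name.ToLower() }

# Forest-level trusts plus domain-level (for example external) trusts seen from here
$trusts = @()
foreach ($t in $forest.GetAllTrustRelationships()) { $trusts += $t }
foreach ($t in $domain.GetAllTrustRelationships()) { $trusts += $t }

foreach ($user in $UserDomains) {
    $name  = $user.ToLower()
    # A trust target is the trusted forest root or domain, so match its children too
    $trust = $trusts | Where-Object {
        $target = $_.TargetName.ToLower()
        $name -eq $target -or $name.EndsWith('.' + $target)
    } | Select-Object -First 1

    if ($forestDomains -contains $name) {
        $status = 'SameForest'
        $note   = 'Should be listed on the Domains tab; both StoreFront/Workspace options can authenticate'
    } elseif ($trust) {
        $status = "TrustOnly($($trust.TrustType)/$($trust.TrustDirection))"
        $note   = 'Not listed on the Domains tab; Citrix-hosted Workspace cannot authenticate it'
    } else {
        $status = 'NotReachable'
        $note   = 'No forest membership or trust found from this connector'
    }

    [pscustomobject]@{
        UserDomain      = $user
        ConnectorForest = $forest.Name
        Status          = $status
        Note            = $note
    }
}
```

Run it once per resource location where you plan to place Connectors; any user domain that comes back as TrustOnly or NotReachable needs its own Connectors, or a design change, before hosted Workspace logins will work.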

Single Forest / Single Domain with an Azure Express Route

In this scenario you have an on-premise datacenter holding your user accounts and an Azure subscription hosting your Citrix Cloud infrastructure. Between these two Resource Locations you have set up an Azure Express Route as a VPN tunnel to ensure communication between the two. This may seem like a daunting task and a complex setup, but it is very straightforward to implement. You will also be pleased to know that either setup of StoreFront/Workspace recognizes the domain as one and can authenticate your end users.

On-Premise StoreFront/Workspace:

Citrix-Hosted StoreFront/Workspace as a Service:

For further information on the Citrix Cloud Connectors and other considerations, please visit this link: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector.html

Hopefully your Active Directory forests/domains match one of the scenarios above, and you can use this information to plan where the Cloud Connectors need to be deployed!

James Newton
Cloud Success Engineer