Active Directory with Connector Appliance

You can use Connector Appliance to connect a resource location to forests that do not contain Citrix Virtual Apps and Desktops resources. This applies, for example, to Citrix Secure Private Access customers, or to Citrix Virtual Apps and Desktops customers who have some forests that are used only for user authentication.

When using multi-domain Active Directory with Connector Appliance, the following restrictions apply:

  • Connector Appliance cannot be used in place of Cloud Connectors in forests that contain VDAs.

Requirements

Active Directory requirements

  • The Connector Appliance must be joined to an Active Directory domain that contains the resources and users that you use to create offerings for your users. For more information, see Deployment scenarios for Connector Appliances in Active Directory in this article.
  • Each Active Directory forest that you plan to use with Citrix Cloud must always be reachable by two Connector Appliances.
  • The Connector Appliance must be able to reach domain controllers in both the forest root domain and in the domains that you intend to use with Citrix Cloud. For more information, see the following Microsoft support articles:
  • Use universal security groups instead of global security groups. This configuration ensures that user group membership can be obtained from any domain controller in the forest.

Network requirements

In addition to the ports listed in Connector Appliance communication, the Connector Appliance requires an outbound connection to the Active Directory domain via these ports:

Service | Port | Supported Domain Protocol
Kerberos | 88 | TCP/UDP
End Point Mapper (DCE/RPC Locator Service) | 135 | TCP
NetBIOS Name Service | 137 | UDP
NetBIOS Datagram | 138 | UDP
NetBIOS Session | 139 | TCP
LDAP | 389 | TCP/UDP
SMB over TCP | 445 | TCP
Kerberos kpasswd | 464 | TCP/UDP
Global Catalog | 3268 | TCP
Dynamic RPC Ports | 49152–65535 | TCP
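
The following is an added example, not part of the Citrix documentation: it checks a proposed egress allow-list for the Connector Appliance against the port table above and reports every required service that the rules do not permit toward each domain controller. The rule tuple format, the function names, and the 10.0.0.x addresses are assumptions constructed for illustration.

```python
import ipaddress

# Required outbound ports, transcribed from the table above.
REQUIRED = [  # (service, first port, last port, protocols)
    ("Kerberos", 88, 88, ("tcp", "udp")),
    ("End Point Mapper", 135, 135, ("tcp",)),
    ("NetBIOS Name Service", 137, 137, ("udp",)),
    ("NetBIOS Datagram", 138, 138, ("udp",)),
    ("NetBIOS Session", 139, 139, ("tcp",)),
    ("LDAP", 389, 389, ("tcp", "udp")),
    ("SMB over TCP", 445, 445, ("tcp",)),
    ("Kerberos kpasswd", 464, 464, ("tcp", "udp")),
    ("Global Catalog", 3268, 3268, ("tcp",)),
    ("Dynamic RPC Ports", 49152, 65535, ("tcp",)),
]

def covered(rules, dc_ip, proto, first, last):
    """True if the allow rules together permit every port first..last to dc_ip."""
    addr = ipaddress.ip_address(dc_ip)
    spans = sorted((lo, hi) for p, lo, hi, dest in rules
                   if p == proto and addr in ipaddress.ip_network(dest))
    need = first  # lowest port not yet shown to be allowed
    for lo, hi in spans:
        if lo > need:  # gap: no rule allows port `need`
            break
        need = max(need, hi + 1)
    return need > last

def missing_rules(rules, dc_ips):
    """Return (dc_ip, service, proto, ports) for each requirement the rules do not permit."""
    return [(dc, svc, proto, str(first) if first == last else f"{first}-{last}")
            for dc in dc_ips
            for svc, first, last, protos in REQUIRED
            for proto in protos
            if not covered(rules, dc, proto, first, last)]

# Constructed sample allow-list: (proto, first port, last port, destination CIDR).
SAMPLE_RULES = [
    ("tcp", 88, 88, "10.0.0.0/24"), ("udp", 88, 88, "10.0.0.0/24"),
    ("tcp", 135, 139, "10.0.0.0/24"), ("udp", 137, 138, "10.0.0.0/24"),
    ("tcp", 389, 389, "10.0.0.0/24"), ("udp", 389, 389, "10.0.0.0/24"),
    ("tcp", 445, 445, "10.0.0.0/24"), ("tcp", 464, 464, "10.0.0.0/24"),
    ("tcp", 3268, 3268, "10.0.0.0/24"),
    ("tcp", 49152, 60000, "10.0.0.10/32"), ("tcp", 60001, 65535, "10.0.0.10/32"),
]
SAMPLE_DCS = ["10.0.0.10", "10.0.0.11"]  # constructed domain controller addresses

if __name__ == "__main__":
    for gap in missing_rules(SAMPLE_RULES, SAMPLE_DCS):
        print("not permitted:", *gap)
```

Scoping the destination of each rule to the domain controllers, rather than to any address, keeps the appliance's egress limited to what the table requires.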

Supported Active Directory functional levels

Connector Appliance has been tested and is supported with the following forest and domain functional levels in Active Directory.

Forest Functional Level | Domain Functional Level | Supported Domain Controllers
Windows Server 2016 | Windows Server 2016 | Windows Server 2019

Other combinations of domain controller, forest functional level, and domain functional level have not been tested with the Connector Appliance. However, these combinations are expected to work and are also supported.

Connect an Active Directory domain to Citrix Cloud by using Connector Appliance

To configure Active Directory to connect to Citrix Cloud through the Connector Appliance, complete the following steps.

  1. Install a Connector Appliance in your resource location.

    You can follow the information in the Connector Appliance product documentation.

  2. Connect to the Connector Appliance administration webpage in your browser by using the IP address provided in the Connector Appliance console.

  3. In the Active Directory domains section, click + Add Active Directory domain.

  4. Enter the domain name in the Domain Name field. Click Add.

    The Connector Appliance checks the domain. If the check is successful, the Join Active Directory dialog opens.

  5. Enter the user name and password of an Active Directory user that has join permission for this domain.

  6. The Connector Appliance suggests a machine name. You can choose to override the suggested name and provide your own machine name that is up to 15 characters in length.

    This machine name is created in the Active Directory domain when the Connector Appliance joins it.

  7. Click Join.

    The domain is now listed in the Active Directory domains section of the Connector Appliance UI.

  8. To add more Active Directory domains, select + Add Active Directory domain and repeat the preceding steps.

  9. If you have not already registered your Connector Appliance, continue with the steps as described in Register your Connector Appliance with Citrix Cloud.

If you receive an error when joining the domain, verify that your environment fulfills the Active Directory requirements and the network requirements.

What’s next

  • You can add more domains to this Connector Appliance.

    Note:

    The Connector Appliance is tested with up to 10 forests.

  • For resilience, add each domain to more than one Connector Appliance in each resource location.

Viewing your Active Directory configuration

You can view the configuration of the Active Directory domains and Connector Appliances in your resource locations in the following places:

  • In Citrix Cloud:

    1. In the menu, go to the Identity and Access Management page.
    2. Go to the Domains tab.

      Your Active Directory domains are listed with the resource locations that they are part of.

  • In the Connector Appliance webpage:

    1. Connect to the Connector Appliance webpage by using the IP address provided in the Connector Appliance console.
    2. Log in with the password you created when you first registered.
    3. In the Active Directory domains section of the page, you can see the list of Active Directory domains this Connector Appliance is joined to.

Removing an Active Directory domain from a Connector Appliance

To leave an Active Directory domain, complete the following steps:

  1. Connect to the Connector Appliance webpage by using the IP address provided in the Connector Appliance console.
  2. Log in with the password you created when you first registered.
  3. In the Active Directory domains section of the page, find the domain you want to leave in the list of joined Active Directory domains.
  4. Note the name of the machine account created by your Connector Appliance.
  5. Click the delete icon (trashcan) next to the domain. A confirmation dialog appears.
  6. Click Continue to confirm the action.
  7. Go to your Active Directory controller.
  8. Delete the machine account created by your Connector Appliance from the controller.

Deployment scenarios for using Connector Appliance with Active Directory

You can use both Cloud Connector and Connector Appliance to connect to Active Directory controllers. The type of connector to use depends on your deployment.

For more information about using Cloud Connectors with Active Directory, see Deployment scenarios for Cloud Connectors in Active Directory.

Use the Connector Appliance to connect your resource location to the Active Directory forest in the following situations:

  • You are setting up Secure Private Access. For more information, see Secure Private Access with Connector Appliance.
  • You have one or more forests that are only used for user authentication.
  • You want to reduce the number of connectors required to support multiple forests.
  • You need a Connector Appliance for other use cases.

Only users in one or more forests with a single set of Connector Appliances for all forests

This scenario applies to Workspace Standard customers or customers using Connector Appliance for Secure Private Access.

In this scenario, there are several forests that contain only user objects (forest1.local, forest2.local). These forests do not contain resources. One set of Connector Appliances is deployed within a resource location and joined to the domains for each of these forests.

  • Trust relationship: None
  • Domains listed in Identity and Access Management: forest1.local, forest2.local
  • User logons to Citrix Workspace: Supported for all users
  • User logons to an on-premises StoreFront: Supported for all users

Users and resources in separate forests (with trust) with a single set of Connector Appliances for all forests

This scenario applies to Citrix Virtual Apps and Desktops customers with multiple forests.

In this scenario, some forests (resourceforest1.local, resourceforest2.local) contain your resources (for example, VDAs) and some forests (userforest1.local, userforest2.local) contain only your users. A trust exists between these forests that allows users to log on to resources.

One set of Cloud Connectors is deployed within the resourceforest1.local forest. A separate set of Cloud Connectors is deployed within the resourceforest2.local forest.

One set of Connector Appliances is deployed within the userforest1.local forest and the same set is deployed within the userforest2.local forest.

  • Trust relationship: Bi-directional forest trust, or uni-directional trust from the resource forests to the user forests
  • Domains listed in Identity and Access Management: resourceforest1.local, resourceforest2.local, userforest1.local, userforest2.local
  • User logons to Citrix Workspace: Supported for all users
  • User logons to an on-premises StoreFront: Supported for all users
