Zero touch
Note
The Zero Touch Deployment service is supported only on select Citrix SD-WAN appliances:
- SD-WAN 110 Standard Edition
- SD-WAN 210 Standard Edition
- SD-WAN 410 Standard Edition
- SD-WAN 2100 Standard Edition
- SD-WAN 1000 Standard Edition (reimage required)
- SD-WAN 1000 Enterprise Edition (Premium Edition) (reimage required)
- SD-WAN 1100 Standard Edition
- SD-WAN 1100 Premium (Enterprise) Edition
- SD-WAN 2000 Standard Edition (reimage required)
- SD-WAN 2000 Enterprise Edition (Premium Edition) (reimage required)
- SD-WAN 2100 Enterprise Edition (Premium Edition)
- SD-WAN AWS VPX instance
Zero-touch deployment Cloud Service is a Citrix-operated and managed cloud-based service that discovers new appliances in the Citrix SD-WAN network, primarily to streamline the deployment of Citrix SD-WAN at branch or cloud service office locations. The zero-touch deployment Cloud Service is publicly reachable from any point in a network with public Internet access, and is accessed over SSL/TLS (HTTPS on TCP port 443).
The zero-touch deployment Cloud Service securely communicates with back-end Citrix services that hold the identification of Citrix customers who have purchased Zero Touch capable devices (for example SD-WAN 410-SE, 2100-SE). The back-end services authenticate every Zero Touch Deployment request by validating the association between the Customer Account and the serial numbers of the Citrix SD-WAN appliances.
ZTD High-Level Architecture and Workflow:
Data Center Site:
Citrix SD-WAN Administrator – A user with Administration rights of the SD-WAN environment with the following primary responsibilities:
Configuration creation using Citrix SD-WAN Center Network Configuration tool, or import of configuration from the Master Control Node (MCN) SD-WAN appliance
Citrix Cloud Login to initiate the Zero Touch Deployment Service for new site node deployment.
Note
If your SD-WAN Center is connected to the internet through a proxy server, you have to configure the proxy server settings on the SD-WAN Center. For more information, see Proxy Server Settings for Zero Touch Deployment.
Network Administrator – A user responsible for Enterprise network management (DHCP, DNS, internet, firewall, and so on)
- If necessary, configure firewalls for outbound communication to FQDN sdwanzt.citrixnetworkapi.net from SD-WAN Center.
Remote Site:
Onsite Installer – A local contact or hired installer for on-site activity with the following primary responsibilities:
Physically unpack the Citrix SD-WAN appliance.
Reimage non-ZTD ready appliances.
Required for: SD-WAN 1000-SE, 2000-SE, 1000-EE, 2000-EE
Not required for: SD-WAN 410-SE, 2100-SE
Power cable the appliance.
Cable the appliance for internet connectivity on the Management interface (for example MGMT, or 0/1).
Cable the appliance for WAN link connectivity on the Data interfaces (for example apA.WAN, apB.WAN, apC.WAN, 0/2, 0/3, 0/5, and so on).
Note
The interface layout is different for each model, so reference the documentation for identification of data and management ports.
The following prerequisites are required before starting any Zero Touch Deployment service:
Actively running SD-WAN appliance promoted to Master Control Node (MCN).
Actively running SD-WAN Center with connectivity to the MCN through Virtual Path.
Citrix Cloud Login credentials created on https://onboarding.cloud.com (reference the instruction below on account creation).
Management network connectivity (SD-WAN Center and SD-WAN Appliance) to the Internet on port 443, either directly or through a proxy server.
(optional) At least one actively running SD-WAN appliance operating at a branch office in Client Mode with valid Virtual Path connectivity to MCN to help validate successful path establishment across the existing underlay network.
The last prerequisite is optional, but it allows the SD-WAN Administrator to confirm that the underlay network allows Virtual Paths to be established once Zero Touch Deployment completes for a newly added site. Primarily, this validates that the appropriate firewall and route policies are in place, either to NAT traffic accordingly or to confirm that UDP port 4980 can traverse the network to reach the MCN.
Zero Touch Deployment Service Overview:
The Zero Touch Deployment Service works in tandem with SD-WAN Center to simplify the deployment of branch office SD-WAN appliances. SD-WAN Center is configured and used as the central management tool for the SD-WAN Standard and Enterprise (Premium) Edition appliances. To use the Zero Touch Deployment Service (or zero-touch deployment Cloud Service), an Administrator first deploys the first SD-WAN device in the environment, then configures and deploys SD-WAN Center as the central point of management. When SD-WAN Center, release 9.1 or later, is installed with connectivity to the public internet on port 443, it automatically initiates the Cloud Service and installs the components needed to unlock the Zero Touch Deployment features and make the Zero Touch Deployment option available in the SD-WAN Center GUI. Zero Touch Deployment is not available by default in the SD-WAN Center software. This is deliberate: it ensures that the required preliminary components on the underlay network are present before an Administrator can initiate any on-site activity involving Zero Touch Deployment.
After a working SD-WAN environment is up and running, registration into the Zero Touch Deployment Service is accomplished by creating a Citrix Cloud account login. Once SD-WAN Center can communicate with the zero-touch deployment service, the GUI exposes the Zero Touch Deployment options under the Configuration tab. Logging in to the Zero Touch Service authenticates the Customer ID associated with the particular SD-WAN environment and registers the SD-WAN Center, in addition to unlocking the account for further authentication of zero-touch appliance deployments.
Using the Network Configuration tool in SD-WAN Center, the SD-WAN Administrator then uses the templates or the clone site capability to build out the SD-WAN configuration and add new sites. SD-WAN Center uses the new configuration to initiate zero-touch deployment for the newly added sites. When the SD-WAN Administrator initiates a site for deployment using the zero-touch deployment process, he or she has the option to pre-authenticate the appliance to be used by pre-populating its serial number, and to initiate email communication to the on-site installer to begin on-site activity.
The Onsite Installer receives an email stating that the site is ready for Zero Touch Deployment and can begin the installation procedure: powering on the appliance, cabling the MGMT port for DHCP IP address assignment and internet access, and cabling any LAN and WAN ports. Everything else is initiated by the zero-touch deployment Service, and progress is monitored by using the activation URL. If the remote node to be installed is a cloud instance, opening the activation URL begins the workflow to automatically install the instance in the designated cloud environment; no action is needed by a local installer.
The Zero Touch Deployment Cloud Service automates the following actions:
Download and Update the zero-touch deployment Agent if new features are available on the branch appliance.
Authenticate the branch appliance by validating the serial number.
Authenticate that the SD-WAN Administrator accepted the site for zero-touch deployment using the SD-WAN Center.
Pull the configuration file specific for the targeted appliance from the SD-WAN Center.
Push the configuration file specific for the targeted appliance to the branch appliance.
Install the configuration file on the branch appliance.
Push any missing SD-WAN software components or required updates to the branch appliance.
Push a temporary 10 Mbps license file for confirmation of Virtual Path establishment to the branch appliance.
Enable the SD-WAN Service on the branch appliance.
Additional steps are required of the SD-WAN Administrator to install a permanent license file on the appliance.
Note
When a branch configuration already uses the same appliance software version as the MCN, the zero-touch deployment process does not download the appliance software file again. This applies to fresh factory-shipped appliances, appliances reset to factory defaults, and appliances whose configuration was reset administratively. After a configuration reset, select the Reboot after revert check box to initiate the zero-touch deployment process.
Zero touch deployment device procedure
The following procedure details the steps required to deploy a new site using the Zero Touch Deployment Service. Have a running MCN and one client node already working with proper communication to SD-WAN Center, and established Virtual Paths confirming connectivity across the underlay network. The SD-WAN Administrator performs the following steps to initiate a zero touch deployment:
How to configure zero touch deployment service
SD-WAN Center can accept requests from newly connected appliances to join the SD-WAN Enterprise network. The request is forwarded to the web interface through the zero touch deployment service. Once the appliance connects to the service, the configuration and software upgrade packages are downloaded to it.
Configuration workflow:
Access SD-WAN Center > Create New site configuration or Import the existing configuration and save it.
Log in to Citrix Cloud to enable zero-touch deployment service. The Zero Touch Deployment menu option is now displayed in the SD-WAN center web management interface.
In SD-WAN Center, navigate to Configuration > Zero Touch Deployment > Deploy New Site.
Select an appliance, click Enable, and click Deploy.
Installer receives the activation email > Enter the serial number > Activate > Appliance is deployed successfully.
To configure Zero Touch Deployment service:
Install SD-WAN Center with enabled Zero Touch Deployment capabilities:
Install SD-WAN Center with DHCP assigned IP address.
Verify that SD-WAN Center is assigned a proper management IP address and network DNS address, with connectivity to the public internet across the management network.
Upgrade the SD-WAN Center to the latest SD-WAN software release version.
With proper internet connectivity, SD-WAN Center initiates the zero-touch deployment Cloud Service and automatically downloads and installs any firmware updates specific to zero-touch deployment. If this Call Home procedure fails, the Zero Touch Deployment option is not available in the GUI.
Read the Terms and Conditions, and then select I acknowledge that I have read and agree to the above Terms and Conditions.
Click the Login to Citrix Workspace Cloud button if a Citrix Cloud account has already been created.
Log in to the Citrix Cloud account. When the message confirming a successful login appears, do not close the window: the process needs another ~20 seconds for the SD-WAN Center GUI to be refreshed. The window closes on its own when it is complete.
To create a Cloud Login account, open a web browser to https://onboarding.cloud.com
Click the link for Wait, I have a Citrix.com account.
Sign in with an existing Citrix account.
Once logged in to the SD-WAN Center Zero Touch Deployment page, you might notice that no sites are available for zero-touch deployment, for one of the following reasons:
The active configuration has not been selected from the Configuration drop-down menu
All the sites for the current active configuration have already been deployed
The configuration was not built using the SD-WAN Center, but rather the Configuration Editor available on the MCN
Sites were not built in the configuration referencing zero touch capable appliances (for example 410-SE, 2100-SE, Cloud VPX)
Update the configuration to add a new remote site with a ZTD capable SD-WAN appliance using SD-WAN Center Network Configuration.
If the SD-WAN configuration was not built using the SD-WAN Center Network Configuration, import the active configuration from the MCN and begin modifying the configuration using SD-WAN Center. For Zero Touch Deployment capability, the SD-WAN Administrator must build the configuration using SD-WAN Center. The following procedure must be used to add a new site targeted for zero touch deployment.
Design the new site for SD-WAN appliance deployment by first outlining the details of the new site (that is, Appliance Model, Interface Groups usage, Virtual IP Addresses, WAN Links with bandwidth and their respective Gateways).
Important
You might notice any site node that has VPX selected as the model is also listed, but currently zero-touch deployment support is only available for the AWS VPX instance.
Note
Make sure that you are using a supported web browser for Citrix SD-WAN Center
Make sure that the web browser is not blocking any pop-up windows during the Citrix Workspace Login
This is an example deployment of a branch office site: the SD-WAN appliance is deployed physically in the path of the existing MPLS WAN link on a 172.16.30.0/24 network, and an existing backup link is brought into an active state by terminating that second WAN link directly on the SD-WAN appliance on a different subnet, 172.16.31.0/24.
Note
The SD-WAN appliance automatically assigns itself a default IP address of 192.168.100.1/16. With DHCP enabled by default, the DHCP server in the network might also give the appliance a second IP address in a subnet that overlaps this default. This can result in a routing issue on the appliance, which might then fail to connect to the zero-touch deployment Cloud Service. Configure the DHCP server to assign IP addresses outside the 192.168.0.0/16 range.
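The management-network prerequisites listed earlier (outbound TCP 443 to sdwanzt.citrixnetworkapi.net, directly or through a proxy) and the DHCP range caveat in this note can be checked before the installer is on site. The script below is an added example, not Citrix code: the FQDN, the port and the 192.168.0.0/16 range are taken from this page, while the management IP and the proxy address used when running it are placeholders you replace with your own values.

```python
"""Pre-flight checks for a zero-touch deployment site (added example, not Citrix code).

Checks the network prerequisites named on the page:
  * the DHCP-assigned management address (or the whole DHCP scope) must not
    fall inside 192.168.0.0/16, because the appliance also holds its factory
    default 192.168.100.1/16 on the management interface;
  * the ZTD service FQDN must resolve and be reachable on TCP 443, either
    directly or through an HTTP proxy (CONNECT tunnel).
"""
import ipaddress
import socket

ZTD_FQDN = "sdwanzt.citrixnetworkapi.net"   # from the page
ZTD_PORT = 443                               # from the page
APPLIANCE_DEFAULT_NET = ipaddress.ip_network("192.168.0.0/16")  # covers 192.168.100.1/16


def dhcp_address_is_safe(address: str) -> bool:
    """True if a single management address cannot collide with the default /16."""
    return ipaddress.ip_address(address) not in APPLIANCE_DEFAULT_NET


def dhcp_pool_is_safe(pool_cidr: str) -> bool:
    """True if no address of a DHCP scope (e.g. '10.20.30.0/24') overlaps the default /16."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return not pool.overlaps(APPLIANCE_DEFAULT_NET)


def connect_reply_ok(status_line: bytes) -> bool:
    """Parse the first line a proxy returns to CONNECT; only a 2xx means the tunnel is open."""
    parts = status_line.decode("ascii", errors="replace").split()
    return (len(parts) >= 2 and parts[0].startswith("HTTP/")
            and parts[1].isdigit() and parts[1][0] == "2")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Direct TCP handshake to host:port (no proxy)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachable_via_proxy(proxy_host: str, proxy_port: int, host: str, port: int,
                        timeout: float = 3.0) -> bool:
    """Ask an HTTP proxy to tunnel to host:port and judge by its status line."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            status_line = s.makefile("rb").readline()
    except OSError:
        return False
    return connect_reply_ok(status_line)


def preflight(mgmt_ip: str, proxy=None) -> dict:
    """Run all checks; proxy is an optional (host, port) tuple. Returns name -> pass/fail."""
    results = {"mgmt_ip_outside_192_168_0_0_16": dhcp_address_is_safe(mgmt_ip)}
    try:
        socket.gethostbyname(ZTD_FQDN)
        results["ztd_fqdn_resolves"] = True
    except OSError:
        results["ztd_fqdn_resolves"] = False
    if proxy:
        results["tcp_443_via_proxy"] = reachable_via_proxy(*proxy, ZTD_FQDN, ZTD_PORT)
    else:
        results["tcp_443_direct"] = tcp_reachable(ZTD_FQDN, ZTD_PORT)
    return results


if __name__ == "__main__":
    # Placeholders: use the SD-WAN Center's real management IP and, if one is
    # in the path, its proxy as ("proxy.example.internal", 3128).
    for name, ok in preflight("10.20.30.40", proxy=None).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it from a host on the same management network as SD-WAN Center. A FAIL on the proxy check while the direct check passes usually means the proxy is refusing CONNECT to port 443 for that FQDN, which is what the Network Administrator has to open.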
There are various different deployment modes available for SD-WAN product placement in a network. In the above example, SD-WAN is being deployed as an overlay on top of existing networking infrastructure. For new sites, SD-WAN Administrators might choose to deploy the SD-WAN in Edge or Gateway Mode deployment, eliminating the need for a WAN edge router and firewall, and consolidating the network needs of the edge routing and firewall onto the SD-WAN solution.
Open the SD-WAN Center web management interface and navigate to the Configuration > Network Configuration page.
Make sure that a working configuration is already in place, or import the configuration from the MCN.
Navigate to the Advanced tab to create a site.
Open the Sites tile to display the currently configured sites.
Quickly build the configuration for the new site by using the clone feature on any existing site.
Populate all the required fields from the topology designed for this new branch site
After cloning a new site, navigate to the site’s Basic Settings and verify that the selected SD-WAN Model is one that supports the zero touch service.
The SD-WAN model for the site can be updated, but be aware that the Interface Groups might have to be redefined, since the updated appliance might have a different interface layout from the one used to clone.
Save the new configuration on SD-WAN Center, and use the export to the Change Management inbox option to push the configuration using Change Management.
Follow the Change Management procedure to properly stage the new configuration, which makes the existing SD-WAN devices aware of the new site to be deployed via zero touch. Use the “Ignore Incomplete” option so that Change Management does not attempt to push the configuration to the new site, which still has to go through the zero-touch deployment workflow.
Navigate back to the SD-WAN Center Zero Touch Deployment page, and with the new active configuration running, the new site is available for deployment.
In the Zero Touch Deployment page, under the Deploy New Site tab, select the running network configuration file
After the running configuration file is selected, the list of all the branch sites with undeployed SD-WAN devices that are supported for zero touch is displayed.
Select the branch sites you want to configure for Zero Touch service, click Enable, and then Deploy.
A Deploy New Site pop-up window appears, where the Admin can provide the Serial Number, branch site Street Address, Installer Email address, and additional Notes, if necessary.
Note
The Serial Number field is optional. Whether it is populated changes the on-site activity the Installer is responsible for:
- If the Serial Number field is populated, the installer is not required to enter the serial number into the activation URL generated with the Deploy site command; the site is pre-authenticated for that one appliance.
- If the Serial Number field is left blank, the installer is responsible for entering the correct serial number of the appliance into the activation URL generated with the Deploy site command.