Planning your WSTEP deployment

WSTEP integration requires the on-premises installation of a PKIaaS Virtual Machine in the customer's LAN. Once installed, this PKIaaS Virtual Machine:

  • Performs LDAPS queries against the Domain Controllers in an Active Directory forest.

  • Establishes an outbound connection with the Entrust Cloud.

The Windows devices send WSTEP requests directly to the PKIaaS service hosted in the Entrust cloud. See below for the main integration scenarios.

Deploying a single PKIaaS Virtual Machine for multiple Active Directory forests

A single PKIaaS Virtual Machine can handle any number of Active Directory forests, provided the virtual machine can connect to the domain controllers of each forest as explained in Network requirements for the PKIaaS Virtual Machine.

[Diagram: a single PKIaaS Virtual Machine serving multiple Active Directory forests]

Deploying multiple PKIaaS Virtual Machines for Active Directory forests in different networks

When a single PKIaaS Virtual Machine cannot communicate with all forests, multiple PKIaaS Virtual Machines are required, as illustrated in the diagram below.

[Diagram: multiple PKIaaS Virtual Machines, one per network, each serving the Active Directory forests it can reach]

Whichever deployment you choose, configuring multiple Active Directory forests:

  • Requires the domain controllers of each Active Directory forest to be prepared as explained in this document.

  • Requires the root domain of each Active Directory forest to be added to the PKIaaS portal.

  • Does not require two-way transitive trusts between the forests.
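Because the PKIaaS Virtual Machine must reach the domain controllers of every forest over LDAPS, a connectivity pre-check run from the network segment where the virtual machine will be placed is a useful planning step. The following script is an added example, not Entrust's code or part of this document's procedure: it resolves the domain controllers of each forest root domain from the standard `_ldap._tcp.dc._msdcs.<forest root>` SRV record, opens TCP 636 (the standard LDAPS port) to each, completes a TLS handshake and reports whether the presented certificate chains to a root trusted by the machine running the check. The forest names are constructed placeholders; substitute the root domains you intend to add to the PKIaaS portal.

```powershell
# Added LDAPS reachability pre-check (example code, not from the PKIaaS documentation).
# Forest roots below are constructed placeholders.
param(
    [string[]]$ForestRoots = @('corp.example', 'emea.example'),
    [int]$LdapsPort = 636          # standard LDAPS port
)

function Get-ForestDomainControllers {
    param([string]$ForestRoot)
    # The _msdcs SRV record enumerates the domain controllers of the forest root domain.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestRoot" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port)
    $result = [ordered]@{
        Host = $HostName; Port = $Port; TcpOpen = $false
        CertSubject = $null; CertExpires = $null; ChainTrusted = $false; Error = $null
    }
    # Hashtable captured by the callback so the policy errors can be reported, not just failed on.
    $state = @{ Errors = $null }
    $callback = {
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true    # always complete the handshake; we report the outcome below
    }.GetNewClosure()

    $client = $null; $ssl = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new()
        $client.Connect($HostName, $Port)
        $result.TcpOpen = $true
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.CertSubject  = $cert.Subject
        $result.CertExpires  = $cert.NotAfter
        $result.ChainTrusted = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        if (-not $result.ChainTrusted) { $result.Error = "TLS policy errors: $($state.Errors)" }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$result
}

$report = foreach ($forest in $ForestRoots) {
    try {
        $dcs = Get-ForestDomainControllers -ForestRoot $forest
    } catch {
        # No SRV answer usually means DNS for that forest is not reachable from this segment.
        [pscustomobject]@{ Forest = $forest; Host = $null; Port = $LdapsPort; TcpOpen = $false
                           CertSubject = $null; CertExpires = $null; ChainTrusted = $false
                           Error = "SRV lookup failed: $($_.Exception.Message)" }
        continue
    }
    foreach ($dc in $dcs) {
        Test-LdapsEndpoint -HostName $dc -Port $LdapsPort |
            Select-Object @{ n = 'Forest'; e = { $forest } }, *
    }
}

$report | Format-Table Forest, Host, TcpOpen, ChainTrusted, CertExpires, Error -AutoSize

# A forest is ready for the virtual machine only if every listed DC has TcpOpen and ChainTrusted set.
$notReady = $report | Where-Object { -not ($_.TcpOpen -and $_.ChainTrusted) }
if ($notReady) { Write-Warning "$($notReady.Count) endpoint(s) are not reachable over trusted LDAPS." }
```

Run the check from a Windows host on the same network segment the virtual machine will use; a `ChainTrusted` of `False` on an otherwise reachable controller typically means the domain controller's LDAPS certificate is issued by an internal CA that the checking host does not trust, which is worth resolving before the virtual machine is installed.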