Citrix SD-WAN Orchestrator for On-premises 11.1

Connectivity with Citrix SD-WAN appliances

After configuring sites on Citrix SD-WAN Orchestrator for On-premises, establish connectivity between Citrix SD-WAN appliances on the sites with Citrix SD-WAN Orchestrator for On-premises. You can establish connectivity in one of the following ways:

  • One-way Authentication: The SD-WAN appliance authenticates Citrix SD-WAN Orchestrator for On-premises. On enabling one-way authentication, you must download the Citrix SD-WAN Orchestrator for On-premises certificate and upload it on the SD-WAN appliance.

  • Two-way Authentication: The SD-WAN appliance and Citrix SD-WAN Orchestrator for On-premises authenticate each other using the exchanged certificates. On enabling two-way authentication, you must upload the SD-WAN appliance certificate on Citrix SD-WAN Orchestrator for On-premises and also the Citrix SD-WAN Orchestrator for On-premises certificate on the SD-WAN appliance.

  • No Authentication: The connectivity is established between the Citrix SD-WAN Orchestrator for On-premises and SD-WAN appliances with no authentication. You need not use the SD-WAN Appliance or Citrix SD-WAN Orchestrator for On-premises Certificate. You can use No Authentication when you have a secure network such as MPLS.

Note

It is recommended to use only one-way authentication or two-way authentication. In the case of No Authentication, you have to choose the secure DNS server.

You can configure connectivity with each site manually or use the automated zero-touch deployment.

Note

Citrix SD-WAN 11.3.0 is the minimum software version required for an appliance to connect to Citrix SD-WAN Orchestrator for On-premises.

Zero-touch deployment

Zero-touch deployment is an automated process to configure connectivity between the appliances and Citrix SD-WAN Orchestrator for On-premises. You can establish the connectivity automatically using non-cloud zero-touch deployment or cloud brokered zero-touch deployment settings.

Non-Cloud zero-touch deployment

Non-Cloud zero-touch deployment settings allow you to configure Citrix SD-WAN Orchestrator for On-premises information on SD-WAN appliances. The NITRO API running in the back-end handles download and upload of certificates. It downloads the certificate from Citrix SD-WAN Orchestrator for On-premises, logs in to the SD-WAN appliance, and uploads the certificate. It also downloads the SD-WAN appliance certificate and uploads it on Citrix SD-WAN Orchestrator for On-premises.

Note

Non-Cloud zero-touch deployment is supported on SD-WAN appliances running with the 11.3.0 release or later.

Zero-touch deployment supports only one-way authentication and two-way authentication. No authentication is not supported. If Authentication Type is enabled on Administration > Certificate Authentication page, then two-way authentication is established. If Authentication Type is disabled, then one-way authentication is established.

You can either add sites manually or import a CSV file to add multiple sites simultaneously.

To configure Non-cloud zero-touch deployment settings, navigate to Administration > ZTD Settings > Non-Cloud ZTD, and click + Site.

Site zero-touch deployment settings

Note

You can also access Non-cloud zero-touch deployment settings for each site from Network Configuration Home page. Click the action icon for the site and select Non-cloud ZTD.

Network Config Home: Non-cloud zero-touch deployment

Select a site from the Site Name drop-down list and enter the Management IP address of the Citrix SD-WAN appliance. Provide the appliance user name and password. Select the Freshly Provisioned check box if you are adding a newly provisioned site on which the default password has not been changed, and provide the New Password. The default password is changed to the new password during the zero-touch deployment process.

Note

For a newly provisioned site, it is mandatory to change the default password at the time of first login.

Add site for non-cloud zero-touch deployment

Click + to continue to add more sites.

You can also import a CSV file to add multiple sites simultaneously. A sample downloadable template is available in the UI. Download it and provide the site details.

Download sample CSV file

Sample CSV template

  • Appliance Name: The site name configured during site configuration. For more information, see Site Configuration.
  • Appliance Username: The user name configured on the site appliance.
  • Appliance Password: The corresponding password for the site appliance.
  • Is password expired: Determines if the appliance is freshly provisioned. If the value is True, provide the Appliance New Password.
  • Appliance New Password: The password for freshly provisioned appliances. If the Is password expired value is True, provide the Appliance new password.
  • Is Primary Appliance: If High Availability (HA) is configured, the active appliance must have the value True and standby appliance must have the value False. If HA is not configured, the value must be True.

Click Import, select the CSV file and click Upload.
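As an added example that is not part of the Citrix documentation, the following Python snippet checks a site CSV against the rules stated in the column descriptions above before it is imported: boolean columns hold True or False, a new password is present when Is password expired is True and differs from the expired one, and each site has exactly one primary appliance. It assumes that the CSV header names match the field labels listed above and that an HA pair appears as two rows sharing the same Appliance Name; both are assumptions, as is the constructed sample data.

```python
import csv
import io

# Assumed header names; the real template headers may be spelled differently.
REQUIRED = ["Appliance Name", "Appliance Username", "Appliance Password",
            "Is password expired", "Appliance New Password", "Is Primary Appliance"]

def _bool(value, field, row_no, errors):
    """Parse a True/False cell; record an error and return None if it is anything else."""
    v = value.strip().lower()
    if v not in ("true", "false"):
        errors.append(f"row {row_no}: {field} must be True or False, got {value!r}")
        return None
    return v == "true"

def validate_ztd_csv(text):
    """Return a list of problems found in a Non-Cloud ZTD site CSV (empty list means OK)."""
    errors = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column(s): {', '.join(missing)}"]
    primaries = {}  # site name -> list of Is Primary Appliance flags seen for that site
    for n, row in enumerate(reader, start=2):  # line 1 of the file is the header
        site = row["Appliance Name"].strip()
        if not site or not row["Appliance Username"].strip() or not row["Appliance Password"].strip():
            errors.append(f"row {n}: site name, user name and password are all required")
        expired = _bool(row["Is password expired"], "Is password expired", n, errors)
        new_pw = row["Appliance New Password"].strip()
        if expired and not new_pw:
            errors.append(f"row {n}: Is password expired is True but Appliance New Password is empty")
        if expired and new_pw == row["Appliance Password"].strip():
            errors.append(f"row {n}: the new password must differ from the expired default password")
        primary = _bool(row["Is Primary Appliance"], "Is Primary Appliance", n, errors)
        if primary is not None:
            primaries.setdefault(site, []).append(primary)
    for site, flags in primaries.items():  # assumed: HA pair = two rows with one site name
        if flags.count(True) != 1:
            errors.append(f"site {site!r}: exactly one row must have Is Primary Appliance = True")
        if len(flags) > 2:
            errors.append(f"site {site!r}: more than two appliances listed for one site")
    return errors

# Constructed sample: a fresh branch, an HA pair, a fresh branch missing its new
# password (row 5) and a site with no primary appliance (branch-03).
SAMPLE_CSV = """Appliance Name,Appliance Username,Appliance Password,Is password expired,Appliance New Password,Is Primary Appliance
branch-01,admin,Def4ult!,True,N3w-Str0ng-Pass,True
dc-ha,admin,Ex1sting#1,False,,True
dc-ha,admin,Ex1sting#1,False,,False
branch-02,admin,Def4ult!,True,,True
branch-03,admin,Ex1sting#2,False,,False
"""
```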

Import CSV file

Upload CSV file

The configuration status of the sites is displayed. You can delete sites individually, or click Delete All if the sites are not required for zero-touch deployment.

Zero-touch deployment configuration status

Cloud brokered zero-touch deployment (Preview)

Cloud brokered zero-touch deployment uses Citrix SD-WAN Orchestrator service as a broker between Citrix SD-WAN Orchestrator for On-premises and the Citrix SD-WAN appliances. Citrix SD-WAN Orchestrator for On-premises sends a cloud zero-touch deployment configuration package to Citrix SD-WAN Orchestrator service. The cloud zero-touch deployment configuration package consists of the following information:

  • On-prem identity information
  • Authentication type
  • On-prem certificate
  • Appliance details (List of serial numbers)

Citrix SD-WAN Orchestrator service stores the information received from Citrix SD-WAN Orchestrator for On-premises. When an appliance contacts Citrix SD-WAN Orchestrator service with its serial number, the service uses the stored information to determine that the appliance is to be managed by Citrix SD-WAN Orchestrator for On-premises, and passes the Citrix SD-WAN Orchestrator for On-premises details on to the appliance. The Citrix SD-WAN appliance then sends its certificate to Citrix SD-WAN Orchestrator service, which receives and stores it.

Citrix SD-WAN Orchestrator for On-premises periodically fetches the appliance certificate from Citrix SD-WAN Orchestrator service. Once a secure connection is established between Citrix SD-WAN Orchestrator for On-premises and the appliance, the Citrix SD-WAN Orchestrator for On-premises pushes the configuration and relevant files to the appliances.

Cloud brokered zero-touch deployment settings are available only for customers in a customer managed setup. Provider managed setup does not support cloud brokered zero-touch deployment settings.

Prerequisites

  • Appliances need access to the following domain names to establish a connection with Citrix SD-WAN Orchestrator service:
    • sdwanzt.citrixnetworkapi.net
    • download.citrixnetworkapi.net
    • trust.citrixnetworkapi.net
    • sdwan-home.citrixnetworkapi.net
  • Ensure that Citrix SD-WAN Orchestrator for On-premises always has connectivity to Citrix SD-WAN Orchestrator service to onboard SD-WAN appliances.
  • Ensure that the Citrix SD-WAN appliance has connectivity to Citrix SD-WAN Orchestrator service during the initial on-boarding process and after a factory reset of the SD-WAN appliance.

To configure Cloud brokered zero-touch deployment settings:

  1. In Citrix SD-WAN Orchestrator for On-premises, create and define sites using the guided workflow. For more information, see Site configuration.

  2. Verify and compile the configuration using the deployment tracker. For more information, see the Deployment Tracker section in Network configuration topic.

  3. Navigate to Administration > ZTD Settings > Cloud Brokered ZTD and click + Site.

    Cloud zero-touch deployment

  4. From the drop-down list select a site name and click Add. The sites are listed based on your configuration. You can select a single site or multiple sites.

    Add sites in cloud zero-touch deployment

  5. The cloud zero-touch deployment configuration is created and sent to Citrix SD-WAN Orchestrator service.

    Cloud zero-touch deployment configuration status

  6. Cable up and power on the SD-WAN appliances at the Data Center and branch sites.

  7. The appliances contact the Citrix SD-WAN Orchestrator service with their serial number.

  8. The Citrix SD-WAN Orchestrator service acts as a broker between Citrix SD-WAN Orchestrator for On-premises and the appliances. It allows the exchange of certificates, and the Citrix SD-WAN appliance establishes a secure connection with Citrix SD-WAN Orchestrator for On-premises. Once zero-touch deployment is successful, the configured site comes online and is displayed in the Orchestrator Connectivity column under Configuration > Network Config Home.

  9. Activate and Stage the configuration to push the configuration and software to the appliances.

  10. Once the configuration/software is applied, virtual paths get established and the Availability column under Configuration > Network Config Home gets updated with the appropriate virtual path status.

Note

Citrix SD-WAN Orchestrator for On-premises takes about 30 minutes to fetch the appliance certificate and onboard the appliances completely. To pull the appliance certificates immediately (without waiting for 30 minutes), click Pull Appliance certificates.

If necessary, you can click Delete Cloud Brokered ZTD Settings, which removes the information related to all sites. To delete the information for a particular site only, click the delete icon corresponding to that site.

Delete settings in cloud zero-touch deployment

Manual Connectivity Configuration

While configuring connectivity manually, you must download the Citrix SD-WAN Orchestrator for On-premises certificate and upload it on each appliance in the network. This involves logging on to each appliance manually to upload the certificate.

To configure connectivity manually:

  1. Navigate to Administration > Certificate Authentication and enable Authentication Type.

    When Authentication Type is enabled, the SD-WAN appliance can connect to Citrix SD-WAN Orchestrator for On-premises only through Two-way Authentication. When Authentication Type is disabled, the SD-WAN appliance can connect to Citrix SD-WAN Orchestrator for On-premises either through No Authentication, One-way Authentication, or Two-way Authentication.

    Note

    In a provider managed setup, only providers can enable authentication type and regenerate the Citrix SD-WAN Orchestrator for On-premises certificate.

  2. Click Regenerate and Download the Citrix SD-WAN Orchestrator for On-premises certificate.

  3. Choose an appliance from the Appliance Certificate section and upload the corresponding certificate downloaded from the SD-WAN appliance. For detailed information on downloading the appliance certificate, see Citrix SD-WAN Orchestrator on-premises configuration on SD-WAN appliance.

    Note

    • Only .pem file type is supported.
    • Only customer administrators can upload the appliance certificate.
  4. Log on to the SD-WAN appliance UI, navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator. Upload the certificate downloaded from Citrix SD-WAN Orchestrator for On-premises. For detailed information, see Citrix SD-WAN Orchestrator for On-premises configuration on SD-WAN appliance.

Certificate authentication

Verify Connectivity

To verify the connectivity status of the appliance, navigate to Configuration > Network Configuration Home, and check the Cloud Connectivity column corresponding to your site.

Verify connectivity

Note

You can publish the desired software to upgrade the appliances under Infrastructure > Orchestrator Administration > Software Images > Appliance. For more information, see Publish software.
