Connectivity with Citrix SD-WAN appliances

After configuring sites on SD-WAN Orchestrator for On-premises, establish connectivity between Citrix SD-WAN appliances on the sites with SD-WAN Orchestrator for On-premises. You can establish connectivity in one of the following ways:

  • One-way Authentication: The SD-WAN appliance authenticates SD-WAN Orchestrator for On-premises. On enabling one-way authentication, you must download the SD-WAN Orchestrator for On-premises certificate and upload it on the SD-WAN appliance.

  • Two-way Authentication: The SD-WAN authenticate each other using the exchanged certificates. On enabling two-way authentication, you must upload the SD-WAN appliance certificate on SD-WAN Orchestrator for On-premises and also SD-WAN Orchestrator for On-premises certificate on the SD-WAN appliance.

  • No Authentication: The connectivity is established between the SD-WAN Orchestrator for On-premises and SD-WAN appliances with no authentication. You need not use the SD-WAN Appliance or SD-WAN Orchestrator for On-premises Certificate. You can use No Authentication when you have a secure network such as MPLS.


It is recommended to use only one-way authentication or two-way authentication. In the case of no Authentication, you have to choose the secure DNS server.

You can configure connectivity with each site manually or use the automated zero-touch deployment.


Citrix SD-WAN 11.3.0 is the minimum sofware version required for an appliance to connect to SD-WAN Orchestrator for On-premises.

Zero-touch deployment

Zero-touch deployment is an automated process to configure connectivity between the appliances and SD-WAN Orchestrator for On-premises. The NITRO API running in the back-end handles download and upload of certificates. It downloads the certificate from SD-WAN Orchestrator for On-premises, logs in to the SD-WAN appliance, and uploads the certificate. It also downloads the SD-WAN appliance certificate and uploads it on SD-WAN Orchestrator for On-premises.


Zero-touch deployment is supported on SD-WAN appliances running with the 11.2.1 release or later.

Zero-touch deployment supports only one-way authentication and two-way authentication. No authentication is not supported. If Authentication Type is enabled on Administration > Certificate Authentication page, then two-way authentication is established. If Authentication Type is disabled, then one-way authentication is established.

To configure Zero-touch deployment:

  1. Navigate to Administration > Site ZTD Settings, and click + Site.

  2. Select a site from the Site Name drop-down list and enter the Management IP address of the Citrix SD-WAN appliance.

  3. Enter the Username and Password.

  4. Select the Freshly Provisioned check box if you are adding a newly provisioned site and enter a New Password.


    For a newly provisioned site, it is mandatory to change the default password at the time of first login.

  5. Click + to add more sites.

  6. Click Add. The configuration status of the sites is displayed in the Auto Configured Sites section.

Site zero-touch deployment settings

Manual Connectivity Configuration

While configuring connectivity manually, you must download the SD-WAN Orchestrator for On-premises certificate and upload it on each appliance in the network. It involves logging into each appliance manually for uploading the certificates.

To configure connectivity manually:

  1. Navigate to Administration > Certificate Authentication and enable Authentication Type.

    When Authentication Type is enabled, the SD-WAN appliance can connect to SD-WAN Orchestrator for On-premises only through Two-way Authentication. When Authentication Type is disabled, the SD-WAN appliance can connect to SD-WAN Orchestrator for On-premises either through No Authentication, One-way Authentication, or Two-way Authentication.

  2. Click Regenerate and Download the SD-WAN Orchestrator for On-premises certificate.

  3. Choose an appliance from the Appliance Certificate section and upload the corresponding certificate downloaded from the SD-WAN appliance. For detailed information on downloading the appliance certificate, see Citrix SD-WAN Orchestrator on-premises configuration on SD-WAN appliance.


    Only .pem file type is supported.

  4. Log on to the SD-WAN appliance UI, navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator. Upload the certificate downloaded from SD-WAN Orchestrator for On-premises. For detailed information, see SD-WAN Orchestrator for On-premises configuration on SD-WAN appliance.

Certificate authentication

Verify Connectivity

To verify the connectivity status of the appliance, navigate to Configuration > Network Configuration Home, and check the Cloud Connectivity column corresponding to your site.

Verify connectivity


You can publish the desired software to upgrade the appliances under Infrastructure > Orchestrator Administration > Software Images > Appliance. For more information, see Publish software.

Connectivity with Citrix SD-WAN appliances