Citrix Cloud and Gateway Service optimization

With the Citrix Cloud and Gateway Service optimization feature enhancement, you can detect and route traffic destined for Citrix Cloud and the Citrix Gateway Service. You can create policies to either break the traffic out directly to the Internet or to backhaul it over the virtual path. Without this feature, Gateway Service traffic hairpins back to the customer's data center and only then goes out to Citrix Cloud, adding unnecessary latency. In addition, you now get visibility into Citrix Gateway and Citrix Cloud traffic and can create QoS policies to prioritize it over the virtual path.

You can now enable the first packet detection, classification, and selective routing (direct Internet breakout or over the virtual path) of the traffic destined for the Citrix Cloud and Citrix Gateway Service (control and data).

Note

You can configure the Citrix Cloud and Gateway Service optimization only through the Citrix SD-WAN Orchestrator. The Citrix Cloud and Gateway Service features are supported on Citrix SD-WAN software version 11.2.1 or higher.

Citrix Cloud and Gateway Service categories

For Citrix SD-WAN traffic classification and optimization purposes, all Citrix Cloud traffic is divided into the following categories:

  • Citrix Cloud: Enable to detect and route traffic destined for Citrix Cloud Web UI and APIs.

  • Citrix Gateway Service: Enable to detect and route traffic (control and data) destined for Citrix Gateway Service.

    • Gateway Service Client Data: Enables direct internet breakout of ICA data tunnels between clients and Citrix Gateway Service. It requires high bandwidth and low latency.

    • Gateway Service Server Data: Enables direct internet breakout of ICA data tunnels between Virtual Delivery Agents (VDAs) and Citrix Gateway Service. It requires high bandwidth and low latency and is relevant only in VDA resource locations (VDA to Citrix Gateway Service connections).

    • Gateway Service Control Traffic: Enables direct internet breakout of the control traffic. No specific QoS considerations.

    • Gateway Service Web Proxy Traffic: Enables direct internet breakout of the Web proxy traffic. It requires high bandwidth but latency requirements might vary.

Prerequisites

Ensure that you have the following:

  1. To perform the Citrix Cloud and Gateway Service breakout, an Internet service must be configured on the appliance. For more information on configuring an Internet service, see Internet access.

  2. Ensure that the Management interface has internet connectivity. If the dedicated management interface is not connected, ensure that in-band management is enabled and outbound management traffic has internet connectivity.

  3. You can use the Citrix SD-WAN web interface to configure the management interface settings.

  4. Ensure that the management DNS is configured. To configure management interface DNS, at site level navigate to Configuration > Appliance Settings > Network Adapter. Under the DNS Settings section, provide the primary and secondary DNS server detail and click Save.

[Figure: Gateway service DNS settings]

How Citrix Cloud and Gateway Service optimization works

First packet detection and classification of Citrix Cloud and Gateway Service traffic is performed as long as the Citrix Cloud and Gateway Service breakout feature is enabled (it is enabled by default).

  1. The Citrix SD-WAN appliance downloads a list of application signatures using the cloud service API.

  2. When a request for the Citrix Cloud and Gateway Service application arrives, the application is classified on the first packet using the signatures.

  3. Once the Citrix Cloud and Gateway Service traffic is classified, the auto-created application route and firewall policies take effect and break out the traffic directly to the Internet.

  4. The Citrix Cloud and Gateway Service use Quad9 by default for forwarding DNS requests.

    • Without breakout enabled:

    [Figure: Without breakout enabled]

    • With breakout enabled:

    [Figure: With breakout enabled]

If you use a cloud security stack (for example, Zscaler, Check Point, or Palo Alto) to process internet traffic, the Gateway Service receives packets from the public IP address of that security stack instead of from the SD-WAN branch. This defeats Direct Workload Connection, and as a result packets to the cloud-hosted SD-WAN cannot take the Virtual Path. For more information, see Direct Workload Connection.

By enabling breakout, the Gateway Service receives packets directly from the SD-WAN branch. Dynamic Virtual Paths come up between the SD-WAN branch and the cloud-hosted SD-WAN, and the traffic between the two sites goes over this virtual path. For more information on enabling Dynamic Virtual Paths, see Setup dynamic paths for branch to branch communication.

[Figure: With and without breakout enabled]

Configure Gateway Service breakout

The Citrix Cloud and Gateway Service breakout policy allows you to specify which categories of Citrix Cloud and Gateway Service traffic are broken out directly from the SD-WAN branch.

The Citrix Cloud and Citrix Gateway Service options are available under Citrix Gateway and Citrix Cloud Optimization settings.

Citrix applications can access several services in the Citrix Cloud. For details, see System and Connectivity Requirements.

In the Citrix SD-WAN Orchestrator, every network has the Citrix Cloud and Gateway Service route by default. To navigate to it, go to Network Configuration > Routing > Routing Policies > Application Routes.

[Figure: Cloud and Gateway service]

You cannot delete the route, but you can configure its settings as required. Citrix Cloud and Gateway Service are enabled by default.

[Figure: Cloud and Gateway service settings]

Transparent forwarder for Citrix Cloud and Gateway Service

The SD-WAN branch breakout for Citrix Cloud and the Gateway Service begins with a DNS request. DNS requests for the Citrix Cloud and Gateway Service domains have to be steered locally. When Citrix Cloud and Gateway Service Internet breakout is enabled, the internal DNS routes are determined accordingly. Citrix Cloud and Gateway Service DNS requests are forwarded to the open DNS service Quad9 by default. The Quad9 DNS service is secure, scalable, and has a multi-PoP presence. You can change the DNS service if necessary.

To add a DNS server, at site level, navigate to Configuration > Advanced Settings > DNS. Under the Site Specific DNS Servers section, click + DNS Server.

[Figure: Site specific settings]

Transparent forwarders for Citrix Cloud and Gateway Service applications are created at every SD-WAN branch that has Internet service and Citrix Cloud and Gateway Service breakout enabled.

To add an app-specific DNS forwarding rule, click + App Specific DNS Forwarding Rule under the DNS Transparent Forwarder section. With this configuration, you can replace the default Quad9 DNS transparent forwarder for Citrix Cloud and Gateway Service applications.

[Figure: DNS Transparent Forwarder]

  • Application: Select the Citrix Cloud and Gateway Service application from the Application drop-down list.

  • DNS Server: Select the DNS server that you created under Site Specific DNS Servers from the drop-down list.
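The following is an added model of the first-packet classification, breakout decision, and DNS transparent-forwarder selection described above; it is illustrative code, not Citrix SD-WAN code. The hostname signatures are constructed placeholders (the appliance downloads the real signature list from the cloud service API), and unclassified traffic is assumed to follow the site's normal route, modeled here as the virtual path.

```python
"""Model of SD-WAN first-packet classification and breakout routing (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

QUAD9 = "9.9.9.9"  # default DNS transparent forwarder target (Quad9)

# Constructed signature table: hostname suffix -> traffic category.
# Placeholder domains only; not the real signature list.
SIGNATURES = {
    ".cloud.example": "Citrix Cloud",
    ".gateway-ctrl.example": "Gateway Service Control Traffic",
    ".gateway-client.example": "Gateway Service Client Data",
    ".gateway-server.example": "Gateway Service Server Data",
    ".gateway-proxy.example": "Gateway Service Web Proxy Traffic",
}

@dataclass
class SitePolicy:
    internet_service: bool = True  # prerequisite: Internet service configured on the appliance
    # Per-category breakout switches; all categories are enabled by default.
    breakout: Dict[str, bool] = field(
        default_factory=lambda: {c: True for c in set(SIGNATURES.values())})
    # App-specific DNS forwarding rules: category -> site-specific DNS server.
    app_dns_forwarders: Dict[str, str] = field(default_factory=dict)

def classify(hostname: str) -> Optional[str]:
    """Classify a flow on its first packet by matching the hostname against signatures."""
    name = hostname.lower().rstrip(".")
    for suffix, category in SIGNATURES.items():
        if name.endswith(suffix):
            return category
    return None

def breakout_allowed(category: Optional[str], policy: SitePolicy) -> bool:
    """Breakout needs a classified category, an Internet service, and the category enabled."""
    return category is not None and policy.internet_service and policy.breakout.get(category, False)

def dns_forwarder(hostname: str, policy: SitePolicy) -> Optional[str]:
    """DNS steering: app-specific server if a rule exists, else Quad9; None = not intercepted."""
    category = classify(hostname)
    if not breakout_allowed(category, policy):
        return None  # query follows the site's normal DNS path
    return policy.app_dns_forwarders.get(category, QUAD9)

def route(hostname: str, policy: SitePolicy) -> Tuple[str, Optional[str]]:
    """Route decision for the flow: direct Internet breakout or backhaul over the virtual path."""
    category = classify(hostname)
    if breakout_allowed(category, policy):
        return ("internet-breakout", category)
    return ("virtual-path", category)
```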

Monitoring

You can monitor the Citrix Cloud and Gateway Service real-time statistics and usage report as follows:

  • Real-time Statistics

[Figure: Gateway service statistics 1]

[Figure: Gateway service statistics 2]

  • Real-time Firewall Connections

[Figure: Gateway service firewall connection 1]

[Figure: Gateway service firewall connection 2]

  • Usage

[Figure: Gateway service usage]

Troubleshooting

Connectivity errors are logged in the SDWAN_dpi.log file. To download the log file, navigate to Troubleshooting > Device Logs, select the required site, choose the log file, and click Download.

[Figure: Gateway service troubleshooting]

You can also verify the device alerts. To verify, navigate to Network > Alerts.

[Figure: Gateway service alert]
