Delivery service set
Delivery service set allows you to configure delivery services such as the Internet, Intranet, IPsec, and LAN GRE. The delivery services are defined globally and applied to WAN links at individual sites, as applicable. Each WAN link can apply all or a subset of the relevant services, and set up relative shares of bandwidth (%) among all the delivery services. The Virtual Path service is available on all the links by default. The other services can be added as needed.
To configure services, in the customer configuration page, navigate to Configuration > Delivery Service Set > Service Configuration.
An Internet service is created by default. Branch traffic reaches the internet through the configured transit sites.
Click Add Service and select the Service Type of the add-on delivery service that you want to create, then proceed with the configuration.
The Internet service definition is available by default as part of the Delivery service set. You can configure the route cost and the transit sites.
You can add sites as Internet transit sites to enable Internet access to the sites that do not have direct Internet connectivity.
Each transit site can be assigned a route cost. Sites that have the Internet service available access the internet directly, because the direct route is the lowest-cost routing path. Sites without the Internet service route to the internet through the configured transit sites. When Internet transit sites are configured, routes to the internet through these transit sites are automatically pushed to all the sites.
For example, if San Francisco and New York are configured as Internet transit sites, routes to the internet through San Francisco and New York are automatically pushed to all the sites.
You can create multiple Intranet services. Once an Intranet service is created at the global level, you can reference it at the WAN link level.
Provide a Service Name, and select the desired Routing Domain and Firewall Zone.
Intranet networks: Add all the intranet IP networks across the network that other sites might need to reach.
Intranet transit sites: Add sites as transit sites to enable the sites without the Intranet service to reach the configured intranet networks. Each transit site can be assigned a route cost. Sites that have the Intranet service available reach the intranet networks directly, because the direct route is the lowest-cost routing path. Sites without the Intranet service route to the intranet networks through the configured transit sites. When transit sites are configured, routes to the intranet networks through these transit sites are automatically pushed to all the sites.
For example, assume that 10.2.1.0/24 is an intranet network, and Austin and Dallas are configured as transit sites. Routes to 10.2.1.0/24 through Austin and Dallas are automatically pushed to all the sites.
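The transit-site rule is the same for the Internet service and the Intranet service: a site that has the service uses its direct route, and every other site picks the lowest-cost configured transit site. The following Python model is an added example, not Citrix code; the Site data model, the assumed cost of 0 for a direct route, the name-based tie-break, and the San Francisco/New York topology are all constructed for the example.

```python
"""Model of transit-site route selection for the Internet and Intranet
delivery services.

Added example, not Citrix code: it reproduces the documented rule that a
site with the service available uses the direct route (lowest cost) and a
site without it picks the lowest-cost configured transit site.  The data
model and the cost assumed for a direct route are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Site:
    name: str
    has_service: bool = False            # service configured on one of the site's own WAN links
    transit_cost: Optional[int] = None   # set when the site is configured as a transit site


DIRECT_COST = 0  # assumption: a direct route always costs less than any transit route


def routes_for(site: Site, transits: List[Site]) -> List[Tuple[int, str]]:
    """Return (cost, next_hop) candidates for one site, lowest cost first.

    'direct' means the site reaches the service over its own WAN link;
    otherwise the next hop is the name of a transit site reached over the
    Virtual Path.  A transit site never routes through itself.
    """
    candidates: List[Tuple[int, str]] = []
    if site.has_service:
        candidates.append((DIRECT_COST, "direct"))
    for transit in transits:
        if transit.name != site.name and transit.transit_cost is not None:
            candidates.append((transit.transit_cost, transit.name))
    # Equal costs are ordered by next-hop name so the result is deterministic (assumption).
    return sorted(candidates)


def build_routing(sites: List[Site]) -> Dict[str, List[Tuple[int, str]]]:
    """Push the transit routes to every site and return each site's ordered candidates."""
    transits = [s for s in sites if s.transit_cost is not None]
    return {s.name: routes_for(s, transits) for s in sites}


def best_next_hop(sites: List[Site], name: str) -> Optional[str]:
    """Lowest-cost next hop for one site, or None if it has no route to the service."""
    routes = build_routing(sites)[name]
    return routes[0][1] if routes else None


# Constructed topology: San Francisco and New York are transit sites with
# their own service; Austin and Dallas are branches without it.
SAMPLE_SITES = [
    Site("San Francisco", has_service=True, transit_cost=5),
    Site("New York", has_service=True, transit_cost=10),
    Site("Austin"),
    Site("Dallas"),
]

if __name__ == "__main__":
    for site_name, routes in build_routing(SAMPLE_SITES).items():
        print(f"{site_name:14} -> {routes}")
```

Running it prints, for each site, the full ordered candidate list rather than only the winner, which is what you want to look at when checking that a transit site's failure leaves a usable second route at every branch.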
LAN GRE service
You can configure SD-WAN appliances to terminate GRE tunnels on the LAN.
- Name: Name of the LAN GRE service.
- Routing Domain: The routing domain for the GRE tunnel.
- Firewall Zone: The firewall zone chosen for the tunnel. By default, the tunnel is placed into the Default_LAN_Zone.
- Keep alive: The period between keep-alive messages. If set to 0, no keep-alive packets are sent and the tunnel stays up, so the appliance has no keep-alive based way to detect that the peer has gone down.
- Keep alive Retries: The number of keep-alive packets that the Citrix SD-WAN appliance sends without a response before it brings the tunnel down.
- Checksum: Enable or disable the checksum in the tunnel's GRE header.
- Site Name: The site to map the GRE tunnel to.
- Source IP: The source IP address of the tunnel. This is one of the virtual interfaces configured at this site; the selected routing domain determines the available source IP addresses.
- Public Source IP: The source IP address to use if the tunnel traffic passes through NAT.
- Destination IP: The destination IP address of the tunnel.
- Tunnel IP/Prefix: The IP address and Prefix of the GRE Tunnel.
- Tunnel Gateway IP: The next hop IP Address to route the Tunnel traffic.
- LAN Gateway IP: The next hop IP Address to route the LAN traffic.
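The Keep alive and Keep alive Retries settings above interact: the period decides whether liveness is checked at all, and the retry count decides how many consecutive unanswered keep-alives are tolerated. The following Python state model is an added example, not Citrix code; the per-interval reply/no-reply event format, the constructed timeline, and the rule that a tunnel that has gone down stays down are assumptions made for the example.

```python
"""State model of the LAN GRE keep-alive settings.

Added example, not Citrix code: it encodes the documented rules that a
Keep alive period of 0 sends nothing and leaves the tunnel up, and that
after Keep alive Retries consecutive unanswered keep-alives the tunnel is
brought down.  The per-interval event format and the rule that a tunnel
that has gone down stays down are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class GreKeepalive:
    period: int          # seconds between keep-alives; 0 disables them
    retries: int         # unanswered keep-alives tolerated before the tunnel goes down
    missed: int = 0      # consecutive keep-alives sent without a reply
    up: bool = True

    def interval(self, peer_replied: bool) -> bool:
        """Advance one keep-alive period and return whether the tunnel is still up."""
        if self.period == 0:
            # Nothing is sent, so nothing can be missed: the tunnel stays up
            # even when the peer is unreachable (no keep-alive based detection).
            return self.up
        if not self.up:
            return False      # assumption: no automatic recovery in this model
        if peer_replied:
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.up = False
        return self.up


def tunnel_up_after(period: int, retries: int, replies: List[bool]) -> bool:
    """Replay a sequence of per-interval events (True = peer answered) and report the final state."""
    keepalive = GreKeepalive(period, retries)
    for replied in replies:
        keepalive.interval(replied)
    return keepalive.up


# Constructed reply timeline: the peer answers, drops two, answers once, then goes silent.
TIMELINE = [True, False, False, True, False, False, False]

if __name__ == "__main__":
    print("period 10, retries 3:", tunnel_up_after(10, 3, TIMELINE))   # False
    print("period 10, retries 4:", tunnel_up_after(10, 4, TIMELINE))   # True
    print("period 0,  retries 3:", tunnel_up_after(0, 3, TIMELINE))    # True
```

The third case is the one to watch in a production configuration: with the period set to 0 the retry count is irrelevant, and traffic keeps being sent into a tunnel whose far end may already be gone.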
If you are configuring the Zscaler service, configure a LAN GRE service: provide a service name, select the routing domain and firewall zone, and add site bindings. For more information about the Zscaler service, see Zscaler Integration by using GRE tunnels and IPsec tunnels.
Citrix SD-WAN appliances can negotiate fixed IPsec tunnels with third-party peers on the LAN or WAN side. You define the tunnel end-points and map sites to them. You can also select and apply an IPsec security profile that defines the security protocol and IPsec settings. For more information, see IPsec Profiles.
To configure an IPsec tunnel:
Specify the service details.
- Service Name: Name of the IPsec service.
- Service Type: Select the service that the IPsec tunnel uses.
- Routing Domain: For IPsec tunnels over the LAN, select a routing domain. If the IPsec tunnel uses an Intranet service, the Intranet service determines the routing domain.
- Firewall Zone: The firewall zone for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
Add the tunnel end-point.
- Name: When the Service Type is Intranet, choose the Intranet service that the tunnel protects. Otherwise, enter a name.
- Peer IP: The IP address of the remote peer.
- IPsec Profile: The IPsec security profile that defines the security protocol and IPsec settings. For more information, see IPsec Profiles.
- Pre Shared Key: The pre-shared key used for IKE authentication.
- Peer Pre Shared Key: The pre-shared key used for IKEv2 authentication.
- Identity Data: The data to be used as the local identity, when using manual identity or User FQDN type.
- Peer Identity Data: The data to be used as the peer identity, when using manual identity or User FQDN type.
- Certificate: If you chose Certificate as the IKE authentication method, choose one of the configured certificates.
Map the tunnel end-point to a site.
- Choose Endpoint: The end-point to be mapped to a site.
- Site Name: The site to be mapped to the end-point.
- Virtual Interface Name: The virtual interface at the site to be used as the end-point.
- Local IP: The local virtual IP address to use as the local tunnel end-point.
Create the protected network.
- Source Network IP/Prefix: The source IP address and prefix of the network traffic that the IPsec tunnel protects.
- Destination Network IP/Prefix: The destination IP address and prefix of the network traffic that the IPsec tunnel protects.
Ensure that the IPsec configuration is mirrored on the peer appliance: the peer's local settings (IP address, identity, pre-shared key) must match your peer settings and vice versa, both ends must use the same IPsec profile, and the peer's protected networks must be the reverse of yours.
For more information, see How to configure IPsec tunnels for virtual and dynamic paths.
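Mirroring the configuration on the peer is where most fixed IPsec tunnel problems originate, so it is worth checking mechanically before committing. The following Python check is an added example, not Citrix code: it takes the end-point as entered on the local appliance and as entered on the peer and lists every field that is not a mirror image. The dictionary layout is an assumption; its keys follow the field names of the procedure above, a `peer_pre_shared_key` of `None` models a single IKE key entered on both sides, and the addresses, keys, identities, profile name and networks in the sample are constructed.

```python
"""Mirror check for an IPsec tunnel end-point configuration.

Added example, not Citrix code.  The dictionary layout is an assumption
made for this example; keys follow the field names in the procedure.
A 'peer_pre_shared_key' of None models a single shared IKE key entered
on both sides (assumption).
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List


def mirror_mismatches(local: Dict, peer: Dict) -> List[str]:
    """Return human-readable mismatches; an empty list means the two ends mirror each other."""
    problems: List[str] = []

    # Addresses cross: my Peer IP must be their Local IP and vice versa.
    if ip_address(local["peer_ip"]) != ip_address(peer["local_ip"]):
        problems.append(f"local peer_ip {local['peer_ip']} != peer local_ip {peer['local_ip']}")
    if ip_address(local["local_ip"]) != ip_address(peer["peer_ip"]):
        problems.append(f"local local_ip {local['local_ip']} != peer peer_ip {peer['peer_ip']}")

    # Both ends must select the same IPsec profile (security protocol and settings).
    if local["ipsec_profile"] != peer["ipsec_profile"]:
        problems.append("ipsec_profile differs")

    # Keys: with a single IKE key both sides enter the same value; with
    # separate IKEv2 keys, my Pre Shared Key is their Peer Pre Shared Key.
    if local["peer_pre_shared_key"] is None or peer["peer_pre_shared_key"] is None:
        if local["pre_shared_key"] != peer["pre_shared_key"]:
            problems.append("pre_shared_key differs")
    else:
        if local["pre_shared_key"] != peer["peer_pre_shared_key"]:
            problems.append("local pre_shared_key != peer peer_pre_shared_key")
        if local["peer_pre_shared_key"] != peer["pre_shared_key"]:
            problems.append("local peer_pre_shared_key != peer pre_shared_key")

    # Identities cross the same way as the keys.
    if local["identity_data"] != peer["peer_identity_data"]:
        problems.append("local identity_data != peer peer_identity_data")
    if local["peer_identity_data"] != peer["identity_data"]:
        problems.append("local peer_identity_data != peer identity_data")

    # Protected networks: each (source, destination) pair on one side must
    # appear as (destination, source) on the other, compared as prefixes.
    mine = {(ip_network(s), ip_network(d)) for s, d in local["protected_networks"]}
    theirs = {(ip_network(d), ip_network(s)) for s, d in peer["protected_networks"]}
    for s, d in sorted(mine - theirs, key=str):
        problems.append(f"peer has no mirror of protected network {s} -> {d}")
    for s, d in sorted(theirs - mine, key=str):
        problems.append(f"local has no protected network {s} -> {d} mirroring the peer's {d} -> {s}")
    return problems


# Constructed sample: an SD-WAN site and a third-party firewall (all values invented).
LOCAL = {
    "local_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
    "ipsec_profile": "example-profile",
    "pre_shared_key": "local-key-example", "peer_pre_shared_key": "peer-key-example",
    "identity_data": "sdwan-austin.example.net", "peer_identity_data": "fw-dallas.example.net",
    "protected_networks": [("10.2.1.0/24", "10.9.0.0/16")],
}
PEER_OK = {
    "local_ip": "198.51.100.20", "peer_ip": "203.0.113.10",
    "ipsec_profile": "example-profile",
    "pre_shared_key": "peer-key-example", "peer_pre_shared_key": "local-key-example",
    "identity_data": "fw-dallas.example.net", "peer_identity_data": "sdwan-austin.example.net",
    "protected_networks": [("10.9.0.0/16", "10.2.1.0/24")],
}
# Same peer with a typo in the PSK and a too-wide destination prefix.
PEER_BAD = dict(PEER_OK, pre_shared_key="wrong", protected_networks=[("10.9.0.0/16", "10.2.0.0/16")])

if __name__ == "__main__":
    print("mirrored:", mirror_mismatches(LOCAL, PEER_OK))
    print("broken:  ", mirror_mismatches(LOCAL, PEER_BAD))
```

Equality of the profile name only shows that both ends picked the same profile name; the contents of that profile (the security protocol and IPsec settings it defines) must also match on the peer, which this check cannot see. Any non-empty result is a reason to expect the tunnel not to negotiate or to protect the wrong traffic.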
You can define the bandwidth share percentage globally for Internet, private Intranet, and MPLS links. While configuring WAN links, you can use these global defaults or configure link-specific service bandwidth settings.
To set up the bandwidth share, navigate to Configuration > Delivery Service Set > Service Bandwidth.
Click the edit icon for an access type and set the share percentages for the Virtual Path, Internet, and Intranet services.