Delivery services allow you to configure delivery services such as the Internet, Intranet, IPsec, and LAN GRE. The delivery services are defined globally and applied to WAN links at individual sites, as applicable.
Each WAN link can apply all or a subset of the relevant services, and setup relative shares of bandwidth (%) among all the delivery services.
Virtual Path service is available on all the links by default. The other services can be added as needed.
Delivery Services are delivery mechanisms available on Citrix SD-WAN to steer different applications or traffic profiles using the right delivery methods based on business intent.
Delivery Services can be broadly categorized as the following:
Virtual Path Service: The dual-ended overlay SD-WAN tunnel that offers secure, reliable, and high-quality connectivity between two sites hosting SD-WAN appliances or virtual instances.
- Click the Setting option next to the Virtual Path service to enable the auto-bandwidth provisioning across virtual paths. Set the minimum reserved bandwidth for each virtual path in Kbps. This setting is applied to all the WAN links across all sites in the network.
Internet Service: Direct channel between an SD-WAN site and public internet, with no SD-WAN encapsulation involved. Citrix SD-WAN supports session load-balancing capability for internet-bound traffic across multiple Internet links.
Citrix Secure Internet Access: Citrix Secure Internet Access (CSIA) provides a full cloud-delivered security stack to protect users, applications, and data against all threats without compromising the employee experience.
Cloud Direct Service: A cloud service that delivers SD-WAN functionalities for all internet-bound traffic regardless of the host environment.
Intranet Service: Underlay link based connectivity from an SD-WAN site to any non-SD-WAN site.
The traffic is unencapsulated or can use any non-virtual path encapsulation such as IPsec, GRE. You can set up multiple Intranet services.
Service and bandwidth
Under Service and Bandwidth tab, you can view an internet service is created by default. The branch traffic uses the transit sites to reach the internet. This section allows you to define new delivery services and default bandwidth allocation proportion (%) across all the delivery services. The bandwidth allocation needs across delivery services might vary based on the type of link involved.
For example, if you are using multiple SaaS applications, allocate a large proportion of bandwidth on your internet links for Internet service for direct internet breakout. On your MPLS links, allocate more bandwidth for Virtual path service or Intranet Service depending on whether your SD-WAN sites have most of the traffic going to other SD-WAN sites or non-SD-WAN sites.
Based on your requirements, you can define global bandwidth share defaults across delivery services for each link type – Internet links, MPLS links, and Private Intranet links.
The default values can be overridden on individual links. While configuring WAN links, you can choose to use these global defaults or configure link specific service bandwidth settings. Configuration of a non-zero bandwidth share is required for any delivery service to be enabled and active on a link.
Citrix Secure Internet Access
Citrix Secure Internet Access (CSIA) service is a Citrix owned service. Citrix Secure Internet Access provides a full cloud-delivered security stack to protect users, applications, and data against all threats without compromising the employee experience. Any Citrix SD-WAN appliances can tunnel the traffic to the CSIA service.
The CSIA service is available under Configuration > Delivery Services > Service and Bandwidth > Secure Internet Access Service (at network level).
The CSIA service link is only visible if you are an SD-WAN Orchestrator customer and have CSIA entitlement.
Before enabling the CSIA service on Citrix SD-WAN, adhere to the following prerequisites:
Have deployed an SD-WAN overlay, with at least two sites running.
Limit the deployment to a single routing domain (default routing domain).
In Citrix SD-WAN route tables, identify the current default routes (0.0.0.0/0) in the network and their associated cost (ensure these routes do not have a lower route cost than the CSIA route, which is configured with a default cost 45).
Create Citrix Secure Internet Access service
To create a CSIA service, first adjust the provisioning on the CSIA service at the global level by enabling a bandwidth percentage for the internet link type, and readjust the overall internet link provisioning from the virtual path service. Click Save.
At a global level, without the provisioning value for the CSIA service, the SIA site automated IPsec provisioning will FAIL.
To map the site to the CSIA service, click the setting (gear) icon next to the Citrix Secure Internet Access Service. The SIA Service link takes you to the CSIA Service dashboard page.
Creating an SIA service internally creates an automatic INTRANET service with the routing domain chosen during the CSIA site configuration and Preserve route to Intranet service which is the ignore WAN link status knob automatically.
Click the + Site option to add a site for the CSIA service.
IPsec and GRE tunnels are supported currently.
Tunnel Type: The tunnel type defaults to IPsec. Additional types are added later.
Regions: Select the regions from the drop-down list. You can select a maximum of two regions. The regions are the points of presence (POPs) that has the CSIA service.
You can select all regions/groups or the default option along with the site as needed. Click Review and then Save the configuration. By default, the regions are auto selected and can be manually overridden. Choosing Auto selects the closest 2 PoPs for the IPsec tunnel (based on the geo location of the site created in Citrix SD-WAN Orchestrator). Maximum of 2 PoPs are selected for creating a redundant ACTIVE-STANDBY tunnel to the 2 different PoPs.
Ensure to configure the proper site address of the branch in the site level configuration so that the closest PoP selection can be automated.
Select the site that must be automatically provisioned from Citrix SD-WAN site to the CSIA Cloud PoP(s) and click Review.
Verify your settings and click Save.
If the tunnel type is GRE, you need to provide the GRE Tunnel IP/Prefix input and save the configuration.
Once the site is added and if the service provisioning was provided in the Delivery Services section, the site provisioning is successful (status indicates that Site Provisioning Success).
Before deploying the configuration, you can also configure the application routes to direct traffic to this service.
After adding the site successfully, verify, stage, and activate the configuration to enable the IPsec tunnel establishment between Citrix SD-WAN and the CSIA cloud PoP. At the network level, navigate to Configuration > Network Config Home > click Deploy Config/Software.
Click Stage and Activate and ensure the deployed sites indicate the status that Activation Complete.
The IPsec tunnel gets deployed after successful activation of the configuration. If there is a failure to connect to the CSIA network/adding a site or if the tunnel is in a bad state, click Refresh to reprovision or retry connectivity.
Once the tunnels are configured successfully and UP, the info icon provides the details of CSIA tunnel configuration and status. You can verify the tunnel state with local and remote endpoint. Also, the tunnel status with the statistics of packets inbound and outbound.
You can also verify the status of the IPsec tunnel by selecting the specific site from the Reports > Real Time > Statistics > IPSec Tunnel > click Retrieve Latest Data.
You can Edit or Delete a site specific CSIA configuration using the Actions column. To delete all CSIA configured sites at once, click Delete All.
Once the tunnels are configured, you need to steer the traffic to those tunnels. Traffic redirection can be steered through routes (application routes) assigned to a certain service. Create the application route by including the corresponding applications, which must be steered through the CSIA service.
For CSIA, you can select the default application group or create an application group and assign to CSIA service. Perform one of the following actions as required:
Click the Default SIA Group link and you can select the All Apps check box under the Default CSIA Group.
Under Application Group Match Criteria section, select the Application Type and the Application from the drop-down list and click Add.
Click Save to configure the selected match criteria and based on your selection, the traffic can be tunneled to CSIA.
For the Traffic Steering setting, the defaults value with a route cost is 45. If you have Internet Service or a backhaul route configured in this environment, those routes need to be configured with a higher route cost so that CSIA redirection takes precedence. For instance, if Internet Service is enabled, you can edit the settings (gear icon) and set a higher route cost.
You must perform another Stage and Activate from the Network Config Home page if you have not configured this during the initial setup of CSIA service.
Any user device in this SD-WAN network that is deployed with Cloud Connector software agents also must be steered accordingly.
To avoid double redirection (once through Cloud Connector proxy and again through SD-WAN tunnels), you can configure a custom application to filter any traffic destined for the CSIA gateway and reporter nodes, along with other know TCP ports expected to be used by the Cloud Connectors and bypass them from tunnel usage. This allows users of managed devices with Cloud Connector to freely come and go to the SD-WAN site. Manged devices, which Cloud Connector can make use of Internet Service while unmanaged devices make use of the tunnels for redirection.
From Configuration > App & DNS Settings > click + Custom Applications to create a Custom Application to filter for Cloud Connector traffic. TCP port 443 to the public IP addresses associated with your CSIA gateway and report node. Along with additional TCP ports Cloud Connector might use.
From Configuration > Routing > Routing Policies, create an Application Route to steer traffic custom application to Internet service for the target site(s).
Cloud direct service
Cloud Direct service delivers SD-WAN functionalities as a cloud service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (data center, cloud, and internet).
Cloud Direct Service:
- Improves network visibility and management.
- Enables partners to offer managed SD-WAN services for business critical SaaS applications to their end customers.
Cloud direct service offers the following advantages:
- Redundancy: Uses multiple internet WAN links and provides a seamless failover.
- Link aggregation: Uses all internet WAN links at the same time.
- Intelligent load-balancing across WAN connections from different providers:
- Measuring packet loss, jitter and throughput.
- Custom application identification.
- Application requirement and circuit performance matching (adapt to real-time network conditions).
- SLA-grade Dynamic QoS Capability to internet circuit:
- Dynamically adapts to varying circuit throughput.
- Adaption through a tunnel at ingress and egress endpoints.
- Rerouting VOIP calls between circuits without dropping the call.
- End-to-end monitoring and visibility.
To configure sites for Cloud Direct Service, from customer level, navigate to Configuration > Delivery Services > Service & Bandwidth, then click the setting icon next to the Cloud Direct Service.
Click + Cloud Direct Service to add sites. To steer specific applications through cloud direct, you can add the relevant applications from the Default Cloud Direct App Group link.
You can choose the Region and select the sites accordingly.
Click Review to view the sites that you have selected and then click Save.
You can view that the site is created with the following detail:
- Site Status: Shows the status whether the site is deployed or not. If deployed, the status would hint whether the Cloud Direct site is online or not.
- Site Name: Displays the site name for which the Cloud Direct feature is being deployed.
- Platform: For the selected site, the corresponding appliance model name is auto populated and displayed here, such as – 210-SE.
- Billing Status: Displays Billing status.
- Licensed Cloud Direct Bandwidth (Mbps): Displays Cloud Direct subscription bandwidth information. The subscription bandwidth is associated with the licensing for the Cloud Direct service.
- Enabled links count: Displays the count of WAN links enabled for this service.
- Actions: You can either choose to delete the Cloud Direct site configuration created for this SD-WAN appliance or view the Cloud Direct site configuration and WAN link details in read-only mode.
Click the site entry and you can edit the subscription bandwidth and make changes to the WAN link being selected for this service. Also, you can edit Ingress (upload) and Egress (download) speeds for Cloud Direct service on each of the selected WAN links.
- By-default, it picks the first four internet WAN links.
- Cloud Direct Ingress (upload) and Egress (download) speed value must not be greater than the subscription bandwidth value.
You can create application objects for application-based routes. Create the application route by including the corresponding applications, which must be steered through the Cloud Direct service. For more information, see Routing policies.
There are other settings available for Internet and Intranet services, which can be customized by using the settings icon that displayed against each service.
Click + Service and select a Service Type. Depending on the add-on delivery service that you would like to create, choose the required service type, and proceed with the configuration.
Internet Service is available by default as part of the Delivery services. You can configure the internet service route cost relative to other delivery services. You can also preserve the route to the internet from the link even if all the associated paths are down.
You can create multiple intranet services. Once the intranet service is created at the global level, you can reference it at the WAN Link level. Provide a Service Name, select the desired Routing Domain and Firewall Zone. Add all the intranet IP addresses across the network, that other sites in the network might interact. You can also preserve the route to intranet from the link even if all the associated paths are down.
You can configure SD-WAN appliances to terminate GRE tunnels on the LAN.
- Service Type: Select the service that the GRE tunnel uses.
- Name: Name of the LAN GRE service.
- Routing Domain: The routing domain for the GRE tunnel.
- Firewall Zone: The firewall zone chosen for the tunnel. By default, the tunnel is placed into the Default_LAN_Zone.
- MTU: Maximum transmission unit — the size of the largest IP datagram that can be transferred through a specific link. The range is from 576 to 1500. Default value is 1500.
- Keep alive: The period between sending keep alive messages. If configured to 0, no keep alive packets is sent, but the tunnel stays up.
- Keep alive Retries: The number of times that the Citrix SD-WAN Appliance sends keep alive packets without a response before it brings the tunnel-down.
- Checksum: Enable or disable Checksum for the tunnel’s GRE header.
- Site Name: The site to map the GRE tunnel.
- Source IP: The source IP address of the tunnel. This is one of the Virtual Interfaces configured at this site. The selected routing domain determines the available Source IP addresses.
- Public Source IP: The source IP if the tunnel traffic is going through NAT.
- Destination IP: The destination IP address of the tunnel.
- Tunnel IP/Prefix: The IP address and Prefix of the GRE Tunnel.
- Tunnel Gateway IP: The next hop IP Address to route the Tunnel traffic.
- LAN Gateway IP: The next hop IP Address to route the LAN traffic.
The Zscaler Cloud Security Platform provides a series of security check posts in more than 100 data centers around the world. By simply redirecting the internet traffic to the Zscaler service, you can immediately secure your stores, branches, and remote locations.
Citrix SD-WAN Orchestrator service provides partner authentication to Zscaler Cloud. To authenticate, click the Settings icon next to Zscaler listed under the Delivery Services column.
Enter your User Name and Password.
Cloud Name: The cloud name that is available in the URL that administrators use to log into the Zscaler service. In the following example, help.zscaler.com is the URL and Zscaler.com is the Cloud name.
To maximize operational efficiency, Zscaler built global multi-cloud infrastructure with high scalability. An organization is provided access to a particular Zscaler cloud to log in to their admin portal. And the same Zscaler cloud is responsible to process traffic initiated from that organization.
API Key: The Partner Integration Citrix SD-WAN Key.
Click +Site to add a site for Zscaler service. An IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies.
Automatic Pop selection: When selected, the Citrix SD-WAN Orchestrator service automatically picks the Primary and secondary ZEN closest to your site based on the geo-location lookup of IP addresses of WAN links. When cleared, select the ZENs manually.
Primary Zscaler Region: The region to which the primary ZEN belongs.
Primary Zscaler Pop: The primary ZEN.
Secondary Zscaler Region: The region to which the secondary ZEN belongs.
Secondary Zscaler Pop: The secondary ZEN.
Select the Regions and Sites.
Review and Save the configuration. After adding the site successfully, verify, stage, and activate the configuration. The IPsec tunnels get deployed after successful activation of the configuration. The info icon provides the details of Zscaler tunnel configuration and status. If there is a failure to connect to the Zscaler network/adding a site, click Refresh to retry connectivity.
Allocate the bandwidth for the Zscaler Service. Link-specific WAN-link configuration for the Zscaler Service allows you to specify different bandwidth allocation other than the global allocation.
You can Edit or Delete a site specific Zscaler configuration using the Actions column. To delete all Zscaler configured sites at once, click Delete All.
Citrix SD-WAN appliances can negotiate fixed IPsec tunnels with third-party peers on the LAN or WAN side. You can define the tunnel end-points and map the sites to the tunnel end-points.
You can also select and apply an IPsec security profile that define the security protocol and IPsec settings.
To configure an IPsec tunnel:
Specify the service details.
- Service Name: The name of the IPsec service.
- Service Type: Select the service that the IPsec tunnel uses.
- Routing Domain: For IPsec tunnels over LAN, select a routing domain. If the IPsec Tunnel uses an intranet service, the intranet service determines the routing domain.
- Firewall Zone: The firewall zone for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
Add the tunnel end-point.
- Name: When Service Type is Intranet, choose an Intranet Service the tunnel protects. Otherwise, enter a name for the service.
- Peer IP: The IP address of the remote peer.
- IPsec Profile: IPsec security profile that define the security protocol and IPsec settings.
- Pre Shared Key: The pre-shared key used for IKE authentication.
- Peer Pre Shared Key: The pre-shared key used for IKEv2 authentication.
- Identity Data: The data to be used as the local identity, when using manual identity or User FQDN type.
- Peer Identity Data: The data to be used as the peer identity, when using manual identity or User FQDN type.
- Certificate: If you choose Certificate as the IKE authentication, choose from the configured certificates.
Map sites to the tunnel end-points.
- Choose Endpoint: The end-point to be mapped to a site.
- Site Name: The site to be mapped to the end-point.
- Virtual Interface Name: The virtual interface at the site to be used as the end-point.
- Local IP: The local virtual IP address to use as the local tunnel end-point.
- Gateway IP: The next hop IP address.
Create the protected network.
- Source Network IP/Prefix: The source IP address and Prefix of the network traffic that the IPsec tunnel protects.
- Destination Network IP/Prefix: The destination IP address and Prefix of the network traffic that the IPsec tunnel protects.
Ensure that the IPsec configurations are mirrored on the peer appliance.
For more information, see How to configure IPsec tunnels for virtual and dynamic paths.
Dynamic virtual path settings
The global dynamic virtual path settings allow admins to configure dynamic virtual path defaults across the network.
A dynamic virtual path is instantiated dynamically between two sites to enable direct communication, without any intermediate SD-WAN node hops. Similarly, the dynamic virtual path connection is removed dynamically too. Both the creation and removal of dynamic virtual paths are triggered based on bandwidth thresholds and time settings.
Click Verify Config to validate any audit error.
The following are some of the supported settings:
- Provision to enable or disable dynamic virtual paths across the network
- The route cost for dynamic virtual paths
- The QoS Profile to be used – Standard by default.
Dynamic Virtual Path Creation Criteria:
- Measurement interval (seconds): The amount of time over which the packet count and bandwidth are measured to determine if the dynamic virtual path must be created between two sites – in this case, between a given Branch and the Control Node.
- Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is triggered. In this case the threshold applies to the Control Node.
- Throughput threshold (pps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is triggered.
Dynamic Virtual Path Removal Criteria:
- Measurement interval (minutes): The amount of time over which the packet count and bandwidth are measured to determine if a Dynamic Virtual Path must be removed between two sites – in this case, between a given Branch and the Control Node.
- Throughput threshold (kbps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is removed.
- Throughput threshold (pps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which the Dynamic Virtual Path is removed.
- Wait time to flush dead virtual paths (m): The time after which a DEAD Dynamic Virtual Path is removed.
- Hold time before the recreation of dead virtual paths (m): The time after which a Dynamic Virtual Path removed for being DEAD can be recreated.
IPsec encryption profiles
To add an IPsec encryption profile, navigate to Configuration > Delivery Services > select IPsec Encryption Profiles.
IPsec provides secure tunnels. Citrix SD-WAN supports IPsec virtual paths, enabling third-party devices to terminate IPsec VPN Tunnels on the LAN or WAN side of a Citrix SD-WAN appliance. You can secure site-to-site IPsec Tunnels terminating on an SD-WAN appliance by using a 140-2 Level 1 FIPS certified IPsec cryptographic binary.
Citrix SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism.
IPsec profiles are used while configuring IPsec services as delivery service sets. In the IPsec security profile page, enter the required values for the following IPsec Encryption Profile, IKE Settings, and IPsec Settings.
Click Verify Config to validate any audit error.
IPsec encryption profile information
- Profile Name: Provide a profile name.
- MTU: Enter the maximum IKE or IPsec packet size in bytes.
- Keep Alive: Select the check box to keep the tunnel active and enable route eligibility.
IKE Version: Select an IKE protocol version from the drop-down list.
Mode: Select either Main mode or Aggressive mode from the drop-down list for the IKE Phase 1 negotiation mode.
- Main: No information is exposed to potential attackers during negotiation, but is slower than Aggressive mode. Main mode is FIPS compliant.
- Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but is faster than Main mode. Aggressive mode is Non-FIPS compliant.
- Authentication: Choose the authentication type as Certificate or Pre-shared Key from the drop-down menu.
- Identity: Select the identity method from the drop-down list.
- Peer Identity: Select the peer identity method from the drop-down list.
- DH Group: Select the Diffie-Hellman (DH) group that are available for IKE key generation.
- Hash Algorithm: Choose a hashing algorithm from the drop-down list to authenticate IKE messages.
- Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down list.
- Lifetime (s): Enter the preferred duration (in seconds) for an IKE security association to exist.
- Lifetime (s) Max: Enter the maximum preferred duration (in seconds) to allow an IKE security association to exist.
DPD timeout (s): Enter the Dead Peer Detection timeout (in seconds) for VPN connections.
Tunnel Type: Choose ESP, ESP+Auth, ESP+NULL, or AH as the tunnel encapsulation type from the drop-down list. These are grouped under FIPS compliant and Non-FIPS compliant categories.
- ESP: Encrypts the user data only
- ESP+Auth: Encrypts the user data and includes an HMAC
- ESP+NULL: Packets are authenticated but not encrypted
- AH: Only includes an HMAC
- PFS Group: Choose the Diffie-Hellman group to use for perfect forward secrecy key generation from the drop-down menu.
- Encryption Mode: Choose the Encryption Mode for IPsec messages from the drop-down menu.
- Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.
- Network Mismatch: Choose an action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.
- Lifetime (s): Enter the amount of time (in seconds) for an IPsec security association to exist.
- Lifetime (s) Max: Enter the maximum amount of time (in seconds) to allow an IPsec security association to exist.
- Lifetime (KB): Enter the amount of data (in kilobytes) for an IPsec security association to exist.
Lifetime (KB) Max: Enter the maximum amount of data (in kilobytes) to allow an IPsec security association to exist.
Network location service
Network location service (NLS) is a Citrix Cloud service that determines if the user connecting to Citrix Virtual Apps and Desktops is from the internal network. Using NLS, you can avoid manually configuring IP addresses of Citrix SD-WAN deployed locations through the PowerShell script. For detailed information on NLS, see Citrix Workspace Network Location Service.
You can enable NLS for all sites within the network or specific sites. The site enabled for NLS shares the Public IP address of all its internet WAN links along with other site details such as geographical location, time zone with the NLS database. With these details, the network location service determines if the user connecting to Citrix Virtual Apps and Desktops is on a network front ended by Citrix SD-WAN.
If a user request is coming from a network front ended by Citrix SD-WAN, the user is connected directly to Citrix Virtual Apps and Desktops Virtual Delivery Agent bypassing the Citrix Gateway service.
To enable NLS, at the network level, navigate to Configuration > Delivery Services > Network Location Service.
Select Enable if you want to enable NLS for all sites in the network. To enable NLS for specific sites, click Add/Remove Sites. Choose the Region and select the sites accordingly.
Click Review to view the sites that you have selected and click Done. Click Deploy.