Delivery services allow you to configure delivery services such as the Internet, Intranet, IPsec, and LAN GRE. The delivery services are defined globally and applied to WAN links at individual sites, as applicable.
Each WAN link can apply all or a subset of the relevant services, and setup relative shares of bandwidth (%) among all the delivery services.
Virtual Path service is available on all the links by default. The other services can be added as needed.
Delivery Services are delivery mechanisms available on Citrix SD-WAN to steer different applications or traffic profiles using the right delivery methods based on business intent.
Delivery Services can be broadly categorized as the following:
Virtual Path Service: The dual-ended overlay SD-WAN tunnel that offers secure, reliable, and high-quality connectivity between two sites hosting SD-WAN appliances or virtual instances.
- Internet Service: Direct channel between an SD-WAN site and public internet, with no SD-WAN encapsulation involved. Citrix SD-WAN supports session load-balancing capability for internet-bound traffic across multiple Internet links.
Intranet Service: Underlay link based connectivity from an SD-WAN site to any non-SD-WAN site.
The traffic is unencapsulated or can use any non-virtual path encapsulation such as IPsec, GRE. You can set up multiple Intranet services.
Service and bandwidth
Under Service and Bandwidth tab, you can view an internet service is created by default. The branch traffic uses the transit sites to reach the internet. This section allows you to define new delivery services and default bandwidth allocation proportion (%) across all the delivery services. The bandwidth allocation needs across delivery services might vary based on the type of link involved.
For example, if you are using multiple SaaS applications, allocate a large proportion of bandwidth on your internet links for Internet service for direct internet breakout. On your MPLS links, allocate more bandwidth for Virtual path service or Intranet Service depending on whether your SD-WAN sites have most of the traffic going to other SD-WAN sites or non-SD-WAN sites.
Based on your requirements, you can define global bandwidth share defaults across delivery services for each link type – Internet links, MPLS links, and Private Intranet links.
The default values can be overridden on individual links. While configuring WAN links, you can choose to use these global defaults or configure link specific service bandwidth settings. Configuration of a non-zero bandwidth share is required for any delivery service to be enabled and active on a link.
Cloud direct service
Cloud Direct service delivers SD-WAN functionalities as a cloud service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (data center, cloud, and internet).
Cloud Direct Service:
- Improves network visibility and management.
- Enables partners to offer managed SD-WAN services for business critical SaaS applications to their end customers.
Cloud direct service offers the following advantages:
- Redundancy: Uses multiple internet WAN links and provides a seamless failover.
- Link aggregation: Uses all internet WAN links at the same time.
- Intelligent load-balancing across WAN connections from different providers:
- Measuring packet loss, jitter and throughput.
- Custom application identification.
- Application requirement and circuit performance matching (adapt to real-time network conditions).
- SLA-grade Dynamic QoS Capability to internet circuit:
- Dynamically adapts to varying circuit throughput.
- Adaption through a tunnel at ingress and egress endpoints.
- Rerouting VOIP calls between circuits without dropping the call.
- End-to-end monitoring and visibility.
To configure sites for Cloud Direct Service, from customer level, navigate to Configuration > Delivery Services > Service & Bandwidth, then click the setting icon next to the Cloud Direct Service.
Click + Cloud Direct Service to add sites.
You can choose the Region and select the sites accordingly.
Click Review to view the sites that you have selected and then click Save.
You can view that the site is created with the following detail:
- Site Status: Shows the status whether the site is deployed or not. If deployed, the status would hint whether the Cloud Direct site is online or not.
- Site Name: Displays the site name for which the Cloud Direct feature is being deployed.
- Platform: For the selected site, corresponding appliance model name is auto populated and displayed here, such as – 210-SE.
- Billing Status: Displays Billing status.
- Licensed Cloud Direct Bandwidth (Mbps): Displays Cloud Direct subscription bandwidth information. The subscription bandwidth is associated with the licensing for the Cloud Direct service.
- Enabled links count: Displays the count of WAN links enabled for this service.
- Actions: You can either choose to delete the Cloud Direct site configuration created for this SD-WAN appliance or view the Cloud Direct site configuration and WAN link details in read-only mode.
Click the site entry and you can edit the subscription bandwidth and make changes to WAN link being selected for this service. Also, you can edit Ingress (upload) and Egress (download) speeds for Cloud Direct service on each of the selected WAN links.
- By-default, it picks first four internet WAN links.
- Cloud Direct Ingress (upload) and Egress (download) speed value must not be greater than the subscription bandwidth value.
You can create application objects for application-based routes. Create the application route by including the corresponding applications, which must be steered through Cloud Direct service. For more information, see Routing policies.
There are other settings available for Internet and Intranet services, which can be customized by using the setting icon that displayed against each service.
Click + New Service and select a Service Type. Depending on the add-on delivery service that you would like to create, choose the required service type, and proceed with the configuration.
Internet Service is available by default as part of the Delivery services. You can configure the internet service route cost relative to other delivery services. You can also preserve the route to internet from the link even if all the associated paths are down.
You can create multiple intranet services. Once the intranet service is created at the global level, you can reference it at the WAN Link level. Provide a Service Name, select the desired Routing Domain and Firewall Zone. Add all the intranet IP addresses across the network, that other sites in the network might interact. You can also preserve the route to intranet from the link even if all the associated paths are down.
You can configure SD-WAN appliances to terminate GRE tunnels on the LAN.
- Service Type: Select the service that the GRE tunnel uses.
- Name: Name of the LAN GRE service.
- Routing Domain: The routing domain for the GRE tunnel.
- Firewall Zone: The firewall zone chosen for the tunnel. By default, the tunnel is placed into the Default_LAN_Zone.
- MTU: Maximum transmission unit — the size of the largest IP datagram that can be transferred through a specific link. The range is from 576 to 1500. Default value is 1500.
- Keep alive: The period between sending keep alive messages. If configured to 0, no keep alive packets is sent, but the tunnel stays up.
- Keep alive Retries: The number of times that the Citrix SD-WAN Appliance sends keep alive packets without a response before it brings the tunnel-down.
- Checksum: Enable or disable Checksum for the tunnel’s GRE header.
- Site Name: The site to map the GRE tunnel.
- Source IP: The source IP address of the tunnel. This is one of the Virtual Interfaces configured at this site. The selected routing domain determines the available Source IP addresses.
- Public Source IP: The source IP if the tunnel traffic is going through NAT.
- Destination IP: The destination IP address of the tunnel.
- Tunnel IP/Prefix: The IP address and Prefix of the GRE Tunnel.
- Tunnel Gateway IP: The next hop IP Address to route the Tunnel traffic.
- LAN Gateway IP: The next hop IP Address to route the LAN traffic.
The Zscaler Cloud Security Platform provides a series of security check posts in more than 100 data centers around the world. By simply redirecting the internet traffic to the Zscaler service, you can immediately secure your stores, branches, and remote locations.
Citrix SD-WAN Orchestrator provides partner authentication to Zscaler Cloud. To authenticate, click the Settings icon next to Zscaler listed under the Delivery Services column.
Enter your User Name and Password.
Cloud Name: The cloud name that is available in the URL that administrators use to log into the Zscaler service. In the following example, help.zscaler.com is the URL and Zscaler.com is the Cloud name.
To maximize operational efficiency, Zscaler built global multi-cloud infrastructure with high scalability. An organization is provided access to a particular Zscaler cloud to log in to their admin portal. And the same Zscaler cloud is responsible to process traffic initiated from that organization.
API Key: The Partner Integration Citrix SD-WAN Key.
Click +Site to add a site for Zscaler service. An IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies.
Automatic Pop selection: When selected, the SD-Orchestrator automatically picks the Primary and secondary ZEN closest to your site based on the geo-location lookup of IP addresses of WAN links. When cleared, select the ZENs manually.
Primary Zscaler Region: The region to which the primary ZEN belongs.
Primary Zscaler Pop: The primary ZEN.
Secondary Zscaler Region: The region to which the secondary ZEN belongs.
Secondary Zscaler Pop: The secondary ZEN.
Select the Regions and Sites.
Review and Save the configuration. After adding the site successfully, verify, stage, and activate the configuration. The IPsec tunnels get deployed after successful activation of the configuration. The info icon provides the details of Zscaler tunnel configuration and status. If there is a failure to connect to the Zscaler network/adding a site, click Refresh to retry connectivity.
Allocate the bandwidth for the Zscaler Service. Link-specific WAN-link configuration for the Zscaler Service allows you to specify different bandwidth allocation other than the global allocation.
You can Edit or Delete a site specific Zscaler configuration using the Actions column. To delete all Zscaler configured sites at once, click Delete All.
Citrix SD-WAN appliances can negotiate fixed IPsec tunnels with third-party peers on the LAN or WAN side. You can define the tunnel end-points and map sites to the tunnel end-points.
You can also select and apply an IPsec security profile that define the security protocol and IPsec settings.
To configure an IPsec tunnel:
Specify the service details.
- Service Name: The name of the IPsec service.
- Service Type: Select the service that the IPsec tunnel uses.
- Routing Domain: For IPsec tunnels over LAN, select a routing domain. If the IPsec Tunnel uses an intranet service, the intranet service determines the routing domain.
- Firewall Zone: The firewall zone for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
Add the tunnel end-point.
- Name: When Service Type is Intranet, choose an Intranet Service the tunnel protects. Otherwise, enter a name for the service.
- Peer IP: The IP address of the remote peer.
- IPsec Profile: IPsec security profile that define the security protocol and IPsec settings.
- Pre Shared Key: The pre-shared key used for IKE authentication.
- Peer Pre Shared Key: The pre-shared key used for IKEv2 authentication.
- Identity Data: The data to be used as the local identity, when using manual identity or User FQDN type.
- Peer Identity Data: The data to be used as the peer identity, when using manual identity or User FQDN type.
- Certificate: If you choose Certificate as the IKE authentication, choose from the configured certificates.
Map sites to the tunnel end-points.
- Choose Endpoint: The end-point to be mapped to a site.
- Site Name: The site to be mapped to the end-point.
- Virtual Interface Name: The virtual interface at the site to be used as the end-point.
- Local IP: The local virtual IP address to use as the local tunnel end-point.
Create the protected network.
- Source Network IP/Prefix: The source IP address and Prefix of the network traffic that the IPsec tunnel protects.
- Destination Network IP/Prefix: The destination IP address and Prefix of the network traffic that the IPsec tunnel protects.
Ensure that the IPsec configurations are mirrored on the peer appliance.
For more information, see How to configure IPsec tunnels for virtual and dynamic paths.
Dynamic virtual path settings
The global dynamic virtual path settings allow admins to configure dynamic virtual path defaults across the network.
A dynamic virtual path is instantiated dynamically between two sites to enable direct communication, without any intermediate SD-WAN node hops. Similarly, the dynamic virtual path connection is removed dynamically too. Both the creation and removal of dynamic virtual paths are triggered based on bandwidth thresholds and time settings.
Click Verify Config to validate any audit error.
The following are some of the supported settings:
- Provision to enable or disable dynamic virtual paths across the network
- The route cost for dynamic virtual paths
- The QoS Profile to be used – Standard by default.
Dynamic Virtual Path Creation Criteria:
- Measurement interval (seconds): The amount of time over which the packet count and bandwidth are measured to determine if dynamic virtual path must be created between two sites – in this case, between a given Branch and the Control Node.
- Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, at which Dynamic Virtual Path is triggered. In this case the threshold applies to the Control Node.
- Throughput threshold (pps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which Dynamic Virtual Path is triggered.
Dynamic Virtual Path Removal Criteria:
- Measurement interval (minutes): The amount of time over which the packet count and bandwidth are measured to determine if a Dynamic Virtual Path must be removed between two sites – in this case, between a given Branch and the Control Node.
- Throughput threshold (kbps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which Dynamic Virtual Path is removed.
- Throughput threshold (pps) - The threshold of total throughput between two sites, measured over the Measurement interval, at which Dynamic Virtual Path is removed.
- Wait time to flush dead virtual paths (m): The time after which a DEAD Dynamic Virtual Path is removed.
- Hold time before the recreation of dead virtual paths (m): The time after which a Dynamic Virtual Path removed for being DEAD can be recreated.
IPsec encryption profiles
To add IPsec encryption profile, navigate to Configuration > Delivery Services > select IPsec Encryption Profiles.
IPsec provides secure tunnels. Citrix SD-WAN supports IPsec virtual paths, enabling third-party devices to terminate IPsec VPN Tunnels on the LAN or WAN side of a Citrix SD-WAN appliance. You can secure site-to-site IPsec Tunnels terminating on an SD-WAN appliance by using a 140-2 Level 1 FIPS certified IPsec cryptographic binary.
Citrix SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism.
IPsec profiles are used while configuring IPsec services as delivery service sets. In the IPsec security profile page, enter the required values for the following IPsec Encryption Profile, IKE Settings, and IPsec Settings.
Click Verify Config to validate any audit error.
IPsec encryption profile information
- Profile Name: Provide a profile name.
- MTU: Enter the maximum IKE or IPsec packet size in bytes.
- Keep Alive: Select the check box to keep the tunnel active and enable route eligibility.
IKE Version: Select an IKE protocol version from the drop-down list.
Mode: Select either Main mode or Aggressive mode from the drop-down list for the IKE Phase 1 negotiation mode.
- Main: No information is exposed to potential attackers during negotiation, but is slower than Aggressive mode.
- Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but is faster than Main mode.
- Authentication: Choose the authentication type as Certificate or Pre-shared Key from the drop-down menu.
- Identity: Select the identity method from the drop-down list.
- Peer Identity: Select the peer identity method from the drop-down list.
- DH Group: Select the Diffie-Hellman (DH) group that are available for IKE key generation.
- Hash Algorithm: Choose a hashing algorithm from the drop-down list to authenticate IKE messages.
- Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down list.
- Lifetime (s): Enter the preferred duration (in seconds) for an IKE security association to exist.
- Lifetime (s) Max: Enter the maximum preferred duration (in seconds) to allow an IKE security association to exist.
DPD timeout (s): Enter the Dead Peer Detection timeout (in seconds) for VPN connections.
Tunnel Type: Choose ESP, ESP+Auth, ESP+NULL, or AH as the tunnel encapsulation type from the drop-down list.
- ESP: Encrypts the user data only
- ESP+Auth: Encrypts the user data and includes an HMAC
- ESP+NULL: Packets are authenticated but not encrypted
- AH: Only includes an HMAC
- PFS Group: Choose Diffie-Hellman group to use for perfect forward secrecy key generation from the drop-down menu.
- Encryption Mode: Choose the Encryption Mode for IPsec messages from the drop-down menu.
- Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.
- Network Mismatch: Choose an action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.
- Lifetime (s): Enter the amount of time (in seconds) for an IPsec security association to exist.
- Lifetime (s) Max: Enter the maximum amount of time (in seconds) to allow an IPsec security association to exist.
- Lifetime (KB): Enter the amount of data (in kilobytes) for an IPsec security association to exist.
Lifetime (KB) Max: Enter the maximum amount of data (in kilobytes) to allow an IPsec security association to exist.