Delivery services let you configure services such as Internet, Intranet, IPsec, and LAN GRE. The delivery services are defined globally and applied to WAN links at individual sites, as applicable.
Each WAN link can apply all or a subset of the relevant services and set up relative shares of bandwidth (%) among all the delivery services.
Virtual Path service is available on all the links by default. The other services can be added as needed.
Delivery Services are delivery mechanisms available on Citrix SD-WAN to steer different applications or traffic profiles using the right delivery methods based on business intent.
Delivery Services can be broadly categorized as the following:
- Virtual Path Service: The dual-ended overlay SD-WAN tunnel that offers secure, reliable, and high-quality connectivity between two sites hosting SD-WAN appliances or virtual instances.
- Internet Service: Direct channel between an SD-WAN site and public internet, with no SD-WAN encapsulation involved. Citrix SD-WAN supports session load-balancing capability for internet-bound traffic across multiple Internet links.
- Intranet Service: Underlay link based connectivity from an SD-WAN site to any non-SD-WAN site. The traffic is unencapsulated or can use any non-virtual path encapsulation such as IPsec or GRE. You can set up multiple Intranet services.
Service and bandwidth
Under the Service and Bandwidth tab, you can see that an Internet service is created by default. The branch traffic uses the transit sites to reach the internet. This section allows you to define new delivery services and the default bandwidth allocation proportion (%) across all the delivery services. The bandwidth allocation needs across delivery services might vary based on the type of link involved.
For example, if you are using multiple SaaS applications, allocate a large proportion of bandwidth on your internet links for Internet service for direct internet breakout. On your MPLS links, allocate more bandwidth for Virtual path service or Intranet Service depending on whether your SD-WAN sites have most of the traffic going to other SD-WAN sites or non-SD-WAN sites.
Based on your requirements, you can define global bandwidth share defaults across delivery services for each link type – Internet links, MPLS links, and Private Intranet links.
The default values can be overridden on individual links. While configuring WAN links, you can choose to use these global defaults or configure link specific service bandwidth settings. Configuration of a non-zero bandwidth share is required for any delivery service to be enabled and active on a link.
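The share model described above (global defaults per link type, link-specific overrides, and a service being active only with a non-zero share) can be checked mechanically before a configuration is pushed. The following is an added example and not Orchestrator code; the link types and service names come from the text, while the percentages, link capacities and the assumption that the shares on one link must sum to 100% are ours.

```python
"""Delivery-service bandwidth shares per WAN link.

Added illustration (not Citrix SD-WAN Orchestrator code).  The link types
and service names come from the documentation; all numeric values are
constructed sample data."""
from dataclasses import dataclass, field

# Global share defaults (%) per link type.  A 0% share means the service is
# not enabled on links of that type unless a link-specific override sets it.
GLOBAL_DEFAULTS = {
    "Internet":         {"Virtual Path": 40, "Internet": 60, "Intranet": 0},
    "MPLS":             {"Virtual Path": 80, "Internet": 0,  "Intranet": 20},
    "Private Intranet": {"Virtual Path": 50, "Internet": 0,  "Intranet": 50},
}


@dataclass
class WanLink:
    name: str
    link_type: str
    capacity_kbps: int
    # Link-specific shares; an empty dict means "use the global defaults".
    overrides: dict = field(default_factory=dict)


def effective_shares(link: WanLink) -> dict:
    """Global defaults for the link type, with link-specific overrides applied."""
    shares = dict(GLOBAL_DEFAULTS[link.link_type])
    shares.update(link.overrides)
    return shares


def validate_shares(shares: dict) -> None:
    """Shares are percentages of one link: assumed >= 0 and summing to 100."""
    if any(pct < 0 for pct in shares.values()):
        raise ValueError("negative bandwidth share")
    total = sum(shares.values())
    if total != 100:
        raise ValueError(f"shares sum to {total}%, expected 100%")


def active_services(link: WanLink) -> list:
    """Only services with a non-zero share are enabled and active on the link."""
    return sorted(name for name, pct in effective_shares(link).items() if pct > 0)


def allocation_kbps(link: WanLink) -> dict:
    """Bandwidth (kbps) each active service gets on this link."""
    shares = effective_shares(link)
    validate_shares(shares)
    return {name: link.capacity_kbps * pct // 100
            for name, pct in shares.items() if pct > 0}


def audit_links(links) -> list:
    """Return one message per link whose share configuration is invalid."""
    problems = []
    for link in links:
        try:
            validate_shares(effective_shares(link))
        except ValueError as exc:
            problems.append(f"{link.name}: {exc}")
    return problems


# Constructed sample: an Internet link on global defaults, an MPLS link that
# overrides them to favour Intranet traffic, and an MPLS link whose partial
# override leaves the shares at 60 + 0 + 20 = 80%, which is invalid.
SAMPLE_LINKS = [
    WanLink("inet-1", "Internet", 100_000),
    WanLink("mpls-1", "MPLS", 50_000, {"Virtual Path": 60, "Intranet": 40}),
    WanLink("mpls-2", "MPLS", 20_000, {"Virtual Path": 60}),
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS[:2]:
        print(link.name, active_services(link), allocation_kbps(link))
    print("audit:", audit_links(SAMPLE_LINKS))
```

The audit catches the common mistake of overriding one service's share without adjusting the others, which leaves the link over- or under-allocated.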
Cloud direct service
Cloud Direct service delivers SD-WAN functionalities as a cloud service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (data center, cloud, and internet).
Cloud Direct Service:
- Improves network visibility and management.
- Enables partners to offer managed SD-WAN services for business critical SaaS applications to their end customers.
Cloud direct service offers the following advantages:
- Redundancy: Uses multiple internet WAN links and provides a seamless failover.
- Link aggregation: Uses all internet WAN links at the same time.
- Intelligent load-balancing across WAN connections from different providers:
  - Measuring packet loss, jitter, and throughput.
  - Custom application identification.
  - Application requirement and circuit performance matching (adapting to real-time network conditions).
- SLA-grade dynamic QoS capability for Internet circuits:
  - Dynamically adapts to varying circuit throughput.
  - Adaptation through a tunnel at ingress and egress endpoints.
  - Rerouting VoIP calls between circuits without dropping the call.
- End-to-end monitoring and visibility.
To configure sites for Cloud Direct Service, from customer level, navigate to Configuration > Delivery Services > Service & Bandwidth, then click the setting icon next to the Cloud Direct Service.
Click + Cloud Direct Service to add sites.
You can choose the Region and select the sites accordingly.
Click Review to view the sites that you have selected and then click Save.
You can view that the site is created with the following detail:
- Site Status: Shows whether the site is deployed or not. If deployed, the status indicates whether the Cloud Direct site is online or not.
- Site Name: Displays the site name for which the Cloud Direct feature is being deployed.
- Platform: For the selected site, the corresponding appliance model name is auto-populated and displayed here, for example 210-SE.
- Billing Status: Displays Billing status.
- Licensed Cloud Direct Bandwidth (Mbps): Displays Cloud Direct subscription bandwidth information. The subscription bandwidth is associated with the licensing for the Cloud Direct service.
- Enabled links count: Displays the count of WAN links enabled for this service.
- Actions: You can either choose to delete the Cloud Direct site configuration created for this SD-WAN appliance or view the Cloud Direct site configuration and WAN link details in read-only mode.
Click the site entry to edit the subscription bandwidth and change the WAN links selected for this service. You can also edit the Ingress (upload) and Egress (download) speeds for the Cloud Direct service on each of the selected WAN links.
- By default, the first four Internet WAN links are selected.
- The Cloud Direct Ingress (upload) and Egress (download) speed values must not be greater than the subscription bandwidth value.
You can create application objects for application-based routes. Create the application route by including the corresponding applications, which must be steered through Cloud Direct service. For more information, see Routing policies.
Other settings are available for the Internet and Intranet services; customize them by using the setting icon displayed against each service.
Click + New Service and select a Service Type. Depending on the add-on delivery service that you would like to create, choose the required service type, and proceed with the configuration.
Internet Service is available by default as part of the Delivery services. You can configure the internet service route cost relative to other delivery services. You can also preserve the route to internet from the link even if all the associated paths are down.
You can create multiple Intranet services. Once an Intranet service is created at the global level, you can reference it at the WAN Link level. Provide a Service Name, and select the desired Routing Domain and Firewall Zone. Add all the intranet IP addresses across the network with which other sites in the network might interact. You can also preserve the route to the intranet from the link even if all the associated paths are down.
You can configure SD-WAN appliances to terminate GRE tunnels on the LAN.
- Service Type: Select the service that the GRE tunnel uses.
- Name: Name of the LAN GRE service.
- Routing Domain: The routing domain for the GRE tunnel.
- Firewall Zone: The firewall zone chosen for the tunnel. By default, the tunnel is placed into the Default_LAN_Zone.
- MTU: Maximum transmission unit — the size of the largest IP datagram that can be transferred through a specific link. The range is from 576 to 1500. Default value is 1500.
- Keep alive: The period between sending keep alive messages. If configured to 0, no keep alive packets are sent, but the tunnel stays up.
- Keep alive Retries: The number of times that the Citrix SD-WAN appliance sends keep alive packets without a response before it brings the tunnel down.
- Checksum: Enable or disable Checksum for the tunnel’s GRE header.
- Site Name: The site to map the GRE tunnel.
- Source IP: The source IP address of the tunnel. This is one of the Virtual Interfaces configured at this site. The selected routing domain determines the available Source IP addresses.
- Public Source IP: The source IP if the tunnel traffic is going through NAT.
- Destination IP: The destination IP address of the tunnel.
- Tunnel IP/Prefix: The IP address and Prefix of the GRE Tunnel.
- Tunnel Gateway IP: The next hop IP Address to route the Tunnel traffic.
- LAN Gateway IP: The next hop IP Address to route the LAN traffic.
The Zscaler Cloud Security Platform provides a series of security check posts in more than 100 data centers around the world. By simply redirecting the internet traffic to the Zscaler service, you can immediately secure your stores, branches, and remote locations.
Citrix SD-WAN Orchestrator provides partner authentication to the Zscaler cloud. An IPsec tunnel is established to redirect internet traffic to Zscaler. All the sites are connected to Zscaler by default.
Provide the following details to authenticate Zscaler (Partner login information):
- User Name: Enter the name of the user.
- Password: Enter the password.
- Cloud Name: Enter the cloud name that is available in the URL that admins use to log into the Zscaler service. To maximize operational efficiency, Zscaler built a global multi-cloud infrastructure with high scalability. An organization is provisioned on one cloud and its traffic is processed by that cloud only.
- API Key: Enter the Partner Integration Citrix SD-WAN Key.
Once the authentication is successful, provide the bandwidth allocation for the Zscaler Service. By default, all the sites with global_default WAN-link configurations are configured with Zscaler Service. Link-specific WAN-link configuration for Zscaler Service allows you to specify different bandwidth allocation other than the global allocation.
Azure virtual WAN service
Microsoft Azure Virtual WAN and Citrix SD-WAN provide simplified network connectivity and centralized management across cloud workloads. This service provides automatic configuration of branch appliances to connect to the Azure Virtual WAN and configure branch traffic management policies according to your business requirements.
Provide the Azure Service Principal information to map any Citrix SD-WAN sites to Azure Virtual WAN. Before configuring the sites to Azure Virtual WAN service, you need to create the Azure Virtual WAN Hubs with site-to-site connectivity gateway resource in your respective Azure region. Site-to-site connections are established between Citrix SD-WAN appliances and Azure.
Only the Virtual WAN hubs created in the Azure portal for your subscription are listed for mapping.
As part of mapping Citrix SD-WAN branches to Azure Virtual WANs, a branch site needs to be associated with Azure WAN resources to establish IPsec tunnels with the Azure Virtual Hubs using the preselected IKE/IPsec settings. The site and Azure backbone routes are learned over BGP by default. When Citrix SD-WAN branch sites have multiple Internet WAN links configured, two WAN links are automatically chosen to provide redundancy. The Citrix SD-WAN software must support switching between primary and secondary IPsec tunnels, which is available from the 11.1 release onwards.
One Citrix SD-WAN site can connect to multiple Azure Virtual Hubs in the same or different Azure regions.
Certain Citrix SD-WAN appliances have a resource limitation on the number of IPsec tunnels that can be supported. Hence the configuration mapping might fail if the mapping would exceed the appliance's tunnel count limit.
The following are the IPsec tunnel limit per SD-WAN platform:
| SD-WAN appliances | IPsec tunnels supported |
|---|---|
| 4100, 5100, 6100 | 256 |
| 210, 410, 1000, 2000 | 8 |
Mapping of Citrix SD-WAN sites to Azure Virtual WAN hubs might take some time since it involves downloading IPsec configuration from Azure. The branch mapping status shows as Configuration Downloaded after the branch configuration is downloaded. It is recommended to refresh the site status before you activate the configuration to see the updated status.
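Because a mapping that exceeds the platform's tunnel limit fails only after the configuration has been downloaded, it is worth estimating the tunnel count up front. The following added example (not Orchestrator code) does that with the limits from the table above. The assumption that each hub mapping consumes one IPsec tunnel per selected WAN link, with two links selected when the site has more than one Internet link, is ours, as are the sample sites.

```python
"""Plan check: Azure Virtual WAN hub mappings vs. the per-platform IPsec
tunnel limit.  Added illustration, not Citrix SD-WAN Orchestrator code.
Limits come from the documentation table; the tunnels-per-hub rule and the
sample sites are constructed assumptions."""

# IPsec tunnels supported per platform (from the table in the text).
IPSEC_TUNNEL_LIMIT = {
    "4100": 256, "5100": 256, "6100": 256,
    "210": 8, "410": 8, "1000": 8, "2000": 8,
}


def platform_from_model(model: str) -> str:
    """'210-SE' -> '210': the platform column shows models with an edition suffix."""
    base = model.split("-", 1)[0]
    if base not in IPSEC_TUNNEL_LIMIT:
        raise ValueError(f"unknown platform {model!r}")
    return base


def tunnels_per_hub(internet_links: int) -> int:
    """Assumption: one tunnel per selected link; two links are chosen for
    redundancy when the site has more than one Internet WAN link."""
    if internet_links < 1:
        raise ValueError("site needs at least one Internet WAN link")
    return min(internet_links, 2)


def check_mapping(model: str, hubs: int, internet_links: int,
                  existing_tunnels: int = 0) -> dict:
    """Would mapping this site to `hubs` Azure hubs stay within the limit?
    `existing_tunnels` counts IPsec tunnels the appliance already terminates
    (for example fixed IPsec services), which share the same budget."""
    platform = platform_from_model(model)
    planned = existing_tunnels + hubs * tunnels_per_hub(internet_links)
    limit = IPSEC_TUNNEL_LIMIT[platform]
    return {"platform": platform, "planned": planned, "limit": limit,
            "fits": planned <= limit, "headroom": limit - planned}


# Constructed sample sites: (model, hubs to map, Internet links, tunnels already in use)
SAMPLE_SITES = {
    "branch-a": ("210-SE", 3, 2, 0),     # 6 tunnels, fits in 8
    "branch-b": ("410-SE", 4, 2, 2),     # 2 + 8 = 10, exceeds 8
    "dc-1": ("5100-SE", 40, 2, 100),     # 100 + 80 = 180, fits in 256
}


def sites_over_limit(sites=SAMPLE_SITES) -> list:
    """Names of sites whose planned mapping would exceed the platform limit."""
    return sorted(name for name, args in sites.items()
                  if not check_mapping(*args)["fits"])


if __name__ == "__main__":
    for name, args in SAMPLE_SITES.items():
        print(name, check_mapping(*args))
    print("over limit:", sites_over_limit())
```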
The following diagram describes the high-level workflow of Orchestrator and Azure Virtual WAN connection.
To associate sites with Azure WAN resources:
From Citrix SD-WAN Orchestrator, navigate to Delivery Services > Service and Bandwidth at the network level. Click the setting icon next to Azure Virtual WAN.
You must provide the subscription bandwidth (in %) for the Azure Virtual WAN service. You can reserve the subscription bandwidth both at global and site level.
Provide Azure Tenant ID, Application ID, Secret Key, and Subscription ID (also known as service principal). If the credentials are not correct, then the authentication fails and further action is not allowed. Click Save.
After authentication is successful, you must associate a branch site with Azure Virtual WAN resources to establish IPsec tunnels. One Branch can be connected to multiple Hubs within an Azure Virtual WAN resource and one Azure Virtual WAN resource can be connected with multiple branch sites.
Click + Site to add a site.
The + Site option will be disabled if you have not reserved the subscription bandwidth.
Provide the following details:
- Azure Virtual WAN – Select the Azure Virtual WAN associated with the subscription from the drop-down list. The same site cannot be connected to multiple WANs. Only virtual WANs that already have a corresponding hub are listed.
- Azure Hubs – Select the Azure hubs. Only Azure Virtual WANs with Azure Virtual hubs are listed for mapping. You can add multiple hubs connected to the same site.
- Select Region/Groups – You can select all or specific regions/groups.
- Select Sites – You can select all or specific sites that you want to map.
- ALB Internal IP – The Azure Load Balancer (ALB) IP is required if the site is an Azure VPX deployed in High Availability (HA) mode. Otherwise, this field is optional.
Once the site is deployed, you can see the following information:
Info - Displays the Azure Virtual WAN Tunnel configuration details and status.
- Site Name – Displays the deployed site name.
- Virtual WAN – Displays the Azure Virtual WAN the corresponding site is mapped with.
- Hubs – Displays the number of hubs.
- Status – Displays the different deployment states with the final completion message. The IPsec tunnels can be created only after the site is provisioned successfully.
- Action – You can Edit or Delete the configured site.
Once the site is successfully provisioned, you need to perform the Verify, Stage, and Activate process to create the IPsec tunnels. After activation, you can see the state of the tunnels under the Info page. If the configuration is not activated, the tunnel information is not available.
You can also allocate different bandwidth to different sites. To do this, perform a link-specific configuration for the selected site: select the appropriate site > WAN Links tab > Services section. You can override the global bandwidth allocation there.
From the 11.1.0 release onwards, Azure Virtual WAN supports multiple WAN link configurations along with hub-to-hub communication. For more information, see Hub-to-Hub Communication.
Citrix SD-WAN appliances can negotiate fixed IPsec tunnels with third-party peers on the LAN or WAN side. You can define the tunnel end-points and map sites to the tunnel end-points.
You can also select and apply an IPsec security profile that defines the security protocol and IPsec settings.
To configure an IPsec tunnel:
Specify the service details.
- Service Name: The name of the IPsec service.
- Service Type: Select the service that the IPsec tunnel uses.
- Routing Domain: For IPsec tunnels over LAN, select a routing domain. If the IPsec Tunnel uses an intranet service, the intranet service determines the routing domain.
- Firewall Zone: The firewall zone for the Tunnel. By default, the Tunnel is placed into the Default_LAN_Zone.
Add the tunnel end-point.
- Name: When Service Type is Intranet, choose an Intranet Service the tunnel protects. Otherwise, enter a name for the service.
- Peer IP: The IP address of the remote peer.
- IPsec Profile: The IPsec security profile that defines the security protocol and IPsec settings.
- Pre Shared Key: The pre-shared key used for IKE authentication.
- Peer Pre Shared Key: The pre-shared key used for IKEv2 authentication.
- Identity Data: The data to be used as the local identity, when using manual identity or User FQDN type.
- Peer Identity Data: The data to be used as the peer identity, when using manual identity or User FQDN type.
- Certificate: If you choose Certificate as the IKE authentication, choose from the configured certificates.
Map sites to the tunnel end-points.
- Choose Endpoint: The end-point to be mapped to a site.
- Site Name: The site to be mapped to the end-point.
- Virtual Interface Name: The virtual interface at the site to be used as the end-point.
- Local IP: The local virtual IP address to use as the local tunnel end-point.
Create the protected network.
- Source Network IP/Prefix: The source IP address and Prefix of the network traffic that the IPsec tunnel protects.
- Destination Network IP/Prefix: The destination IP address and Prefix of the network traffic that the IPsec tunnel protects.
Ensure that the IPsec configurations are mirrored on the peer appliance.
For more information, see How to configure IPsec tunnels for virtual and dynamic paths.
Dynamic virtual path settings
The global dynamic virtual path settings allow admins to configure dynamic virtual path defaults across the network.
A dynamic virtual path is instantiated dynamically between two sites to enable direct communication, without any intermediate SD-WAN node hops. Similarly, the dynamic virtual path connection is removed dynamically too. Both the creation and removal of dynamic virtual paths are triggered based on bandwidth thresholds and time settings.
Click Verify Config to validate any audit error.
The following are some of the supported settings:
- Provision to enable or disable dynamic virtual paths across the network
- The route cost for dynamic virtual paths
- The QoS Profile to be used – Standard by default.
Dynamic Virtual Path Creation Criteria:
- Measurement interval (seconds): The amount of time over which the packet count and bandwidth are measured to determine whether a Dynamic Virtual Path must be created between two sites, in this case between a given Branch and the Control Node.
- Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, at which a Dynamic Virtual Path is triggered. In this case the threshold applies to the Control Node.
- Throughput threshold (pps): The threshold of total throughput in packets per second between two sites, measured over the Measurement interval, at which a Dynamic Virtual Path is triggered.
Dynamic Virtual Path Removal Criteria:
- Measurement interval (minutes): The amount of time over which the packet count and bandwidth are measured to determine whether a Dynamic Virtual Path must be removed between two sites, in this case between a given Branch and the Control Node.
- Throughput threshold (kbps): The threshold of total throughput between two sites, measured over the Measurement interval, below which the Dynamic Virtual Path is removed.
- Throughput threshold (pps): The threshold of total throughput in packets per second between two sites, measured over the Measurement interval, below which the Dynamic Virtual Path is removed.
- Wait time to flush dead virtual paths (m): The time after which a DEAD Dynamic Virtual Path is removed.
- Hold time before the recreation of dead virtual paths (m): The time that must pass before a Dynamic Virtual Path removed for being DEAD can be recreated.
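The creation and removal criteria above interact: a path that is created on a throughput spike, idles, dies, and is flushed then has to wait out the hold time before the creation criteria apply again. The following added example (not Citrix SD-WAN code) models that lifecycle as a small state machine driven by per-second throughput samples. The setting names follow the text; the one-sample-per-second input, treating the kbps and pps creation thresholds as alternatives and requiring both removal thresholds to be undershot, and the demo timeline are our assumptions.

```python
"""Dynamic virtual path (DVP) create / remove decision logic as a state
machine.  Added illustration, not Citrix SD-WAN code.  Setting names follow
the documentation; 1 Hz sampling, OR for creation, AND for removal and the
timeline below are constructed assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass
class DvpSettings:
    create_interval_s: int         # Measurement interval (seconds) for creation
    create_kbps: int               # Throughput threshold (kbps) for creation
    create_pps: int                # Throughput threshold (pps) for creation
    remove_interval_min: int       # Measurement interval (minutes) for removal
    remove_kbps: int               # Throughput threshold (kbps) for removal
    remove_pps: int                # Throughput threshold (pps) for removal
    flush_dead_wait_min: int       # Wait time to flush dead virtual paths (m)
    hold_before_recreate_min: int  # Hold time before recreation of dead paths (m)


class DvpController:
    """Tracks the DVP between one site pair.  States: NONE, UP, DEAD."""

    def __init__(self, settings: DvpSettings):
        self.s = settings
        self.state = "NONE"
        self.samples = deque()     # (t, kbps, pps); assumed one sample per second
        self.dead_since = None
        self.hold_until = -1       # recreation blocked while now < hold_until

    def _window_avg(self, now, width_s):
        pts = [(k, p) for t, k, p in self.samples if now - t < width_s]
        if len(pts) < width_s:     # not enough history for a full interval yet
            return None
        return sum(k for k, _ in pts) / width_s, sum(p for _, p in pts) / width_s

    def observe(self, now, kbps, pps, path_alive=True):
        self.samples.append((now, kbps, pps))
        keep = max(self.s.create_interval_s, self.s.remove_interval_min * 60)
        while self.samples and now - self.samples[0][0] >= keep:
            self.samples.popleft()

        if self.state == "NONE":
            avg = self._window_avg(now, self.s.create_interval_s)
            if now >= self.hold_until and avg and (
                    avg[0] >= self.s.create_kbps or avg[1] >= self.s.create_pps):
                self.state = "UP"
        elif self.state == "UP":
            if not path_alive:
                self.state, self.dead_since = "DEAD", now
            else:
                avg = self._window_avg(now, self.s.remove_interval_min * 60)
                if avg and avg[0] < self.s.remove_kbps and avg[1] < self.s.remove_pps:
                    self.state = "NONE"
                    self.samples.clear()
        elif self.state == "DEAD":
            if path_alive:         # path recovered before the flush timer expired
                self.state, self.dead_since = "UP", None
            elif now - self.dead_since >= self.s.flush_dead_wait_min * 60:
                self.state = "NONE"
                self.hold_until = now + self.s.hold_before_recreate_min * 60
                self.samples.clear()
        return self.state


def simulate(settings, timeline):
    """timeline: list of (duration_s, kbps, pps, path_alive) segments.
    Returns the list of (t, new_state) transitions."""
    ctl, transitions, t = DvpController(settings), [], 0
    for duration, kbps, pps, alive in timeline:
        for _ in range(duration):
            before = ctl.state
            after = ctl.observe(t, kbps, pps, alive)
            if after != before:
                transitions.append((t, after))
            t += 1
    return transitions


# Short intervals so the constructed scenario runs in a few hundred "seconds".
DEMO_SETTINGS = DvpSettings(create_interval_s=5, create_kbps=1000, create_pps=100,
                            remove_interval_min=1, remove_kbps=100, remove_pps=10,
                            flush_dead_wait_min=1, hold_before_recreate_min=2)

# Constructed traffic between a branch and the control node.
DEMO_TIMELINE = [
    (10, 2000, 50, True),   # heavy traffic -> DVP created once the window fills
    (59, 50, 5, True),      # idles below both removal thresholds -> removed
    (11, 2000, 50, True),   # heavy again -> recreated
    (61, 0, 0, False),      # path dies -> DEAD, flushed after the wait time
    (120, 2000, 50, True),  # heavy, but held back until the hold time expires
]

if __name__ == "__main__":
    for t, state in simulate(DEMO_SETTINGS, DEMO_TIMELINE):
        print(f"t={t:4d}s  {state}")
```

Note the removal at t=68 rather than at the end of the idle segment: the removal window is a running average, so the path is torn down as soon as the last heavy sample ages out of the one-minute interval.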
IPsec encryption profiles
To add IPsec encryption profile, navigate to Configuration > Delivery Services > select IPsec Encryption Profiles.
IPsec provides secure tunnels. Citrix SD-WAN supports IPsec virtual paths, enabling third-party devices to terminate IPsec VPN tunnels on the LAN or WAN side of a Citrix SD-WAN appliance. You can secure site-to-site IPsec tunnels terminating on an SD-WAN appliance by using a FIPS 140-2 Level 1 certified IPsec cryptographic binary.
Citrix SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism.
IPsec profiles are referenced when configuring IPsec services as delivery services. In the IPsec security profile page, enter the required values in the following three groups: IPsec Encryption Profile information, IKE Settings, and IPsec Settings.
Click Verify Config to validate any audit error.
IPsec encryption profile information
- Profile Name: Provide a profile name.
- MTU: Enter the maximum IKE or IPsec packet size in bytes.
- Keep Alive: Select the check box to keep the tunnel active and enable route eligibility.
IKE settings
- IKE Version: Select an IKE protocol version from the drop-down list.
- Mode: Select either Main mode or Aggressive mode from the drop-down list for the IKE Phase 1 negotiation mode.
  - Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
  - Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
- Authentication: Choose the authentication type as Certificate or Pre-shared Key from the drop-down menu.
- Identity: Select the identity method from the drop-down list.
- Peer Identity: Select the peer identity method from the drop-down list.
- DH Group: Select the Diffie-Hellman (DH) group to use for IKE key generation.
- Hash Algorithm: Choose a hashing algorithm from the drop-down list to authenticate IKE messages.
- Encryption Mode: Choose the Encryption Mode for IKE messages from the drop-down list.
- Lifetime (s): Enter the preferred duration (in seconds) for an IKE security association to exist.
- Lifetime (s) Max: Enter the maximum preferred duration (in seconds) to allow an IKE security association to exist.
- DPD timeout (s): Enter the Dead Peer Detection timeout (in seconds) for VPN connections.
IPsec settings
- Tunnel Type: Choose ESP, ESP+Auth, ESP+NULL, or AH as the tunnel encapsulation type from the drop-down list.
  - ESP: Encrypts the user data only.
  - ESP+Auth: Encrypts the user data and includes an HMAC.
  - ESP+NULL: Packets are authenticated but not encrypted.
  - AH: Only includes an HMAC.
- PFS Group: Choose Diffie-Hellman group to use for perfect forward secrecy key generation from the drop-down menu.
- Encryption Mode: Choose the Encryption Mode for IPsec messages from the drop-down menu.
- Hash Algorithm: The MD5, SHA1, and SHA-256 hashing algorithms are available for HMAC verification.
- Network Mismatch: Choose an action to take if a packet does not match the IPsec Tunnel’s Protected Networks from the drop-down menu.
- Lifetime (s): Enter the amount of time (in seconds) for an IPsec security association to exist.
- Lifetime (s) Max: Enter the maximum amount of time (in seconds) to allow an IPsec security association to exist.
- Lifetime (KB): Enter the amount of data (in kilobytes) for an IPsec security association to exist.
- Lifetime (KB) Max: Enter the maximum amount of data (in kilobytes) to allow an IPsec security association to exist.
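The profile fields above include several choices the page itself describes as trade-offs (Aggressive mode exposes peer identities, ESP without Auth carries no HMAC, ESP+NULL and AH do not encrypt, MD5 and SHA1 are offered alongside SHA-256) plus paired values that must be consistent (each Max lifetime against its preferred lifetime, MTU range). The following added example (not Orchestrator code) reviews a profile for those points before it is attached to an IPsec service. The field names follow the text; the severity labels, the treatment of MD5/SHA1 as deprecated, and the two sample profiles are ours.

```python
"""Hardening review of an IPsec encryption profile.

Added illustration, not Citrix SD-WAN Orchestrator code: field names follow
the documentation, severities and sample profiles are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpsecProfile:
    profile_name: str
    mtu: int
    keep_alive: bool
    ike_version: int             # 1 or 2
    mode: str                    # "Main" or "Aggressive" (IKEv1 Phase 1 only)
    authentication: str          # "Certificate" or "Pre-shared Key"
    ike_dh_group: int
    ike_hash: str
    ike_encryption: str
    ike_lifetime_s: int
    ike_lifetime_s_max: int
    dpd_timeout_s: int
    tunnel_type: str             # "ESP", "ESP+Auth", "ESP+NULL" or "AH"
    pfs_group: Optional[int]     # None = no perfect forward secrecy
    ipsec_encryption: str
    ipsec_hash: str              # "MD5", "SHA1" or "SHA-256"
    network_mismatch: str        # action for packets outside the protected networks
    ipsec_lifetime_s: int
    ipsec_lifetime_s_max: int
    ipsec_lifetime_kb: int
    ipsec_lifetime_kb_max: int


WEAK_HASHES = {"MD5", "SHA1"}              # deprecated for IKE/IPsec integrity
NO_INTEGRITY = {"ESP"}                     # encrypts only, no HMAC
NO_CONFIDENTIALITY = {"ESP+NULL", "AH"}    # authenticated, user data in clear


def _norm(h: str) -> str:
    return h.upper().replace("-", "")


def review_profile(p: IpsecProfile) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to flag."""
    f = []
    # A "Max" lifetime below the preferred lifetime can never be honoured.
    for label, pref, mx in (("IKE lifetime (s)", p.ike_lifetime_s, p.ike_lifetime_s_max),
                            ("IPsec lifetime (s)", p.ipsec_lifetime_s, p.ipsec_lifetime_s_max),
                            ("IPsec lifetime (KB)", p.ipsec_lifetime_kb, p.ipsec_lifetime_kb_max)):
        if mx < pref:
            f.append(("error", f"{label} Max ({mx}) is below the preferred value ({pref})"))
    if not 576 <= p.mtu <= 1500:
        f.append(("error", f"MTU {p.mtu} is outside 576-1500"))
    if p.ike_version == 1 and p.mode == "Aggressive":
        f.append(("high", "Aggressive mode exposes peer identities during negotiation; use Main mode"))
    if p.ike_version == 1:
        f.append(("medium", "IKEv1 in use; prefer IKEv2 where the peer supports it"))
    if p.tunnel_type in NO_INTEGRITY:
        f.append(("high", "ESP without Auth carries no HMAC; use ESP+Auth"))
    if p.tunnel_type in NO_CONFIDENTIALITY:
        f.append(("high", f"{p.tunnel_type} authenticates but does not encrypt user data"))
    for label, h in (("IKE", p.ike_hash), ("IPsec", p.ipsec_hash)):
        if _norm(h) in WEAK_HASHES:
            f.append(("medium", f"{label} hash {h} is deprecated; use SHA-256"))
    if p.pfs_group is None:
        f.append(("medium", "no PFS group: a compromised IKE key exposes past IPsec sessions"))
    if not p.keep_alive:
        f.append(("info", "Keep Alive disabled: tunnel is not kept active or route eligible"))
    return f


# Constructed sample profiles.
WEAK_PROFILE = IpsecProfile(
    "branch-legacy", 1400, False, 1, "Aggressive", "Pre-shared Key", 2, "SHA1", "3DES",
    86400, 3600, 30, "ESP", None, "AES-128", "MD5", "Drop", 28800, 28800, 1_000_000, 1_000_000)

HARDENED_PROFILE = IpsecProfile(
    "branch-hardened", 1400, True, 2, "Main", "Certificate", 14, "SHA-256", "AES-256",
    28800, 86400, 30, "ESP+Auth", 14, "AES-256", "SHA-256", "Drop", 3600, 28800,
    1_000_000, 4_000_000)

if __name__ == "__main__":
    for prof in (WEAK_PROFILE, HARDENED_PROFILE):
        print(prof.profile_name)
        for sev, msg in review_profile(prof) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Treat the "error" findings as blocking: a profile whose IKE lifetime Max is below its preferred lifetime cannot negotiate the intended security association at all, whereas the "high" and "medium" items are hardening decisions to take against the peer's capabilities.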