Citrix SD-WAN Orchestrator service introduces the following new features and enhancements:
January 13, 2021
Network Location Service (NLS) is a Citrix Cloud service that determines if the user connecting to Citrix Virtual Apps and Desktops is from the internal network. You can configure NLS for all sites within the network or specific sites through Citrix SD-WAN Orchestrator service. Using NLS, you can avoid manually configuring IP addresses of Citrix SD-WAN deployed locations.
You can enable NLS at the network level under Configuration > Delivery Services > Network Location Service.
Citrix SD-WAN Orchestrator service UI update
The look and feel of the Citrix SD-WAN Orchestrator service UI is changed to reflect the new color and font as per Citrix rebranding.
The screenshots in the Citrix SD-WAN Orchestrator service documentation might still reflect an earlier UI and will be updated in the upcoming releases.
December 17, 2020
Citrix SD-WAN Orchestrator service supports the Palo Alto Networks and Check Point hosted firewall integration on the SD-WAN 1100 platform.
At site level configuration, the following UI changes are made:
Basic Settings is renamed to Site Configuration.
The Gateway ARP Timer (ms) and Host ARP Timer (ms) fields under Basic Settings > Site Details are now grouped under Advanced Settings > ARP.
The tabs under Advanced Settings are now listed as submenu options. The accordions under individual Advanced Settings tabs are now displayed as tabs under the respective submenu options. All the submenu options now display secondary breadcrumbs.
The Virtual Paths tab under Advanced Settings is renamed to Delivery Services and moved as a submenu option under Advanced Settings.
The Routing tab under Advanced Settings is renamed to Dynamic Routing.
Citrix SD-WAN 11.3 Release: Citrix SD-WAN 11.3 release is now supported in Citrix SD-WAN Orchestrator service.
You can configure a Citrix SD-WAN appliance that supports Wi-Fi as a Wi-Fi Access Point, eliminating the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to Citrix SD-WAN appliance through Wi-Fi.
The following two variants of Citrix SD-WAN 110 platform support Wi-Fi and can be configured as an access point:
- Citrix SD-WAN 110-WiFi-SE
- Citrix SD-WAN 110-LTE-WiFi
You can configure and manage Citrix SD-WAN appliances that are configured as Access Points through the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator service also allows you to view Wi-Fi related reports such as connected devices, data utilized, usage, and authentication failure logs at both network level and individual site level.
There are 2 geography SKUs to support 110 Wi-Fi SE and 110 LTE Wi-Fi SE, one for US or Canada and the other for Rest of World (ROW).
Citrix SD-WAN 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses.
The Action When Security Profiles Cannot be Inspected drop-down list is introduced to define an action for packets that match a firewall rule and engage a security profile but temporarily cannot be inspected by the Edge Security subsystem. If you select Ignore, the relevant firewall rule is treated as not matched and the next firewall rule in order is evaluated. If you select Drop, the packets matching the relevant firewall rule are dropped.
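The following Python model of the two settings is an added illustration, not Citrix code. The rule fields, the `evaluate` function, the sample policy and the default action for unmatched traffic are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative model only. Rule fields, function names and the default
# action are assumptions, not the appliance's implementation.

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]         # match criteria
    action: str                             # "allow" or "drop"
    security_profile: Optional[str] = None  # set if the rule engages inspection


def evaluate(packet, rules, inspection_available, uninspectable_action,
             default_action="drop"):
    """Return (verdict, matched_rule_name, inspected) for one packet."""
    if uninspectable_action not in ("ignore", "drop"):
        raise ValueError("uninspectable_action must be 'ignore' or 'drop'")
    for rule in rules:
        if not rule.matches(packet):
            continue
        if rule.security_profile and not inspection_available:
            if uninspectable_action == "ignore":
                continue  # rule treated as not matched; try the next rule
            return ("drop", rule.name, False)
        return (rule.action, rule.name, rule.security_profile is not None)
    return (default_action, None, False)  # assumed behaviour when nothing matches


# Constructed sample policy and packet.
RULES = [
    Rule("inspect-web", lambda p: p["dst_port"] in (80, 443), "allow", "web-profile"),
    Rule("allow-outbound", lambda p: True, "allow"),
]
PACKET = {"dst_port": 443}


def compare_settings(rules=RULES, packet=PACKET):
    """Verdicts for the same packet in each inspection state and setting."""
    return {
        "inspection up": evaluate(packet, rules, True, "ignore"),
        "down + Ignore": evaluate(packet, rules, False, "ignore"),
        "down + Drop": evaluate(packet, rules, False, "drop"),
    }


if __name__ == "__main__":
    for case, verdict in compare_settings().items():
        print(f"{case:14} -> {verdict}")
```

With Ignore, the verdict for uninspectable traffic is decided by whichever later rule matches, so the order and breadth of the rules that follow determine whether that traffic passes without inspection.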
IPS profiles allow you to enable a combination of IPS rules for a specific set of sites within the network. When an IPS profile is enabled, it inspects the network traffic only for the sites with which the IPS profile is associated and the IPS rules enabled within that profile. You can create IPS profiles on Citrix SD-WAN Orchestrator service at the network level under Configuration > Security > Intrusion Prevention.
You can add new File Types and MIME Types for Anti-Malware scanning. If Anti-Malware denies access to a website, you can set an external server location to redirect users. The users can be redirected to the default redirect page provided by Citrix SD-WAN Orchestrator service or you can create a custom redirect page.
For the Web filtering security functionality, the following safe browsing options are added under the Advanced Options:
- Enforce safe search on popular search engines
- Enforce restrict mode on YouTube
- Force searches through kid-friendly search engine
You can now configure Secure Sockets Layer (SSL) inspection for the traffic flowing to and from your organization. SSL inspection intercepts, decrypts, and scans the HTTPS and secure SMTP traffic for malicious content. You can create SSL rules as part of security profiles and define conditions for the traffic to undergo SSL inspection.
SSL inspection can be configured through Citrix SD-WAN Orchestrator. The SSL Inspection option is newly added under Configuration > Security and Configuration > Security Profile > New Security Profile.
December 03, 2020
You can now configure and deploy Citrix SD-WAN PE appliances through Citrix SD-WAN Orchestrator service. As part of PE Phase-1 development, you can now configure WAN Optimization Configurations like Features, Tuning, Applications, and Rules through Citrix SD-WAN Orchestrator service. Deployment of SD-WAN PE appliances is also now possible through Citrix SD-WAN Orchestrator service.
- The Citrix SD-WAN PE appliances are only supported on 1100, 2100, 5100, and 6100 platforms.
- Citrix SD-WAN PE Support through Citrix SD-WAN Orchestrator service is currently only available for SD-WAN software version of 22.214.171.124.
November 12, 2020
Citrix SD-WAN Orchestrator service provides the ability to select the default routing domain for the site. Routing domain settings can either be global or site-specific. Also, you can enable/disable the virtual paths auto-bandwidth provisioning for all WAN links.
October 29, 2020
Routing policies help to enable traffic steering. You can now configure Application Routes and IP Routes at the site level to steer traffic.
For prepaid customers, the hybrid billing model is introduced. With the hybrid billing model, a customer’s network can support both perpetual and annual subscription licenses.
October 21, 2020
Citrix SD-WAN 11.2.2 Release: Citrix SD-WAN 11.2.2 release is now supported in Citrix SD-WAN Orchestrator service.
October 15, 2020
You can view the MPLS Queues real-time statistics on the Citrix SD-WAN Orchestrator service. You can also view the direction, number of packets, delta packets, and mismatched DSCP packets for Intranet and Virtual path services.
For MPLS queues, you can view the access interface, IP address, proxy address, interface MAC address, and ARP details associated with the MPLS queue.
October 1, 2020
Domain name based custom applications are supported in Application Routing, Application Rule, and Firewall Profiles. To use a custom name based application, the match criteria must be listed as Application while creating Application Route and Firewall Policy.
Citrix SD-WAN Orchestrator service allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.
You can now add sites for the Zscaler service. When a site is added, an IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies. While adding a site you can either automatically pick the ZENs based on the geo-location lookup of IP addresses of WAN links or manually select the ZENs. One ZEN is configured as the Primary and the other as the secondary. If the link to the primary ZEN goes down, the secondary ZEN takes over and provides high availability.
Citrix SD-WAN Orchestrator service supports the following types of DNS services:
- Static: Intercepts the DNS requests destined to the SD-WAN IP address and forwards them to the specified DNS servers. You can create internal, ISP, Google, or any other open source DNS service.
- Dynamic: Intercepts the DNS requests destined to the SD-WAN IP address and redirects them to one of the DNS servers learned from the DHCP based WAN links. If the WAN link goes down, another DHCP based WAN link's DNS server is chosen. This feature is useful in deployments where ISPs allow DNS requests only to DNS servers hosted by them.
You can choose a DNS proxy service for in-band management. The InBand Management DNS drop-down list is introduced under Basic Settings > Interfaces. The DNS proxy services added under Advanced Settings > DNS are listed under the InBand Management DNS drop-down list.
Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is now supported on the designated data ports and there is no need to use a separate management port for zero-touch deployment. Citrix SD-WAN Orchestrator service also allows management traffic to fail over seamlessly to the management port when the data port goes down, and conversely.
September 16, 2020
The Show Tech Support (STS) Bundle contains important real-time system information such as access logs, diagnostics logs, and firewall logs. The STS bundle is used to troubleshoot issues in the SD-WAN appliances. You can now create and download the STS bundles from the Citrix SD-WAN Orchestrator service.
The unique Differentiated Services Code Point (DSCP) tag field is added along with the Enable Encryption check box. Each WAN link requires a unique Virtual IP Address (VIP) to create the WAN link and a unique DSCP tag corresponding to the provider’s queuing scheme. The Enable Encryption check box helps to enable/disable the encryption for every custom MPLS, private Intranet, and public Internet Inter-Link Communication Group.
September 3, 2020
Role based access control (RBAC) regulates access to Citrix SD-WAN Orchestrator service resources based on the roles assigned to individual users. RBAC allows users to access only the data that their role demands and restricts any other data.
Roles can be assigned at Provider and Customer level under Administration > User Settings. Users can be assigned with a role from the following list of predefined roles.
Citrix SD-WAN 210 SE and 210 SE LTE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. To enable advanced security capabilities on a Citrix SD-WAN 210 appliance, reimage the appliance software to Citrix SD-WAN 10.2.7.17 and install the Advanced Security add-on license. For more details, see USB reimage Utility.
Activating the advanced security add-on license on the Citrix SD-WAN 210 appliance for the first time might take up to approximately 20 minutes.
You can now enable the first packet detection, classification, and selective routing (direct internet breakout or over the virtual path) of the traffic destined for the Citrix Cloud and Citrix Gateway Service (control and data). This feature is only available via Citrix SD-WAN Orchestrator service starting from SD-WAN version 11.2.1.
Citrix SD-WAN Orchestrator service allows you to view the real-time reports for the following security features:
- Web Filtering: Provides the real-time report of the last 1000 web (HTTP, HTTPS) events from the total number of web requests.
- Anti-Malware: Provides the real-time report of the last 1000 Anti-Malware events from the total number of the files scanned.
- Intrusion Prevention: Provides the real-time report of the last 1000 logged and blocked intrusion prevention system events from the total number of intrusion events.
The Application Settings page provides an option to disable Global Deep Packet Inspection (DPI). DPI is enabled globally, by default, for all the sites in your network. Disabling DPI stops DPI classification capability on the appliance. You can also choose to disable DPI for certain sites only by overriding the global DPI settings.
Under WAN link services, when you select Link Specific from the Service Bandwidth Settings drop-down list, the following options are newly added:
- LAN to WAN Tag
- WAN to LAN Tag
- WAN to LAN Match
- LAN to WAN Delay
- Tunnel Header Size
- WAN to LAN Grooming
You can forward the directed broadcasts to Virtual IP subnets on the Virtual Interface with the Directed Broadcast check box.
August 12, 2020
- Dynamic virtual paths can now be enabled/disabled at the site level using the Enable Dynamic Virtual Paths check box. The ability to enable dynamic virtual paths across the network globally is retained.
- You can configure IPsec tunnel settings for dynamic virtual paths at the network level.
- The dynamic virtual path thresholds for LAN-to-WAN and WAN-to-LAN in terms of bytes per second and packets per second are introduced per WAN link.
Static Virtual Path enhancements: The Tunnel Header Sizes in Bytes and Active MTU Detect configuration options are introduced in the Virtual Path WAN link properties.
Auto-correction: In the Citrix SD-WAN Orchestrator service, the auto-correction feature is implemented in the change management workflow. The auto-correction feature is applicable for staging failure on a branch node and activation failure on any node. The maintenance mode check box is added under the Change Management Settings to perform manual troubleshooting on an appliance. Once the maintenance mode check box is cleared, the auto-correction mechanism brings the appliance in sync with the network software and configuration version.
July 15, 2020
Application Quality: Application QoE is a measure of Quality of Experience of applications in the SD-WAN network. The Application QoE score is a value between 0 and 10. The score range that it falls in determines the quality of an application. The Application QoE dashboard provides the overall Application QoE score of all the applications in your network. You can also view individual Application QoE reports.
Region configuration enhancements: You can now change the default region, provide a description for the region, and add new subnets. You can also allow non-private Virtual IP addresses within a region or from other regions to match the configured subnets.
Citrix SD-WAN releases: The following Citrix SD-WAN releases are now supported in the Citrix SD-WAN Orchestrator service:
- Citrix SD-WAN 10.2.7
- Citrix SD-WAN 11.0.3d
- Citrix SD-WAN 11.1.1a
July 6, 2020
Appliance settings: Citrix SD-WAN Orchestrator service allows you to configure the appliance settings, at the site level, and push it to the remote appliances. You can configure user, network adapters, NetFlow, AppFlow, and SNMP settings.
Link Aggregation Groups: The Link Aggregation Groups (LAG) functionality allows you to group two or more ports on your SD-WAN appliance to work together as a single port. This ensures increased availability, link redundancy, and enhanced performance. Citrix SD-WAN Orchestrator service supports simple Link Aggregation Group (ACTIVE-BACKUP).
Transit Nodes: Transit nodes reduce the cost of routing by configuring sites to route data via a virtual overlay transit node. You can configure Internet or Intranet transit nodes to allow sites without internet or intranet service to route to the internet or intranet through the configured transit sites.
Firewall profile: Firewall profiles provide security by ensuring that network traffic is restricted only to a specific firewall rule depending on the match criteria and by applying specific actions. The Firewall Profile contains three sections.
- Global Profiles – Global profile is an aggregation of a couple of firewall rules. The profile that you create under the Global Profiles section is applied across all the sites in the network.
- Site Specific Profiles – You can apply the defined firewall rules on certain specific sites.
- Global Override Profile – You can override both global and site-specific profiles using the Global Override Profiles.
June 11, 2020
Edge Security: The Citrix SD-WAN Edge Security capability enables advanced security on Citrix SD-WAN branch appliances. It simplifies information security management by providing a single management and reporting pane for Network Edge Security. It eliminates the need for multiple branch solutions by consolidating routing, SD-WAN, and security capabilities on a single appliance. This reduces network complexity, operational cost, and provides a more secure network edge. The Edge Security stack includes the following security functionality:
- Web filtering
- Intrusion Prevention
- The Edge Security is only supported for Citrix SD-WAN deployments managed through the Citrix SD-WAN Orchestrator service.
- External syslog server support is not available through Citrix SD-WAN Orchestrator service for Citrix SD-WAN Edge Security.
Subnet support: From release 11.2 onwards, Citrix SD-WAN UI allows /31 subnets for configuring the network address.
Metered link enhancements: The following options are introduced under Advanced WAN link settings:
Approximate Data Already Used: The approximate data already used in MB for the metered link. This is applicable only for the first cycle. To track the metered link usage properly, specify the approximate metered link usage if the link has already been used for a few days in the current billing cycle.
Disable link if Data Cap Reached: If the data usage reaches the specified data cap, the metered link and all its related paths are disabled until the next billing cycle. If this option is not selected, the metered link remains in the current state, after the data cap is reached, until the next billing cycle.
Auto-learning of Public IP address on Intranet WAN link: You can now enable Auto learning of Public IP address on Intranet WAN links, under Basic settings > WAN Link Attributes, to support DHCP on Fail-to-Wire port.
Rollout of this release is in progress; the feature is available in the respective POPs as the rollout completes.
June 1, 2020
LTE firmware upgrade: You can now upgrade the LTE firmware via the Citrix SD-WAN Orchestrator service along with configuring and managing all the LTE sites in your network. While creating the site, you need to select LTE as a submodel for the SD-WAN 210 appliance/model. Currently, the LTE support is only applicable on 210 appliances. You need to set the scheduling window information to upgrade the LTE firmware corresponding to the latest selected software version.
Static inter-routing domain service: Citrix SD-WAN Orchestrator service now supports Static Inter-routing Domain service, enabling routing between Routing Domains within a site or between different sites. This eliminates the need for an external edge router to handle routing between two routing domains. The inter-routing service can further be used to set up routes, firewall policies, and NAT rules.
Citrix SD-WAN 11.1.1 Release: Citrix SD-WAN 11.1.1 release is now supported in Citrix SD-WAN Orchestrator service.
May 13, 2020
Y-cable: You can now enable Y-cable support for Citrix SD-WAN 1100 SE/PE appliances through the Citrix SD-WAN Orchestrator service. The Small Form-factor Pluggable (SFP) ports can be used with a fiber optic Y-Cable to enable the high availability feature for Edge Mode deployment.
Wrap Alerts description: The alert message contents under the Reports > Alerts > Message column are now wrapped. Earlier, the alert messages were hidden when the length of the message was greater than the width of the allocated cell size.
DHCP Client: The Dynamic Host Configuration Protocol (DHCP) Client option is now available under the Site Profile template. Hence, the sites that are created through the Site Profile also inherit the DHCP Client option.
Citrix SD-WAN 110 appliance support: The Citrix SD-WAN 110 hardware model appliance is now supported in the Citrix SD-WAN Orchestrator service.
April 28, 2020
HA near-hitless software upgrade: The HA near-hitless software upgrade feature ensures that the network downtime, during the software upgrade (11.1.x and above) process for an HA pair, is not more than the HA switch over time.
Appliance reports (Preview): Appliance report delivers Network traffic and System usage reports. Under Appliance Reports you can view Interfaces, Network, CPU Usage, Disk Usage, and Memory Usage reports in different tabs.
Change password: Citrix SD-WAN Orchestrator service allows you to centrally change the password of all the SD-WAN appliances in your network from the Network Configuration > Home page.
Microsoft Office 365 beacon service: Citrix SD-WAN supports Microsoft Office 365 beacon probing capability to help determine the best link to be used for Office 365. The probes determine the latency (round-trip-time) involved in reaching Office 365 endpoints through each WAN link, enabling network administrators to identify the best link to be used for Office 365 traffic. The Office 365 beacon probing capability is available only via the Citrix SD-WAN Orchestrator service.