SD-WAN configuration for CMD Integration

Citrix SD-WAN is a next-generation WAN edge solution that accelerates digital transformation with flexible, automated, and secure connectivity and performance for SaaS, cloud, and virtual applications to ensure an always-on workspace experience.

Citrix SD-WAN is the recommended and best way for organizations to connect to Citrix Managed Desktops (CMD) with a quick and easy set-up. For more information, see Citrix blog.


  • Easy to set up SD-WAN in CMD through a guided and automated workflow
  • Always-on, high performance connectivity through advanced SD-WAN technologies
  • Benefits across all connections (VDA-to-DC, user-to-VDA, VDA-to-cloud, and user-to-cloud)
  • Reduces latency compared to backhauling traffic to the data center
  • Traffic management to ensure Quality of Service (QoS)

    • QoS across HDX/ICA traffic streams (single-port HDX AutoQoS)
    • QoS between HDX and other traffic
    • HDX QoS fairness between users
    • End-to-end QoS
  • Link bonding delivers more bandwidth for faster performance
  • High Availability (HA) with seamless link failover and SD-WAN redundancy on Azure
  • Optimized VoIP experience (packet racing for reduced jitter and minimal packet loss, QoS, local break-out for reduced latency)
  • Major cost savings and much faster and easier to deploy compared to ExpressRoute


To evaluate these new capabilities, the following pre-requisites must be adhered to:

  1. You must have an existing SD-WAN network with Orchestrator entitlement. If you don’t have an existing SD-WAN network then you must set up one using SD-WAN Orchestrator. For more details, see configuring a Master Control Node (MCN).

  2. You must have a subscription to CMD.
  3. Currently, this integration support is only available for customers. If you are a partner or an MSP and must try this service then you must subscribe to CMD as a customer. Only then this integration can be enabled.
  4. To use SD-WAN features (such as QoS for MSI, application visibility), the Network Location Service (NLS) must be configured for all the SD-WAN sites in your network.
  5. You must have a DNS server and AD either deployed where the client endpoints are present (co-located in your data center environment, which would also have the MCN) or you can also utilize Azure Active Directory (AAD).
  6. The DNS server must be capable of resolving both internal (private) and external (public) IPs.
  7. Make sure that the FQDN is whitelisted in the firewall. This is the FQDN for network location service which is critical in sending traffic over the SD-WAN virtual path.

For the list of cloud services that has to be whitelisted on the firewall, see Prerequisites for Orchestrator usage.

Deployment architecture

High level deployment

Any deployment would feature the following entities:

  • An on-premises location hosting the SD-WAN appliance which can either be deployed in branch mode or as an MCN. This location contains the client machines, active directory, and DNS. However, you can also choose to use Azure’s DNS and AD. In most scenarios the on-premises location serves as an on-prem data center and houses the MCN.

  • CMD cloud service: This entity provides:

    • The UI for enabling and monitoring SD-WAN connectivity for CMD.
    • Creates SD-WAN virtual machine instances in Azure.
    • Manages their lifetime.
    • Bundles SD-WAN instance costs with CMD costs for customer billing.
    • Configures the local networking environment (subnets, local routing, firewall rules and so on) for SD-WAN instances.
    • Supplies SD-WAN instance information to the SD-WAN Orchestrator to provide and consume SD-WAN monitoring and other operational data.
  • SD-WAN Orchestrator: SD-WAN Orchestrator provides the UI for SD-WAN management:

    • Including management of instances deployed in CMD.
    • Implements initial provisioning for CMD SD-WAN instances.
    • Implements restrictions on SD-WAN instance management to reflect the CMD configuration.
    • Integrates with CMD to provide and consume SD-WAN monitoring and other operational data.
  • Virtual and physical SD-WAN appliances: Virtual and physical SD-WAN appliances run as multiple instances within the cloud (VMs), on-premises in the data center, and in the branches (physical appliances or VMs) to provide connectivity among these locations and to/from the public Internet.

    SD-WAN instance in CMD subscription is created as a single or a set of virtual appliances (if there was HA deployment) by CMD cloud service in Azure within the realms of CMD subscription. SD-WAN appliances in other locations (DC and branches) are created by the customer. All of these SD-WAN appliances are managed (in terms of configuration and software upgrades) by SD-WAN administrators through the SD-WAN Orchestrator.

  • CMD VDA, Connector - Uses the CMD SD-WAN appliance as a gateway to all resources outside of the CMD VNet, including enterprise on-prem resources, certain Azure services, and SaaS applications on the public Internet.

User roles

  1. CMD Administrator: Decides to use SD-WAN connectivity and obtains the necessary networking information from the SD-WAN administrator (or another network administrator role):

    • Starts the configuration of SD-WAN connectivity through CMD UI.
    • Once SD-WAN connectivity is fully enabled, manages CMD catalogs using SD-WAN connectivity.
    • Together with the SD-WAN Administrator, monitors SD-WAN connectivity and takes more actions as necessary.
  2. SD-WAN administrator: Provides SD-WAN configuration information to CMD Administrator:

  • Activates SD-WAN instances in CMD to enable connectivity to other network elements; performs additional configuration activities.
  • Together with the SD-WAN administrator, monitors SD-WAN connectivity and takes additional actions as necessary.

Interaction between different entities and user roles within the CMD-SDWAN integration

Access management for SD-WAN CMD integration

  • Both CMD and SD-WAN Orchestrator rely on Citrix Cloud IDAM to identify users as having Read-Only or Read-Write access.
  • In addition, the SD-WAN Orchestrator has the capability to assign similar access rights to users exclusively within the Orchestrator. The two authorization mechanisms are combined with the OR logic: it is sufficient to have admin access rights either in Citrix Cloud or in SD-WAN Orchestrator to get access to SD-WAN configuration management.

Deployment and configuration

Typical deployment and the entities involved

In a typical deployment a customer would have the Citrix SD-WAN appliance (H/W or VPX) deployed as an MCN in their data center/large office. The customer data center would usually host on-prem users and resources such as AD and DNS servers. In some scenarios the customer can use Azure Active Directory services (AADS) and DNS, both of which are supported by Citrix SD-WAN and CMD integration.

Within the Citrix Managed Azure subscription, the customer needs to deploy the Citrix SD-WAN virtual appliance and VDA’s. The SD-WAN appliances are managed through the SD-WAN Orchestrator. However, for the purpose of this integration the SD-WAN appliance within the Citrix Managed Azure subscription is configured via CMD UI/workflow. Once the SD-WAN appliance gets configured it connects to the existing Citrix SD-WAN network and further tasks such as configuration, visibility, and management are handled through the SD-WAN Orchestrator. Both SD-WAN Orchestrator and Citrix Managed Desktop service (CMD) communicate with each other using API’s.

The third component in this integration is the network location service which allows internal users to bypass the gateway and connect to the VDA’s directly, reducing latency for internal network traffic. For phase 1 of this integration the network location service needs to be configured manually. For more information, see Network location service (NLS).


  1. After you followed all the pre-requisites highlighted in the pre-requisites section, the first item that must be configured is the DNS. This must be configured in the SD-WAN Orchestrator. You need admin rights to configure DNS on the Orchestrator. To configure DNS, navigate to Configuration > App & DNS Settings > DNS Servers in the Orchestrator GUI and click +DNS Server. Enter the primary and secondary DNS in the ensuing screen.

    Add DNS server

    As highlighted in the Deployment and configuration section above, the AD and DNS is present in the on-premises location acting as the data center and in a deployment featuring SD-WAN it is available behind the SD-WAN that is on the LAN network. It’s the AD/DNS IP that you must configure here. In case you are using Azure Active Directory service/DNS, configure 168.63. 129.16 as the DNS IP.

    If you are making use of an on-premises AD/DNS, check if you can ping the IP of your DNS from your SD-WAN appliance. You can do this by navigating to Troubleshooting > Diagnostics. Check the check box against Ping in the ensuing screen and initiate a ping from the LAN interface/Default interface of the SD-WAN appliance to the IP of your AD/DNS.

    LAN interface default

    If the ping succeeds then it signifies that your AD/DNS can be reached successfully. If not, then there is a routing issue in your network which is preventing reachability to your AD/DNS. If possible, try to host your AD and SD-WAN appliance on the same LAN segment. In case there is still an issue, reach out to your network admin. Without completing this step successfully, the catalog creation step will not succeed and you are likely got an error message stating Global DNS IP not configured.


    Ensure that the DNS is capable of resolving both internal and external IP’s.

  2. Log in to the Citrix Managed Desktop (CMD) UI. You can view the following screen:

    CMD login screen

    Click Network Connections to create network connectivity between your on-prem resources and CMD subscription. Click + Add Connection.

    Add connection

    The SD-WAN option is only be enabled if you meet the following requirements:

    • You must have an existing SD-WAN network with Orchestrator entitlement. If you don’t have an existing SD-WAN network then set up one using SD-WAN Orchestrator. For more details, see Configuring a Master Control Node (MCN).

    • You must have a subscription to CMD.

    • Currently, this integration support is only available for customers. If you are a partner or an MSP and must try this service then you must subscribe to CMD as a customer, only then this integration can be enabled. Otherwise, this option remains disabled.

    In case you want to try this integration and need trial access for the SD-WAN Orchestrator then request a trial by visiting or

  3. Once you meet the conditions highlighted in the pre-requisites, click the SD-WAN tab to view the overall workflow:

    Overall workflow

  4. Enter the following details to configure the SD-WAN:

    • Deployment mode: You can see two deployment mode options - Standalone and High Availability.

      • Standalone: The deployment mode for SD-WAN can either be standalone where a single SD-WAN instance is deployed. If the SD-WAN instance fails due to either an issue with the SD-WAN firmware or the underlying Azure infra you cannot reach out to the resources deployed behind the SD-WAN instance in Azure. In other words, the instance behaves in a fail to block mode.

      • High Availability: To guard against software failure of the SD-WAN instance you might choose to deploy the instance in high availability mode which deploys two SD-WAN instances in active standby mode. Citrix recommends deploying instances in high availability mode for production networks.

    • Enter SD-WAN site name: Enter the site name to identify a site in your SD-WAN network. Make sure that the name you choose is unique and easy to recall.

    • Throughput and number of offices: Currently, only D3_V2 option is supported. D3_V2 supports up to 200 Mbps of throughput and can establish direct connectivity to 16 sites. The connections that are not direct go through the MCN.

    • Region: Select the Azure region where you want to deploy the SD-WAN instance. This needs to be the same region where you intend to deploy your CMD resources.

    • VDA subnet: VDA subnet is the subnet where you want to deploy your VDA and other CMD resources in Azure.

    • SD-WAN subnet: SD-WAN subnet is the subnet where you want to deploy your SD-WAN appliance/s.


    This integration only supports domain joined catalogs, non-domain joined aren’t supported as of today.

  5. Once you provide all the information that asked for in the previous step, the provisioning and deployment ensues and it takes around 20 odd minutes for the process to complete. During this time, the following steps take place behind the scenes:

    • A virtual SD-WAN appliance (VPX) starts to get provisioned in Azure based on the configuration chosen by you. Once provisioning succeeds, the SD-WAN VPX comes up with the chosen CPU and memory profile along with the network configuration supplied during the previous step.

    • Once provisioning succeeds, the VPX appliance reaches out to the SD-WAN Orchestrator over public Internet to request for configuration package.

    SD-WAN branch summary

  6. Once the SD-WAN branch is configured, you can view the configuration details.

    Configuration detail

  7. Once the instance is provisioned, you can see the following screen. At this point the network administrator must log into the SD-WAN Orchestrator to allow the addition of the SD-WAN VPX appliance to the network.

    Provisioned instance

  8. The network administrator must log in to the SD-WAN Orchestrator and navigate to Network configuration home page, where you can see a line item for the SD-WAN site in CMD.

    PLine item for SD-WAN site

  9. The network administrator must deploy the sites at this stage. Click the Deploy Config/Software to deploy.

    Deploy config or software

  10. Once the Deploy Config/Software step succeeds, you can see that the status on the CMD screen changes to you can now create catalogs using SD-WAN.

Network location service

With the Network Location service in Citrix Cloud, you can optimize internal traffic to the apps and desktops you make available to subscribers’ workspaces to make HDX sessions faster.

Users on both internal and external networks have to connect to VDAs through an external gateway. While this is expected for external users, internal users experience slower connections to virtual resources. The Network Location service allows internal users to bypass the gateway and connect to the VDAs directly, reducing latency for internal network traffic.


To set up the Network Location service, you configure network locations that correspond to the VDAs in your environment using the Network Location service PowerShell module that Citrix provides. These network locations include the public IP ranges of the networks where your internal users are connecting from.

When subscribers launch Virtual Apps and Desktops sessions from their workspace, Citrix Cloud detects whether subscribers are internal or external to the company network based on the public IP address of the network from which they are connecting.

  • If a subscriber connects from the internal network, Citrix Cloud routes the connection directly to the VDA, bypassing Citrix Gateway.

  • If a subscriber connects externally, Citrix Cloud routes the subscriber through Citrix Gateway as expected and then redirects the subscriber to the VDA in the internal network.


The public IP that needs to be configured in the network location service needs to be the public IP assigned to the WAN links.

Public IP assigned to the SD-WAN appliance

The public IP that needs to be configured in NLS needs to be the WAN link IPs of all the links used to send traffic over the virtual path. You can find this information by navigating to Site > Reports > Real time > Statistics > Access Interfaces.

Public IP