Citrix SD-WAN Orchestrator

Appliance settings

Citrix SD-WAN Orchestrator service allows you to configure appliance settings at the site level and push them to the remote appliances.

You can configure the user, network adapters, NetFlow, AppFlow, SNMP, Fallback configuration, and Purge flow settings.

If HA is configured, select the primary or secondary appliance for which you want to change the appliance settings.

Select HA device

Administrative interface

The administrative interface allows you to add and manage the local and remote user accounts. The remote user accounts are authenticated through the RADIUS or TACACS+ authentication servers.

Manage users

You can add new user accounts for the site. To add a new user, navigate to Configuration > Appliance Settings > Administrator Interface > Manage Users, and click +User.

Manage users

Provide the following details:

  • User Name: The user name for the user account.
  • New Password: The password for the user account.
  • Confirm Password: Reenter the password to confirm it.
  • User level: Select one of the following account privileges:
    • Admin: An Admin account has read-write access to all the settings. An admin can configure the network and perform software updates.
    • Viewer: A Viewer account is a read-only account with access to the Dashboard, Reporting, and Monitoring sections.
    • Network Admin: A Network Administrator has read-write access to the Network settings and read-only access to other settings.
    • Security Admin: A Security Administrator has read-write access to the Firewall / Security related settings and read-only access to other settings.

      Note

      A Security Administrator has the authority to disable write access to the firewall settings for other users (Admin/Viewer).
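The four user levels above form a small access-control matrix: each level has read access everywhere and write access only to its own category, and the Security Admin can additionally withdraw firewall write access from the other levels. The following is an added example, not Citrix's code, that models that matrix as an authorization check; the setting categories (`network`, `firewall`, `other`) and the `firewall_locked` flag are assumptions introduced for illustration.

```python
"""Authorization check modelled on the Admin / Viewer / Network Admin /
Security Admin user levels.  Illustrative code only: the setting
categories and the firewall write-lock flag are constructed for the
example and are not Citrix identifiers."""
from enum import Enum


class Level(Enum):
    ADMIN = "Admin"
    VIEWER = "Viewer"
    NETWORK_ADMIN = "Network Admin"
    SECURITY_ADMIN = "Security Admin"


# Constructed setting categories: "network" stands for the Network settings,
# "firewall" for the Firewall / Security settings, "other" for everything else.
CATEGORIES = ("network", "firewall", "other")

# Categories each level may write; every level can read every category.
WRITE_ACCESS = {
    Level.ADMIN: set(CATEGORIES),
    Level.VIEWER: set(),
    Level.NETWORK_ADMIN: {"network"},
    Level.SECURITY_ADMIN: {"firewall"},
}


def _check_category(category: str) -> None:
    if category not in CATEGORIES:
        raise ValueError(f"unknown setting category: {category}")


def can_read(level: Level, category: str) -> bool:
    """All levels, including Viewer, have at least read-only access."""
    _check_category(category)
    return True


def can_write(level: Level, category: str, firewall_locked: bool = False) -> bool:
    """Return True if `level` may modify `category`.

    `firewall_locked` models the Security Admin withdrawing firewall write
    access from other users: while it is set, only the Security Admin
    retains write access to the firewall category."""
    _check_category(category)
    if category == "firewall" and firewall_locked and level is not Level.SECURITY_ADMIN:
        return False
    return category in WRITE_ACCESS[level]


def set_firewall_lock(actor: Level, locked: bool) -> bool:
    """Only the Security Admin may change the firewall write lock.

    Returns the new lock state; raises PermissionError for any other level."""
    if actor is not Level.SECURITY_ADMIN:
        raise PermissionError(f"{actor.value} cannot change the firewall write lock")
    return locked


if __name__ == "__main__":
    lock = set_firewall_lock(Level.SECURITY_ADMIN, True)
    for lvl in Level:
        print(lvl.value, {c: can_write(lvl, c, lock) for c in CATEGORIES})
```

Run stand-alone, the script prints the effective write matrix with the firewall lock engaged, which makes the Admin's loss of firewall write access visible while its other privileges are untouched.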

Add user

To delete a user, select a user name and click Delete Selected User. The user account and the local files are deleted.

Change local user password

To change the local user password, navigate to Configuration > Appliance Settings > Administrative Interface > User Accounts > Change Local User Password and provide the following values:

  • User Name: Select a user name for which you want to change the password from the list of users configured at the site.
  • Current Password: Enter the current password. This field is optional for admin users.
  • New Password: Enter a new password of your choice.
  • Confirm Password: Reenter the password to confirm it.

Change local user password

RADIUS authentication server

RADIUS enables remote user authentication on the appliance. To use RADIUS authentication, you must specify and configure at least one RADIUS server. Optionally, you can configure redundant backup RADIUS servers, up to a maximum of three. The servers are checked sequentially. Ensure that the required user accounts are created on the RADIUS authentication server.

To configure RADIUS authentication, navigate to Configuration > Appliance Settings > Administrative Interface > RADIUS, and click Enable RADIUS.

Note

You can either enable RADIUS or TACACS+ authentication on a site. You cannot enable both at the same time.

Provide the host IP address of the RADIUS server and the authentication port number. The default port number is 1812. Enter a Server key and confirm it; this is the shared secret used to connect to the RADIUS server. Specify the time interval to wait for an authentication response from the RADIUS server. The timeout value must be less than or equal to 60 seconds.

Note

The Server Key and Timeout settings are applied to all the configured servers.

RADIUS settings

TACACS+ authentication server

TACACS+ enables remote user authentication on the appliance. To use TACACS+ authentication, you must specify and configure at least one TACACS+ server. Optionally, you can configure redundant backup TACACS+ servers, up to a maximum of three. The servers are checked sequentially. Ensure that the required user accounts are created on the TACACS+ authentication server.

To configure TACACS+ authentication, navigate to Configuration > Appliance Settings > Administrative Interface > TACACS+ and click Enable TACACS+.

Note

You can either enable RADIUS or TACACS+ authentication on a site. You cannot enable both at the same time.

  1. Select the encryption method to send the user name and password to the TACACS+ server.
  2. Provide the host IP address of the TACACS+ server and the authentication port number. The default port number is 49.
  3. Enter a Server key and confirm it; this is the shared secret used to connect to the TACACS+ server.
  4. Specify the time interval to wait for an authentication response from the TACACS+ server. The timeout value must be less than or equal to 60 seconds.

Note

The Authentication type, Server Key, and Timeout settings are applied to all the configured servers.
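The RADIUS and TACACS+ sections above share the same constraints: the two methods are mutually exclusive on a site, each allows one to three servers checked in order, and one server key and one timeout (at most 60 seconds) apply to every configured server. The following is an added example, not Citrix's code, that validates such a configuration and walks the server list sequentially with the shared key and timeout. The `RemoteAuthConfig` class, the probe callback, the constructed IP addresses and the rule that only an unanswered request (not a rejection) triggers failover to the next server are assumptions made for the example; the page itself does not specify failover semantics.

```python
"""Validate remote-authentication settings (RADIUS or TACACS+) and check the
configured servers sequentially.  Added example, not Citrix's implementation;
the data class, probe callback and sample addresses are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_SERVERS = 3            # one primary plus up to two backups (page)
MAX_TIMEOUT_SECONDS = 60   # timeout must be <= 60 s (page)
DEFAULT_PORT = {"RADIUS": 1812, "TACACS+": 49}  # defaults named on the page


@dataclass
class RemoteAuthConfig:
    protocol: str              # "RADIUS" or "TACACS+"
    servers: List[str]         # host IP addresses, checked in this order
    server_key: str            # shared secret, applies to all servers
    timeout: int               # seconds, applies to all servers
    port: Optional[int] = None # None -> protocol default


def validate(radius: Optional[RemoteAuthConfig],
             tacacs: Optional[RemoteAuthConfig]) -> List[str]:
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems: List[str] = []
    if radius and tacacs:
        problems.append("RADIUS and TACACS+ cannot both be enabled on a site")
    for cfg in (radius, tacacs):
        if cfg is None:
            continue
        if cfg.protocol not in DEFAULT_PORT:
            problems.append(f"unknown protocol {cfg.protocol!r}")
            continue
        if not cfg.servers:
            problems.append(f"{cfg.protocol}: at least one server is required")
        if len(cfg.servers) > MAX_SERVERS:
            problems.append(f"{cfg.protocol}: at most {MAX_SERVERS} servers are allowed")
        if not 0 < cfg.timeout <= MAX_TIMEOUT_SECONDS:
            problems.append(f"{cfg.protocol}: timeout must be 1..{MAX_TIMEOUT_SECONDS} s")
        if not cfg.server_key:
            problems.append(f"{cfg.protocol}: server key must not be empty")
    return problems


# A probe performs one authentication exchange with one server and answers
# True (accepted), False (rejected) or None (no reply within the timeout).
# Signature: probe(host, port, server_key, username, password, timeout).
Probe = Callable[[str, int, str, str, str, int], Optional[bool]]


def authenticate(cfg: RemoteAuthConfig, username: str, password: str,
                 probe: Probe) -> Tuple[Optional[bool], Optional[str]]:
    """Check servers in configured order with the shared key and timeout.

    Assumed failover rule: only a server that does not answer within the
    timeout is skipped; a definite accept or reject ends the sequence.
    Returns (result, server_that_answered); (None, None) if none replied."""
    port = cfg.port or DEFAULT_PORT[cfg.protocol]
    for host in cfg.servers:
        answer = probe(host, port, cfg.server_key, username, password, cfg.timeout)
        if answer is None:
            continue  # timed out: try the next backup server
        return answer, host
    return None, None


def demo_probe(host, port, key, username, password, timeout) -> Optional[bool]:
    """Constructed stand-in for the network exchange: 10.0.0.1 never answers,
    10.0.0.2 accepts only the matching key and password."""
    if host == "10.0.0.1":
        return None
    if host == "10.0.0.2":
        return key == "example-shared-secret" and password == "correct-password"
    return False


if __name__ == "__main__":
    cfg = RemoteAuthConfig("RADIUS", ["10.0.0.1", "10.0.0.2"], "example-shared-secret", 5)
    print("problems:", validate(cfg, None))
    print("auth:", authenticate(cfg, "alice", "correct-password", demo_probe))
```

The `validate` function is where the page's constraints live in one place, so a management tool can refuse a site configuration before it is pushed; `authenticate` shows why a single shared timeout matters, since the worst-case login delay is the timeout multiplied by the number of unreachable servers.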

TACACS+ settings

NetFlow host settings

NetFlow Collectors collect IP network traffic as it enters or exits an SD-WAN interface. You can determine the source and destination of traffic, class of service, and the causes for traffic congestion using NetFlow data. For more information, see Multiple NetFlow Collector.

You can configure up to three NetFlow hosts. To configure NetFlow host settings, navigate to Configuration > Appliance Settings > NetFlow Host Settings. Select Enable NetFlow and provide the IP Address and Port number of the NetFlow host.

NetFlow host settings

Network adapters

For Citrix SD-WAN appliances, you can manually change the management IP address and other network parameters. You can change the IPv4 address, subnet mask, gateway IP address, IPv6 address, and prefix of the appliance or obtain the IP address automatically by enabling DHCP or SLAAC (only for IPv6 addresses). For more information, see Dynamic host configuration protocol.

Note

You cannot change the IP address if the interface is used for in-band management. For more information on in-band management, see In-band management.

To configure the network adapter settings, navigate to Configuration > Appliance Settings > Network Adapter.

Network adapters

AppFlow host settings

AppFlow and IPFIX are flow export standards used to identify and collect application and transaction data in the network infrastructure. This data gives better visibility into application traffic utilization and performance.

The collected data, called flow records, are transmitted to one or more IPv4 collectors. The collectors aggregate the flow records and generate real-time or historical reports. For more information, see AppFlow and IPFIX.

To configure AppFlow Host Settings, navigate to Configuration > Appliance Settings > AppFlow Host Settings and click Enable. Specify the data update interval, in minutes, at which the AppFlow reports are exported to the AppFlow / IPFIX collector.

Choose one of the following AppFlow dataset templates:

  • TCP only for HDX: Collects and sends multi-hop data of ICA connections to the AppFlow collector.
  • HDX: Collects and sends HDX insight data of ICA connections to the AppFlow collector.

You can configure up to four AppFlow / IPFIX collectors. For each collector specify the following parameters:

  • IP Address: The IP address of the external AppFlow / IPFIX collector system.
  • Port: The port number on which the external AppFlow / IPFIX collector system listens. The default value is 4739. You can change the port number depending on the collector used.
  • AppFlow: Sends flow records, as per IPFIX template 613, to IPFIX collectors.
  • Application Flow Info: Sends flow records, as per IPFIX templates 611 and 612, to IPFIX collectors.
  • Citrix ADM: Use Citrix ADM as the AppFlow collector. Provide the user name and password used to log in to Citrix ADM and store flow data.

Note

Citrix ADM currently does not support IPFIX collection.

AppFlow host settings

SNMP

SNMP is used for exchanging management information between network devices. SNMPv1 is the first version of the SNMP protocol. SNMPv2 is the revised protocol, which includes enhancements in protocol packet types, transport mappings and MIB structure elements. SNMPv3 defines the secure version of the SNMP. SNMPv3 protocol also facilitates remote configuration of the SNMP entities.

The SNMP agent collects the management information from the appliance locally and sends it to the SNMP manager whenever it is queried. If the agent detects an emergency event on the appliance, it sends a warning message to the manager without waiting to be queried for data. This unsolicited message is called a trap. Enable the required SNMP version agents and the corresponding traps, and provide the required information. For more details, see SNMP.

To configure SNMP settings, navigate to Configuration > Appliance Settings > SNMP.

SNMP

Fallback configuration

Fallback configuration ensures that the appliance remains connected to the zero-touch deployment service if there is a link failure, configuration mismatch, or software mismatch. Fallback configuration is enabled by default on the appliances that have a default configuration profile. You can also edit the fallback configuration as per your existing LAN network settings. For more information, see Fallback configuration.

Flows

The Flows section allows you to enable or disable the Citrix Virtual WAN service on the appliance. Enabling the service enables and starts the Virtual WAN daemon. The option to enable the Citrix Virtual WAN Service is available only if the service is disabled.

Enable virtual WAN service

Disable Citrix Virtual WAN service

The Disable Citrix Virtual WAN Service option is available if the service is enabled. Disabling the service stops the Virtual WAN daemon on the appliance.

You can choose to collect a diagnostic dump of the Virtual WAN network before disabling the Citrix Virtual WAN service.

Disable virtual WAN service

Restart dynamic routing

You can restart the dynamic route learning process through OSPF and BGP routing protocols. The restart dynamic routing option is provided for troubleshooting only.

Warning

Restarting dynamic routing might result in network outage.

Restart dynamic routing

Virtual paths

You can choose to enable or disable the virtual path between two sites. You can either choose the underlying individual paths, in either direction, or the overlay virtual path. Disabling the individual paths disables the entire virtual path.

Note

All paths are re-enabled after restarting the Citrix Virtual WAN Service.

Enable virtual paths

You can choose to enable or disable WAN links between two sites. Disabling all WAN links disables the virtual path.

Note

All the WAN links are re-enabled after restarting the Citrix Virtual WAN Service.

Enable WAN link

Purge all current flows

Purging flows ends all the current flows, clears the flow tables, re-establishes flow connections, and repopulates the flow table.

Purge flows

Date and time

You can change the date and time of the appliance either manually or by using an NTP server. To configure date and time manually, ensure that the Use NTP server option is not selected and provide the date and time.

Date and time

If you select the Use NTP server option, you cannot manually enter the current date and time. You can specify up to four NTP servers, but you must specify at least one. The additional servers act as backups: if one server is down, the appliance automatically synchronizes with another configured NTP server. If you specify a domain name for an NTP server, you must also configure a DNS server unless you have already done so.

NTP server

If the time zone has to be changed, change it before setting the date and time; otherwise your settings do not persist. Reboot the appliance after changing the time zone.

Time zone