Appliance settings

Citrix SD-WAN Orchestrator allows you to configure appliance settings at the site level and push them to the remote appliances.

You can configure the user, network adapters, NetFlow, AppFlow, and DNS settings.

If HA is configured, select the primary or secondary appliance for which you want to change the appliance settings.

Administrative interface

The administrative interface allows you to add and manage the local and remote user accounts. The remote user accounts are authenticated through the RADIUS or TACACS+ authentication servers.

Manage users

You can add new user accounts for the site. To add a new user, navigate to Configuration > Appliance Settings > Administrator Interface > Manage Users, and click +User.

Provide the following details:

  • User Name: The user name for the user account.
  • New Password: The password for the user account.
  • Confirm Password: Reenter the password to confirm it.
  • User level: Select one of the following account privileges:
    • Admin: An Admin account has read-write access to all the settings. An admin can perform configuration and software updates on the network.
    • Viewer: A Viewer account is a read-only account with access to Dashboard, Reporting, and Monitoring sections.
    • Network Admin: A Network Administrator has read-write access to the Network setting and read-only access for other settings.
    • Security Admin: A Security Administrator has read-write access to the Firewall / Security related settings and read-only access to other settings.

      Note

      A Security Administrator has the authority to disable write access to the firewall for other users (Admin/Viewer).

To delete a user, select a user name and click Delete Selected User. The user account and the local files are deleted.

Change local user password

To change the local user password, navigate to Configuration > Appliance Settings > Administrative Interface > User Accounts > Change Local User Password and provide the following values:

  • User Name: Select a user name for which you want to change the password from the list of users configured at the site.
  • Current Password: Enter the current password. This field is optional for admin users.
  • New Password: Enter a new password of your choice.
  • Confirm Password: Reenter the password to confirm it.

RADIUS authentication server

RADIUS enables remote user authentication on the appliance. To use RADIUS authentication, you must specify and configure at least one RADIUS server. Optionally, you can configure redundant backup RADIUS servers, up to a maximum of three. The servers are checked sequentially. Ensure that the required user accounts are created on the RADIUS authentication server.

To configure RADIUS authentication, navigate to Configuration > Appliance Settings > Administrative Interface > RADIUS, and click Enable RADIUS.

Note

You can either enable RADIUS or TACACS+ authentication on a site. You cannot enable both at the same time.

Provide the host IP address of the RADIUS server and the authentication port number. The default port number is 1812. Enter a Server key and confirm it. The Server key is a secret key used to connect to the RADIUS server. Specify the time interval to wait for an authentication response from the RADIUS server. The timeout value must be less than or equal to 60 seconds.

Note

The Server Key and Timeout settings are applied to all the configured servers.

TACACS+ authentication server

TACACS+ enables remote user authentication on the appliance. To use TACACS+ authentication, you must specify and configure at least one TACACS+ server. Optionally, you can configure redundant backup TACACS+ servers, up to a maximum of three. The servers are checked sequentially. Ensure that the required user accounts are created on the TACACS+ authentication server.

To configure TACACS+ authentication, navigate to Configuration > Appliance Settings > Administrative Interface > TACACS+ and click Enable TACACS+.

Note

You can either enable RADIUS or TACACS+ authentication on a site. You cannot enable both at the same time.

  1. Select the encryption method to send the user name and password to the TACACS+ server.
  2. Provide the host IP address of the TACACS+ server and the authentication port number. The default port number is 49.
  3. Enter a Server key and confirm it. The Server key is a secret key used to connect to the TACACS+ server.
  4. Specify the time interval to wait for an authentication response from the TACACS+ server. The timeout value must be less than or equal to 60 seconds.

Note

The Authentication type, Server Key, and Timeout settings are applied to all the configured servers.

NetFlow host settings

NetFlow Collectors collect IP network traffic as it enters or exits an SD-WAN interface. You can determine the source and destination of traffic, class of service, and the causes for traffic congestion using NetFlow data. For more information, see Multiple NetFlow Collector.

You can configure up to three NetFlow hosts. To configure NetFlow host settings, navigate to Configuration > Appliance Settings > NetFlow Host Settings. Select Enable NetFlow and provide the IP Address and Port number of the NetFlow host.

Network adapters

You can manually change the IP address, subnet mask, or gateway IP address of the appliance or enable DHCP. You can also configure a pair of primary and secondary static DNS server IP addresses. For more information, see Domain name system.

To configure the network adapter settings, navigate to Configuration > Appliance Settings > Network Adapter.

AppFlow host settings

AppFlow and IPFIX are flow export standards used to identify and collect application and transaction data in the network infrastructure. This data gives better visibility into application traffic utilization and performance.

The collected data, called flow records, is transmitted to one or more IPv4 collectors. The collectors aggregate the flow records and generate real-time or historical reports. For more information, see AppFlow and IPFIX.

To configure AppFlow Host Settings, navigate to Configuration > Appliance Settings > AppFlow Host Settings and click Enable. Specify the data update interval, in minutes, at which the AppFlow reports are exported to the AppFlow / IPFIX collector.

Choose one of the following AppFlow dataset templates:

  • TCP only for HDX: Collects and sends multi-hop data of ICA connections to the AppFlow collector.
  • HDX: Collects and sends HDX insight data of ICA connections to the AppFlow collector.

You can configure up to four AppFlow / IPFIX collectors. For each collector specify the following parameters:

  • IP Address: The IP address of the external AppFlow / IPFIX collector system.
  • Port: The port number on which the external AppFlow / IPFIX collector system listens. The default value is 4739. You can change the port number depending on the collector used.
  • AppFlow: Sends flow records, as per IPFIX template 613, to IPFIX collectors.
  • Application Flow Info: Sends flow records, as per IPFIX templates 611 and 612, to IPFIX collectors.
  • Citrix ADM: Use Citrix ADM as the AppFlow collector. Provide the user name and password to seamlessly log in to Citrix ADM and store flow data.

Note

Citrix ADM currently does not support IPFIX collection.
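
One way to confirm, on the collector side, which of the templates listed above the appliance is actually exporting. This is an added example, not Citrix code: it parses an IPFIX message as laid out in RFC 7011 and assumes that the numbers 611, 612 and 613 on this page are IPFIX template IDs. The function names and the sample datagram are constructed for illustration.

```python
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2
# Assumption: 611, 612 and 613 from this page are IPFIX template IDs.
EXPECTED_TEMPLATES = {611, 612, 613}

def _template_ids(body):
    """Walk the template records of one template set and return their IDs."""
    ids, off = set(), 0
    while off + 4 <= len(body):
        tid, field_count = struct.unpack("!HH", body[off:off + 4])
        if tid < 256:  # trailing padding, not a template record
            break
        off += 4
        for _ in range(field_count):
            ie_id = int.from_bytes(body[off:off + 2], "big")
            off += 8 if ie_id & 0x8000 else 4  # enterprise bit adds a 4-byte PEN
            if off > len(body):
                raise ValueError("truncated field specifier")
        ids.add(tid)
    return ids

def parse_ipfix(datagram):
    """Return (template IDs defined, data set IDs used) for one IPFIX message."""
    if len(datagram) < 16:
        raise ValueError("shorter than the 16-byte IPFIX header")
    version, length = struct.unpack("!HH", datagram[:4])
    if version != IPFIX_VERSION or not 16 <= length <= len(datagram):
        raise ValueError("not a complete IPFIX message")
    templates, data_sets, pos = set(), set(), 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length out of bounds")
        if set_id == TEMPLATE_SET_ID:
            templates |= _template_ids(datagram[pos + 4:pos + set_len])
        elif set_id >= 256:
            data_sets.add(set_id)  # a data set's ID is the template it uses
        pos += set_len
    return templates, data_sets

def sample_message():
    """Constructed datagram: template 613 (2 fields) plus one data set using it."""
    tmpl = (struct.pack("!HH", 613, 2) + struct.pack("!HH", 8, 4)
            + struct.pack("!HHI", 0x8000 | 1, 4, 99999))  # 99999: made-up PEN
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    dset = struct.pack("!HH", 613, 12) + bytes(8)
    body = tset + dset
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 1, 0) + body
```

Feeding each UDP payload received on the collector port to `parse_ipfix` and subtracting the result from `EXPECTED_TEMPLATES` shows which enabled export options have not yet produced a template.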

SNMP

SNMP is used for exchanging management information between network devices. SNMPv1 is the first version of the SNMP protocol. SNMPv2 is the revised protocol, which includes enhancements in protocol packet types, transport mappings and MIB structure elements. SNMPv3 defines the secure version of the SNMP. SNMPv3 protocol also facilitates remote configuration of the SNMP entities.

The SNMP agent collects the management information from the appliance locally and sends it to the SNMP manager whenever it is queried. If the agent detects an emergency event on the appliance, it sends out a warning message to the manager without waiting to be queried for data. This emergency message is called a trap. Enable the required SNMP version agents and the corresponding traps, and provide the required information. For more details, see SNMP.

To configure SNMP settings, navigate to Configuration > Appliance Settings > SNMP.
