Citrix SD-WAN Orchestrator

WAN-Optimization settings

You can configure WAN Optimization settings like KeyStore, Windows Domain, SSL Profiles, CA Certificates, Certificate Key Pairs, and Secure Peering for each site, through Citrix SD-WAN Orchestrator service. To configure WAN optimization settings, from the site-level, navigate to Configuration > WAN-OP Settings.

Citrix SD-WAN Orchestrator service supports WAN Optimization settings for SD-WAN PE appliances running the software version 11.3.1 or higher.

KeyStore Settings

You can enable KeyStore settings by selecting the Enable KeyStore Password check box. Set the KeyStore password by updating the KeyStore Open Password and the Confirm New Keystore Password fields and then click Save. To disable KeyStore settings, clear the Enable KeyStore Password check box.

The key store password secures the security keys and settings of the SD-WAN appliance. Every time the SD-WAN appliance restarts, the key store is automatically closed. You must then open the key store for secure acceleration to resume.

Keystore settings

Windows Domain

You can join the server-side Citrix SD-WAN appliance to a domain that the Windows file server and Exchange server are a part of. This makes the SD-WAN appliance a trusted member of the Windows security system.

To add a server-side SD-WAN appliance to a domain name:

  1. In the Windows Domain section, update the Domain Name, User Name, and Password fields.

  2. Click Save.

Windows domain

To add the users to a domain name:

  1. In the Delegate Users section, click Add.
  2. Update the Domain Name, User Name, and Password fields.
  3. Click Save. The user profile appears in the list with basic information such as the domain to which the user is connected, and so on.

You can also edit or remove an end-user profile by navigating to the Actions column and clicking the 3 dots.

Windows domain

SSL Profiles

Citrix SD-WAN Orchestrator service supports all SSL related configuration of the SD-WAN PE appliances for security and usability. On the SD-WAN Premium (Enterprise) Edition, service classes are configured by Citrix SD-WAN Orchestrator service and therefore, you cannot attach any SSL profiles. To accommodate the expression of SSL profile mapping to a service class, the work flow for SSL profiles is changed to allow for attaching Service classes in the profile node.

To create SSL profile on a new SD-WAN PE appliance:

  1. Navigate to Configuration > WAN-OP Settings > SSL Profiles and then click Add. Create the SSL Profile.
  2. On the SSL Profile page, provide a profile name and select the Service Classes that are associated to this profile. Choose the Proxy Type and provide relevant data.
  3. Provide all the other data on the SSL Profile page.
  4. Click Save.

SSL profiles

After you create the SSL profile and associate it with a service class, you can view the SSL profile information as shown below.

SSL profiles

Limitation

While configuring an SSL profile, the SSL profile gets attached to all rules in a service class. If you need to attach the SSL profile selectively to a particular rule, the service class configuration is split into detailed rules for further selection.

CA Certificates

You can install CA certificates through Citrix SD-WAN Orchestrator service. To add a CA certificate:

  1. In the CA Certificates section, click Add.
  2. Update the Certificate Key Pair Names field.
  3. Choose an input method – File Upload or Paste Text based on your requirement.
  4. Click Save.

CA certificates

You can also edit or remove a CA certificate by navigating to the Actions column and clicking the 3 dots.

CA certificates

Certificate Key Pairs

You can add Certificate Key pairs through Citrix SD-WAN Orchestrator service.

To add an SSL Certificate key pair:

  1. In the Certificate Key Pairs section, click Add.
  2. Update the Certificate Key Pair Names and the Key Password fields.
  3. Choose an input method – File Upload or Paste Text based on your requirements. When you select the File Upload method, you can select a configuration file to upload the Certificate key and the Private key. The allowed file types are .pem, .der, .pfx, and .crt.

    CA certificates

    When you choose the Paste Text method, you can update the Certificate key and the Private key details manually.

  4. Choose an input format – Combined Certificate/Private Key or Separate Certificate/Private Key based on your requirement. In case of .pem and .der file formats, there are separate upload boxes for certificate and key.

  5. Click Save.

    CA certificates

You can also edit or remove a Certificate-key pair by navigating to the Actions column and clicking the 3 dots.

CA certificates

Secure Peering

Secure communications with the Citrix SD-WAN WANOP appliances require that you generate OpenSSL credentials, including a CA Certificate and a Certificate/Key pair, and select a verification method. You can optionally change the OpenSSL cipher specification.

You can enable the secure peering settings by clicking the edit icon in the Secure Peering Certificate and Keys section and selecting the Enable Secure Peering check box.

  • Certificate Configuration
    • Private CA: When you choose this option, Citrix SD-WAN Orchestrator service automatically generates the certificates and keys. You can securely connect to the peer SD-WAN appliances of other sites by providing the appliance details in the Connected Peers section.

    Secure peering

    • CA Certificate: When you choose this option, you can install the certificates and keys as per your requirements.

    Secure peering

In the Listen On and Connect To section, you can connect multiple SD-WAN appliances by providing the IP address and port details. Click +Connect To and provide the details as required, and click Connect.

Secure peering

WAN-Optimization settings