Citrix SD-WAN Orchestrator

What’s new

October 14, 2021

Enhancements

Configuration and Management

Diagnostics

You can run an iPerf diagnostic test using the SD-WAN Orchestrator service. The third-party iPerf tool is manually installed on the Data Center and Branch hosts. It provides more control over the type of diagnostic traffic sent, the direction in which the diagnostic traffic flows, and the path on which the diagnostic traffic flows.

[ SDW-20162 ]

Packet Capture on the Management Interface of SD-WAN Orchestrator is supported.

[ SDW-19827 ]

Platform and systems

Provider audit log and Network audit log enhancements:

The Provider Audit logs and Network Audit logs pages are enhanced with the following options:

  • Source IP - This field displays the IP address of the endpoint from which an SD-WAN feature is configured. This field is displayed on the Audit logs page and the Audit Info page.

  • Export as CSV - This option enables you to export the audit logs to a CSV format.

  • What changed - This section displays the logs of all the changes made to the features through the UI. Enable the Log Payloads toggle button to view this section on the Audit Info page. Currently, this section is available on the Network Audit Info page.

[ SDW-19219 ]

API Enhancements

Site Address Resolution

When a site is created using the API, the site address is automatically resolved through the Google Maps API from the latitude and longitude values passed as part of site creation.

[ SDW-20654 ]

Fixes

SDWANHELP-2395: Scrolling option for Audit logs is disabled when the payload is huge.

SDWANHELP-2329: At the site level, the Quality reports generated for a one-day duration do not show complete data. The issue is seen intermittently.

September 30, 2021

Enhancements

Configuration and Management

IP rules

The IP Protocol field under QoS Policies > IP Rules is renamed to Protocol and allows selection from a list of protocol names. To use a protocol number, select Number from the Protocol drop-down list and enter the value in the Protocol Number field.

[ SDW-19597 ]

License expiry email alert

Email notifications are sent to all the administrators every day well before their license expires. The email notification explains the impact of license expiry on the network and urges administrators to renew the licenses before they expire.

The notification email contains details such as license access code, details of affected sites, expiry date, and the number of days remaining for license expiry.

Email notifications are also sent on impending trial period expiry and grace period expiry.

[ SDW-18427 ]

Network quality report

The format of the Network quality report has been enhanced for better readability and ease of navigation.

[ SDW-11028 ]

Delivery Services and Bandwidth Allocation

The Delivery services page is enhanced to have a new look and feel. At the network level, the data remains the same. There is a change in how the data is represented.

The Delivery Services and Bandwidth Allocation (previously known as Service & Bandwidth) pages are available as suboptions under Configuration > Delivery Channels.

The Network location service is available as a suboption under Configuration.

[ SDW-10742 ]

License

Automatic license assignment

Licenses are automatically assigned when a new site is added or when the bandwidth, platform, or software edition of an existing site is modified. For the automatic license assignment to be triggered, the customer must have retrieved the licenses and added license access codes, and unused licenses must be available.

[ SDW-18569 ]

Miscellaneous

Application and DNS settings

You can now create custom applications based on the domain name under App & DNS Settings > Domains & Apps > Domain Name Based Apps. Previously, to create domain name-based applications, you had to navigate to App & DNS Settings > Custom Apps and select the Domain Name Based check box.

You can view the list of predefined applications under the App & DNS Settings > Domains & Apps > Pre-classified Apps tab. You can search for a specific predefined application using the search bar or filter the results based on the application family.

When you create an application route, QoS policy, or firewall policy, the Application entry that lists custom applications under the Match Criteria section is now renamed to Apps & Domains.

[ SDW-19458 ]

Platform and systems

Show Tech Support Bundle

You now have an option to create a Show Tech Support (STS) bundle from the network level. The STS bundle contains important real-time system information, such as access logs, diagnostic logs, and firewall logs, that helps troubleshoot issues in the SD-WAN appliances.

To create an STS bundle at the network level, navigate to Troubleshooting > STS Bundle and select a site for which to create or download the STS bundle.

[ SDW-13344 ]

Fixes

SDWANHELP-2388: Staging process fails on Citrix SD-WAN Orchestrator service. This issue occurs when there is a missing primary WAN link configuration for the Intranet service. The error message displayed on the UI is Index 1 out of bounds for length 1.

SDW-21937: Users are unable to upload a JSON configuration file of size 102.29 MB (greater than 7 MB) on the Configuration > Networking Config Home page of the UI. This issue occurs when the configuration file is not zipped and the name is anything except config.json.

September 16, 2021

Enhancements

Configuration and Management

WAN Optimization settings

Citrix SD-WAN Orchestrator service allows you to configure the following WAN optimization settings:

  • KeyStore
  • Windows domain
  • SSL profiles
  • CA certificates
  • Certificate key pairs
  • Secure peering

This feature is supported only on SD-WAN PE appliances running 11.3.1 or later versions.

[ SDW-14538 ]

Platform and systems

Temperature statistics

The Temperature section is newly introduced at the site level under Dashboard > Devices. You can view the temperature of the system, CPU, and the disks in degrees Celsius from the Temperature section.

[ SDW-20641 ]

Fixes

SDWANHELP-2354: The UI incorrectly displays an error when the dynamic virtual paths value is set to more than 8, although the maximum allowed limit is 32. This issue is observed on VPXL and 4100 SE appliances.

SDWANHELP-2317: The Staging process fails when users upgrade their Citrix SD-WAN appliances to 11.4.1 version. The UI displays the status as Staging Failed (Failed to download script files).

SDW-21751: The Staging process slows down due to an issue in the distribution of configuration packages and the backup process.

SDW-14057: In the time interval between Staging and Activation, the policy names shown in reporting and logs might be incorrect or they are shown as Unknown.

September 2, 2021

Enhancements

Configuration and Management

Delivery Services

Citrix SD-WAN Orchestrator service introduces the following delivery services at the site level:

  • Internet Service: You can define an Internet service setting at a global default level or for a specific site. You can set up only one Internet service from the site level.
  • Intranet Service: You can define an Intranet service setting for a specific site. You can set up multiple Intranet services from the site level.

[ SDW-12944 ]

Licensing

You can view the date and time at which the software maintenance expires in the Software Maintenance column under Administration > License > License View tab.

[ SDW-18299 ]

Miscellaneous

LACP support

The 802.3AD Link Aggregation Control Protocol (LACP) based negotiations are now supported. LACP is a standard protocol and provides additional functionality for LAGs.

[ SDW-13778 ]

Usability

LACP LAG Group reports

You can now view the details of the interfaces that are configured with LAG and LACP under Reports > Appliance Reports > LACP LAG Group.

[ SDW-13780 ]

Fixes

SDWANHELP-2332: It takes longer than expected to fulfill the entitlement requests initiated by the customers. The issue is seen intermittently.

SDWANHELP-2314: When a site is moved from one region to another, the exceptions are not handled successfully, which causes data inconsistency in SD-WAN services.

SDWANHELP-2230: When a site creation API request is made, the Citrix SD-WAN Orchestrator service displays the site but the site is nullified.

SDWANHELP-2112: Information associated with regions might get lost during some configuration changes.

SDWANHELP-1973: Sometimes, displaying statistics for a period of one day or more takes time. This is more noticeable for periods of one week or more. In some cases, the request does not complete in time and the UI then shows - no statistics available.

SDWANHELP-1764: You cannot Stage and Activate a new configuration change. The memory and CPU fields are assigned default values that cannot be changed because there is currently no option available in the SD-WAN Orchestrator UI. This issue occurs as the default values vary from customer to customer.

SDW-18835: On trying to configure management port 1/4 as a data port in the Fallback Configuration through the Citrix SD-WAN Orchestrator service, the error message Exceptions must derive from BaseException is displayed.

SDW-18807: Upload of new Hosted Firewall VM image is failing in Citrix SD-WAN Orchestrator service.

SDW-18505: Citrix SD-WAN Orchestrator displays the real time report of all the configured VRRP instances. However, if a VRRP instance is enabled or disabled through Orchestrator, the VRRP real time report is not displayed.

SDW-17763: An error message is displayed when a Start or Stop action is attempted on a PPPoE session, and the Start/Stop operation fails.

August 19, 2021

Enhancements

Configuration and Management

Citrix SD-WAN 11.4.1 release

Citrix SD-WAN 11.4.1 release is supported in Citrix SD-WAN Orchestrator service.

Multi-MCN providers and tenants

The Domain name mapping feature is introduced in a multi-MCN Partner network. When you add or edit a Tenant, you can configure a domain name for the Tenant. The domain name is unique across Tenants under that provider. If the domain name is not configured, any user added through Citrix Cloud (Identity and Access Management > Administration) will be added as a provider-level admin. Domain name mapping is available only for multi-MCN network Partners. It is not available for regular Partners.

[ SDW-18144 ]

Miscellaneous

Virtual path settings for the link

You can customize bandwidths for virtual paths and dynamic virtual paths associated with a WAN link. This feature is useful when some sites display performance degradation signs due to bandwidth issues.

[ SDW-9760 ]

SD-WAN Orchestrator

Syslog server settings

Citrix SD-WAN Orchestrator service supports the configuration of Syslog server settings for SD-WAN appliances. By enabling Syslog settings, you can send system alerts and event details of the SD-WAN appliances to an external syslog server.

[ SDW-13990 ]

Fixes

SDW-20861: Adding PAC File URL containing wildcards was not supported. The PAC File URL validation is now updated to allow wildcards in customized PAC File URLs.

SDW-20845: Public Internet, Private Intranet, and MPLS links can form paths only with their own link type. But Active Member Paths under Delivery Services lists paths with different link types.

July 29, 2021

Enhancements

Configuration and Management

Site-specific firewall settings

You can configure firewall settings at the site level. These settings provide security to all the SD-WAN appliances on a specific site. The following site-specific override settings are introduced in the UI:

  • Source Route Validation
  • FTP ALG
  • Max Connections Per Source
  • Max New Connections Per Source
  • Use Global Connection Timeouts

[ SDW-19140 ]

Miscellaneous

ECMP load balancing

Citrix SD-WAN Orchestrator service supports ECMP load balancing for the following delivery services:

  • Citrix Secure Internet Access
  • Zscaler
  • IPsec

[ SIAS-60 ]

Platform and systems

Real time statistics

The Real time statistics > Routes report available at the network level and site level is enhanced to include the ECMP Group column that contains ECMP group information.

[ SDW-18622 ]

Export as PDF and CSV

The Export as CSV and Export as PDF options are introduced on the following UI pages. You can use these options to export the network reports as a CSV or PDF file:

[ SDW-5253 ]

SD-WAN Orchestrator

Network Configuration Home

The Network Config Home page is revamped to enhance the user experience. The following enhancements are made:

  • The page displays the total number of sites in the network and also segregates them based on the connectivity status as numbered links. Clicking the numbered links displays the filtered results.
  • The deployment-related options such as current deployment, deployment history, change management settings which were available on the Network Config Home page are now available under the newly introduced Deployment page.
  • The options such as Batch Add Sites, Deploy config/software are now displayed under More….

Network Dashboard

The Network Dashboard page is revamped to enhance the user experience. The following enhancements are made:

  • The page displays the total number of sites in the network and also segregates them based on the connectivity status as numbered links. Clicking the numbered links displays the filtered results.
  • The +New Site option is removed.
  • The option to filter the sites based on continent and country is removed.

[ SDW-20440 ]

Cloud Direct report

Cloud Direct report is enhanced to have a new look and feel. At the site level and network level, the data within the report remains the same. There is a change in how the data is represented.

The tabs that were displayed under the Cloud Direct report are now available as suboptions in the left navigation. The Site Overview and WAN Link tabs are grouped under Performance. Monthly reports are displayed under SaaS Optimization. The Events tab is now represented as a suboption.

[ SDW-20408 ]

WAN optimization app groups and rules - Enhancements

Citrix SD-WAN Orchestrator service introduces the Reset to Defaults button on the UI. You can select this button to retrieve the list of default WAN optimization application groups and rules.

[ SDW-19867 ]

Usability

Verify Configuration

The Verify Config option available on the Network Config Home and Deployment pages is enhanced for a better user experience. The following enhancements are introduced as part of the Verify Config functionality:

  • When you click Verify Config, the Configuration results page containing the total number of audit errors and warnings is displayed.

  • Configuration results are segregated based on the audit type (error or warning). Clicking the numbers fetches the filtered results. Detailed information of the errors and warnings such as type, scope, and message are displayed in a tabular format.

  • Clicking Verify Config a second time displays the results from when the configuration was last verified, along with the date and time stamp. You can click Verify Again to rerun the validation.

[ SDW-20289 ]

Static NAT policies for IPv6 Internet service

Citrix SD-WAN Orchestrator service supports static NAT policies for IPv6 Internet service from Citrix SD-WAN 11.4.0 release onwards. With this enhancement, while creating a static NAT policy, you can either enter the outside IP address manually or enable Auto Learn via PD. When Auto Learn via PD is enabled, the SD-WAN appliance receives delegated prefixes from the upstream delegating router through DHCPv6 Prefix Delegation.

[ SDW-18296 ]

Fixes

SDW-19345: Staging operation with Cloud Direct service fails when the site name contains spaces.

SDW-18163: Monthly report for Cloud Direct service is not getting displayed on the UI.

SDW-20215: When the Verify Config action fails to take effect, the UI displays an incorrect error message Failed to fetch verification token.

SDW-20513: License Usage Insight reports are not displayed on the provider level UI.

SDW-13626: QoS class report for Cloud Direct service displays incorrect data.

SDW-12427: Site-specific application routes for Cloud Direct service are getting applied to all the sites.

July 15, 2021

Enhancements

Role settings

Users with the Provider-Master-Admin-All role can create and assign custom roles at the customer level. The customer administrators can assign these custom roles created by the provider administrator to their users.

[ SDW-18146 ]

Licenses

While allocating licenses from the License View tab, under the All Unlicensed category, selecting multiple sites is disabled. You can select only one site at a time.

[ SDW-20325 ]

Route summarization

Citrix SD-WAN Orchestrator service introduces an enhancement to the route summarization functionality. With this enhancement, you have an option to add summary routes without specifying the gateway IP address.

[ SDW-19404 ]

Site Reports: IPsec

The IPsec reports provide the real-time report of the IPsec tunnel configurations on your network.

[ SDW-12076 ]

Site Reports: Routing Protocols

The Routing Protocols report provides the details of the parameters associated with the routing protocols. You can choose the protocol from the View drop-down list and a routing domain from the Routing Domain drop-down list as needed. To view the current data, click Retrieve Latest Data.

[ SDW-12075 ]

Site selection component

Usability of the site selection component in the following configurations is improved:

  1. Partial site upgrade
  2. Network location service
  3. Routing policies
  4. QoS Policies
  5. Import route profile
  6. Export route profile
  7. Proxy Auto Config
  8. Intrusion prevention
  9. Firewall policies
  10. Application settings
  11. Zscaler service

[ SDW-16895 ]

Fixes

SDW-18766: Using the ping utility for All Sites, when you ping an IPv6 address, the error message Invalid IP address is displayed.

SDW-18163: Monthly report for Cloud Direct service is not getting displayed on the UI.

SDWANHELP-2239: Configuration of primary and secondary WAN links on an IPsec tunnel fails.

July 01, 2021

Enhancements

ICMP probing

Citrix SD-WAN Orchestrator service now supports ICMP probing. It enables administrators to determine Internet reachability to/from the SD-WAN appliance and the destination host. The following ICMP services are introduced in the UI:

  • Determine Internet reachability from link using ICMP probes
  • IPv4 ICMP endpoint Address
  • Probe Interval (in seconds)
  • Retries

[ SDW-19292 ]

Override global transit node settings

You can now override the global transit node settings and choose to enable or disable spoke-to-spoke forwarding and route export only on selected control transit nodes.

[ SDW-19276 ]

Fixes

SDW-19920: Sorting based on site name does not work in the window that pops up on clicking Assign in License view tab under Administration > Licensing.

SDW-19792: Whenever a new license is retrieved using License Access Codes or is assigned for a device, Citrix SD-WAN Orchestrator service software maintenance date does not get extended.

SDW-19574: When there is a failure in upgrading a customer’s account to production, the UI does not display the failure message.

SDW-19367: For customers having only a perpetual license, the Citrix SD-WAN Orchestrator service software maintenance date is not set, resulting in indefinite usage of appliance software.

SDW-19340: Citrix SD-WAN Orchestrator service license expiration status does not get updated even after updating the license.

SDW-19307: Citrix SD-WAN Orchestrator service license end date gets reset incorrectly when the Set License For Customer API is called on a production upgraded customer account.

SDW-19238: When there is a failure in assigning licenses, the UI does not display the failure message under Administration > Licensing.

SDW-19237: For customers having both perpetual and subscription licenses, assigning subscription license to a device might fail.

SDW-19171: The Assign option is not available for sites in the Site View tab under Administration > Licensing even when licenses are available.

SDW-19168: Assigning licenses to multiple sites simultaneously fails to update the correct count in Licenses Available and Assigned To Sites columns of the License View tab under Administration > Licensing.

SDW-18721: After importing valid production entitlements, Upgrade to production option is made available under Licensing even before assigning the license to the appliance.

SDW-19873: When the software package download fails due to intermittent network connectivity and the device has the same software package in its recovery partition, stage operation fails. The issue is observed only when Stage operation is performed before the device connects to Citrix SD-WAN Orchestrator service.

SDW-18654: In some rare cases, the Deployment page shows incorrect appliance change management status.

SDW-17047: In real-time statistics, when a customer’s site is deployed in high availability mode, the DHCP server/relay data, IGMP data, PPPoE data, and DNS data are incorrect and stale.

SDW-16968: For In-band high availability, the GUI does not have an option to select the direction of the Destination Rule with Service Type as Any, resulting in failure of the outbound rules. The error message displayed is [EC818] At Site site-name: service type ‘any’ may not be used when direction is outbound.

June 17, 2021

Enhancements

Citrix SD-WAN 11.4.0a Release

Citrix SD-WAN 11.4.0a release is supported in Citrix SD-WAN Orchestrator service.

[ SDW-19785 ]

Citrix SD-WAN 11.3.2 Release

Citrix SD-WAN 11.3.2 release is supported in Citrix SD-WAN Orchestrator service.

[ SDW-19038 ]

Audit logs

The provider level and network level audit log pages have been enhanced with the following capabilities:

  • Search: Ability to search for an audit activity based on a keyword.
  • Filtering: Run an audit log search by filtering based on user, feature, and time range. For network level logs, you can also filter by the site.
  • Audit Info: Select the info icon on the Action column to navigate to the Audit info section. This section provides the following information:
    • Method: HTTP request method of the invoked API.
    • Status: Result of the API request. You see an error message when the API request fails.
    • Payload message: Body of the request message sent through API.
    • URL: HTTP URL of the invoked API.
  • Log payloads: By default, this option is disabled. When enabled, the request body of the API message is displayed in the Audit Info section.

[ SDW-18937 ]

Member path statistics API (Preview)

Member path statistics API is modified to allow the API client to specify the fields of interest. The specified fields are returned in the response payload.

[ SDW-18903 ]

Fixes

SDW-14759: If you perform staging on a Citrix SD-WAN appliance with an inbuilt LTE modem before the appliance comes online, then the staging fails.

SDW-19162: Virtual path details under the QoS reports for Bulk traffic show null-null instead of showing valid virtual path details.

SDW-17994: The GUI displays the usage percentage for WAN link metering even when Approximate Data Used (MD) is not configured.

SDW-17896: MTU size for the IPsec tunnel was displayed as 1430 KB instead of 1430 Bytes.

SDW-18067: When the starting date is a future date, the WAN link metering reports displayed a negative value for Days Elapsed instead of 0.

May 27, 2021

Fixes

SDW-18573: When you override the application routing policy for the O365Optimize_InternetBreakout application group from Site Configuration page, an error message Cannot set 'set_site_office_365_policy' multiple times is displayed on clicking Verify. If you see this error message, but have not explicitly created application routing policy from Site Configuration page, it can be because the network configuration is generated using database migration.

SDWANHELP-2140: The software versions listed in the Software Version drop-down list under Configuration > Network Configuration Home do not specify the build type. The issue is fixed and the software versions are annotated (GA or HOTFIX) to specify the build type.

SDW-19240: Pushing the syslog settings from Citrix SD-WAN Orchestrator service to the Citrix SD-WAN appliance removes the existing SNMP settings on the appliance.

May 13, 2021

Enhancements

ECMP load balancing

Equal Cost Multi-Path (ECMP) groups allow you to group multiple routes, with the same cost, destination, and service type. ECMP load balancing ensures:

  • Distribution of traffic over multiple equal-cost connections.

  • Optimal usage of available bandwidth.

  • Dynamic transfer of traffic to another ECMP member route, if a route becomes unreachable.

  • ECMP groups can be formed over Virtual Paths and Intranet services.

Appliance settings - IPv6 address support

The following configurations support IPv6 addresses:

Notification settings

You can now define a notification profile by enabling and configuring email alerts and HTTPS messages. The notification profiles are further used in configuring alerts. Alerts for different events are configured by defining the frequency, severity type, and trigger rules for the alerts.

Site Reports: PPPoE

The PPPoE report provides status information of the configured virtual interface with the PPPoE static or dynamic client mode. It allows you to manually start or stop the sessions for troubleshooting purposes.

Fixes

SDW-18374: If the number of MPLS queues on two sites in the network does not match, EC 310 audit errors are displayed.

SDW-18305: The DHCP server instance crashes, if the data type for the TFTP server address in DHCP Option set (IPv4 and IPv6) is set as String using Custom Option.

SDW-16128: Although the changes made in the SSID profiles are inherited by SSIDs created using the SSID profiles, the changes do not reflect in the Citrix SD-WAN Orchestrator service GUI.

SDW-13046: When you roll back the network software version to lower than version 11.2, sites configured as Advanced Edition (AE) fail to stage with the message - Package extraction failure. This is because AE is supported from version 11.2 and above.

SDW-17638: For custom roles created with feature access set to No Access, the Citrix SD-WAN Orchestrator service GUI displays the default feature configuration instead of hiding the feature or displaying a 403 error message.

April 29, 2021

Enhancements

Intelligent Path selection

Citrix SD-WAN Orchestrator allows you to choose the best WAN link based on the latency count, to manage Office 365 application traffic. As part of this enhancement, Citrix SD-WAN Orchestrator service introduces the Enable O365 Intelligent Path Selection option.

The O365 metrics report introduces the following columns:

  • Lowest Latency (ms): The lowest latency count of the WAN link for a selected time period.
  • WAN Link Selected: The number of times the WAN link was chosen for Office 365 optimization.

  • Total Decisions Taken: Total number of times a decision to choose a WAN link is taken, for the selected time interval.

Office 365 Categories

Citrix SD-WAN 11.4.0 provides a more granular classification of the Allow and Optimize Office 365 categories, enabling selective bookending to improve the performance of network-sensitive Office 365 traffic. Directing network-sensitive traffic to SD-WAN in the cloud (Cloud Direct or an SD-WAN VPX on Azure), or from an at-home SD-WAN device to an SD-WAN at a nearby location with more Internet connectivity, enables QoS and superior connection resilience compared to simply steering the traffic to the nearest Office 365 front door, at the cost of an increase in latency. A bookended SD-WAN solution with QoS reduces VoIP dropouts and disconnects, reduces jitter, and improves media-quality mean opinion scores for Microsoft Teams.

The Optimize category is classified into the following sub-categories:

  • Teams Realtime
  • Exchange Online
  • SharePoint Optimize

The Allow category is classified into the following sub-categories:

  • Teams TCP Fallback
  • Exchange Mail
  • SharePoint Allow
  • O365 Common

SIA Connector Internet Breakout

You can now use the Enable SIA Collector Internet Breakout option to avoid double redirection of traffic through the Cloud Connector proxy and SD-WAN tunnels. A custom application is created to filter any traffic destined for the CSIA gateway and reporter nodes, along with other known TCP ports expected to be used by the Cloud Connectors and bypass them from tunnel usage.

Network Admin and Security Admin roles (Preview)

Citrix SD-WAN Orchestrator service supports the following roles:

  • Provider-Network-Admin: An administrator who can only view and edit the network related information.
  • Provider-Security-Admin: An administrator who can only view and edit the security related information.
  • Customer-Network-Admin: A customer administrator who can only view and edit network related information.
  • Customer-Security-Admin: A customer administrator who can only view and edit security related information.

User settings

If a customer has a Citrix Secure Internet Access subscription along with a Citrix SD-WAN subscription, then the Administration > User Setting is common between Citrix Secure Internet Access and Citrix SD-WAN Orchestrator service. A user with the Provider-Master-Admin-All or Customer-Master-Admin role defined for Citrix SD-WAN can assign a Citrix SD-WAN access level role (pre-defined or custom role) to other admin users. Similarly, a user with the Customer-Master-Admin role defined for Citrix Secure Internet Access service can assign a Citrix SIA level role (pre-defined or custom role) to other admin users.

Route export through Transit Node

You can now enable or disable route exporting on all the paths of a Transit Node. Enabling control transit node settings (green button) enables virtual path-to-virtual path forwarding and route exporting (WAN-to-WAN forwarding) on all the site paths. Disabling the green button enables only virtual path-to-virtual path forwarding and disables route exporting on all the site paths.

CSIA connectivity through GRE tunnel

Citrix Secure Internet Access (CSIA) service is a Citrix owned service. CSIA provides a full cloud-delivered security stack to protect users, applications, and data against all threats without compromising the employee experience. Any Citrix SD-WAN appliance can tunnel the traffic to the CSIA service. You can now choose the tunnel type as GRE or IPsec.

Site Reports: VRRP

The VRRP report provides a real-time report of the configured VRRP groups.

HDX reports

Citrix SD-WAN Orchestrator allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.

Citrix SD-WAN 11.4.0 Release

Citrix SD-WAN 11.4.0 release is now supported in Citrix SD-WAN Orchestrator service.

Fixes

SDW-18374: If the number of MPLS queues on two sites in the network does not match, EC 310 audit errors are displayed.

SDW-16128: Although the changes made in the SSID profiles are inherited by SSIDs created using these SSID profiles, the changes do not reflect in the Citrix SD-WAN Orchestrator service GUI.

SDW-13046: When you roll back the network software version to lower than version 11.2, sites configured as Advanced Edition (AE) fail to stage with the message - Package extraction failure. This is because AE is supported from version 11.2 and above.

SDW-17638: For custom roles created with feature access set to No Access, the Citrix SD-WAN Orchestrator service GUI displays the default feature configuration instead of hiding the feature or displaying a 403 error message.

April 08, 2021

Enhancements

Dynamic Routing

From Citrix SD-WAN 11.3.1 release onwards, you can configure one router ID for the entire protocol and also one router ID per routing domain. With this enhancement, you can enable stable dynamic routing across multiple instances with different router IDs converging in a stable manner.

Custom roles (Preview)

Citrix SD-WAN Orchestrator service allows providers and customers to create custom roles and provide access to specific features. Only the users with the Provider-Master-Admin-All or Customer-Master-Admin-All role can create custom roles under Administration > Role Settings.

Add on License for Edge Security

Citrix SD-WAN 1100 SE, SD-WAN 210 SE, 210 SE LTE, and 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. The Advanced security add-on license is supported on 210 platforms from Citrix SD-WAN 11.3.1.1000 release onwards. The Advanced security throughput depends upon your advanced security add-on license. Advanced security throughput requests beyond the throughput supported by your security add-on license are dropped.

Partial software upgrade

Citrix SD-WAN 11.3.1 partial software upgrade is supported in Citrix SD-WAN Orchestrator service.

Appliance Settings

You can now configure date and time, at the site level, through Citrix SD-WAN Orchestrator. You can either configure the date and time manually or through an NTP server and also set the time zone.

IPv6 support

Citrix SD-WAN Orchestrator service supports IPv6 addresses for the following configurations with software version 11.3.1 or above:

Management plane features:

Data plane features:

Notification settings

Alerts for different events are configured by defining the frequency, severity type, and trigger rules for the alerts. You can now define a notification profile by enabling and configuring email alerts. The notification profiles are further used in configuring alerts.

Site Reports: IGMP

The IGMP reports table provides a real-time report of the IGMP statistics and IGMP Proxy groups.

Site Reports: Metered WAN Links

The WAN Link Metering reports provide details about the metered WAN link usage. You can view the reports to get insights into the data consumption of the metered WAN links.

Zero Touch Deployment

SD-WAN Orchestrator supports zero-touch deployment and Inband management-enabled appliances with single stack or dual stack of both IPv4 and IPv6 addresses.

Fixes

SDWANHELP-1994: Upon upgrading the software from Citrix SD-WAN 11.3.0 to 11.3.1 release, an audit error EC15002 might be shown if you have a DNS proxy configured for any of the sites.

March 18, 2021

Enhancements

Retry staging

Retry staging option is now available to reinitiate staging at the sites where the staging process has failed.

Custom application

The Enable Reporting check box is newly added for the IP Protocol-based custom applications. Now you can also view the IP protocol and domain name-based custom application-defined traffic under the Reports > Usage page. The custom application option is also added as a type under the Application quality configuration page.

Add-on License for Edge Security: The add-on license enables Edge Security capabilities on Standard Edition appliances for existing and new customers. You can now get an add-on Edge Security license along with the base license. The procedure to add and allocate add-on licenses to a device is similar to the existing base license workflow. Ensure that the base license is available before adding an add-on license. The Add-on License for Edge Security feature is supported on the Citrix SD-WAN 1100 appliances.

AWS Gateway Service

AWS Gateway Service is now supported as a Delivery Service. AWS Transit Gateway allows you to create and manage a single gateway to connect your Amazon Virtual Private Cloud (Amazon VPC) deployments and on-premises networks. AWS Transit Gateway Connect integrates Citrix SD-WAN and AWS Transit Gateway and simplifies the ability to build and manage global private networks. With Transit Gateway Connect, you create a Connect attachment that establishes a Connect peer (GRE tunnel) between the Citrix SD-WAN appliance and AWS Transit Gateway. The Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and Border Gateway Protocol (BGP) for dynamic routing.

Interfaces

You can enable or disable a virtual interface using the Enable check box.

Site Reports: DHCP

The DHCP Server/Relay report provides information on the interfaces that are configured as DHCP Server or Relay and their associated routing domain and status.

Site Reports: DNS

The DNS Statistics report provides the information on application name, DNS service name, DNS service status, and the number of hits to the DNS service.

Site Reports: NDP

The NDP reports provide the real-time report of the NDP configurations.

Fallback configuration

Fallback configuration ensures that the appliance remains connected to the zero-touch deployment service if there is a link failure, configuration mismatch, or software mismatch. Fallback configuration is enabled by default on the appliances that have a default configuration profile. If the fallback configuration is disabled at a site, you can enable it through the Citrix SD-WAN Orchestrator service.

Flows

You can now use the Appliance settings Flows section to perform the following action:

  • Enable/disable Citrix Virtual WAN service
  • Restart dynamic routing
  • Enable/disable virtual paths
  • Enable/disable WAN links

March 04, 2021

Enhancements

Partial Site Upgrade Setting

The Partial Site Upgrade option is newly added to upgrade or downgrade the selected sites with a different software version. Partial Site Upgrade provides the ability to test a new version before deploying to the entire network. With the Partial Site Upgrade feature, upgrades can be staggered, thereby reducing the impact of software upgrades during business hours.

Alert when site loses Orchestrator cloud connectivity: Currently, there is no record in Alerts when the site loses cloud connectivity with Citrix SD-WAN Orchestrator service. With this feature, event entries are available in Alerts whenever the site loses or regains cloud connectivity with Citrix SD-WAN Orchestrator service.

Citrix SD-WAN 11.3.1 Release: Citrix SD-WAN 11.3.1 release is now supported in Citrix SD-WAN Orchestrator service.

Fixes

SDW-16124: If the configuration is deployed after a new site has been added, Citrix SD-WAN Orchestrator service incorrectly detects this as a software upgrade and throws a warning that - Near Hitless is not possible as there needs to be at least one site supporting hitless upgrade.

February 18, 2021

Enhancements

IP rules

You can enable internet traffic policy and configure internet traffic settings under the Internet Traffic Policy section. The Internet Traffic Settings enable you to transmit and receive packets for flows that match the rule over the internet.

Deployment Tracker

  • When the newly introduced Ignore Incomplete check box is enabled, the Activate check box is enabled only after all the online control nodes (MCN, RCN, Geo MCN, Geo RCN) get staged. You can choose to activate even if some of the online branch appliances are not staged. The online branch appliances that fail to get staged are ignored.

  • During deployment, in the case of a configuration-only update, only the sites that have configuration changes are staged and activated. For the remaining sites, the timestamp is updated and processed. The Not Needed column lists the number of sites that do not have any configuration change.

    If the software version is being changed, both configuration and software package are staged and activated on all the sites in the network.

Citrix SD-WAN VPX instance on Azure through SD-WAN Orchestrator service

Citrix SD-WAN Orchestrator service allows easy and quick deployment of a Citrix SD-WAN instance in Azure. It automates the process of provisioning an SD-WAN VPX instance in Azure while defining a cloud site. You can define the resource group, VNets/subnets, and other parameters for the template used for provisioning the SD-WAN VPX instance in Azure. The interfaces and WAN link configurations are auto populated for the Orchestrator configuration based on the resources created in Azure. You can then stage and activate the configuration on the VPX instance through Citrix SD-WAN Orchestrator service.

Site Details

The Site Details tab is added under the Deployment Tracker UI. The deployment site shows the site-specific details like SD-WAN Orchestrator Connectivity, High Availability (HA), and Software Version it is running on.

Support time range for API queries: From Citrix SD-WAN 11.3.1 release onwards, you can obtain the time range support for API queries (for Events).

Fixes

SDW-15522: Creating a site by cloning and deleting the original site leads to an error - Unable to find Site name belonging to Uiid < num >.

January 28, 2021

Enhancements

Orchestrator traffic classification and Internet breakout

Citrix SD-WAN Orchestrator traffic optimization is introduced from Citrix SD-WAN software version 11.2.3 or higher. The goal is to provide a more granular classification, and thus, separately identify Citrix SD-WAN Orchestrator service traffic and other dependent services’ traffic from Citrix Cloud, and provide an Internet breakout option. As a result, customers can now choose to optimize only the Citrix SD-WAN Orchestrator service traffic.

Firewall policies

Firewall Profiles is renamed to Firewall Policies and the Verify Config option is removed from the UI. The following accordions which were under Firewall Profiles are now displayed as tabs and the labels are changed as follows:

  • Global Override Profile is renamed to Global Override
  • Site Specific Profile is renamed to Site Specific
  • Global Profile is renamed to Global Default

Fixes

SDW-15602: In rare conditions, the Citrix SD-WAN Orchestrator service UI does not populate the standby appliance log files.

SDW-16183: The sorting of the Application Usage Network and Site Report table column was incorrect.

SDW-16244: An incorrect Short Name was displayed on the Reboot/Reset dialog box.

SDW-16267: The Dynamic Routing Import/Export filters UI was not updating when a site is changed.

SDW-16274: WAN Optimization software staging was not happening for Citrix SD-WAN Premium Edition (PE) devices when the appliance software version is 11.2.2.14.

January 13, 2021

Enhancements

Network Location Service

Network Location Service (NLS) is a Citrix Cloud service that determines if the user connecting to Citrix Virtual Apps and Desktops is from the internal network. You can configure NLS for all sites within the network or specific sites through Citrix SD-WAN Orchestrator service. Using NLS, you can avoid manually configuring IP addresses of Citrix SD-WAN deployed locations.

You can enable NLS at the network level under Configuration > Delivery Services > Network Location Service.

Citrix SD-WAN Orchestrator service UI update

The look and feel of the Citrix SD-WAN Orchestrator service UI is changed to reflect the new color and font as per Citrix rebranding.

Note

The screenshots in the Citrix SD-WAN Orchestrator service documentation might still reflect an earlier UI and will be updated in the upcoming releases.

Fixes

SDW-13205: In Citrix SD-WAN Orchestrator service, information under deployment history is incorrect and it might show some negative values for activated sites.

SDW-14968: When the site had three WAN links, the third WAN link was not displayed in the side picture depicting links.

SDW-15608: During the software upgrade, if the branches are connected to Citrix SD-WAN Orchestrator service through the virtual path to the control node, then it’s possible that the control nodes get activated before the branch gets the command to activate.

SDWANHELP-1606: The number of x-axis ticks was wrong for 1 week which leads to repetitive days on the x-axis for graphs.

SDWANHELP-1613: The appliances which were having a slow internet connection used to time out during the staging file download operation.

December 17, 2020

Enhancements

Support for Hosted Firewall

Citrix SD-WAN Orchestrator service supports the Palo Alto Networks and Check Point hosted firewall integration on SD-WAN 1100 platform.

Site Configuration menu restructure

At site level configuration, the following UI changes are made:

  • Basic Settings is renamed to Site Configuration.

  • The Gateway ARP Timer (ms) and Host ARP Timer (ms) fields under Basic Settings > Site Details are now grouped under Advanced Settings > ARP.

  • The tabs under Advanced Settings are now listed as submenu options. The accordions under individual Advanced Settings tabs are now displayed as tabs under the respective submenu options. All the submenu options now display secondary breadcrumbs.

  • The Virtual Paths tab under Advanced Settings is renamed to Delivery Services and moved as a submenu option under Advanced Settings.

  • The Routing tab under Advanced Settings is renamed to Dynamic Routing.

Citrix SD-WAN 11.3 Release: Citrix SD-WAN 11.3 release is now supported in Citrix SD-WAN Orchestrator service.

Wi-Fi Access point

You can configure a Citrix SD-WAN appliance that supports Wi-Fi as a Wi-Fi Access Point, eliminating the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to Citrix SD-WAN appliance through Wi-Fi.

The following two variants of Citrix SD-WAN 110 platform support Wi-Fi and can be configured as an access point:

  • Citrix SD-WAN 110-WiFi-SE
  • Citrix SD-WAN 110-LTE-WiFi

You can configure and manage Citrix SD-WAN appliances that are configured as Access Points through the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator service also allows you to view Wi-Fi related reports such as connected devices, data utilized, usage, and authentication failure logs at both network level and individual site level.

There are 2 geography SKUs to support 110 Wi-Fi SE and 110 LTE Wi-Fi SE, one for US or Canada and the other for Rest of World (ROW).

Advanced Edge security support for Citrix SD-WAN 410 SE appliance

Citrix SD-WAN 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses.

Firewall defaults

The Action When Security Profiles Cannot be Inspected drop-down list is introduced to define an action for the packets that match a firewall rule and engage a security profile but temporarily cannot be inspected by the Edge Security subsystem. If you select Ignore, then the relevant firewall rule is treated as not matched and the next firewall rule in order is evaluated. If you select Drop, the packets matching the relevant firewall rule are dropped.

IPS Profiles

IPS profiles allow you to enable a combination of IPS rules for a specific set of sites within the network. When an IPS profile is enabled, it inspects the network traffic only for the sites with which the IPS profile is associated and the IPS rules enabled within that profile. You can create IPS profiles on Citrix SD-WAN Orchestrator service at the network level under Configuration > Security > Intrusion Prevention.

Anti-Malware

You can add new File Types and MIME Types for Anti-Malware scanning. If Anti-Malware denies access to a website, you can set an external server location to redirect users. The users can be redirected to the default redirect page provided by Citrix SD-WAN Orchestrator service or you can create a custom redirect page.

Web filter option for advanced edition

For the Web filtering security functionality, the following safe browsing options are added under the Advanced Options:

  • Enforce safe search on popular search engines
  • Enforce restrict mode on YouTube
  • Force searches through kid-friendly search engine

SSL inspection

You can now configure Secure Sockets Layer (SSL) inspection for the traffic flowing to and from your organization. SSL inspection intercepts, decrypts, and scans the HTTPS and secure SMTP traffic for malicious content. You can create SSL rules as part of security profiles and define conditions for the traffic to undergo SSL inspection.

SSL inspection can be configured through Citrix SD-WAN Orchestrator. The SSL Inspection option is newly added under Configuration > Security and Configuration > Security Profile > New Security Profile.

Fixes

SDW-14810: In-band Management drop-down list option will be populated with IPs after a site is cloned.

SDW-11941: Advanced firewall functionalities don’t work in one of the following scenarios. Also, no audit error is seen while performing the following scenarios:

  • Downgrade of 1100-AE from 11.2.0 to lower builds which do not support advanced firewall functionalities
  • Conversion of 1100-AE to 1100-SE on 11.2.0

December 03, 2020

Enhancements

Citrix SD-WAN Premium Edition (PE) Support

You can now configure and deploy Citrix SD-WAN PE appliances through Citrix SD-WAN Orchestrator service. As part of PE Phase-1 development, you can now configure WAN Optimization Configurations like Features, Tuning, Applications, and Rules through Citrix SD-WAN Orchestrator service. Deployment of SD-WAN PE appliances is also now possible through Citrix SD-WAN Orchestrator service.

NOTE

  • The Citrix SD-WAN PE appliances are only supported on 1100, 2100, 5100, and 6100 platforms.
  • Citrix SD-WAN PE Support through Citrix SD-WAN Orchestrator service is currently only available for SD-WAN software version of 11.2.2.14.

Fixes

SDW-11224: While performing the software upgrade on networks with the Cloud Direct enabled sites, the activation status for such sites gets stuck in progress even after completion.

SDW-14772: The Change Management status would not show the latest status after completing staging or activation.

SDW-14773: During activation, the Change Management did not provide a warning to users about skipping the HA near-hitless software upgrade. The issue is now fixed. The UI provides a warning to the users when the HA near-hitless software upgrade is skipped or run by skipping the selected sites.

SDW-14774: The HA near-hitless software upgrade feature would activate all HA pairs in the network even if some sites were offline. This caused the activation to fall back to single-step activation for the entire network.

The issue is now fixed. The sites that cannot undergo HA near-hitless software upgrade are ignored and the remaining HA pairs undergo two-step activation.

SDW-14775: Users were unable to route the Citrix SD-WAN Orchestrator service traffic through the defined Application Route with the default internet breakout policy set to Discard and all traffic routed through the Virtual Path. When the Virtual Path was dead, the appliances were unable to reach the internet. This issue is fixed now. The SD-WAN appliances can always communicate to the internet using Default Application Routes created for SD-WAN Orchestrator Breakout, provided the user has a WAN Link configured with internet service and there is internet connectivity.

November 12, 2020

Enhancements

Site default routing domain and auto-bandwidth provisioning

Citrix SD-WAN Orchestrator service provides the ability to select the default routing domain for the site. Routing domain settings can either be global or site-specific. Also, you can enable/disable the virtual paths auto-bandwidth provisioning for all WAN links.

Fixes

SDW-10283: When software upgrade to version 11.1.0.227 is done from an appliance which has Virtual WAN service disabled and is relying on only the LTE link for internet connectivity, the activation of the appliance does not complete and the appliance goes offline.

SDW-14411: An audit error occurs when you create a custom application route at the site level under Configuration > Site Configuration > Routes using the match criteria as Custom Application or Application Group.

SDW-14777: The IP addresses in an IP Group were not validated for uniqueness.

October 29, 2020

Enhancements

Site Routing Policies

Routing policies help to enable traffic steering. You can now configure Application Routes and IP Routes at the site level to steer traffic.

Hybrid billing model

For prepaid customers, the hybrid billing model is introduced. With the hybrid billing model, a customer’s network can support both perpetual and annual subscription licenses.

Fixes

SDW-12994: Enabling Force Internal VIP Matching along with subnets that match the network subnets of the Virtual IP address would cause an audit error, leading to failure of deployment.

SDW-13419: In production mode, when you have licenses assigned to all sites (that is, no spare licenses) and you make a change to a site’s bandwidth, platform, or appliance edition, the site becomes unlicensed.

SDW-13931: When a perpetual user enters an add-on entitlement, Citrix SD-WAN Orchestrator service indicates that the license billing model does not match the customer billing model.

SDW-13946: When a configuration update is done for a network, a device can intermittently go into an Activation Pending state after it has been marked as Activation Complete. This occurs if the Citrix SD-WAN Orchestrator service checks for auto-correction during the period the device has marked Activation Complete and the new configuration version running on this device is yet to be received by Citrix SD-WAN Orchestrator service.

The newly issued activation command sees the version of the running software and its configuration and relays to Citrix SD-WAN Orchestrator service that auto-correction is not needed, moving the device to the Activation Complete state.

October 21, 2020

Enhancements

Citrix SD-WAN 11.2.2 Release: Citrix SD-WAN 11.2.2 release is now supported in Citrix SD-WAN Orchestrator service.

October 15, 2020

Enhancements

MPLS queues real-time statistics

You can view the MPLS Queues real-time statistics on the Citrix SD-WAN Orchestrator service. You can also view the direction, number of packets, delta packets, and mismatched DSCP packets for Intranet and Virtual path services.

For MPLS queues, you can view the access interface, IP address, proxy address, interface MAC address, and ARP details associated with the MPLS queue.

October 1, 2020

Enhancements

Domain name based custom applications

Domain name based custom applications are supported in Application Routing, Application Rule, and Firewall Profiles. To use a custom name based application, the match criteria must be listed as Application while creating Application Route and Firewall Policy.

HDX report

Citrix SD-WAN Orchestrator service allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.

Zscaler service

You can now add sites for the Zscaler service. When a site is added, an IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies. While adding a site you can either automatically pick the ZENs based on the geo-location lookup of IP addresses of WAN links or manually select the ZENs. One ZEN is configured as the Primary and the other as the secondary. If the link to the primary ZEN goes down, the secondary ZEN takes over and provides high availability.

DNS settings

Citrix SD-WAN Orchestrator service supports the following types of DNS services:

  • Static: Intercepts the DNS requests destined to the SD-WAN IP address and forwards them to the specified DNS servers. You can create internal, ISP, Google, or any other open source DNS service.
  • Dynamic: Intercepts the DNS requests destined to the SD-WAN IP address and redirects them to one of the DNS servers learned from the DHCP based WAN links. If the WAN link goes down, another DHCP based WAN link's DNS server is chosen. This feature is useful in deployments where ISPs allow DNS requests only to DNS servers hosted by them.

You can choose a DNS proxy service for in-band management. The InBand Management DNS drop-down list is introduced under Basic Settings > Interfaces. The DNS proxy services added under Advanced Settings > DNS are listed under the InBand Management DNS drop-down list.

In-band provisioning

Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is now supported on the designated data ports and there is no need to use a separate management port for zero-touch deployment. Citrix SD-WAN Orchestrator service also allows management traffic to fail over seamlessly to the management port when the data port goes down, and conversely.

Fixes

SDWANHELP-1539: The default member paths for static virtual paths of MPLS are populated incorrectly based on the From and To queue names. The issue is fixed and the member paths are populated based on the From and To queue DSCP tags.

SDW-13329: Unable to perform the edit and clone operations as the action icons in the network configuration home page are grayed out.

SDW-11020: Citrix SD-WAN appliances on the Citrix SD-WAN Orchestrator service are displayed as online, even when the appliances are offline.

September 16, 2020

Enhancements

Show Tech Support bundle

The Show Tech Support (STS) Bundle contains important real-time system information such as access logs, diagnostics logs, and firewall logs. The STS bundle is used to troubleshoot issues in the SD-WAN appliances. You can now create and download the STS bundles from the Citrix SD-WAN Orchestrator service.

DSCP tag and Enable Encryption

The unique Differentiated Services Code Point (DSCP) tag field is added along with the Enable Encryption check box. Each WAN link requires a unique Virtual IP Address (VIP) to create the WAN link and a unique DSCP tag corresponding to the provider’s queuing scheme. The Enable Encryption check box helps to enable/disable the encryption for every custom MPLS, private Intranet, and public Internet Inter-Link Communication Group.

Fixes

SDW-12669: Messages Display is not switching or going off unless you refresh the browser.

SDW-12822: Deleting a site operation can sometimes fail.

SDW-13001: On configuring a Transit Node, if the tertiary control node is selected once and a cost specified then that cost value keeps appearing even after clearing it.

SDW-13023: Enabling the private check box reflects a blank tooltip while creating a virtual interface under Interfaces.

SDW-13031: While creating an Interface under Virtual interfaces, against the virtual interface name field, an inline help is asking the user to select a virtual interface from an editable text box.

SDW-13214: Some reports had responses in Kbps and some in Bytes. But due to the granular report changes, the Citrix SD-WAN Orchestrator service UI was expecting all the graph response to be in Kbps or KB.

SDW-13261: While creating the bridge pair as fail-to-block, there is no delete icon displayed against the Actions label.

SDW-13275: New users are getting the Access Denied error during the On-Boarding process after requesting an SD-WAN Trial.

SDW-13307: Breadcrumb Site selection was a hyperlink instead of a drop-down list when logged in as customer Admin.

SDW-13320: Enhanced the displayed information in the Network configuration home page.

SDW-13327: Corrected the confirmation messages for reset and reboot operations to be more user-friendly by including the site name in addition to the serial number of the box.

SDW-13367: Under Service and Bandwidth configuration, the hover text for the Service Type field refers to the NAT translation.

SDW-13373: At the site level configuration, under Advanced settings > DNS, incorrect terminology appeared (reflecting DNS Server instead of DNS Service).

SDW-13385: WAN link name validation is missing on the Citrix SD-WAN Orchestrator service UI.

September 3, 2020

Enhancements

Role Based Access Control:

Role based access control (RBAC) regulates access to Citrix SD-WAN Orchestrator service resources based on the roles assigned to individual users. RBAC allows users to access only the data that their role demands and restricts any other data.

Roles can be assigned at Provider and Customer level under Administration > User Settings. Users can be assigned with a role from the following list of predefined roles.

  • Provider-Master-Admin-All
  • Provider-Master-Admin-Tenant
  • Provider-Master-ReadOnly
  • Customer-Master-Admin
  • Customer-Master-ReadOnly-Admin
  • Provider-Support-ReadWrite
  • Provider-Support-ReadOnly
  • Customer-Support-ReadWrite
  • Customer-Support-ReadOnly

Advanced Edge Security support for Citrix SD-WAN 210 SE appliances (Preview):

Citrix SD-WAN 210 SE and 210 SE LTE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. To enable advanced security capabilities on a Citrix SD-WAN 210 appliance, reimage the appliance software to Citrix SD-WAN 10.2.7.17 and install the Advanced Security add-on license. For more details, see USB reimage Utility.

Note

Activating the advanced security add-on license on the Citrix SD-WAN 210 appliance, for the first time, might take up to 20 minutes approximately.

Gateway Service optimization:

You can now enable the first packet detection, classification, and selective routing (direct internet breakout or over the virtual path) of the traffic destined for the Citrix Cloud and Citrix Gateway Service (control and data). This feature is only available via Citrix SD-WAN Orchestrator service starting from SD-WAN version 11.2.1.

Real-time Reports:

Citrix SD-WAN Orchestrator service allows you to view the real-time reports for the following security features:

  • Web Filtering: Provides the real-time report of the last 1000 web (HTTP, HTTPS) events from the total number of web requests.
  • Anti-Malware: Provides the real-time report of the last 1000 Anti-Malware events from the total number of the files scanned.
  • Intrusion Prevention: Provides the real-time report of the last 1000 logged and blocked intrusion prevention system events from the total number of intrusion events.

Application settings:

The Application Settings page provides an option to disable Global Deep Packet Inspection (DPI). DPI is enabled globally, by default, for all the sites in your network. Disabling DPI stops DPI classification capability on the appliance. You can also choose to disable DPI for certain sites only by overriding the global DPI settings.

WAN link services:

Under WAN link services, on the selection of Link Specific from the Service Bandwidth Settings drop-down list, you can see that the following options are newly added:

  • LAN to WAN Tag
  • WAN to LAN Tag
  • WAN to LAN Match
  • LAN to WAN Delay
  • Tunnel Header Size
  • WAN to LAN Grooming

Virtual interface enhancement:

You can forward the directed broadcasts to Virtual IP subnets on the Virtual Interface with the Directed Broadcast check box.

Fixes

SDW-12350: The WAN link access-type was not considered as part of the provisioning, which caused MPLS links to not have the proper traffic shaping applied.

SDW-12414: If an appliance fails staging or activation, the Citrix SD-WAN Orchestrator service keeps trying to auto-correct the appliance and bring it in sync with the network in a loop. The loop continues until a new stage is issued from the UI.

SDW-12868: Activation for 11.1.1.39/11.1.1.1006/11.2.0.88 builds fails in production for fresh SD-WAN 110/210 appliances (factory reset state) due to some permission issues.

August 12, 2020

Enhancements

Dynamic Virtual Path enhancements:

  • Dynamic virtual paths can now be enabled/disabled at the site level using the Enable Dynamic Virtual Paths check box. The ability to enable dynamic virtual paths across the network globally is retained.
  • You can configure IPsec tunnel settings for dynamic virtual paths at the network level.
  • The dynamic virtual path thresholds for LAN-to-WAN and WAN-to-LAN in terms of bytes per second and packets per second are introduced per WAN link.

Static Virtual Path enhancements: The Tunnel Header Sizes in Bytes and Active MTU Detect configuration options are introduced in the Virtual Path WAN link properties.

Auto-correction: In the Citrix SD-WAN Orchestrator service, the auto-correction feature is implemented in the change management workflow. The auto-correction feature is applicable for staging failure on a branch node and activation failure on any node. The maintenance mode check box is added under the Change Management Settings to perform manual troubleshooting on an appliance. Once the maintenance mode check box is cleared, the auto-correction mechanism brings the appliance in sync with the network software and configuration version.

Fixes

SDW-9407: When the Citrix SD-WAN Orchestrator service UI has been open for some duration, at times the UI buttons cannot be clicked.

SDW-10310: Unable to download large log files from the appliance through the Citrix SD-WAN Orchestrator service.

July 15, 2020

Enhancements

Application Quality: Application QoE is a measure of Quality of Experience of applications in the SD-WAN network. The Application QoE score is a value between 0 and 10. The score range that it falls in determines the quality of an application. The Application QoE dashboard provides the overall Application QoE score of all the applications in your network. You can also view individual Application QoE reports.

Region configuration enhancements: You can now change the default region, provide a description for the region, and add new subnets. You can also allow non-private Virtual IP addresses within a region or from other regions to match the configured subnets.

Citrix SD-WAN releases: The following Citrix SD-WAN releases are now supported in the Citrix SD-WAN Orchestrator service:

  • Citrix SD-WAN 10.2.7
  • Citrix SD-WAN 11.0.3d
  • Citrix SD-WAN 11.1.1a

Fixes

SDW-11988: For releases 11.0 and above, configuration updates to add or delete sites cause the virtual paths to go down due to network security key rotation. Although the issue is fixed, push a configuration update to synchronize the network secure key with the Citrix SD-WAN Orchestrator service. Configuration updates made after the synchronization will not cause virtual path disruption.

SDW-11920: The Real-time Statistics table pagination icons are not rendering.

SDW-11906: The IPsec tunnels are not getting created when the type chosen is LAN.

SDW-9572: Uploading log bundles larger than 32 MB from an appliance to the Citrix SD-WAN Orchestrator service fails.

July 6, 2020

Enhancements

Appliance settings: Citrix SD-WAN Orchestrator service allows you to configure the appliance settings, at the site level, and push it to the remote appliances. You can configure user, network adapters, NetFlow, AppFlow, and SNMP settings.

Link Aggregation Groups: The Link Aggregation Groups (LAG) functionality allows you to group two or more ports on your SD-WAN appliance to work together as a single port. This ensures increased availability, link redundancy, and enhanced performance. Citrix SD-WAN Orchestrator service supports simple Link Aggregation Group (ACTIVE-BACKUP).

Transit Nodes: Transit nodes reduce the cost of routing by configuring sites to route data via a virtual overlay transit node. You can configure Internet or Intranet transit nodes to allow sites without internet or intranet service to route to the internet or intranet through the configured transit sites.

Firewall profile: Firewall profiles provide security by ensuring that network traffic is restricted only to a specific firewall rule depending on the match criteria and by applying specific actions. The Firewall Profile contains three sections.

  • Global Profiles – Global profile is an aggregation of a couple of firewall rules. The profile that you create under the Global Profiles section is applied across all the sites in the network.
  • Site Specific Profiles – You can apply the defined firewall rules on certain specific sites.
  • Global Override Profile – You can override both global and site-specific profiles using the Global Override Profiles.

Fixes

SDW-7501: The bandwidth test under the diagnostics tool displays the virtual path connections between 2 sites even when there are no virtual path connections.

SDW-10335: In some rare scenarios, the delete site operation does not complete. The operation terminates prematurely and the GUI is not loaded, rendering the network unusable in Citrix SD-WAN Orchestrator service.

SDW-11120: Importing a config.json file that contains LTE-WiFi as the sub model was giving an error.

June 11, 2020

Enhancements

Edge Security: The Citrix SD-WAN Edge Security capability enables advanced security on Citrix SD-WAN branch appliances. It simplifies information security management by providing a single management and reporting pane for Network Edge Security. It eliminates the need for multiple branch solutions by consolidating routing, SD-WAN, and security capabilities on a single appliance. This reduces network complexity and operational cost, and provides a more secure network edge. The Edge Security stack includes the following security functionality:

  • Web filtering
  • Anti-Malware
  • Intrusion Prevention

Note

  • The Edge Security is only supported for Citrix SD-WAN deployments managed through the Citrix SD-WAN Orchestrator service.
  • External syslog server support is not available through Citrix SD-WAN Orchestrator service for Citrix SD-WAN Edge Security.

Subnet support: From release 11.2 onwards, Citrix SD-WAN UI allows /31 subnets for configuring the network address.

Metered link enhancements: The following options are introduced under Advanced WAN link settings:

  • Approximate Data Already Used: The approximate data already used in MB for the metered link. This is applicable only for the first cycle. To track the metered link usage properly, specify the approximate metered link usage if the link has already been used for a few days in the current billing cycle.

  • Disable link if Data Cap Reached: If the data usage reaches the specified data cap, the metered link and all its related paths are disabled until the next billing cycle. If this option is not selected, the metered link remains in the current state, after the data cap is reached, until the next billing cycle.

Auto-learning of Public IP address on Intranet WAN link: You can now enable Auto learning of Public IP address on Intranet WAN links, under Basic settings > WAN Link Attributes, to support DHCP on Fail-to-Wire port.

Note

Rollout of this release is in progress. The feature is available in respective POPs as the rollout completes.

Fixes

SDW-10685: There was a difference between 11.x and 10.x builds while creating the software package. As a result, the staging was failing for 10.2.5 and prior releases.

SDW-10738: Starting 11.1.0, a new configuration knob is added for inband management configuration on the site interface group page. This is a mandatory configuration for any appliance that needs to be managed through an inband IP. Missing this configuration in the Citrix SD-WAN Orchestrator service can cause the appliance to go offline (especially important when the 210s and 110s that were managed over LTE upgrade to 11.1.0).

June 1, 2020

Enhancements

LTE firmware upgrade: You can now upgrade the LTE firmware via the Citrix SD-WAN Orchestrator service along with configuring and managing all the LTE sites in your network. While creating the site, you need to select LTE as a submodel for the SD-WAN 210 appliance/model. Currently, the LTE support is only applicable on 210 appliances. You need to set the scheduling window information to upgrade the LTE firmware corresponding to the latest selected software version.

Static inter-routing domain service: Citrix SD-WAN Orchestrator service now supports Static Inter-routing Domain service, enabling routing between Routing Domains within a site or between different sites. This eliminates the need for an external edge router to handle routing between two routing domains. The inter-routing service can further be used to set up routes, firewall policies, and NAT rules.

Citrix SD-WAN 11.1.1 Release: Citrix SD-WAN 11.1.1 release is now supported in Citrix SD-WAN Orchestrator service.

Fixes

SDW-10348: In some rare scenarios, the total sites that are displayed in the Deployment History were not the same as the actual sites configured.

SDW-10378: In some rare scenarios, the staging gets stuck after deleting the GeoMCN site.

SDW-10587: While attempting network deployment from the Citrix SD-WAN Orchestrator service, 500 internal server errors were occurring.

SDW-10615: For IP Routes, when you select valid to/from links for Eligibility based on Path, an audit error occurred - Path Does Not Exist.

SDW-10713: For VPX/VPXL, there was an issue in license string parsing.

SDW-10764: Corrected the validation checks about the usage of SFP ports of the SD-WAN 1100 platform when the Y-cable feature is enabled.

SDW-10777: In some rare scenarios, Citrix SD-WAN Orchestrator service was blocking changes to firmware builds even though the customer has a valid software maintenance license.

SDW-10778: A configuration conversion error occurs when a WAN link is saved in the configuration without any access interface as part of it.

SDW-10811: In some rare scenarios, the routing domain is not visible in the WAN Link reports.

SDW-10812: In some rare scenarios, the routing domain is not visible in the ARP reports.

SDW-10815: Check box for optimize is not checked by default for Office 365. This was the expected behavior when the feature was designed.

SDW-10840: Added validation when the primary appliance serial number is not added but the secondary appliance serial number is added.

SDW-10844: The unknown_network error was appearing while performing staging activity during change management.

SDW-10857: WAN link specific upload and download speeds were interchanged when used in a Cloud Direct site.

SDW-11033: There was a possibility for staging to get stuck for networks where a few sites were deleted and staging was attempted during change management.

May 13, 2020

Enhancements

Y-cable: You can now enable Y-cable support for Citrix SD-WAN 1100 SE/PE appliances through the Citrix SD-WAN Orchestrator service. The Small Form-factor Pluggable (SFP) ports can be used with a fiber optic Y-Cable to enable the high availability feature for Edge Mode deployment.

Wrap Alerts description: The alert message contents under the Reports > Alerts > Message column are now wrapped. Earlier, the alert messages were hidden when the length of the message was greater than the width of the allocated cell size.

DHCP Client: The Dynamic Host Configuration Protocol (DHCP) Client option is now available under the Site Profile template. Hence, the sites that are created through the Site Profile also inherit the DHCP Client option.

Citrix SD-WAN 110 appliance support: The Citrix SD-WAN 110 hardware model appliance is now supported in the Citrix SD-WAN Orchestrator service.

Fixes

SDW-10576: When the customer updates the Virtual Interface (VIF) Name under the Site Configuration > Interfaces > Sub Interfaces at the site level, the corresponding DHCP Relay VIF Name is not updated.

April 28, 2020

Enhancements

HA near-hitless software upgrade: The HA near-hitless software upgrade feature ensures that the network downtime, during the software upgrade (11.1.x and above) process for an HA pair, is not more than the HA switch over time.

Appliance reports (Preview): Appliance report delivers Network traffic and System usage reports. Under Appliance Reports you can view Interfaces, Network, CPU Usage, Disk Usage, and Memory Usage reports in different tabs.

Change password: Citrix SD-WAN Orchestrator service allows you to centrally change the password of all the SD-WAN appliances in your network from the Network Configuration > Home page.

Microsoft Office 365 beacon service: Citrix SD-WAN supports Microsoft Office 365 beacon probing capability to help determine the best link to be used for Office 365. The probes determine the latency (round-trip-time) involved in reaching Office 365 endpoints through each WAN link, enabling network administrators to identify the best link to be used for Office 365 traffic. The Office 365 beacon probing capability is available only via the Citrix SD-WAN Orchestrator service.

Fixes

SDW-9511: During staging, the change management failure always showed the message as Staging Failed.

SDW-9913: The WAN link throughput value displayed in the statistics page is less than the actual throughput value.

SDW-9973: Deleting a site does not remove the reference of the deleted site from all the global features, resulting in configuration verification failure.

SDW-9513: In the HA primary/secondary appliances, if the serial number is swapped between the primary and secondary appliances, the configuration is not pushed as per the swapped serial numbers. The configuration is pushed as per the initial serial number assignment or, in rare cases, both the appliances are treated as primary or secondary.

April 15, 2020

Fixes

SDW-10018: You might observe QoS data inconsistency between the tabular and graphical views.

SDW-9913: The WAN link throughput value displayed in the statistics page is less than the actual throughput value.

SDW-9739: You might observe that the configuration version is different on some appliances after network configuration deployment. It results in some virtual path not getting established between a branch and a control node.

SDW-9618: During the change management/configuration deployment process, the GUI allows you to continue with activation even when there are failures in the staging process. Once the activation succeeds in other appliances, the GUI incorrectly reports that the activation was successful.

SDW-9888: The WAN link usage real-time statistics table is staggered and misaligned for a WAN link configured with standby, metered, or standby with metered connection.