Citrix SD-WAN WANOP

Office 365 Acceleration

  1. Why do we parse the SAN?

    Creating a separate profile for the FQDNs of every Office 365 domain is tedious. To avoid this, the appliance parses the Subject Alternative Name (SAN) list from the certificates instead.

  2. What is an exclude list?

    If the browser or app does not contain the CA certificate, an error or warning message is displayed. In such cases, after a few failed connection attempts from the browser or app (2-3 times), the client’s IP address is added to an exclude list. On the next attempt the connection is not SSL proxied and the page loads without any error or warning. The client IP address remains in the exclude list for 48 hours. The exclude list is maintained only for split proxy.

  3. Where to check for Office 365 acceleration connection information?

    Navigate to Monitoring > Connections > Accelerated Connections, check for the SSL proxy state. For connection details, click the details icon.


  4. What happens if the exclude list option is not enabled as part of the SSL profile configuration?

    If the browser or app does not contain the CA certificate, it displays an error or warning and the connections from that client or app are blocked. To avoid this, select the Exclude List option as part of the SSL profile configuration.

  5. What happens if the required SANs are not part of the configured/created proxy certificate?

    The connections will not be SSL proxied and there will be no acceleration benefits for non-proxied SSL connections.

  6. What happens when the client is not part of the domain or if the client does not have the root certificate of the domain?

    The connections are blocked if the exclude list is not enabled.

  7. What happens if the data center side Citrix SD-WAN WANOP does not have the root or intermediate CAs?

    The connections are blocked, or the Office 365 application pages that require the missing root or intermediate CAs load only partially. To unblock the connections or have these pages load fully, either add the appropriate CA certificates or disable the SSL profile from acceleration.

  8. How to know which clients are excluded from acceleration?

    Excluded client information is available in the logs or from the CLI command show ssl-exclude-list.

  9. What to do when clients are excluded?

    By default, exclude list entries on the appliance are cleared after 48 hours. To clear them sooner, use the CLI command clear ssl-exclude-list -<all>/<Client_IP>.

  10. How to know which SSL connections (SNIs) are not proxied?

    The list of non-proxied SNIs is available in the logs or from the CLI command show ssl-non-proxied-sni.

  11. How to clear non-proxied SNIs?

    Use the CLI command clear ssl-non-proxied-sni -<all>/<server name identifier>.
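    The following example, added here and not part of the Citrix documentation or product code, models the SAN coverage check behind items 1, 5, 10 and 11: each connection’s SNI is compared against the SAN list of the proxy certificate (the sample SAN list below is constructed, not real certificate data), connections with an uncovered SNI are left non-proxied and recorded, and the recorded list can be shown or cleared in the way the show/clear ssl-non-proxied-sni commands describe. Extracting the SAN entries from a real certificate is assumed to happen beforehand (for example with openssl x509 -noout -ext subjectAltName); the class and function names here are illustrative.

```python
"""Model of SAN-based proxy coverage for an SSL proxy profile (added example)."""
from __future__ import annotations

# Constructed sample SAN entries, as parsed from a proxy certificate's
# subjectAltName extension. Not data from any real Microsoft certificate.
PROXY_CERT_SANS = [
    "outlook.office365.com",
    "*.sharepoint.com",
    "login.microsoftonline.com",
]


def san_matches(san: str, sni: str) -> bool:
    """Return True if one SAN dNSName entry covers the given SNI.

    Uses the usual browser rule: case-insensitive comparison, and a wildcard
    may only stand for the whole leftmost label. So '*.sharepoint.com' covers
    'contoso.sharepoint.com' but neither 'a.b.sharepoint.com' nor
    'sharepoint.com'.
    """
    san = san.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if not san.startswith("*."):
        return san == sni
    suffix = san[1:]                      # e.g. ".sharepoint.com"
    if not sni.endswith(suffix):
        return False
    leftmost = sni[: -len(suffix)]        # the label the wildcard replaced
    return leftmost != "" and "." not in leftmost


class SniProxyTable:
    """Decides per connection whether the SNI is covered by the proxy
    certificate and keeps the list of SNIs that were not proxied."""

    def __init__(self, sans: list[str]):
        self.sans = list(sans)
        self.non_proxied: set[str] = set()

    def decide(self, sni: str) -> bool:
        """True if the connection can be SSL proxied (SNI is in the SAN list).
        Uncovered SNIs are recorded so an operator can see why there was no
        acceleration benefit for that connection."""
        proxied = any(san_matches(san, sni) for san in self.sans)
        if not proxied:
            self.non_proxied.add(sni.lower())
        return proxied

    def show_non_proxied(self) -> list[str]:
        """Counterpart of 'show ssl-non-proxied-sni'."""
        return sorted(self.non_proxied)

    def clear_non_proxied(self, target: str = "all") -> int:
        """Counterpart of 'clear ssl-non-proxied-sni -<all>/<sni>'.
        Returns the number of entries removed."""
        if target == "all":
            removed = len(self.non_proxied)
            self.non_proxied.clear()
            return removed
        if target.lower() in self.non_proxied:
            self.non_proxied.remove(target.lower())
            return 1
        return 0


if __name__ == "__main__":
    table = SniProxyTable(PROXY_CERT_SANS)
    for name in ["outlook.office365.com", "contoso.sharepoint.com",
                 "a.b.sharepoint.com", "graph.microsoft.com"]:
        print(f"{name:28s} proxied={table.decide(name)}")
    print("non-proxied SNIs:", table.show_non_proxied())
```

    A missing SAN therefore does not break the connection; it silently costs the acceleration benefit, which is why the non-proxied SNI list is the first place to look when a redirected Office 365 page is not being proxied (see also the note below on creating a separate proxy certificate for redirected pages).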

  12. What is the default time for a client in the exclude state?

    A client remains in the exclude state for 48 hours.
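    The exclude-list behavior described in items 2, 4, 9 and 12 can be modeled in a few lines. This example is added here and is not Citrix code: a client whose browser or app lacks the proxy CA fails the proxied handshake; after a small number of failures (the FAQ says 2-3 times, so the threshold of 3 is an assumption) the client IP is excluded, its later connections bypass SSL proxying, and the entry expires after 48 hours unless cleared with the equivalent of clear ssl-exclude-list. The clock is injectable so the 48-hour expiry can be exercised offline; the class and method names are illustrative.

```python
"""Model of the SSL-proxy exclude list described in this FAQ (added example)."""
from __future__ import annotations
import time
from typing import Callable

EXCLUDE_TTL_SECONDS = 48 * 3600   # FAQ: a client stays excluded for 48 hours
FAILURE_THRESHOLD = 3             # assumption: FAQ says "after 2-3 attempts"


class SslExcludeList:
    """Tracks failed proxied handshakes per client IP and the resulting
    exclusions, including their expiry."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now                         # injectable clock
        self._failures: dict[str, int] = {}     # ip -> consecutive failures
        self._excluded: dict[str, float] = {}   # ip -> expiry timestamp

    def _expire(self) -> None:
        """Drop entries whose 48-hour window has elapsed."""
        now = self._now()
        for ip in [ip for ip, exp in self._excluded.items() if exp <= now]:
            del self._excluded[ip]

    def is_excluded(self, client_ip: str) -> bool:
        self._expire()
        return client_ip in self._excluded

    def record_handshake_failure(self, client_ip: str) -> bool:
        """Count one failed proxied handshake (the client rejected the proxy
        certificate). Returns True once the client is in the exclude state."""
        if self.is_excluded(client_ip):
            return True
        count = self._failures.get(client_ip, 0) + 1
        self._failures[client_ip] = count
        if count >= FAILURE_THRESHOLD:
            self._excluded[client_ip] = self._now() + EXCLUDE_TTL_SECONDS
            del self._failures[client_ip]
            return True
        return False

    def should_proxy(self, client_ip: str) -> bool:
        """Excluded clients are passed through without SSL proxying, so the
        page loads without a warning but also without acceleration."""
        return not self.is_excluded(client_ip)

    def show(self) -> list[str]:
        """Counterpart of 'show ssl-exclude-list'."""
        self._expire()
        return sorted(self._excluded)

    def clear(self, target: str = "all") -> int:
        """Counterpart of 'clear ssl-exclude-list -<all>/<Client_IP>'.
        Returns the number of entries removed."""
        self._expire()
        if target == "all":
            removed = len(self._excluded)
            self._excluded.clear()
            return removed
        return 1 if self._excluded.pop(target, None) is not None else 0


if __name__ == "__main__":
    # Constructed client address; walk through the three failures.
    xl = SslExcludeList()
    for attempt in range(1, 4):
        excluded = xl.record_handshake_failure("192.0.2.10")
        print(f"attempt {attempt}: excluded={excluded}")
    print("proxy 192.0.2.10?", xl.should_proxy("192.0.2.10"))
    print("exclude list:", xl.show())
```

    Note that without the exclude list (item 4) the third failure would simply be another blocked connection; with it, the client is quietly served unproxied, which is why the exclude list should be checked whenever a client reports working pages but no acceleration.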

  13. Can we have multiple profiles applied for a particular service class?

    Yes, a service class can have multiple SSL profiles applied.

    To do this, on your Virtual WAN appliance navigate to Configuration > Service Class > Web (Internet-Secure) > Edit > Edit (Application) and add the available profiles.

  14. How do you check the reason for non-proxied connections?

    Check the TCP connection page; for more detail, check the logs. To debug non-proxied connection issues, do the following.

    1. If the log shows no valid configuration - Set a valid configuration. For more information on configuring the Office 365 feature, see Office 365 Acceleration.

    2. If the log shows that certificate verification failed - Add valid CA certificates to the data center side Citrix SD-WAN WANOP appliance.

    3. If the log shows client excluded - Clear the excluded client information from the appliance using the CLI command clear ssl-exclude-list -<all>/<Client_IP>.

Additional Notes

  • Logging in to the OneDrive client sometimes displays a warning message (“spurious warning”). This is a known issue from Microsoft (https://support.microsoft.com/en-us/kb/3097938) and is not specific to the Citrix SD-WAN WANOP appliance.

  • For the Office 365 redirected pages to be proxied, it is recommended to create a separate proxy certificate whose SAN list corresponds to the certificate of the redirected pages. Create another profile with this proxy certificate and apply it to the service class. Also add the relevant CA to the Citrix SD-WAN WANOP appliance.

  • Sometimes the browser does not show the correct CA certificates. In such cases, use Wireshark or OpenSSL to get the root and intermediate CA names, and obtain the certificates from an authentic source (for example, the Windows certificate store).

  • Browser behavior differs when Office 365 applications are accessed from different browsers that lack the required certificates while the Exclude List option is disabled.

  • When Office 365 connections are SSL proxied (that is, the SSL proxy state is True) but the browser displays the Office 365 certificate instead of the proxy certificate, open the browser in incognito mode and check the behavior, or clear the cache and check the behavior again.

  • Microsoft Office 365 includes many components and applications such as OneDrive, Outlook, SharePoint, Word, PowerPoint, Excel and OneNote. All these applications have been tested and are known to work without any problems. Other applications are expected to work without any problems, too; however, this status can change over time, and you might encounter unknown problems.
