Citrix SD-WAN WANOP

How WANOP plug-in works

WANOP Client Plug-in products use your existing WAN/VPN infrastructure. A computer on which the plug-in is installed continues to access the LAN, WAN, and Internet as it did before installation of the plug-in. No changes are required to your routing tables, network settings, client applications, or server applications.

Citrix Access Gateway VPNs require a small amount of WANOP Client Plug-in-specific configuration.

There are two variations on the way connections are handled by the plug-in and appliance: transparent mode and redirector mode. Redirector is a legacy mode that is not recommended for new deployments.

  • Transparent mode for plug-in-to-appliance acceleration is very similar to appliance-to-appliance acceleration. The WANOP Client Plug-in appliance must be in the path taken by the packets when traveling between the plug-in and the server. As with appliance-to-appliance acceleration, transparent mode operates as a transparent proxy, preserving the source and destination IP address and port numbers from one end of the connection to the other.

  • Redirector mode (not recommended) uses an explicit proxy. The plug-in readdresses outgoing packets to the appliance’s redirector IP address. The appliance in turn readdresses the packets to the server, while changing the return address to point to itself instead of the plug-in. In this mode, the appliance does not have to be physically inline with the path between the WAN interface and the server (though this is the ideal deployment).

    Best Practice: Use transparent mode when you can, and redirector mode when you must.

Transparent mode

In transparent mode, the packets for accelerated connections must pass through the target appliance, much as they do in appliance-to-appliance acceleration.

The plug-in is configured with a list of appliances available for acceleration. It attempts to contact each appliance, opening a signaling connection. If the signaling connection is successful, the plug-in downloads the acceleration rules from the appliance, which sends the destination addresses for connections that the appliance can accelerate.

Figure 1. Transparent Mode, Highlighting Three Acceleration Paths


Note

  • Traffic flow–Transparent mode accelerates connections between a Citrix WANOP Client Plug-in and a plug-in-enabled appliance.
  • Licensing–Appliances need a license to support the desired number of plug-ins. In the diagram, Citrix SD-WAN WANOP A2 does not need to be licensed for plug-in acceleration, because Citrix SD-WAN WANOP A1 provides the plug-in acceleration for site A.
  • Daisy-chaining–If the connection passes through multiple appliances on the way to the target appliance, the appliances in the middle must have “daisy-chaining” enabled, or acceleration is blocked. In the diagram, traffic from home-office and mobile VPN users that is destined for Large Branch Office B is accelerated by Citrix SD-WAN WANOP B. For this to work, Citrix SD-WAN WANOP A1 and A2 must have daisy-chaining enabled.

Whenever the plug-in opens a new connection, it consults the acceleration rules. If the destination address matches any of the rules, the plug-in attempts to accelerate the connection by attaching acceleration options to the initial packet in the connection (the SYN packet). If any appliance known to the plug-in attaches acceleration options to the SYN-ACK response packet, an accelerated connection is established with that appliance.

The application and server are unaware that the accelerated connection has been established. Only the plug-in software and the appliance know that acceleration is taking place.

Transparent mode resembles appliance-to-appliance acceleration but is not identical to it. The differences are:

  • Client-initiated connections only–Transparent mode accepts connections initiated by the plug-in-equipped system only. If you use a plug-in-equipped system as a server, server connections are not accelerated. Appliance-to-appliance acceleration, on the other hand, works regardless of which side is the client and which is the server. (Active-mode FTP is treated as a special case, because the connection initiating the data transfer requested by the plug-in is opened by the server.)

  • Signaling connection–Transparent mode uses a signaling connection between the plug-in and appliance for the transmission of status information. Appliance-to-appliance acceleration does not require a signaling connection, except for secure peer relationships, which are disabled by default. If the plug-in cannot open a signaling connection, it does not attempt to accelerate connections through the appliance.

  • Daisy-chaining–For an appliance that is in the path between a plug-in and its selected target appliance, you must enable daisy-chaining on the Configuration: Tuning menu.

Transparent mode is often used with VPNs. The WANOP Client Plug-in is compatible with most IPSec and PPTP VPNs, and with Citrix Access Gateway VPNs.

The following figure shows packet flow in transparent mode. This packet flow is almost identical to appliance-to-appliance acceleration, except that the decision of whether or not to attempt to accelerate the connection is based on acceleration rules downloaded over the signaling connection.

Figure 2. Packet flow in transparent mode


  1. The user’s application opens a TCP connection to the server, sending a TCP SYN packet.

    Src: 10.0.0.50, Dst: 10.200.0.10

  2. The WANOP Plug-in looks up the destination address and sees that it matches a subnet accelerated by the appliance. It attaches WANOP options to the TCP header of the SYN packet. No addresses are changed.

    Src: 10.0.0.50, Dst: 10.200.0.10

  3. The appliance notes the SYN options and recognizes that this is an accelerable connection. It strips the options from the packet and allows it to pass through to the server. No addresses are changed.

    Src: 10.0.0.50, Dst: 10.200.0.10

  4. The server accepts the connection and responds with a TCP SYN-ACK packet.

    Src: 10.200.0.10, Dst: 10.0.0.50

  5. The appliance tags the SYN-ACK packet with a TCP header option that shows that acceleration will take place.

    Src: 10.200.0.10, Dst: 10.0.0.50

  6. The WANOP Plug-in receives the SYN-ACK packet. The options in the packet headers indicate that the connection is accelerated. The Plug-in strips the options and passes the SYN-ACK packet to the application. The connection is now fully open and accelerated.
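The six-step transparent-mode handshake above, as an added simulation that is not Citrix code and does not model the real plug-in or appliance internals. It uses an assumed TCP option kind (24) for the acceleration marker, since the page does not give the kind number, and it shows three things a practitioner cares about: the server only ever receives a plain SYN (the appliance strips the option), the application only ever receives a plain SYN-ACK (the plug-in strips the option), and acceleration silently does not happen when there is no signaling connection or no appliance in the path.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed TCP option kind for the acceleration marker; the page says the plug-in
# attaches "acceleration options" to the SYN but does not give the kind number.
ACCEL_OPT = 24


@dataclass
class Packet:
    src: str
    dst: str
    flags: str                                   # "SYN" or "SYN-ACK"
    options: dict = field(default_factory=dict)  # TCP option kind -> value


class Plugin:
    """Client side: holds the rules downloaded over the signaling connection."""

    def __init__(self, rules, signaling_open=True):
        # Rules are only available once a signaling connection is open; without
        # it the plug-in never attempts acceleration.
        self.rules = [ip_network(r) for r in rules] if signaling_open else []

    def send_syn(self, src, dst):
        pkt = Packet(src, dst, "SYN")
        if any(ip_address(dst) in net for net in self.rules):
            pkt.options[ACCEL_OPT] = b"accelerate"   # addresses stay unchanged
        return pkt

    def receive_synack(self, pkt):
        accelerated = pkt.options.pop(ACCEL_OPT, None) is not None
        return pkt, accelerated                      # the application never sees the option


class Appliance:
    """In-path appliance acting as a transparent proxy: addresses preserved end to end."""

    def __init__(self):
        self.accelerable = set()   # (client, server) pairs whose SYN carried the marker

    def forward_syn(self, pkt):
        if pkt.options.pop(ACCEL_OPT, None) is not None:
            self.accelerable.add((pkt.src, pkt.dst))
        return pkt                 # the server receives a plain SYN

    def forward_synack(self, pkt):
        if (pkt.dst, pkt.src) in self.accelerable:
            pkt.options[ACCEL_OPT] = b"accelerate"
        return pkt


def server_reply(syn):
    # A server ignores unknown TCP options, so it answers the same either way.
    return Packet(src=syn.dst, dst=syn.src, flags="SYN-ACK")


def handshake(plugin, appliance, client_ip, server_ip):
    """Run steps 1-6 and report what each party observed.
    appliance=None models a path with no WANOP appliance in line."""
    syn = plugin.send_syn(client_ip, server_ip)
    syn_at_server = appliance.forward_syn(syn) if appliance else syn
    synack = server_reply(syn_at_server)
    synack = appliance.forward_synack(synack) if appliance else synack
    synack_at_app, accelerated = plugin.receive_synack(synack)
    return {
        "accelerated": accelerated,
        "server_saw_option": ACCEL_OPT in syn_at_server.options,
        "app_saw_option": ACCEL_OPT in synack_at_app.options,
        "addresses_preserved": (synack_at_app.src, synack_at_app.dst) == (server_ip, client_ip),
    }


if __name__ == "__main__":
    rules = ["10.200.0.0/24"]   # constructed rule set matching the figure's addresses
    print(handshake(Plugin(rules), Appliance(), "10.0.0.50", "10.200.0.10"))
    print(handshake(Plugin(rules, signaling_open=False), Appliance(), "10.0.0.50", "10.200.0.10"))
    print(handshake(Plugin(rules), None, "10.0.0.50", "10.200.0.10"))
```

The third call in the usage section is the case to watch on a network: the SYN leaves the client carrying the option, no appliance strips it, and the server simply ignores it, so the connection works but is not accelerated and nothing on the client reports why.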

Redirector mode

Redirector mode works differently from transparent mode in the following ways:

  • The WANOP Client Plug-in software redirects the packets by addressing them explicitly to the appliance.

  • Therefore, the redirector-mode appliance does not have to intercept all of the WAN-link traffic. Because accelerated connections are addressed to it directly, it can be placed anywhere, as long as it can be reached by both the plug-in and the server.

  • The appliance performs its optimizations, then redirects the output packets to the server, replacing the source IP address in the packets with its own address. From the server’s point of view, the connection originates at the appliance.

  • Return traffic from the server is addressed to the appliance, which performs optimizations in the return direction and forwards the output packets to the plug-in.

  • The destination port numbers are not changed, so network monitoring applications can still classify the traffic.

The following figure shows how redirector mode works.

Figure 1. Redirector Mode


The following figure shows the packet flow and address mapping in redirector mode.

Figure 2. Packet Flow in Redirector Mode


  1. The user’s application opens a TCP connection to the server, sending a TCP SYN packet.

    Src: 10.0.0.50, Dst: 10.200.0.10

  2. Citrix SD-WAN WANOP Plug-in looks up the destination address and decides to redirect the connection to the appliance at 10.200.0.201.

    Src: 10.0.0.50, Dst: 10.200.0.201

    (10.200.0.10 is preserved in a TCP option field. Options 24-31 are used for various parameters.)

  3. The appliance accepts the connection and forwards the packet to the server, using the destination address from the TCP options field and giving itself as the source.

    Src: 10.200.0.201, Dst: 10.200.0.10

  4. The server accepts the connection and responds with a TCP SYN-ACK packet.

    Src: 10.200.0.10, Dst: 10.200.0.201

  5. The appliance rewrites the addresses and forwards the packet to the Plug-in (Placing the server address in an option field).

    Src: 10.200.0.201, Dst: 10.0.0.50

  6. The connection is now fully open. The client and server send packets back and forth via the appliance.

    While the addresses are altered in redirector mode, the destination port numbers are not (though the ephemeral port number may be). The data is not encapsulated. Redirector mode is a proxy, not a tunnel.

    There is no 1:1 relationship between packets (though in the end, the data received is always identical to the data sent). Compression may reduce many input packets into a single packet. CIFS acceleration performs speculative read-ahead and write-behind operations. Also, if packets are dropped between the appliance and the plug-in, the retransmission is handled by the appliance, not the server, using advanced recovery algorithms.

How the plug-in selects an appliance

Each plug-in is configured with a list of appliances that it can contact to request an accelerated connection.

The appliances each have a list of acceleration rules, which is a list of target addresses or ports to which the appliance can establish accelerated connections. The plug-in downloads these rules from the appliances and matches the destination address and port of each connection with each appliance’s rule set. If only one appliance offers to accelerate a given connection, selection is easy. If more than one appliance offers to accelerate the connection, the plug-in must choose one of the appliances.

The rules for appliance selection are as follows:

  • If all the appliances offering to accelerate the connection are redirector-mode appliances, the leftmost appliance in the plug-in’s appliance list is selected. (If the appliances were specified as DNS addresses, and the DNS record has multiple IP addresses, these too are scanned from left to right.)

  • If some of the appliances offering to accelerate the connection use redirector mode and some use transparent mode, the transparent-mode appliances are ignored and the selection is made from the redirector-mode appliances.

  • If all of the appliances offering to accelerate the connection use transparent mode, the plug-in does not select a specific appliance. It initiates the connection with WANOP Client Plug-in SYN options, and whichever candidate appliance attaches appropriate options to the returning SYN-ACK packet is used. This allows the appliance that is actually in line with the traffic to identify itself to the plug-in. The plug-in must have an open signaling connection with the responding appliance, however, or acceleration does not take place.

  • Some configuration information is considered to be global. This configuration information is taken from the leftmost appliance in the list for which a signaling connection can be opened.
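The four selection rules above, as an added Python implementation that is not Citrix code; the data model (an appliance with resolved addresses in DNS order, a mode, a rule list of subnet plus optional port, and a signaling-connection flag) is an assumption chosen to express the rules on the page, not the plug-in's real data structures. It also encodes the dependency stated earlier in the section: an appliance with no open signaling connection has supplied no rules and can never be a candidate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    network: str                 # destination subnet the appliance can accelerate
    port: Optional[int] = None   # None means any port


@dataclass
class Appliance:
    name: str
    addresses: list              # resolved addresses in DNS order (a name may resolve to several)
    mode: str                    # "transparent" or "redirector"
    rules: list                  # Rule objects downloaded over the signaling connection
    signaling_open: bool = True


def offers(appliance, dst_ip, dst_port):
    """True if this appliance's downloaded rules cover the destination."""
    if not appliance.signaling_open:
        return False             # no signaling connection: no rules, no acceleration
    return any(ip_address(dst_ip) in ip_network(r.network) and r.port in (None, dst_port)
               for r in appliance.rules)


def select_appliance(appliances, dst_ip, dst_port):
    """Return ('redirector', name, ip), ('transparent', None, None) or None.
    The list order is the plug-in's configured order (leftmost first)."""
    candidates = [a for a in appliances if offers(a, dst_ip, dst_port)]
    if not candidates:
        return None              # nobody offers: plain, unaccelerated connection
    redirectors = [a for a in candidates if a.mode == "redirector"]
    if redirectors:
        # Rules 1 and 2: transparent candidates are ignored when any redirector offers;
        # the leftmost redirector, and its leftmost resolved address, is used.
        chosen = redirectors[0]
        return ("redirector", chosen.name, chosen.addresses[0])
    # Rule 3: all candidates are transparent. No choice is made here; the SYN goes out
    # with WANOP options and whichever in-path appliance tags the SYN-ACK (and has a
    # signaling connection open) is the one used.
    return ("transparent", None, None)


def global_config_source(appliances):
    """Rule 4: global settings come from the leftmost appliance with an open signaling connection."""
    return next((a.name for a in appliances if a.signaling_open), None)


if __name__ == "__main__":
    # Constructed appliance list; names, addresses and subnets are made up.
    A1 = Appliance("A1", ["10.10.0.1"], "transparent", [Rule("10.10.0.0/16")])
    R2 = Appliance("R2", ["10.40.0.1"], "redirector", [Rule("10.10.0.0/16")])
    R1 = Appliance("R1", ["10.30.0.1", "10.30.0.2"], "redirector",
                   [Rule("10.10.0.0/16", 445), Rule("10.30.0.0/16")])
    A2 = Appliance("A2", ["10.20.0.1"], "transparent", [Rule("10.20.0.0/16")])
    configured = [A1, R2, R1, A2]
    print(select_appliance(configured, "10.10.5.5", 445))   # mixed: leftmost redirector R2
    print(select_appliance([A1, R1], "10.10.5.5", 80))      # only A1 offers: transparent
    print(global_config_source(configured))
```

The mixed case is the one that surprises operators: a transparent appliance that is actually in the path is still passed over when any redirector appliance, anywhere in the list, has a rule covering the destination.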
