What’s New

The Citrix SD-WAN release 10 version 1 introduces the following new features and enhancements:

Product rebranding

  • The NetScaler SD-WAN product name is rebranded to Citrix SD-WAN.
  • All references to the product terms, Cloudbridge, and NetScaler are applicable to Citrix SD-WAN.
  • The Enterprise Edition (EE) platform is rebranded to Premium Edition (PE). The Enterprise Edition appliance web management interface is now rebranded to Premium Edition (PE).
  • The software image files are now renamed to ctx-sdw from ns-sdw except the cb-vw<>.tar.gz file.

Application centric enhancements

Auto qos with single port multi-stream ICA

  • In release 10 version 1, the SD-WAN Standard Edition appliance can differentiate each ICA data stream in multi-stream ICA even in a single-port configuration. This feature is available from release 9 version 3 for the WANOP and Premium editions of SD-WAN. Each ICA stream is classified as a separate application with its own default QoS class for prioritization.
  • For single-port Multi-Stream ICA functionality to work properly with Standard Edition, you need to have:

    • Citrix SD-WAN release 10 version 1.
    • Version 7.17 or above of the Virtual Delivery Agent (VDA) for Citrix Virtual Apps (XenApp) or Citrix Virtual Desktops (XenDesktop). See, XenDesktop, XenApp, and Citrix Receiver for supported release versions. For information about HDX Insights, see HDX Insights](/en-us/netscaler-mas/12-1/analytics/hdx-insight.html).

Configuration and license management

Change Management Process

Scalability is achieved by defining regions and managing regions using the Region Controller Nodes (RCN). The MCN manages the RCNs in the network and the RCN manages the client sites in its region, allowing the user to centrally manage large scale Enterprise / MSP deployments.

  • In Citrix SD-WAN release 10 version 1, the software upgrade process using the tar.gz file is improved to increase speed and reduce disk usage compared to the tar.gz file upgrade process in the previous release versions. These improvements are observed when upgrading from Citrix SD-WAN release 10 version 1 to a newer version of the software using the tar.gz files.

    • Change management and Single Step Upgrade integration.
    • Lower packaging time and disk usage for later SD-WAN software release upgrades (tar.gz).

Centralized licensing


Support for appliance to choose license with bandwidth level/configured bandwidth.

  • Addresses CSP licensing model use case.
  • More license grace period:

    • In addition to existing grace period functionality, the license file/configuration removal is added in release version 10.1.
    • If appliance is licensed and license file or license configuration is removed then appliance enters 30 day grace period.
  • When the selected license rate does not match configured WAN link rate following message is displayed for licensing events:
    • Message: The total configured permitted rate (LAN to WAN) NNNN (Kbps) must not exceed twice the License Rate which is NNNN (Kbps), Severity: WARNING, Events: Syslog, Email.

Configurable ARP times

In some deployments, SD-WAN is overloaded by access points and sends ARP requests too frequently (every second). To prevent this, you can now configure ARP timers (MS) during site configuration.

  • Current default value of 1000 MS is supported.
  • Configurable range: 1000 MS to 180000 MS is supported.
  • Not applicable to management port.

See, Configurable ARP times

Security enhancements

Two factor authentication on SD-WAN Center

Two-factor authentication (TFA) presents two authentication factors to gain access to Citrix SD-WAN Center for both local and remote user accounts. It introduces an extra layer of security in the Citrix SD-WAN Center login sequence. The first level of authentication for a local user account is achieved by using the password configured on Citrix SD-WAN Center. For more information, see user accounts. The first level of authentication for a remote user account is achieved by using the primary RADIUS or TACACS+ authentication server. For more information, see Primary authentication. An extra secondary RADIUS or TACACS+ authentication server can be configured for both local and remote user accounts to enable two-factor authentication. For more information, see secondary authentication.

IPsec configuration

New service types for Intranet are added for the IPsec tunnel configuration.

  • Default
  • Microsoft Azure Virtual WAN
  • Zscaler
  • Citrix SaaS Gateway

Cloud services

Add on Services to cloud Citrix SD-WAN 10.1 supports Secure IPsec tunnel branch connectivity to Microsoft Azure Virtual WAN.

  • Microsoft Azure virtual WAN and Citrix SD-WAN provides simplified network connectivity management across hybrid cloud workloads. You can automate the deployment of branch networks to the Azure WAN and configure branch traffic management policies with on premises solutions to automatically connect to Azure.
  • Citrix SD-WAN deployment in Microsoft Azure virtual WAN allows you to automatically connect and configure on premise SD-WAN devices. The built-in dashboard interface provides instant troubleshooting insights that can save time and provides view for large scale site-to-site connectivity. For more information about configuring Citrix SD-WAN appliances in Microsoft Azure Virtual WAN.
  • SaaS Gateway Service - The Citrix SD-WAN SaaS Gateway Service delivers SD-WAN functionality as a service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (datacenter, cloud, and internet). This improves network visibility and management. It enables partners to offer managed SD-WAN services and business critical SaaS applications to their end customers. See SD-WAN SaaS gateway service.
  • SD-WAN Secure Web Gateway to Palo Alto Networks: Global Protect Cloud Service (GPCS). See, SD-WAN web gateway service.

Default state tracking

  • In release 10 version 1, firewall connection states are always tracked and tracking cannot be disabled. By default, you cannot enforce proper states or validate checksums.
  • Connection timeouts are configurable in the SD-WAN GUI globally, under Global > Network Settings section, or at Site level under Connections > Firewall > Settings > Advanced section. The configuration is applied depending on the connection state. In earlier release versions, if connection tracking is not enabled, then connections stay in untracked state for which default timeout value is 30 secs.

Monitoring and reporting

Session based HTTPS POST notification on SD-WAN appliances and SD-WAN Center

  • You can now configure event and alarm reporting for generic HTTP POST API service requests in the Citrix SD-WAN appliance GUI. The HTTP alarm and event notification configuration are similar to the email and SNMP events for events and alarms supported in SD-WAN.
  • The session based HTTP Post notification is sent to an external service; such as Service Now. The event notifications for HTTP server can be configured in the Citrix SD-WAN appliance GUI and Citrix SD-WAN Center. See, Session based HTTP notifications.

Compression reports in premium edition

Citrix SD-WAN Premium edition does not have a view for showing compression reports on a per protocol or application basis through WANOP service classes, which have the protocol or application association. If you are using a Premium edition appliance, then the only report available for compression is a connection level compression report which does not give visibility into the extent to which a protocol has been optimized or compressed. Compression reports are available in the WAN Optimization GUI which displays a break-up of all unique protocols and how reports have been optimized over a period. In the Citrix SD-WAN Premium Edition appliance GUI, for WAN Optimization, the following widgets have been added under the WAN Optimization Dashboard. Consolidated compression ratio – all traffic passing through WANOP appliance and total number of accelerated and unaccelerated connections. This allows you to monitor total traffic transmitted from LAN to WAN.

  • Compression Ratio - top 10 Service Classes.
  • Aggregated Link Throughput – LAN and WAN.

See, compression reports.


High availability and VRRP

You can reduce network downtime and traffic disruption by using both the High Availability and VRRP features on your SD-WAN network. Deploy a pair of Citrix SD-WAN appliance in Active/Standby roles along with a standby router to form the VRRP group. The VRRP group appears as a single default gateway with one virtual IP address and one virtual MAC address. When the high availability failover time is greater than VRRP failover time, the VRRP failover occurs and the router becomes the Master. The router remains as the Master until the high availability failover happens and the secondary SD-WAN appliance becomes the Master based on other VRRP attributes such as, higher priority, pre-emption and so on. For more information about high availability deployment modes, see Configure Virtual Router Redundancy Protocol and High Availability. See, High availability and VRRP.

Asymmetric routing

In Citrix SD-WAN WANOP network, when complete asymmetry occurs, the TCP connection is reset. To avoid TCP connection break and to continue sending unaccelerated traffic, an asymmetric connection list is introduced. This feature is disabled by default. You can enable this feature on both the client-side and server-side SD-WAN WANOP appliances. See, Asymmetric routing

Citrix SD-WAN Center

The Citrix SD-WAN Center Dashboard displays a subset of the common statistics at a glance.

The new menu structure has enhanced the dashboard layout, enabling easy navigation and avoiding clutter.

For a single-region deployment, the statistics are obtained from the MCN that is discovered in Citrix SD-WAN Center. For a multi-region deployment, the statistics are obtained from all the regional Citrix SD-WAN Center collectors over the past hour.

You can now view the following statistic widgets for both single-region and multi-region deployment:

  • Network Summary
  • Virtual Path Summary
  • Top Sites
  • Inventory
  • Events and Alarms
  • Top Apps
  • HDX QoE
  • Management Infra

You can also create custom dashboard as per your network analysis requirement. See, Dashboard

Graph enhancements and application statistics

In release 10 version 1, the graph view is enhanced, allowing you to view the bandwidth, virtual path trend lines for the sites. This trend line can be viewed for LAN to WAN, Virtual Paths, WAN Links, Pass through services, and other SD-WAN network traffic services.

In Application report, for every statistic, you can hover the mouse cursor over the graph icon to view a mini-graph, or click to open graph view in another window. See, Statistics

Platforms, scalability, and deployments

Citrix SD-WAN Center on Hyper-V:

The SD-WAN Center can be installed on the following platforms:

  • Hypervisor
    • VMware ESXi server, version 5.5.0 or higher
    • Citrix XenServer 6.5 or higher
    • Microsoft Hyper-V 2012 R2

New SKUs on standard edition platforms

The following new SKUs have been added to the platforms:

  • 210-SE - 100
  • 210-SE LTE -100
  • 410-SE – 300

Citric SD-WAN standard edition - default password in AWS

  • Citrix SD-WAN appliance admin user default password was saved in the mysql conf file.
  • Starting in SD-WAN release 10 version 1, the default password is removed from the mysql conf file.
  • Admin user password is set using AWS instance ID, before configuration of SD-WAN appliance.


Upgrade SD-WAN WANOP software from release version 7.3.1 to 0.3.x or latest and qualify for newer instances in AWS deployments (m4 & c4) is supported. The older instances (m3 and c3) are not available in all regions and newer upcoming regions do not support older m3 and c3 instance.

Citrix SD-WAN WANOP in Azure

Citrix SD-WAN WANOP Edition is now available in the Azure marketplace, enabling WAN optimization between enterprise datacenter/branch and Azure cloud. Since L2 mode support is not available on cloud infrastructures, you cannot deploy Citrix SD-WAN WANOP as a standalone VPX in Azure Cloud. However, you can deploy Citrix SD-WAN WANOP VPX along with SD-WAN VPX in Azure cloud infrastructure. The SD-WAN VPX uses cloud connector to create an IPsec tunnel, while the Citrix SD-WAN WANOP VPX accelerates the connections, providing LAN-like performance for applications.


  • SD-WAN Center APIs
  • Fetch events
  • Inventory and status
  • Virtual path & associated member paths


The video caching functionality is not supported in Citrix SD-WAN release 10 version 1 for the WANOP platform edition.

What’s New