Citrix SD-WAN appliances identify and classify applications using three techniques:
- Deep Packet Inspection (DPI)
- Citrix-proprietary ICA protocol
- Application vendor APIs (e.g. Microsoft REST APIs for Office 365)
The Deep Packet Inspection (DPI) library recognizes thousands of commercial applications. This enables real-time discovery and classification of applications. Using the DPI technology, the SD-WAN appliance analyses the incoming packets and classifies the traffic as belonging to a particular application or application family.
Citrix SD-WAN appliances can also identify and classify Citrix HDX traffic for virtual apps and desktops. Citrix SD-WAN recognizes the following variations of the ICA protocol:
- Single Stream ICA (SSI)
- Multi-Stream ICA (MSI)
- ICA over TCP
- ICA over UDP/EDT
- ICA over non-standard ports (including Multi-Port ICA)
- HDX Adaptive Transport
- ICA over WebSocket (used by HTML5 Receiver)
Classification of ICA traffic delivered over SSL/TLS or DTLS is not supported in SD-WAN Standard Edition but is supported in SD-WAN Premium Edition and SD-WAN WANOP Edition. HDX priority tag based QoS is supported in SD-WAN Premium Edition.
Classification of network traffic is done during initial connections or flow establishment; therefore, pre-existing connections will not be classified as ICA. Classification of connections will also be lost when the connection table is cleared manually.
Framehawk traffic and Audio-over-UDP/RTP are not classified as HDX applications. They are reported as either “UDP” or “Unknown Protocol.”
Since release 10 version 1, the SD-WAN appliance can differentiate each ICA data stream in multi-stream ICA even in a single-port configuration. Each ICA stream is classified as a separate application with its own default QoS class for prioritization.
For Multi-Stream ICA functionality to work properly, you need to have:
- SD-WAN release 10 version 1 or above.
- Approprate versions of Citrix Virtual Apps & Desktops (formerly XenApp and XenDesktop) and the Citrix Workspace app (or its predecessor, Citrix Receiver). See the currently supported release versions at HDX Insights.
Once classified, ICA application can be used in application rules and to view application statistics similar to other classified applications.
There are five default application rules for ICA applications one each for the following priority tags:
- ICA Priority 0 (ICA Real-Time)
- ICA Priority 1 (ICA Interactive)
- ICA Priority 2 (ICA Bulk-Transfer)
- ICA Priority 3 (ICA Background)
For more information, see Rules by Application Name
As priority tag based HDX classification is not available in SD-WAN Standard Edition appliances the four App rules. ICA priority 0–3 are not in effect.
If you are running a combination of software that does not support Multi-Stream ICA over a single port, then to perform QoS you must configure multiple ports, one for each ICA stream. To classify HDX on non-standard ports as configured in XA/XD server policy, you must add those ports in ICA port configurations. Additionally, to match traffic on those ports to valid IP rules, you must update ICA IP rules.
In ICA IP and port list you can specify non-standard ports used in XA/XD policy to process for HDX classification. IP address is used to further restrict the ports to specific destination. Use ‘*’ for port destined to any IP address. IP address with combination of SSL port is also used to indicate that the traffic is likely ICA even though traffic is not finally classified as ICA. This indication is used to send L4 AppFlow records to support multi-hop reports in Citrix Application Delivery Management.
Classifying encrypted traffic
Citrix SD-WAN appliance detects and reports encrypted traffic, as part of application reporting, in the following two methods:
- For HTTPS traffic, the DPI engine inspects the SSL certificate to read the common name, which carries the name of the service (for example - Facebook, Twitter). Depending on the application architecture only one certificate may be used for several service types (for example - email, news, and so on). If different services utilize different certificates, the DPI engine would be able to differentiate between services.
- For applications that utilize their own encryption protocol, the DPI engine looks for binary patterns in the flows, for instance in case of Skype the DPI engine looks for a binary pattern inside the certificate and determines the application.
To configure application classification settings:
In the Configuration Editor, click Global > Applications > Settings.
Select Enable Deep Packet Inspection. This enables application classification on the appliance. You can, view, and monitor application statistics on the SD-WAN Center. For more information, see Application report.
By default, Enable Deep Packet Inspection collects statistics for classified data.
Select Enable Deep Packet Inspection for Citrix ICA Applications. This enables classification of Citrix ICA applications and collects statistics for user, sessions, and flow counts. Without this option enabled, some of the flavor of HDX traffic may still be classified and QoE calculated but statistics on SD-WAN center will not be available. You can, view, and monitor ICA application statistics on the SD-WAN Center. This option is enabled by default. For more information, see HDX Reports.
Select Enable Multi-stream ICA to allow multiple ICA streams in a session. This option is disabled by default and should only be enabled to provide QoS per stream type.
In DPI ICA Port, specify non-standard ports used in XA/XD policy to process for HDX classification. Do not include standard port numbers 2598 or 1494 in this list, as these are already included internally.
In DPI ICA IP, specify the IP address to be used to further restrict the ports to specific destination.
Use ‘*’ for port destined to any IP address.
You can configure application classification settings at each site individually. Click Connections, select a site and click Applications Settings. You can also choose to use the global application settings.
You can search for an application to determine the application family name. A brief description of the application is also provided.
To search for an application:
In the Configuration Editor, click Global > Applications> Search.
In the Search field type, the name of the application and hit enter.
A brief description of the Application and the Application Family name appears.
For information on applications that the SD-WAN appliance can identify using Deep Packet Inspection, see Application Signature Library.
Application objects enable you to group different types of match criteria into a single object that can be used in firewall policies and application steering. IP Protocol, Application, and Application Family are the available match types.
To create an application object:
In the Configuration Editor, click Global > Applications > Application Objects.
Click Add and, in the Name field, enter a name for the object.
Select Enable Reporting to enable viewing custom application reports in Citrix SD-WAN Center. For more information see, Application Report.
In the Priority field, enter the priority of the application object. When the incoming packets match two or more application object definitions, the application object definition with the highest priority is applied.
Click + in the Application Match Criteria section.
Select one of the following match types:
- IP Protocol: Specify the protocol, network IP address, port number, and, DSCP tag.
- Application: Specify the application name, network IP address, port number, and, DSCP tag.
- Application Family: Select an application family and specify the network IP address, port number, and, DSCP tag.
Click + to add more application match criteria.
Using Application Classification with a Firewall
The classification of traffic as applications and application families enables you to use the application, application families, and application objects as match types to filter traffic and apply firewall policy and rules. This applies for all Pre, Post, and local policies. For more information about firewall, see Stateful Firewall and NAT Support.