Citrix SD-WAN

Citrix SD-WAN Orchestrator on-premises configuration on Citrix SD-WAN appliance

Citrix SD-WAN Orchestrator on-premises is the on-premises software version of the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator on-premises provides a single-pane of glass management platform for Citrix partners to manage multiple customers centrally, with suitable role based access controls.

You can establish a connection between your Citrix SD-WAN appliance and Citrix SD-WAN Orchestrator on-premises by enabling Orchestrator connectivity and specifying the Citrix SD-WAN Orchestrator on-premises identity.

Note

  • Zero-Touch Deployment does not work on SD-WAN appliances on which the On-prem SD-WAN Orchestrator configuration feature is configured.
  • The Citrix SD-WAN Orchestrator on-premises configuration on the SD-WAN appliance is lost if it was configured in Citrix SD-WAN release 11.2 and the appliance is then downgraded to release 10.2.7. Downgrading from release 11.2 to release 10.2.7 is not supported. The workaround is to reconfigure the Citrix SD-WAN Orchestrator on-premises identity after the downgrade.

To enable Citrix SD-WAN Orchestrator on-premises connectivity:

  1. In the appliance UI, navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator.

  2. Select the Enable On-prem SD-WAN Orchestrator Connectivity check box.

    Note

    From the Citrix SD-WAN 11.2.1 release onwards, the SD-WAN Appliance and On-prem SD-WAN Orchestrator Certificates, On-prem SD-WAN Orchestrator Domain, Authentication Type, and Advanced Configuration options are available.

    [Figure: Citrix SD-WAN Orchestrator on-premises advanced config]

  3. Enter the Citrix SD-WAN Orchestrator on-premises IP address, Domain, or both (IP address and domain).

    If you configure only the Domain, you must add the DNS records in your local DNS server and configure the DNS server IP address on the SD-WAN appliances. To configure the DNS server, navigate to Configuration > Network Adapters > IP Address.

    For example, if the Citrix SD-WAN Orchestrator on-premises Domain is configured as citrix.com, you must create DNS records in the DNS server that map the following FQDNs to the Citrix SD-WAN Orchestrator on-premises IP address:

    • download.citrix.com
    • sdwanzt.citrix.com
    • sdwan-home.citrix.com

    In advanced configuration, for example, if the Citrix SD-WAN Orchestrator on-premises domain is configured as citrix.com, the Download Management Service Domain as download.citrix.com, and the Statistics Management Service Domain as statistics.citrix.com, you must create DNS records in the DNS server for the following FQDNs and their corresponding IP addresses:

    • download.citrix.com
    • sdwanzt.citrix.com
    • statistics.citrix.com

    [Figure: Citrix SD-WAN Orchestrator on-premises advanced config details]

    Citrix SD-WAN Orchestrator on-premises can run services such as download and statistics on independent server instances, to scale better for large networks. Select Advanced Configuration to configure the Download Management Service and the Statistic Management Service.

    Select the Advanced Configuration check box and provide the following details:

    • Download Management Service IP/Domain: Provide the IP address or domain of an independent server instance that handles SD-WAN software and configuration downloads, to enable better scalability for large networks.

    • Statistic Management Service IP/Domain: Provide the IP address or domain of an independent server instance that collects and manages SD-WAN statistics from the devices, to enable better scalability for large networks.

  4. Select the Authentication Type. The following authentication types are supported between the SD-WAN appliance and Citrix SD-WAN Orchestrator on-premises:

    • No Authentication – No authentication between the Citrix SD-WAN Orchestrator on-premises and the SD-WAN appliance, so the SD-WAN Appliance and On-prem SD-WAN Orchestrator certificates are not needed. You can use this option if you have a secure network such as MPLS.

    • One-way Authentication – On selecting One-way Authentication, you must upload the Citrix SD-WAN Orchestrator on-premises certificate. Download the certificate from Citrix SD-WAN Orchestrator on-premises and click Upload. The SD-WAN appliance trusts the Citrix SD-WAN Orchestrator on-premises using the uploaded certificate.

    • Two-way Authentication – The Citrix SD-WAN Orchestrator on-premises and appliance certificates have to be exchanged with each other. For Two-way Authentication, you must regenerate, download, and upload the SD-WAN appliance certificate on the Citrix SD-WAN Orchestrator on-premises. The SD-WAN appliance and Citrix SD-WAN Orchestrator on-premises trust each other using the exchanged certificates.

    Note

    It is recommended to use only One-way Authentication or Two-way Authentication. In the case of No Authentication, ensure that the DNS is secure from DNS attacks.

    If the Authentication Type is disabled on the Citrix SD-WAN Orchestrator on-premises, the appliance can connect to Citrix SD-WAN Orchestrator on-premises in No Authentication, One-way Authentication, or Two-way Authentication mode.

    If the Authentication Type is enabled on the Citrix SD-WAN Orchestrator on-premises, the appliance can only connect to Citrix SD-WAN Orchestrator on-premises in Two-way Authentication mode.

    When the Authentication Type on the Citrix SD-WAN Orchestrator on-premises is changed from enabled to disabled, existing appliances in One-way Authentication mode go to the disconnected state. Customers have to change the appliance Authentication Type to Two-way Authentication and upload the SD-WAN Appliance certificate to the Citrix SD-WAN Orchestrator on-premises to get them connected again.

    Note

    • Generated certificates are X509 self-signed certificates.
    • Customers must regenerate the certificates if a certificate expires or is compromised.
    • The validity of the certificate is 10 years.
    • You can view the certificate details such as the fingerprint, start date, and end date.
    • Customers must ensure that the certificates are regenerated and exchanged between Citrix SD-WAN Orchestrator on-premises and the SD-WAN appliance to avoid loss of appliance connectivity with Citrix SD-WAN Orchestrator on-premises.

    [Figure: Citrix SD-WAN Orchestrator on-premises authentication type]

  5. Click Apply Settings.
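The DNS and certificate prerequisites in steps 3 and 4 are easy to get wrong, so here is an added preflight script (my own example, not Citrix code or a Citrix API) that derives the FQDNs the appliance needs from the configured domains, checks what the local DNS actually returns for them, and computes the fingerprint of a downloaded certificate for comparison with the value shown in the appliance UI. It assumes that a configured Download or Statistics Management Service domain takes the place of the download / sdwan-home name (my reading of the two examples above) and that the UI shows a SHA-256 fingerprint.

```python
"""Preflight checks for On-prem SD-WAN Orchestrator identity settings (added example)."""
import base64
import hashlib
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# Service names the appliance looks up under the Orchestrator domain (from the page).
DEFAULT_PREFIXES = ("download", "sdwanzt", "sdwan-home")


def required_dns_records(domain: str, orchestrator_ip: str,
                         download_domain: Optional[str] = None, download_ip: Optional[str] = None,
                         statistics_domain: Optional[str] = None, statistics_ip: Optional[str] = None
                         ) -> Dict[str, str]:
    """Map each FQDN the appliance will resolve to the address it must answer with.
    Assumption: a Download / Statistics Management Service domain replaces the
    download / sdwan-home name respectively; its IP defaults to the Orchestrator IP."""
    records = {f"{p}.{domain}": orchestrator_ip for p in DEFAULT_PREFIXES}
    if download_domain:
        del records[f"download.{domain}"]
        records[download_domain] = download_ip or orchestrator_ip
    if statistics_domain:
        del records[f"sdwan-home.{domain}"]
        records[statistics_domain] = statistics_ip or orchestrator_ip
    return records


def check_dns(records: Dict[str, str],
              resolve: Callable[[str], str] = socket.gethostbyname
              ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Resolve every FQDN and flag missing or wrong answers. A 'mismatch' matters most
    in No Authentication mode, where the appliance trusts whatever the DNS returns."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for fqdn, expected in records.items():
        try:
            observed = resolve(fqdn)
        except OSError:
            results[fqdn] = ("unresolved", None)
            continue
        results[fqdn] = ("ok" if observed == expected else "mismatch", observed)
    return results


def pem_sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER body of a PEM certificate, to compare
    with the fingerprint shown in the appliance UI before uploading (hash is an assumption)."""
    block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not block:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(block.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```

Run `check_dns(required_dns_records("citrix.com", "10.0.0.5", statistics_domain="statistics.citrix.com", statistics_ip="10.0.0.6"))` from an appliance-side host to see, per FQDN, whether the local DNS is ready before enabling connectivity.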

To disable the Citrix SD-WAN Orchestrator on-premises connectivity, clear the Enable On-prem SD-WAN Orchestrator Connectivity option and click Apply Settings. To convert a Citrix SD-WAN Orchestrator on-premises managed network to either a Cloud Orchestrator or an MCN managed network, you must disable Citrix SD-WAN Orchestrator on-premises connectivity and then perform a configuration reset. To reset the configuration, navigate to Configuration > System Maintenance > Configuration Reset.

Upgrade and Downgrade

  • After upgrading the SD-WAN appliance from 11.1.1/11.2.0/10.2.7 to 11.2.1 software version, you must exchange both the appliance and the Citrix SD-WAN Orchestrator on-premises certificates.

  • After downgrading the SD-WAN appliance from 11.2.1 to the 11.1.1/11.2.0/10.2.7 software version, you must apply the identity settings again in the Citrix SD-WAN appliance UI. If there are any issues with the Citrix SD-WAN Orchestrator on-premises configuration or SD-WAN appliance connectivity, disable the Citrix SD-WAN Orchestrator on-premises connectivity and then enable it again.

The On-prem SD-WAN Orchestrator Authentication Type must be disabled to manage the SD-WAN appliances running 10.2.7/11.1.1/11.2.0 software version.
