Citrix SD-WAN

Two box mode

Two box mode is a WCCP one-arm based deployment where the SD-WAN SE appliance acts as a WCCP router and the SDWAN-WANOP (4000/5000) appliances act as WCCP clients and help establish WCCP convergence. This way all the virtual path/Intranet service oriented TCP packets reaching the SD-WAN SE appliance get redirected to the SDWAN-WANOP appliance for optimization benefits by providing both SD-WAN SE and WANOP benefits for the customer traffic.

Two Box mode is supported only on the following appliance models:

  • SD-WAN SE appliances – 4000, 4100, and 5100

  • SD-WAN WANOP appliances – 4000, 4100, 5000, and 5100

    localized image

Note

High Availability and WCCP deployment modes are not accessible when Two Box mode is enabled. However, these deployment modes are available for the user to administer.

Important

  • Although the legacy WCCP deployment is disabled when Two Box Mode is enabled, the Service Group convergence can only be verified from the WCCP monitoring page. There is no separate GUI page under the monitoring section for the Two Box Mode.
  • If WCCP process running on the Standard Edition appliance reboots multiple times within a short interval of time, for example, 3 times in a minute then Service Group shuts down automatically. In such scenario, to get the WCCP convergence on the WANOP appliance, re-enable the WCCP feature in the WANOP appliance web GUI.
  • When there is a change in the WCCP configuration or WAN optimization related to configuration on the Standard Edition appliance, the external WANOP appliance reboots. For example, enabling/disabling the WCCP checkbox in the Interface Group of config editor followed by Change Management process, restarts the WANOP appliance as well.

Note

Also, note the following points to consider when implementing the two box mode:

  • When a routing domain is selected to be redirected to the WANOP appliance from the Configuration Editor, it should be added in the Interface Group for which WCCP is enabled.
  • The same routing domain’s traffic should be selected on the partner site as well. For example, MCN > Branch01 to observe WAN optimization benefits.
  • If a routing domain is selected in the interface group on which WCCP is enabled, another interface group which contains the bridged interfaces should have the same routing domain configured. Only if WCCP enabled interface group has the routing domain configured it is not enough to transmit the end-to-end traffic flowing with WAN optimization benefits.

Citrix SD-WAN standard edition

To configure two-box mode solution in the Standard Edition appliance at the DC or Branch site:

  1. In the SD-WAN SE web management interface, go to Configuration > Virtual WAN > Configuration Editor. Open an existing configuration package or create a package.

  2. In the chosen configuration package, go to the Advanced tab to view the configuration details.

  3. Open Global settings and expand Routing Domains to view that the Redirect to WANOP checkbox is enabled.

    localized image

  4. Expand DC to enable WCCP for the Virtual Interface under Interface Group settings that signify which virtual network interface the appliance is enabled for.

    localized image

  5. Expand Sites+ Add to view the Branch routing domain and interface group settings. Under the Branch site, the Redirect to WANOP checkbox is enabled for Routing Domains.

    localized image

    Note

    The WCCP listener should be enabled only for those virtual network interfaces which have only ONE Ethernet Interface configured. Do not enable the WCCP Listener on a BRIDGED Pair. It is intended to be enabled on the ONE-ARM interface between the SD-WAN SE and SD-WAN WANOP appliances.

Citrix SD-WAN WANOP configuration

To configure two-box deployment mode in the SD-WAN WANOP appliance web GUI:

  1. In the SD-WAN WANOP web management interface, go to Configuration > Appliance Settings > Advanced Deployments > Two Box Solution.

    localized image

  2. Click the Edit icon to edit the two box mode settings. Information dialog about Cache IPs is displayed. Click OK.

    localized image

  3. Enable the Two Box Enabled checkbox.

  4. Enter the Peer IP. Peer IP is the SD-WAN Standard Edition appliance IP address.

  5. Enter the user credentials and click Apply.

    localized image

Two box mode configuration and manageability

Following are some of the two box mode configuration and manageability points to consider for deployment:

  • SD-WAN WANOP configurations mentioned below can be configured from SD-WAN SE configuration editor as a unified pane

    • SERVICE CLASS

    • APPLICATION CLASSIFIER

    • FEATURES

    • SYSTEM TUNING

Monitoring

You can monitor SD-WAN WANOP traffic directly using the Monitoring page of the SD-WAN SE appliance’s web UI. This allows for a single pane monitoring of both the SDWAN-SE and SDWAN-WO appliances while processing data traffic. You can view the connection details, secure partner details, and so on, under the WAN Optimization node in the SDWAN-SE UI.

localized image

Configuration

You can configure APPFLOW directly from the SDWAN-SE Configuration page under APPFLOW node. This enables SDWAN-SE to act as a single pane for configuration of APPFLOW and other data processing configuration attributes such as Service Class, Application Classifiers. The configuration done on the SDWAN-SE reflects on the SDWAN-WO configuration, maintaining seamless APPFLOW functionality support.

localized image

SD-WAN WANOP already discovered by Citrix Application Delivery Management (ADM), if used in Two Box Mode, should be isolated and not configured using Citrix ADM until this mode is turned off. This is because the configuration of WANOP for traffic processing is managed by the SD-WAN SE appliance in the Two Box Mode.

Advanced Optimizations or Secure Acceleration should be directly configured on the SDWAN-SE appliance like we would configure on the SDWAN-WO appliance. This helps maintain a single pane of configuration of configurations like Domain Join or Secure Acceleration/SSL Profile creation for Advanced optimizations or SSL Proxy.

localized image

  • Licensing should be separately managed for each of SD-WAN SE and SD-WAN WANOP appliances.

  • Software Upgrade should be separately managed for each of SD-WAN SE and SD-WAN WANOP appliances with the respective software packages. For example, tar.gz for SD-WAN SE and upgrade upg for SD-WAN WANOP.

  • Data path integration should be configured between SD-WAN SE and External WANOP appliances through the WCCP deployment mode.

    • At data path level both WCCP and Virtual WAN features are offered through data path integration between WANOP and SE externally in one-arm mode to obtain optimization benefits.

Unified Configuration and Monitoring

When you enable the two box mode with SD-WAN SE and SDWAN-WANOP appliances, you can view the configuration in the SD-WAN SE appliance similar to how you can view two box configuration with the SD-WAN-EE appliance.

  1. Go to Configuration > Virtual WAN > WAN Optimization

  2. Appflow node under Configuration > Appliance Settings

  3. WAN Optimization node under Configuration.

    This information is redirected from the SD-WAN WANOP appliance which is in Two box mode with the SD-WAN SE appliance.

    Configuration related to WANOP, such as SSL Acceleration and AppFlow can now be performed from SD-WAN SE web GUI.

    Traffic related statistics, such as Connections, Compression, CIFS/SMB, ICA Advanced, MAPI, and partners can now be monitored from SD-WAN SE web GUI under Monitoring > WAN Optimization similar to the SD-WAN Premium (Enterprise) edition appliance.

    localized image

    localized image

Management IP Address Change for SD-WAN WANOP Appliance in Two Box Mode

To change the management IP address of SDWAN-WANOP appliance in Two box mode:

  1. Execute command clear_wo_sync on the SD-WAN SE appliance. It ensures that the SD-WAN WANOP IP address information is cleared for GUI redirection.

  2. Disable and enable Two box mode config on the SD-WAN WANOP appliance. The new IP address (changed IP) of SD-WAN WANOP appliance is sent to SD-WAN SE. The new changed IP address is displayed in the URL redirection pages.

The management IP address is used for peer IP address configuration.

Disable two box mode on SD-WAN WANOP appliance

To disable or decouple the SD-WAN WANOP and SD-WAN SE appliances from the Two Box mode:

  1. Disable the Two Box mode from SD-WAN WANOP appliance.

  2. It is expected to see the SD-WAN WANOP appliance two box mode pages in the SD-WAN SE web GUI. To clear these pages, execute the command: clear_wo_sync.