With the increase in enterprise adoption of mission-critical SaaS applications and distributed workforce, it becomes highly critical to reduce latency and congestion that is inherent in traditional methods of backhauling traffic through the Data Center.
Citrix SD-WAN allows direct internet break out of SaaS applications such as Office 365.
However, if there are explicit web proxies configured on the enterprise deployment all traffic, including SaaS application traffic, are steered to the web proxy making it difficult for classification and direct internet breakout.
The solution is to exclude SaaS application traffic from being proxied by customizing the enterprise PAC (Proxy Auto-Config) file.
Citrix SD-WAN 11.0 allows proxy bypass and local Internet breakout for Office 365 application traffic by dynamically generating and serving custom PAC file.
Link aggregation allows you to support port redundancy. In this case, two or more ports can be grouped to work as a single port to send out the traffic at any given time.
LACP mainly supports Active and Backup. That means one port always is in active mode and when the current active port goes down, the other port stays up.
The active and back-up support relaying on the DPDK package for LACP functionality. The LACP feature is available only on DPDK supported platforms except VPX and VPXL.
Disable if Data Cap reached option is introduced in 11.0 release.
- If the Disable if Data Cap reached check box is selected, then the metered link and all its related paths will be disabled until the next billing cycle, if the data usage reaches the data cap.
- By default, the Disable if Data Cap reached check box will be unchecked state, where it retains the current mode or state set for the metered link to be continued after data cap is reached until the next billing cycle.
A new Authentication input field is introduced in the APN settings form. There are 4 possible values for this new field - None, PAP, CHAP, PAPCHAP.
The authentication field has been added for APN settings in the:
- SD-WAN Center UI
- SD-WAN appliance UI
- REST API
Use the Packet Capture option to intercept the data packet that is traversing over the selected active interfaces present in the selected site.
Active interfaces are available for packet capture in the selected site. Select an interface or add interfaces from the drop-down list. At least one interface needs to be selected to trigger a packet capture.
Note: The ability to run packet capture across all the interfaces at once helps to speed up the troubleshooting task.
Citrix SD-WAN allows you to manage the SD-WAN appliance in two ways, out-band management and in-band management. Out-band management allows you to create a management IP using a port reserved for management, which carries management traffic only.
In-band management allows you to use the SD-WAN data ports for management, which carries both data and management traffic, without having to configure an addition management path.
From 11.0 release onwards, the Random Early Detection (RED) is set to ON by default for ICA traffic.
The Cloud Direct service delivers SD-WAN functionalities as a cloud service through reliable and secure delivery for all internet-bound traffic regardless of the host environment (data center, cloud, and internet).
The Cloud Direct service improves network visibility and management. It enables partners to offer managed SD-WAN services for business critical SaaS applications to their end customers.
Palo Alto networks deliver cloud-based security infrastructure for protecting remote networks. It provides security by allowing organizations to set up regional, cloud-based firewalls that protect the SD-WAN fabric.
Prisma Access service for remote networks allows you to onboard remote network locations and deliver security for users.
To connect your remote network locations to the Prisma Access service, use the Palo Alto Networks next-generation firewall. You can also use a third-party, IPSec-compliant device including SD-WAN, which can establish an IPsec tunnel to the service.
Citrix SD-WAN appliances can connect to the Palo Alto cloud service (Prisma Access Service) network through IPsec tunnels. The appliance can connect from SD-WAN appliances locations with minimal configuration.
In HDX reporting page, you can view the following report types:
- HDX Site Stats
- HDX Summary (applicable for both HDX information channel available and unavailable sessions)
- HDX User Sessions (applicable for only HDX information channel available sessions only)
- HDX Apps (applicable for only HDX information channel available sessions only)
Enable HDX User Reporting option is newly added in the SD-WAN configuration editor. Enabling this option generates newly added user-based reports (HDX Summary, HDX User Sessions, and HDX Apps) and these reports are available in SD-WAN Center. This is not applicable for the HDX Site Stats report.
Enable HDX User Reporting option is available at global level and site level similar to enable DPI option.
You can use OSPF tags to prevent routing loops during mutual redistribution between OSPF and other protocols.
Specifying different tags for SD-WAN and BGP learned routes allows these routes to be installed in the OSPF routing table.
When Citrix SD-WAN learns a route prefix through virtual paths, OSPF protocol, or BGP protocol, the following default preference order is introduced at the same time:
- OSPF -150
- BGP – 100
- SD-WAN – 250
Other details such as Site Path, Optimal Route, Summarized or Summary route are included in the Route Statistics report.
BGP protocol uses the AS path length attribute to determine the best route. The AS path length indicates the number of autonomous systems traversed in a route. Citrix SD-WAN uses the BGP AS path length attribute to filter and import routes.
Citrix SD-WAN Center
Previously, a pre-defined appliance certificate was used which was already installed in the SD-WAN Center.
With Citrix SD-WAN 11.0 release, you can regenerate the appliance certificate on the MCN which replaces the pre-defined certificate and then install on SD-WAN Center.
Security Admin role is added to SD-WAN Center. A security administrator has the read-write access only for the Firewall and security-related settings in the Config Editor, while having read-only access to the other sections.
You can deploy Citrix SD-WAN on Azure from Citrix SD-WAN Center.
Citrix SD-WAN for Azure enables organizations to have a direct secure connection from each branch to the applications hosted in Azure eliminating the need to backhaul cloud bound traffic through a data center.
Platforms, scalability, and deployments
6K node scale for network
Citrix SD-WAN 11.0 supports a network of up to 6000 sites with a maximum of 128 regions in a tiered network architecture.
Deploying Citrix SD-WAN SE VPX on Google Cloud Platform (GCP) enables organizations to establish a direct and highly secure connection from each branch to the applications hosted in GCP. This eliminates the need to backhaul cloud bound traffic through the Data Center.
The key benefits of using Citrix SD-WAN on GCP are:
- Create direct connections from every branch site to GCP.
- Make sure an always-on connection to GCP.
- Extend your secure perimeter to the cloud.
- Evolve to a simple and easy to manage a branch network.
The available Small Form-factor Pluggable (SFP) ports on 1100 appliances can be used with fiber optic Y-Cables to enable high availability for Edge Mode deployment.
On the 1100 SE and PE appliance the splitter cable split end connects to fiber ports of two 1100 appliances. The fiber ports are configured in a high availability pair.
The following APIs are introduced:
Monitoring API for Appliance HA status.
Mobile Broadband APIs for sim pin summary and sim pin operations.
Configuration editor APIs for proxy auto configuration file settings and site proxy auto configuration file settings.
SD-WAN Center reports APIs for HDX apps and HDX sessions.
SD-WAN Center reports APIs for HDX summary.