New user interface for SD-WAN appliances
A new User Interface (UI) is introduced for SD-WAN appliances. The new UI is built using the latest UI technologies. The new design improves security, has an improved look and feel, and is more performant and responsive. The new UI retains the flow and page layout of each feature from the legacy UI.
From Citrix SD-WAN 11.4 release onwards, the New UI is enabled, by default, on all the Citrix SD-WAN appliances that are configured as clients.
- Provisioning the Citrix SD-WAN appliances as an MCN redirects you to the legacy UI.
- All local users with an Admin role and remote admin users can access the new user interface. Remote user accounts are authenticated through RADIUS or TACACS+ authentication servers. It is mandatory to change the default admin user account password while provisioning the SD-WAN appliance. The default password is the serial number of the SD-WAN appliance, and you must change it the first time you log on to the device.
The legacy UI is maintained for backward compatibility and is deprecated. The legacy UI can be accessed using the URL https://<ip-address>/cgi-bin/login.cgi. The user name and password for the admin user remain the same across both (new/legacy) user interfaces, and the first-time login procedure can be done using either interface. Additional users will be supported in future versions of the new UI.
Citrix SD-WAN new user interface
The new UI can be accessed using Google Chrome (version 81), Mozilla Firefox, Microsoft Edge (version 81+), and Legacy Microsoft Edge (version 44+) browsers.
Microsoft Internet Explorer, Apple Safari, and other browsers are not supported.
To access the new UI page, perform the following:
Open a new browser tab and navigate to https://<management-ip> to access the new UI on the SD-WAN appliance. If you are accessing an IPv6 address, enter
In the scenario where the In-band management is enabled, the interface IP address can be provided in <management-ip> to access the new UI. The In-band management can be enabled on multiple trusted interfaces that are enabled to be used for IP services. You can access the UI using the management IP and in-band virtual IPs.
- Provide the user name and password. Click Sign In.
The Citrix SD-WAN user interface page appears.
Once you have successfully logged in, you can see the navigation panel is on the left side. Also, you can see a notifications banner on the dashboard if there are any warnings or errors.
The left navigation sidebar can be hidden or made visible on click of the hamburger icon. The hamburger icon on the top left corner provides links to the dashboard, basic/advanced settings, monitoring, and management related options.
The user menu on the top right corner displays the logged-on user details. You can open the legacy user interface in a new browser tab by clicking the Open Legacy SD-WAN UI option. Click the bell icon for any notifications.
The Dashboard page displays the following basic information of the SD-WAN appliance as a tile view:
- Site – Displays the site information with Management IP Address and Site Name
- Model – Displays the Model/Sub Model Name and Serial Number
- Version – Displays Software and Hardware version
- Uptime - Displays Appliance Uptime, Citrix Virtual WAN Service Status and Orchestrator Connectivity Status.
- High Availability - Displays the local and peer appliance HA status and the last HA update received time.
- Metered Links – Displays the usage and billing details for links on which metering is enabled.
The SD-WAN appliance Basic Settings include the following entities configuration. The new UI provides a separate page for configuring each entity individually.
- Management and DNS
- Interface Settings
- LACP LAG Group
- Date and Time
- RADIUS Server
- TACACS+ Server
Management and DNS
From the Management and DNS page, you can configure the management interface IP address and DNS settings. For more information, see Configure Management IP Address.
The management interface allow list is an approved list of IP addresses or IP domains that have permission to access your management interface. An empty list allows the management interface to be accessed from all networks. You can add IP addresses to ensure that the management IP address is accessible only by the trusted networks.
To add or remove an IPv4 address to the allowed list, you must access the SD-WAN appliance management interface using an IPv4 address only. Similarly, to add or remove an IPv6 address to the allowed list, you must access the SD-WAN appliance management interface using an IPv6 address only.
Enter the IP address, Subnet mask, and Gateway IP address for the appliance that you want to configure. Under the DNS Settings section, provide the primary and secondary DNS server detail and click Save.
The Interface Settings page displays the Ethernet port configuration data. The ports that are down are indicated as a red dot against the MAC address.
LACP LAG group
The Link Aggregation Groups (LAG) functionality allows you to group two or more ports on your SD-WAN appliance to work together as a single port. This ensures increased availability, link redundancy, and enhanced performance.
Earlier, only the Active-Backup mode was supported in LAG. From 11.3 release onwards, the 802.3AD Link Aggregation Control Protocol (LACP) protocol based negotiations are supported. The LACP is a standard protocol and provides more functionality for LAGs.
In Active-Backup mode, at any time only one port is active and the other ports are in backup mode. The active and backup supports rely on the Data Plane Development Kit (DPDK) package for LAG functionality.
With the LACP, you can send the traffic through all the ports simultaneously. As a benefit, you get more bandwidth along with the link redundancy mechanism. The LACP implementation supports the Active-Active mode. Along with the Active-Backup mode, you can now also select full LACP Active-Active mode from the SD-WAN UI.
The LAG functionality is available only on the following DPDK supported platforms:
- Citrix SD-WAN 110 SE
- Citrix SD-WAN 210 SE
- Citrix SD-WAN 410 SE
- Citrix SD-WAN 1100 SE/PE
- Citrix SD-WAN 4000, 4100, and 5100 SE
- Citrix SD-WAN 6100 SE
The LAG functionality is not supported on VPX/VPXL platforms.
You can create a maximum of 4 LAGs with a maximum of 4 ports grouped in each LAG on the Citrix SD-WAN appliances.
For the Citrix SD-WAN 210 and 410 appliances, a maximum of 3 LAGs and for the Citrix SD-WAN 110 appliance, a maximum of 2 LAGs can be created.
To view LAG details navigate to Basic Settings > LACP LAG Group.
You can view LACP LAG details such as the current state, system, and port priority details of active and partner ports.
Date and Time
From the Date and Time settings page, you must set the date and time on the appliance. For more information, see Set date and time.
You can configure an SD-WAN appliance to authenticate user access with one or more RADIUS servers.
To configure the RADIUS server:
Select the Enable RADIUS check box.
Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.
To configure an IPv6 address, ensure that the RADIUS server is also configured with an IPv6 address.
Enter the Server Key and confirm.
Enter the Timeout value in seconds.
You can also test the RADIUS server connection. Enter the User Name and Password. Click Verify.
You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49.
To configure the TACACS+ server:
Select the Enable TACACS+ check box.
Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.
To configure an IPv6 address, ensure that the TACACS+ server is also configured with an IPv6 address.
Select PAP or ASCII as the Authentication Type.
PAP: Uses Password Authentication Protocol (PAP) to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.
ASCII: Uses ASCII character set to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.
Enter the Server Key and confirm.
Enter the Timeout value in seconds.
You can also test the TACACS+ server connection. Enter the User Name and Password. Click Verify.
The SD-WAN appliance Advanced Settings include the following entities configuration.
- Citrix Virtual WAN Service
- High Availability
- Mobile Broadband
- Fallback Configuration
- HTTPS Certificate
- On-prem Orchestrator
Citrix Virtual WAN service
The Citrix Virtual WAN Service page allows you to enable/disable the Citrix Virtual WAN Service. For more information, see Configure Virtual WAN Service.
From the High Availability page, you can toggle between active and standby state for an SD-WAN high availability (HA) setup. The high availability status is available in the dashboard (if high availability is configured). For more information, see High Availability Mode.
The Citrix SD-WAN appliances such as the Citrix SD-WAN 210 SE LTE and 110 LTE Wi-Fi appliances have a built-in internal LTE modem. You can also connect an external 3G/4G USB modem on the following Citrix SD-WAN appliances.
- Citrix SD-WAN 210 SE
- Citrix SD-WAN 210 SE LTE
- Citrix SD-WAN 110 SE
- Citrix SD-WAN 110 LTE Wi-Fi SE
CDC Ethernet, MBIM, and NCM are the three types of external USB modems supported.
For more information on configuring LTE using the legacy GUI, see the following topic:
- Configure LTE functionality on 210 SE LTE appliance
- Configure LTE functionality on 110-LTE-WiFi appliance
- Configure external USB LTE modem
For an internal LTE modem, insert the SIM card into the SIM card slot of the Citrix SD-WAN appliance. Fix the antennas to the Citrix SD-WAN appliance. For more information, see Installing the LTE antennas and power on the appliance.
Citrix SD-WAN 110-LTE-WiFi appliance has two standard (2FF) SIM slots. To use Micro (3FF) and Nano (4FF) size SIMs, use a SIM adapter. Snap the smaller SIM into the adapter. You can obtain the adapter from Citrix as a Field Replaceable Unit (FRU) or from the SIM provider. Hot-swapping of SIM for the internal LTE modem is supported only on the Citrix SD-WAN 110-LTE-WiFi appliance.
Prerequisites for external LTE modem:
- Use the supported USB LTE dongles. The supported dongle hardware models are Huawei E3372h, Verizon USB730L, and AT&T USB800.
- Ensure that a SIM card is inserted into the USB LTE dongle. The CDC Ethernet LTE dongles are pre-configured with a static IP address. If the SIM card is not inserted, this interferes with the configuration and causes connection failure or an intermittent connection.
- Before inserting a CDC Ethernet LTE dongle into the SD-WAN appliance, connect the external USB stick to a Windows/Linux machine and ensure that the internet is working properly with proper APN and Mobile Data Roaming configuration. Ensure that the Connection mode of the USB dongle is changed from the default value Manual to Auto.
- The Citrix SD-WAN appliances support only one USB LTE dongle at a time. If more than one USB dongle is plugged in, unplug all the dongles and plug in only one dongle.
- The Citrix SD-WAN appliances do not support user name and password for USB modems. Ensure that the user name and password feature are disabled on the modem during setup.
- Unplugging or rebooting an external MBIM dongle impacts the internal LTE modem data session. This is an expected behavior.
- When an external LTE modem is plugged-in, the SD-WAN appliance takes about 3 minutes to recognize it.
To view the mobile broadband status, select the modem type.
The following are some useful status information:
- Modem Type: Select the modem type as External or Internal. Internal modem shows the status under Mobile Broadband > Status page. All the other sections such as SIM preference, APN settings, Enable/Disable the modem, Reboot modem, and Refresh SIM are available under Mobile Broadband > Operations page.
- Active SIM: At any given time, only one SIM can be active. Displays the SIM that is currently active.
- Operating Mode: Displays the modem state.
- SIM Capabilities: Displays whether the SIM is supported or not.
- Model: Displays the mobile broadband module name.
If you select the External modem, it shows the status of the external modem. But if the external modem is not configured, it shows a warning message as Selected Modem is not configured on this device.
Device details for CDC Ethernet external modem.
Device details for MBIM and NCM external modems. The Modem Mode field displays the external dongle type.
SIM details are displayed for MBIM and NCM external modems only.
Mobile broadband operations
Operations that are supported on internal and external modems:
| Operations | Internal modem | External modem - CDC Ethernet | External modem - MBIM and NCM |
|---|---|---|---|
| SIM preference | Yes - For appliances that support dual SIM | No | No |
You can insert dual SIMs on a Citrix SD-WAN 110-LTE-WiFi appliance. At any given time, only one SIM is active. Select the SIM preference:
- SIM One preferred: If two SIMs are inserted, on boot-up the LTE modem uses SIM One, if available. When the LTE modem is up and running it uses whichever SIM (SIM One or SIM Two) is usable at that moment and will continue to use it until the SIM is active.
- SIM Two preferred: If two SIMs are inserted, on boot-up the LTE modem uses SIM Two, if available. When the LTE modem is up and running it uses whichever SIM (SIM One or SIM Two) is usable at that moment and will continue to use it until the SIM is active.
- SIM One: Only SIM One is used, irrespective of the SIM state on both the SIM slots. SIM One is always active.
- SIM Two: Only SIM Two is used, irrespective of the SIM state on both the SIM slots. SIM Two is always active.
The SIM Preference option is not available for the Citrix SD-WAN 210-SE LTE Wi-Fi appliance as it has only one SIM card slot.
If you have inserted a SIM card that is locked with a PIN, the SIM status is in Enabled and Not Verified state. You cannot use the SIM card until it is verified using the SIM PIN. You can obtain the SIM PIN from the carrier.
To perform SIM PIN operations, navigate to Advanced Settings > Mobile Broadband > Operations > SIM PIN status.
You can perform the following operations:
Verify SIM PIN: Click Verify. Enter the SIM PIN provided by the carrier and click Verify. The status changes to Enabled and Verified.
Enable SIM PIN: You can enable SIM PIN for a SIM that has SIM PIN disabled. Click Enable. Enter the SIM PIN provided by the carrier and click Enable. If the SIM PIN state changes to Enabled and Not Verified, it means that the PIN is not verified and you cannot perform any LTE related operations until the PIN is verified. Click Verify. Enter the SIM PIN provided by the carrier and click Verify.
Disable SIM PIN: You can choose to disable SIM PIN functionality for a SIM for which SIM PIN is enabled and verified. Click Disable. Enter the SIM PIN and click Disable.
Modify SIM PIN: Once the PIN is in Enabled and Verified state you can choose to change the PIN. Click Modify. Enter the SIM PIN provided by the carrier. Enter the new SIM PIN and confirm it. Click Modify.
Unblock SIM - If you forget the SIM PIN, you can reset the SIM PIN using the SIM PUK obtained from the carrier. To unblock a SIM, click Unblock. Enter the SIM PIN and SIM PUK obtained from the carrier and click Unblock.
The SIM card gets permanently blocked after 10 unsuccessful PUK attempts while unblocking the SIM. Contact the carrier service provider for a new SIM card.
To configure the APN settings, navigate to Advanced Settings > Mobile Broadband > Operations > and go to the APN settings section.
Obtain the APN information from the carrier.
Select the SIM card, enter the APN, Username, Password, and Authentication provided by the carrier. You can choose from PAP, CHAP, PAPCHAP authentication protocols. If the carrier has not provided any authentication type, set it to None.
All these fields are optional.
You can select the mobile network on Citrix SD-WAN appliances that support the internal LTE modem. The supported networks are 3G, 4G, or both.
The roaming option is enabled by default on your LTE appliances. You can choose to disable it.
Every LTE enabled appliance has a set of firmware available. You can select from the existing list of firmware or upload a firmware and apply it. If you are unsure of which firmware to use, select the AUTO-SIM option. The AUTO-SIM option allows the LTE modem to choose the most matching firmware based on the inserted SIM card.
Enable/disable modem depending on your intent to use the LTE functionality. By default, the LTE modem is enabled.
Reboots the modem. It can take up to 7 minutes for the reboot operation to complete.
Use the Refresh SIM option when the SIM card is not detected properly by the LTE-WiFi modem.
The Refresh SIM operation is applicable for the active SIM only.
You can remotely view and manage all the LTE sites in your network using the Citrix SD-WAN Center. For more information, see Remote LTE site management.
For more information on LTE configuration, see Configure LTE functionality on 110-LTE-WiFi appliance and Configure LTE functionality on 210 SE LTE appliance.
For information on configuring external LTE modem, see Configure external USB LTE modem.
The Licensing page displays the license details such as server location, model, license type, and so on.
When installing and applying a license from the SD-WAN Center, make sure that your specific appliance supports the SD-WAN appliance edition you want to enable, and that you have the correct software version available.
The Default/Fallback Configuration page displays the stored fallback configuration data. If the fallback configuration is disabled, you can enable it by switching on the Enable Fallback Configuration switch.
LTE interfaces cannot be configured with a static IP address.
For more information, see Default/Fallback configuration.
HTTPS certificate is required for establishing a secured connection. The HTTPS Certificate page displays the details of the HTTPS certificate that is already installed. For more information, see HTTPS certificates.
Citrix On-prem SD-WAN Orchestrator is the on-premises software version of the Citrix SD-WAN Orchestrator service. Citrix On-prem SD-WAN Orchestrator provides a single-pane of glass management platform for Citrix partners to manage multiple customers centrally, with suitable role based access controls.
You can establish a connection between your Citrix SD-WAN appliance and the Citrix On-prem SD-WAN Orchestrator by enabling Orchestrator connectivity and specifying the On-prem SD-WAN Orchestrator identity.
- The On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is an enabler for Citrix On-prem SD-WAN Orchestrator. The Citrix On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is currently not available, it is targeted for a future release.
- Zero-touch deployment will not work if On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is configured on the SD-WAN appliances.
To enable Orchestrator connectivity:
- In the appliance GUI, navigate to Advanced Settings > On-prem Orchestrator > Identity.
Select Enable On-prem SD-WAN Orchestrator Connectivity check box.
Enter either the On-prem SD-WAN Orchestrator IP address or Domain or both (IP address and domain) for configuration.
If the customer configures only the Domain, they must add a DNS record to their local DNS server and configure the DNS Server IP Address on the SD-WAN appliances. To configure, navigate to Configuration > Network Adapters > IP Address.
For example, if the On-prem SD-WAN Orchestrator Domain is configured as citrix.com, then you must create a DNS record in the DNS server for the below FQDN and On-prem SD-WAN Orchestrator IP address:
In case of advanced configuration:
For example, if the On-prem Orchestrator domain is configured as citrix.com, the Download Management Service Domain is configured as download.citrix.com, and the Statistics Management Service Domain is configured as statistics.citrix.com, then you must create a DNS record in the DNS server for the below FQDN and corresponding IP address:
On-prem Orchestrator might support running services such as download and statistics on an independent server instance, to enable better scalability for large networks. You can select the Advanced Configuration and configure the Download Management Service and Statistic Management Service.
Select the Advanced Configuration check box and provide the following details:
Download Management Service IP/Domain: Provide the IP address /domain that helps offload SD-WAN software and configuration download aspects, to an independent server instance, to enable better scalability for large networks.
Statistic Management Service IP/Domain: Provide the IP address/domain that helps offload collection and management of SD-WAN statistics from devices, to an independent server instance, to enable better scalability for large networks.
To Regenerate, Download, and Upload the SD-WAN appliance or On-prem SD-WAN Orchestrator certificate, navigate to Advanced Settings > On-prem Orchestrator > Certificate.
If the On-prem Orchestrator Authentication Type is disabled, the appliance can connect to the On-prem Orchestrator using No Authentication, One-way Authentication, or Two-way Authentication mode.
If the On-prem Orchestrator Authentication Type is enabled, the appliance can connect to the On-prem Orchestrator only using Two-way Authentication.
While disabling Authentication Type in On-prem Orchestrator from the enabled state, existing appliances in One-way Authentication mode go to the disconnected state. Customers have to change the appliance Authentication Type to Two-way Authentication and upload the SD-WAN appliance certificate to the On-prem Orchestrator to get it connected.
- Generated certificates are X509 self-signed certificates.
- Customer must regenerate the certificates if the certificate is expired or compromised.
- Validity of the certificate is 10 years.
- You can view the certificate details such as fingerprint, start date, and end date.
- Customer must ensure that the certificates are regenerated and exchanged between On-prem Orchestrator and SD-WAN appliance to avoid loss of appliance connectivity with On-prem orchestrator.
Select the Authentication Type. The following authentication types are supported for connectivity between the SD-WAN appliance and the On-prem SD-WAN Orchestrator:
No Authentication – There is no authentication between the On-prem SD-WAN Orchestrator and the SD-WAN appliance, and there is no need to use the SD-WAN appliance or On-prem SD-WAN Orchestrator certificate. You can use this option if you have a secure network such as MPLS.
One-way Authentication – On selecting the One-way Authentication type, you must upload the On-prem Orchestrator certificate. Download the On-prem Orchestrator certificate from the On-prem Orchestrator and click Upload. The SD-WAN appliance trusts the On-prem Orchestrator using the uploaded certificate.
Two-way Authentication – The On-prem Orchestrator and appliance certificates have to be exchanged with each other. For Two-way Authentication, you must regenerate, download, and upload the SD-WAN appliance certificate on the On-prem Orchestrator. The SD-WAN appliance and On-prem Orchestrator trust each other using the exchanged certificates.
It is recommended to use only One-way Authentication or Two-way Authentication. If you use No Authentication, you must choose a secure DNS server.
To disable the On-prem SD-WAN Orchestrator connectivity, clear the Enable On-prem SD-WAN Orchestrator Connectivity check box and click Apply. To convert an On-prem Orchestrator managed network to either a Cloud Orchestrator or MCN managed network, you must disable On-prem SD-WAN Orchestrator Connectivity and perform a configuration reset. To reset the configuration, navigate to Configuration > System Maintenance > Configuration Reset.
Upgrade and Downgrade
After upgrading the SD-WAN appliance from 11.1.1/11.2.0/10.2.7 to 11.2.1 software version, you must exchange both appliance and On-prem Orchestrator certificates.
After downgrading the SD-WAN appliance from 11.2.1 to the 11.1.1/11.2.0/10.2.7 software version, you must apply the identity settings again on the Citrix SD-WAN appliance UI. If there are any issues related to On-prem SD-WAN Orchestrator configuration or SD-WAN appliance connectivity, disable the On-prem SD-WAN Orchestrator connectivity and then enable it again.
The On-prem SD-WAN Orchestrator Authentication Type must be disabled to manage the SD-WAN appliances running 10.2.7/11.1.1/11.2.0 software version.
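As an added example (not Citrix code), the authentication rules in this section can be checked against a site inventory before the On-prem Orchestrator Authentication Type is changed. The inventory record, its field names, the sample sites, and the 90-day expiry warning window are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Releases that, per the page, can be managed only while the orchestrator
# Authentication Type is disabled.
LEGACY_RELEASES = {"10.2.7", "11.1.1", "11.2.0"}
MODES = ("none", "one-way", "two-way")


@dataclass
class Appliance:
    """Hypothetical inventory record; every field name is an assumption."""
    name: str
    version: str
    mode: str                          # appliance Authentication Type
    orchestrator_cert_uploaded: bool   # orchestrator certificate present on appliance
    appliance_cert_uploaded: bool      # appliance certificate present on orchestrator
    appliance_cert_end: Optional[date] = None  # end date from the Certificate page


def audit(appliances: List[Appliance], orchestrator_auth_enabled: bool,
          today: date, warn_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (site, severity, message) findings for the rules in this section."""
    findings = []
    for a in appliances:
        def add(severity: str, message: str, site: str = a.name) -> None:
            findings.append((site, severity, message))

        if a.mode not in MODES:
            add("error", f"unknown authentication mode {a.mode!r}")
            continue
        if orchestrator_auth_enabled:
            # Enabled on the orchestrator: only Two-way Authentication connects.
            if a.mode != "two-way":
                add("error", "disconnects: orchestrator accepts only two-way")
            if a.version in LEGACY_RELEASES:
                add("error", f"release {a.version} needs Authentication Type disabled")
        if a.mode == "none":
            add("warn", "No Authentication in use; one-way or two-way is recommended")
        if a.mode in ("one-way", "two-way") and not a.orchestrator_cert_uploaded:
            add("error", "orchestrator certificate not uploaded to the appliance")
        if a.mode == "two-way":
            if not a.appliance_cert_uploaded:
                add("error", "appliance certificate not uploaded to the orchestrator")
            end = a.appliance_cert_end
            if end is not None and end < today:
                add("error", f"appliance certificate expired on {end}; regenerate and exchange")
            elif end is not None and end - today <= timedelta(days=warn_days):
                add("warn", f"appliance certificate ends on {end}; plan regeneration")
    return findings


# Constructed sample inventory (site names, dates and pairing are made up).
SAMPLE = [
    Appliance("branch-01", "11.2.1", "two-way", True, True, date(2031, 5, 1)),
    Appliance("branch-02", "11.2.0", "one-way", True, False),
    Appliance("branch-03", "11.2.1", "none", False, False),
    Appliance("branch-04", "11.2.1", "two-way", True, False, date(2023, 12, 1)),
]

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"orchestrator Authentication Type enabled={enabled}")
        for site, severity, message in audit(SAMPLE, enabled, date(2024, 1, 1)):
            print(f"  {site:10} {severity:5} {message}")
```

Running the audit with `orchestrator_auth_enabled=True` before making the change lists the sites that would lose connectivity.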
Under Monitoring section, you can view the Address Resolution Protocol (ARP), Route, Ethernet, Ethernet MAC statistics along with DHCP Client WAN Links, SLAAC WAN Links, DHCP Server/Relay, Firewall Connections, Flows, and DNS Statistics.
ARP, Route, Ethernet, and Ethernet MAC Statistics: You can see the statistics information for ARP, Route, Ethernet, and Ethernet MAC. Using the statistics information, you can verify any traffic or interface errors. For more information, see Viewing Statistical Information.
DHCP Client WAN links: The DHCP Client WAN Links page provides the status of learned IPs. You can request to renew the IP, which refreshes the lease time. You can also choose to Release Renew, which issues a new IP address with a new lease. For more details, see Monitoring DHCP client WAN links.
SLAAC WAN Links: The SLAAC WAN links page provides details about the IPv6 addresses that SLAAC assigns to the virtual interfaces. You can also select Release Renew to allow SLAAC to assign a new IP address or the same IP address with a new lease to the IPv6 client.
DHCP Server/Relay: You can use the SD-WAN appliance as either DHCP Servers or DHCP Relay agents.
- The DHCP server feature allows devices on the same network as the SD-WAN appliance’s LAN/WAN interface to obtain their IP configuration from the SD-WAN appliance.
- The DHCP relay feature allows your SD-WAN appliances to forward DHCP packets between DHCP client and server.
For more information, see DHCP server and DHCP relay.
Firewall Connections: The Firewall Connections page provides the Firewall connection statistics. You can see how the firewall policies are acting on the traffic for each Application. For more information, see Viewing Firewall Statistics.
Flows: The Flows section provides basic instructions for viewing Virtual WAN flow information. For more details, see Viewing Flow Information.
DNS Proxy Statistics: This page provides details about the configured DNS proxies. Click Refresh to get the current data. For more information, see Domain name system.
The Diagnostics section provides the options to test and investigate connectivity issues. For more information, see Diagnostics.
For the Citrix SD-WAN 110 appliance, only one diagnostic package can be present at a time. For the Citrix SD-WAN 210 appliance, a maximum of five diagnostic packages are allowed.
Use the System Maintenance section to perform maintenance activities. The System Maintenance page contains the following options:
- Delete Files: You can delete Log files, Backup files, and Archived Databases. Select the file that you want to delete from the drop-down menu and click the delete button.
- Restart System: You can restart the virtual WAN service or reboot the system.
- Local Change Management: The Local Change Management process allows you to upload a new appliance package to this individual appliance.
- Configuration Reset: You can reset the configuration. This option clears out the user data, logs, history, and local configuration data on this appliance.
- Factory Reset: Use Factory Reset option to reset the SD-WAN appliance to the shipped version.
All of these features are already explained in detail in the existing SD-WAN documentation.