What’s New

What’s New in Release 9.3.3

The SD-WAN 9.3.3 release introduces the 210 Standard Edition appliance.

For more information, see; NetScaler SD-WAN 210-SE

What’s New in Release 9.3.0 (build 1000)

The following new features and enhancements were introduced in NetScaler SD-WAN Release 9.3.0 build 1000:

Security Fix

NetScaler SD-WAN release 9.3.0, build 1000 has new images with security fix for CVE-2017-14602.

This vulnerability is only present when the above versions are used on the following appliance models:

  • Citrix NetScaler SD-WAN model 5100 WAN Optimization appliances
  • Citrix NetScaler SD-WAN (CloudBridge) model 5000 WAN Optimization appliances
  • Citrix NetScaler SD-WAN model 4100 WAN Optimization appliances
  • Citrix NetScaler SD-WAN (CloudBridge) model 4000 WAN Optimization appliances

For additional information related to this security fix, impacted editions, and platforms, refer to the security bulletin posted at https://support.citrix.com/article/CTX228091.

What’s New in Release 9.3.0 (build 161)

The following new software, hardware features and enhancements were introduced in NetScaler SD-WAN Standard Edition, WANOP, and Enterprise Edition appliances for Release 9.3.

Application Support

HDX Traffic Identification and MSI support

  • You can enable DPI for Citrix ICA applications to classify Citrix ICA HDX sessions over any transport protocol such as TCP, UDP, CGP or HTTP.

  • You can enable ICA multi stream to allow multiple ICA streams in a session.

Application QoS Rules

  • You can now take advantage of the application DPI Engine to filter traffic flows based on application, application family, or application object match-types and apply application QoS rules to them.

Application QoE

  • You can now assess the user experience of ICA / HDX applications using the Quality of Experience (QoE) parameter. The QoE is a numeric value between 0–100, the higher the value the better the user experience. QoE is enabled by default for all ICA / HDX applications.

Alarm Enhancements

  • In NetScaler SD-WAN 9.3 the events notification system is enhanced by including a feature that allows you to configure alarms. You can now configure your SD-WAN appliance to identify alarm conditions based on your network priorities, generate alerts, and receive notifications via email, syslog or SNMP trap.

DPI support on SD-WAN Enterprise Edition Appliance

  • NetScaler SD-WAN 9.3 extends support for Deep Packet Inspection to all Enterprise Edition Appliances.

Destination NAT - Integration with Forcepoint and Zscaler for Firewall Traffic Redirection

  • In NetScaler SD-WAN 9.3, you can redirect internet (http and https) traffic from an SD-WAN appliance at the enterprise edge to the Forcepoint cloud-hosted security module through the Firewall redirect (transparent proxy by Destination NAT) feature. You can redirect HTTP traffic from port 80 to port 8081, and HTTPS traffic from port 443 to port 8443 of the nearest Forcepoint cloud proxy server. For SD-WAN 9.3, only firewall redirect feature has been implemented.

  • NetScaler SD-WAN appliances can connect to Zscaler cloud network through GRE tunnels and IPsec tunnels at the customer’s site. When implementing Zscaler using SD-WAN appliances, the following functionality is supported:

  • GRE traffic forwarding mode only to Zscaler, enabling direct Internet breakout.
  • IPsec Tunnel traffic forwarding to Zscaler.
  • Support for direct internet access (DIA) using Zscaler on a per customer site basis.
  • On some sites, you may want to provide DIA with on-premises security equipment and not use Zscaler.
  • On some sites, you may choose to backhaul all traffic another customer site and provide internet access.
  • Virtual Routing and Forwarding deployment.
  • One WAN link as part of internet services.

FIPS Compliance Mode Using NetScaler SD-WAN GUI

In NetScaler SD-WAN 9.3, FIPS mode enforces configuring FIPS compliant settings for IPsec Tunnels and IPsec settings for Virtual Paths.

  • Displays the FIPS compliant IKE Mode.
  • Displays FIPS Compliant IKE DH Group for users to select the required parameters to use when configuring the appliance in FIPS compliant mode (2,5,14 – 21).
  • Displays the FIPS compliant IPsec Tunnel Type in IPsec settings for Virtual Paths

    • IKE Hash and (IKEv2) Integrity mode, IPsec auth mode.

    • Performs audit errors for FIPS based Lifetime Settings.

NetScaler SD-WAN Center

Email Authentication Support

  • In SD-WAN Center 9.3 release, along with configuring the email settings you can also configure SMTP Authentication.

Event SNMP/Syslog Support

  • You can now configure notification settings to receive event alerts by email, SNMP traps or Syslog messages on SD-WAN Center.

SD-WAN Center Dashboard Improvements

  • The SD-WAN Center dashboard is updated to include HDX visibility, the following widgets are included:

    • Network HDX: Quality Summary
    • Network HDX: Users and Sessions
    • Network HDX: Bottom 5 Poor Sites
    • Site HDX: Users
    • Site HDX: Sessions
    • Site HDX: QoE

SD-WAN Center HDX Insight

  • You can view the Quality of Experience (QoE) of HDX applications at each site along with other HDX statistics as a report in SD-WAN Center.

Configuring Zero Touch Deployment in SD-WAN Center Using Proxy Settings

  • You can configure proxy settings for Zero Touch Deployment to function properly in SD-WAN Center, if it is connected to the internet through a proxy server.


Metering and Standby WAN Links

NetScaler SD-WAN supports enabling metered links, which can be configured such that user traffic is only transmitted on a specific Internet WAN Link when all other available WAN Links are disabled.

Metered links conserve bandwidth on links that are billed based on usage. With the metered links you can configure the links as the Last Resort link, which disallows the usage of the link until all other non-metered links are down or degraded. Set Last Resort is typically enabled when there are three WAN Links to a site (i.e. MPLS, Broadband Internet, 4G/LTE) and one of the WAN links is 4G/LTE and may be too costly for a business to allow usage unless it is absolutely necessary. Metering is not enabled by default and can be enabled on a WAN link of any access type (Public Internet / Private MPLS / Private Intranet). If metering is enabled, you can optionally configure the following:

  • data cap.
  • billing frequency (weekly/monthly).
  • start date of the billing cycle.
  • active heartbeat interval
  • interval at which a heartbeat message is sent by an appliance to its peer on the other end of the virtual path when there has been no traffic (user/control) on the path for at least a heartbeat interval.
  • configurable values: default 50ms/1s/2s/3s/4s/5s/6s/7s/8s/9s/10s.


Simplified Configuration

  • In NetScaler SD-WAN 9.3 release, the configuration editor is further simplified. The simplified basic configuration mode has two views Global and Site.

    • Using the Global tab, you can:

      • Set the global virtual WAN network encryption settings.
      • Create multiple WAN Link Templates and map it to Service Providers.
      • Create WAN Link Template for MPLS links.
      • Configure the WAN Link speeds in Mbps or Kbps.
      • Set up MPLS Queues using % or kbps.
    • The new updates in the Sites tab are:

      • Enable site as intermediate node or enable dynamic virtual path.
      • Clone Sites

Change Management

  • The change management UI is updated to make it easier and faster for the user to perform a change management operation.

  • Once touch start feature is introduced in SD-WAN 9.3 release, this allows you to easily and quickly configure your SD-WAN appliance as a Client on first time start up.

Configuration Rollback

  • The Configuration Rollback feature allows the Change Management system to detect and recover from certain software / configuration errors by reverting to the previously active software/configuration.. This feature can detect network outage and appliance crash.

Single Step Upgrade

  • In release 9.3, a single step upgrade package using the SD-WAN GUI change management option to upgrade non-SD-WAN components in the network for all applicable platform editions has been introduced. The MCN distributes all necessary software components to the sites (Branch) in the network. When the branch site receives the upgrade component files, these can be installed at scheduled time intervals. If the scheduled time is not specified, a default time which is set by MCN for all branches is used for installation.

API Reference - NITRO API

NITRO APIs (REST APIs) have been introduced in NetScaler SD-WAN release 9.3. NITRO APIs can be used for third-party software integration. NITRO APIs are introduced for Change Management, Local Change Management, and few more functionalities. Detailed API documentation is available in the product installation. APIs can be downloaded from the NetScaler SD-WAN GUI by navigating to Configuration > Appliance Settings > NITRO API and click Download Nitro API Doc.

Security Support

TLS 1.2 support

  • In NetScaler SD-WAN WANOP 9.3, to enable secure access with SSL tunnel, the latest SSL protocol TLS 1.2 is used in SSL proxy. You can choose to use TLS1.2 protocol only or use TLS1.0, TLS1.1 and TLS1.2 protocols.

  • SSL protocols SSL v3 and SSL v2 are no longer supported.

New Platform Editions

In release 9.3, two new platform editions are introduced.

  • SD-WAN WANOP 4100
  • SD-WAN WANOP 5100

Platforms - Hardware Support and Third-Party (Cloud) Application Support

Deploying SD-WAN VPX-SE appliance in AWS and Microsoft Azure

  • NetScaler SD-WAN 9.3 release supports deploying high availability Standard Edition VPX appliances in AWS and Microsoft Azure environments.

Deploying High Availability SD-WAN VPX Appliances in Linux-KVM Hypervisor

  • NetScaler SD-WAN 9.3 release supports deploying high availability VPX appliances in Linux KVM Hypervisor environments. It also supports deploying high availability VPX appliance instances on the same host.

Support for deploying SD-WAN VPX appliances in Microsoft Azure, Hyper-V 2012 R2, AWS, VMWare ESXi, and XenServer

  • NetScaler SD-WAN 9.3 release extends support for deploying SD-WAN VPX appliances in Microsoft Azure, Hyper-V 2012, AWS, VMWare ESXi, and XenServer environments.

Scalability - Routing Domain Support

  • In NetScaler SD-WAN 9.3, support for more number of routing domains and associated attributes has been added. See the list below for the supported parameters:

    • Maximum Routing Domains: 255
    • Maximum Access Interfaces per WAN Link: 64
    • Maximum BGP neighbours per site: 255
    • Maximum OSPF area per site: 255
    • Maximum Virtual Interfaces per OSPF area: 255
    • Maximum Route Learning import filters per site: 512
    • Maximum Route Learning export filters per site: 512
    • Maximum BGP routing policies: 255
    • Maximum BGP community string objects: 255

XenServer 6.5 Upgrade Support - NetScaler SD-WAN Appliances

  • XenServer versions on most appliances shipped with SD-WAN software version older than 9.1.1 are supported with XS 6.0 or 6.2. For SD-WAN 9.3 software release, you need to upgrade XenServer from 6.0 or 6.2 to 6.5. All SD-WAN appliances support this upgrade. To do the XS 6.5 upgrade, you will need to run SD-WAN software version 9.0 or newer version if you are running an older version than 9.0. After an upgrade to 9.0, it is recommended to upgrade the software to version 9.3 or latest version.

Note: Any appliance shipped with version 9.1 and later will have XS 6.5 support already.

For more information about each of these supported features, see the topics listed on the left navigation panel.