Citrix NetScaler EE Installation And Configuration Manual

Sd-wan

page of 1026

/ 1026
Bookmarks

Quick Links

Download this manual

NetScaler SD-WAN 9.1

Jun 13, 20 17

T he NetScaler SD-WAN product was formerly called "CloudBridge". Refer to the links below to access CloudBridge

documentation.

CloudBridge

CloudBridge 9.0 CloudBridge 8.1 CloudBridge 8.0 CloudBridge 7.4 CloudBridge 7.4 CloudBridge 7.3

For information on NetScaler SD-WAN WO 9.1 installation, deployment, and feature conﬁguration, please

refer

CloudBridge 7.4

NetScaler SD-WAN

Overview

What's New

Release Notes

NetScaler SD-WAN 9.1.1 Release Notes

NetScaler SD-WAN 9.1.2 Release Notes

Before You Begin

System Requirements

Acquiring the NetScaler SD-WAN Software Packages

NetScaler SD-WAN Software Packages and Appliance Models

NetScaler SD-WAN Appliance Packages

Preparing for Your Deployment

Installation and Configuration Information Checklist

Deployment

Installing and Deploying a SD-WAN VPX Standard Edition on VMware ESXi

Setting up the Master Control Node (MCN) Site

Adding and Configuring the Branch Sites

Conﬁguration

Configuring Virtual WAN Service

Configuring the Virtual Path Service Between the MCN and Client Sites

https://docs.citrix.com

documentation.

p.1

Need help?

Do you have a question about the NetScaler EE and is the answer not in the manual?

Questions and answers

Summary of Contents for Citrix NetScaler EE

Page 1 Installing and Deploying a SD-WAN VPX Standard Edition on VMware ESXi Setting up the Master Control Node (MCN) Site Adding and Configuring the Branch Sites Conﬁguration Configuring Virtual WAN Service Configuring the Virtual Path Service Between the MCN and Client Sites https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 2 Standby WAN Links Secure Web Gateway Use Cases - Virtual Route Forwarding Deploying SD-WAN in Gateway Mode Deploying SD-WAN in PBR mode (Virtual Inline Mode) Building a SD-WAN Network https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 3 How T o Configure IPsec T unnel Between SD-WAN and T hird-Party Devices How T o Add IKE Certificates How T o View IPSec T unnel Configuration IPSec Monitoring and Logging https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 4 DHCP Client and Server Management Link State Propagation Multiple Net Flow Collectors Network Objects QoS Fairness With RED SNMP MIBs MPLS QoS Queues NetScaler SD-WAN Center 9.1 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 5 Standard and WANOP Editions can be accomplished by deploying a single Enterprise Edition at the branch ofﬁce. See the Licensing section, for more information about the license options available for using NetScaler SD-WAN platform editions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 6 Release Notes Oct 0 9, 20 16 T his release notes describes the new features, enhancements, known issues, and ﬁxed issues applicable to Citrix NetScaler SD-WAN software release 9.1 for the SD-WAN Standard Edition and Enterprise Edition appliances. For information about the previous product called CloudBridge Virtual WAN and CloudBridge Enterprise Editions, see the CloudBridge Virtual WAN Administration Guide.
Page 7 When the queue timestamp expires, the queued event is processed, and the entry is removed from the queue. In the case of data expiry, a duplicate entry already present in the event queue does not allow the rekey https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 8 Issue ID 640507: Auto secure peering feature will not work over T LS1.2 until support is added to Data Path Access. Currently T LS1.2 support is limited to Management Path Access only. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 9 - Workaround: Upgrade to version 9.0 ﬁrst and then to 9.0.1. Release 9.0 Issue ID 608355 : When Citrix XenServer private networks are deployed for CloudBridge VW VPX along with CloudBridge WAN Optimization VPX, the ‘Checksum.SendForceSW’ parameter available through the support.html page on the WAN OPT web interface must be turned off.
Page 10 Note T his release note document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin. T he [# XXXXXX] labels for issue descriptions are internal tracking IDs used by the SD-WAN support team.
Page 11 Diagnostics ﬁles. Expected Behavior: All diagnostic ﬁles should be removed when you click Erase All Files. Workaround: Use the Erase button to delete individual ﬁles. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.11...
Page 12 Jan 17, 20 17 T hese release notes describe the new features, enhancements, known issues, and ﬁxed issues applicable to Citrix NetScaler SD-WAN software release 9.1.2. T he list of known issues is cumulative, that is, it includes issues that are newly found in this release and also issues from previous releases.
Page 13 IP/TCP ports. Workaround: Reboot the appliance for secure peering functionality to work. Gateway IP address of CB-VW is not getting Changed even after moving the CB to another network(different DHCP server) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.13...
Page 14 Client WAN Links is now displayed under Manage Appliance > Local Network Settings. Support for enhanced Match Criteria Rules through VLAN ID and Routing. Ability to configure three Multiple Net Flow Collectors. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.14...
Page 15 WAN Links become unavailable. For more information about each of these supported features, refer to the topics listed on the left navigation panel. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.15...
Page 16 T he following table lists all the appliance models supported in NetScaler SD-WAN 9.1. release: Platf orm Edition License Model Standard VPX VPX-10-VW, VPX-20-VW, VPX-50-VW, VPX-100-VW Standard 400 400-010-VW, 400-020-VW, 400-050-VW https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.16...
Page 17 Returning and Reallocating Licenses To return or reallocate a license, you must use the Citrix NetScaler SD-WAN Licensing Portal. You also have the option to use the Licensing Portal for license allocation. For instructions, see the Knowledge Base article entitled, “My Account All...
Page 18 SD-WAN VPX-SE - PBR Deployment in the Branch Office Deployment scenarios not supported for 9.1 Remote License server deployed in Data Center (data/apA Ports) Import SD-WAN VPX-SE license on XenServer/ESXi 9.1 Local License Remote License https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.18...
Page 19 3. SD-WAN VPX-SE - PBR deployment in the Branch ofﬁce. Deployment scenarios not supported f or 9.1 4. Remote license server deployed in Data Center reachable through the data/apA Ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.19...
Page 20 3. Save your changes by clicking Apply Settings. Remote License 1. In the SD-WAN web management interface, navigate to Conf iguration > Appliance Settings > Licensing. 2. Select Remote and enter the Remote Server-IP address details. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.20...
Page 22 ﬁle. It is important to complete the second upgrade step locally on every appliance, otherwise some functionality will be missing. Refer to the upgrade instructions in the following sections. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.22...
Page 23 Upgrade Procedure 1. On the MCN appliance, navigate to Conf iguration > Virtual WAN > Change Management. 2. Obtain applicable cb-vw_<APPLIANCE-MODEL>_9.1.0.X.tar.gz file for all sites in the Virtual WAN network from Citrix download page for NetScaler SD-WAN Release 9.1 at: https://www.citrix.com/downloads/netscaler-sd-wan.html...
Page 24 Click Choose File to provide the CB-VW-PKG- 9.1.0.X.UPG ﬁle. c. Click Upload and Upgrade. 5. Perform operating system software update on the MCN appliance and all other appliances in the network using the CB-VW-PKG-9.1.0.x.upg ﬁle. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.24...
Page 25 If the license ﬁle is not present or available, re-upload the license ﬁle to the appliance and then re-apply it. Note Intermittent SSO session might be timed out, when accessing the WAN Optimization node. - Workaround: Please re-login and continue. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.25...
Page 26 -> Miscellaneous -> Switch Console. b. Obtain applicable cb-vw_<APPLIANCE-MODEL>_9.1.0.X.tar.gz ﬁle for the MCN device. For example; If NetScaler SD-WAN 1000 EE is chosen to be MCN, obtain the c b-vw_CB1000_9.1.0.X.tar.gz from the Citrix download page for NetScaler SD-WAN 9.1.0 release.
Page 27 Editor. Export the configuration to Change Management. 4. Navigate to Change Management through Conf iguration > Virtual WAN > Change Management. 5. Obtain applicable cb-vw_<APPLIANCE-MODEL>_9.1.0.X.tar.gz file from Citrix product downloads page at: https://www.citrix.com/downloads/netscaler-sd-wan.html for all sites in the Virtual WAN network defined in the configuration.
Page 28 (ping should fail initially and after 20 minutes, it should succeed). 8. Install the Standard Edition or Enterprise Edition license for each site appliance through Conﬁguration > Appliance Settings > Licensing. 9. Enable Citrix Virtual WAN Service on MCN appliance through Conﬁguration > Virtual WAN >Enable/Disable/Purge Flows > Enable. Warning On the 1000/2000 appliances, the following warning message appears.
Page 29 Verify that the serial console is connected and proceed with the conversion process. How To Convert With USB Stick To upgrade the appliance with USB stick: 1. Insert the enclosed USB stick into the Citrix SD-WAN appliance. 2. Connect to the serial console of the appliance. 3. Reboot the appliance.
Page 30 T he above steps should be executed during the applaince reboot process. T he key strokes should happen during BIOS post stage as described in step 4. 5. When BIOS loads, choose PNY USB 2.0 FD 1100 to boot. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.30...
Page 31 Ref erences For licensing about the NetScaler and NetScaler SD-WAN products, see the support link at: http://support.citrix.com/article/ctx131110 For Documentation and Release Notes information about NetScaler SD-WAN, see; http://support.citrix.com/proddocs and docs.citrix.com. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.31...
Page 32 5. Click Upload. Select Accept and click on Install to proceed. 6. Install the Enterprise Edition License. 7. Perform Local Change Management on the appliance using the downloaded active package in step 2 above. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.32...
Page 33 Before You Begin Oct 0 4 , 20 16 T his section outlines the hardware and software requirements for deploying Citrix NetScaler SD-WAN Standard and Enterprise Editions, and deﬁnes the platform dependencies. Also provided is a summary and overview of the SD- WAN appliance installation and deployment procedures.
Page 34 T he NetScaler SD-WAN Management Web Interface is supported on the following browsers: - Mozilla Firefox 35.0+ (Recommended version 43.x) - Google Chrome 40.0+ (Recommended version 49.x) Supported browsers must have cookies enabled, and JavaScript installed and enabled. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.34...
Page 35 NetScaler SD-WAN 1000 WS-WANOP NetScaler SD-WAN VPX-WANOP (Virtual Appliance) To download the NetScaler SD-WAN software packages, go to the following URL: http://www.citrix.com/downloads.html Instructions for downloading the software are provided on this site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.35...
Page 36 NetScaler SD-WAN Sof tware Packages T here is a different Citrix NetScaler SD-WAN software package for each supported SD-WAN appliance model. You will need to acquire the appropriate package for each appliance model you plan to incorporate into your network.
Page 37 T he below ﬁgure illustrates NetScaler SD-WAN 5100-SE Appliance model. NetScaler SD-WAN VPX Virtual Appliances (SD-WAN VPX-SE) Citrix NetScaler SD-WAN 9.1 supports the following SD-WAN VPX Virtual Appliance (VPX-SE) models: SD-WAN VPX-SE MODEL APPLIANCE TYPE ROLE SD-WAN VPX 10-SE Virtual Appliance...
Page 38 SD-WAN network. If you are updating the conﬁguration for an existing SD- WAN deployment, the MCN automatically distributes and activates the appropriate appliance package on each of the existing clients, as soon as the virtual paths to the clients become operational. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.38...
Page 39 Oct 0 4 , 20 16 It is strongly recommended that before beginning the installation, you ﬁrst read through the Citrix CloudBridge Virtual WAN Deployment Planning Guide. T his article discusses the essential Virtual WAN concepts and features, and provides guidelines for planning your deployment.
Page 40 10. Enable the SD-WAN Service on each of the SD-WAN appliances in your network. 11. Use the Monitoring pages to verify the activation and check for any existing or potential conﬁguration issues. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.40...
Page 41 - SD-WAN Appliance Model (for each appliance to be deployed) - Deployment Mode (MCN or Client) - Topology - Gateway MPLS - GRE Tunnel information - Routes - VLANs - Bandwidth at each site for each circuit https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.41...
Page 42 SD-WAN VPX on XenServer, see NetScaler SD-WAN VPX in the document entitled, Citrix CloudBridge 7.4 Product Documentation, available on the Citrix Documentation Portal at this location: (http://docs.citrix.com/). T he following section outlines the requirements and prerequisites for installing a NetScaler SD-WAN VPX-SE and deploying it in your SD-WAN environment.
Page 43 Before you can install and deploy a SD-WAN VPX-SE 9.1 as a client appliance, the SD-WAN Master Control Node (MCN) and existing client nodes must be upgraded to Virtual WAN version 8.1 or above. For information on updating and upgrading your CloudBridge (SD-WAN) deployment, please refer to the Citrix CloudBridge 9.0.0 Release Notes, available on the Citrix Documentation Portal (http://docs.citrix.com/).
Page 44 For SD-WAN VPX-SE, bridges are not created by default for the data interface (for example, eth1 and eth2). Deployments that are supported for hardware SD-WAN Appliances are also supported for SD-WAN VPX-SE. SD-WAN VPX- https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.44...
Page 46 SD-WAN VPX for WAN Optimization. T he primary differences when installing and conﬁguring a SD-WAN VPX-SE virtual appliance from SD-WAN WANOP VPX, are as follows: Download the following installation ﬁles from the Citrix NetScaler downloads site (http://www.citrix.com/downloads.html). Note Remote licenses are supported for SD-WAN VPX-SE.
Page 47 SD-WAN VPX-SE Virtual Appliance resides. <gateway> is the Gateway IP Address of the SD-WAN VPX-SE Virtual Appliance will use to communicate with external networks. 4. Restart the SD-WAN VPX-SE Virtual Appliance VM. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.47...
Page 49 (VPX-SE) and a SD-WAN (WAN Optimization) VPX are very similar. For instructions on installing a SD-WAN WANOP VPX on XenServer, see the chapter entitled, “CloudBridge VPX,” in the document entitled, Citrix CloudBridge 7.4 Product Documentation, available on the Citrix Documentation Portal (http://docs.citrix.com/). See also, Differences Between a SD-WAN VPX-SE and WANOP VPX Installation.
Page 50 WAN VPX-SE. (By default, SD-WAN VPX-SE uses DHCP). Determine the Gateway IP Address the SD-WAN VPX-SE will use to communicate with external networks. Note the subnet mask for the network in which the SD-WAN VPX-SE will reside. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.50...
Page 51 Deployment Oct 0 4 , 20 16 Refer to the following topics for SD-WAN VPX deployment related information: Installing and Deploying SD-WAN VPX on ESxi Configuring Management IP Address https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.51...
Page 52 1. Install the VMware vSphere Client. 2. Install and deploy the SD-WAN VPX-SE OVF Template. 3. Conﬁgure the SD-WAN VPX-SE Management IP Address. 4. Connect and test the deployment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.52...
Page 53 4. After the installation completes, start the vSphere Client program. T he VMware vSphere Client VMware vSphere Client login page displays, prompting you for the ESXi server login credentials. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.53...
Page 54 User name: Enter the server Administrator account name. T he default is root. - Password Password: Enter the password associated with this Administrator account. 6. Click Login. Login. T his displays the vSphere Client vSphere Client main page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.54...
Page 55 T he next step is to install and deploy the SD-WAN VPX-SE OVF template and set up the Virtual Machine. T he following section provides instructions for these procedures. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.55...
Page 56 F ile and then select Deploy OVF Templat e... Deploy OVF Templat e... from the drop-down menu. T his displays the ﬁrst page of the Deploy OVF Templat e Deploy OVF Templat e wizard, the Source Source page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.56...
Page 57 Browse to the location of the .ova ﬁle you downloaded earlier to the local PC, and select it. 4. Click Next Next . T his imports the selected .ova ﬁle and displays the OVF Templat e Det ails OVF Templat e Det ails page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.57...
Page 58 5. T his page displays some basic information regarding the OVF template you just imported. 6. Click Next Next . T his proceeds to the End User License Agreement End User License Agreement page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.58...
Page 59 7. Click Accept Accept , and then click Next Next . T his proceeds to the Name and Locat ion Name and Locat ion page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.59...
Page 60 Invent ory folder, and can be up to 80 characters in length. . 9. Click Next Next . T his displays the Disk Format page. T he SD-WAN VPX-VW Virtual Machine requires 39.1 GB of disk space. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.60...
Page 61 12. Accept the default settings, and click Next. T his proceeds to the Net work Mapping Net work Mapping page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.61...
Page 62 13. Accept the default (VM Net work VM Net work) and click Next Next . T his proceeds to the Ready to Complete page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.62...
Page 63 Depending on the conditions present on your server, the deployment can take from several minutes to a few hours to complete. When the SD-WAN VPX Virtual Machine has been successfully created, a success message displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.63...
Page 64 VMs, the Invent ory Invent ory page displays. T he next step is to conﬁgure the SD-WAN VPX Management IP Address. T he following section provides instructions for this procedure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.64...
Page 65 To use DHCP, the DHCP server must be present and available in the SD-WAN. For instructions on identifying the acquired Management IP Address, see Displaying the DHCP-assigned Management IP Address for the VPX. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.65...
Page 66 Basic T asks section of the Get t ing St art ed Get t ing St art ed tab page, click P ower on t he virt ual machine P ower on t he virt ual machine (green play https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.66...
Page 67 Invent ory page tab bar at the top of the main page area. Selecting this tab displays and enables access to the CLI console for the VM. As the new VM starts up, a series of status messages display in the console. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.67...
Page 68 T his turns control of your mouse cursor over to the VM console, and enables console mode. Note To release console control of your cursor, press the Ctrl and Alt keys simultaneously. 5. Log into the VM console. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.68...
Page 69 T his displays the console Welcome Welcome screen. 6. Enter the following command line at the console prompt: management_ip T his switches to the management_ip CLI in the console, and displays the set_management_ip prompt. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.69...
Page 70 CB VPX-VW Virtual Appliance resides. - <gateway> is the Gateway IP Address the SD-WAN VPX-SE Virtual Appliance will use to communicate with external networks. T his stages but does not apply the interface settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.70...
Page 71 Ret urn at the console prompt, and then press Ct rl+ Alt t o regain cont rol of t he cursor. Ct rl+ Alt t o regain cont rol of t he cursor. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.71...
Page 72 T his shuts down the guest operating system and powers off the VM. When the shutdown completes, the P ower on P ower on t he virt ual machine option (green play button) becomes available. t he virt ual machine https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.72...
Page 73 P ower on t he virt ual machine (green right-arrow) to restart the VM. You can view the progress of the start up process in the Console Console tab page for the VM. When the startup process completes, the login prompt displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.73...
Page 75 Invent ory tree (left pane). T his displays the Inventory page for the SD-WAN VPX-SE VM. 2. If you have not already done so, power on the new Virtual Machine. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.75...
Page 76 Alt keys simultaneously. 5. Press Ent er Ent er to display the console login login prompt. Press Ent er Ent er once or twice to display the console login ogin prompt. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.76...
Page 77 7. Record the Management IP Address for the SD-WAN VPX-SE VM. Note T he DHCP server must be present and available in the SD-WAN, or this step cannot be completed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.77...
Page 78 T his completes the deployment of the SD-WAN VPX-SE Virtual Machine. T he ﬁnal step is to connect to the new SD-WAN VPX-SE and test the deployment. Instructions are provided in the next section. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.78...
Page 79 It is strongly recommended that you change the default password as soon as possible. Be sure to record the password in a secure location, as password recovery might require a conﬁguration reset. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.79...
Page 80 Virtual Appliance before adding it to your SD-WAN network. For instructions on completing the next step, please proceed to the section, Setting the Date and T ime on an Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.80...
Page 81 9. (Optional) Conﬁgure High Availability for the MCN site. 10. (Optional) Conﬁgure Virtual WAN security and encryption. 11. Name and save the MCN site conﬁguration. Instructions for each of these tasks are provided in the following sections. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.81...
Page 82 T here can be more than one MCN, but only one can be active at any given time. T he below ﬁgure illustrates the basic roles and context of the MCN (data center) and client (branch node) appliances for a Virtual WAN Edition deployment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.82...
Page 83 Administ rat or Int erf ace . T his displays the Administrator Interface page in the middle pane. 4. Select the Miscellaneous Miscellaneous tab. T his displays the Miscellaneous administrative settings page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.83...
Page 84 MCN Console mode, and terminates the current session. A success message displays, along with a countdown status indicating the number of seconds remaining before the session terminates. After the countdown completes, the session is terminated and the login page appears. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.84...
Page 85 7. Enter the Administrator user name and password, and click Login Login. - Default Administrator user name: admin - Default Administrator password: password After logging in, the Dashboard Dashboard displays, now indicating that the appliance is in MCN mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.85...
Page 86 T he next step is to open a new conﬁguration and add the MCN site to the Sites table, and begin conﬁguring the new MCN site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.86...
Page 87 Switching the Management Web Interface to MCN Console Mode, for instructions on changing the console mode. T his displays the Conﬁgurat ion Edit or Conﬁgurat ion Edit or main page (middle pane). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.87...
Page 88 3. Click Add Add in the Sit es Sit es bar to begin adding and conﬁguring the MCN site. T his displays the Add Sit e Add Sit e dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.88...
Page 89 T his adds the new site to the Sit es Sit es tree, and displays the Basic Set t ings Basic Set t ings conﬁguration form for the new site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.89...
Page 90 To save the current conﬁguration package, do the following: 1. Click Save As Save As (at the top of the Conﬁgurat ion Edit or Conﬁgurat ion Edit or middle pane). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.90...
Page 91 If you are saving the conﬁguration to an existing package, be sure to select Allo w Ov e rwrite Allo w Ov e rwrite before saving. 3. Click Save Save . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.91...
Page 92 3. Click + + to the right of Int erf ace Groups Int erf ace Groups . T his adds a new blank group entry to the table and opens it for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.92...
Page 93 8. Click + + to the right of Virt ual Int erf aces Virt ual Int erf aces . T his reveals the Name Name and the VLAN ID VLAN ID lds. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.93...
Page 94 To add more pairs, click + + next to Bridge Pairs Bridge Pairs again. 12. Click Apply Apply . T his applies your settings and adds the new Virtual Interface Group to the table. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.94...
Page 95 VIPs for the site. 13. To add more Virtual Interface Groups, click + + to the right of the Int erf ace Groups Int erf ace Groups branch, and proceed as above. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.95...
Page 96 T he Virtual IP Address must include the full host address and netmask. Note You can click + + again to add more Virtual IP Address entries before applying your settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.96...
Page 97 Virt ual IP Addresses table. 5. To add more Virtual IP Addresses, click + + to the right of the Virt ual IP Addresses Virt ual IP Addresses branch, and proceed as above. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.97...
Page 98 3. Conﬁgure the GRE Tunnel settings. Enter the following: - Name Name – Enter a name for the new GRE tunnel, or accept the default. T he default uses the following naming format: Appliance-Tunnel-<number> https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.98...
Page 99 5. To conﬁgure additional GRE Tunnels, click + + to the right of the GRE T unnels GRE T unnels branch label, and proceed as above. T he next step is to conﬁgure the WAN links for the MCN site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.99...
Page 100 2. Click + + to the right of the WAN Links WAN Links branch to add a new WAN link. T his opens the Add WAN Link Add WAN Link dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.100...
Page 101 T his displays the WAN Links WAN Links table, adds the new unconﬁgured link to the table, and opens the Basic Set t ings Basic Set t ings conﬁguration form for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.101...
Page 102 8. Click the grey Advanced Set t ings Advanced Set t ings section bar. T his opens the Advanced Set t ings Advanced Set t ings form for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.102...
Page 103 MT U Size (byt es) – Enter the largest raw packet size (in bytes), not including the Frame Cost. 10. Click the grey Eligibilit y Eligibilit y section bar. T his opens the Eligibilit y Eligibilit y settings form for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.103...
Page 104 Met ered Link settings form for the link. 13. (Optional) Select Enable Met ering Enable Met ering to enable metering for this link. T his displays the Enable Met ering Enable Met ering settings ﬁelds. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.104...
Page 105 17. Click + + to the right of the Access Int erf aces branch t o add an int erf ace. Access Int erf aces branch t o add an int erf ace. T his adds a blank entry to the table and opens it for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.105...
Page 106 - P roxy ARP – Select the checkbox to enable. If enabled, the Virtual WAN Appliance replies to ARP requests for the - P roxy ARP Gateway IP Address, when the gateway is unreachable. 19. Click Apply Apply . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.106...
Page 107 You have now ﬁnished conﬁguring the new WAN link. Repeat these steps to add and conﬁgure additional WAN links for the site. T he next step is to add and conﬁgure the routes for the site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.107...
Page 108 T he default value is 5. - Service T ype Service T ype – Select the service type for the route from the drop-down menu for this ﬁeld. T he options are as follows: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.108...
Page 109 Gat eway IP Addres s – Enter the Gateway IP Address for this route. 4. Click + + to the left of the new entry. T his opens the Eligibility Settings form for the route. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.109...
Page 110 Enabling and Configuring Virtual WAN Security and Encryption (Optional). If you do not want to conﬁgure these features at this time, you can proceed directly to the section Naming, Saving, and Backing Up the MCN Site Conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.110...
Page 112 T his enables High Availability for the site, and enables the ﬁrst level of ﬁelds for conﬁguring. A red asterisk ( * ) indicates a required ﬁeld where you must enter a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.112...
Page 113 HA IP Int erf aces . T his adds a new blank entry in the HA IP Int erf aces HA IP Int erf aces table, and enables the entry for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.113...
Page 114 7. Click + + to the left of the new HA IP Int erf aces HA IP Int erf aces entry. T his displays the Ext ernal T racking Ext ernal T racking table, as shown in. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.114...
Page 115 Enter the IP Address of the external device that will respond to ARP requests regarding the state of the primary MCN appliance. 10. Click Apply Apply . T his adds the new High Availabilit y High Availabilit y conﬁguration settings to the MCN site conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.115...
Page 116 T his opens the branch and displays the Global Securit y Set t ings Global Securit y Set t ings conﬁguration form. 2. Click Edit (pencil icon) to enable editing for the form. 3. Enter your global security settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.116...
Page 117 You must then log back into the system, and repeat the conﬁguration procedure from the beginning. For that reason, it is strongly recommended that you save the conﬁguration package often, or at key points in the conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.117...
Page 118 1. Click Save As Save As (at the top of the Conﬁgurat ion Edit or Conﬁgurat ion Edit or middle pane). T his opens the Save As Save As dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.118...
Page 119 You have now completed the MCN site conﬁguration, and created a new SD-WAN conﬁguration package. You are now ready to add and conﬁgure the branch sites. Instructions are provided in Adding and Conﬁguring the Branch Sites. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.119...
Page 120 T his includes the Net work Map Net work Map information in the conﬁguration package, and opens a ﬁle browser for specifying the name and location for saving the conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.120...
Page 121 Co nﬁ gura tio n Edito r . You can then save the imported package to your Management Web Interface workspace for future use. Instructions are provided in the section Importing a Backed up Conﬁguration Package into the Conﬁguration Editor. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.121...
Page 122 Import ) and then opening (Open (Open) a conﬁguration previously backed up to your local PC. 2. Click Open Open. T his displays the Open Conﬁgurat ion Package Open Conﬁgurat ion Package dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.122...
Page 123 T his opens the speciﬁed Conﬁguration Package and loads it into the Co nﬁ gura tio n Edito r Co nﬁ gura tio n Edito r for editing, only. T his does not stage or activate the selected conﬁguration to the local appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.123...
Page 124 2. In the Conﬁgurat ion Edit or Conﬁgurat ion Edit or menu bar, click Import . Import . T he Import Virt ual WAN Conﬁgurat ion Virt ual WAN Conﬁgurat ion dialog box appears. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.124...
Page 125 However, the contents of the saved version of the current package will not be overwritten until you explicitly save the modiﬁed package. If you use Save As Save As to https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.125...
Page 126 Note If a package of the same name already exists in your workspace, then the Na m e Na m e Co nﬂ ict Co nﬂ ict dialog box displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.126...
Page 127 T his also enables the Import Import button in the Name Conﬂict Name Conﬂict dialog box. Click Import Import to complete the import operation. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.127...
Page 128 Cloning the site is optional. T he Virtual WAN appliance models must be the same for both the original and the cloned sites. You cannot change the speciﬁed appliance model for a clone. If the appliance model is different for a site, you must manually add the site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.128...
Page 130 Secure Key – T his is a hexadecimal key of 8 to 32 digits used for encryption and membership veriﬁcation in the SD- WAN Appliance. By default, this ﬁeld is preﬁlled with an automatically generated security key. Accept the default or enter a custom key in hexadecimal format. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.130...
Page 131 5. Enter the basic settings for the site, and click Apply Apply . T he next step is to add and conﬁgure the Virtual Interface Groups for the new site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.131...
Page 132 3. Click + + to the right of Int erf ace Groups Int erf ace Groups . T his adds a new blank group entry to the table and opens it for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.132...
Page 133 7. Click + + at the left edge of the new blank entry. T his reveals the Virt ual Int erf aces Virt ual Int erf aces and Bridge Pairs Bridge Pairs ﬁelds. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.133...
Page 134 VLAN ID for this Virtual Interface Group. 10. Click + + to the right of Bridge Pairs Bridge Pairs . T his adds a new Bridge Pairs Bridge Pairs entry and opens it for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.134...
Page 135 VIPs for the site. 13. To add more Virtual Interface groups, click + + to the right of the Int erf ace Groups Int erf ace Groups branch, and proceed as above. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.135...
Page 136 2. Click + + to the right of the Virt ual IP Addresses Virt ual IP Addresses branch to add an address. T his opens the form for adding and conﬁguring a new Virtual IP Address. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.136...
Page 137 Virt ual IP Addresses table. 5. To add more Virtual IP Addresses, click + + to the right of the Virt ual IP Addresses Virt ual IP Addresses branch, and proceed as above. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.137...
Page 138 LAN GRE T unnels . T his adds a new blank LAN GRE Tunnel entry to the table and opens it for editing. 3. Conﬁgure the LAN GRE Tunnel settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.138...
Page 139 5. To conﬁgure additional LAN GRE Tunnels, click + + to the right of the LAN GRE T unnels LAN GRE T unnels branch label, and proceed as above. T he next step is to conﬁgure the WAN links for the branch site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.139...
Page 140 2. Click + + to the right of the WAN Links WAN Links branch to add a new WAN link. T his opens the Add WAN Link Add WAN Link dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.140...
Page 141 T his displays the WAN Links WAN Links table, adds the new un-conﬁgured link to the table, and opens the Basic Set t ings Basic Set t ings conﬁguration form for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.141...
Page 142 - Avoid using burst speeds that surpass the Committed Rate. - For Internet WAN link paths, be sure to add the Public IP Address. 8. Click the grey Advanced Set t ings Advanced Set t ings section bar. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.142...
Page 143 Advanced Set t ings for the link. 10. Click the grey Eligibilit y Eligibilit y section bar. T his opens the Eligibilit y Eligibilit y settings form for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.143...
Page 144 14. Conﬁgure the metering settings for the link. Enter the following: - Dat a Cap (MB) Dat a Cap (MB) – Enter the data cap allocation for the link, in megabytes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.144...
Page 145 Access Int erf aces branch to add an interface. T his adds a blank entry to the table and opens it for editing. 18. Enter the Access Int erf aces Access Int erf aces settings for the link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.145...
Page 146 T his applies your settings and adds the new Access Interface entry to the Access Int erf aces Access Int erf aces table. You have now ﬁnished conﬁguring the new WAN link. Repeat these steps to add and conﬁgure additional WAN links for the https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.146...
Page 148 T his opens the Rout es Rout es table for editing and adds a blank route entry to the table. 3. Enter the route conﬁguration information and click Apply Apply . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.148...
Page 149 Opt imizat ion section in the Conﬁgurat ion Edit or Opt imizat ion Conﬁgurat ion Edit or, and save the modiﬁed conﬁguration. For instructions, proceed to Enabling and Conﬁguring WAN Optimization. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.149...
Page 150 T his enables High Availability for the site, and enables the ﬁrst level of ﬁelds for conﬁguring. A red asterisk ( * * ) indicates a required ﬁeld where you must enter a non-default value. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.150...
Page 151 HA IP Int erf aces. T his adds a new blank entry in the HA IP Int erf aces HA IP Int erf aces table, and enables the entry for editing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.151...
Page 152 7. Click + + to the left of the new HA IP Int erf aces HA IP Int erf aces entry. T his displays the Ext ernal T racking Ext ernal T racking table. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.152...
Page 153 T his adds a new blank entry to the table and opens it for editing. 9. Enter the External Tracker IP Address. Enter the IP Address of the external device that will respond to ARP requests regarding the state of the primary client https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.153...
Page 154 10. Click Apply Apply . T his adds the new High Availabilit y High Availabilit y conﬁguration settings to the branch site conﬁguration. . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.154...
Page 155 (trashcan icon). 2. Click the Clone Clone icon to the right of the branch site name in the tree. T his opens the Clone Sit e Clone Sit e conﬁguration page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.155...
Page 156 T he Clo ne Clo ne button remains unavailable until you have entered all of the required values, and the new site conﬁguration is error-free. 6. (Optional.) Save your changes to the conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.156...
Page 157 Repeat the steps up to this point for each branch site you want to add. After you have ﬁnished adding all of the sites, the next step is to check the conﬁguration for Audit Alerts, and make corrections or additions as needed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.157...
Page 158 Resolving all of the Audit Alerts (if any), completes the Sit es Sit es phase of the conﬁguration. T he next step is to save the completed Sit es Sit es conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.158...
Page 159 Save As (at the top of the Conﬁgurat ion Edit or Conﬁgurat ion Edit or middle pane). T his opens the Save As Save As dialog box,. 2. Enter the conﬁguration package name. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.159...
Page 160 T he next step is to conﬁgure the Virtual Paths and Virtual Path Service between the MCN and the client sites. Instructions are provided in the Conﬁguring the Virtual Path Service Between the MCN and Client Sites. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.160...
Page 161 Conﬁguring High Availability To conﬁgure HA: 1. Navigate to the SD-WAN web management interface at: Conﬁguration > Virtual WAN > Conﬁguration Editor > Sites (MCN) > DC. Click Enable High Availability. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.161...
Page 163 To monitor HA conﬁguration: Login to the SD-WAN web management interface for the Active and Standby MCN appliance's for which high-availability is implemented. View high-availaiblity status under the Dashboard tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.163...
Page 164 For Network Adapter details of Active and Standby HA appliances, navigate to Conﬁguration > Appliance Settings > Network Adapters > Ethernet tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.164...
Page 165 IP SLA monitoring can be conﬁgured at the router to disable PBR, if the next appliance is not reachable. T his allows the router to fall back to perform a route lookup and forward packets appropriately. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.165...
Page 166 WAN Links, both appliances must be connected to them. In more complex scenarios, where multiple routers might be using VRRP, non-routable VLANs are recommended to ensure the LAN side switch and routers are reachable at layer 2. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.166...
Page 167 It is recommended that Fail-to-Wire mode be used on ports that are auto ‐ negotiated, as this will increase failover time. T he following illustration shows an example of the Fail-to-Wire deployment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.167...
Page 168 HA protects against all failures. In all scenarios, HA is valuable to preserve the continuity of SD-WAN network during a system failure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.168...
Page 169 SD-WAN network. NetScaler SD-WAN Management Web Interface Installing the Virtual WAN Appliance Packages Preparing the Virtual WAN Appliance Packages Connecting the Client Appliances to Your Network Setting up the SD-WAN Appliances https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.169...
Page 170 - Click + (plus sign) next to a branch in the tree to reveal the available pages for that branch topic. - Click a page name to display that page in the page area. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.170...
Page 171 If the resize bar is not available for a page, you can click and drag the right edge of your browser to display the full page. Management Web Interf ace Navigation Tree Hierarchy https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.171...
Page 172 T he Dashboard page displays the following basic information for the appliance: System status Virtual Path service status Local appliance software package version information T he below ﬁgure shows a sample Master Control Node (MCN) appliance Dashboard display. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.172...
Page 174 Conﬁguration Editor operations. In addition, at the far right edge of the menu bar is the View Tutorial link button for initiating the Conﬁguration Editor tutorial. T he tutorial steps you https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.174...
Page 175 Interface running on both the MCN and on all client node appliances. Use this to upload, stage, and activate the appropriate Virtual WAN Appliance Package on a local appliance to be added to your Virtual WAN. You can also use this https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.175...
Page 176 T he Change Management wizard contains the following navigation elements: Page area – T his displays the forms, tables, and activity buttons for each page of the Change Management wizard. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.176...
Page 177 Activation step. Click Activate Staged to proceed directly to the Activation page and initiate activation of the currently staged conﬁguration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.177...
Page 178 At the bottom of this page, you will see a table listing the individual sites and appliances. At the far right of the table in the Download Package column, are links for the Active (if available) and Staged Appliance Packages. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.178...
Page 179 T his opens the NetScaler SD-WAN Management Web Interface Login screen on the client appliance. 8. Enter the Administrator user name and password and click Login. T he default Administrator user name is admin ; the default password is password . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.179...
Page 180 10. Open the System Maintenance branch in the navigation tree (left pane), and select Local Change Management. T his displays the Local Appliance Change Process Upload page for uploading an Appliance Package. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.180...
Page 181 T he upload process takes a few seconds to complete. When completed, a status message displays (left middle of page), stating Upload complete. 14. Click Next. T his uploads the speciﬁed software package, and displays the Local Change Management Activation page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.181...
Page 182 T his activates the newly-installed package and, if this is not an initial deployment, starts the Virtual WAN Service on the client appliance. T his process takes several seconds, during which a progress status message displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.182...
Page 183 Audit Alert icon, along with a status message indicating that the Virtual WAN Service is currently inactive or disabled. In this case, you must manually enable the service, as described in Enabling the Virtual WAN Service. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.183...
Page 184 T he below ﬁgure shows a sample client Dashboard page displaying the alert icon and status message. T he ﬁnal step to complete an initial SD-WAN deployment, is to enable the Virtual WAN Service. Instructions are provided in the section Enabling the Virtual WAN Service. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.184...
Page 185 Appliance Packages. To do this, you will use the Change Management wizard in the Management Web Interface on the MCN. Instructions are provided in the section Generating and Staging the SD-WAN Appliance Packages. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.185...
Page 186 To export the conﬁguration package to Change Management, do the following: 1. In the Conﬁguration Editor page, click Export (at the top of the page). T his opens the Export Conﬁguration dialog box. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.186...
Page 187 Instructions are provided in the next section. You are now ready to upload the SD-WAN software packages to the MCN Appliance, and prepare the Appliance Packages for distribution to the client nodes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.187...
Page 188 3. In the left pane, open the Virtual WAN section, and select Change Management. T his displays the ﬁrst page of the Change Management wizard, the Change Process Overview page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.188...
Page 189 4. Click Begin. T his displays the Change Preparation page for uploading and verifying the speciﬁed conﬁguration and software package(s). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.189...
Page 190 6. In the Conﬁguration ﬁeld drop-down menu, select the new conﬁguration package that you just exported to Change Management. 7. Click Next. T he selected conﬁguration is submitted for veriﬁcation, and the Veriﬁcation results page displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.190...
Page 191 8. Click OK. T his dismisses the Veriﬁcation page and proceeds to the License page. 9. Select I accept the End User License Agreement and click OK. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.191...
Page 192 - Generates an Appliance Package for each appliance model identiﬁed in the selected conﬁguration. - Adds the new Appliance Packages to the list of available packages in the Site-Appliance table. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.192...
Page 193 A goldenrod Transf er Progress status bar displays as the transfer proceeds. When the staging operation completes, the Site-Appliance table is populated with the newly-staged Appliance Packages information. 12. Click Next. T his proceeds to the Activation tab Activate page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.193...
Page 194 If this is not an initial conﬁguration, this activates the new conﬁguration and the appropriate Appliance Package on the MCN appliance. T he appropriate Appliance Package is then distributed to and automatically activated on each client in https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.194...
Page 195 T he next step is to copy the conﬁguration package to the Local Appliance Staging area, in preparation for staging and activating the conﬁguration package on the MCN. Do the following: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.195...
Page 196 T his copies the package to the local Appliance Staging area, and displays a progress status message. After a few seconds, the copy operation completes, and the Local Change Management Activation screen displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.196...
Page 197 T his displays a dialog box asking you to conﬁrm the activation operation. d. Click OK. T his initiates activation of the staged conﬁguration package. T his process takes several seconds, during which a progress status message displays. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.197...
Page 198 When the activation completes, a status message displays stating Activation complete, and the Done button is enabled. e. Click Done. T his proceeds to the Management Web Interface Dashboard page, where you can view the activation results. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.198...
Page 199 ﬁnal step, enabling the Virtual WAN Service. You have now completed the preparation of the SD-WAN Appliance Packages on the MCN. Proceed to Connecting the Client Appliances to Your Network. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.199...
Page 200 Connect one end of an Ethernet cable to a port conﬁgured for WAN on the SD-WAN Appliance, and the other end of the cable to the WAN router. T he next step is for the branch Site Administrators to install and activate the appropriate SD-WAN Appliance Package on their respective clients. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.200...
Page 201 For instructions on installing a SD-WAN Virtual Appliance (SD-WAN VPX), see the following sections: About SD-WAN VPX. Installing and Deploying a SD-WAN VPX-VW on ESXi. Differences Between a SD-WAN VPX-SE and SD-WAN WANOP VPX Installation. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.201...
Page 202 T he NetScaler SD-WAN 1000-SE Management Port is the bottom far right port labeled MGMT, on the back of the chassis. T he default IP Address for the Management Port is 192.168.100.1. T he below ﬁgure shows the location of the NetScaler SD-WAN 1000-SE Management Port. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.202...
Page 203 T he NetScaler SD-WAN 5100-SE Management Port is the bottom-left port labeled 0/1, on the front of the chassis. T he default IP Address for the Management Port is 192.168.100.1. T he below ﬁgure shows the location of the NetScaler SD-WAN 5100-SE Management Port. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.203...
Page 204 Conﬁguring the Management IP Address for the SD-WAN VPX-SE. Also see the section Setting the Management IP Addresses for the Appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.204...
Page 205 Conﬁguring the Management IP Address for the SD-WAN VPX-SE Differences Between a SD-WAN VPX-SE and SD-WAN WANOP VPX Installation. SD-WAN hardware appliance – See the section Setting the Management IP Address for a Hardware SD-WAN Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.205...
Page 206 5. On the PC, open a browser and enter the default IP Address for the appliance. Note It is recommended that you use Google Chrome browser when connecting to a SD-WAN Appliance. Enter the following IP Address in the address line of the browser: 192.168.100.1 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.206...
Page 207 It is strongly recommended that you change the default password as soon as possible. Be sure to record the password in a secure location, as password recovery might require a conﬁguration reset. After you have logged into the Management Web Interface, the Dashboard page displays, as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.207...
Page 208 - System Maintenance When you select the Conﬁguration tab, the Appliance Settings branch automatically opens, with the Administrator Interf ace page preselected by default, as shown in the below ﬁgure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.208...
Page 209 8. In the Appliance Settings branch of the navigation tree, select Network Adaptors. T his displays the Network Adaptors settings page with the IP Address tab preselected by default, as shown in the below ﬁgure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.209...
Page 210 12. Change the network interface settings on your PC back to the original settings. Note Changing the IP Address for your PC automatically closes the connection to the appliance, and terminates your login session on the Management Web Interface. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.210...
Page 211 After verifying the connection, do not log out of the Management Web Interface. You will be using it to complete the remaining tasks outlined in the subsequent sections. You have now set the Management IP Address of your SD-WAN Appliance, and can connect to the appliance from any location in your network. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.211...
Page 212 4. Under the System Maintenance branch, select Date/Time Settings. T his displays the Date/T ime Settings page, as shown below. 5. Select the time zone from the Time Zone ﬁeld drop-down menu at the bottom of the page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.212...
Page 213 If your console session times out or you log out of the Management Web Interface before saving your conﬁguration, any unsaved conﬁguration changes will be lost. You must then log back into the system, and repeat the conﬁguration procedure from the beginning. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.213...
Page 214 T his displays the Appliance Settings page, with the User Accounts tab preselected by default. 2. Select the Miscellaneous tab (far right corner). T his displays the Miscellaneous tab page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.214...
Page 215 T his resets the session Timeout interval, and displays a success message when the operation completes. After a brief interval (a few seconds), the session is terminated and you are automatically logged out of the Management Web Interface. T he Login page page appears. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.215...
Page 216 5. Enter the Administrator user name ( admin ) and password ( password ), and click Login. T he next step is to upload and install the SD-WAN software license ﬁle on the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.216...
Page 217 3. In the main menu bar, select the Conﬁguration tab. T his displays the Conﬁguration navigation tree in the left pane, and automatically opens the Appliance Settings branch in the tree. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.217...
Page 218 4. In the Appliance Settings branch, select Licensing. T his displays the Licensing page. 5. Click Choose File. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.218...
Page 219 If you have not already downloaded the NetScaler SD-WAN software packages to a PC connected to your network, please do so now. For information on acquiring and downloading the software packages, see Acquiring the SD-WAN Software Packages. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.219...
Page 220 Upon DHCP lease expiration, appliances might re-initiate DHCP discovery protocol, if current DHCP server is not reachable. Appliances will acquire new IP addresses with a delay of 8 minutes. T he gateway IP address is not modified in the GUI https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.220...
Page 221 CLI. It is updated after the reboot process is completed. Recommendation Always assign permanent lease for DHCP addresses assigned to SD-WAN appliances (physical/virtual). T his will allow appliances to have predictable management IP address. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.221...
Page 222 T he following topics provide information about how to conﬁgure Virtual path service between MCN and branch sites, and enabling WAN optimization. Conﬁguring Virtual WAN service Conﬁguring virtual path between MCN and branch sites Enabling and conﬁguring WAN optimization https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.222...
Page 223 If the Virtual WAN Service is currently disabled, this displays the Enable Virtual WAN Service page, as shown below. If the service is already enabled, this displays the Enable/Disable/Purge Flows page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.223...
Page 224 T his page also presents options for enabling/disabling speciﬁc paths and Virtual Paths in your network, as well as an option to purge all ﬂows. T his completes the installation and activation of the SD-WAN on the MCN and branch site client appliances. You can now https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.224...
Page 226 3. Click + next to the Virtual Paths branch label. T his opens the Virtual Paths conﬁguration section (child branch) for the MCN site branch in the tree. T his section https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.226...
Page 227 Def ault Sets, and also customize the conﬁguration for a speciﬁc site and Virtual Path. Note To add more static Virtual Paths for a site, you must do so manually. Instructions for manually adding a static Virtual Path are included in the steps below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.227...
Page 228 Paths child branch label. If the + icon is not present, click the Paths label directly. T his reveals the Add (+) button for adding a Virtual Path. T he Add icon is located to the right of the Paths branch label. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.228...
Page 229 Specify the following from the available drop-down menus: Note Depending on how the WAN links are conﬁgured for the sites, some ﬁelds will be read-only. Fields that are conﬁgurable provide a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.229...
Page 230 9. Click Edit (pencil icon), to the right of the MCN-to-client Virtual Path label. T his opens the Virtual Path Service conﬁguration form for editing. 10. Conﬁgure the settings for the Virtual Path, or accept the defaults. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.230...
Page 231 - Tracking IP Address – Enter a Virtual IP Address on the Virtual Path that can be pinged to determine the state of the path. - Reverse Tracking IP Address – If Reverse Also is enabled for the Virtual Path, enter a Virtual IP Address on the path https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.231...
Page 232 15. Drill down to the Paths settings conﬁguration form for any client site Virtual Path you want to conﬁgure. To navigate to the Paths settings form for the client site, do the following: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.232...
Page 233 Follow the same steps as you did to conﬁgure the Virtual Paths for the MCN site. 17. ( Optional) Click the minus sign (– ) to the left of the client site branch label. T his closes the conﬁgured client site branch in the tree. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.233...
Page 234 Preparing the SD-WAN Appliance Packages on the MCN. SD-WAN Edition – T his Edition does not include the WAN Optimization features. You can now proceed directly to Preparing the SD-WAN Appliance Packages on the MCN. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.234...
Page 235 - Def aults – T he Def aults branch contains the following child branches, which in turn contain one or more forms for conﬁguring their respective sets and settings: * Def aults Features * Def aults Tuning Settings * Def aults Application Classiﬁers (set) * Def aults Service Classes (set) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.235...
Page 236 In this example, the branch site BR-01_K is included, because the site is conﬁgured for a CB 1000-VW appliance. T he following section provides instructions for enabling WAN Optimization for your Virtual WAN, and conﬁguring the Def aults sets and settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.236...
Page 237 Def aults Application Classiﬁers (set) Def aults Service Classes (set) T he following sections provide instructions for enabling WAN Optimization and conﬁguring each of these Def aults sets and settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.237...
Page 238 T his loads the selected package into the Conﬁguration Editor and opens it for editing. If you have a valid and current license that includes WAN Optimization features, the Optimization section will be available in the Conﬁguration Editor. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.238...
Page 239 T he Optimization section tree contains a branch for the Def aults settings, and a branch for each eligible client node (branch site) in the current conﬁguration. Optimization is supported for 1000-EE and 2000-EE clients, only. Consequently, https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.239...
Page 240 Select the checkbox to select WAN Optimization for enabling. T his also opens the other options in the form for editing, and reveals the Apply and Revert buttons. Note https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.240...
Page 241 However, you can customize the Optimization conﬁguration for a speciﬁc branch, as outlined in the section, Conﬁguring Optimization for a Branch Site. T he Features conﬁguration form contains two sections: - WAN Optimization Features https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.241...
Page 242 SMB3. 9. Click Apply. T his enables and adds the selected Def ault Features to the conﬁguration package. T he next step is to conﬁgure the Optimization default Tuning Settings. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.242...
Page 243 - Def ault MSS – Enter the default size (in octets) for the MSS for TCP segments. - Enable Connection Timeout – Select this to enable automatic termination of a connection when the idle https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.243...
Page 244 4. Click Apply. T his applies the modiﬁed Tuning Settings to the Def aults conﬁguration. T he next step is to conﬁgure the default set of WAN Optimization Application Classiﬁers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.244...
Page 245 Continuing in the Def aults branch of the Optimization section of the Conﬁguration Editor, click + next to the Application Classiﬁers branch. T his opens the Application Classiﬁers table, displaying the default set of Application Classiﬁers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.245...
Page 246 2. To conﬁgure an existing Application Classiﬁer, click Edit (pencil icon), in the Edit column of that classiﬁer entry. T his opens a pop-up Edit settings form for conﬁguring the selected Application Classiﬁer. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.246...
Page 247 Click the trashcan icon in the Delete column of an Application Classiﬁer entry to remove that entry from the table. - To add an Application Classiﬁer to the set: a. Click + to the right of the Application Classiﬁer branch label. T his displays the Add conﬁguration form. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.247...
Page 248 T his adds the new Application Classiﬁer to the set, and dismisses the Add conﬁguration form. T he next step is to conﬁgure the default set of WAN Optimization Service Classes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.248...
Page 249 T he modiﬁed default Service Classes set and individual Service Class settings you conﬁgure are automatically applied as the defaults to any branch site included in the Optimization section tree. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.249...
Page 250 FT P control channel. * memory – Select this policy to specify memory as the location for storing the trafﬁc history used for https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.250...
Page 251 AppFlow interface works with any AppFlow collector to generate reports. T he collector receives detailed information from the appliance, using the AppFlow open standard (http://www.appﬂow.org). For more information on AppFlow, please see the Citrix CloudBridge 7.4 Product documentation available on the citrix documentation portal http://docs.citrix.com/.
Page 252 Enter the Source IP Address in the Source IP Address ﬁeld. f. Click + to the right of the Source IP Address you just entered. T his adds the speciﬁed IP Address to the Source IP Address table. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.252...
Page 253 Click the trashcan icon in the Delete column of a Service Class entry in the table to remove that entry. - To add an Service Class to the set: a. Click + to the right of the Service Class branch label. T his displays the Add conﬁguration form. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.253...
Page 254 Naming, Saving, and Backing Up the MCN Site Conﬁguration. You have now completed the Def aults section conﬁguration, and can begin conﬁguring the Optimization sets and settings for the branch sites. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.254...
Page 255 3. Click + to the left of the branch label for the Optimization settings you want to conﬁgure. For example, click + next to the Features branch label to open that conﬁguration category. Opening a category displays the Override Def aults option for that category. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.255...
Page 256 From this point on, the conﬁguration process for each branch site Optimization category is the same as for the corresponding Def aults section category. For instructions on conﬁguring a particular category of sets or settings, see the appropriate section listed below: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.256...
Page 257 You have now completed conﬁguring the Optimization section sets and settings for your Virtual WAN. T he next step is to prepare the Virtual WAN Appliance Packages for distribution to the client nodes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.257...
Page 258 OS Partition Version – T his is the version of the OS partition currently active on the appliance. T he below ﬁgure shows a sample Dashboard page for the MCN, and MCN Appliance information. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.258...
Page 260 3. Open the Show drop-down menu next to the Show ﬁeld. In addition to the Paths statistics, the Show menu also offers several additional options for ﬁltering and viewing statistical information. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.260...
Page 262 T his determines the number of entries to display in the Flows table. T he options are: 50, 100, 1000. 5. (Optional) Enter search text in the Filter ﬁeld. T his ﬁlters the table results so that only entries containing the search text display in the table. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.262...
Page 263 If so, a horizontal scroll bar displays beneath the table. Slide the scroll bar to the right to view the truncated section of the table and reveal the Toggle Columns button. If the scroll bar is not available, try resizing the width of your browser window until the scroll bar is revealed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.263...
Page 264 Click a checkbox to select or deselect a column. c. Click Apply (above the top right corner of the table). T his dismisses the selection options, and refreshes the table to include only the selected columns. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.264...
Page 265 T he report types are listed as branches in the navigation tree, just below the Flows branch. T he available report types are as follows: - Perf ormance Reports - QoS Reports - Usage Reports - Availability Reports - Appliance Reports 3. Select the report options. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.265...
Page 266 In addition to the various types of reports, for each report type there are numerous options and ﬁlters for reﬁning report results. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.266...
Page 267 Click a feature name in the table below to view the list of how-to articles for that feature. Virtual Routing and Forwarding Enabling RED for QoS Fairness Deployment Dynamic Routing DHCP Client and Server Management Route Filters IPsec T ermination and Monitoring Secure Web Gateway Configuration https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.267...
Page 268 For a Public Internet link, only one primary and secondary access interfaces can be created. For a Private Intranet/MPLS link, one primary and secondary access interface can be created per routing domain. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.268...
Page 269 4. Click the Def ault checkbox to make that Routing Domain the default for the Site. Click Apply to save the changes. Note Unchecking Enable for a Routing Domain will make it unavailable for use at the Site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.269...
Page 271 For detailed instructions, see conﬁguring routes. 3. After you conﬁgure routes, validate the route tables for the conﬁgured routing domain by navigating to Conﬁguration → Virtual WAN → View → Routes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.271...
Page 272 1. In the Conﬁguration Editor, navigate to Connections → [Site Name] → Intranet Services → [Intranet Service Name] → Basic Settings click the Edit () icon. 2. Choose a Routing Domain from the drop-down menu. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.272...
Page 273 Virtual Interfaces. For detailed instructions, see conﬁguring interface groups. Note After Virtual Interfaces are associated with a speciﬁc Routing Domain, only those interfaces will be available when using that Routing Domain. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.273...
Page 274 2. Choose a Routing Domain from the dropdown menu when conﬁguring Virtual IP Addresses. For detailed instructions, see conﬁguring Virtual IP addresses. T he Routing Domain you choose determines which Virtual Interfaces are available from the drop-down menu. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.274...
Page 275 2. Click the Identity checkbox for a Virtual IP Address to use it for IP services. For example; Identity is used as the Source IP Address to communicate with BGP neighbors. For more information, click the help icon in the GUI. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.275...
Page 276 SD-WAN appliance deactivates the GRE Tunnel. Refer to the conﬁguring GRE tunnels on the MCN site for more information. For more information about securing web gateway using GRE tunnels, see; Secure Web Gateway https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.276...
Page 277 1. In the Conﬁguration Editor, navigate to Sites → [Client Site Name] → WAN Links → [WAN Link Name] → Access Interf aces. 2. Choose a Routing Domain from the drop-down menu when conﬁguring an Access Interface. For detailed instructions, see conﬁguring WAN links and Access Interfaces. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.277...
Page 278 For more information about creating rules, see How to Create Rules. T he SD-WAN system provides 17 classes (0-16). Classes 0-3 are predeﬁned for Citrix HDX QoS prioritization. To use this feature, enable the following options: WAN Opt imizat ion, available under Opt imizat ion WAN Opt imizat ion Opt imizat ion >...
Page 279 * Sust ained Share % Sust ained Share % : T he maximum share of virtual-path bandwidth after the initial period. Interactive classes use the remaining bandwidth after the real-time trafﬁc has been serviced. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.279...
Page 280 Bulk trafﬁc is serviced after real-time and interactive trafﬁc are serviced. Typically, a bulk class gets a lower sustained share % than an interactive class. 8. Click Apply Apply . Note Save the conﬁguration, export it to the change management inbox, and initiate the change management process. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.280...
Page 281 1. In the Conﬁguration Editor, navigate to Global Global > Applicat ions Applicat ions . T he default list of applications appears. 2. Click the add (+) icon. 3. Enter the application name. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.281...
Page 282 Es tim a te MOS . Note Enable the Track Performance option under Rules to estimate MOS for applications and display it in SD-WAN Center. For more information about rules, see How to Create Rules. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.282...
Page 283 DSCP : T he DSCP DSCP tag in the IP header to match against the trafﬁc. * VLAN VLAN : T he VLAN ID VLAN ID to match against the trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.283...
Page 284 9. Click the LAN t o WAN LAN t o WAN tile, to conﬁgure LAN to WAN behavior for this rule. * Class Class : Select a class with which to associate this rule. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.284...
Page 285 Large Packet s section of the screen. * Drop Limit Drop Limit : Length of time after which packets waiting in the class scheduler are dropped. Not applicable for a bulk class. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.285...
Page 286 Enable Packet s Resequencing: Sequences the packets into the correct order at the destination. * Hold T ime Hold T ime : T ime interval for which the packets are held for resequencing, after which the packets are sent to the https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.286...
Page 287 FT P data transfer and automatically apply the rule settings to the detected port. 12. Click Apply Apply . Note Save the conﬁguration, export it to the change management inbox, and initiate the change management process. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.287...
Page 288 Deploying SD-WAN in PBR mode (Virtual Inline Mode) Dynamic Paths for Branch to Branch Communication Static WAN Paths Building an SD-WAN Network Routing for LAN Segementation Utilizing Enterprise Edition Appliance to Provide WAN Optimization Services Only https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.288...
Page 289 An SD-WAN deployed in Gateway mode acts as a Layer 3 device and cannot perform fail-to-wire. All interfaces involved will be conﬁgured for “Fail-to-block”. In the event of appliance failure, the default gateway for the site will also fail, causing an outage until the appliance and default gateway are restored. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.289...
Page 290 Internet – 20 Mbps Internet – 2 Mbps Network IP Address - 192.168.31.0/24 Route Service Type - Local If any Gateway IP Address - 192.168.30.2 VLANs If any If any https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.290...
Page 291 Conf igurat ion Edit or - > Sit es Sit es , and click the "+ " Add + " Add button. 2. Populate the fields as shown below. 3. Keep default settings unless instructed to change. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.291...
Page 292 To populat e WAN links based on physical rat e and not on burst speeds using Int ernet link 1. Navigate to WAN Links WAN Links , click the “+ ” “+ ” button to add a WAN Link for the Internet link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.292...
Page 293 Access Int erf aces , click the “+ ” “+ ” button to add interface detail specific for the MPLS link. 4. Populate Access Interface for IP and gateway addresses as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.293...
Page 294 Conf igurat ion Edit or - > Sit es Sit es , and click the "+ " Add + " Add button. 2. Populate the fields as shown below. 3. Keep default settings unless instructed to change. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.294...
Page 295 3. Refer to the sample “Remote Site Inline Mode” topology above and populate the Interface Groups fields as shown below. 1. Create a Virtual IP address on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.295...
Page 296 3. Navigate to Access Interfaces, click the “+ ” “+ ” button to add interface details specific for the MPLS link. 4. Populate Access Interface for IP address and gateway as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.296...
Page 297 By default, the system will generate paths for WAN Links deﬁned as access type Public Internet. You would be required to use the auto-path group function or enable paths manually for WAN Links with an access type of Private Internet. Paths https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.297...
Page 298 MPLS links can be enabled by clicking on the Add operator (in the green rectangle). After completing all the above steps, proceed to Preparing the SD-WAN Appliance Packages on the MCN topic. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.298...
Page 299 - Local and Remote WAN links and their bandwidths in both directions, their subnets, Virtual IP Addresses and Gateways from each link, Routes, and VLANs. Deployment T able (example diagram shown below) Data Center Topology – PBR mode (Virtual Inline Mode) Branch Topology – Inline Mode https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.299...
Page 300 10.10.12.0/24, 10.10.13.0/24, etc) through any of the physical interfaces: No additional routes Route 0/1/0.1 – 192.168.1.1 on VLAN 10 were added 0/1/0.2 – 192.168.2.1 on VLAN 20 192.168.1.10/24 – MPLS (VLAN10) VLANs If any 192.168.2.10/24 – Internet (VLAN20) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.300...
Page 301 5. Populate Routes if there are additional subnets in the LAN infrastructure. 1. Navigate to Configuration Editor - > Sites, and click the "+" Add button. 2. Populate the fields as shown below. 3. Keep default settings unless instructed to change. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.301...
Page 302 1. Create a Virt ual IP Address Virt ual IP Address on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.302...
Page 303 Access Int erf aces , click the “+” button to add interface detail specific for the MPLS link. 4. Populate Access Interface for MPLS Virtual IP and gateway addresses as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.303...
Page 304 On the Data center site, add a route on the SD-WAN SEE appliance to reach the LAN Subnets (10.10.11.0/24, 10.10.12.0/24, 10.10.13.0/24, etc) through any of the physical interfaces: 0/1/0.1 – 192.168.1.1 on VLAN 10 0/1/0.2 – 192.168.2.1 on VLAN 20 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.304...
Page 306 Virtual Interface “MPLS” configured con Bridge Pair 1/1 and 1/2. 4. Refer to the sample “Remote Site Inline Mode” topology above and populate the Interface Groups ﬁelds as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.306...
Page 307 1. Create a Virtual IP address on the appropriate subnet for each WAN Link. VIPs are used for communication between two SD-WAN appliances in the Virtual WAN environment. To populate WAN links based on physical rate and not on burst speeds using Internet link https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.307...
Page 308 Access Int erf aces , click the “+ + ” button to add interface details specific for the MPLS link. 4. Populate Access Interface for Virtual IP address and gateway as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.308...
Page 309 After completing conﬁguration for DC and Branch sites, you will be alerted to resolve audit error on both DC and BR sites. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.309...
Page 311 Creat e an Aut opat h Group Creat e an Aut opat h Group 1. Click on the [+] sign next to Autopath Groups. 2. Configure the Autopath Group created as per requirement and click Apply. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.311...
Page 312 No two Autopath Groups can be marked as default. If marked would lead to an Audit Error. After mapping the Autopath Group to the Virtual Paths of Intranet WAN, the paths should be automatically https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.312...
Page 313 1. Select the Virtual Paths under WAN Links for respective sites and no Autopath Group would be mapped. 2. Click the [+] sign next to Paths to add Virtual Paths manually. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.313...
Page 314 3. Select the Virtual Paths WAN Links for each site. After manually adding the virtual paths for WAN links with access type Private Intranet, it gets populated under Paths (highlighted). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.314...
Page 315 After completing all the above steps, proceed to Preparing the SD-WAN Appliance Packages on the MCN topic. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.315...
Page 316 • Default route (0.0.0.0/0) deﬁned. Used for pass-through trafﬁc not captured by the SD-WAN overlay route table, or utilized at the MCN to instruct clients sites to forward all trafﬁc back to MCN node for back-haul of internet trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.316...
Page 317 Branch t o Branch Communicat ion Using Dynamic Pat hs SD-WAN Net work wit h Dynamic Pat h SD-WAN Net work wit h Dynamic Pat h Dynamic virtual paths are used for large scale deployments, such as Enterprises https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.317...
Page 318 Virt ual Pat h → Dynamic Virt ual Pat h Dynamic Virt ual Pat h. a) Enable Dynamic Virt ual Pat hs Dynamic Virt ual Pat hs . b) Set the maximum number of dynamic paths. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.318...
Page 319 Configuration determines when a Dynamic Virtual Path is active or down. Configure sample packet count (pps) or bandwidth (kbps) within a timeframe. Can be set Globally or with WAN Link configured at the Intermediate Node. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.319...
Page 320 MCN. Once this option is enabled, branch SD-WAN nodes become aware of other branch subnets and all the trafﬁc destined to other branches is forwarded to MCN. MCN routes it to the correct destination. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.320...
Page 321 T he conﬁguration of the VLAN-to-VLAN associations is achieved through the MCN’s Conﬁguration Editor in the SD-WAN management web interface. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.321...
Page 322 CE (Customer Edge) Router -> PBR Router -> SD-WAN -> PBR Router -> LAN CE (Customer Edge) Router -> PBR Router - > WAN OPT - > PBR Router- > LAN https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.322...
Page 323 Int ranet Services . Click the [+ ] [+ ] sign to add an Intranet Service. b) Select the WAN Link(s) WAN Link(s) for Intranet Service, and then click Apply Apply . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.323...
Page 324 T he PBR router needs to be conﬁgured to redirect trafﬁc as per the deployment steps provided. For more information about conﬁguring WAN Optimization, refer to the CloudBridge 9.1 documentation at: Enabling- conﬁguring-wan-optimization https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.324...
Page 325 Apply to enable OSPF. T he routes advertise or redistribute the SD-WAN virtual path routes to peer routes with whom adjacency or peering is established so that the peer routes are aware of being able to reach those network preﬁxes https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.325...
Page 326 11. In the Hello Int erval Hello Int erval ﬁeld, enter the amount of time to wait between sending Hello protocol packets to directly connected neighbors (10 seconds is the default). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.326...
Page 327 SD-WAN virtual path routes to peer routes with whom adjacency or peering is established so that the peer routes are aware of being able to reach those network prefixes through the SD-WAN network. 3. Click Apply Apply to enable BGP. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.327...
Page 328 Pa s s w o rd ﬁeld, enter a password for MD5 authentication of BGP sessions (authentication is not required). Pa s s w o rd Note Conﬁguring Route Reﬂectors and Confederations for iBGP is not supported in a NetScaler SD-WAN network. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.328...
Page 329 You can select importing and exporting eBGP learned routes on peer devices. Also, SD-WAN static, virtual path learned routes can be conﬁgured to advertise to eBGP peers. For more information, refer to the following use cases: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.329...
Page 330 Implementing OSPF in one-arm topology OSPF T ype5 to T ype1 deployment in MPLS Network SD-WAN and non SD-WAN (third-party) appliance OSPF deployment Implementing OSPF using SD-WAN network with high-availaiblity setup https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.330...
Page 331 SD-WAN appliance becomes active, the neighbor router selects SD-WAN routes and automatically begins forwarding trafﬁc through SD-WAN network. Additional PBR or WCCP conﬁguration is not required any longer. P rerequisit es: P rerequisit es: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.331...
Page 332 OSPF Type5 to Type1 Deployment in MPLS Network T he following deployment mode is provided to avoid loop formation in an MPLS network conﬁgured using SD-WAN appliances. T he illustration below describes the standard MPLS network implementation. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.332...
Page 333 If the IPHOST routes advertised by BR1 SD-WAN appliance are installed by the MCN router ME-DC_Router and not added as static routes as mentioned above, there is a possibility of loop formation if the OSPF participating interface (172.58.6.x) between ME-BR1_Router and ME-DC_Router goes down. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.333...
Page 334 To conﬁgure OSP F export ed rout e weight under Basic OSP F Set t ings To conﬁgure OSP F export ed rout e weight under Basic OSP F Set t ings https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.334...
Page 335 Site A, then using virtual path between DC to Branch sites to get to the Branch. If that fails, it will use MPLS2 to get to Branch site. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.335...
Page 336 4. At step 10, Virtual WAN paths go down between DC and BR1 appliance and traffic should flow normally as before the SD-WAN network was configured. Trafﬁc ﬂow can be observed in the SD-WAN GUI under Monit oring Monit oring->F lows F lows . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.336...
Page 337 14. Verify that the hit count increases for OSPF routes with low cost under view Monit or- Monit or->St at ist ics St at ist ics ->Rout es Rout es . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.337...
Page 338 Route filtering between OSPF and BGP during redistribution is not supported. Either all (or) none of the routes learned from OSPF are advertised to BGP peers and vice-versa. Route aggregation is not supported. Only a Max of 16 BGP peers (including iBGP and eBGP) can be configured. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.338...
Page 339 Provides underlay route learning to communicate with remote site local subnets when the virtual path is down between two sites while the Virtual WAN appliance is still up and running. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.339...
Page 340 Va lue (s ) Va lue (s ) T he Order in which ﬁlters are prioritized. T he ﬁrst ﬁlter that a route matches to will be Order applied to that route. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.340...
Page 341 None Include ignored. None Enabled Click the checkbox to Enable this ﬁlter. Otherwise the ﬁlter is ignored None Clone Click the Clone icon to make copy of an existing Filter. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.341...
Page 342 WAN side of a NetScaler SD-WAN appliance. You can secure site-to-site IPsec Tunnels terminating on an SD-WAN appliance by using a 14 0 -2 Level 1 FIPS certiﬁed IPsec cryptographic binary. SD-WAN also supports resilient IPsec tunneling using a differentiated virtual path tunneling mechanism. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.342...
Page 343 4. Apply the created Virtual Path Default Set to the MCN node. T his automatically applies the same default set to all Client nodes that have Virtual Path to the MCN. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.343...
Page 345 Choose a service type from the drop-down menu. Type If the service type is Intranet, choose from the list of conﬁgured T ext string intranet services in the drop-down menu. If the service type is LAN, Name https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.345...
Page 346 AES 256-bit Life tim e (s ) : Enter the preferred duration, in seconds, for an IKE Life tim e (s ) 3600 seconds (default) security association to exist. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.346...
Page 347 Inte grity Algo rithm : Choose an algorithm as the hashing Inte grity Algo rithm algorithm to use for HMAC veriﬁcation from the drop-down menu. SHA-256 IPsec and IPsec Protected Network Settings https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.347...
Page 348 De s tina tio n IP/Pre ﬁ x : Enter the Destination IP and Preﬁx of the network De s tina tio n IP/Pre ﬁ x IP address trafﬁc the IPsec Tunnel will protect. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.348...
Page 350 Oct 0 4 , 20 16 To implement certiﬁcates for IKE negotiation: 1. Navigate to Sit es Sit es → Cert iﬁcat es Cert iﬁcat es and add any necessary certiﬁcates. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.350...
Page 351 3. Select IPsec Tunnels from the drop-down menu to view the IPsec Tunnel conﬁguration. 4. Each virtual path will show its own IPsec tunnel status as shown below. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.351...
Page 353 2. Create Email and Syslog alerts for IPsec tunnel state reporting. * Supports IPSEC_T UNNEL as one of the Event types which allows you to conﬁgure Email and Syslog Severity Filters. How To Monitor IPSec Tunnel Events https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.353...
Page 354 1. Navigate to Conﬁguration → System Maintenance → Diagnostics → Events. 2. Add events based on the “IPSEC_TUNNEL” object type. Create ﬁlters for all IPsec related events. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.354...
Page 355 3. Enter the IP Address and Subnet of the new Network Object. 4. Click Apply to save the settings. To edit the Network Object’s name, double-click on the name of the Network Object and enter a new name. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.355...
Page 356 2 Navigate to Conﬁguration→ Appliance Settings → Network Adapters → Ethernet tab. T he ports that are administratively down are indicated by a red asterisk (*) in the Ethernet Interf ace Settings list. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.356...
Page 358 1. Navigate to Conﬁguration→ Appliance Settings → Net Flow→ Netﬂow Host Settings page. Click the Enable Netﬂow checkbox, and enter the IP Address, and Port numbers for up to three Net ﬂow Hosts, then click Apply Settings to save the changes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.358...
Page 359 2. Save the newly imported conﬁguration and then make further conﬁguration changes. Navigate to the DC_vWAN > WAN Links > DC_INET > Settings node and notice that the WAN Links settings have a new option called Metered Links. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.359...
Page 360 WAN link. Let’s set some low values so that we can more easily trigger these settings. Set the Data Cap to 1 MB, Cycle to Monthly and start date 03/01/2016, then click Apply. 5. Save and Export the new conﬁguration to the Change Management Inbox. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.360...
Page 362 T he top banner appears on every page alerting when threshold is reached at 50, 75, 90 and 100% usage (always updating with the latest). T he WAN Link Metering Report on the Usage Reports page provides mode granular detail of usage. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.362...
Page 363 3. Navigate to Monitoring → Statistics. Click Show → WAN Link to view WAN Links and results ﬁltered by the Routing Domain. 4. Navigate to Conﬁguration → Virtual WAN → View Conﬁguration. Notice that wherever conﬁguration information for the following attributes is displayed, the Routing Domain is also displayed: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.363...
Page 364 A Path that has at least one Standby WAN Link as an endpoint is considered a backup Path. All functions for Paths are supported regardless of whether or not a Path is conﬁgured as a backup Path. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.364...
Page 365 1. In the Conﬁguration Editor, choose Client from the DHCP drop-down menu under [Site Name] → Interf ace Groups → Virtual Interf aces. Note T he physical interface in the interface group should be a non-bridged pair on a single interface. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.365...
Page 366 3. Click the Autodetect Public IP checkbox to enable the MCN to detect the Public IP Address used by the Client. T his is required when DHCP Client mode is conﬁgured for the WAN Link. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.366...
Page 367 Domain Name, and deﬁne the IP Address range by entering a Start IP Address and an End IP Address. Note T he server IP address pool should be within the management network. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.367...
Page 368 If you plan to use DHCP Relay service on an appliance conﬁgured for High Availability (HA), do not conﬁgure the service on both the Active and Standby appliances. Doing so will lead to duplicate IP addresses on the deﬁned management network. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.368...
Page 369 2. You can request to renew the IP, which refreshes the lease time. You can also choose to Release Renew, which will issue a new IP address with a new lease. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.369...
Page 370 Random Early Detection (RED) prevents trafﬁc queues from ﬁlling up and causing tail-drop actions. It prevents needless queuing by the virtual path scheduler, without affecting the throughput that a TCP connection can achieve. How To Use RED https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.370...
Page 371 → Rules → Select Rule, for example; (VOIP). 2. Expand the LAN to WAN pane. Under LAN to WAN section, click the Enable RED checkbox to enable it for TCP based rules. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.371...
Page 373 Allows MPLS providers to identify trafﬁc based on DSCP markings so that class of service can be applied by the provider. Note If you have existing MPLS conﬁgurations and would like to implement the Private MPLS Access Type, please contact Citrix Support for assistance.
Page 374 2. Under the Basic Settings, there is now a new MPLS Queues tab. Click + Add to add speciﬁc MPLS Queues. T hese should correspond with the queues deﬁned by the Service Provider. Field Description MPLS Queue Name T he MPLS queue name https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.374...
Page 375 MPLS WAN Link. You may choose to set the individual MPLS Queues to Inherit the chosen Autopath Group or choose an alternate from the Autopath Group drop- down menu for each MPLS Queue. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.375...
Page 376 T he Autopath Group deﬁned is the same for the MCN and Client appliance. T his allows the system to build the Paths automatically. At the MCN site you can also expand the WAN Link associated with the virtual path. View Permitted Rate and Congestion f or WAN Links https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.376...
Page 377 Go to Monitor > Statistics, and select WAN Link from the Show drop-down menu. Monitor MPLS Queues Go to Monitor > Statistics, and select MPLS Queues from the Show drop-down menu. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.377...
Page 378 T he ideal solution to enforce security without adding cost, complexity, or latency is to route all branch Internet trafﬁc from the Citrix NetScaler SD-WAN appliance to the Zscaler Cloud Security Platform. With the addition of Zscaler to your SD-WAN network, you can create granular security policies for users using a central Zscaler console, and the policies are applied consistently whether the user is at the data center site or branch site.
Page 379 (Primary and Secondary) to transmit traffic to. GRE keep alive messages can be used to determine the health of the tunnels. Conﬁguring GRE Events in SD-WAN Web Interf ace To conﬁgure internet service: 1. Navigate to Connections - Internet Services. Conﬁgure internet service. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.379...
Page 380 T he ZEN IP address (Tunnel destination IP, 199.168.148.131 shown below) must be conﬁgured with Service-Type Internet. T his is required so that trafﬁc destined towards Zscaler is accounted from the Internet service. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.380...
Page 381 GRE keep alive messages are supported. A new field called Public Source IP that provides the NAT address of the GRE Source address is added to the NetScaler SD-WAN GUI interface (in the case when SD-WAN appliance T unnel Source is NAT ted by an intermediate device). https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.381...
Page 382 You must download the following SNMP ﬁles before you can start monitoring a NetScaler SD-WAN appliance: CIT RIX-COMMON-MIB.txt APPACCELERAT ION-SMI.txt APPACCELERAT ION-PRODUCT S-MIB.txt APPACCELERAT ION-T C.txt APPACCELERAT ION-ST AT US-MIB.txt https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.382...
Page 383 Support for the Q-BRIDGE-MIB and the IP-MIB provides support for the network mapping application in SolarWinds. References For additional information about adding SNMP manager, configuring SNMP View/Alarm, and adding SNMP server, see the CloudBridge 7.4 documentation at: http://docs.citrix.com/content/dam/docs/en-us/cloudbridge/7-3/downloads/en.cloudbridge.cb-wrapper-73-con.pdf https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.383...
Page 384 SD-WAN Standard Edition 4000 and 5100 SD-WAN Enterprise Edition 1000 and 2000 SD-WAN VPX Models T he Citrix compliance regulatory models for NetScaler SD-WAN appliances are: SD-WAN 400, 800, 1000 - CB 504-2 SD-WAN 410- 512-2 SD-WAN 2000 (all editions): NS 6xCu ...
Page 385 Note: T his section applies to the following appliances: NetScaler SD-WAN WANOP 400, 800, 1000, 2000, and 3000, 4000, 5000, 1000 WS, 2000 WS, VPX 2, 6, 10, 20, 50, 100, 200, https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.385...
Page 386 On each power supply, a bicolor LED indicator shows the condition of the power supply. T he LEDs of the AC power supplies for each appliance are different from the LEDs of the other appliances. Table 2. LED Power Supply Indicators https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.386...
Page 387 No power to any power supply. Flashing RED No power to this power supply. Flashing BLUE Power supply is in standby mode. BLUE Power supply is functional. Power supply failure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.387...
Page 388 Ports are used to connect the appliance to external devices. Citrix NetScaler SD-WAN appliances support RS232 serial ports, 10/100/1000Base-T copper Ethernet ports, ﬁber 1G SFP ports and 10-gigabit ﬁber SFP+ ports. All Citrix NetScaler SD- WAN appliances have a combination of some or all of these ports. For details on the type and number of ports available on your appliance, see the section describing that platform.
Page 389 Nov 30 , 20 16 Citrix NetScaler SD-WAN ﬁeld replaceable units (FRU) are SD-WAN components that can be quickly and easily removed from the appliance and replaced by the user or a technician at the user's site. T he FRUs in a SD-WAN appliance can include an AC power supply and a solid-state drive.
Page 390 Make sure that the appliance has a direct physical connection to earth ground during normal use. When installing or repairing an appliance, always connect the ground circuit first and disconnect it last. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.390...
Page 391 Figure 1. Removing the Existing AC Power Supply 2. Carefully remove the new power supply from its box. 3. On the back of the appliance, align the power supply with the power supply slot. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.391...
Page 392 Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the power supplies and connect them to separate wall sockets. Note: SD-WAN 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.392...
Page 393 To silence the alarm, press the small red button on the back panel of the appliance. T he disable alarm button is functional only when the appliance has two power supplies. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.393...
Page 394 Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted horizontally or at the right if the drive is inserted vertically.
Page 395 T o seat the drive, close the handle flush with the rear of the appliance so that the hard drive locks securely into the slot. Important: When you insert the drive, make sure that the Citrix product label is at the top.
Page 396 Sd-WAN 3000 Series. A full-sized 1U appliance suitable for the largest branch offices and medium-sized datacenters, the 3000 Series has three accelerated bridges and supports WAN speed of 50-155 Mbps. T he Citrix Compliance Regulatory Models are as follows: SD-WAN 400 WANOP: CB 504-2...
Page 397 Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 400 and 800 platforms each have a dual-core processor and 8GB of memory. T hese platforms have a bandwidth of up to 6 Mbps and up to 10 Mbps, respectively.
Page 398 Figure 2. Citrix NetScaler SD-WAN 400/800 appliance, back panel T he following components are visible on the back panel of a SD-WAN 400/800 appliance: Cooling fan Single power supply, rated at 200 watts, 110-240 volts Accelerated pairs of Ethernet ports (apA and apB) which function as accelerated bridges. Individual port assignments: LAN1 is apA.1, WAN1 is apA.2, LAN2 is apB.1, LAN2 is apB.2.
Page 399 NetScaler SD-WAN 1000 WANOP Mar 19, 20 18 T he Citrix NetScaler SD-WAN 1000 platform has 3 models: SD-WAN 1000-06, SD-WAN 1000-010, and SD-WAN 1000-020, with bandwidths of 6Mbps, 10Mbps, and 20Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory.
Page 401 Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 2000 platform has 3 models: SD-WAN 2000-010, SD-WAN 2000-020, and SD-WAN 2000-050, with bandwidths of 10Mbps, 20Mbps, and 50Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory.
Page 402 Non-maskable interrupt (NMI) button, for use at the request of T echnical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation. Single power supply, rated at 300 watts, 100-240 volts. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.402...
Page 403 Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 3000 platform has 3 models: SD-WAN 3000-050, SD-WAN 3000-100, and SD-WAN 3000-155, with bandwidths of 50M bps, 100 Mbps, and 155 Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 32 gigabytes (GB) of memory.
Page 404 (apA) and 1/3 and 1/4 are accelerated pair B (apB). T he following ﬁgure shows the back panel of the SD-WAN 3000 appliance. Figure 3. Citrix NetScaler SD-WAN 3000 appliance, back panel T he following components are visible on the back panel of the SD-WAN 3000 appliance: Four 600 GB removable solid-state drives.
Page 405 1 x 160 GB SSD 1 x 240 GB SSD 1 x 600 GB 4 x 600 GB SSD (dedicated 40 GB 80 GB 275 GB 1.5 T B Compression history) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.405...
Page 406 100/240 VAC, 60 Hz 60 Hz 50-60 Hz 50-60 Hz Power 200W 200W 300 W 450 W consumption (Max.) Operating 10– 35 10– 35 0– 40 0– 40 Temperature (degree Celsius) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.406...
Page 407 EN 61000-3- Class A Class A NOM, SASO, NOM, SASO, 2/-3-3, CISPR SABS, PCT SABS, PCT 22 Class A Environmental RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE certiﬁcations RoHS, WEEE https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.407...
Page 408 T CP Acceleration T raffic Shaping Video Caching Windows File System Acceleration Windows Outlook Acceleration XenApp/ XenDesktop Acceleration Group Mode High Availability Mode Inline Mode Virtual Inline Mode WCCP Mode https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.408...
Page 409 WAN 4 00 WAN 4 00 WAN 800 WAN 800 WAN 1000 WAN 1000 WAN 2000 WAN 2000 WAN 3000 WAN 3000 series series series series series series series series series series https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.409...
Page 410 In addition to differences in WAN bandwidth capabilities, the different series vary in CPU power, installed RAM, and installed disk capacity. All models use solid-state drives instead of conventional hard drives for increased speed and reliability. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.410...
Page 411 ﬂoor and has sufﬁcient airﬂow. Only trained and qualiﬁed personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.411...
Page 412 One power cable One standard 4-post rail kit Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit. In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.
Page 413 One empty rack unit for each SD-WAN 400, 800, 1000, 2000 and 3000 appliances. Note: You can order the following rail kits separately. Compact 4-post rail kit, which fits racks of 23 to 33 inches. 2-post rail kit, which fits 2-post racks. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.413...
Page 414 T o prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement. Never remove a power supply cover or any sealed part that has the following label: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.414...
Page 415 T he handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.415...
Page 416 To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.416...
Page 417 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Note: T he illustration in the following figure might not represent your actual appliance. Figure 1. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.417...
Page 418 1. Insert the DB-9 connector at the end of the cable into the console port. Note: T o use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.418...
Page 419 1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to the power supply. 2. Connect the other end of the power cable to a standard 110V/220V power outlet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.419...
Page 420 2. Depending on the appliance, press the ON/OFF toggle power switch or the power button to switch on the appliance. Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.420...
Page 421 Initial Conﬁguration Aug 12, 20 14 T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 422 In the Worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, print out the worksheet before you start the configuration process. You should already have a SD-WAN license key from Citrix, sent in an email. If you are using remote licensing, you need the IP address of the licensing server.
Page 423 T he default gateway IP address of the appliance. Same as Subnet) the previous gateway. Syst em Set t ings Syst em Set t ings NT P Server (none) IP address of the NT P server. Citrix recommends that you https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.423...
Page 424 Port number of the licensing server. Required only when you select a remote model license type. Links Links Receive (Download) None WAN link download speed. Speed Send (Upload) Speed None WAN link upload speed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.424...
Page 425 Done . A screen showing the Installation in Progress… message appears. T his process takes approximately 2 to 5 minutes, depending on your network speed. Note: If you are configuring the appliance by connecting it to your computer through the serial console port, skip step 8 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.425...
Page 426 Licensing Server Address Licensing Server Address field. 19. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
Page 427 Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See Router Configuration. WCCP installations require configuration of your router and the appliance. See WCCP Mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.427...
Page 428 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 16. Run steps 4 through 25 of the Configuring the Appliance by Connecting a Computer to the Ethernet Port procedure to complete the configuration process https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.428...
Page 429 WCCP mode, which uses the WCCP v. 2.0 protocol to communicate with the router. T his mode is easy to configure on WCCP mode, most routers. WCCP has two variants: WCCP-GRE and WCCP-L2. WCCP-GRE encapsulates the WCCP traffic within https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.429...
Page 430 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). Deprecat ed modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new Deprecat ed modes. installations. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.430...
Page 431 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present) Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.431...
Page 432 T raffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.432...
Page 433 Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. T he bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
Page 434 Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.434...
Page 435 T he Aux1 port is identical to the Primary port. If the Aux1 port is enabled and the Primary port is not, the appliance takes its identity from the Aux1 port's IP address. If both are enabled, the Primary port's IP address is the unit's identity https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.435...
Page 436 (GUI and CLI) listen only to trafﬁc on that VLAN. If no VLAN is assigned, the management interfaces listen only to trafﬁc without a VLAN. T his selection is made on the Conﬁguration: Appliance Settings: Network Adapters: IP Addresses tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.436...
Page 437 Inline mode is most effective when applied to all trafﬁc ﬂowing into and out of a site, but it can be used for only some of the site's trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.437...
Page 438 T his is true even if the Primary port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the default) when not in use. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.438...
Page 439 T his is done by setting the bandwidth limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even at full link utilization. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.439...
Page 440 SD-WAN trafﬁc shaping relies on controlling the entire link, so trafﬁc shaping is not effective with this topology, because the appliance sees only a portion of link trafﬁc. Latency control is up to the bottleneck gateway, and interactive responsiveness can suffer. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.440...
Page 441 Conﬁguring and Troubleshooting Inline Mode Dec 26, 20 12 Inline mode requires only basic conﬁguration, because it is applied automatically to any packets passing through the accelerated bridge. Troubleshooting is described under . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.441...
Page 442 Sep 11, 20 14 Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such as Citrix NetScaler SD-WAN appliances.
Page 443 It is indifferent to whether all the routers use the same service group or different routers use different service groups. Service Group T racking. If a packet arrives on one service group, output packets for the same connection are sent on Service Group T racking https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.443...
Page 444 SG for apA. If apA higher SG is up, that will be used for redirection. If that is down, apB SG will be used. Please note that apA and apB need to be on different subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.444...
Page 445 For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one, some, or all of your WAN routers. Other routers can use virtual inline mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.445...
Page 446 T raffic shaping requires two service groups, one for T CP traffic and one for UDP traffic. T he difference between the two is configured on the appliance, and the router accepts this configuration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.446...
Page 447 ! Repeat the following three lines for each WAN interface ! you wish to accelerate: interface your_wan_interface ! If Reverse Path Forwarding is enabled (with an ip verify unicast ! source reachable” statement), delete or comment out the statement: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.447...
Page 448 !If the appliance is inline with one of the router interfaces, !(which is supported but not recommended), add !the following line for that interface to prevent loops: ip wccp redirect exclude in https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.448...
Page 449 11. Go to the Monitoring: Appliance Performance: WCCP page. T he Status field should change to Connected within 60 seconds. 12. Send traffic over the link and, on the Connections page, verify that connections are arriving and being accelerated. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.449...
Page 450 If the router requires a password, the password defined on the appliance must match. If the router does not require a password, the password field on the appliance must be blank. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.450...
Page 451 Number of Cache Engines: Number of routers: Total Packets Redirected: 19951 Redirect access-list: -none- Total Packets Denied Redirect: Total Packets Unassigned: Group access-list: -none- Total Messages Denied to Group: Total Authentication failures: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.451...
Page 452 WCCP cluster has twice the performance of a single appliance, delivering both redundancy and improved performance. In addition to adding more appliances as your site’s needs increase, you can use Citrix’s “Pay as You Grow” feature to increase your appliances’ capabilities through license upgrades.
Page 453 Load balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor load-balancing or even none, with all trafﬁc sent to a single appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.453...
Page 454 Using multiple WAN routers is very similar to using a single WAN router. If the previous example is changed to include two 100 Mbps links instead of one 200 Mbps link, the topology changes, but the calculations do not. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.454...
Page 455 In practice, the router's IP address for the interface that connects it to the appliance should be used. T he router's loopback IP should not be used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.455...
Page 456 Planning Your Deployment Jan 30 , 20 14 Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the following sections carefully before proceeding. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.456...
Page 457 SD-WAN 3000-100 and the SD-WAN 4000-310, can be increased through a license upgrade. T he SD-WAN 2000-050 however, is already at the high end of the range for SD-WAN 2000 appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.457...
Page 458 IP address. Using these bits tends to allocate the same number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of the subnet results in a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.458...
Page 459 “one” bits are extracted into a four-bit ﬁeld, declaring 16 buckets and a bucket numbers in the range of 0-15. If the mask value is set to zero, a default value of 0x00 00 0f 00 is used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.459...
Page 460 HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the service group, and therefore, packets from a single connection might be sent to two different appliances by two different routers, which causes accelerated connections to fail. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.460...
Page 461 If the designated cache itself goes ofﬂine, the role of designated cache is also reapportioned. It takes about thirty seconds for the cluster to react to the loss of a cache. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.461...
Page 462 M = log2(B) If B=16, M=4. Mask value: T he mask value is a 32-bit address mask with a number of “one” bits equal to M in the above worksheet. Often https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.462...
Page 463 IP address of router interface on port facing the appliance WCCP Protocol — (usually "Auto") DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing like HSRP or GSLB. Otherwise, use "Least Disruptive." https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.463...
Page 464 WCCP cluster. To conﬁgure the WCCP cluster, you need to perform the following tasks: Configuring the NetScaler Instances Configuring the Router Configuring the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.464...
Page 465 ! Example is for WCCP clustering using WCCP redirect in statements ! on LAN and WAN interfaces. ! This definition is appropriate for modern Cisco routers. ! Global declarations ip wccp 61 ip wccp 62 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.465...
Page 466 WAN speed, this method is practical, and is simpler than using redirect statements on every interface. Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address might be allowed to be redirected through WCCP. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.466...
Page 467 (or twice the number of appliances if they are SD-WAN 4000 or 5000 units), to divide the bandwidth equally among the appliances. T his latter method is most appropriate for applications with large numbers of active connections that have relatively low bandwidth requirements. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.467...
Page 469 Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
Page 470 To specif y t he packet -f orwarding opt ion— On the Conﬁguration: Optimization Rules: Tuning page, next to Virtual Inline, select Return to Ethernet Sender or Send to Gateway. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.470...
Page 471 Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-based routing do not support health-checking. T he health-monitoring feature is relatively new. It became available in Cisco IOS release 12.3(4)T .
Page 472 !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 192.168.1.200 20 track 123 route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 192.168.1.200 10 track 123 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.472...
Page 473 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.473...
Page 475 T he local appliance must use the default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. Virtual Inline Mode With T wo WAN Routers https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.475...
Page 476 Virtual IP address of the HA pair, not the IP address of an individual appliance, is used in the router conﬁguration tables. In this example, the local appliances must use default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. High-availability Example https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.476...
Page 477 WAN trafﬁc and outgoing WAN trafﬁc are being forwarded to the appliance. If only one direction is forwarded, acceleration cannot take place. To test health-checking, power down the appliance. T he router should stop forwarding trafﬁc after the health-checking algorithm times out. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.477...
Page 478 Figure 1. Group Mode With Redundant Links Figure 2. Group Mode With Non-Redundant Links with Possible Asymmetric Routing Figure 3. Group Mode On Nearby Campuses https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.478...
Page 479 Multiple bridges, where each link passes through a different accelerated bridge in the same appliance. LAN-level aggregation, which places an appliance (or high-availability pair) closer to the LAN, before the point where WAN traffic is split into two or more paths. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.479...
Page 480 Do not accelerat e- If a group member fails, its bypass card closes, allowing trafﬁc to pass through without acceleration. Do not accelerat e- Because an unaccelerated path introduces asymmetric routing, the other members of the group also go into pass-through mode when they detect the failure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.480...
Page 481 8. Repeat this procedure with the other members of the group. Within 20 seconds after enabling the last member of the group, the Group Mode Status line should show NORMAL, and the other group mode members should be listed with Status: On-Line and Configuration: OK. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.481...
Page 482 Do Do NOT Accelerat e When Member Failure Det ect ed NOT Accelerat e When Member Failure Det ect ed on the Group Mode tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.482...
Page 483 T he appliance on the secondary link forwards trafﬁc to the primary-link appliance, and acceleration continues undisturbed. T his conﬁguration maintains accelerated connections after the link failover. Figure 2. Forwarding Rules https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.483...
Page 484 T hat the behavior of the group-mode pair is as desired when the other member fails, and when one of the links fail, as determined by disabling the other appliance and temporarily disconnecting one of the links, respectively. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.484...
Page 485 IP address for management, in addition to each appliance's management IP address. If the primary appliance fails, the secondary appliance takes over. Failover takes approximately ﬁve seconds. High availability mode is a standard feature. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.485...
Page 486 T he two appliances synchronize their settings to ensure that the secondary is ready to take over for the primary. If the conﬁguration of the pair is changed through the browser based interface, the primary appliance updates the secondary appliance immediately. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.486...
Page 487 T he appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with the router. Upon failover, the new primary appliance establishes WCCP communication with the router. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.487...
Page 488 Without ST P, failover time is roughly ﬁve seconds. T hus, to achieve the briefest possible failover interval, disable ST P on the ports connecting to the appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.488...
Page 490 Be equipped with Ethernet bypass cards. T o determine what is installed in your appliances, see the Dashboard page. Appliances that do not support HA display a warning on the Conﬁguration: High Availability page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.490...
Page 491 IP address is mostly disabled, with most parameters grayed out. A warning message displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary appliance's HA state from its management UI. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.491...
Page 492 If this is not the case, a warning banner appears at the top of the screen, indicating the nature of the problem. Figure 1. High-availability configuration page https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.492...
Page 493 3. On the primary appliance, update the software, and then reboot. T he reboot causes a failover, and the secondary appliance becomes the primary. When the reboot is completed, HA should become fully established, because both appliances are running the same software. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.493...
Page 494 7. Log on to Appliance A’s GUI and reenable HA on the Configuration: Advanced Deployments: High Availability (HA) tab. T he appliance get its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.494...
Page 495 Incorrect or incomplete cabling between the appliances does not allow the HA heartbeat to pass between them. T he HA/Group Mode SSL Certificates on one or both appliances are damaged or missing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.495...
Page 496 Microsoft Windows Server 2012 R2 Standard Edition. T he SD-WAN 1000 and 2000 WANOP appliances with Windows Servers are based on the Citrix branch architecture, which supports multiple virtual machines. All branch appliances contain a SD-WAN instance, a management service instance, and a Xen hypervisor.
Page 497 T he appliance has two modes, two-port mode and four-port mode, which determine how ports 1/3 and 1/4 are used. T he Citrix Compliance Regulatory Models are: SD-WAN 1000WS WANOP: CB 504-2 SD-WAN 2000WS WANOP: NS 6xCu https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.497...
Page 498 SD-WAN 1000 Appliance with Windows Server Apr 10 , 20 17 T he Citrix SD-WAN 1000 with Windows Server platform has a quad-core processor and 32 GB of memory. T his platform has a bandwidth of up to 20 Mbps.
Page 499 T he following ﬁgure shows the back panel of a SD-WAN 1000 appliance with Windows Server. Figure 2. Citrix SD-WAN 1000 appliance with Windows Server , back panel T he following components are visible on the back panel of a SD-WAN 1000 appliance with Windows Server:...
Page 500 SD-WAN 2000 Appliance with Windows Server Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 2000 with Windows Server platform is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory. T he following figure shows the front panel of the NetScaler SD-WAN 2000 appliance with Windows Server.
Page 501 Non-maskable interrupt (NMI) button, for use at the request of T echnical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation. Single power supply, rated at 300 watts, 100-240 volts. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.501...
Page 502 Double-click the Desktop icon nic_mapping.vbs to display the mapping** * Available to the SD-WAN instance only in four-port mode. ** Available to the Windows Server only in two-port mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.502...
Page 503 T CP Acceleration T raffic Shaping Video Caching Windows File System Acceleration Windows Outlook Acceleration XenApp/ XenDesktop Acceleration Group Mode High Availability Mode Inline Mode Virtual Inline Mode WCCP Mode VLANs https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.503...
Page 504 System width EIA 310-D for 19-inch racks EIA 310-D for 19-inch racks System depth 10" (25.4 cm) 25.4" (64.5 cm) System weight 8.5 lbs (3.9 kg) 32 lbs (14.5 kg) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.504...
Page 505 FCC (Part 15 Class A), CCC, KCC, NOM, SASO, susceptibility CIT C, EAC, DoC, CE, VCCI, RCM CIT C, EAC, DoC, CE, VCCI, RCM certifications Environmental RoHS, WEEE RoHS, WEEE certifications https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.505...
Page 506 Windows Server, the port is labeled as PRI (primary) port. To complete the installation, you switch on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.506...
Page 507 A SD-WAN 1000 or 2000 appliance with Windows Server requires one rack unit. Both are rack-mount devices that can be installed into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.507...
Page 508 Apr 0 9, 20 14 SD-WAN 1000 appliance with Windows Server is not shipped with rails. You can mount the appliance to the rack by using the front mounting ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.508...
Page 509 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Note: T he illustration in the following figure might not represent your actual appliance. Figure 1. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.509...
Page 510 1. Insert the DB-9 connector at the end of the cable into the console port. On SD-WAN 1000 1000 appliance with Windows Server, the port is located on the back panel. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.510...
Page 511 A SD-WAN appliance has one power supply. A separate ground cable is not required, because the three-prong plug provides grounding. Provide power to the appliance by installing the power cord. Connect the other end of the power cable to a standard 110V/220V power outlet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.511...
Page 512 2000 appliance for Windows Server, verify that the LCD on the front panel is backlit and the start message appears Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs, you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.512...
Page 513 After checking the connections, you are ready to deploy the SD-WAN 1000 and 2000 appliances with Windows Server on the network. T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 514 In the Worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, print out the worksheet before you start the configuration process. You should already have a SD-WAN license key from Citrix, sent in an email. If you are using remote licensing, you need the IP address of the licensing server.
Page 515 Windows Server does not have access to ports 1/3 and 1/4. DNS Server None IP address of the DNS server. Citrix recommends that you specify a valid DNS server IP address. T his is a mandatory parameter. SD-WAN Conf igurat ion...
Page 516 Syst em Set t ings NT P Server (none) IP address of the NT P server. Citrix recommends that you specify a valid NT P server IP address. You can either enter the IP address or the server name. T ime Zone UT C Specify the time zone for your location.
Page 517 Use Syst em Net mask and Gat eway option. 7. Click Done Done . A screen showing the Installation in Progress… message appears. T his process takes approximately 2 to 5 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.517...
Page 518 Licensing Server Address Licensing Server Address field. 19. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
Page 519 Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See Router Configuration. WCCP installations require configuration of your router and the appliance. See WCCP Mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.519...
Page 520 P assword 3. Use interface AUX for Windows Server traffic. T his port has a Windows Device Description of "Citrix PV Ethernet Adapter #1: 0/2." Set it to use an IP address and network mask in the network that you chose for the Windows adapter.
Page 521 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 16. Run steps 4 through 25 of the Configuring the Appliance by Connecting a Computer to the Ethernet Port procedure to complete the configuration process https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.521...
Page 522 WCCP mode, which uses the WCCP v. 2.0 protocol to communicate with the router. T his mode is easy to configure on WCCP mode, most routers. WCCP has two variants: WCCP-GRE and WCCP-L2. WCCP-GRE encapsulates the WCCP traffic within https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.522...
Page 523 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). Deprecat ed modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new Deprecat ed modes. installations. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.523...
Page 524 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present) Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.524...
Page 525 T raffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.525...
Page 526 Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. T he bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
Page 527 Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.527...
Page 528 T he Aux1 port is identical to the Primary port. If the Aux1 port is enabled and the Primary port is not, the appliance takes its identity from the Aux1 port's IP address. If both are enabled, the Primary port's IP address is the unit's identity https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.528...
Page 529 (GUI and CLI) listen only to trafﬁc on that VLAN. If no VLAN is assigned, the management interfaces listen only to trafﬁc without a VLAN. T his selection is made on the Conﬁguration: Appliance Settings: Network Adapters: IP Addresses tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.529...
Page 530 Inline mode is most effective when applied to all trafﬁc ﬂowing into and out of a site, but it can be used for only some of the site's trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.530...
Page 531 T his is true even if the Primary port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the default) when not in use. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.531...
Page 532 T his is done by setting the bandwidth limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even at full link utilization. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.532...
Page 533 SD-WAN trafﬁc shaping relies on controlling the entire link, so trafﬁc shaping is not effective with this topology, because the appliance sees only a portion of link trafﬁc. Latency control is up to the bottleneck gateway, and interactive responsiveness can suffer. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.533...
Page 534 Conﬁguring and Troubleshooting Inline Mode Dec 26, 20 12 Inline mode requires only basic conﬁguration, because it is applied automatically to any packets passing through the accelerated bridge. Troubleshooting is described under . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.534...
Page 535 Sep 11, 20 14 Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such as Citrix NetScaler SD-WAN appliances.
Page 536 It is indifferent to whether all the routers use the same service group or different routers use different service groups. Service Group T racking. If a packet arrives on one service group, output packets for the same connection are sent on Service Group T racking https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.536...
Page 537 For more information about deploying SD-WAN appliances as a cluster, see WCCP Clustering. For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.org/html/draft- mclaggan-wccp-v2rev1-00. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.537...
Page 538 For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one, some, or all of your WAN routers. Other routers can use virtual inline mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.538...
Page 539 T raffic shaping requires two service groups, one for T CP traffic and one for UDP traffic. T he difference between the two is configured on the appliance, and the router accepts this configuration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.539...
Page 540 ! Repeat the following three lines for each WAN interface ! you wish to accelerate: interface your_wan_interface ! If Reverse Path Forwarding is enabled (with an ip verify unicast ! source reachable” statement), delete or comment out the statement: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.540...
Page 541 !If the appliance is inline with one of the router interfaces, !(which is supported but not recommended), add !the following line for that interface to prevent loops: ip wccp redirect exclude in https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.541...
Page 542 11. Go to the Monitoring: Appliance Performance: WCCP page. T he Status field should change to Connected within 60 seconds. 12. Send traffic over the link and, on the Connections page, verify that connections are arriving and being accelerated. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.542...
Page 543 If the router requires a password, the password defined on the appliance must match. If the router does not require a password, the password field on the appliance must be blank. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.543...
Page 544 Number of Cache Engines: Number of routers: Total Packets Redirected: 19951 Redirect access-list: -none- Total Packets Denied Redirect: Total Packets Unassigned: Group access-list: -none- Total Messages Denied to Group: Total Authentication failures: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.544...
Page 545 WCCP cluster has twice the performance of a single appliance, delivering both redundancy and improved performance. In addition to adding more appliances as your site’s needs increase, you can use Citrix’s “Pay as You Grow” feature to increase your appliances’ capabilities through license upgrades.
Page 546 Load balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor load-balancing or even none, with all trafﬁc sent to a single appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.546...
Page 547 Using multiple WAN routers is very similar to using a single WAN router. If the previous example is changed to include two 100 Mbps links instead of one 200 Mbps link, the topology changes, but the calculations do not. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.547...
Page 548 In practice, the router's IP address for the interface that connects it to the appliance should be used. T he router's loopback IP should not be used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.548...
Page 549 Planning Your Deployment Jan 30 , 20 14 Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the following sections carefully before proceeding. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.549...
Page 550 SD-WAN 3000-100 and theSD-WAN 4000-310, can be increased through a license upgrade. T he SD-WAN 4000-050 however, is already at the high end of the range for NetScaler 2000 appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.550...
Page 551 IP address. Using these bits tends to allocate the same number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of the subnet results in a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.551...
Page 552 “one” bits are extracted into a four-bit ﬁeld, declaring 16 buckets and a bucket numbers in the range of 0-15. If the mask value is set to zero, a default value of 0x00 00 0f 00 is used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.552...
Page 553 HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the service group, and therefore, packets from a single connection might be sent to two different appliances by two different routers, which causes accelerated connections to fail. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.553...
Page 554 If the designated cache itself goes ofﬂine, the role of designated cache is also reapportioned. It takes about thirty seconds for the cluster to react to the loss of a cache. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.554...
Page 555 M = log2(B) If B=16, M=4. Mask value: T he mask value is a 32-bit address mask with a number of “one” bits equal to M in the above worksheet. Often https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.555...
Page 556 IP address of router interface on port facing the appliance WCCP Protocol — (usually "Auto") DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing like HSRP or GSLB. Otherwise, use "Least Disruptive." https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.556...
Page 557 WCCP cluster. To conﬁgure the WCCP cluster, you need to perform the following tasks: Configuring the NetScaler Instances Configuring the Router Configuring the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.557...
Page 558 ! Example is for WCCP clustering using WCCP redirect in statements ! on LAN and WAN interfaces. ! This definition is appropriate for modern Cisco routers. ! Global declarations ip wccp 61 ip wccp 62 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.558...
Page 559 WAN speed, this method is practical, and is simpler than using redirect statements on every interface. Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address might be allowed to be redirected through WCCP. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.559...
Page 560 (or twice the number of appliances if they are SD-WAN 4000 or 5000 units), to divide the bandwidth equally among the appliances. T his latter method is most appropriate for applications with large numbers of active connections that have relatively low bandwidth requirements. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.560...
Page 562 Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
Page 563 To specif y t he packet -f orwarding opt ion— On the Conﬁguration: Optimization Rules: Tuning page, next to Virtual Inline, select Return to Ethernet Sender or Send to Gateway. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.563...
Page 564 Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-based routing do not support health-checking. T he health-monitoring feature is relatively new. It became available in Cisco IOS release 12.3(4)T .
Page 565 !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 192.168.1.200 20 track 123 route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 192.168.1.200 10 track 123 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.565...
Page 566 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.566...
Page 568 T he local appliance must use the default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. Virtual Inline Mode With T wo WAN Routers https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.568...
Page 569 Virtual IP address of the HA pair, not the IP address of an individual appliance, is used in the router conﬁguration tables. In this example, the local appliances must use default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. High-availability Example https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.569...
Page 570 WAN trafﬁc and outgoing WAN trafﬁc are being forwarded to the appliance. If only one direction is forwarded, acceleration cannot take place. To test health-checking, power down the appliance. T he router should stop forwarding trafﬁc after the health-checking algorithm times out. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.570...
Page 571 Figure 1. Group Mode With Redundant Links Figure 2. Group Mode With Non-Redundant Links with Possible Asymmetric Routing Figure 3. Group Mode On Nearby Campuses https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.571...
Page 572 Multiple bridges, where each link passes through a different accelerated bridge in the same appliance. LAN-level aggregation, which places an appliance (or high-availability pair) closer to the LAN, before the point where WAN traffic is split into two or more paths. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.572...
Page 573 Do not accelerat e- If a group member fails, its bypass card closes, allowing trafﬁc to pass through without acceleration. Do not accelerat e- Because an unaccelerated path introduces asymmetric routing, the other members of the group also go into pass-through mode when they detect the failure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.573...
Page 574 8. Repeat this procedure with the other members of the group. Within 20 seconds after enabling the last member of the group, the Group Mode Status line should show NORMAL, and the other group mode members should be listed with Status: On-Line and Configuration: OK. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.574...
Page 575 Do Do NOT Accelerat e When Member Failure Det ect ed NOT Accelerat e When Member Failure Det ect ed on the Group Mode tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.575...
Page 576 T he appliance on the secondary link forwards trafﬁc to the primary-link appliance, and acceleration continues undisturbed. T his conﬁguration maintains accelerated connections after the link failover. Figure 2. Forwarding Rules https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.576...
Page 577 T hat the behavior of the group-mode pair is as desired when the other member fails, and when one of the links fail, as determined by disabling the other appliance and temporarily disconnecting one of the links, respectively. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.577...
Page 578 IP address for management, in addition to each appliance's management IP address. If the primary appliance fails, the secondary appliance takes over. Failover takes approximately ﬁve seconds. High availability mode is a standard feature. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.578...
Page 579 T he appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with the router. Upon failover, the new primary appliance establishes WCCP communication with the router. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.579...
Page 580 Without ST P, failover time is roughly ﬁve seconds. T hus, to achieve the briefest possible failover interval, disable ST P on the ports connecting to the appliances. Figure 2. Ethernet Port Locations (Older Models) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.580...
Page 581 Be equipped with Ethernet bypass cards. T o determine what is installed in your appliances, see the Dashboard page. Appliances that do not support HA display a warning on the Conﬁguration: High Availability page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.581...
Page 582 IP address is mostly disabled, with most parameters grayed out. A warning message displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary appliance's HA state from its management UI. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.582...
Page 583 If this is not the case, a warning banner appears at the top of the screen, indicating the nature of the problem. Figure 1. High-availability configuration page https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.583...
Page 584 3. On the primary appliance, update the software, and then reboot. T he reboot causes a failover, and the secondary appliance becomes the primary. When the reboot is completed, HA should become fully established, because both appliances are running the same software. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.584...
Page 585 7. Log on to Appliance A’s GUI and reenable HA on the Configuration: Advanced Deployments: High Availability (HA) tab. T he appliance get its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.585...
Page 586 Incorrect or incomplete cabling between the appliances does not allow the HA heartbeat to pass between them. T he HA/Group Mode SSL Certificates on one or both appliances are damaged or missing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.586...
Page 587 SD-WAN WANOP appliances in a single package. SD-WAN 4000/5000 WANOP WAN accelerators are the high end of the Citrix NetScaler SD-WAN product line. T hey are designed to accelerate sites with WAN links with speeds in excess of 155 Mbps, especially busy datacenters that communicate with a large number of branch and regional sites.
Page 588 Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other problems. T his isolation can be achieved physically or by tagging management interface and traffic interface packets with https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.588...
Page 589 WCCP, but without the WCCP control channel. T raffic is sent to the appliance from the router, using policy-based routing (PBR) rules. T he appliance processes the traffic and returns it to the router. Figure 2. WCCP and virtual inine cabling https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.589...
Page 590 LAN allows compression to provide only a 2x speedup on a whole-link basis, because there is no way to get data onto or off of the LAN at speeds above 1 Gbps. A 10 Gbps LAN, which allows a tenfold increase in peak data rates, is https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.590...
Page 591 A SD-WAN 4000/5000 appliance has at least two non-accelerated ports. Port 0/1 is typically used for management, Port 0/2 is present but typically not used. A Light Out Management (LOM) port is also provided. An RS-232 port can be used for management. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.591...
Page 592 Apr 10 , 20 17 Citrix SD-WAN 4000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 48 gigabytes (GB) of memory. T he Citrix SD-WAN 4000 have a bandwidth of 310Mbps, 500Mbps, and 1Gbps, respectively.
Page 593 T he following components are visible on the back panel of the Citrix SD-WAN 4000 appliance: Four 600 GB removable solid-state drives, which store the appliance's compression history. T he 256 GB solid-state drive below the hard disk drive stores the appliance's software.
Page 594 Apr 10 , 20 17 Citrix SD-WAN 5000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 96 gigabytes (GB) of memory. T he Citrix SD-WAN 5000 have a bandwidth of 1.5Gbps and 2Gbps respectively.
Page 596 Citrix SD-WAN 4000/5000 ﬁeld replaceable units (FRU) are components that can be quickly and easily removed from the appliance and replaced by the user or a technician at the user's site. T he FRUs in a Citrix SD-WAN 4000/5000 appliance can include DC or AC power supplies, and solid-state and hard-disk drives.
Page 597 Power Supply Oct 23, 20 13 Citrix SD-WAN 4000/5000 appliances are conﬁgured with dual power supplies but can operate with only one power supply. T he second power supply serves as a backup. For power-supply speciﬁcations, see "Hardware Platforms," which describes the various platforms and includes a table summarizing the hardware speciﬁcations.
Page 598 T o silence the alarm, press the small red button on the back panel of the appliance. T he disable alarm button is functional only when the appliance has two power supplies. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.598...
Page 599 Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted horizontally or at the right if the drive is inserted vertically.
Page 600 T o seat the drive, close the handle flush with the rear of the appliance so that the hard drive locks securely into the slot. Important: When you insert the drive, make sure that the Citrix product label is at the top.
Page 601 T CP Acceleration T raffic Shaping Video Caching Windows File System Acceleration Windows Outlook Acceleration XenApp/ XenDesktop Acceleration Group Mode Mode High Availability Mode Inline Mode Virtual Inline Mode WCCP Mode VLANs https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.601...
Page 602 Summary of Hardware Speciﬁcations Sep 12, 20 13 T he following tables summarize the specifications of the Citrix NetScaler SD-WAN 4000/5000 WANOP hardware platforms. T able 1. Cit rix T able 1. Cit rix Net Scaler SD-WAN 4 000/5000 Net Scaler SD-WAN 4 000/5000 WANOP Appliances...
Page 603 BT U per hour. BT U per hour. BT U per hour. BT U per hour. Operating 32– 104° F 32– 104° F 32– 104° F 32– 104° F 32– 104° F temperature https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.603...
Page 604 CE, VCCI, CNS, CE, VCCI, CNS, CE, VCCI, CNS, CE, VCCI, CNS, AN/NES AN/NES AN/NES AN/NES AN/NES susceptibility standards Environmental RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE compliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.604...
Page 605 Default Gateway— IP address of the router that connects the LOM port to the network. 6. Click Save. You can remotely turn off the appliance and turn it back on. T he result is similar to pressing the power button on the back https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.605...
Page 606 P ower On Syst em P ower Cycle Syst em— T urn off the appliance, and then turn it back on. P ower Cycle Syst em 4. Click Perform Action. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.606...
Page 607 ﬂoor and has sufﬁcient airﬂow. Only trained and qualiﬁed personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.607...
Page 608 One fiber patch cable One standard 4-post rail kit Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit. In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.
Page 609 T wo empty rack units for SD-WAN 4000/5000 appliances. Note: You can order the following rail kits separately. Compact 4-post rail kit, which fits racks of 23 to 33 inches. 2-post rail kit, which fits 2-post racks. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.609...
Page 610 T o prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement. Never remove a power supply cover or any sealed part that has the following label: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.610...
Page 611 T he handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.611...
Page 612 To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.612...
Page 613 An assembly consists of an inner rail and a rack rail. T he supplied rail kit is 28 inches long (38 inches extended). Contact your Citrix sales representative to order a 23-inch (33 inches extended) rail kit.
Page 614 2. Slide the appliance into the rack rails, keeping the pressure even on both sides. 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Figure 5. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.614...
Page 615 Caution: SD-WAN 4000/5000 appliances do not support 1G SFP transceivers from vendors other than Citrix Systems. Attempting to install third-party 1G SFP transceivers on your SD-WAN 4000/5000 appliance voids the warranty.
Page 616 10G SFP+ transceivers, the speed is also autonegotiated. Caution: SD-WAN 4000/5000 appliances do not support 10G SFP+ transceivers provided by vendors other than Citrix Systems. Attempting to install third-party 10G SFP+ transceivers on your SD-WAN 4000/5000 appliance voids the warranty.
Page 617 1. Connect the LC-to-LC cable to the ports as shown in the figures above. 2. Insert one end of the cable into port 10/3. 3. Insert the other end of the cable into port 10/4. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.617...
Page 618 T he SD-WAN 4000/5000 appliance has two power supplies, with one serving as a backup. A separate ground cable is not required, because the three-prong plug provides grounding. Power up the appliance by installing one or both power cords. To connect the appliance to the power source https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.618...
Page 619 Note: T he appliance emits a high-pitched alert if one power supply fails or if you connect only one power cable to the appliance. T o silence the alarm, you can press the small red button located on the back panel of the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.619...
Page 620 2. Press the ON/OFF toggle power switch on the back panel of the appliance. Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.620...
Page 621 An appropriate appliance or group of appliances must be selected to support both the current and anticipated load. A deployment mode must be selected to match the requirements of your site. Other aspects must also be considered. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.621...
Page 622 Provide enough capacity for expected expansion over the life of the deployment. SD-WAN 4000/5000 appliances using the same hardware platform can have their capacity upgraded with a new license as part of the Citrix pay-as-you-grow program. SD-WAN 4000/5000 models 310, 500, and 1000 use one hardware platform, and models 1500 and 2000 use another hardware platform.
Page 623 One-arm, WCCP. T his resembles a standard SD-WAN WCCP deployment. Citrix also supports the following two modes (which are outside the scope of this document): Inline, routed. T he NetScaler instance uses routing rules instead of bridging rules to determine how to forward packets.
Page 624 Inline mode is convenient for smaller WAN networks and simpler datacenters. It is most commonly used with the SD- WAN 4000/5000 310 and 500, and more rarely with the larger appliances. Cascaded installations should use WCCP. Note: Only WCCP mode (with a single router) is currently documented. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.624...
Page 625 Optional load balancing behavior includes the use of static routing (for hand-crafted load balancing) and variations on the least-connection with AgentID and SRCIPDEST IP persistence methods used in the default conﬁguration. T he behavior for https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.625...
Page 627 10. Identified any QoS devices or proxies in the path between the local and remote sites. QoS devices should be on the WAN side of SD-WAN 4000/5000. Proxies should be on the LAN side. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.627...
Page 628 After checking the connections, you are ready to deploy the SD-WAN 4000 and 5000 appliances on the network. T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 629 Model 500: T hree Models 1000 and 1500: Six Model 2000: Eight Before you start provisioning the appliance, Citrix recommends that you have the license ﬁle with you, as it is required early in the conﬁguration process. Installing the Hardware...
Page 630 IP address of the NetScaler instance's GUI and Management IP CLI interfaces. address External T raffic Subnet T 1. Router IP address 172.17.17.1 IP address of router on external traffic subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.630...
Page 631 When VLAN trunking is used, these are tagged VLAN2.3, VLAN2.4 VLANs crossing bridge #2. VLAN3.1, VLAN3.2, External VLANs for When VLAN trunking is used, these are tagged VLAN3.3, VLAN3.4 Bridge #1 VLANs crossing bridge #3. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.631...
Page 632 You can change the management IP address by connecting a computer to the appliance through either the Ethernet port or the serial console. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.632...
Page 633 12. From a computer on the management network, log on to the appliance by entering the new management service IP address, such as https://<Managemnt_IP_Address>, in a web browser. 13. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.633...
Page 634 14. Log on to the appliance by using the nsroot user name and the password from your worksheet. 15. T o complete the configuration process, see Provisioning the Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.634...
Page 635 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 16. T o complete the configuration process, see Provisioning the Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.635...
Page 636 2. Follow these steps to configure a fully 7.3-compliant system: Acquire the following release 7.3 software distributions from the release 7.3 downloads page on My Citrix: Management service (as a .tgz file) NetScaler VM (as an .xva file) Accelerator VM (as an .xva file)
Page 637 7. Navigate to the folder that contains the license file and open the file. 8. Click Add License and upload the license file provided by Citrix. T he license is added to the appliance, as shown in the following figure.
Page 638 Basic conﬁguration is complete. Next, perform deployment-mode-speciﬁc conﬁguration (such as for WCCP mode). Note: After the wizard completes, the appliance is configured for the basic setup. T o configure the appliance for a specific deployment scenario, see Deployment Modes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.638...
Page 639 SD-WAN 4000/5000 appliances have two recommended deployment modes: WCCP and inline. T hese modes are commonly used without high availability (HA), and less commonly with HA. At this time, Citrix recommends WCCP mode, with a single router and without HA, for most deployments. Use inline mode when WCCP is not available.
Page 640 Virtual inline mode provides a solution for asymmetric routing issues faced in a deployment with two or more WAN links. Note: Citrix recommends that you do not deploy SD-WAN appliances in virtual inline mode with routers that do not support health monitoring.
Page 641 You must enable MAC Based Forwarding (MBF) Use Subnet IP address (USNIP), and Return To Ethernet Sender options on the NetScaler instance. T his section contains Citrix validated deployment topologies for virtual inline mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 642 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.642...
Page 643 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router (both routers individually) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.643...
Page 644 Bind the Subnet IP Address to VLAN of Data Interface Configure Layer 4 Parameters (only if you expect connection migration between routers) Configuring VLANs for Connection Migration Configure a Router(both routers individually) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.644...
Page 645 Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router (both routers individually) Configure Routers in High Availability Setup https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.645...
Page 646 T 4. Subnet IP address 172.17.17.2 Subnet IP address for NetScaler on external traffic subnet. T 5. Subnet IP address 172.17.18.2 Subnet IP address for NetScaler on external traffic subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.646...
Page 647 Port used for accelerated traffic. T 9. T raffic Port 10/6 Port used for accelerated traffic. Note: Ports 10/3 and 10/4 are reserved for loopback cable. Do not configure these ports as traffic ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.647...
Page 648 Enable L3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configuring the Instance for Connection Migration https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.648...
Page 649 T o enable layer 3 mode and disable layer 2 mode by using t he command line int erf ace, run t he f ollowing commands commands > enable ns mode L3 > disable ns mode l2 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.649...
Page 650 T o enable t he Ret urn t o Et hernet Sender mode by using t he command line int erf ace, run t he f ollowing command command > set L2Param -returnToEthernetSender ENABLED https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.650...
Page 651 > add ns ip 172.17.17.2 255.255.255.0 > add ns ip 172.17.18.2 255.255.255.0 Note: Run the second command only if you are configuring the appliance for two links. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.651...
Page 652 > bind vlan 1007–IPAddress 172.17.17.2 255.255.255.0 > bind vlan 1009–IPAddress 172.17.18.2 255.255.255.0 Note: Run the second command only if you are configuring the appliance for two links. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.652...
Page 653 VLANs f or connect ion migrat ion by using t he command line int erf ace, run t he f ollowing f ollowing commands commands > unbind vlan 1009 –ifnum 10/6 > unbind vlan 1009 –IPAddress 172.17.18.2 255.255.255.0 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.653...
Page 655 Note: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy based routing do not support health checking. T he health-monitoring feature is relatively new. It was first available in Cisco IOS release 12.3(4)T .
Page 656 T his configuration redirects all matching IP traffic to the appliances. If you want to redirect only T CP traffic, you can change the access-list configuration as follows (only the remote side's configuration is shown here): ip access-list extended server_side permit tcp 10.200.51.0 0.0.0.255 10.20.20.0 0.0.0.255 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.656...
Page 657 10.20.20.0 0.0.0.255 10.200.51.0 0.0.0.255 To conﬁgure high availability between routers, see the router-speciﬁc high availably conﬁguration manual. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.657...
Page 658 3. Verify that the Accelerated Connections tab displays entries for the accelerated connections, as shown in the following screen shot. T his tab displays an entry each for all accelerated connections. Figure 1. T he Accelerated Connections tab https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.658...
Page 659 Sep 11, 20 14 Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such as Citrix SD- WAN appliances.
Page 660 It is indifferent to whether all the routers use the same service group or different routers use different service groups. Service Group T racking Service Group T racking. If a packet arrives on one service group, output packets for the same connection are sent on https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.660...
Page 661 For more information about deploying SD-WAN appliances as a cluster, see WCCP Clustering. For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.org/html/draft- mclaggan-wccp-v2rev1-00. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.661...
Page 662 For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one, some, or all of your WAN routers. Other routers can use virtual inline mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.662...
Page 663 LAN interface except the appliance’s traffic interface. 2. If your router supports reverse path forwarding, disable it on this interface by changing any ip verify unicast reverse- https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.663...
Page 664 Met hod B is preferred in circumstances when the routers do not support the wccp redirect out statement. Met hod B Example Following is an example of configuring a Cisco IOS router: ! This example is for WCCP mode, not WCCP clustering https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.664...
Page 665 WAN link. T o conf igure t he accelerat ors f or WCCP mode T o conf igure t he accelerat ors f or WCCP mode https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.665...
Page 666 Default). T his is a WCCP 2.1 feature and is not supported by all routers. If the appliance has trouble connecting to the router, set this parameter back to Default. Note: You must consider the following points when configuring a Citrix SD-WAN 4000/5000 appliance: T raffic is load balanced across the accelerators on the basis of NetScaler load balancing policies.
Page 667 If no connections are shown, but the appliance reports that it is connected to the router, and the WCCP monitoring page shows no errors, the issue is probably with the router configuration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.667...
Page 668 WCCP cluster has twice the performance of a single appliance, delivering both redundancy and improved performance. In addition to adding more appliances as your site’s needs increase, you can use Citrix’s “Pay as You Grow” feature to increase your appliances’ capabilities through license upgrades.
Page 669 Load balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor load-balancing or even none, with all trafﬁc sent to a single appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.669...
Page 670 Using multiple WAN routers is very similar to using a single WAN router. If the previous example is changed to include two 100 Mbps links instead of one 200 Mbps link, the topology changes, but the calculations do not. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.670...
Page 671 In practice, the router's IP address for the interface that connects it to the appliance should be used. T he router's loopback IP should not be used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.671...
Page 672 Planning Your Deployment Jan 30 , 20 14 Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the following sections carefully before proceeding. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.672...
Page 673 SD-WAN 3000-100 and the SD-WAN 4000-310, can be increased through a license upgrade. T he SD-WAN 2000-050 however, is already at the high end of the range for SD-WAN 2000 appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.673...
Page 674 IP address. Using these bits tends to allocate the same number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of the subnet results in a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.674...
Page 675 “one” bits are extracted into a four-bit ﬁeld, declaring 16 buckets and a bucket numbers in the range of 0-15. If the mask value is set to zero, a default value of 0x00 00 0f 00 is used. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.675...
Page 676 HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the service group, and therefore, packets from a single connection might be sent to two different appliances by two different routers, which causes accelerated connections to fail. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.676...
Page 677 If the designated cache itself goes ofﬂine, the role of designated cache is also reapportioned. It takes about thirty seconds for the cluster to react to the loss of a cache. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.677...
Page 678 M = log2(B) If B=16, M=4. Mask value: T he mask value is a 32-bit address mask with a number of “one” bits equal to M in the above worksheet. Often https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.678...
Page 679 IP address of router interface on port facing the appliance WCCP Protocol — (usually "Auto") DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing like HSRP or GSLB. Otherwise, use "Least Disruptive." https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.679...
Page 680 WCCP cluster. To conﬁgure the WCCP cluster, you need to perform the following tasks: Configuring the NetScaler Instances Configuring the Router Configuring the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.680...
Page 681 ! Example is for WCCP clustering using WCCP redirect in statements ! on LAN and WAN interfaces. ! This definition is appropriate for modern Cisco routers. ! Global declarations ip wccp 61 ip wccp 62 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.681...
Page 682 WAN speed, this method is practical, and is simpler than using redirect statements on every interface. Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address might be allowed to be redirected through WCCP. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.682...
Page 683 (or twice the number of appliances if they are SD-WAN 4000 or 5000 units), to divide the bandwidth equally among the appliances. T his latter method is most appropriate for applications with large numbers of active connections that have relatively low bandwidth requirements. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.683...
Page 685 Inline mode is currently recommended only for sites where WCCP is not practical, and which have a single WAN link, or have fully independent WAN links that do not use dynamic routing, load-balancing, or fail-over. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.685...
Page 687 4 -ifnum 1/7 1/8 add interfacePair 5 -ifnum 10/1 10/2 SD-WAN 5000 SD-WAN 5000 add interfacePair 1 -ifnum 10/1 10/2 add interfacePair 2 -ifnum 10/4 10/5 add interfacePair 3 -ifnum 10/6 10/7 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.687...
Page 688 NetScaler instance until we bind the NetScaler IP addresses to the VLAN. Adding such a VLAN does not require a restart. T his method is recommended for all VLANs except the management subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.688...
Page 689 A bypass event occurs if the NetScaler instance or the bypass daemon in Dom-0 becomes unresponsive. A bypass event is not triggered by accelerators becoming unresponsive. T he 1-Gigabit bypass ports are copper, and 10-Gigabit bypass ports are fiber ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.689...
Page 690 3. Navigate to the NetScaler instance at Configuration > NetScaler > Instances and click on the IP address of the NetScaler instance. 4. If the Citrix SD-WAN Connector Get Started page appears, ignore it. 5. Click Configuration > Network > VLANs > Add.
Page 691 9. In the remote Node IP Address field of the High Availability Setup dialog box, specify the NSIP address of the NetScaler instance of the other appliance #2 (H17 on your worksheet), as shown in the following figure. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.691...
Page 692 10. Click OK. T he appliances are now configured as a high availability pair, as shown in the following figure. Figure 3. Configuring high availability on the NetScaler instance Note: T o learn more about setting up high availability on a NetScaler instance, see the High Availability node of the Citrix eDocs website.
Page 693 Monit oring: Syst em Load page, especially during peak periods, to verify that the SD-WAN 4000/5000 is not heavily loaded. 10. Continue this process until the entire WAN is being accelerated. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.693...
Page 694 4. Generally monitor the SD-WAN 4000/5000 unit for alerts. 5. In the broker UI, use the Dashboard, the Monitoring: Remote Partners, and perhaps the Monitoring: Appliance Load pages to monitor the overall activity and load of the system. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.694...
Page 695 GUI. Checking and Correct ing Accelerat or Inst ance St at us Checking and Correct ing Accelerat or Inst ance St at us https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.695...
Page 696 T he power supply was struggling, as can be seen in both the Hardware Sensors Summary and the System Health Events log. (T he count in the System Health Events heading shows that there was only one event, the Date field shows that it https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.696...
Page 697 On rare occasions, you may wish to troubleshoot individual accelerator instances. To do this, use the following URL’s: Accelerat or Inst ance Accelerat or Inst ance https://<accelerator_ip>:4001 https://<accelerator_ip>:4002 … https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.697...
Page 698 Individual Element s of t he Updat e Bundle T he update bundles distributed by Citrix are in a simple .tgz format (a tar archive compressed with gzip). It is sometimes useful to extract individual components from the archive, rather than going back to the the Citrix Web site and downloading them individually.
Page 699 In addition to differences in WAN bandwidth capabilities, the different series vary in CPU power, installed RAM, and installed disk capacity. All models use solid-state drives instead of conventional hard drives for increased speed and reliability. T he Citrix Compliance Regulatory models for SD-WAN 400-SE and 410-SE are: SD-WAN 400-SE: CB 504-2 SD-WAN 410-SE: 512-2 For more information, see the NetScaler product platform datasheet.
Page 700 NIC1 and NIC2— Indicate network activity on the LAN1 and WAN1 ports. HDD— Indicates the status of the hard disk drive. Power— When blinking, indicates that the power supply unit is receiving power and operating normally. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.700...
Page 701 LAN1 is apA.1, WAN1 is apA.2, LAN2 is apB.1, LAN2 is apB.2. RS-232 serial console port One Aux Ethernet port and one management port T wo USB ports One Solid State Drive (SSD) SD-WAN 400 - 160 GB SSD https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.701...
Page 702 Blinking red (1Hz) - slow blinking red Fan failure. Blinking red (0.25Hz) - fast blinking Power failure. Solid blue Local UID has been activated. Use this function to locate the server in a rack mount environment. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.702...
Page 703 LAN ports and even port numbers for WAN ports. 1/1 is used for the ﬁrst LAN port, 1/2 for the ﬁrst WAN port, 1/3 for the second LAN Port, 1/4 for the second WAN port, 1/5 for the third LAN Port, and 1/6 for the third WAN Port. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.703...
Page 704 Apr 0 9, 20 14 T he following table summarizes the speciﬁcations of the SD-WAN 400 SE and 410 SE hardware platforms. Table 1. Citrix NetScaler SD-WAN 400 and 410 Platforms Summary SD-WAN 4 00 SE SD-WAN 4 10 SE...
Page 705 FCC (Part 15 Class A), CCC, KCC, NOM, CIT C, FCC (Part 15 Class A), CCC, KCC, NOM, CITC, EAC, DoC, CE, VCCI, RCM EAC, DoC, CE, VCCI, RCM certiﬁcations Environmental certiﬁcations RoHS, WEEE RoHS, WEEE, REACH (optional) 200W https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.705...
Page 706 ﬂoor and has sufﬁcient airﬂow. Only trained and qualiﬁed personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.706...
Page 707 Ethernet cables for each additional Ethernet port that you will connect to your network One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to your network A computer to serve as a management workstation https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.707...
Page 708 One empty rack unit for each SD-WAN 400 and 410 SE appliances. Note: You can order the following rail kits separately. Compact 4-post rail kit, which fits racks of 23 to 33 inches. 2-post rail kit, which fits 2-post racks. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.708...
Page 709 T o prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement. Never remove a power supply cover or any sealed part that has the following label: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.709...
Page 710 T he handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.710...
Page 711 To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.711...
Page 712 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Note: T he illustration in the following figure might not represent your actual appliance. Figure 1. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.712...
Page 714 2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal. Connecting the Power Cable Updated: 2014-01-20 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.714...
Page 715 1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to the power supply. 2. Connect the other end of the power cable to a standard 110V/220V power outlet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.715...
Page 716 2. Depending on the appliance, press the ON/OFF toggle power switch or the power button to switch on the appliance. Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.716...
Page 717 Initial Conﬁguration Aug 12, 20 14 T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 718 In the Worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, print out the worksheet before you start the configuration process. You should already have a SD-WAN license key from Citrix, sent in an email. If you are using remote licensing, you need the IP address of the licensing server.
Page 719 Setting up the SD-WAN Appliance Nov 17, 20 16 To set up your NetScaler SD-WAN Appliance hardware, see the instructions documented in the Setting up the Appliance Hardware section. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.719...
Page 720 WAN traffic to the appliance and the appliance returns it to the router. In this Virtua l inline mode , mode, the appliance appears to be a router, but it uses no routing tables. It sends the return traffic to the real router. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.720...
Page 721 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new installations. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.721...
Page 722 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) Bridge #3 Accelerated Pair C (apC, with ports apC.1 and apC.2) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.722...
Page 723 T raffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.723...
Page 724 Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. T he bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
Page 725 High Availability with Multiple Bridges Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.725...
Page 726 Accelerated Pair A. T he Primary port is used for: Administration through the web based UI A back channel for group mode A back channel for high-availability mode https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.726...
Page 735 !- Use a ping (ICMP echo) to see if appliance is connected track 123 rtr 1 reachabilit y ! rtr 1 type echo protocol IpIcmpecho 192.168.1.200 schedule 1 life forever start-time now https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.735...
Page 736 !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 192.168.1.200 20 track 123 route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 192.168.1.200 10 track 123 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.736...
Page 737 10 match ip address client_side set ip next-hop 192.168.2.200 ip access-list extended client_side permit tcp 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255 ip access-list extended wan_side permit tcp 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.737...
Page 749 7. Log on to Appliance A’s GUI and reenable HA on the Configuration: Advanced Deployments: High Availability (HA) tab. T he appliance get its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.749...
Page 750 Incorrect or incomplete cabling between the appliances does not allow the HA heartbeat to pass between them. T he HA SSL Certificates on one or both appliances are damaged or missing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.750...
Page 751 4. After 5 mins the appliance restarts and the CLI is displayed. T here will be couple of reboots (apporximately, 4-5) for extracting the software image from the eUSB (sdb) and copying, programming, and re-ﬂashing to the SATADOM (sda). command COPY https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.751...
Page 752 T he appliance restarts 4 to 5 times as it extracts, copies, and initializes the boot process. 5. At the login prompt, you can start conﬁguring the appliance using the CLI or web management interface. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.752...
Page 753 Appliances Mar 22, 20 17 Citrix NetScaler SD-WAN Standard Edition 4000/5100 appliances are high-performance appliances for busy datacenters. T hese appliances combines multiple virtual accelerator instances with a single virtual instance of the NetScaler load- balancer, providing the performance of multiple SD-WAN Standard Edition appliances in a single package.
Page 754 Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other problems. T his isolation can be achieved physically or by tagging management interface and traffic interface packets with https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.754...
Page 755 WCCP, but without the WCCP control channel. T raffic is sent to the appliance from the router, using policy-based routing (PBR) rules. T he appliance processes the traffic and returns it to the router. Figure 2. Inline cabling https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.755...
Page 756 Typically only one management port is used. Accelerated Bridges Citrix NetScaler SD-WAN 4000/5100 SE appliances have multiple accelerated bridges. Different models have different numbers and types of bridge ports. T he two ports making up such a bridge are called an "accelerated pair." All current models include a built-in network bypass function.
Page 757 0/2 is present but typically not used. A Light Out Management (LOM) port is also provided. An RS-232 port can be used for management. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.757...
Page 758 Apr 10 , 20 17 Citrix NetScaler SD-WAN 4000 is a 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 48 gigabytes (GB) of memory. T he Citrix NetScaler SD-WAN 4000 SE has a bandwidth of 300Mbps, 500Mbps, 1Gbps, and 2Gbps respectively.
Page 759 T he following components are visible on the back panel of the Citrix NetScsler SD-WAN 4000 SE appliance: Four 600 GB removable solid-state drives, which store the appliance's compression history. T he 256 GB solid-state drive below the hard disk drive stores the appliance's software.
Page 760 Apr 0 6, 20 17 Citrix NetScaler SD-WAN 5100 SE is a 2U appliance. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 96 gigabytes (GB) of memory. T he Citrix NetScaler SD-WAN 5100 SE has a bandwidth of 1 Gbps, 2 Gbps, 3 Gbps, and 4 Gbps respectively.
Page 761 Summary of Hardware Speciﬁcations Sep 12, 20 13 T he following tables summarize the specifications of the Citrix NetScaler SD-WAN 4000/5100 SE hardware platforms. Table 1. Citrix NetScaler SD-WAN 4 000/5100 SE Appliances Citrix NetScaler SD-WAN 4 000/5100 SE Platf orm Perf ormance...
Page 762 0– 40° C 0– 40° C 0– 40° C Operating 0– 4921' 0– 4921' 0– 4921' 0– 4921' 0– 4921' altitude (1,500 m) (1,500 m) (1,500 m) (1,500 m) (1,500 m) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.762...
Page 763 CE, VCCI, CNS, CE, VCCI, CNS, CE, VCCI, CNS, CE, VCCI, CNS, AN/NES AN/NES AN/NES AN/NES AN/NES susceptibility standards Environmental RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE compliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.763...
Page 764 ﬂoor and has sufﬁcient airﬂow. Only trained and qualiﬁed personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.764...
Page 765 One fiber patch cable One standard 4-post rail kit Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit. In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.
Page 766 T wo empty rack units for SD-WAN 4000/5000 appliances. Note: You can order the following rail kits separately. Compact 4-post rail kit, which fits racks of 23 to 33 inches. 2-post rail kit, which fits 2-post racks. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.766...
Page 767 T o prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement. Never remove a power supply cover or any sealed part that has the following label: https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.767...
Page 768 T he handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.768...
Page 769 To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.769...
Page 770 An assembly consists of an inner rail and a rack rail. T he supplied rail kit is 28 inches long (38 inches extended). Contact your Citrix sales representative to order a 23-inch (33 inches extended) rail kit.
Page 771 3. Install the adjustable rail assembly into the rack as shown in the following ﬁgures. Use a screw to lock the rear rail ﬂange into the rack. With the screw securing the rail in place, you can optionally remove the latching spring. Figure 4. Installing the Rail Assembly to the Rack https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.771...
Page 772 2. Slide the appliance into the rack rails, keeping the pressure even on both sides. 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Figure 5. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.772...
Page 773 Some SD-WAN 4000/5000 appliances do not require SFP transceivers. Warning SD-WAN 4000/5000 appliances do not support 1G SFP transceivers from vendors other than Citrix Systems. Attempting to install third-party 1G SFP transceivers on your SD-WAN 4000/5000 appliance voids the warranty.
Page 774 5. Put the 1G SFP transceiver into its original box or another appropriate container. Warning Do not look directly into ﬁber optic transceivers or cables. T hey emit laser beams that can damage your eyes. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.774...
Page 775 10G SFP+ transceivers, the speed is also autonegotiated. Caution: SD-WAN 4000/5000 appliances do not support 10G SFP+ transceivers provided by vendors other than Citrix Systems. Attempting to install third-party 10G SFP+ transceivers on your SD-WAN 4000/5000 appliance voids the warranty.
Page 776 T o install the patch cable 1. Connect the LC-to-LC cable to the ports. 2. Insert one end of the cable into port 10/3. 3. Insert the other end of the cable into port 10/4. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.776...
Page 777 Figure 2. Inserting a console cable Note To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach the cable to it. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.777...
Page 778 Note: T he appliance emits a high-pitched alert if one power supply fails or if you connect only one power cable to the appliance. T o silence the alarm, you can press the small red button located on the back panel of the appliance. Figure 3. Inserting a power cable https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.778...
Page 779 2. Press the ON/OFF toggle power switch on the back panel of the appliance. Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.779...
Page 780 An appropriate appliance or group of appliances must be selected to support both the current and anticipated load. A deployment mode must be selected to match the requirements of your site. Other aspects must also be considered. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.780...
Page 781 Provide enough capacity for expected expansion over the life of the deployment. SD-WAN 4000/5000 appliances using the same hardware platform can have their capacity upgraded with a new license as part of the Citrix pay-as-you-grow program. SD-WAN 4000/5100 models 300, 500, and 1000 use one hardware platform, and models 1000 and 2000 use another hardware platform.
Page 782 Inline mode is convenient for smaller WAN networks and simpler datacenters. It is most commonly used with the SD- 300 and 500, and more rarely with the larger appliances. 4 0 0 0 /510 0 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.782...
Page 783 Optional load balancing behavior includes the use of static routing (for hand-crafted load balancing) and variations on the least-connection with AgentID and SRCIPDEST IP persistence methods used in the default conﬁguration. T he behavior for https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.783...
Page 785 10. Identified any QoS devices or proxies in the path between the local and remote sites. QoS devices should be on the WAN side of SD-WAN 4000/5100. Proxies should be on the LAN side. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.785...
Page 786 After checking the connections, you are ready to deploy the SD-WAN 4000 and 5100 appliances on the network. T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 787 Model 2000: Eight Before you start provisioning the appliance, Citrix recommends that you have the license ﬁle with you, as it is required early in the conﬁguration process To download a license ﬁle, complete the procedure described in the My Account All Licensing Tools - User Guide.
Page 788 You can change the management IP address by connecting a computer to the appliance through either the Ethernet port or the serial console. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.788...
Page 789 13. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 14. Log on to the appliance. 15. T o complete the configuration process, see Provisioning the Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.789...
Page 791 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 16. T o complete the configuration process, see Provisioning the Appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.791...
Page 792 Setting up the SD-WAN Appliance Nov 22, 20 16 To set up your NetScaler SD-WAN Appliance hardware, see the instructions documented in the Setting up the Appliance Hardware section. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.792...
Page 793 SD-WAN 4000/5100 SE appliances have one recommended deployment mode: Inline. T his mode is commonly used without high availability (HA), and less commonly with HA. Citrix recommends WCCP mode supported on WANOP appliances, with a single router and without HA, for most deployments. Use inline mode when WCCP is not available.
Page 794 IP addresses. Do not change the default forwarding method. See the Virtual Inline Deployment mode instructions for more information. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.794...
Page 795 You must enable MAC Based Forwarding (MBF) Use Subnet IP address (USNIP), and Return To Ethernet Sender options on the NetScaler instance. T his section contains Citrix validated deployment topologies for virtual inline mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved.
Page 796 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.796...
Page 797 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.797...
Page 798 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.798...
Page 799 Enable Layer 3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configure a Router https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.799...
Page 800 T 4. Subnet IP address 172.17.17.2 Subnet IP address for NetScaler on external traffic subnet. T 5. Subnet IP address 172.17.18.2 Subnet IP address for NetScaler on external traffic subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.800...
Page 801 Port used for accelerated traffic. T 9. T raffic Port 10/6 Port used for accelerated traffic. Note: Ports 10/3 and 10/4 are reserved for loopback cable. Do not configure these ports as traffic ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.801...
Page 802 Enable L3 Mode Enable the Return to Ethernet Sender Mode Add a Subnet IP Address Bind the Subnet IP Address to VLAN of Data Interface Configuring the Instance for Connection Migration https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.802...
Page 803 T o enable layer 3 mode and disable layer 2 mode by using t he command line int erf ace, run t he f ollowing commands commands > enable ns mode L3 > disable ns mode l2 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.803...
Page 804 T o enable t he Ret urn t o Et hernet Sender mode by using t he command line int erf ace, run t he f ollowing command command > set L2Param -returnToEthernetSender ENABLED https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.804...
Page 805 > add ns ip 172.17.17.2 255.255.255.0 > add ns ip 172.17.18.2 255.255.255.0 Note: Run the second command only if you are configuring the appliance for two links. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.805...
Page 806 > bind vlan 1007–IPAddress 172.17.17.2 255.255.255.0 > bind vlan 1009–IPAddress 172.17.18.2 255.255.255.0 Note: Run the second command only if you are configuring the appliance for two links. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.806...
Page 807 VLANs f or connect ion migrat ion by using t he command line int erf ace, run t he f ollowing f ollowing commands commands > unbind vlan 1009 –ifnum 10/6 > unbind vlan 1009 –IPAddress 172.17.18.2 255.255.255.0 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.807...
Page 809 Note: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy based routing do not support health checking. T he health-monitoring feature is relatively new. It was first available in Cisco IOS release 12.3(4)T .
Page 810 T his configuration redirects all matching IP traffic to the appliances. If you want to redirect only T CP traffic, you can change the access-list configuration as follows (only the remote side's configuration is shown here): ip access-list extended server_side permit tcp 10.200.51.0 0.0.0.255 10.20.20.0 0.0.0.255 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.810...
Page 811 10.20.20.0 0.0.0.255 10.200.51.0 0.0.0.255 To conﬁgure high availability between routers, see the router-speciﬁc high availably conﬁguration manual. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.811...
Page 812 3. Verify that the Accelerated Connections tab displays entries for the accelerated connections, as shown in the following screen shot. T his tab displays an entry each for all accelerated connections. Figure 1. T he Accelerated Connections tab https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.812...
Page 813 Inline mode is currently recommended only for sites where WCCP is not practical, and which have a single WAN link, or have fully independent WAN links that do not use dynamic routing, load-balancing, or fail-over. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.813...
Page 814 L2 (bridged) mode, but the accelerators are connected internally to the NetScaler instance in a one-arm conﬁguration. Inline mode is the easiest mode to conﬁgure. You connect one port of an accelerated pair to the WAN router and the https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.814...
Page 816 4 -ifnum 1/7 1/8 add interfacePair 5 -ifnum 10/1 10/2 SD-WAN 5100 SD-WAN 5100 add interfacePair 1 -ifnum 10/1 10/2 add interfacePair 2 -ifnum 10/4 10/5 add interfacePair 3 -ifnum 10/6 10/7 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.816...
Page 817 NetScaler instance until we bind the NetScaler IP addresses to the VLAN. Adding such a VLAN does not require a restart. T his method is recommended for all VLANs except the management subnet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.817...
Page 818 A bypass event occurs if the NetScaler instance or the bypass daemon in Dom-0 becomes unresponsive. A bypass event is not triggered by accelerators becoming unresponsive. T he 1-Gigabit bypass ports are copper, and 10-Gigabit bypass ports are fiber ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.818...
Page 819 4. Access the NetScaler instance on appliance #1, by specifying its IP address (M17) in a web browser. 5. Log on to the NetScaler instance. 6. In the Navigation pane, expand the System node. 7. Select the High Availability node. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.819...
Page 820 10. Click OK. T he appliances are now configured as a high availability pair, as shown in the following figure. Figure 3. Configuring high availability on the NetScaler instance Note: T o learn more about setting up high availability on a NetScaler instance, see the High Availability node of the Citrix eDocs website.
Page 821 T he SD-WAN Standard Edition 1000 and 2000 appliances combine virtualized instances of the SD-WAN appliance. T he SD-WAN Standard Edition 1000 and 2000 appliances are based on the Citrix branch architecture, which supports multiple virtual machines. All branch appliances contain a SD-WAN Standard Edition instance, a management service instance, and a Xen hypervisor.
Page 822 100 Mbps. T he following ﬁgure shows the front panel of a SD-WAN 1000-SE appliance. Figure 1. Citrix NetScaler SD-WAN 1000-SE front panel T he front panel of the SD-WAN 1000-SE appliance has a power button and ﬁve LEDs.
Page 823 Power – Indicates that the power supply units are receiving power and operating normally. T he following ﬁgure shows the back panel of a SD-WAN 1000-SE appliance. Figure 2. Citrix NetScaler SD-WAN 1000-SE appliance , back panel T he following components are visible on the back panel of a SD-WAN 1000-SE appliance:...
Page 824 NetScaler SD-WAN 2000 SE Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 2000-SE platform is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory. T he following figure shows the front panel of the SD-WAN 2000-SE appliance.
Page 825 Non-maskable interrupt (NMI) button, for use at the request of T echnical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation. Single power supply, rated at 300 watts, 100-240 volts. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.825...
Page 826 26 L x 18.5 W x 6.5" H 32 L x 23.5 W x 7.5" H and weight 14.5 lbs 39 lbs Environment al and Regulat ory Environment al and Regulat ory https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.826...
Page 827 FCC Class A, EN 55022 Class A, EN 61000-3- FCC (Part 15 Class A), CE, C-T ick, VCCI-A, CCC, susceptibility 2/-3-3, CISPR 22 Class A KCC, NOM, SASO, SABS, PCT certifications Environmental RoHS, WEEE RoHS, WEEE certifications https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.827...
Page 828 MGMT (Blue) 0/1 (LOM/PRI) Primary 0/2 (AUX) apA LAN1 (Green) apA.1 apA WAN1 apA.2 apB LAN2 apB.1* apB WAN2 apB.2* * Available to the SD-WAN instance only in four-port mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.828...
Page 829 SD-WAN 1000-SE appliance, this port is labeled as MGMT (management) port and on SD-WAN 2000-SE appliance, the port is labeled as PRI (primary) port. To complete the installation, you switch on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.829...
Page 830 A SD-WAN 1000-SE or 2000-SE appliance requires one rack unit. Both are rack-mount devices that can be installed into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.830...
Page 831 Rack Mounting an SD-WAN 1000-SE Appliance Apr 0 9, 20 14 SD-WAN 1000-SE appliance is not shipped with rails. You can mount the appliance to the rack by using the front mounting ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.831...
Page 832 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Note: T he illustration in the following figure might not represent your actual appliance. Figure 1. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.832...
Page 833 1. Insert the DB-9 connector at the end of the cable into the console port. On 1000-SE 1000-SE appliance, the port is located on the back panel. On 2000-SE 2000-SE appliance, the port is located on the front panel. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.833...
Page 834 A SD-WAN appliance has one power supply. A separate ground cable is not required, because the three-prong plug provides grounding. Provide power to the appliance by installing the power cord. Connect the other end of the power cable to a standard 110V/220V power outlet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.834...
Page 835 3. On SD-WAN 2000-SE appliance, verify that the LCD on the front panel is backlit and the start message appears Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs, you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.835...
Page 836 After checking the connections, you are ready to deploy the SD-WAN 1000-SE and 2000-SE appliances on the network. T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 837 In the Worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, print out the worksheet before you start the configuration process. You should already have a SD-WAN license key from Citrix, sent in an email. If you are using remote licensing, you need the IP address of the licensing server.
Page 838 Windows Server does not have access to ports 1/3 and 1/4. DNS Server None IP address of the DNS server. Citrix recommends that you specify a valid DNS server IP address. T his is a mandatory parameter. SD-WAN Conf igurat ion...
Page 839 Syst em Set t ings NT P Server (none) IP address of the NT P server. Citrix recommends that you specify a valid NT P server IP address. You can either enter the IP address or the server name. T ime Zone UT C Specify the time zone for your location.
Page 840 Done . A screen showing the Installation in Progress… message appears. T his process takes approximately 2 to 5 minutes, depending on your network speed. Note: If you are configuring the appliance by connecting it to your computer through the serial console port, skip step 8 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.840...
Page 841 Licensing Server Address Licensing Server Address field. 19. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
Page 842 WCCP (WANOP only) and virtual inline installations connect a single accelerated bridge port to your WAN router. Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See Router Configuration. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.842...
Page 843 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.843...
Page 844 Setting up the SD-WAN Appliance Nov 23, 20 16 To set up your NetScaler SD-WAN Appliance hardware, see the instructions documented in the Setting up the Appliance Hardware section. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.844...
Page 845 Virtua l inline m o de , be a router, but it uses no routing tables. It sends the return traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.845...
Page 846 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). Deprecat ed modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new Deprecat ed modes. installations. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.846...
Page 847 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present) Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.847...
Page 848 T raffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.848...
Page 849 Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. T he bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
Page 850 Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.850...
Page 851 T he Aux1 port is identical to the Primary port. If the Aux1 port is enabled and the Primary port is not, the appliance takes its identity from the Aux1 port's IP address. If both are enabled, the Primary port's IP address is the unit's identity https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.851...
Page 852 (GUI and CLI) listen only to trafﬁc on that VLAN. If no VLAN is assigned, the management interfaces listen only to trafﬁc without a VLAN. T his selection is made on the Conﬁguration: Appliance Settings: Network Adapters: IP Addresses tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.852...
Page 853 Inline mode is most effective when applied to all trafﬁc ﬂowing into and out of a site, but it can be used for only some of the site's trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.853...
Page 854 T his is true even if the Primary port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the default) when not in use. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.854...
Page 855 T his is done by setting the bandwidth limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even at full link utilization. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.855...
Page 856 SD-WAN trafﬁc shaping relies on controlling the entire link, so trafﬁc shaping is not effective with this topology, because the appliance sees only a portion of link trafﬁc. Latency control is up to the bottleneck gateway, and interactive responsiveness can suffer. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.856...
Page 857 Conﬁguring and Troubleshooting Inline Mode Dec 26, 20 12 Inline mode requires only basic conﬁguration, because it is applied automatically to any packets passing through the accelerated bridge. Troubleshooting is described under . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.857...
Page 858 Note: Use virtual inline mode only when inline mode is not possible. Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
Page 859 To specif y t he packet -f orwarding opt ion— On the Conﬁguration: Optimization Rules: Tuning page, next to Virtual Inline, select Return to Ethernet Sender or Send to Gateway. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.859...
Page 860 Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-based routing do not support health-checking. T he health-monitoring feature is relatively new. It became available in Cisco IOS release 12.3(4)T .
Page 861 !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 192.168.1.200 20 track 123 route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 192.168.1.200 10 track 123 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.861...
Page 862 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.862...
Page 864 T he local appliance must use the default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. Virtual Inline Mode With T wo WAN Routers https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.864...
Page 865 Virtual IP address of the HA pair, not the IP address of an individual appliance, is used in the router conﬁguration tables. In this example, the local appliances must use default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. High-availability Example https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.865...
Page 866 WAN trafﬁc and outgoing WAN trafﬁc are being forwarded to the appliance. If only one direction is forwarded, acceleration cannot take place. To test health-checking, power down the appliance. T he router should stop forwarding trafﬁc after the health-checking algorithm times out. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.866...
Page 867 IP address for management, in addition to each appliance's management IP address. If the primary appliance fails, the secondary appliance takes over. Failover takes approximately ﬁve seconds. High availability mode is a standard feature. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.867...
Page 868 T he appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with the router. Upon failover, the new primary appliance establishes WCCP communication with the router. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.868...
Page 869 Without ST P, failover time is roughly ﬁve seconds. T hus, to achieve the briefest possible failover interval, disable ST P on the ports connecting to the appliances. Figure 2. Ethernet Port Locations (Older Models) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.869...
Page 870 Be equipped with Ethernet bypass cards. T o determine what is installed in your appliances, see the Dashboard page. Appliances that do not support HA display a warning on the Conﬁguration: High Availability page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.870...
Page 871 IP address is mostly disabled, with most parameters grayed out. A warning message displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary appliance's HA state from its management UI. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.871...
Page 872 If this is not the case, a warning banner appears at the top of the screen, indicating the nature of the problem. Figure 1. High-availability configuration page https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.872...
Page 873 3. On the primary appliance, update the software, and then reboot. T he reboot causes a failover, and the secondary appliance becomes the primary. When the reboot is completed, HA should become fully established, because both appliances are running the same software. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.873...
Page 874 7. Log on to Appliance A’s GUI and reenable HA on the Configuration: Advanced Deployments: High Availability (HA) tab. T he appliance get its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.874...
Page 875 Incorrect or incomplete cabling between the appliances does not allow the HA heartbeat to pass between them. T he HA/Group Mode SSL Certificates on one or both appliances are damaged or missing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.875...
Page 876 It offers a combination of Virtual WAN and WAN Optimization capabilities. T he SD-WAN 1000 EE and 2000 EE appliances are based on the Citrix branch architecture, which supports multiple virtual machines. All branch appliances contain a SD-WAN instance, a management service instance, and a Xen hypervisor.
Page 877 SD-WAN 2000 EE Appliance Apr 10 , 20 17 T he Citrix NetScaler SD-WAN 2000 EE platform is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory. T he following figure shows the front panel of the SD-WAN 2000 EE appliance.
Page 878 Non-maskable interrupt (NMI) button, for use at the request of T echnical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation. Single power supply, rated at 300 watts, 100-240 volts. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.878...
Page 879 SD-WAN 1000 EE Appliance Apr 10 , 20 17 T he Citrix Netscaler SD-WAN 1000 EE platform has a quad-core processor and 32 GB of memory. T his platform has a bandwidth of up to 100 Mbps. T he following ﬁgure shows the front panel of a SD-WAN 1000 EE appliance.
Page 880 T he following ﬁgure shows the back panel of a SD-WAN 1000 EE appliance. Figure 2. Citrix NetScaler SD-WAN 1000 EE appliance , back panel T he following components are visible on the back panel of a SD-WAN 1000 EE appliance:...
Page 881 8.5 lbs (3.9 kg) 32 lbs (14.5 kg) Shipping dimensions 26 L x 18.5 W x 6.5" H 32 L x 23.5 W x 7.5" H and weight 14.5 lbs 39 lbs https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.881...
Page 882 FCC (Part 15 Class A), CCC, KCC, NOM, SASO, susceptibility CIT C, EAC, DoC, CE, VCCI, RCM CIT C, EAC, DoC, CE, VCCI, RCM certifications Environmental RoHS, WEEE RoHS, WEEE certifications https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.882...
Page 883 MGMT (Blue) 0/1 (LOM/PRI) Primary 0/2 (AUX) apA LAN1/WCCP (Green) apA.1 apA WAN1 apA.2 apB LAN2 apB.1* apB WAN2 apB.2* * Available to the SD-WAN instance only in four-port mode. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.883...
Page 884 SD-WAN 1000 EE appliance, this port is labeled as MGMT (management) port and on SD-WAN 2000 EE, the port is labeled as PRI (primary) port. To complete the installation, you switch on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.884...
Page 885 A SD-WAN 1000 EE or 2000 EE appliance requires one rack unit. Both are rack-mount devices that can be installed into two- post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.885...
Page 886 Rack Mounting a SD-WAN 1000 EE Appliance Apr 0 9, 20 14 SD-WAN 1000 EE appliance is not shipped with rails. You can mount the appliance to the rack by using the front mounting ports. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.886...
Page 887 3. Verify that the appliance is locked in place by pulling it all the way out from the rack. Note: T he illustration in the following figure might not represent your actual appliance. Figure 1. Rack Mounting the Appliance https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.887...
Page 888 1. Insert the DB-9 connector at the end of the cable into the console port. On SD-WAN 1000 1000 appliance, the port is located on the back panel. On SD-WAN 2000 2000 appliance, the port is located on the front panel. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.888...
Page 889 A SD-WAN appliance has one power supply. A separate ground cable is not required, because the three-prong plug provides grounding. Provide power to the appliance by installing the power cord. Connect the other end of the power cable to a standard 110V/220V power outlet. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.889...
Page 890 2000 appliance, verify that the LCD on the front panel is backlit and the start message appears Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs, you can quickly remove power from the appliance. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.890...
Page 891 After checking the connections, you are ready to deploy the SD-WAN 1000 and 2000 appliances on the network. T he appliance shipped from Citrix has default IP addresses conﬁgured on it. To deploy the appliance on the network, you must conﬁgure the appropriate IP addresses on the appliance to accelerate the network trafﬁc.
Page 892 In the Worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, print out the worksheet before you start the configuration process. You should already have a SD-WAN license key from Citrix, sent in an email. If you are using remote licensing, you need the IP address of the licensing server.
Page 893 Note: If you are configuring the appliance by connecting it to your computer through the serial console port, skip step 8 through step 14. 8. A Redirecting to new management IP message appears. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.893...
Page 894 Licensing Server Address Licensing Server Address field. 18. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
Page 895 15. T o continue the configuration, accept the certificate and continue. T he option to continue varies according to the web browser you are using. 16. Run steps 4 through 25 of the Configuring the Appliance by Connecting a Computer to the Ethernet Port procedure to complete the configuration process https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.895...
Page 896 Setting up the SD-WAN Appliance Nov 23, 20 16 To set up your NetScaler SD-WAN Appliance hardware, see the instructions documented in the Setting up the Appliance Hardware section. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.896...
Page 897 WCCP mode (WAN OP ), which uses the WCCP v. 2.0 protocol to communicate with the router. T his mode is easy to WCCP mode (WAN OP ), configure on most routers. WCCP has two variants: WCCP-GRE and WCCP-L2. WCCP-GRE encapsulates the WCCP https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.897...
Page 898 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). Deprecat ed modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new Deprecat ed modes. installations. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.898...
Page 899 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present) Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.899...
Page 900 T raffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.900...
Page 901 Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. T he bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
Page 902 Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.902...
Page 903 T he Aux1 port is identical to the Primary port. If the Aux1 port is enabled and the Primary port is not, the appliance takes its identity from the Aux1 port's IP address. If both are enabled, the Primary port's IP address is the unit's identity https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.903...
Page 904 (GUI and CLI) listen only to trafﬁc on that VLAN. If no VLAN is assigned, the management interfaces listen only to trafﬁc without a VLAN. T his selection is made on the Conﬁguration: Appliance Settings: Network Adapters: IP Addresses tab. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.904...
Page 905 Inline mode is most effective when applied to all trafﬁc ﬂowing into and out of a site, but it can be used for only some of the site's trafﬁc. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.905...
Page 906 T his is true even if the Primary port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the default) when not in use. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.906...
Page 907 T his is done by setting the bandwidth limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even at full link utilization. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.907...
Page 908 SD-WAN trafﬁc shaping relies on controlling the entire link, so trafﬁc shaping is not effective with this topology, because the appliance sees only a portion of link trafﬁc. Latency control is up to the bottleneck gateway, and interactive responsiveness can suffer. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.908...
Page 909 Conﬁguring and Troubleshooting Inline Mode Dec 26, 20 12 Inline mode requires only basic conﬁguration, because it is applied automatically to any packets passing through the accelerated bridge. Troubleshooting is described under . https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.909...
Page 910 Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
Page 911 To specif y t he packet -f orwarding opt ion— On the Conﬁguration: Optimization Rules: Tuning page, next to Virtual Inline, select Return to Ethernet Sender or Send to Gateway. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.911...
Page 912 Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-based routing do not support health-checking. T he health-monitoring feature is relatively new. It became available in Cisco IOS release 12.3(4)T .
Page 913 !- Now set the appliance as the next hop, if it’s up. set ip next-hop verify-availability 192.168.1.200 20 track 123 route-map client_side_map permit 10 match ip address client_side set ip next-hop verify-availability 192.168.1.200 10 track 123 https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.913...
Page 914 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.914...
Page 916 T he local appliance must use the default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. Virtual Inline Mode With T wo WAN Routers https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.916...
Page 917 Virtual IP address of the HA pair, not the IP address of an individual appliance, is used in the router conﬁguration tables. In this example, the local appliances must use default virtual inline conﬁguration (Return to Ethernet Sender). Figure 1. High-availability Example https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.917...
Page 918 WAN trafﬁc and outgoing WAN trafﬁc are being forwarded to the appliance. If only one direction is forwarded, acceleration cannot take place. To test health-checking, power down the appliance. T he router should stop forwarding trafﬁc after the health-checking algorithm times out. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.918...
Page 919 IP address for management, in addition to each appliance's management IP address. If the primary appliance fails, the secondary appliance takes over. Failover takes approximately ﬁve seconds. High availability mode is a standard feature. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.919...
Page 920 T he appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with the router. Upon failover, the new primary appliance establishes WCCP communication with the router. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.920...
Page 921 Without ST P, failover time is roughly ﬁve seconds. T hus, to achieve the briefest possible failover interval, disable ST P on the ports connecting to the appliances. Figure 2. Ethernet Port Locations (Older Models) https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.921...
Page 922 Be equipped with Ethernet bypass cards. T o determine what is installed in your appliances, see the Dashboard page. Appliances that do not support HA display a warning on the Conﬁguration: High Availability page. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.922...
Page 923 IP address is mostly disabled, with most parameters grayed out. A warning message displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary appliance's HA state from its management UI. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.923...
Page 924 If this is not the case, a warning banner appears at the top of the screen, indicating the nature of the problem. Figure 1. High-availability configuration page https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.924...
Page 925 3. On the primary appliance, update the software, and then reboot. T he reboot causes a failover, and the secondary appliance becomes the primary. When the reboot is completed, HA should become fully established, because both appliances are running the same software. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.925...
Page 926 7. Log on to Appliance A’s GUI and reenable HA on the Configuration: Advanced Deployments: High Availability (HA) tab. T he appliance get its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.926...
Page 927 Incorrect or incomplete cabling between the appliances does not allow the HA heartbeat to pass between them. T he HA/Group Mode SSL Certificates on one or both appliances are damaged or missing. https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.927...
Page 928 VPX Express licenses. For Amazon EC2 instances, you can use either Citrix licensing or select a product with built-in licensing for the bandwidth limit you desire (2, 10, 20, or 45 Mbps).
Page 937 Login: admin Password: password admin> set adapter apa -ip 172.16.0.213 -netmask 255.255.255.0 -gateway 172.16.0.1 admin> restart admin password https://docs.citrix.com © 1999-2017 Citrix Systems, Inc. All rights reserved. p.937...

This manual is also suitable for:

Netscaler vw Netscaler se Netscaler wanop