Citrix SD-WAN WANOP 10.2
Citrix Product Documentation | docs.citrix.com
October 27, 2020

Summary of Contents for Citrix SD-WAN WANOP 10.2

  • Page 1 Citrix SD-WAN WANOP 10.2 Citrix Product Documentation | docs.citrix.com October 27, 2020...
  • Page 2: Table Of Contents

    Sites with one WAN router Sites with multiple WAN routers Appliance failure handled in various deployment modes Supported mode and feature matrix Configure Citrix SD-WAN WANOP plug-in with Access Gateway VPNs Deploy SD-WAN WANOP VPX on Microsoft Azure SD-WAN WANOP upgrading procedure Initial Configuration...
  • Page 3 Monitoring and Troubleshooting Group Mode When to Use Group Mode How Group Mode Works Enabling Group Mode Forwarding Rules Monitoring and Troubleshooting Group Mode Customizing the Ethernet ports How High-Availability Mode Works Cabling Requirements © 1999-2020 Citrix Systems, Inc. All rights reserved.
  • Page 4 RPC over HTTPS SCPS Secure peering SSL Acceleration Citrix SD-WAN WANOP plug-in Traffic shaping Upgrade (OS) Process Video caching Office 365 Acceleration Compression HTTP acceleration How HTML5 works Internet Protocol version 6 (IPv6) acceleration
  • Page 5 Office 365 acceleration SCPS support Secure traffic acceleration Secure peering CIFS, SMB2, and MAPI Configure Citrix SD-WAN WANOP appliance to optimize secure Windows traffic Configure CIFS and SMB2/SMB3 acceleration Configure MAPI acceleration SSL compression How SSL compression works Configure SSL compression...
  • Page 6 Citrix SD-WAN WANOP client plug-in Hardware and software requirements How WANOP plug-in works Deploy appliances for use with plug-ins Customize plug-in’s MSI file Deploy plug-ins on Windows Citrix SD-WAN WANOP plug-in GUI
  • Page 7 Optimize Citrix Receiver for HTML5 Deployment modes Adaptive transport interoperability XenServer 6.5 upgrade Maintenance Diagnostics Troubleshooting CIFS and MAPI Citrix SD-WAN WANOP plug-in RPC over HTTPS Video caching XenApp and XenDesktop acceleration
  • Page 8: About Citrix Sd-Wan Wanop

    A link from a site with a Citrix SD-WAN WANOP appliance to a site that does not have a Citrix SD-WAN WANOP appliance functions normally, but its traffic is not accelerated.
  • Page 9 Safeguarding the responsiveness of their connections requires advanced network acceleration. The Citrix SD-WAN WANOP product line protects your productivity by providing reliable WAN and Internet link performance through a set of multiple, interlocking optimizations, each reinforcing the others.
  • Page 10 SD-WAN WANOP allows it to send, without ever dropping a packet, and this data is placed on the link at exactly the right rate to keep the link full without overflowing. By eliminating excess data, Citrix SD-WAN WANOP is not forced to discard it. Without Citrix SD-WAN WANOP, the dropped packets have to be sent again, causing unnecessary delays.
  • Page 11 Auto detection for minimal configuration. Because the solution is double-ended, requiring that a Citrix SD-WAN WANOP product be present at both ends of the link, deployment would seem to impose a burden on remote offices, especially ones without dedicated IT staff. However, Citrix SD-WAN WANOP is designed to be very easy to install and maintain.
  • Page 12 The capabilities of products that run on your own hardware, such as the Citrix SD-WAN WANOP Plug-in and Citrix SD-WAN WANOP VPX, depend on the speed of the hardware and the amount of system resources that you dedicate to acceleration.
  • Page 13 How acceleration works: The pipeline To see how the Citrix SD-WAN WANOP appliance works, take a close look at the diagram of the traffic-flow pipeline. As you can see, there are two pipelines: 1.
  • Page 14 Citrix SD-WAN WANOP compressor. The compressor is very fast, allowing high compression ratios to be maintained at full WAN speeds. With Citrix SD-WAN WANOP processing, a file that compresses at a 100:1 ratio can easily be sent over a 1 Mbps link with an overall throughput of 100 Mbps.
  • Page 15 Auto-detection and packet-level transformation The auto-detection algorithm inserts TCP header options to announce the presence of a Citrix SD-WAN WANOP appliance and to facilitate negotiation. These options are in the range of 24-31. The following packet-level transformations are used: •...
  • Page 16 Citrix SD-WAN WANOP appears to be a bridge device. Packets entering on one bridge port appear to exit the other one. Of course, Citrix SD-WAN WANOP transforms data in a variety of ways, so in many cases the packet exiting the second port is not identical to the one that entered the first port, but that is how it appears to the rest of the network.
  • Page 17: Get Started With Citrix Sd-Wan Wanop

    Acceleration Enhances Performance when Traffic Passes through Two Appliances For sites with only one WAN network, these criteria can be met by placing the Citrix SD-WAN WANOP appliance inline with the WAN. In more complex sites, other options are available. Some, such as WCCP support, are available on all models.
  • Page 18: Select An Appliance Based On Capacity

    When evaluating your options, consider the importance of keeping various segments of your network up and running in the event that a device fails or has to be disabled. For inline deployments, Citrix recommends an Ethernet bypass card. This card, which is optional on Citrix SD-WAN WANOP appliances, has a relay that closes if the appliance fails, allowing packets to pass through even if power is lost or removed.
  • Page 19 Table 2. XenApp/XenDesktop User Capacity (model name for the first row cut off): 10-30; SD-WAN WANOP 800: 20-100; SD-WAN WANOP 2000, 2000WS: 100-300; SD-WAN WANOP 3000: 300-500; SD-WAN WANOP VPX: 20-350; SD-WAN WANOP 4000: 750-2,500; SD-WAN WANOP 5000: 3,500-5,000
  • Page 20 5000 Data lifetime at 100% link utilization SD-WAN WANOP 8 days 19 hours SD-WAN WANOP 47 days 4.7 days 2000, 2000WS SD-WAN WANOP 239 days 24 days 2.4 days 6 hours 5000
  • Page 21: Select The Deployment Mode Based On Datacenter Topology

    VPNs affects the placement of the appliance in your network. Access Gateway appliances support Citrix SD-WAN WANOP TCP optimizations, enabling accelerated VPN connections when Citrix SD-WAN WANOP appliances are deployed with Access Gateway. Overview of deployment modes The appliance can be deployed in the following modes: Forwarding modes •...
  • Page 22: Sites With One Wan Router

    WANOP Plug-in. In transparent mode, the Plug-in initiates connections in essentially the same way as the Citrix SD-WAN WANOP appliance, keeping the original IP address and port number of the connection and adding Citrix SD-WAN WANOP options to the TCP/IP headers of selected packets.
  • Page 23 Citrix SD-WAN WANOP 10.2 For a site with only one WAN router, the main issue in deployment is to allow the Citrix SD-WAN WANOP appliance to work in harmony with the router. The following figure shows the recommended deployment modes for a single router. Compare it to your router cabling to find the best mode for your environment.
  • Page 24: Sites With Multiple Wan Routers

    If sites C and D always use the direct path, C-D or D-C, when sending traffic to each other, everything is fine. However, packets that take the
  • Page 25 • Multiple Bridges. An appliance with two accelerated bridges, or accelerated pairs, (for example, apA and apB), allows two links to be accelerated in inline mode. The two links can be fully independent, load-balanced, or primary/backup links.
  • Page 26 One end of the link can use virtual inline mode while the other end uses group mode. The two ends of a link do not have to use the same forwarding mode. Sites with Only One WAN Link Cannot Have Asymmetric Routing Problems
  • Page 27: Appliance Failure Handled In Various Deployment Modes

    Appliance failure handled in various deployment modes November 22, 2018 Citrix SD-WAN WANOP appliances have safeguards against loss of connectivity in case of software, hardware, and power failures. These safeguards are mode-dependent. In inline mode, appliances maintain network continuity in the event of hardware, software, or power failure.
  • Page 28 Combi- tions, Units WITH Ether- Bypass Cards Config. Inline Virtual WCCP- WCCP- Multiple High Group Inline Bridges Avail. Mode Citrix SD- WANOP Plug-in Inline Virtual Inline WCCP- WCCP- Multiple Bridges High Avail.
  • Page 29 Cards Supported Combi- tions, Units WITH- Ether- Bypass Cards Config. Inline Virtual WCCP- WCCP- Multiple High Group Inline Bridges Avail. Mode Citrix SD- WANOP Plug-in Inline Virtual Inline WCCP- WCCP- Multiple Bridges
  • Page 30: Configure Citrix Sd-Wan Wanop Plug-In With Access Gateway Vpns

    Citrix SD-WAN WANOP Plug-in check box. 2. Make sure that the IP addresses used by the Citrix SD-WAN WANOP (redirector IP and management IP) have access enabled in the Network Resources section on the Access Policy Manager page.
  • Page 31 VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated. One-Arm VPN Acceleration, Option B
  • Page 32: Deploy Sd-Wan Wanop Vpx On Microsoft Azure

    Citrix SD-WAN WANOP as a standalone VPX in Azure Cloud. However, you can deploy Citrix SD-WAN WANOP VPX along with Citrix ADC VPX in Azure cloud infrastructure. The Citrix ADC uses cloud connector to create an IPsec tunnel, while the Citrix SD-WAN WANOP VPX accelerates the connections, providing LAN-like performance for applications.
  • Page 33 You could also deploy Citrix SD-WAN WANOP and Citrix ADC appliance in two-box mode or it could both be VPX. On the Azure cloud VNET, the Citrix SD-WAN WANOP VPX is deployed in one-arm (PBR) mode with the Citrix ADC VPX.
  • Page 34 1. In Microsoft Azure, navigate to Home > Marketplace > Networking, search for Citrix SD-WAN WANOP and install it. 2. On the Citrix SD-WAN WAN OP page, from the drop-down list select Resource Manager and click Create. The Create Citrix SD-WAN WAN Optimization page appears.
  • Page 35 Citrix SD-WAN WANOP 10.2 5. In the Citrix SD-WAN WANOP settings section, configure the setting for the Citrix SD-WAN WANOP VPX as per your requirements. Click OK.
  • Page 36 Citrix SD-WAN WANOP 10.2 6. The configuration that you provided in previous steps is validated and applied. If you have configured correctly, the validation passed message appears. Click OK.
  • Page 37: Sd-Wan Wanop Upgrading Procedure

    Citrix SD-WAN WANOP 10.2 7. After successful deployment, navigate to Virtual Networks to view the Citrix SD-WAN WANOP VPX. You can further configure the virtual machine parameters using the settings option. SD-WAN WANOP upgrading procedure February 1, 2019 This section provides information about downloading and upgrading the Citrix SD-WAN WAN Optimization (WANOP) software packages.
  • Page 38 Citrix SD-WAN WANOP 10.2 Note: Before you download the software, you must obtain and register a Citrix SD-WAN software license. For information, see Licensing. Download the software packages To download the Citrix SD-WAN WANOP software packages, go to the URL;...
  • Page 39: Initial Configuration

    After checking the connections, you are ready to deploy the SD-WAN appliances on the network. The appliance shipped from Citrix has default IP addresses configured on it. To deploy the appliance on the network, you must configure the appropriate IP addresses on the appliance to accelerate the network traffic.
  • Page 40: Prerequisites

    My Account All Licensing Tools - User Guide. Installing the hardware After you receive the hardware appliance from Citrix, you need to install it in the network. To install the SD-WAN 4100/5100 appliance hardware, follow the installation procedure at Installing the Hardware.
  • Page 41: Deployment Worksheet

    Worksheet entries (parameter: example value, description; a "Your Value" column is left for your own entries). Management Subnet Gateway IP: 10.199.79.254, default gateway address serving the management subnet. Subnet Mask: 255.255.255.128, subnet mask for management subnet. Xen Hypervisor IP address: 10.199.79.225, IP address of Xen Hypervisor.
  • Page 42 NetScaler IP address: 172.17.17.2, NetScaler IP address on external traffic subnet. External Signaling IP address: 172.17.17.10, traffic to this IP address is load-balanced between the signaling IP addresses of the accelerators.
  • Page 43 UDP. T13, T14 (Not used) T15, T16 (Inline) Ports 10/5, 10/6 If multiple links used by link #2 are used with inline mode, these ports are used for link #2.
  • Page 44: Configuring The Appliance

    You can change the management IP address by connecting a computer to the appliance through either the Ethernet port or the serial console. Assigning a Management IP Address through the Ethernet Port August 28, 2019
  • Page 45 3. Click Done. A screen showing the Installation in Progress… message appears. This process takes approximately 2 to 5 minutes, depending on your network speed. 4. A Redirecting to new management IP message appears.
  • Page 46: Assigning A Management Ip Address Through The Serial Port

    3. Log on to the shell prompt of the appliance with the following default credentials: Password: nsroot. 4. At the logon prompt, run the following command to open the Management Service Initial Network Address Configuration menu: networkconfig
  • Page 47: Provisioning The Appliance

    If you receive a #SESS_CORRUPTED error at any time during these procedures, click Logout, clear your browser cache, close your browser, and open it again. To configure the appliance by using the configuration wizard:
  • Page 48 The address of the Management Service VM that you use to perform most system management tasks. This must be a valid address on the management network. • Netmask—(Item M3 on your worksheet). The subnet mask of the management network.
  • Page 49 6. Click Upload in the Update Licenses section. 7. Navigate to the folder that contains the license file and open the file. 8. Click Add License and upload the license file provided by Citrix. The license is added to the appliance, as shown in the following figure.
  • Page 50 Basic configuration is complete. Next, perform deployment-mode-specific configuration (such as for WCCP mode). Note: After the wizard completes, the appliance is configured for the basic setup. To configure the appliance for a specific deployment scenario, see
  • Page 51: Deployment Modes

    Not appliance Inline or Pass-through Not appliance Appliance Virtual Inline or L2 WCCP Appliance Appliance Direct (UI access) Appliance (VIP) Appliance High-Availability. Proxy mode Appliance (WCCP GRE Packet) Appliance WCCP GRE Mode
  • Page 52 SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode). • Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new installations.
  • Page 53: Customizing The Ethernet Ports

    (high availability), and less commonly with high availability. Currently, Citrix recommends WCCP mode, with a single router and without high availability, for most deployments. Use inline mode when WCCP is not available. Although not all of the following modes are recommended currently, they are all supported: •...
  • Page 54: Port Parameters

    • To secure the UI on ports with IP addresses, select HTTPS instead of HTTP on the Configuration: Administrator Interface: Web Access page. • Inline mode works even if a bridge has no IP address. All other modes require that an IP address be assigned to the port.
  • Page 55: Accelerated Bridges (Apa And Apb)

    Ethernet Bypass and Link-Down Propagation Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments. The bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.
  • Page 56: Motherboard Ports

    Partner Unit field on the Monitoring: Optimization: Connections page. If no motherboard port is enabled, the appliance uses the IP address of Accelerated Pair A. The Primary port is used for:
  • Page 57: Vlan Support

    Primary and Aux1. The bridged ports provide acceleration, while the motherboard ports are sometimes used for secondary purposes. Most installations use only the bridged ports. Some SD-WAN units have only the motherboard ports. In this case, the two motherboard ports are bridged.
  • Page 58: Ethernet Bypass And Link-Down Propagation

    If carrier is lost on one of the bridge ports, the carrier is dropped on the other bridge port to ensure that the link-down condition is propagated to the device on the other side of the appliance. Units that
  • Page 59: Accelerating An Entire Site

    To reserve the appliance’s accelerated bandwidth for a particular group of systems, such as remote backup servers, you can install the appliance on a branch network that includes only those systems. This is shown in the following figure. Figure 1. Inline Mode, Accelerating Selected Systems Only
  • Page 60: Configuring And Troubleshooting Inline Mode

    2 is presented. • The standard WCCP documentation calls WCCP clients “caches.” To avoid confusion with actual caches, Citrix generally avoids calling a WCCP client a “cache.” Instead, WCCP clients are typically called “appliances.” • This discussion uses the term “router” to indicate WCCP-capable routers and WCCP-capable switches.
  • Page 61 WCCP mode supports multiple routers and both GRE and L2 forwarding. Each router can have multiple WAN links. Each link can have its own WCCP service group.
  • Page 62 Service Group Tracking. If a packet arrives on one service group, output packets for the same connection are sent on the same service group. If packets arrive for the same connection on multiple service groups, output packets track the most recently seen service group for that connection.
  • Page 63 For more information about deploying SD-WAN appliances as a cluster, see WCCP Clustering. WCCP Specification For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.org/html/draft-mclaggan-wccp-v2rev1-00.
  • Page 64: Wccp Mode (Non-Clustered)

    Configuring the router for WCCP is very simple. WCCP version 2 support is included in all modern routers, having been added to the Cisco IOS at release 12.0(11)S and 12.1(3)T. The best router-
  • Page 65 Configure the Router The appliance negotiates WCCP-GRE or WCCP-L2 automatically. The main choice is between unicast operation (in which the appliance is configured with the IP address of each router), or multicast oper-
  • Page 66 Following is a Cisco IOS example: config term ip wccp version ip wccp group-address 225.0.0.1 Repeat the following three lines for each WAN interface
  • Page 67 6. In the Router Addressing field (if you are using unicast) or the Multicast Address field (if you are using multicast), type the router’s IP address. Use the IP for the router port used for WCCP communication with the appliance.
  • Page 68 “Level-2,” or, with “Auto,” as determined by the first router in the service group to connect. • For an incompatibility, an alert announces that the router “has incompatible router forwarding.” For Router Assignment:
  • Page 69 WCCP mode is established or lost. Figure 1. WCCP Log Entries (format varies somewhat with release) Router Status—On the router, the “show ip wccp” command shows the status of the WCCP link:
  • Page 70 • If no connections are shown, but the appliance reports that it is connected to the router, and the WCCP monitoring page shows no errors, the issue is probably with the router configuration.
  • Page 71: Wccp Clustering

    WCCP cluster has twice the performance of a single appliance, delivering both redundancy and improved performance. In addition to adding more appliances as your site’s needs increase, you can use Citrix’s “Pay as You Grow” feature to increase your appliances’ capabilities through license upgrades.
  • Page 72 Without WCCP clustering, as much capacity and fault-tolerance would require a pair of SD-WAN 4000-500 appliances in high availability mode. Only one of these appliances is active at a time.
  • Page 73 IP addresses configured on the appliance for the service group. In practice, the router’s IP address for the interface that connects it to the appliance should be used. The router’s loopback IP cannot be used.
  • Page 74 0x00 00 nn 00. The number of bits to set to one is log2(mask size): if mask size is 16, set 4 bits to one. So with a mask size of 16 and a /24 subnet, set the
  • Page 75 Router QoS can be used instead. • The WCCP-based load-balancing algorithms do not vary dynamically with load, so achieving a
  • Page 76 WCCP protocol, each member of the cluster has information about all the others, so this information can be monitored from any appliance in the cluster. Your router can also provide status information. See your router documentation.
  • Page 77: Virtual Inline Mode

    Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix does not recommend virtual inline mode with routers that do not support health monitoring.
  • Page 78: Configuring Packet Forwarding On The Appliance

    1. It must forward both incoming and outgoing WAN traffic to the SD-WAN appliance. 2. It must forward SD-WAN traffic to its destination (WAN or LAN). 3. It must monitor the health of the appliance so that the appliance can be bypassed if it fails.
  • Page 79 Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-based routing do not support health-checking. The health-monitoring feature is relatively new.
  • Page 80 172.68.1.5 255.255.255.0 ip policy route-map wan_side_map interface FastEthernet1/0 ip address 192.168.1.5 255.255.255.0 ip classless ip route 0.0.0.0 0.0.0.0 171.68.1.1 ip access-list extended client_side permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 ip access-list extended wan_side
  • Page 81 192.168.2.5 255.255.255.0 ip classless ip route 0.0.0.0 0.0.0.0 171.68.2.1 ip access-list extended client_side permit ip 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255 ip access-list extended wan_side permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255 route-map wan_side_map permit 20
  • Page 82: Virtual Inline For Multiple-Wan Environments

    WAN link used. The below figure shows a simple multiple-WAN link deployment example. The two local-side routers redirect traffic to the local appliance. The FE 0/0 ports for both routers are
  • Page 83: Virtual Inline Mode And High-Availability

    If only one direction is forwarded, acceleration cannot take place. To test health-checking, power down the appliance. The router should stop forwarding traffic after the health-checking algorithm times out. Group Mode August 28, 2019
  • Page 84: When To Use Group Mode

    • WCCP mode, in which traffic from two or more links is sent to the same appliance by WAN routers, by means of the WCCP protocol. • Virtual inline mode, in which your routers send traffic from two or more links through the same appliance (or high-availability pair).
  • Page 85: How Group Mode Works

    Do not accelerate- If a group member fails, its bypass card closes, allowing traffic to pass through without acceleration. Because an unaccelerated path introduces asymmetric routing, the other members of the group also go into pass-through mode when they detect the failure.
  • Page 86: Enabling Group Mode

    The top button reads either, Do not accelerate when member failure is detected or Continue to accelerate when member failure is detected. The “Do not accelerate…” setting always works and does not block traffic, but if any member fails, the other group members
  • Page 87: Forwarding Rules

    If traffic arrives first at the appliance that owns the connection, it is accelerated and forwarded normally. If it arrives first at a different appliance in the group, it is forwarded to its owner over a GRE
  • Page 88: Monitoring And Troubleshooting Group Mode

    Two things should be checked in a group-mode installation: • That the two appliances have entered group mode, which can be determined on either appliance’s Configuration: Advanced Deployments: Group Mode page.
  • Page 89: Customizing The Ethernet Ports

    Auxiliary1 or Aux1 (or apA.2 if no bypass card is present) Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2) Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2) Table 1. Ethernet Port Names
  • Page 90: How High-Availability Mode Works

    (several seconds) between the failure of the primary appliance and the failover to the secondary appliance. Users experience the closing of open connections, but they can open new
  • Page 91: Cabling Requirements

    Both appliances in a high availability pair must meet the following criteria: • Have identical hardware, as shown by the System Hardware entry on the Dashboard page. • Run exactly the same software release.
  • Page 92: Management Access To The High-Availability Pair

    6. Click the Configure high availability Virtual IP Address link and assign a virtual IP address to the apA interface. This address will be used later to control both appliances as a unit.
  • Page 93: Updating Software On A High-Availability Pair

    Verify that the installation succeeded. The primary appliance should show that the secondary appliance exists but that automatic parameter synchronization is not working, due to a version mismatch.
  • Page 94: Saving/Restoring Parameters Of An High Availability Pair

    7. Log on to Appliance A’s GUI and reenable high availability on the Configuration: Advanced Deployments: High Availability (high availability) tab. The appliance gets its parameters from the primary. 8. Plug in the network cable removed in step 2. Both appliances are now restored and synchronized.
  • Page 95: Troubleshooting High Availability Pairs

    Group convergence can only be verified from the WCCP monitoring page. There is no separate GUI page under the monitoring section for the Two Box Mode. • If the WCCP process running on the Standard Edition appliance reboots multiple times within
  • Page 96 ONE Ethernet Interface configured. Do not enable the WCCP Listener on a BRIDGED Pair. It is intended to be enabled on the ONE-ARM interface between the SD-WAN SE and SD-WAN WANOP appliances.
  • Page 97 This enables SDWAN-SE to act as a single pane for configuration of APPFLOW and other data processing configuration attributes such as Service Class, Application Classifiers. The configuration done on the SDWAN-SE reflects on the SDWAN-WO configuration, maintaining seamless APPFLOW functionality support.
  • Page 98 SD-WAN WANOP already discovered by Citrix Application Delivery Management (ADM), if used in Two Box Mode, should be isolated and not configured using Citrix ADM until this mode is turned off. This is because the configuration of WANOP for traffic processing is managed by the SD-WAN SE appliance in the Two Box Mode.
  • Page 99: Faqs

    Compression • CIFS and MAPI • RPC over HTTP • SCPS • Secure Peering • SSL Acceleration • Citrix SD-WAN WANOP Plug-in • Traffic Shaping • Upgrade • Video Caching • Office 365
  • Page 100: Acceleration

    What are the basic requirements of acceleration? Acceleration requires a Citrix SD-WAN WANOP device at both ends of the connection, the connection must use the TCP protocol, and all packets for the connection must pass through both the Citrix SD-WAN WANOP devices.
  • Page 101 • Optionally, the status of the Pre Domain Join Check utility should pass. How can I verify if the Citrix SD-WAN WANOP appliance is ready to add a user as a delegate user? You can verify the user by using the Check delegate user utility on the Windows domain page. If the status for all the parameters does not have any error messages, the appliance is ready to add the user as a delegate user.
  • Page 102: Compression

    Do I need to make the branch side Citrix SD-WAN WANOP appliance join the domain for accelerating encrypted MAPI? No. You do not need to make the branch side Citrix SD-WAN WANOP appliance join the domain for accelerating encrypted MAPI.
  • Page 103 WAN instead of the actual string, and the appliance on the other end looks up the reference and copies it into the output stream. What is the maximum achievable compression ratio? The maximum achievable compression ratio on a Citrix SD-WAN WANOP appliance is approximately 10,000:1. What is the expected compression ratio? Overall compression ratio is the average of all attempts to compress the data streams on the link.
  • Page 104: RPC over HTTPS

    No. The appliance has only default applications, and not default service classes. You must create the service class for an application. Does the appliance provide any SSL compression benefits to the RPC over HTTPS connections?
  • Page 105: SCPS

    Is MAPI over HTTP different from RPC over HTTPS? Yes. MAPI over HTTP is a new protocol supported on Microsoft Exchange Server 2013 SP1 or later. What is the difference between RPC over HTTPS settings on client-side and server-side Citrix SD-WAN WANOP appliances? Except for creating a service class and adding RPC over HTTPS applications to it, you do not need any additional configuration on a client-side Citrix SD-WAN WANOP appliance.
  • Page 106: Secure Peering

    What happens when you enable secure peering on an appliance at one end of the link? When you enable secure peering on a Citrix SD-WAN WANOP appliance at one end of the link, the other appliance detects it and attempts to open an SSL signaling tunnel. If the two appliances successfully authenticate each other over this tunnel, the appliances have a secure peering relationship.
  • Page 107: SSL Acceleration

    With non-compressed connections, acceleration adds options to the packet’s TCP header, but leaves the packet payload intact. These options allow the Citrix SD-WAN WANOP devices at each end of the connection to communicate with each other. In addition, the TCP sequence number is adjusted to prevent routing issues or appliance failure from mixing accelerated packets and non-accelerated packets in the same connection.
  • Page 108: Citrix SD-WAN WANOP Plug-in

    January 25, 2019 What methods can I use to install the Citrix SD-WAN WANOP plug-in on my computer? You can use any of the following methods to install the Citrix SD-WAN WANOP plug-in on your computer: • Standalone installation: Run the Microsoft Installer (msi) file.
  • Page 109 Do I need to install a Concurrent (CCU) license on Citrix SD-WAN WANOP 2000, 3000, and VPX appliances to use the Citrix SD-WAN WANOP plug-in? Yes. You must install a CCU license on Citrix SD-WAN WANOP 2000, 3000, and VPX appliances to use the Citrix SD-WAN WANOP plug-in.
  • Page 110 Do I need to install a CCU license on Citrix SD-WAN WANOP 4000 and 5000 appliances to use the Citrix SD-WAN WANOP plug-in? No. You do not need to install a CCU license on Citrix SD-WAN WANOP 4000 and 5000 appliances to use the Citrix SD-WAN WANOP plug-in. The appliance base license is sufficient for the Citrix SD-WAN WANOP plug-in to connect to these appliances.
  • Page 111 WANOP plug-in and appliance? Citrix recommends that you configure an RTT value that is greater than any RTT (ping time) on the local LAN, but less than the RTT for any remote user. The default value of 20 milliseconds is adequate for most networks.
  • Page 112 • Citrix SD-WAN WANOP plug-in with Citrix SD-WAN WANOP appliance in WCCP mode using ICA proxy. • Citrix SD-WAN WANOP plug-in with Citrix SD-WAN WANOP 4000 or 5000 appliance. In this deployment, the management port (0/1) is connected to the management network, and the signaling IP address is on a different network.
  • Page 113: Traffic Shaping

    What is Citrix SD-WAN WANOP Traffic Shaping? Citrix SD-WAN WANOP traffic shaping uses a group of policies to set the priority of different link traffic and send traffic onto the link at a rate close to, but no greater than, the link speed. Unlike acceleration, which applies only to TCP/IP traffic, the traffic shaper handles all traffic on the link.
  • Page 114: Upgrade (OS) Process

    Weighted fair queuing includes the option of giving some traffic a higher priority (weight) than others. Traffic with a weight of two receives twice the bandwidth of traffic with a weight of one. In a Citrix SD-WAN WANOP configuration, the weights are assigned in traffic-shaping policies.
  • Page 115 DHCP is enabled by none Adapter Management default default IP address for WANOP Upgrade support on supported not supported. Fresh none existing standalone SD-WAN 10.1 XVA WANOP VPX on image should be XenServer imported
  • Page 116 This upgrade is supported. The prerequisite for this upgrade is that the hosting XenServer hypervisor (on the physical SD-WAN appliance) runs XenServer version 6.2 / 6.5 or a later version. This can be verified by using the Configuration tab.
  • Page 117 XenServer 6.0 version). 1. While upgrading this appliance to SD-WAN 10.1 release, the following error message would occur. 2. Upgrade XenServer to 6.5, using “ns-sdw-xen65-pkg_v1.5.upg” (this can be downloaded from the Citrix Download website).
  • Page 118 3. If SD-WAN WO does not have 9.0 or later version, then the upgrade to XenServer 6.5 would not happen. The below error message would appear. 4. Let us assume that the user has upgraded the WO version to 10.0.2 now.
  • Page 119 5. Now, upgrade XenServer to 6.5, using “ns-sdw-xen65-pkg_v1.5.upg”.
  • Page 120 6. Now, upgrade SD-WAN to 10.1 release.
  • Page 121 Check the firewall settings on the Client, Server and Router. When WANOP VPX or Client/Server are hosted as VM, make sure that checksum is disabled on the end hosts VM. Example Linux Commands:
  • Page 122: Video Caching

    Caching and compression are complementary technologies, because anything that is not cached is compressed, achieving the benefits of both. Can I partition the appliance’s total memory between the video cache and other Citrix SD-WAN WANOP features? No.
  • Page 123 The first viewer of a given video stream does not benefit from the video caching feature, but subsequent views are delivered at the LAN speed from the Citrix SD-WAN WANOP appliance, with the additional benefit of reduced WAN usage.
  • Page 124 Can Citrix SD-WAN WANOP compression (using an HTTP Service Class policy) be used with Video Caching? Yes. When the cached objects are present in both Citrix SD-WAN WANOP compression history and the video cache, the content is served from the cache on a cache hit, and fetched from the server (and compressed) on a cache miss.
  • Page 125 Yes. Non-video HTTP traffic (even though it is intercepted by the proxy) is not included in the video caching GUI statistics. Do I need to configure apA as well as apB interfaces with a valid IP address on a Citrix SD-WAN WANOP appliance? No.
  • Page 126 What happens when I upgrade the Citrix SD-WAN WANOP appliance from release 6.x to 7.y and video caching is enabled? The existing Citrix SD-WAN WANOP DBC history is lost and a separate partition for video caching is created. What happens when I downgrade the Citrix SD-WAN WANOP appliance from release 7.y to 6.x and video caching is enabled? Citrix SD-WAN WANOP DBC and Video Caching history is preserved.
  • Page 127: Office 365 Acceleration

    If the browser or app does not contain the CA certificate, it displays an error or warning and the connections from that client or App will be blocked. To avoid such issues, select the Exclude List option as part of the SSL profile configuration.
  • Page 128 The connections get blocked if the exclude list is not enabled. 7. What happens if the Data Center side Citrix SD-WAN WANOP does not have root or intermediate CAs? The connections are blocked, or the Office 365 application pages which require the missing root or intermediate CAs are partially loaded.
  • Page 129: Compression

    Compression December 14, 2018 Citrix SD-WAN WANOP compression uses breakthrough technology to provide transparent multilevel compression. It is true compression that acts on arbitrary byte streams. It is not application-aware, is
  • Page 130 Compression engines are limited by the size of their compression history. Traditional compression algorithms, such as LZS and ZLIB, use compression histories of 64 KB or less. Citrix SD-WAN WANOP appliances maintain at least 100 GB of compression history. With more than a million times the compression history of traditional algorithms, the Citrix SD-WAN WANOP algorithm finds more matches and longer matches, resulting in superior compression ratios.
  • Page 131 Adaptive, zero-config operation: To serve the different needs of different kinds of traffic, Citrix SD-WAN WANOP appliances use not one but five compression engines, so the needs of everything from the most massive bulk transfer to the most latency-sensitive interactive traffic can be accommodated with ease.
  • Page 132 • Memory, meaning that memory-based compression is enabled but disk-based compression is not. This setting is rarely used, because the appliance automatically selects memory or disk if both types of compression are enabled.
  • Page 133 T1 link if the LANs on both sides use Gigabit Ethernet, or slightly less than 100 Mbps if there is any Fast Ethernet equipment in the LAN paths between endpoints and appliances.
  • Page 134 2. Transfer the same data stream a second time and note the effect on compression. Compression reports in Premium edition: Citrix SD-WAN Premium (Enterprise) edition does not have a view for showing compression reports on a per protocol or application basis through WANOP service classes, which have the protocol or application association.
  • Page 135: HTTP Acceleration

    Compression ratio (Top 10 service classes): In the Citrix SD-WAN appliance GUI, you can check the connection details and the compression ratio (per service-class dashboard) by navigating to Monitoring > WAN Optimization. This auto selects the Dashboard node and provides an overview in the form of a dashboard.
  • Page 136 Compression HTTP is an ideal application for Citrix SD-WAN WANOP multi-level compression. Static content, including standard HTML pages, images, video, and binary files, receives variable amounts of first-pass compression, typically 1:1 on pre-compressed binary content, and 2:1 or more on text-based content.
  • Page 137: How HTML5 Works

    The WebSocket protocol communicates over TCP ports 80 and 443. This facilitates communication in environments that use firewalls to block non-web Internet connections. Additionally, WebSocket has its own fragmentation mechanism. A WebSocket message can be sent as multiple WebSocket frames.
  • Page 138 Sec-Websocket-extensions: <List of extensions server accepts for session.> Sec-Websocket-version: <Version of websocket protocol that the server supports.> The following figure shows the sequence of messages exchanged between a client and a server:
  • Page 139: Internet Protocol Version 6 (IPv6) Acceleration

    IPv6 addresses this issue by using 128-bit addresses and a hexadecimal label to identify the network interfaces of devices on an IPv6 network. Because IPv6 supports far more IP addresses than does IPv4, organizations and applications are gradually introducing support for the IPv6 protocol.
  • Page 140 IPv6 Acceleration feature. By default, IPv6 is disabled on the appliance. To enable IPv6 acceleration on a Citrix SD-WAN WANOP appliance, navigate to Configuration > Appliance Settings > Feature page and enable the IPv6 Acceleration feature.
  • Page 141 Top Applications: The Top Applications page provides granularity in the time frame that you can use to graphically represent the traffic throughput of various applications served by the Citrix SD-WAN appliance. By default, traffic throughput is displayed for the last minute. However, you can change the time frame by selecting Last Minute, Last Hour, Last Day, Last Week, or Last Month from the list available on the Title bar of the page.
  • Page 142 If the appliance has sent data to an application using IPv6 protocol, a series depicting each application using IPv6 protocol is also plotted on this graph.
  • Page 143 If the appliance has served traffic for an application using IPv6 protocol, the application is listed in this table, along with its
  • Page 144: Link Definitions

    A link definition specifies which traffic is associated with the defined link, the maximum bandwidth to allow for traffic received on the link, and the maximum bandwidth for traffic
  • Page 145 1. apA.1, one of the two ports on the accelerated bridge. 2. apA.2, the other port on the accelerated bridge. 3. If the system has dual accelerated bridges, apB.1 and apB.2 also exist.
  • Page 146: Manage Link Definitions In Traffic Shaping

    Link Speed— Link speed always refers to the speed of the physical link. In the case of a WAN link, it is the speed of the WAN segment that terminates in the building with the Citrix SD-WAN WANOP appliance. The speed of the other end of the link is not considered. For example, the following figure shows a network of four appliances.
  • Page 147: Configure Link Definitions

    Any, a wildcard entry that always matches. When a field consists of a list, such as a list of IP subnets, the list entries are ORed together. That is, if any element matches, the list as a whole is considered to be a match.
  • Page 148 When all else fails, WCCP-GRE can be used, and the router can use a different service group for each WAN link, allowing the Citrix SD-WAN WANOP unit to tell the link traffic apart by service group.
  • Page 149 • The Dst is only examined on packets exiting the appliance. Inline links Most Citrix SD-WAN WANOP appliances use a simple inline deployment, where each accelerated bridge serves just one WAN link. This is the simplest mode to configure.
  • Page 150 3. Set the incoming and outgoing bandwidth limits to 95% of the nominal Ethernet speed (95 Mbps or 950 Mbps). 4. Verify that a rule exists that specifies the LAN Ethernet adapter, which in this example is apA.2. 5. Click Create.
  • Page 151 The configuration is similar to the simple inline link configuration, but the site has a second link, a T1 link to the corporate WAN, in addition to the ADSL Internet link. The Citrix SD-WAN WANOP appliance has two accelerated bridges, one for each WAN link.
  • Page 152: Manage And Monitor Using Citrix Application Delivery Management

    Configuration: Advanced Deployments page.) Manage and monitor using Citrix Application Delivery Management February 22, 2019 Citrix SD-WAN WANOP AppFlow support enables flexible, customized monitoring of your Citrix SD-WAN WANOP appliances.
  • Page 153: Citrix Cloud Connector

    //www.appflow.org). Citrix ADM allows you to monitor, manage, and view analytics of the Citrix SD-WAN appliances in your network. Citrix ADM supports a wide range of devices and can present a more complete view of your network. With its extensive view of WAN traffic, including detailed statistics about XenApp/XenDesktop traffic, the Citrix SD-WAN WANOP appliance provides key insights into the WAN user experience.
  • Page 154 The WAN optimization feature of the Citrix SD-WAN WANOP appliance accelerates traffic, providing LAN-like performance for applications running across enterprise datacenters and clouds. In addition to using Citrix Cloud Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.
  • Page 155 GRE IP header, and an ESP trailer is inserted at the end of the encrypted payload. Peers in the Citrix Cloud Connector tunnel use the Internet Key Exchange (IKE) protocol (part of the IPSec protocol suite) to negotiate secure communication, as follows: •...
  • Page 156 • add lb vserver <cbvpxonaws_vs_name> ANY * * -l2Conn ON -m MAC To add the Citrix SD-WAN WANOP VPX instance on AWS as a service and bind it to the load balancing virtual server by using the command line interface:...
  • Page 157: Configure Cloud Connector Tunnel

    Configure cloud connector tunnel November 22, 2018 To configure the Citrix Cloud Connector tunnel, use the configuration utility of both the Citrix VPX appliances to perform the following tasks: • Create an IPSec profile—An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and PSK, to be used by the IPSec protocol in the Citrix Cloud Connector tunnel.
  • Page 158 • apply ns pbrs To create an IPSec profile by using the configuration utility: 1. Navigate to System > Citrix Cloud Connector > IPSec Profile. 2. In the details pane, click Add. 3. In the Add IPSec Profile dialog box, set the following parameters: •...
  • Page 159: Configure Cloud Connector Tunnel Between Two Datacenters

    AWS cloud appears on the configuration utility. The current status of the Citrix Cloud Connector tunnel is indicated in the Configured Citrix SD-WAN WANOP pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.
  • Page 160 To understand how a Citrix Cloud Connector tunnel is configured between two different datacenters, consider an example in which a Cloud Connector tunnel is set up between Citrix appliance CB_4000/5000-1 in datacenter DC1 and Citrix appliance CB_4000/5000-2 in datacenter DC2.
  • Page 161 IP address of the Citrix Cloud Connector tunnel = 203.0.210.30* GRE Tunnel Details Name = Cloud_Connector_DC1-DC2 IPSec Profile Details Name = Cloud_Connector_DC1-DC2, Encryption algorithm = AES, Hash algorithm = HMAC SHA1
  • Page 162 Citrix Cloud Connector tunnel Cloud_Connector_DC1-DC2 Local endpoint IP address of the Citrix Cloud Connector tunnel = 10.10.6.30, Remote endpoint IP address of the Citrix Cloud Connector tunnel = 203.0.113.30* GRE Tunnel Details
  • Page 163 Following is the traffic flow in the Citrix Cloud Connector tunnel: 1. Client CL1 sends a request to server S1. 2. The request reaches the Citrix virtual appliance NS_VPX_CB_4000/5000-1 running on Citrix SD-WAN WANOP appliance CB_4000/5000-1. 3. NS_VPX_CB_4000/5000-1 forwards the packet to one of the SD-WAN WANOP instances running on the Citrix SD-WAN WANOP appliance CB_4000/5000-1 for WAN optimization.
  • Page 164: Configure Cloud Connector Tunnel Between A Datacenter And AWS/Azure

    You can configure a cloud connector tunnel between a datacenter and AWS, or Azure cloud. Consider an example in which a Citrix Cloud Connector tunnel is configured between Citrix SD-WAN WANOP appliance CB_DC-1, which is deployed in WCCP/PBR one-arm mode in a datacenter, and AWS cloud.
  • Page 165 Note: The settings in the example would also work for any type of Citrix SD-WAN WANOP deployment. The setting in this example uses policy-based routes instead of netbridge for allowing the desired subnet’s traffic to pass through the Citrix Cloud Connector tunnel.
  • Page 166 The following table lists the settings on AWS cloud in this example (Entity / Name / Details): IP address of server S1 = 10.20.6.90; Settings on NS_VPX-AWS: NSIP address = 10.20.1.20, Public EIP address mapped to the NSIP address = 203.0.1.120*
  • Page 167 Note: AWS does not support L2 mode. Therefore, it is necessary to have only L3 mode enabled on both the endpoints. For proper communication between CL1 and S1, L3 mode is enabled on NS_VPX_CB-DC and NS_VPX-
  • Page 168 Routes (Network / Gateway): Routes on server S1: Route for reaching client CL1, network = 10.10.6.X/24, gateway = tunnel endpoint SNIP address of NS_VPX-AWS = 10.10.6.1. Routes on Citrix virtual appliance NS_VPX-AWS:
  • Page 169 2. The request reaches the Citrix virtual appliance NS_VPX_CB-DC running on Citrix SD-WAN WANOP appliance CB_DC-1. 3. NS_VPX_CB-DC forwards the packet to one of the Citrix SD-WAN WANOP instances running on the Citrix SD-WAN WANOP appliance CB_DC-1 for WAN optimization. After processing the packet, the Citrix SD-WAN WANOP instance returns the packet to NS_VPX_CB-DC.
  • Page 170: Office 365 Acceleration

    S1. Office 365 acceleration December 14, 2018 Citrix SD-WAN WANOP optimizes WAN to provide consistent user experience for business applications across branch offices and remote sites. Microsoft Office 365 is a software-as-a-service (SaaS) application, which provides Microsoft’s Office suite of enterprise-grade productivity applications.
  • Page 171 Office 365 server. How does it work? Citrix SD-WAN WANOP SSL acceleration can decrypt and accelerate Office 365 traffic, providing compression. In short, Office 365 branch-office acceleration can be thought of as a special case of RPC-over-HTTPS acceleration.
  • Page 172 Firefox does not honor the device’s certificate store. Configure Office 365 acceleration To configure Office 365 acceleration: 1. Set up a secure peering relationship between the two Citrix SD-WAN WANOP appliances, as described in Secure Peering 2. Create a new certificate.
  • Page 173 These instructions are for the Chrome browser; the procedure is the same for other browsers also. c) Click Subject Alternative Name; this reveals a list of DNS names such as “login.microsoftonline.com.” Copy the information in the text box below it.
  • Page 174 Repeat the process of discovering Subject Alternative Names and adding them to your certificate for https://outlook.office365.com, https://portal.office.com, https://office.live.com, https://sharepoint.com (the SharePoint URL is customer-specific). f) Create a Common Name for your new certificate. The example above shows a common name as “Office365 proxy.”
  • Page 175 In the Private Key tab, select Make private key exportable. h) Click OK, Enroll, and Finish. 4. Export the certificate. a) Under Certificates > Personal > Certificates, select the above created proxy certificate, and then select All Tasks > Export.
  • Page 176 In Export Private Key, select the option Yes, export the private key and click Next. d) Retain the default values for the export file format. e) Type and confirm the password, export the private key, and save the certificate as login-
  • Page 177 Navigate to Connection > Certificate Information > Certification Path. b) Select the root certificate (the one at the top of the list), and then click View Certificate > Details > Copy to File. The Certificate Export Wizard appears. Click Next.
  • Page 178 7. Add all the Office 365 server CAs, proxy certificate/key pairs, and private keys to the server-side Citrix SD-WAN WANOP appliance. The CAs are added using the CA Certificates tab on the Certificates and Keys page. Certificates and certificate/key pairs are added on the Certificate/Key Pairs tab.
  • Page 179 (the one shown in the example as loginportal.pfx). Select Build Certificate Chain. Select the CA associated with the certificate/key pair under Certificate Chain Store.
  • Page 180 11. Initiate an Office 365 session from your browser. The connection is accelerated. In the browser, the certificate should display your root CA, not the actual Office 365 certificate, as the server-side appliance’s CA certificate.
  • Page 181 Firefox. To install certificates into Firefox, follow the procedure in the section, Installing certificates to Firefox. Install the certificates to Firefox To install the server-side appliance’s proxy certificate to the Firefox certificate store:
  • Page 182: SCPS Support

    2. Upload the local CA proxy certificate, select all the options in the Downloading Certificate wizard and click OK. SCPS support November 22, 2018 Citrix SD-WAN WANOP supports the SCPS (Space Communications Protocol Standard) TCP variant. SCPS is widely used for satellite communication. See http://www.scps.org for general SCPS information.
  • Page 183: Secure Traffic Acceleration

    Secure traffic acceleration is achieved by secure peering. Several advanced functions require that the Citrix SD-WAN WANOP appliances at the two ends of the link establish a secure peer relationship with each other, setting up an SSL signaling tunnel (also called a signaling connection). These functions are SSL compression, signed CIFS support, and encrypted MAPI support.
  • Page 184 Until this is done, secure peering and compression are disabled. Generate security keys and certificates Citrix SD-WAN WANOP products are shipped without the required keys and certificates for the SSL signaling tunnel. You must generate them yourself. You can generate keys and certificates through your normal process for generating credentials, or with the “openssl”...
  • Page 185 1. Install a crypto license on the appliance. Without a crypto license, secure acceleration is not available. a) If you have not done so already, acquire crypto licenses from Citrix. b) If you are using a network license server, go to the Configuration > Appliance Settings >...
  • Page 186 Under CA Certificate Store Name, click the + icon and upload or paste the CA certificate for this appliance. d) Keep the default values for the Certificate Verification and SSL Cipher Specification fields unless your organization requires otherwise. e) Click Save.
  • Page 187 6. Repeat this process for your other remote appliances. 7. On the datacenter appliance, verify connectivity by going to Monitoring > Partners and Plug-ins > Secure Partners. For each remote appliance, the content of the Secure field should be
  • Page 188: CIFS, SMB2, and MAPI

    CIFS protocol for CIFS-based (Windows and Samba) file transfer and directory browsing, and Microsoft Outlook uses the MAPI protocol to access Outlook data. You can use a Citrix SD-WAN WANOP appliance to optimize the CIFS, Server Message Block version 2 (SMB2), and MAPI connections over the network.
  • Page 190: Configure Citrix SD-WAN WANOP Appliance To Optimize Secure Windows Traffic

    You create a delegate user in the active directory. This user is similar to a normal user, but with special privileges. After creating the delegate user, you must configure this user on the Citrix SD-WAN WANOP appliance. The appliance uses the delegate user to authenticate on behalf of users when they access authenticated and encrypted data streams using Windows protocols, such as CIFS and MAPI.
  • Page 191 appliance or Citrix SD-WAN WANOP Plug-in, but only the datacenter appliance joins the Windows domain. For purposes of CIFS or MAPI acceleration, the remote appliance acts as a slave to the datacenter appliance, being controlled over the secure SSL tunnel between the two. Therefore, the delegate user credentials do not leave the datacenter.
  • Page 192 Requirements to add a Citrix SD-WAN WANOP appliance to the Windows security system To optimize traffic for secured Windows signed SMB and encrypted MAPI traffic, your Citrix SD-WAN WANOP deployment must meet the following requirements before you add the appliance to the Windows security infrastructure: •...
  • Page 193 Add a Citrix SD-WAN WANOP appliance to the Windows security infrastructure To optimize secure Windows traffic, the Citrix SD-WAN WANOP appliance must be a part of the Windows security system and must authenticate itself with the security system or domain. As shown in the figure below, to make the appliance a part of the Windows security system, you must make the appliance join a domain (using administrative credentials).
  • Page 194 To make sure that the Citrix SD-WAN WANOP appliance optimizes the CIFS and MAPI traffic (including traffic encapsulated as RPC over HTTPS), you must make the appliance part of the domain that the Windows fileserver and Exchange server are a part of.
  • Page 195 Setting up user authentication by using Kerberos delegation involves two tasks—configuring a delegate user on the domain controller and then adding this user to the Citrix SD-WAN WANOP appliance. Configure a delegate user on a domain controller: Before you configure a delegate user on a Citrix SD-WAN WANOP appliance, you must configure a delegate user with the required properties on the domain controller.
  • Page 196 Create a delegate user account: Create a delegate user account on the Windows domain controller so that the Citrix SD-WAN WANOP appliance can use this account on behalf of the users to authenticate them with the domain controller.
  • Page 197 5. From the shortcut menu, select Properties and navigate to the Attribute Editor tab, as shown in the following screen shot: 6. From the Attributes list, select servicePrincipalName, as shown in the following screen shot:
  • Page 198 7. Click Edit. 8. In the Multi-valued String Editor dialog box, in the Value to add field, specify delegate/<User_Name>, as shown in the following screen shot:
  • Page 199 12. Click OK. 13. Open the user’s MAPI-CIFS Delegate User Properties dialog box and verify that the Delegation tab has been added to the dialog box, as shown in the following screen shot:
  • Page 200 After enabling the Delegation tab for the user, you can associate the user with services for which the user can present delegated credentials. When you add this user to the Citrix SD-WAN WANOP appliance, the appliance presents delegated credentials for the services associated with this account.
  • Page 201 4. In the Add Service dialog box, click Users and Computers. 5. In the Select Users or Computers dialog box, add the local computer to be selected, as shown in the following screen shot:
  • Page 202 6. Click OK. 7. In the Add Services dialog box, from the Available services list, select cifs, as shown in the following screen shot:
  • Page 203 Citrix SD-WAN WANOP 10.2 8. If you have to set up MAPI acceleration on the Citrix SD-WAN WANOP appliance, press and hold the Ctrl key, and select the exchangeMDB service. 9. Click OK. The services you have selected are added to the Services to which this account can present delegated credentials list, as shown in the following screen shot: ©...
  • Page 204 After configuring the delegate user on the Active Directory server, you must configure this user on the Citrix SD-WAN WANOP appliance, so that the appliance can present this user’s delegated creden- tials to the domain. This enables the appliance to actively optimize the network traffic for the ad- vanced CIFS and MAPI acceleration features.
  • Page 205 You can even run this utility to identify possible issues before you attempt to join the appliance to a domain. To check the delegate user: 1. Log on to the server-side Citrix SD-WAN WANOP appliance. 2. Navigate to Configuration > Secure Acceleration > Windows tab. 3. Click the Join Windows Domain button, if present.
  • Page 206: Configure Cifs And Smb2/Smb3 Acceleration

    • CIFS protocol acceleration—These optimizations increase CIFS performance by reducing the number of round trips needed for running a CIFS command. These optimizations are performed automatically on SMB1 and SMB2 CIFS connections that either do not use CIFS packet authenti-
  • Page 207 Signing enabled, Citrix SD-WAN WANOP has joined domain ** SMB 1.0 SMB 2.0 SMB 2.1 SMB 3.0 Signing enabled, Citrix SD-WAN WANOP has not joined domain SMB 1.0 SMB 2.0 SMB 2.1 SMB 3.0
  • Page 208 * SMB 3.0 Support was added in release 7.4.2. ** Citrix SD-WAN WANOP does not support NTLMv2 authentication (default for Windows 7) up with SMB 1/ SMB 2/ SMB 3 and with NetApp server. Enabling Kerberos authentication allows acceleration.
  • Page 209 Speedup ratios of 10x are readily obtainable with CIFS acceleration, provided that your link and disks are fast enough to accommodate ten times your current transfer speeds. 50x speedup can be obtained if necessary, but is not normally enabled, because of memory consumption. Contact your Citrix representative if 10x is not sufficient.
  • Page 210 CIFS operations, but also to the related RPC operations. If your network uses CIFS signing, the appliance must be a trusted member of the domain. To make the appliance a trusted member of the domain, see Adding a Citrix SD-WAN WANOP Appliance to the Windows Security Infrastructure.
  • Page 211 Adding a Citrix SD-WAN WANOP Appliance to the Windows Security Infrastructure. When this requirement is met, signing is accelerated automatically. Otherwise, signing must be disabled (if it is not disabled already) for protocol
  • Page 212 For a less invasive measure, use the NET USE devicename /DELETE command from the Windows command line to fully dismount the volume. In Linux, smbmount and umount fully dismount the volume.
  • Page 213: Configure Mapi Acceleration

    Supported Outlook and Exchange versions and modes Citrix SD-WAN WANOP appliances provide MAPI acceleration for Microsoft Outlook 2003-2016 and Exchange Server 2003-2010, in the following circumstances: • Any combination of supported clients and servers (using the MAPI protocol) is supported.
  • Page 214 • Either encryption is disabled on Outlook, or the server-side appliance belongs to the Windows domain and has a secure peer relationship with the client-side appliance (or Citrix SD-WAN WANOP Plug-in). In the case where the appliance has joined the Windows domain, authentication on the domain must be kept at the default setting (negotiate), for acceleration to work.
  • Page 215: Ssl Compression

    MAPI format, the second transfer receives full compression. SSL compression December 14, 2018 Citrix SD-WAN WANOP SSL compression applies multisession compression to SSL connections (for example, HTTPS traffic), providing compression ratios of up to 10,000:1. Note SSL compression requires a secure peering (signaling) connection between the two appliances at the ends of the accelerated link.
  • Page 216: How Ssl Compression Works

    Verify that your deployment and settings are consistent with your organization’s security policies. Citrix recommends that you enable encryption of the compression history on each unit when you configure the secure peering signaling connection required for SSL acceleration.
  • Page 217 Use SSL split proxy for all other deployments. SSL transparent proxy In SSL transparent proxy mode (not to be confused with transparent mode on the Citrix SD-WAN WANOP Plug-in), the server-side appliance masquerades as the server. The server’s credentials (certificate-key pair) are installed on the server-side appliance so that it can act on the server’s behalf.
  • Page 218: Configure Ssl Compression

    (for example, HTTPS traffic), providing compression ratios of up to 10,000:1. For more information, see Compression. For SSL compression to work, the Citrix SD-WAN WANOP appliance needs certificates from either the server or the client. To support multiple servers, multiple private keys can be installed on the appliance, one per SSL profile.
  • Page 219 On the server-side appliance, on the Monitoring: Optimization: Connections: Accelerated Connections tab, the Service Class column should match the service class you set up for secure acceleration, and the SSL Proxy column should list True for appropriate connections.
  • Page 220 Configure a split proxy SSL profile To configure a split proxy SSL profile: 1. In the server-side Citrix SD-WAN WO appliance, navigate to Configuration > Secure Acceleration > SSL Profile and click Add Profile. Note You can either manually add an SSL profile or import one that is stored on your local computer.
  • Page 221 In the Protocol Version field, select the protocol versions you want to support on the client side. Note Citrix SD-WAN WO supports a combination of TLS1.0, TLS1.1 or TLS1.2, or TLS1.2 only. SSL protocols SSLv3 and SSLv2 are not supported.
  • Page 222 8. Click Create. Configure transparent proxy SSL profile To configure a transparent proxy SSL profile: 1. In the server-side Citrix SD-WAN WO appliance, navigate to Configuration > Secure Acceleration > SSL Profile and click Add Profile. Note You can either manually add an SSL profile or import one that is stored on your local computer.
  • Page 223 9. Click Create to create the service class. Updated CLI command Citrix SD-WAN WO 9.3 supports the latest TLS1.2 SSL protocol. You can choose to use TLS1.2 protocol only or any version of TLS protocols. SSL protocols SSL v3 and SSL v2, and transparent proxy SSL profiles are not supported.
  • Page 224 [-server-side-authentication { enable, disable }] [-server-side-cert-key cert-key-pair-name “ ”] [-server-side-build-cert-chain { enable, disable }] [-server-side-renegotiation { disable-old-style, enable-old-style, new-style, compatible }] [-client-side-protocol-version { TLS-1.2, TLS-version-any }] [-client-side-ciphers ciphers “ ”] [-client-side-renegotiation {
  • Page 225 [-cert-chain-store { use-all-configured-CA-stores, store-name “ ” }] [-cert-verification { none, Signature/Expiration, Signature/Expiration/Common-Name-White-List, Signature/Expiration/Common-Name-Black-List }] [-verification-store { use-all-configured-CA-stores, store-name “ ” }] [-server-side-protocol { TLS-1.2, TLS-version-any }] [-server-side-ciphers ciphers “ ”] [-server-side-authentication { enable, disable }]
  • Page 226: Ssl Compression With Citrix Sd-Wan Wanop Plug-In

    SSL Compression with Citrix SD-WAN WANOP plug-in November 22, 2018 The Citrix SD-WAN WANOP Plug-in is always used as the client-side unit and thus requires no additional SSL configuration other than installing credentials for the SSL signaling (secure peering) connection.
  • Page 227: Rpc Over Http

    (for example, laptops that use full-disk encryption). The Citrix SD-WAN WANOP Plug-in supports both SSL split proxy and SSL transparent proxy. The plug-in ships without certificate-key pairs for the SSL signaling connection. If desired, the same credentials can be used by all plug-ins, or each plug-in can have its own credentials.
  • Page 228 Outlook clients and the Microsoft Exchange server. MAPI connections use RPCs, which are encapsulated by an HTTP connection. Therefore, before you configure RPC over HTTPS on a Citrix SD-WAN WANOP appliance, you must configure encrypted MAPI on the appliance.
  • Page 229 To verify that RPC over HTTPS connections are being accelerated 1. Navigate to Monitoring > Optimization > Outlook (MAPI). 2. On the Accelerated MAPI Sessions tab, verify that RPC over HTTPS connections are accelerated.
  • Page 230: Tcp Flow-Control Acceleration

    WAN performance, even under harsh conditions such as high loss or extreme distance. Citrix SD-WAN WANOP flow control is lossless and transparent, and it implements a broad spectrum of speed optimizations. No configuration is required, because of autodiscovery and autoconfiguration.
  • Page 231: Lossless And Transparent Flow Control

    Acceleration operates on any TCP connection passing through two appliances (one at the sending site and one at the receiving site), or a Citrix SD-WAN WANOP appliance and a Citrix SD-WAN WANOP Plug-in. Although the above figure shows a network of two appliances, any appliance can accelerate connections between any number of other appliance-equipped sites simultaneously.
  • Page 232: Speed Optimization

    Citrix SD-WAN WANOP implements a broad spectrum of WAN optimizations to keep the data flowing under all kinds of adverse conditions. These optimizations work transparently to ensure that the data arrives at its destination as quickly as possible.
  • Page 233 Note Without Citrix acceleration, TCP throughput is inversely proportional to distance, making it impossible to extract the full bandwidth of long-distance, high-speed links. With acceleration, the distance factor disappears, and the full speed of a link can be used at any distance. (Chart based on model by Mathis, et al, Pittsburgh Supercomputer Center.)
  • Page 234: Auto-Discovery And Auto-Configuration

    Auto-discovery and auto-configuration December 14, 2018 In a process called autodiscovery, Citrix SD-WAN WANOP units detect each other’s presence automatically. The appliances attach TCP header options to the first packets in each connection: the SYN packet (sent by the client to the server to open the connection), and the SYN-ACK packet (sent by the server to the client to indicate that the connection has been accepted).
  • Page 235: Tcp Flow Control Modes

    The connection is accelerated, and the acceleration is transparent to the client, server, routers, and firewalls. TCP flow control modes December 14, 2018 TCP flow control has two modes: softboost and hardboost.
  • Page 236 1. Navigate to Configuration > Links > Hardboost / Softboost and click edit. 2. Select Hardboost as the WAN Boost Mode.
  • Page 237: Firewall Considerations

    Firewall considerations November 22, 2018 The Citrix SD-WAN WANOP appliance’s use of TCP options puts accelerated traffic at risk from firewalls that have aggressive rules about denying service to connections using less-common TCP options. Some firewalls strip off the “unknown” options and then forward the packet. This action prevents acceleration but does not impair connectivity.
  • Page 238: Traffic Classification

    Traffic classification December 14, 2018 The two main functions of a Citrix SD-WAN WANOP appliance are traffic shaping, which maximizes link usage for all types of traffic, and acceleration, which applies compression and various optimizations to accelerate TCP traffic. Two basic components of both traffic shaping and acceleration are the application-classifier mechanism and the service-class mechanism.
  • Page 239: Application Classifier

    SOCKS (Port 3128) for clarity. Applications must not have overlapping definitions. For example, if one application on your network uses TCP ports 3120 and 3128, and another application uses port 3120, only one Citrix SD-WAN WANOP application definition can include port 3120.
  • Page 240 The Application Classifiers page lists all the applications recognized by the SD-WAN WANOP classifier. Click Auto Discover to allow any Citrix published applications seen in the data stream to be
  • Page 241: Service Classes

    Differences between acceleration decisions and traffic shaping policies To make an acceleration decision, the Citrix SD-WAN WANOP appliance examines the initial SYN packet of each TCP connection to determine whether the connection is a candidate for acceleration. The SYN packet contains no payload, only headers, so the acceleration decision must be based on the contents of the SYN packet’s headers, such as the destination port or destination IP address of the connection.
  • Page 242 Citrix service class. Because all URL-based rules match the HTTP service class, putting the HTTP service class above them would result in the URL-based rules or published application-based rules never being used.
  • Page 243 To create an RPC over HTTP service class and bind the SSL profile to it: 1. Navigate to Configuration > Optimization Rules > Service Classes and click Add.
  • Page 244 If a rule is evaluated as TRUE for a given connection, the connection is assigned to that service class. Filter rules for most service classes consist solely of a list of applications,
  • Page 245 • You must configure and bind an SSL profile to the service class only on the datacenter-side appliance. • Only the service classes that have their filter rules direction set to unidirectional can be associated with SSL profiles.
  • Page 246: Traffic Shaping

    Traffic Shaping Policies. 4. Configure a service class definition and associate the traffic shaping policy to the service class. For information on configuring service class definition, see Service Classes.
  • Page 247: Weighted Fair Queuing

    • Traffic shaping is applied to the WAN link in both the sending and receiving directions, to both accelerated and non-accelerated traffic. This feature prevents congestion and increased latency even when the other side of the link is not equipped with a Citrix SD-WAN WANOP appliance. For example, Internet downloads can be prioritized and managed.
  • Page 248 (weight) than others. Traffic with a weight of two receives twice the bandwidth of traffic with a weight of one. In a Citrix SD-WAN WANOP configuration, the weights are assigned in traffic-shaping policies.
  • Page 249: Traffic Shaping Policies

    • Extension of the benefits of fair queuing to all traffic A Citrix SD-WAN WANOP appliance is shipped with factory-default traffic shaping policies that span a broad range of priorities. These policies are listed in the Traffic Shaping Policies page. Apart from the Default Policy, the other factory-default policies cannot be edited or deleted.
  • Page 250 • Bandwidth Limit—Prevents the traffic using this policy from exceeding the specified bandwidth, stated either as a percentage of link speed or as an absolute value. Citrix recommends specifying a percentage, so that the same definition can apply to links of different speeds.
  • Page 251 For Citrix SD-WAN PE edition, the Bandwidth Limit parameter is disabled by default. • Set ICA priorities—If this policy is used for Citrix XenApp/XenDesktop traffic, the traffic’s internal priority for Real-time, Interactive, Bulk Transfer and Background traffic is overwritten by the priority set here.
  • Page 252: Video Caching

    Video caching improves the viewing experience for HTTP video streams, especially on slower links. The video cache is maintained on the local Citrix SD-WAN WANOP appliance. When a local user views a video that has already been cached, the appliance can deliver the cached copy at full LAN speed.
  • Page 253 Note Caching is now transparent. That is, the IP address of both the client and the server are maintained end-to-end. In earlier releases, the IP address of the Citrix SD-WAN WANOP appliance was displayed as the source address. A video is cached when all of the following criteria are met: •...
  • Page 254: Video Caching Scenarios

    • If any of the supported websites change the way they present content, the video caching benefit for those sites might not be achieved until the video caching policy file is updated. For such occasional changes, Citrix provides an updated video caching policy file. To use it, see Upgrading the Video Caching Policy File.
  • Page 255 In this use case, users access the Internet through the web browsers on their computers. Those requests that involve video content from an enabled site, such as Vimeo, are cached on the local Citrix SD-WAN WANOP appliance. Any subsequent access of the same video results in cache hits on the local appliance, allowing the video to be delivered at LAN speed and without waiting for the remote server.
  • Page 256 In this use case, users access the video web servers from the datacenter. When you enable the video caching feature on the branch-side Citrix SD-WAN WANOP appliance, the user request is served from cache of the branch-side Citrix SD-WAN WANOP appliance. This helps reduce network traffic to the datacenter Citrix SD-WAN WANOP appliance.
  • Page 257: Configure Video Caching

    • Appliance can resolve the DNS name www.Citrix.com. • The Citrix SD-WAN WANOP apX IP address has HTTP access in your corporate network. • If the appliance is deployed between the trunk ports of two network devices, you must specify the VLAN ID with the IP address to be used by the appliance to send HTTP requests on the Network Configuration page.
  • Page 258 Adapters section, select an acceleration pair (for example apA) and click Edit. Ensure that the IP addresses, network mask, and default gateway IP addresses specified for the accelerated pair are accurate.
  • Page 259 3. Navigate to the Configuration > Appliance Settings > Features page and enable the Video Caching feature. A confirmation dialog box appears; click Yes.
  • Page 260 A video from an enabled website is cached as soon as a user accesses it. You can configure additional video websites that do not require URL rewrite by adding their host
  • Page 261 3. In the Cache Status list, ensure that Enabled is selected. You can select Disabled from this list if you want to enable video caching for this site at a later time.
  • Page 262: Video Prepopulation

    Video prepopulation June 26, 2020 A Citrix SD-WAN WANOP appliance can download and cache videos from your internal video server before anyone views them. This feature is useful when you want to make sure that all users get the same benefits (for example when playing a self-training video scheduled at a specific time). You can schedule static URLs from which you want to fetch videos.
  • Page 263 Make sure that you specify a complete URL or a video folder. 4. In the Interface field, select the accelerated bridge port to download videos from the URL.
  • Page 264 URL. Deleting this entry The entry is being deleted from the list of URLs. Failed to get Directory listing Failed to get listing from the remote directory you specified.
  • Page 265 • Refresh the status of a URL entry. • Delete a URL entry. The following flowchart shows the flow control of the processes followed when managing various activities of the video prepopulation feature.
  • Page 266 To download and cache a video immediately, navigate to Configuration > Video Caching > Prepopulation, select the entry for the video you want to cache, and then click Start Now. Updating the status of the video takes approximately one minute.
  • Page 267 You can schedule the date and time at which you want to start downloading and caching videos from the URL to the appliance. For example, you might want to fetch videos just before you expect users to
  • Page 268 3. From the Interface list, select the interface that you want to use for the URL entry. The list displays the interfaces that are available and configured on the appliance. 4. Click OK.
  • Page 269: Verify Video Caching

    • On the Dashboard page, you can view the caching benefit, as a percentage, by hovering the cursor over the Data Reduction field on the Dashboard. You can also view the bytes served from the cache (Cached Data) under Aggregated Link Throughput.
  • Page 270 1 minute, 1 hour, 1 day, 1 week, and 1 month. This data is also displayed in a tabular format below the graph. • On the Monitoring > Optimization > Usage Graph page, you can view the cached data in the LAN Monitoring graph.
  • Page 271: Manage Video Caching Sources

    That is, the cached connections are displayed here even if a partner Citrix SD-WAN WANOP appliance is not involved in the connection. The Bandwidth Savings (%) column shows a bar graph of how much WAN bandwidth was saved by the transaction, whether through caching or compression.
  • Page 272 If your HTTP video server uses a port other than this well-known HTTP port, you must add the port number to the list of caching ports. To configure global settings for video caching: 1. Navigate to Configuration > Video Caching > Set Global Parameters.
  • Page 273: Wan Insight

    WAN insight February 22, 2019 The Citrix SD-WAN WANOP appliances optimize the delivery of a large number of applications through the WAN, by improving the efficiency of data flow across the network between the datacenter and the
  • Page 274 ADM. To enable analytics on the WAN optimization appliance: 1. In a web browser, type the IP address of the Citrix ADM (for example, http://192.168.100.1). 2. In the User Name and Password fields, enter the administrator credentials. 3. Navigate to Infrastructure > Instances > Citrix SD-WAN WO, and select the datacenter WAN...
  • Page 275 • AppFlow: Starts collecting data from WAN optimization instances. • TCP and WANOpt: Provides TCP and WANOpt Insight reports. • HDX: Provides HDX Insight reports. • TCP only for HDX: Provides TCP only for HDX Insight reports. 6. Click OK.
  • Page 276 3. Navigate to Analytics > WAN Insight. Note The WAN Insight option is visible only after you add an SD-WAN WO instance to Citrix ADM. You can view the following reports: • Applications - Displays the usage and performance statistics of all the applications for the selected duration.
  • Page 277: Asymmetric Routing

    | Packets Received | Number of packets that the WAN optimization appliance has received from the network for the selected duration. | | Bytes Sent over WAN | Number of bytes that the Citrix WAN optimization appliance has sent over the WAN for the selected duration. | | Bytes Received over WAN | Number of bytes that the WAN optimization appliance received from the WAN for the selected duration. |
  • Page 278 Client-side asymmetry occurs when packets flow from a client to the server through both the client-side and server-side Citrix SD-WAN WANOP appliances. However, on the return path the packets traverse the server-side Citrix SD-WAN WANOP appliance but bypass the client-side Citrix SD-WAN WANOP appliance.
  • Page 279: Citrix Sd-Wan Wanop Client Plug-In

    Citrix SD-WAN WANOP client plug-in October 15, 2019 The Citrix WANOP Client Plug-in is a software-based network accelerator that runs on Windows laptops and workstations, providing acceleration anywhere, not just at offices with WANOP Client Plug-in appliances. It connects to a Citrix WANOP appliance at the other end of the link.
  • Page 280: Hardware And Software Requirements

    Note The plug-in is supported by Citrix Receiver 1.2 or later, and can be distributed and managed by Citrix Receiver. Hardware and software requirements November 22, 2018 On the client side of the accelerated link, the WANOP Client Plug-in is supported on Windows desktop and laptop systems, but not on netbooks or thin clients.
  • Page 281: How Wanop Plug-In Works

    LAN, WAN, and Internet as it did before installation of the plug-in. No changes are required to your routing tables, network settings, client applications, or server applications.
  • Page 282 Citrix Access Gateway VPNs require a small amount of WANOP Client Plug-in-specific configuration. There are two variations on the way connections are handled by the plug-in and appliance: transparent mode and redirector mode. Redirector is a legacy mode that is not recommended for new deployments.
  • Page 283 In the diagram, traffic from home-office and mobile VPN users that is destined for Large Branch Office B is accelerated by Citrix SD-WAN WANOP B. For this to work, Citrix SD-WAN WANOP A1 and A2 must have daisy-chaining enabled.
  • Page 284 Transparent mode is often used with VPNs. The WANOP Client Plug-in is compatible with most IPSec and PPTP VPNs, and with Citrix Access Gateway VPNs. The following figure shows packet flow in transparent mode. This packet flow is almost identical to appliance-to-appliance acceleration, except that the decision of whether to attempt to accelerate the connection is based on acceleration rules downloaded over the signaling connection.
  • Page 285 4. The server accepts the connection and responds with a TCP SYN-ACK packet. Src: 10.200.0.10, Dst: 10.0.0.50 5. The appliance tags the SYN-ACK packet with a TCP header option that shows that acceleration
  • Page 286 • The destination port numbers are not changed, so network monitoring applications can still classify the traffic. The following figure shows how Redirector mode works. Figure 1. Redirector Mode
  • Page 287 The following figure shows the packet flow and address mapping in redirector mode. Figure 2. Packet Flow in Redirector Mode
  • Page 288 1. The user’s application opens a TCP connection to the server, sending a TCP SYN packet. Src: 10.0.0.50, Dst: 10.200.0.10 2. Citrix SD-WAN WANOP Plug-in looks up the destination address and decides to redirect the connection to the appliance at 10.200.0.201.
  • Page 289 • Some configuration information is considered to be global. This configuration information is taken from the leftmost appliance in the list for which a signaling connection can be opened.
  • Page 290: Deploy Appliances For Use With Plug-Ins

    An appliance depends on your existing security infrastructure in the same way that your servers do. It should be placed on the same side of the firewall (and VPN unit, if used) as the servers.
  • Page 291 Acceleration can be counterproductive if the client forwards traffic to an appliance that is distant from the server, especially if this “triangle route” introduces a slow or unreliable link. Therefore, Citrix recommends that acceleration rules be configured to allow a given appliance to accelerate its own site only.
  • Page 292 This works well if the appliance is subject to the same firewall rules as the servers. When that is the case, any connection that would succeed as a direct connection succeeds as an accelerated connection.
  • Page 293: Customize Plug-In's Msi File

    (including SSL compression characteristics). This can lead to undesirable and confusing results, especially if the DNS server rotates the order of IP addresses for each request. Install the Orca MSI editor:
  • Page 294 On the Tables menu, click Property. A list of all the editable properties of the .MSI file appears. Edit the parameters shown in the following table. To edit a parameter, double-click
  • Page 295: Deploy Plug-Ins On Windows

    Once you have customized the appliance list with Orca and distributed the customized MSI file to your users, the user does not need to type in any configuration information when installing the software. Deploy plug-ins on Windows December 14, 2018
  • Page 296 The WANOP Client Plug-in is an executable Microsoft installer (MSI) file that you download and install as with any other web-distributed program. Obtain this file from the MyCitrix section of the Citrix.com website. Note The WANOP Client Plug-in user interface refers to itself as “Citrix Acceleration Plug-in Manager.”...
  • Page 297 Figure 2. Final Installation Screen: 4. Right-click the Accelerator icon in the task bar and select Manage Acceleration to launch the Citrix Plug-in Accelerator Manager. Figure 3. Citrix Accelerator Plug-in Manager, Initial (Basic) Display:
  • Page 298 Plug-in installation generally goes smoothly. If not, check for the following issues: Common problems: • If you do not reboot the system, the WANOP Client Plug-in will not run properly. • A highly fragmented disk can result in poor compression performance.
  • Page 299 6. Delete everything except the three lines at the top that start with semicolons, and then save the file. This will clear out any inappropriate or obsolete settings and the next installation will use default values. 7. Retry the installation.
  • Page 300: Citrix Sd-Wan Wanop Plug-In Gui

    Citrix SD-WAN WANOP plug-in GUI December 14, 2018 The WANOP Client Plug-in GUI appears when you right-click the Citrix Accelerator Plug-in icon and select Manage Acceleration. The GUI’s Basic display appears first. There is also an Advanced display that can be used if desired.
  • Page 301 • Accelerated CIFS Connections–The number of open, accelerated connections with CIFS (Win- dows file system) servers. This is usually the same as the number of mounted network file sys- tems. Clicking More displays the same information as with accelerated connections, plus a sta- © 1999-2020 Citrix Systems, Inc. All rights reserved.
  • Page 302 This button starts and stops the trace. When you stop tracing, a pop-up window shows the trace files. Send them to your Citrix representative by the means he or she recommends.
  • Page 303 The purpose of these security credentials is to enable the appliance to verify whether the plug-in is a trusted client or not. To upload the CA certificate and certificate-key pair: 1. Select CA Certificate Management.
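The trust check described on this page, as an added example that is not part of the Citrix documentation: a private CA issues the certificate a plug-in presents, and the appliance-side verification accepts only certificates that chain to the uploaded CA certificate. The CA name, the subject names and the temporary directory are assumptions, and the openssl command-line tool stands in for the appliance's GUI upload and its verification of the connecting client.

```shell
#!/bin/sh
# Added example (not from the Citrix documentation). Builds a private CA,
# issues a client certificate for one plug-in, and shows the check the
# appliance applies: a certificate is trusted only if it chains to the CA
# certificate that was uploaded. Names and paths are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA: a self-signed certificate plus its private key. This is the
# "CA certificate" that would be uploaded to the appliance.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example WANOP Plug-in CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A client certificate signed by the CA (arg 1 = subject CN). The resulting
# certificate-key pair is what a legitimate plug-in would present.
issue_client_cert() {
  name=$1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" 2>/dev/null
}

# A self-signed certificate from a client that never went through the CA.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=rogue-plugin" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# The appliance-side decision: returns 0 (trusted) only when the presented
# certificate (arg 1 = name) verifies against the uploaded CA certificate.
plugin_is_trusted() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_client_cert plugin01
make_rogue_cert

if plugin_is_trusted plugin01; then echo "plugin01: trusted"; fi
if plugin_is_trusted rogue; then echo "rogue: trusted"; else echo "rogue: rejected"; fi
```

The rogue certificate is rejected even though it is a well-formed, unexpired certificate: the appliance's decision rests on the chain to the uploaded CA, not on the certificate's own contents, so the CA key is the credential to protect.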
  • Page 304: Update Citrix Sd-Wan Wanop Plug-In

    To uninstall the WANOP Client Plug-in To uninstall the WANOP Client Plug-in, use the Windows Add/Remove Programs utility. The WANOP Client Plug-in is listed as Citrix Acceleration Plug-in in the list of currently installed programs. Select it and click Remove.
  • Page 305: Configure Xenapp Acceleration

    Stream ICA and AutoQoS require Session Reliability to be enabled. To optimize ICA connections for XenApp and XenDesktop release 7.0 and later, Citrix SD-WAN WANOP appliance supports Citrix Receiver for Chrome release 1.4 and later, and Citrix Receiver for HTML5 release 1.4 and later.
  • Page 306 5. Open and use XenApp connections, between updated XenApp clients and servers, that pass through the updated Citrix SD-WAN WANOP. By default, these sessions use CGP. For ICA, on the client, under Citrix Program Neighborhood, clear the Custom ICA Connections check box. Then, right-click a connection icon, navigate to Properties >...
  • Page 307: Optimize Citrix Receiver For Html5

    In a typical branch office and datacenter setup, shared resources like Virtual Desktop Agent (VDA) are installed on a Citrix XenServer server in the datacenter. Clients from the branch offices access these shared resources over the network by using Citrix Receiver.
  • Page 308 If you are using SSL encryption for connections over Citrix Receiver for HTML5, connections use ICA over SSL. To enable ICA over SSL acceleration with Citrix Receiver for HTML5, you need to configure standard SSL acceleration, which includes the appropriate destination IP address in the service class and SSL profile mapping.
  • Page 309: Deployment Modes

    3. Navigate to the Monitoring > Optimization > ICA Advanced page. 4. In the Conn Info tab, scroll down to the ICA Client and Server Information section. Entries for HTML5 connections have Citrix HTML5 client in the Product ID column, as shown in the following screen shot:...
  • Page 310 Citrix SD-WAN WANOP 10.2 Clients install a Citrix Receiver software product, such as Citrix Receiver for HTML5, on their local computers and use it to access resources in the datacenter. Connections through the pair of Citrix SD-WAN WANOP appliances are optimized.
  • Page 311 1. Client uses Citrix Receiver for HTML5 to send a TCP connection request to VDA on port 8008. 2. After establishing the TCP connection, the client sends a WebSocket upgrade request to VDA.
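The opening exchange in steps 1 and 2, as an added example that is not part of the Citrix documentation: the WebSocket upgrade request the client sends once its TCP connection to port 8008 is up, the 101 reply the VDA returns, and the accept-key check the client applies to that reply, all as specified by RFC 6455. The host name is an assumption, the sample nonce is the RFC's own test value, and the ICA traffic that follows the upgrade is not shown.

```shell
#!/bin/sh
# Added example (not from the Citrix documentation): the RFC 6455 opening
# handshake that follows the TCP connection to VDA port 8008. Host name and
# nonce are assumptions; the ICA framing after the upgrade is not shown.

WS_GUID=258EAFA5-E914-47DA-95CA-C5AB0DC85B11

# Sec-WebSocket-Accept = base64( SHA-1( client key || GUID ) ), RFC 6455 4.2.2
ws_accept_key() {
  printf '%s%s' "$1" "$WS_GUID" | openssl dgst -sha1 -binary | openssl base64
}

# Client side: the upgrade request sent on the fresh TCP connection.
# Arguments: host, port, Sec-WebSocket-Key. Header lines end in CRLF and an
# empty line terminates the header block.
ws_upgrade_request() {
  printf 'GET / HTTP/1.1\r\nHost: %s:%s\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Key: %s\r\nSec-WebSocket-Version: 13\r\n\r\n' "$1" "$2" "$3"
}

# Server side: the 101 reply the VDA returns for a given client key.
ws_upgrade_response() {
  printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: %s\r\n\r\n' "$(ws_accept_key "$1")"
}

# Client check: pull Sec-WebSocket-Accept out of the reply and compare it with
# the value derived from the key this client actually sent. A mismatch means
# the reply was not computed from this handshake and the client must not
# treat the connection as an open WebSocket.
ws_handshake_ok() {
  key=$1
  response=$2
  got=$(printf '%s' "$response" | tr -d '\r' \
        | awk -F': ' 'tolower($1)=="sec-websocket-accept"{print $2}')
  [ -n "$got" ] && [ "$got" = "$(ws_accept_key "$key")" ]
}

# Demonstration with the RFC 6455 sample nonce.
KEY=dGhlIHNhbXBsZSBub25jZQ==
ws_upgrade_request vda.example.internal 8008 "$KEY"
REPLY=$(ws_upgrade_response "$KEY")
printf '%s\n' "$REPLY"
if ws_handshake_ok "$KEY" "$REPLY"; then echo "handshake accepted"; fi
```

For the RFC sample key the derived accept value is s3pPLMBiTxaQ9kYGzzhZRbK+xOo=; a reply carrying any other value, for instance one replayed from a different connection, fails the check.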
  • Page 312 VDA and vice versa. Similarly, if a VPN tunnel is created between a Citrix gateway plugin installed on the client and Citrix Gateway installed at the datacenter, the gateway transparently forwards all client messages, immediately upon establishing a TCP connection, to VDA, and vice versa.
  • Page 313 Citrix SD-WAN WANOP appliances deployed in direct access mode In the direct access mode, a pair of Citrix SD-WAN WANOP appliances is installed across a branch office and the datacenter in inline mode. A client accesses VDA resources through Citrix Receiver for HTML5 over the private WAN.
  • Page 314 Citrix SD-WAN WANOP appliances deployed in ICA proxy mode In the ICA proxy mode, a pair of Citrix SD-WAN WANOP appliances is installed across the branch office and a datacenter in inline mode. In addition, you install Citrix Gateway, which proxies VDA, at the datacenter.
  • Page 315 ICA Proxy mode with end-to-end SSL encryption mode is similar to ordinary ICA Proxy mode, with the difference that the connection between the Citrix Gateway and VDA is secured by SSL encryption instead of using an ICA secured connection. In this scenario, you must install appropriate certificates on the Citrix SD-WAN WANOP appliance and VDA.
  • Page 316 Citrix Gateway interfacing external network at the datacenter. The Citrix Gateway plugin on the client and Citrix Gateway on the datacenter create an SSL tunnel or VPN over the network when they establish a connection. As a result, the client has a direct secure access to the VDA resources, with transparent connection through the Citrix SD-WAN WANOP appliance.
  • Page 317: Adaptive Transport Interoperability

    WANOP offers VDA server CPU offload and enables higher XenApp and XenDesktop server scalability. When TCP is used as the data transport protocol, Citrix SD-WAN WANOP supports the optimization as described above. When using Citrix SD-WAN WANOP on network connections, choose TCP and disable EDT.
  • Page 318: Maintenance

    9.0.x or later. If the appliances are running an older software release version, upgrade to the latest software release version first. 1. In Citrix SD-WAN WANOP GUI, go to Configuration > Maintenance > Update Software. Download the ns-sdw-wo-<Build_No>.upg file to upgrade the appliance.
  • Page 319 Upgrade/Downgrade Upgrade system software There is a different Citrix SD-WAN software package for each appliance model. You need to download the appropriate SD-WAN WANOP software package for an appliance you want to include in a network and save it in your local drive.
  • Page 320 Licenses files, SSH parameters, and the IP addresses on the Management IP page are not copied back from the newer release to the older one. Instead, the appliance will revert to the settings that were in effect at the time the older release was upgraded.
  • Page 321: Diagnostics

    This section provides diagnostic tools to identify network issues in your SD-WAN WANOP network and troubleshoot them. You can also obtain system log files, system information, and other necessary details that assist the Citrix SD-WAN Support team in diagnosing and resolving network issues.
  • Page 322 The Tracing tool is used to watch the packets flowing over the SD-WAN WANOP network. It can open each packet and identify the protocol used, the IP address of the source and destination, and other payload information. This information is used by Citrix Support team to find the root cause of network issues.
  • Page 323 Core files are created when the SD-WAN WANOP appliance exits abnormally or crashes. The appliance restarts automatically after a crash. In case of persistent crashes, acceleration is disabled but the management interface remains active.
  • Page 324 You can use the default Line Tester Server interface and port number. Click Start Server to start an iperf server on the appliance. The Line Test: CLIENT function starts an iperf client on the unit, running in TCP mode. You can also
  • Page 325 Click Start Test to see the WAN and LAN traffic result. Ping Ping allows you to check connectivity of the network elements in your SD-WAN network. Enter the IP address of the network element and click Run Ping to see the result.
  • Page 326 The System Info lists all the parameters that are not set to their defaults. This information is read-only. It is used by Support when some kind of misconfiguration is suspected. When you report a problem,
  • Page 327 For Adapter apA.2, and Detailed Information For Adapter apA.1. Diagnostic Data Diagnostic Data allows you to package diagnostic data for analysis by the Citrix Support team. Select the diagnostic files required and click Start. You can then click Retrieve File to download the zip archive, and share it with Citrix Support.
  • Page 328: Troubleshooting

    XenApp and XenDesktop acceleration CIFS and MAPI November 22, 2018 • Issue: A domain controller is removed from the network. However, the Citrix SD-WAN WANOP appliance is not able to leave the domain. Cause: This is a known issue with the appliance.
  • Page 329 4. Verify that the appliance can establish secure peering with the partner appliance. 5. Verify that the Listen On section has an entry for the IP address of the intended Citrix SD-WAN WANOP appliance.
  • Page 330 – Update the delegate user on the Windows Domain page by providing the password for the delegate user once again. • Issue: The Time skew error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.
  • Page 331: Citrix Sd-Wan Wanop Plug-In

    Resolution: Run the domain precheck tool, available on the Windows Domain page, and resolve the issues, if any. If the domain precheck tool does not report any issues, contact Citrix Technical Support for further assistance in resolving the issue.
  • Page 332: Rpc Over Https

    Resolution: To update the signaling IP address on a WANOP 4000 or 5000 appliance, complete the following procedure: 1. Log on to the Citrix instance of the WANOP appliance. 2. Navigate to the Traffic Management > Load Balancing > Virtual Servers > BR_LB_VIP_SIG page.
  • Page 333: Video Caching

    • Issue: After adding an entry to the list of prepopulation tasks, the status of the entry displays ERROR 403. However, the website works fine in a Web browser. Cause: The IP address of the Citrix SD-WAN WANOP apA does not have access to the video server. Resolution: To resolve this issue, verify and update the following: –...
  • Page 334: Xenapp And Xendesktop Acceleration

    7.3.1, the ALTHTTP application is not added to this service class. As a result, even though ICA connections over Citrix Receiver for HTML5 are optimized, these are not categorized as Citrix Receiver for HTML5 connections in the ICA Monitoring pages.
  • Page 336 © 2020 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries.