Citrix announce SD-WAN v11.0

With Citrix SD-WAN version 11 now available to download, we thought we would look into some of the more interesting features that are included in this release.

Headline features

The feature enhancements for the new Citrix SD-WAN v11.0 release come under 3 main banners: security, cloud choice and application experience. So, looking at the v11.0 features, what is there of note?

To quote Valerie DiMartino on the Citrix Blog:

“Recent research suggests that by 2021, 94 percent of all workloads will run in some form of cloud environment. Even on-premises workloads will run in a virtualized environment. With that in mind Citrix SD-WAN v11.0 has many innovations that simplify WAN and ease the migration to cloud services, with automation and security at the forefront.”


Citrix SD-WAN v11.0 integration for Palo Alto Networks

Citrix SD-WAN can route traffic from the branch directly to the internet via what is known as local internet breakout, thus avoiding the “hairpin” traffic flow of old, where internet-bound traffic from the branch travels to the datacentre before exiting to the internet. This local breakout can improve user experience and reduce bandwidth consumption on expensive and sometimes congested branch-to-datacentre WAN links.

With the Citrix SD-WAN application deep packet inspection and local firewall feature, administrators can control what traffic exits via these local breakouts. An example is the simple configuration for Office365 breakout that was introduced in a recent release of the Citrix SD-WAN firmware.

To add greater control and monitoring of applications using these local internet breakouts, Citrix has continued to develop and enhance the functionality to include integration with third-party Secure Web Gateways.

With the release of v11.0, Citrix introduced support for Palo Alto Prisma Access. Configuration is simple and handled with the Citrix SD-WAN orchestration tool. It uses an IPSec tunnel to secure traffic from the branch via local internet breakout to Palo Alto Prisma Access in the cloud.

What is Palo Alto Prisma Access?

Palo Alto Prisma Access delivers cloud-based security infrastructure for protecting remote networks and mobile users. It provides security by allowing organisations to set up regional, cloud-based firewalls that protect the SD-WAN fabric. Palo Alto Prisma Access allows for central administration and policy enforcement for ALL connected branch sites, controlling and monitoring inbound and outbound traffic.

In addition to the support of Palo Alto Prisma Access for Branch Sites, Citrix are also introducing the Palo Alto Networks VM-Series next-generation firewall as a VNF on the Citrix SD-WAN 1100 Standard appliance. If you have, or are thinking of getting, a Citrix SD-WAN 1100 Standard edition series appliance, with v11.0 you will be able to add the Next Generation Palo Alto Firewall as a local virtual machine, further reducing hardware requirements at remote sites but enhancing security for the WAN traffic.

Cloud choice & Automation

Citrix SD-WAN and Microsoft Azure

APIs are available for automated provisioning of Citrix SD-WAN instances in Azure. Now you can extend your network to Microsoft Azure faster with “One-click provisioning of resources” within your existing or new VNet (virtual network) and automation of virtual path setup through communication with the Master Control Node (MCN).

Citrix SD-WAN and Office 365

SD-WAN now offers extensions for Office 365 to help automatically maintain direct breakout. By pulling PAC files along with Office 365 data, scripts are patched automatically and served to browsers in branches regularly, allowing them to now get dynamic and automated updates to PAC files.

Google Cloud Platform Marketplace Availability

Citrix SD-WAN now extends enterprise networks to Google Cloud Platform (GCP). Available soon on the GCP Marketplace and managed centrally by Citrix Orchestrator, it lets you deploy a VPX in an IaaS or PaaS cloud.

Your Citrix SD-WAN network can be extended by installing the Citrix SD-WAN virtual appliance into GCP, which provides improved network reliability through link bonding and highly available WAN links. Applications running in GCP such as G-Suite can be improved using Citrix SD-WAN deep packet inspection and QoS.

Application experience

Cloud Direct Service (formerly known as SaaS Gateway)

To further enhance user experience, Citrix is extending its SaaS support beyond the ever-present Office365.

With Citrix Cloud Direct, Citrix allows you to extend the benefits of SD-WAN directly to all SaaS and cloud services, thus enabling enterprise-grade connectivity to SaaS resources for more predictable and reliable access. How? By providing “geo-diversified Points of Presence (PoPs)” for you to connect to from your SD-WAN appliances (currently 7 in the USA and 3 in the EU). These PoPs have dedicated private backbone paths providing automatic geographic redundancy and direct peering to over 150 premium networks and clouds. 🙂

HDX Reporting Enhancements

With the introduction of v11.0 you will be able to see individual Citrix sessions, client IP, ICA RTT, WAN latency, L4 connection state, and published apps by user. Until this release it has been necessary to use a Citrix ADC Gateway for new reports based on username, desktop name, or an HDX user’s traffic.

Other cool stuff that caught our eye…

  • New Citrix SD-WAN 6100: Introduction of the new Citrix SD-WAN 6100 appliance, supporting up to 6Gbps full duplex with plans to go to 10Gbps. Also supports 1000 sites (virtual paths). Port configuration – 2 x 2 port 10/1G bypass, 1 x 4 port 1G/1G, 1 x 4 port 1G Cu FTW. Firmware v10.2.3 and up will support this appliance. Initial release will be Standard Edition with plans for Premium Edition in Q4 2019.
  • Port Redundancy: Support for LACP on both the WAN and LAN side of the SD-WAN appliances allows for the bonding of up to 4 interface ports to give port redundancy.
  • In-band Management: The appliances can now be managed remotely through the data port, which means small sites no longer need extra switches/switch ports on the LAN side to provide for the management interface.
  • Change Management Enhancements: Improvements in the time taken to push configurations to each branch site. For example, a deployment of 550 sites that took up to 30 minutes now takes just 6 minutes!
  • LTE Standby/Metered Links: LTE links can be set up as active and participate with other links, or they can be set up as a “link of last resort” to be used only when no other links are available. If it is set up as an active link, with v11.0 a “Data Cap” can be set so that the link stops being used as and when a threshold is reached, helping to manage costs.
  • OSPF and BGP protocols: Improvements in support for BGP AS Routes allow administrators to manually change the BGP AS path length on appliances so that they can become preferred or not preferred routes. Protocol preference is a Citrix SD-WAN specific feature, which is similar to router administrative distance and allows administrators to choose to use OSPF or BGP by setting a protocol preference.

Want to know more? cloudDNA’s Citrix SD-WAN practice offers a full range of services from product evaluation to ongoing production support and fully managed services. Give the team a call on +44 (0)330 010 3443 and make your branch users happy!