Earlier this year (2020) Citrix released v11.1 of their SD-WAN firmware and then in May 2020 Citrix released an update, v11.1.1

The Citrix SD-WAN documentation states “Citrix SD-WAN provides an unparalleled experience for mission and business critical applications delivered from any location with comprehensive security that protects users, applications and data across the branch, network and cloud” and this is broadly true.

But as with everything there are always improvement that can be made and faults to be corrected.

So… What I’ve tried to do below, is pick out a few features and fixes I think are of note in these v11.1 and v11.1.1 releases. (You can read the full list in the release notes, links to those are at the bottom of this document.)

Firstly within the v11.1.0 release

Microsoft Office 365 beacon service

  • Citrix SD-WAN supports Microsoft Office 365 beacon probing capability to help determine the best link to be used for Office 365. The probes determine the latency (round-trip-time) involved in reaching Office 365 endpoints through each WAN link, enabling network administrators to identify the best link to be used for O365 traffic.
    • This is nice and for the plethora of O365 users out there to be directed to the nearest front door is excellent. However, I do not believe this to be dynamic and as such if the link you initially select encounters issues you won’t be directed to an alternative and better link. Hopefully something to come in the future.

Also point of note… Citrix SD-WAN Orchestrator deployments only.

ICA session reconnect

  • Citrix SD-WAN supports ICA session reconnects with HDX Insight NSAP virtual channel. If you lose the connection, the connection reconnects without re-entering the login credentials.
    • Another nice feature enhancement, further enhancing the “Citrix on Citrix” message and with the increase in remote working and Citrix recent Citrix SD-WAN for CMD (Citrix Managed Desktops) it improves performance and reliability for the user.

Azure Virtual WAN – Hub-to-Hub communication

  • Azure Virtual WAN customers can now leverage Microsoft’s global backbone network for inter-region hub-to-hub communication (Global transit network architecture). This enables branch to Azure, branch-to-branch over Azure backbone, and branch to hub (in all Azure regions) communication.
    • In my simple mind this needs further explanation. So simply put Microsoft have Standard and Basic “Azure Virtual WAN” products. If you purchase the Standard Azure Virtual WAN you can then connect your Citrix SD-WAN (either DC or remote site) to that Azure Virtual WAN using IPSec tunnel and this magic routing happens.

A point of note is that if you install a Citrix SD-WAN VPX in Azure then this automatic routing doesn’t happen, you have to set up your own routes which may or may not add further complexity depending on your Azure infrastructure and knowledge 😊

Multiple WAN link support for Microsoft Virtual WAN connectivity

  • Citrix SD-WAN supports multiple WAN links in primary and secondary fashion to establish an IPsec tunnel towards Azure Hubs. This provides link level redundancy at the site.
    • A nice follow on from the above feature. If you are becoming more reliant on the IPSec tunnel to resources in Azure then being able to integrate 2 WAN links and set them up for failover helps.😊

PKI enhancement – certificate distribution

  • Citrix SD-WAN supports appliance authentication for static and dynamic virtual paths using Public Key Infrastructure (PKI) as an additional security feature.
    • Security is important and as we grow our WAN infrastructures to include Home workers (using new Citrix SD-WAN 110-LTE-WiFi) ensuring the security of the Virtual paths between the appliances becomes more important.

Certificate authentication, allows organisations to use certificates issued by their private Certificate Authority (CA) to authenticate appliances. The appliances are authenticated before establishing the virtual paths. For example, if a branch appliance tries to connect to the data centre and the certificate from the branch does not match with the certificate that the data centre expects, the virtual path is not established.

I will have to look further into this on exactly how one would manage these certificates but the latter point here could be built into a theft security mechanism, maybe. If a device is stolen or moved from its intended site administrators can revoke the device certificate and it will no longer establish connections to the network.

Citrix SD-WAN 110 SE

  • The Citrix SD-WAN 110 SE platform is a new branch side appliance that can be deployed in micro and small branch offices/ remote sites/ retail stores, homes, and temporary worksites.  A single box-in-branch solution helps to reduce the hardware footprint and eases branch deployment.  The new device comes in two models: · SD-WAN 110 and SD-WAN 110-LTE-WiFi.
    • Nothing to say other than an excellent new device for the small and home office deployments
  • NOTE: Release 11.1.0 on the SD-WAN 110-LTE-WiFi model does not currently support Wi-Fi capabilities, this is due later this year.

In-band management enhancements

  • Citrix SD-WAN now supports SNMP and SD-WAN Centre connectivity through in-band management interfaces. This means that separate connectivity via the designated management port is no longer required to connect SD-WAN appliances to Citrix SD-WAN Orchestrator or SD-WAN Centre.
    • Worth a quick comment as there are sites that might struggle to provide internet facing connections for both the Data links and management interface. (sites with LTE only for example) This will help.

Secondly, within the v11.1.1 release

User interface for SD-WAN 110-SE appliance

  • A new User Interface (UI) is introduced for SD-WAN appliances. The new UI is only applicable for 110 device.
    • The New UI can only be accessed by the default admin user (admin). It is mandatory to change the default admin user account password while provisioning the SD-WAN appliance. The default password is the serial number of the SD-WAN 110 device and is mandated to change on first time after logon to device.
    • Until I get access to one of these devices, I can’t make any detailed comments, however, from what I have seen in the docs.citrix.com it looks cool and is following the similar look and feel as that of Citrix SD-WAN Orchestrator.

NOTE: In the above regarding passwords..  Citrix are starting to address security concerns around the default passwords on appliances. How many of us install a Citrix ADC or SD-WAN appliance and leave the admin/nsroot/superuser password as the default, I know I do, certainly for PoC’s. So to address this, starting with the new 110, each appliance will ship with their own unique password and the UI is set to force a change on first login. Great move, I’m going to have to think up a good password I can remember 😊

USB LTE modem support

  • Citrix SD-WAN now supports external USB LTE modems that are – Global Modem Verizon USB730L, AT&T Global Modem USB800, and Huawei E3372h-510. You can connect a pre-approved/qualified 3G/4G USB modem to the USB port of the following appliances.
    • Not a lot to say really, great new feature adding extra LTE support (link of last resort etc.) Note this is for Citrix SD-WAN 110 SE/LTE • Citrix SD-WAN 210 SE/LTE only.

On-prem SD-WAN Orchestrator Identity

  • You can establish a connection between your Citrix SD-WAN appliance and Citrix SDWAN on-prem Orchestrator by enabling Orchestrator connectivity and specifying the on-prem SD-WAN Orchestrator identity.
    • If you are a fan of Citrix SD-WAN Orchestrator (which I am 😊) this is very interesting. In my personal opinion Citrix SD-WAN Orchestrator is a lot more user friendly (intuitive, I’ve heard someone once say) than the MCN configuration utility. Now, having the ability to have an “on-premises” version of Orchestrator could be a nice alternative to the Citrix Cloud based option, especially for those not in the cloud at the moment.

NOTE:

1) This is only introducing the ability to point your Citrix SD-WAN appliance at the on premises Orchestrator.

2) On premises Orchestrator is not yet available.

3) You lose the really cool and simple “Zero Touch Deployment” that cloud based Orchestrator provides 😕

That’s about it from me, for a complete list of what v11.1.1 delivered you can read the release notes:

https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-sd-wan/Citrix-SD-WAN-11-1-0-Release-Notes.pdf

https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-sd-wan/Citrix-SD-WAN-11-1-1-Release-Notes.pdf

FIND OUT MORE

If you would like to talk to someone about these releases or to find out more about Citrix SD-WAN and how it can help to address user and enterprise requirements, please call 0330 010 3443 or email hello@clouddnagroup.com.