Citrix SD-WAN Orchestrator for On-premises 14.4

Connectivity with Citrix SD-WAN appliances

After configuring sites on Citrix SD-WAN Orchestrator for On-premises, establish connectivity between Citrix SD-WAN appliances on the sites with Citrix SD-WAN Orchestrator for On-premises. You can establish connectivity in one of the following ways:

  • One-way Authentication: The SD-WAN appliance authenticates Citrix SD-WAN Orchestrator for On-premises. On enabling one-way authentication, you must download the Citrix SD-WAN Orchestrator for On-premises certificate and upload it on the SD-WAN appliance.

  • Two-way Authentication: The SD-WAN authenticate each other using the exchanged certificates. On enabling two-way authentication, you must upload the SD-WAN appliance certificate on Citrix SD-WAN Orchestrator for On-premises and also Citrix SD-WAN Orchestrator for On-premises certificate on the SD-WAN appliance.

  • No Authentication: The connectivity is established between the Citrix SD-WAN Orchestrator for On-premises and SD-WAN appliances with no authentication. You need not use the SD-WAN Appliance or Citrix SD-WAN Orchestrator for On-premises Certificate. You can use No Authentication when you have a secure network such as MPLS.

Note

It is recommended to use only one-way authentication or two-way authentication. In the case of no Authentication, you have to choose the secure DNS server.

You can configure connectivity with each site manually or use the automated zero-touch deployment.

Note

Citrix SD-WAN 11.3.0 is the minimum software version required for an appliance to connect to Citrix SD-WAN Orchestrator for On-premises.

Zero-touch deployment

Zero-touch deployment is an automated process to configure connectivity between the appliances and Citrix SD-WAN Orchestrator for On-premises. You can establish the connectivity automatically using non-cloud zero-touch deployment or cloud brokered zero-touch deployment settings.

Non-Cloud zero-touch deployment

Non-Cloud zero-touch deployment settings allow you to configure Citrix SD-WAN Orchestrator for On-premises information on SD-WAN appliances. The NITRO API running in the back-end handles download and upload of certificates. It downloads the certificate from Citrix SD-WAN Orchestrator for On-premises, logs in to the SD-WAN appliance, and uploads the certificate. It also downloads the SD-WAN appliance certificate and uploads it on Citrix SD-WAN Orchestrator for On-premises.

Note

Non-Cloud zero-touch deployment is supported on SD-WAN appliances running with the 11.3.0 release or later.

Zero-touch deployment supports only one-way authentication and two-way authentication. No authentication is not supported. If Authentication Type is enabled on Administration > Certificate Authentication page, then two-way authentication is established. If Authentication Type is disabled, then one-way authentication is established.

You can either add sites manually or import a CSV file to add multiple sites simultaneously.

To configure Non-cloud zero-touch deployment settings, navigate to Administration > ZTD Settings > Non-Cloud ZTD, and click + Site.

Site zero-touch deployment settings

Note

You can also access Non-cloud zero-touch deployment settings for each site from Network Configuration Home page. Click the action icon for the site and select Non-cloud ZTD.

Network Config Home: Non-cloud zero-touch deployment

Select a site from the Site Name drop-down list and enter the Management IP address of the Citrix SD-WAN appliance.

Enabling the Use ZTD Interface option ensures that the ZTD interface is used for Non-cloud ZTD, if the ZTD interface is enabled on SD-WAN Orchestrator for On-premises.

Note

  • Ignore the Use ZTD Interface option, if ZTD interface is not enabled on SD-WAN Orchestrator for On-premises.
  • Enable the Use ZTD Interface option when SD-WAN appliance can access the ZTD interface IP address but cannot access the Management IP address.
  • Not selecting the Use ZTD Interface option after enabling ZTD interface, does not mean that the Management Interface IP address is used for communication between SD-WAN appliance and SD-WAN Orchestrator for On-premises. The Use ZTD Interface option is used only for initial configuration of the appliance using Non-Cloud ZTD.

Provide the appliance user name and Password. Select the Freshly Provisioned check box if you are adding a newly provisioned site on which the default password has not been changed. Provide the New Password. The default password is changed to the new password during this zero-touch deployment process.

Note

For a newly provisioned site, it is mandatory to change the default password at the time of first login.

Add site for non-cloud zero-touch deployment

Click + to continue to add more sites.

You can also import a CSV file to add multiple sites simultaneously. A sample downloadable template is available in the UI. Download it and provide the site details.

Download sample CSV file

Sample CSV template

  • Appliance Name: The site name configured during site configuration. For more information, see Site Configuration.
  • Appliance Username: The user name configured on the site appliance.
  • Appliance Password: The corresponding password for the site appliance.
  • Is password expired: Determines if the appliance is freshly provisioned. If the value is True, provide the Appliance New Password.
  • Appliance New Password: The password for freshly provisioned appliances. If the Is password expired value is True, provide the Appliance new password.
  • Is Primary Appliance: If High Availability (HA) is configured, the active appliance must have the value True and standby appliance must have the value False. If HA is not configured, the value must be True.

Click Import, select the CSV file and click Upload.

Import CSV file

Upload CSV file

The configuration status of the sites is displayed, you can choose to delete sites individually or Delete All if sites are not required for zero-touch deployment.

Zero-touch deployment configuration status

Cloud brokered zero-touch deployment

Cloud brokered zero-touch deployment uses Citrix SD-WAN Orchestrator service as a broker between Citrix SD-WAN Orchestrator for On-premises and the Citrix SD-WAN appliances. Citrix SD-WAN Orchestrator for On-premises sends a cloud zero-touch deployment configuration package to Citrix SD-WAN Orchestrator service. The cloud zero-touch deployment configuration package consists of the following information:

  • On-prem identity information
  • Authentication type
  • On-prem certificate
  • Appliance details (List of serial numbers)

Citrix SD-WAN Orchestrator service stores the information received from Citrix SD-WAN Orchestrator for On-premises. When an appliance contacts the Citrix SD-WAN Orchestrator service with its serial number, the acquired intelligence of Citrix SD-WAN Orchestrator service determines that the appliance has to be managed by Citrix SD-WAN Orchestrator for On-premises. Citrix SD-WAN Orchestrator service passes on the Citrix SD-WAN Orchestrator for On-premises details to the appliance. Citrix SD-WAN appliance sends its certificate to Orchestrator service. Citrix SD-WAN Orchestrator service receives and stores the appliance certificate.

Citrix SD-WAN Orchestrator for On-premises periodically fetches the appliance certificate from Citrix SD-WAN Orchestrator service. Once a secure connection is established between Citrix SD-WAN Orchestrator for On-premises and the appliance, the Citrix SD-WAN Orchestrator for On-premises pushes the configuration and relevant files to the appliances.

Cloud brokered zero-touch deployment settings are available only for customers in a customer managed setup. Provider managed setup does not support cloud brokered zero-touch deployment settings.

Prerequisites

  • Appliances need access to the following domain names to establish connection with Citrix SD-WAN Orchestrator service:
    • sdwanzt.citrixnetworkapi.net
    • download.citrixnetworkapi.net
    • trust.citrixnetworkapi.net
    • sdwan-home.citrixnetworkapi.net
  • Ensure that Citrix SD-WAN Orchestrator for On-premises always has connectivity to Citrix SD-WAN Orchestrator service to onboard SD-WAN appliances.
  • Ensure that Citrix SD-WAN appliance has connectivity to SD-WAN Orchestrator service during the initial on-boarding process and if factory reset is done on the SD-WAN appliance.

To configure Cloud brokered zero-touch deployment settings:

  1. In Citrix SD-WAN Orchestrator for On-premises, create and define sites using the guided workflow. For more information, see Site configuration.

  2. Verify and compile the configuration using the deployment tracker. For more information, see the Deployment Tracker section in Network configuration topic.

  3. Navigate to Administration > ZTD Settings > Cloud Brokered ZTD and click + Site.

    Cloud zero-touch deployment

  4. From the drop-down list select a site name and click Add. The sites are listed based on your configuration. You can select a single site or multiple sites.

    Add sites in cloud zero-touch deployment

  5. The cloud zero-touch deployment configuration is created and sent to Citrix SD-WAN Orchestrator service.

    Cloud zero-touch deployment configuration status

  6. Cable up and power on the SD-WAN appliances at the Data Center and branch sites.

  7. The appliances contact the Citrix SD-WAN Orchestrator service with their serial number.

  8. The Citrix SD-WAN Orchestrator service acts as broker between Citrix SD-WAN Orchestrator for On-premises and the appliances. It allows exchange of certificates and Citrix SD-WAN appliance establishes a secure connection with Citrix SD-WAN Orchestrator for On-premises. Once zero-touch deployment is successful, the configured site comes online and is displayed in the Orchestrator Connectivity column under Configuration > Network Config Home.

  9. Activate and Stage the configuration to push the configuration and software to the appliances.

  10. Once the configuration/software is applied, virtual paths get established and the Availability column under Configuration > Network Config Home gets updated with the appropriate virtual path status.

NOTE

Citrix SD-WAN Orchestrator for On-premises takes about 30 minutes to fetch the appliance certificate and onboard the appliances completely. To pull the appliance certificates immediately (without waiting for 30 minutes), click Pull Appliance certificates.

If necessary, you can choose to click Delete Cloud Brokered ZTD Settings. It removes information related to all sites. If you need to delete a particular site information, then click the delete icon corresponding to that site.

Delete settings in cloud zero-touch deployment

Limitations

  • SD-WAN appliances cannot connect to multiple instances of Citrix SD-WAN Orchestrator for On-premises that share cloud login credentials. For example, an SD-WAN appliance remains connected to Citrix SD-WAN Orchestrator for On-premises configured for the first time. The Citrix SD-WAN Orchestrator for On-premises details that are configured next are not pushed to the SD-WAN appliance.

  • SD-WAN appliances connected over LTE cannot establish a connection with Citrix SD-WAN Orchestrator for On-premises hosted on a private network.

ZTD Interface Settings

You can enable a Zero Touch Deployment (ZTD) interface on SD-WAN Orchestrator for On-premises. The ZTD Interface that is secured by two-way authentication provides a secure communication interface for SD-WAN appliances and SD-WAN Orchestrator for On-premises.

After enabling the ZTD Interface, new D-WAN appliances deployed through Non–Cloud ZTD and Cloud-Brokered ZTD use the ZTD Interface IP address to communicate with SD-WAN Orchestrator for On-premises.

As a prerequisite, ensure that SD-WAN Orchestrator for On-premises Virtual Machine has an additional interface, apart from the Management Interface.

ZTD interface on Citrix Hypervisor

Note

For the VMware ESXi Virtual Machine, ensure that the Virtual Machine is rebooted after adding an extra interface for ZTD.

ZTD interface on Citrix Hypervisor

Enabling ZTD Interface

In SD-WAN Orchestrator for On-premises GUI, navigate to Administration > ZTD Settings and select Enable ZTD Interface to enable ZTD interface. Provide the ZTD interface IP address, Subnet Mask, and Gateway IP address.

Select Use Management Interface for Existing Sites to ensure that SD-WAN appliances already deployed through the Non-Cloud ZTD or the Cloud Brokered-ZTD continue to connect with SD-WAN Orchestrator for On-premises using the Management Interface IP address.

Warning

If Use Management Interface for Existing Sites is not selected, SD-WAN appliances that are already deployed through the Non-Cloud ZTD or the Cloud Brokered-ZTD, lose connection to SD-WAN Orchestrator for On-premises.

ZTD interface settings

Configuring Non-Cloud ZTD using ZTD interface

If the Use Management Interface for Existing Sites option is selected, the appliances that are already deployed using Non-Cloud ZTD continue to use the Management Interface IP address to connect with SD-WAN Orchestrator for On-premises. Initiate Non-Cloud ZTD on the appliances to establish a connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address.

Note

You can disable the Use Management Interface for Existing Sites option after all SD-WAN appliances have established connection with SD-WAN Orchestrator for On-premises through the ZTD Interface IP address.

If the Use Management Interface for Existing Sites option is not selected, SD-WAN appliances already deployed using Non-Cloud ZTD loses the connection to SD-WAN Orchestrator for On-premises. Initiate Non-Cloud ZTD on SD-WAN appliances to restore connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address.

Configuring Cloud Brokerd ZTD using ZTD Interface

If the Use Management Interface for Existing Sites option is selected, the appliances that are already deployed using Cloud Brokered ZTD continue to use the Management Interface IP address to connect with SD-WAN Orchestrator for On-premises. To establish a connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address, do one of the following:

  • On the SD-WAN appliances, update the IP address and certificate of SD-WAN Orchestrator for On-premises.

    Note

    Update the certificate only if the certificates are regenerated manually, you need not update the certificate if the appliances already have the certificates.

  • Perform a factory reset and initiate Cloud Brokered-ZTD on the appliances, to establish a connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address.

Note

You can disable the Use Management Interface for Existing Sites option after all SD-WAN appliances have established connection with SD-WAN Orchestrator for On-premises through the ZTD Interface IP address.

If the Use Management Interface for Existing Sites option is not selected, SD-WAN appliances that are already deployed using Cloud brokered ZTD lose the connection to SD-WAN Orchestrator for On-premises. To restore connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address, do one of the following:

  • On the SD-WAN appliances, update the IP address and certificate of SD-WAN Orchestrator for On-premises.

  • Perform a factory reset and initiate Cloud Brokered-ZTD on the appliances, to establish a connection with SD-WAN Orchestrator for On-premises using the ZTD Interface IP address.

Manual Connectivity Configuration

While configuring connectivity manually, you must download the Citrix SD-WAN Orchestrator for On-premises certificate and upload it on each appliance in the network. It involves logging into each appliance manually for uploading the certificates.

To configure connectivity manually-

  1. Navigate to Administration > Certificate Authentication and enable Authentication Type.

    When Authentication Type is enabled, the SD-WAN appliance can connect to Citrix SD-WAN Orchestrator for On-premises only through Two-way Authentication. When Authentication Type is disabled, the SD-WAN appliance can connect to Citrix SD-WAN Orchestrator for On-premises either through No Authentication, One-way Authentication, or Two-way Authentication.

    Note

    In a provider managed setup, only providers can enable authentication type and regenerate the Citrix SD-WAN Orchestrator for On-premises certificate.

  2. Click Regenerate and Download the Citrix SD-WAN Orchestrator for On-premises certificate.

  3. Choose an appliance from the Appliance Certificate section and upload the corresponding certificate downloaded from the SD-WAN appliance. For detailed information on downloading the appliance certificate, see Citrix SD-WAN Orchestrator on-premises configuration on SD-WAN appliance.

    NOTE

    • Only .pem file type is supported.
    • Only customer administrators can upload the appliance certificate.
  4. Log on to the SD-WAN appliance UI, navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator. Upload the certificate downloaded from Citrix SD-WAN Orchestrator for On-premises. For detailed information, see Citrix SD-WAN Orchestrator for On-premises configuration on SD-WAN appliance.

Certificate authentication

Verify Connectivity

To verify the connectivity status of the appliance, navigate to Configuration > Network Configuration Home, and check the Cloud Connectivity column corresponding to your site.

Verify connectivity

Note

You can publish the desired software to upgrade the appliances under Infrastructure > Orchestrator Administration > Software Images > Appliance. For more information, see Publish software.

Fallback configuration

Fallback configuration ensures that the Citrix SD-WAN Orchestrator for On-premises connectivity that you have established with the Citrix SD-WAN appliance is retained through the appliance’s in-band management IP.

You can enable fallback configuration on Citrix SD-WAN Orchestrator for On-premises at the site level by navigating to Configuration > Appliance Settings > Fallback and click Enable Fallback Configuration.

Enable fallback configuration

For detailed information about fallback configuration, see Inband management.

Note

If you are using an appliance other than Citrix SD-WAN 110 SE, ensure that you are running SD-WAN 11.2 or a later version to enable default fallback configuration.

The following table provides the details of pre-designated WAN and LAN ports for fallback configuration on different platforms:

Platform WAN Ports LAN Ports
110 1/2 1/1
110-LTE 1/2, LTE-1 1/1
210 1/4, 1/5 1/3
210-LTE 1/4, 1/5, LTE-1 1/3
VPX 2 1
410 1/4, 1/5, 1/6 1/3 (FTB)
1100 1/4, 1/5, 1/6 1/3 (FTB)

Port settings

Connectivity with Citrix SD-WAN appliances