Citrix SD-WAN Orchestrator

Citrix Cloud and Gateway Service optimization

With the Citrix Cloud and Gateway Service optimization feature enhancement, you can detect and route traffic destined for the Citrix Cloud and Gateway Service. You can create policies either to break the traffic out to the Internet directly or to send it via a backhaul route over the virtual path. Without this feature, when the default route is the virtual path, Gateway Service traffic hairpins back to the customer's data center and only then goes out to the Internet, adding unnecessary latency. In addition, you now get visibility into Citrix Gateway Service and Citrix Cloud traffic and can create QoS policies to prioritize it over the virtual path.

The Citrix Cloud and Gateway Service breakout feature is enabled by default in Citrix SD-WAN software version 11.2.1 and above.

For Citrix SD-WAN software versions below 11.3.0, first-packet detection and classification of Citrix Cloud and Gateway Service traffic is performed only while the Citrix Cloud and Gateway Service breakout feature is enabled (that is, not disabled).

For Citrix SD-WAN software version 11.3.0 and above, first-packet detection and classification of Citrix Cloud and Gateway Service traffic is performed regardless of whether the Citrix Cloud and Gateway Service breakout feature is enabled.

Note

  • You can configure the Citrix Cloud and Gateway Service optimization only through the Citrix SD-WAN Orchestrator service.

  • Citrix SD-WAN Orchestrator traffic optimization is available from Citrix SD-WAN software version 11.2.3 onwards. The goal is to provide a more granular classification that separately identifies Citrix SD-WAN Orchestrator traffic and the traffic of its dependent services from other Citrix Cloud traffic, and to provide an Internet breakout option for it. As a result, customers can choose to optimize only the Citrix SD-WAN Orchestrator traffic.

On selecting the Citrix Cloud check box, the Citrix SD-WAN Orchestrator and dependant critical services check box is preselected. This permits all Citrix Cloud Web UI and API traffic (including that of Orchestrator and its dependent services) through the firewall and breaks it out directly to the Internet.

Alternatively, you can select only the Citrix SD-WAN Orchestrator and dependant critical services check box and leave the other traffic disabled, so that only Orchestrator-related traffic is permitted through the firewall and broken out directly.


Citrix Cloud and Gateway Service categories

Following are the traffic categories used for classification and optimization purposes:

  • Citrix Cloud: Enable to detect and route traffic destined for Citrix Cloud Web UI and APIs.

    • Citrix SD-WAN Orchestrator and dependant critical services:

      • Citrix SD-WAN Orchestrator: Enables direct internet breakout of heartbeat and other traffic required to establish and maintain connectivity between Citrix SD-WAN appliance and Citrix SD-WAN Orchestrator.

      • Citrix Cloud Download Service: Enables direct internet breakout for download of appliance software, configuration, scripts, and other requirements onto the Citrix SD-WAN appliance.

  • Citrix Gateway Service: Enable to detect and route traffic (control and data) destined for Citrix Gateway Service.

    • Gateway Service Client Data: Enables direct internet breakout of ICA data tunnels between clients and Citrix Gateway Service. It requires high bandwidth and low latency.

    • Gateway Service Server Data: Enables direct internet breakout of ICA data tunnels between Virtual Delivery Agents (VDAs) and Citrix Gateway Service. It requires high bandwidth and low latency, and is only relevant in VDA resource locations (VDA to Citrix Gateway Service connections).

    • Gateway Service Control Traffic: Enables direct internet breakout of the control traffic. No specific QoS considerations.

    • Gateway Service Web Proxy Traffic: Enables direct internet breakout of the Web proxy traffic. It requires high bandwidth but latency requirements might vary.

Prerequisites

Ensure that you have the following:

  1. To perform the Citrix Cloud and Gateway Service breakout, an Internet service has to be configured on the appliance. For more information on configuring an Internet service, see Internet access.

  2. Ensure that the Management interface has internet connectivity. If the dedicated management interface is not connected, ensure that in-band management is enabled and outbound management traffic has internet connectivity.

  3. You can use the Citrix SD-WAN web interface to configure the management interface settings.

  4. Ensure that the management DNS is configured. To configure management interface DNS, at site level navigate to Configuration > Appliance Settings > Network Adapter. Under the DNS Settings section, provide the primary and secondary DNS server detail and click Save.


How Citrix Cloud and Gateway Service optimization works

  1. The Citrix SD-WAN appliance downloads a list of application signatures using the cloud service API.

  2. When a request for the Citrix Cloud and Gateway Service application arrives, the application is classified on the first packet using the signatures.

  3. Once the Citrix Cloud and Gateway Service traffic is classified, the auto-created application route and firewall policies take effect and break the traffic out directly to the Internet.

  4. DNS requests for Citrix Cloud and Gateway Service domains are forwarded to Quad9 by default.

Traffic flow with/without breakout enabled

  • Without breakout enabled (see figure)

  • With breakout enabled (see figure)

If you use a cloud security stack (for example, Zscaler, Check Point, or Palo Alto) to process internet traffic, the Gateway Service receives packets from the public IP address of that security stack instead of from the SD-WAN branch. This defeats Direct Workload Connection, so packets to the cloud-hosted SD-WAN cannot take the Virtual Path. For more information, see Direct Workload Connection.

By enabling breakout, the Gateway Service receives packets directly from the SD-WAN branch. Dynamic Virtual Paths come up between the SD-WAN branch and the cloud-hosted SD-WAN and the traffic goes via this virtual path between the two sites. For more information on enabling the Dynamic Virtual Paths, see Setup dynamic paths for branch to branch communication.


By enabling breakout, traffic required to establish and maintain connectivity between Citrix SD-WAN devices and Citrix SD-WAN Orchestrator will no longer be backhauled through the data center. The traffic reaches Citrix SD-WAN Orchestrator by directly breaking out to internet from the branches where the Citrix SD-WAN devices are located.


Configure Gateway Service breakout

The Citrix Cloud and Gateway Service breakout policy allows you to specify which category of Citrix Cloud and Gateway Service traffic you can directly break out from the SD-WAN branch.

The Citrix Cloud and Citrix Gateway Service options are available under Citrix Gateway and Citrix Cloud Optimization settings.

Citrix applications can access several services in the Citrix Cloud. For details, see System and Connectivity Requirements.

In the Citrix SD-WAN Orchestrator service, every network has the Citrix Cloud and Gateway Service route by default. To navigate to it, go to Network Configuration > Routing > Routing Policies > Application Routes.

You cannot delete the route, but you can configure its settings as required. Citrix Cloud and Gateway Service are enabled by default.

Transparent forwarder for Citrix Cloud and Gateway Service

Breakout of Citrix Cloud and Gateway Service traffic at the SD-WAN branch begins with a DNS request, so DNS requests for the Citrix Cloud and Gateway Service domains have to be steered locally. If Citrix Cloud and Gateway Service Internet breakout is enabled, the internal DNS routes are determined accordingly. Citrix Cloud and Gateway Service DNS requests are forwarded to the open DNS service Quad9 by default. The Quad9 DNS service is secure, scalable, and has a multi-PoP presence. You can change the DNS service if necessary.

To add a DNS server, at site level, navigate to Configuration > Advanced Settings > DNS. Under Site Specific DNS Servers section, click + DNS Server.


Transparent forwarders for Citrix Cloud and Gateway Service applications are created at every SD-WAN branch that has Internet service and Citrix Cloud and Gateway Service breakout enabled.

To add an application-specific DNS forwarding rule, click + App Specific DNS Forwarding Rule under the DNS Transparent Forwarder section. With this configuration, you can replace the default Quad9 DNS transparent forwarder for Citrix Cloud and Gateway Service applications.

  • Application: Select the Citrix Cloud and Gateway Service application from the Application drop-down list.

  • DNS Server: Select the DNS server that you created under Site Specific DNS Servers from the drop-down list.
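The first-packet classification and breakout steps under "How Citrix Cloud and Gateway Service optimization works", together with the transparent DNS forwarder selection above, modelled as an added Python example (not Citrix code): the signature table, hostnames and category identifiers are constructed assumptions, and the `BreakoutPolicy` flags mirror the check boxes described under Citrix Cloud and Gateway Service categories.

```python
# Added model of this page's breakout and DNS-forwarder decisions, not Citrix code.
# Hostnames, the signature format and category identifiers are constructed assumptions.
from dataclasses import dataclass, field
# Categories named on the page, grouped under their parent check box
CITRIX_CLOUD = {"cloud_web_ui", "orchestrator", "download_service"}
GATEWAY_SERVICE = {"gw_client_data", "gw_server_data", "gw_control", "gw_web_proxy"}
# Constructed signature table (hostname suffix -> category); the appliance downloads
# the real signatures from the cloud service API, whose format is not on the page.
SIGNATURES = {
    ".orchestrator.example-citrix.test": "orchestrator",
    ".cloud.example-citrix.test": "cloud_web_ui",
    ".gateway.example-citrix.test": "gw_control",
}
QUAD9 = "9.9.9.9"  # page's default transparent forwarder (Quad9 public resolver)

@dataclass
class BreakoutPolicy:
    citrix_cloud: bool = True        # "Citrix Cloud" check box
    orchestrator_only: bool = True   # "Orchestrator and dependant critical services"
    gateway_service: bool = True     # "Citrix Gateway Service" check box
    internet_service: bool = True    # prerequisite: Internet service configured
    dns_overrides: dict = field(default_factory=dict)  # category -> site DNS server
    def enabled_categories(self):
        cats = set()
        if self.citrix_cloud:        # selecting Citrix Cloud preselects Orchestrator
            cats |= CITRIX_CLOUD
        elif self.orchestrator_only: # only Orchestrator-related traffic may break out
            cats |= {"orchestrator", "download_service"}
        if self.gateway_service:
            cats |= GATEWAY_SERVICE
        return cats

def classify(hostname):
    """First-packet classification: the longest matching signature suffix wins."""
    host = hostname.lower().rstrip(".")
    matches = [(len(s), c) for s, c in SIGNATURES.items() if host.endswith(s)]
    return max(matches)[1] if matches else None

def route(policy, hostname):
    """(path, category): direct breakout, or the virtual-path default route that hairpins via the DC."""
    cat = classify(hostname)
    if cat and policy.internet_service and cat in policy.enabled_categories():
        return ("internet_breakout", cat)
    return ("virtual_path", cat)

def dns_forwarder(policy, hostname):  # resolver used for the DNS request
    path, cat = route(policy, hostname)
    if path != "internet_breakout":
        return None                  # not steered locally; normal DNS path
    return policy.dns_overrides.get(cat, QUAD9)  # Quad9 unless overridden per app
```

With every check box selected, Gateway Service and Orchestrator hostnames break out and resolve via Quad9; with only the Orchestrator box selected, Citrix Cloud Web UI traffic stays on the virtual path and its DNS is not steered.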

Monitoring

You can monitor the Citrix Cloud and Gateway Service real-time statistics and usage report as follows:

  • Real-time Statistics

  • Real-time Firewall Connections

  • Usage

Troubleshooting

The connectivity errors are logged in SDWAN_dpi.log file. To download the log file, navigate to Troubleshooting > Device Logs, select the required site, choose the log file, and click Download.


You can also verify the device alerts. To verify, navigate to Network > Alerts.
