Citrix SD-WAN WANOP

Configure Citrix SD-WAN WANOP plug-in with Access Gateway VPNs

The Access Gateway Standard Edition VPN supports Citrix SD-WAN WANOP Plug-in acceleration, provided that a Citrix SD-WAN WANOP appliance is deployed with the Access Gateway appliance and the Access Gateway appliance is configured to support it.

For Citrix SD-WAN WANOP Plug-in support with other VPNs, see your VPN documentation or contact your Citrix representative.

To configure Citrix SD-WAN WANOP support, use the Access Gateway administration tool, as follows:

  1. On the Global Cluster Policies page, under Advanced Options, select the Enable TCP optimization with Citrix SD-WAN WANOP Plug-in check box.

  2. Make sure that the IP addresses used by the Citrix SD-WAN WANOP (redirector IP and management IP) have access enabled in the Network Resources section on the Access Policy Manager page.

  3. For each of these addresses, enable all protocols (TCP, UDP, ICMP) and enable Preserve TCP Options.

  4. Make sure that these same addresses are included under User Groups: Default: Network Policies on the Access Policy Manager page.

VPN support options

VPN support is simply a matter of putting the appliance on the LAN side of the VPN, as shown in the following figure. This placement ensures that the appliance receives and transmits the decapsulated, decrypted, plain-text version of the link traffic, allowing compression and application acceleration to work. (Application acceleration and compression have no effect on encrypted traffic. However, TCP protocol acceleration works on encrypted traffic.)

VPN Cabling for an Inline VPN

localized image

The following figure shows one option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

One-Arm VPN Acceleration, Option A

localized image

The following figure shows another option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

One-Arm VPN Acceleration, Option B

localized image

Important

For acceleration to be effective, the VPN must preserve TCP header options. Most VPNs do so.

Configure Citrix SD-WAN WANOP plug-in with Access Gateway VPNs