SSL Compression with Citrix SD-WAN WANOP plug-in

The Citrix SD-WAN WANOP Plug-in is always used as the client-side unit and thus requires no additional SSL configuration other than installing credentials for the SSL signaling (secure peering) connection. The main difference between SSL compression on the plug-in and on the appliance is that the plug-in is unable to encrypt the user data in its disk-based compression history.

Caution: Because the disk-based compression history on the Plug-in is not encrypted, it retains a clear-text record of potentially sensitive and ephemeral encrypted communications. This lack of encryption is potentially dangerous on computers for which physical access is not controlled. Therefore, Citrix recommends the following best practices:

  • Do not use Certificate Validation: None on your appliances. (Note that, in this case, the appliance refuses to allow compression with plug-ins that do not have appropriate certificates.)

  • Install certificates only on systems that can be verified to meet your organization’s requirements for physical or data security (for example, laptops that use full-disk encryption).
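The second best practice above asks that credentials only go onto hosts whose disk protection has actually been verified. The following PowerShell pre-flight check is an added example, not Citrix code or part of the plug-in: it reads the BitLocker state of the system drive with the standard `Get-BitLockerVolume` cmdlet and only allows the (placeholder) credential-installation step to proceed when the volume is fully encrypted with protection turned on. It assumes a Windows host with the BitLocker module available; the drive parameter and the installation step are assumptions for illustration.

```powershell
# Added example (not Citrix code): gate SSL signaling credential installation on a
# plug-in host behind a full-disk-encryption check. Assumes Windows with the
# BitLocker PowerShell module (Get-BitLockerVolume). The plug-in's own credential
# installation is not shown here and is represented by a placeholder.

function Test-FullDiskEncryption {
    param(
        # Check the system drive by default; point this at the volume that holds
        # the compression history if it lives elsewhere (assumption for this example).
        [string]$MountPoint = $env:SystemDrive
    )
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        Write-Warning "BitLocker status for $MountPoint could not be read: $_"
        return $false   # unknown state is treated as unprotected
    }
    # Require both a fully encrypted volume and active protection. A volume that is
    # still 'EncryptionInProgress', or whose protectors are 'Off' (for example while
    # suspended), still leaves the clear-text history readable to anyone with the disk.
    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    if (-not $encrypted) {
        Write-Warning ("{0}: VolumeStatus={1}, ProtectionStatus={2}" -f `
            $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    }
    return $encrypted
}

if (Test-FullDiskEncryption) {
    Write-Host "Full-disk encryption verified; credentials may be installed on this host."
    # <placeholder: your organization's credential-installation step goes here>
} else {
    Write-Host "Refusing to install SSL signaling credentials: the compression history would be stored in clear text on an unprotected disk."
    exit 1
}
```

The check deliberately fails closed: if BitLocker cannot be queried at all, the host is treated as unencrypted rather than assumed safe, which matches the intent of installing credentials only where data security can be verified.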

The Citrix SD-WAN WANOP Plug-in supports both SSL split proxy and SSL transparent proxy. The plug-in ships without certificate-key pairs for the SSL signaling connection. If desired, the same credentials can be used by all plug-ins, or each plug-in can have its own credentials.

The plug-in does not attempt SSL compression unless credentials have been installed.

The plug-in inherits its crypto license from the appliance.
