Citrix SD-WAN WANOP

Office 365 acceleration

Citrix SD-WAN WANOP optimizes WAN to provide consistent user experience for business applications across branch offices and remote sites.

Microsoft Office 365 is a software-as-a-service (SaaS) application that provides Microsoft’s Office suite of enterprise-grade productivity applications. The application is hosted in the cloud and delivered on demand to users.

The Office 365 acceleration feature allows the branch offices to gain the optimization benefits that Citrix SD-WAN WANOP provides for Microsoft Office 365 application.

Use case

Office 365 acceleration applies when the WAN segment is considerably slower than the Internet segment, and Microsoft’s Office 365 servers are closer to the main office than to the branch office.

Topology

The branch-office Office 365 traffic is sent over the WAN to the main office, and then forwarded to Office 365 servers through the Internet. The segment between the branch office and main office is accelerated.

Note

The segment between the main office and Microsoft Office 365 servers is not accelerated. It is advised that the main office connects to the closest Office 365 server.

How it works

Citrix SD-WAN WANOP SSL acceleration can decrypt and accelerate Office 365 traffic, providing compression. In short, Office 365 branch-office acceleration can be thought of as a special case of RPC-over-HTTPS acceleration.

Procedure

  1. Create secure peering between the branch and main office Citrix SD-WAN WANOP appliances.

  2. Generate proxy certificates and private keys on the domain certification authority (CA).

  3. Add all required CAs to Citrix SD-WAN WANOP:

    1. The CA, intermediate CAs, and root CA of the Microsoft certificates.

    2. The proxy certificates and private keys generated for the Office 365 URLs.

      Note

      To avoid security alerts on your browsers, the proxy certificates must be signed by your Windows domain’s CA server, which makes it acceptable to any domain user.

  4. Create an SSL split proxy profile and bind the split proxy to the Web (Internet-Secure) service class.

  5. Initiate the Office 365 connection and check the accelerated connections.

    Warning

    Branch office devices that are not part of the domain will display security warnings unless you install the certificates manually. Firefox users also have to install the certificates manually, since Firefox does not honor the device’s certificate store.

Configure Office 365 acceleration

To configure Office 365 acceleration:

  1. Set up a secure peering relationship between the two Citrix SD-WAN WANOP appliances, as described in Secure Peering.

  2. Create a new certificate.

    Note

    The server-side Citrix SD-WAN WANOP appliance serves as an intermediary between Office 365 and the clients, so these certificates are signed by the server-side domain controller but refer to the Office 365 domains.

    1. Log on to the Certificate Authority Server for your Windows domain.

    2. If necessary, add the snap-ins for Certification Authority, Certificate Template and Certificates.

    3. Navigate to Certificate Templates > Web Server Properties > Security and select all the options.

    4. Navigate to Certificates > Personal > Certificates (Computer) > All Tasks > Request New Certificate.

    5. In the Certificate Enrolment window, click Next.

    6. In the Select Certificate Enrolment Policy window, select Active directory enrolment policy.

    7. In the Active Directory Enrolment Policy window, select Web Server > Details > Properties.

  3. Copy information from the Office 365 certificates into your new certificate. You end up with a single certificate built from three Office 365 certificates. Proceed as follows:

    1. In a browser, such as Chrome, enter the URL https://login.microsoftonline.com.

      Note

      Do not log in.

    2. Click the padlock icon on the URL bar and select Connection > Certificate Information > Details.

      Note

      These instructions are for the Chrome browser; the procedure is the same for other browsers also.

    3. Click Subject Alternative Name to reveal a list of DNS names such as “login.microsoftonline.com.” Copy the information in the text box below it.

    4. Return to your new certificate’s Certificates Properties window. Add the alternative names in the Value field with Type as DNS to match each alternative name in the Microsoft certificate.

    5. Repeat the process of discovering Subject Alternative Names and adding them to your certificate for https://outlook.office365.com, https://portal.office.com, https://office.live.com, and https://sharepoint.com (the SharePoint URL is customer-specific).

    6. Create a Common Name for your new certificate, for example “Office365 proxy.”

    7. In the Private Key tab, select Make private key exportable.

    8. Click OK, Enroll, and Finish.

  4. Export the certificate.

    1. Under Certificates > Personal > Certificates, select the above created proxy certificate, and then select All Tasks > Export.

    2. The Certificate Export Wizard appears. Click Next.

    3. In Export Private Key, select the option Yes, export the private key and click Next.

    4. Retain the default values for the export file format.

    5. Type and confirm the password, export the private key, and save the certificate as loginportal.pfx.

  5. Export your certificates.

    1. In the Certificate Export Wizard, click Next. In Export Private Key, select the option No, do not export the private key. Click Next.

    2. Retain the default values for the export file format.

    3. Type and confirm the password, complete the export, and save the file under a name such as office365_keys.pfx.

  6. Download the public keys of the root CA and intermediate CAs of the Microsoft certificates.

    1. From the browser, navigate to https://login.microsoftonline.com. Click the padlock icon in the browser. Navigate to Connection > Certificate Information > Certification Path.

    2. Select the root certificate (the one at the top of the list), and then click View Certificate > Details > Copy to File. The Certificate Export Wizard appears. Click Next.

    3. Enter the file name and save the file.

      Note

      Alternatively, you can use Wireshark or OpenSSL to obtain the root and intermediate CA names, and then get the certificates from an authentic source (for example, the Windows SSL store).

    4. Repeat step 6 to save the root and intermediate CAs of the following domains:

      1. login.microsoftonline.com

      2. portal.office.com

      3. outlook.office365.com

      4. *.sharepoint.com

      5. office.live.com

  7. Add all the Office 365 server CAs, proxy certificate/key pairs, and private keys to the server-side Citrix SD-WAN WANOP appliance. The CAs are added using the CA Certificates tab on the Certificates and Keys page. Certificates and certificate/key pairs are added on the Certificate/Key Pairs tab.

  8. Create an SSL split-proxy profile and bind the split proxy to the Web (Internet-Secure) service class.

    1. Navigate to Configuration > Secure Acceleration > SSL Profile > Add Profile.

    2. Enter the profile name of your choice. Select Profile Enabled, Parse Subject Alternative Names, and Split Proxy.

    3. Under Server-Side Proxy Configuration > Verification Store, select Use all configured CA stores.

    4. Under Client-side Proxy Configuration > Certificate/Private Key, select the cert/private key pair you created and exported previously (the one shown in the example as loginportal.pfx). Select Build Certificate Chain. Select the CA associated with the certificate/key pair under Certificate Chain Store.

  9. Bind the created SSL profile to the Web (Internet-Secure) service class. Navigate to Configure > Optimization Rules > Service Classes and add the SSL profile to the SSL profile list.

  10. Enable acceleration and disk-based compression for the Web (Internet-Secure) service class.

  11. Initiate an Office 365 session from your browser.

    The connection is accelerated. In the browser, the certificate chain should show your root CA, the CA that signed the server-side appliance’s proxy certificate, rather than the actual Office 365 certificate.

  12. On the appliance Monitoring > Connections page, verify that the Office 365 connections are compressed and are receiving SSL acceleration.

    Note

    Firefox does not accept the device’s certificates by default, because it has its own certificate store. Therefore, certificates that other browsers (and the device as a whole) accept through normal Windows domain behavior must be installed manually into Firefox. To install certificates into Firefox, follow the procedure in the section Install the certificates to Firefox.
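The two checks worth running before loading the proxy certificate/key pair on the appliance are the ones steps 3 and 11 perform by hand in the browser: does the proxy certificate carry every Subject Alternative Name the Office 365 endpoints present, and does it chain to your domain CA rather than to Microsoft's. The following script is an added example, not Citrix's code or part of the original procedure. It uses OpenSSL (which the note in step 6 mentions as an alternative) to stand up a throwaway CA and a proxy certificate in a temporary directory, so it runs offline; the CA name, file names, and the five-name SAN list are constructed for the example, and the real Office 365 certificates carry more names than these. On a real deployment you would point the two check functions at the certificate exported as loginportal.pfx (converted to PEM) and at your domain CA certificate.

```shell
#!/bin/sh
# Added example, not Citrix's code: an OpenSSL stand-in for steps 3, 6 and 11.
# Builds a throwaway "domain CA" and a split-proxy certificate carrying the
# Office 365 SANs in a temp directory, then provides checks a practitioner can
# run before loading the certificate/key pair on the appliance.
set -euf   # -f keeps "*.sharepoint.com" from being expanded as a filename glob

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SAN list as steps 3.3-3.5 collect it (constructed for this example; the live
# certificates carry more names and the SharePoint name is customer-specific).
REQUIRED_SANS="login.microsoftonline.com outlook.office365.com portal.office.com office.live.com *.sharepoint.com"

# Throwaway CA standing in for the Windows domain CA server (assumed name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Domain CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Proxy certificate request using the common name from the page.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Office365 proxy" \
  -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" >/dev/null 2>&1

# Turn the SAN list into an X.509 subjectAltName extension and sign the request.
ALT=""
for n in $REQUIRED_SANS; do ALT="${ALT:+$ALT,}DNS:$n"; done
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$ALT" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/proxy.pem" >/dev/null 2>&1

# cert_sans FILE: print one SAN DNS name per line (what step 3.3 reads in the browser).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^,[:space:]]*\).*/\1/p'
}

# sans_cover FILE "NAME NAME ...": succeed only if every required name is present.
# A proxy certificate that misses a name produces browser warnings for that host.
sans_cover() {
  have="$(cert_sans "$1")"
  for n in $2; do
    printf '%s\n' "$have" | grep -qxF -- "$n" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# verify_chain LEAF CAFILE: succeed only if LEAF chains to CAFILE, the check the
# browser performs in step 11 once the domain CA is in its trust store.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert_sans "$WORK/proxy.pem"
sans_cover "$WORK/proxy.pem" "$REQUIRED_SANS" && echo "all required SANs present"
verify_chain "$WORK/proxy.pem" "$WORK/ca.pem" && echo "proxy certificate chains to the domain CA"
```

`sans_cover` matches names as fixed strings, so a wildcard entry such as `*.sharepoint.com` must appear literally in the certificate; it does not treat a wildcard as covering a specific host, which mirrors how the page asks you to copy each name exactly as Microsoft's certificate lists it.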

Install the certificates to Firefox

To install the server-side appliance’s proxy certificate into the Firefox certificate store:

  1. In Firefox, navigate to Options > Advanced > Certificate > View Certificates > Authorities > Import.

  2. Upload the local CA proxy certificate, select all the options in the Downloading Certificate wizard and click OK.
