SSL Compression with Citrix SD-WAN WANOP plug-in

The Citrix SD-WAN WANOP Plug-in is always used as the client-side unit and thus requires no additional SSL configuration other than installing credentials for the SSL signaling (secure peering) connection. The main difference between SSL compression on the plug-in and on the appliance is that the plug-in is unable to encrypt the user data in its disk-based compression history.

Caution: Because the disk-based compression history on the Plug-in is not encrypted, it retains a clear-text record of potentially sensitive (and otherwise ephemeral) encrypted communications. This lack of encryption is potentially dangerous on computers for which physical access is not controlled. Therefore, Citrix recommends the following best practices:

  • Do not use Certificate Validation: None on your appliances. (Note that, in this case, the appliance refuses to allow compression with plug-ins that do not have appropriate certificates.)

  • Install certificates only on systems that can be verified to meet your organization’s requirements for physical or data security (for example, laptops that use full-disk encryption).
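As an added example (not part of the Citrix documentation or the plug-in itself), the following PowerShell pre-installation gate enforces the second recommendation on a Windows plug-in host: it refuses to install the SSL signaling credentials unless the system drive is fully encrypted by BitLocker with protection turned on. It assumes a Windows host with the BitLocker module available and an elevated session; the credential-installation step itself is a placeholder.

```powershell
# Added example, not from the Citrix documentation.
# Gate installation of the plug-in's SSL signaling credentials on full-disk
# encryption of the drive that will hold the unencrypted compression history.
# Assumptions: Windows host, BitLocker PowerShell module present, run elevated.

function Test-SystemDriveFullyEncrypted {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Both conditions matter: a volume can be FullyEncrypted while protection
    # is suspended (ProtectionStatus Off), which leaves the data key exposed.
    return ($vol.VolumeStatus -eq 'FullyEncrypted') -and
           ($vol.ProtectionStatus -eq 'On')
}

function Install-PluginSigningCredentials {
    param(
        # Placeholder: path to the certificate-key pair for the signaling connection.
        [Parameter(Mandatory)] [string]$CertificatePath,
        [string]$MountPoint = $env:SystemDrive
    )
    if (-not (Test-SystemDriveFullyEncrypted -MountPoint $MountPoint)) {
        throw ("Refusing to install SSL signaling credentials: $MountPoint is not " +
               "fully encrypted with BitLocker protection on; the plug-in's " +
               "disk-based compression history would be stored in clear text.")
    }
    Write-Verbose "Full-disk encryption verified on $MountPoint; proceeding."
    # Credential installation step goes here. The mechanism is plug-in-specific
    # and is not described on this page, so it is intentionally left out.
}
```

Run the check before rolling credentials out through your deployment tooling, so that a laptop without full-disk encryption never receives a certificate and therefore never enters SSL compression.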

The Citrix SD-WAN WANOP Plug-in supports both SSL split proxy and SSL transparent proxy. The plug-in ships without certificate-key pairs for the SSL signaling connection. If desired, the same credentials can be used by all plug-ins, or each plug-in can have its own credentials.

The plug-in does not attempt SSL compression unless credentials have been installed.

The plug-in inherits its crypto license from the appliance.
