Citrix SD-WAN

Backhaul Internet

The Citrix SD-WAN solution can backhaul Internet traffic to the MCN site or other branch sites. Backhaul means that traffic destined for the Internet is sent back through another predefined site that can access the Internet. It is useful for networks that do not allow direct Internet access because of security concerns or the underlay network's topology. An example would be a remote site that lacks an external firewall, where the on-board SD-WAN firewall does not meet the security requirements for that site. For some environments, backhauling all remote site Internet traffic through the hardened DMZ at the Data Center might be the best approach to providing Internet access to users at remote offices. This approach does, however, have the following limitations to be aware of, and the underlay WAN links must be sized appropriately.

  • Backhaul of internet traffic adds latency to internet connectivity, and the added latency varies with the distance of the branch site from the data center.

  • Backhaul of internet traffic consumes bandwidth on the Virtual Path and must be accounted for when sizing the WAN links.

  • Backhaul of internet traffic might over-subscribe the Internet WAN link at the Data Center.

Backhaul DC MCN

All Citrix SD-WAN devices can terminate up to eight distinct Internet WAN links into a single device. Licensed throughput capabilities for the aggregated WAN links are listed per respective appliance on the Citrix SD-WAN data sheet.

The Citrix SD-WAN solution supports the backhaul of internet traffic with the following configuration.

  1. Enable Internet Service at the MCN site node, or any other site node where Internet Service is desired.


    Enable Internet Service and Export routes if all other sites are in the WAN to WAN forwarding group.

  2. On the branch nodes where internet traffic is backhauled, manually add a route to direct all default traffic to the Virtual Path Service. The next hop is denoted as the MCN, or intermediary site.

    Backhaul internet routes

  3. Verify that the route table of the branch site does not have any other lower cost routes that would steer traffic away from the desired backhaul route.

    Verify route table
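
The check in step 3 can be run offline against a copy of the branch route table. The following is an added example, not Citrix code or an appliance API: the route table, field names, service labels, cost values and probe addresses are constructed, and the selection order (longest prefix, then lowest cost) is an assumption to confirm against the appliance's own route table view.

```python
import ipaddress

# Constructed branch route table, not exported from an appliance.
# Field names, service labels and cost values are assumptions.
ROUTES = [
    {"prefix": "0.0.0.0/0", "service": "Virtual Path", "next_hop": "MCN", "cost": 5},
    {"prefix": "0.0.0.0/0", "service": "Internet", "next_hop": "local", "cost": 4},
    {"prefix": "10.0.0.0/8", "service": "Virtual Path", "next_hop": "MCN", "cost": 5},
    {"prefix": "192.168.10.0/24", "service": "Local", "next_hop": "local", "cost": 5},
    {"prefix": "8.8.8.0/24", "service": "Passthrough", "next_hop": "local", "cost": 10},
]
# Sample Internet destinations used as probes (constructed).
PROBES = ["1.1.1.1", "8.8.8.8", "203.0.113.10"]

def is_backhaul(route, hop):
    return route["service"] == "Virtual Path" and route["next_hop"] == hop

def best_route(routes, dest, hop="MCN"):
    """Assumed selection order: longest prefix, then lowest cost.
    On an exact tie the non-backhaul route is returned so it gets reported."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       r["cost"], is_backhaul(r, hop)))

def backhaul_bypasses(routes, probes, hop="MCN"):
    """Return (destination, winning route) for probes that miss the backhaul."""
    findings = []
    for dest in probes:
        route = best_route(routes, dest, hop)
        if route is None or not is_backhaul(route, hop):
            findings.append((dest, route))
    return findings

if __name__ == "__main__":
    for dest, route in backhaul_bypasses(ROUTES, PROBES):
        why = "no matching route" if route is None else (
            f"{route['prefix']} via {route['service']} (cost {route['cost']})")
        print(f"{dest}: not backhauled, selected {why}")
```

In the constructed table, both the lower cost Internet default route and the more specific Passthrough route take traffic off the backhaul path; an empty result means every probe resolves to the Virtual Path route toward the MCN.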
