Citrix SD-WAN

New user interface for SD-WAN appliances

A new User Interface (UI) is introduced for SD-WAN appliances. The new UI is built using the latest UI technologies. Its design improves security and look and feel, and it is more performant and responsive. The new UI retains the flow and page layout of each feature from the legacy UI.

The new UI is applicable only for the customers using the following appliances:

Appliance               Release
Citrix SD-WAN 110 SE    11.1.1 onwards
Citrix SD-WAN 210 SE    11.2.1 onwards
Citrix SD-WAN 410 SE    11.3.0 onwards
Citrix SD-WAN SE VPX    11.3.0 onwards

Note

  • Provisioning the Citrix SD-WAN 210-SE, 410 SE, or VPX SE as an MCN redirects you to the legacy UI.
  • All local users with an Admin role and remote admin users can access the new user interface. Remote user accounts are authenticated through RADIUS or TACACS+ authentication servers. It is mandatory to change the default admin user account password while provisioning the SD-WAN appliance. The default password is the serial number of the SD-WAN appliance, and it must be changed at the first logon to the device.

Default password

The legacy UI is maintained for backward compatibility and is deprecated. The legacy UI can be accessed using the URL https://<ip-address>/cgi-bin/login.cgi. The user name and password for the user admin remain the same across both (new/legacy) user interfaces, and first-time login procedures can be done using either interface. Additional users will be supported in future versions of the new UI.

Citrix SD-WAN new user interface

The new UI can be accessed using Google Chrome (version 81), Mozilla Firefox, Microsoft Edge (version 81+), and Legacy Microsoft Edge (version 44+) browsers.

NOTE

Microsoft Internet Explorer, Apple Safari, and other browsers are not supported.

To access the new UI page, perform the following:

  1. Open a new browser tab and navigate to https://<management-ip> to access the new UI on the SD-WAN appliance. If you are accessing an IPv6 address, enter https://<[IPv6 address]>.

    Example: https://[fd73:xxxx:yyyy:26::9]

Note

When In-band management is enabled, the interface IP address can be provided in <management-ip> to access the new UI. In-band management can be enabled on multiple trusted interfaces that are enabled to be used for IP services. You can access the UI using the management IP and in-band virtual IPs.

  2. Provide the user name and password. Click Sign In.

The Citrix SD-WAN user interface page appears.

New user interface

After you log in successfully, the navigation panel appears on the left side. A notifications banner also appears on the dashboard if there are any warnings or errors.

New user interface warning message

The left navigation sidebar can be hidden or shown by clicking the hamburger icon. The hamburger icon in the top left corner provides links to the dashboard, basic/advanced settings, monitoring, and management related options.

Hamburger-icon

The user menu on the top right corner displays the logged-on user details. You can open the legacy user interface in a new browser tab by clicking the Open Legacy SD-WAN UI option. Click the bell icon for any notifications.

Menu-icon

Dashboard

The Dashboard page displays the following basic information of the SD-WAN appliance as a tile view:

  • Site – Displays the site information with Management IP Address and Site Name
  • Model – Displays the Model/Sub Model Name and Serial Number
  • Version – Displays Software and Hardware version
  • Uptime – Displays Appliance Uptime, Citrix Virtual WAN Service Status, and Orchestrator Connectivity Status.
  • High Availability – Displays the local and peer appliance HA status and the last HA update received time.
  • Metered Links – Displays the usage and billing details for links on which metering is enabled.

New user interface dashboard

Basic settings

The SD-WAN appliance Basic Settings include configuration of the following entities. The new UI provides a separate page for configuring each entity individually.

  • Management and DNS
  • Interface Settings
  • Date and Time
  • RADIUS Server
  • TACACS+ Server

Management and DNS

From the Management and DNS page, you can configure the management interface IP address and DNS settings. For more information, see Configure Management IP Address.

The management interface allow list is an approved list of IP addresses or IP domains that have permission to access your management interface. An empty list allows the management interface to be accessed from all networks. You can add IP addresses to ensure that the management IP address is accessible only from trusted networks.

To add or remove an IPv4 address in the allowed list, you must access the SD-WAN appliance management interface using an IPv4 address only. Similarly, to add or remove an IPv6 address in the allowed list, you must access the SD-WAN appliance management interface using an IPv6 address only.

New user interface management and DNS

Enter the IP address, Subnet mask, and Gateway IP address for the appliance that you want to configure. Under the DNS Settings section, provide the primary and secondary DNS server details and click Save.

Interface settings

The Interface Settings page displays the Ethernet port configuration data. Ports that are down are indicated by a red dot next to the MAC address.

New user interface Ethernet settings

Date and Time

From the Date and Time settings page, you must set the date and time on the appliance. For more information, see Set date and time.

New user interface date and time

RADIUS Server

You can configure an SD-WAN appliance to authenticate user access with one or more RADIUS servers.

To configure the RADIUS server:

  1. Select the Enable RADIUS check box.

  2. Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.

    NOTE

    To configure an IPv6 address, ensure that the RADIUS server is also configured with an IPv6 address.

  3. Enter the Server Key and confirm.

  4. Enter the Timeout value in seconds.

  5. Click Save.

You can also test the RADIUS server connection. Enter the User Name and Password. Click Verify.

New user interface RADIUS server

TACACS+ Server

You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49.

To configure the TACACS+ server:

  1. Select the Enable TACACS+ check box.

  2. Enter the Server IP Address and Authentication Port. A maximum of three server IP addresses can be configured.

    NOTE

    To configure an IPv6 address, ensure that the TACACS+ server is also configured with an IPv6 address.

  3. Select PAP or ASCII as the Authentication Type.

    • PAP: Uses Password Authentication Protocol (PAP) to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.

    • ASCII: Uses the ASCII character set to strengthen user authentication by assigning a strong shared secret to the TACACS+ server.

  4. Enter the Server Key and confirm.

  5. Enter the Timeout value in seconds.

  6. Click Save.

You can also test the TACACS+ server connection. Enter the User Name and Password. Click Verify.

New user interface TACACS+ server

Advanced settings

The SD-WAN appliance Advanced Settings include configuration of the following entities.

  • Citrix Virtual WAN Service
  • High Availability
  • Mobile Broadband
  • Licensing
  • Fallback Configuration
  • HTTPS Certificate
  • On-prem Orchestrator

Citrix Virtual WAN service

The Citrix Virtual WAN Service page allows you to enable/disable the Citrix Virtual WAN Service. For more information, see Configure Virtual WAN Service.

New user interface virtual WAN service

High Availability

From the High Availability page, you can toggle between active and standby state for an SD-WAN high availability (HA) setup. The high availability status is available in the dashboard (if high availability is configured). For more information, see High Availability Mode.

New user interface HA mode

Mobile broadband

The Citrix SD-WAN appliances such as the Citrix SD-WAN 210 SE LTE and 110 LTE Wi-Fi appliances have a built-in internal LTE modem. You can also connect an external 3G/4G USB modem on the following Citrix SD-WAN appliances.

  • Citrix SD-WAN 210 SE
  • Citrix SD-WAN 210 SE LTE
  • Citrix SD-WAN 110 SE
  • Citrix SD-WAN 110 LTE Wi-Fi SE

CDC Ethernet, MBIM, and NCM are the three types of external USB modems supported.

For more information on configuring LTE using the legacy GUI, see the following topic:

For an internal LTE modem, insert the SIM card into the SIM card slot of the Citrix SD-WAN appliance. Fix the antennas to the Citrix SD-WAN appliance. For more information, see Installing the LTE antennas and power on the appliance.

Note

Citrix SD-WAN 110-LTE-WiFi appliance has two standard (2FF) SIM slots. To use Micro (3FF) and Nano (4FF) size SIMs, use a SIM adapter. Snap the smaller SIM into the adapter. You can obtain the adapter from Citrix as a Field Replaceable Unit (FRU) or from the SIM provider. Hot-swapping of SIM for the internal LTE modem is supported only on the Citrix SD-WAN 110-LTE-WiFi appliance.

Prerequisites for external LTE modem:

  • Use the supported USB LTE dongles. The supported dongle hardware models are Verizon USB730L and AT&T USB800.
  • Ensure that a SIM card is inserted into the USB LTE dongle. The CDC Ethernet LTE dongles are pre-configured with a static IP address; if the SIM card is not inserted, this interferes with the configuration and causes connection failure or intermittent connection.
  • Before inserting a CDC Ethernet LTE dongle into the SD-WAN appliance, connect the external USB stick to a Windows/Linux machine and ensure that the internet is working properly with proper APN and Mobile Data Roaming configuration. Ensure that the Connection mode of the USB dongle is changed from the default value Manual to Auto.

Note

  • The Citrix SD-WAN appliances support only one USB LTE dongle at a time. If more than one USB dongle is plugged in, unplug all the dongles and plug in only one dongle.
  • The Citrix SD-WAN appliances do not support user name and password for USB modems. Ensure that the user name and password feature is disabled on the modem during setup.
  • Unplugging or rebooting an external MBIM dongle impacts the internal LTE modem data session. This is expected behavior.
  • When an external LTE modem is plugged in, the SD-WAN appliance takes about 3 minutes to recognize it.

To view the mobile broadband status, select the modem type.

New user interface mobile broadband

The following are some useful status information:

  • Modem Type: Select the modem type as External or Internal. Internal modem shows the status under Mobile Broadband > Status page. All the other sections such as SIM preference, APN settings, Enable/Disable the modem, Reboot modem, and Refresh SIM are available under Mobile Broadband > Operations page.
  • Active SIM: At any given time, only one SIM can be active. Displays the SIM that is currently active.
  • Operating Mode: Displays the modem state.
  • SIM Capabilities: Displays whether the SIM is supported or not.
  • Model: Displays the mobile broadband module name.

If you select the External modem, it shows the status of the external modem. If the external modem is not configured, it shows the warning message "Selected Modem is not configured on this device."

Device details for CDC Ethernet external modem.

Device details for CDC Ethernet external modem

Device details for MBIM and NCM external modems. The Modem Mode field displays the external dongle type.

Device details for MBIM and NCM external modems

SIM details are displayed for MBIM and NCM external modems only.

SIM details for MBIM and NCM external modems

Mobile broadband operations

Operations that are supported on internal and external modems:

Operations            Internal modem                              External modem - CDC Ethernet  External modem - MBIM and NCM
SIM preference        Yes - For appliances that support dual SIM  No                             No
SIM PIN               Yes                                         No                             No
APN settings          Yes                                         No                             Yes
Network settings      Yes                                         No                             No
Roaming               Yes                                         No                             No
Manage firmware       Yes                                         No                             No
Enable/Disable modem  Yes                                         No                             Yes
Reboot modem          Yes                                         No                             No
Refresh SIM           Yes                                         No                             No

SIM preference

You can insert dual SIMs on a Citrix SD-WAN 110-LTE-WiFi appliance. At any given time, only one SIM is active. Select the SIM preference:

  • SIM One preferred: If two SIMs are inserted, on boot-up the LTE modem uses SIM One, if available. When the LTE modem is up and running it uses whichever SIM (SIM One or SIM Two) is useable at that moment and will continue to use it until the SIM is active.
  • SIM Two preferred: If two SIMs are inserted, on boot-up the LTE modem uses SIM Two, if available. When the LTE modem is up and running it uses whichever SIM (SIM One or SIM Two) is useable at that moment and will continue to use it until the SIM is active.
  • SIM One: Only SIM One is used, irrespective of the SIM state on both the SIM slots. SIM One is always active.
  • SIM Two: Only SIM Two is used, irrespective of the SIM state on both the SIM slots. SIM Two is always active.

Note

The SIM Preference option is not available for the Citrix SD-WAN 210-SE LTE Wi-Fi appliance as it has only one SIM card slot.

New user interface SIM preference

SIM PIN

If you have inserted a SIM card that is locked with a PIN, the SIM status is in Enabled and Not Verified state. You cannot use the SIM card until it is verified using the SIM PIN. You can obtain the SIM PIN from the carrier.

To perform SIM PIN operations, navigate to Advanced Settings > Mobile Broadband > Operations > SIM PIN status.

New user interface SIM PIN status

You can perform the following operations:

  • Verify SIM PIN: Click Verify. Enter the SIM PIN provided by the carrier and click Verify. The status changes to Enabled and Verified.

  • Enable SIM PIN: You can enable SIM PIN for a SIM that has SIM PIN disabled. Click Enable. Enter the SIM PIN provided by the carrier and click Enable. If the SIM PIN state changes to Enabled and Not Verified, it means that the PIN is not verified and you cannot perform any LTE related operations until the PIN is verified. Click Verify. Enter the SIM PIN provided by the carrier and click Verify.

  • Disable SIM PIN: You can choose to disable SIM PIN functionality for a SIM for which SIM PIN is enabled and verified. Click Disable. Enter the SIM PIN and click Disable.

  • Modify SIM PIN: Once the PIN is in Enabled and Verified state you can choose to change the PIN. Click Modify. Enter the SIM PIN provided by the carrier. Enter the new SIM PIN and confirm it. Click Modify.

  • Unblock SIM: If you forget the SIM PIN, you can reset the SIM PIN using the SIM PUK obtained from the carrier. To unblock a SIM, click Unblock. Enter the SIM PIN and SIM PUK obtained from the carrier and click Unblock.

    Note

    The SIM card is permanently blocked after 10 unsuccessful PUK attempts while unblocking the SIM. Contact the carrier service provider for a new SIM card.

APN settings

  1. To configure the APN settings, navigate to Advanced Settings > Mobile Broadband > Operations and go to the APN settings section.

    Note

    Obtain the APN information from the carrier.

  2. Select the SIM card, enter the APN, Username, Password, and Authentication provided by the carrier. You can choose from PAP, CHAP, PAPCHAP authentication protocols. If the carrier has not provided any authentication type, set it to None.

    Note

    All these fields are optional.

  3. Click Apply.

    New user interface APN settings

Network settings

You can select the mobile network on Citrix SD-WAN appliances that support the internal LTE modem. The supported networks are 3G, 4G, or both.

New user interface APN settings

Roaming

The roaming option is enabled by default on your LTE appliances; you can choose to disable it.

LTE roaming

Manage Firmware

Every LTE-enabled appliance has a set of firmware available. You can select from the existing list of firmware or upload a firmware and apply it. If you are unsure of which firmware to use, select the AUTO-SIM option. The AUTO-SIM option allows the LTE modem to choose the best-matching firmware based on the inserted SIM card.

Enable/Disable modem

Enable or disable the modem depending on whether you intend to use the LTE functionality. By default, the LTE modem is enabled.

New user interface enables disable modem

Reboot modem

Reboots the modem. It can take up to 7 minutes for the reboot operation to complete.

New user interface reboot modem

Refresh SIM

Use the Refresh SIM option when the SIM card is not detected properly by the LTE-WiFi modem.

Note

The Refresh SIM operation is applicable for the active SIM only.

New user interface refresh SIM

You can remotely view and manage all the LTE sites in your network using the Citrix SD-WAN Center. For more information, see Remote LTE site management.

For more information on LTE configuration, see Configure LTE functionality on 110-LTE-WiFi appliance and Configure LTE functionality on 210 SE LTE appliance.

For information on configuring external LTE modem, see Configure external USB LTE modem.

Licensing

The Licensing page displays the license details such as server location, model, license type, and so on.

New user interface licensing

Note

When installing and applying a license from the SD-WAN Center, make sure that your specific appliance supports the SD-WAN appliance edition you want to enable, and that you have the correct software version available.

Default/Fallback configuration

The Default/Fallback Configuration page displays the stored fallback configuration data. If the fallback configuration is disabled, you can enable it by switching on the Enable Fallback Configuration switch.

New user interface fallback

Note

LTE interfaces cannot be configured with a static IP address.

For more information, see Default/Fallback configuration.

HTTPS certificate

An HTTPS certificate is required for establishing a secure connection. The HTTPS Certificate page displays the details of the HTTPS certificate that is already installed. For more information, see HTTPS certificates.

New user interface HTTPS certificate

On-prem Orchestrator

Citrix On-prem SD-WAN Orchestrator is the on-premises software version of the Citrix SD-WAN Orchestrator service. Citrix On-prem SD-WAN Orchestrator provides a single pane of glass management platform for Citrix partners to manage multiple customers centrally, with suitable role-based access controls.

You can establish a connection between your Citrix SD-WAN appliance and the Citrix On-prem SD-WAN Orchestrator by enabling Orchestrator connectivity and specifying the On-prem SD-WAN Orchestrator identity.

Note

  • The On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is an enabler for Citrix On-prem SD-WAN Orchestrator. The Citrix On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is currently not available; it is targeted for a future release.
  • Zero-touch deployment will not work if On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is configured on the SD-WAN appliances.

To enable Orchestrator connectivity:

  1. In the appliance GUI, navigate to Advanced Settings > On-prem Orchestrator > Identity.
  2. Select the Enable On-prem SD-WAN Orchestrator Connectivity check box.

    New user interface on-prem orchestrator identity

  3. Enter either the On-prem SD-WAN Orchestrator IP address or Domain or both (IP address and domain) for configuration.

    If the customer configures only the Domain, they must add a DNS record to their local DNS server and configure the DNS server IP address on the SD-WAN appliances. To configure, navigate to Configuration > Network Adapters > IP Address.

    For example, if the On-prem SD-WAN Orchestrator Domain is configured as citrix.com, then you must create a DNS record in the DNS server for the following FQDNs and the On-prem SD-WAN Orchestrator IP address:

    • download.citrix.com
    • sdwanzt.citrix.com
    • sdwan-home.citrix.com

    In case of advanced configuration:

    For example, if the On-prem Orchestrator domain is configured as citrix.com, the Download Management Service Domain is configured as download.citrix.com, and the Statistics Management Service Domain is configured as statistics.citrix.com, then you must create a DNS record in the DNS server for the following FQDNs and the corresponding IP addresses:

    • download.citrix.com
    • sdwanzt.citrix.com
    • statistics.citrix.com

    On-prem Orchestrator might support running services such as download and statistics on an independent server instance, to enable better scalability for large networks. You can select Advanced Configuration and configure the Download Management Service and Statistic Management Service.

    Select the Advanced Configuration check box and provide the following details:

    • Download Management Service IP/Domain: Provide the IP address /domain that helps offload SD-WAN software and configuration download aspects, to an independent server instance, to enable better scalability for large networks.

    • Statistic Management Service IP/Domain: Provide the IP address/domain that helps offload collection and management of SD-WAN statistics from devices, to an independent server instance, to enable better scalability for large networks.

  4. Click Apply.

    To Regenerate, Download, and Upload the SD-WAN appliance or On-prem SD-WAN Orchestrator certificate, navigate to Advanced Settings > On-prem Orchestrator > Certificate.

    If the On-prem Orchestrator Authentication Type is disabled, the appliance can connect to the On-prem Orchestrator via No Authentication, One-way Authentication, or Two-way Authentication mode.

    If the On-prem Orchestrator Authentication Type is enabled, the appliance can connect to the On-prem Orchestrator only via Two-way Authentication.

    While disabling Authentication Type in On-prem Orchestrator from the enabled state, existing appliances in One-way Authentication mode go to the disconnected state. Customers have to change the appliance Authentication Type to Two-way Authentication and upload the SD-WAN appliance certificate to the On-prem Orchestrator to get it connected.

    Note

    • Generated certificates are X509 self-signed certificates.
    • The customer must regenerate the certificates if the certificate is expired or compromised.
    • Validity of the certificate is 10 years.
    • You can view the certificate details such as fingerprint, start date, and end date.
    • The customer must ensure that the certificates are regenerated and exchanged between On-prem Orchestrator and SD-WAN appliance to avoid loss of appliance connectivity with On-prem Orchestrator.
  5. Select the Authentication Type. The following authentication types are supported for connectivity between the SD-WAN appliance and On-prem SD-WAN Orchestrator:

    • No Authentication – There is no authentication between the On-prem SD-WAN Orchestrator and SD-WAN appliance, and there is no need to use the SD-WAN appliance or On-prem SD-WAN Orchestrator certificate. You can use this option if you have a secure network such as MPLS.

      New UI no authentication

    • One-way Authentication – On selecting the One-way Authentication type, you must upload the On-prem Orchestrator certificate. Download the On-prem Orchestrator certificate from the On-prem Orchestrator and click Upload. The SD-WAN appliance trusts the On-prem Orchestrator using the uploaded certificate.

      New UI one-way authentication

    • Two-way Authentication – On-prem Orchestrator and appliance certificates have to be exchanged with each other. For Two-way Authentication, you must regenerate, download, and upload the SD-WAN appliance certificate on the On-prem Orchestrator. The SD-WAN appliance and On-prem Orchestrator trust each other using the exchanged certificates.

      New UI two-way authentication

Note

It is recommended to use only One-way Authentication or Two-way Authentication. If you use No Authentication, you have to choose a secure DNS server.
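
Because the exchanged certificates are self-signed, trust rests on comparing the file you downloaded with the fingerprint and dates shown on the Certificate page. The script below is an added example, not Citrix code: it assumes a PEM file and a SHA-256 fingerprint (the page does not state the algorithm), uses hypothetical function names, and builds a constructed 10-year self-signed certificate as sample input.

```shell
#!/bin/sh
# Added example (not Citrix code): inspect a certificate file before it is
# exchanged between the appliance and the On-prem Orchestrator.
# Assumptions: PEM input, SHA-256 fingerprint, openssl CLI available.

# Print the SHA-256 fingerprint as lowercase hex without separators.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeed when subject and issuer are identical, as in a self-signed cert.
cert_is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Succeed when the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Compare the file with a fingerprint copied from the UI.
# The expected value may contain colons or spaces and any letter case.
cert_matches_fingerprint() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Print a short report; return non-zero if the file must not be uploaded.
review_cert() {
    rc=0
    openssl x509 -in "$1" -noout -subject -startdate -enddate || return 2
    echo "sha256=$(cert_fingerprint "$1")"
    cert_matches_fingerprint "$1" "$2" ||
        { echo "FAIL: fingerprint differs from the expected value"; rc=1; }
    cert_is_self_issued "$1" ||
        echo "WARN: issuer differs from subject (not self-signed)"
    cert_valid_for_days "$1" 30 ||
        { echo "FAIL: expired or expiring within 30 days"; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway 10-year self-signed certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=sample-appliance.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo run on the constructed sample. In real use the expected fingerprint
# is read from the UI of the device that generated the certificate.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
expected=$(cert_fingerprint "$demo_dir/cert.pem")
review_cert "$demo_dir/cert.pem" "$expected"
rm -rf "$demo_dir"
```

In real use, pass the downloaded certificate path as the first argument to review_cert and the fingerprint displayed by the issuing device as the second.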

To disable the On-prem SD-WAN Orchestrator connectivity, clear the Enable On-prem SD-WAN Orchestrator Connectivity check box and click Apply. To convert an On-prem Orchestrator managed network to either a Cloud Orchestrator or MCN managed network, you must disable On-prem SD-WAN Orchestrator Connectivity and perform the configuration reset. To reset the configuration, navigate to Configuration > System Maintenance > Configuration Reset.

Upgrade and Downgrade

  • After upgrading the SD-WAN appliance from 11.1.1/11.2.0/10.2.7 to 11.2.1 software version, you must exchange both appliance and On-prem Orchestrator certificates.

  • After downgrading the SD-WAN appliance from 11.2.1 to 11.1.1/11.2.0/10.2.7 software version, you must apply identity settings again on the Citrix SD-WAN appliance UI. If there are any issues related to On-prem SD-WAN Orchestrator configuration or SD-WAN appliance connectivity, disable the On-prem SD-WAN Orchestrator connectivity and then enable it again.

The On-prem SD-WAN Orchestrator Authentication Type must be disabled to manage the SD-WAN appliances running 10.2.7/11.1.1/11.2.0 software version.

Monitoring

Under the Monitoring section, you can view the Address Resolution Protocol (ARP), Route, Ethernet, and Ethernet MAC statistics along with DHCP Client WAN Links, DHCP Server/Relay, Firewall Connections, and Flows.

  • ARP, Route, Ethernet, and Ethernet MAC Statistics: You can see the statistics information for ARP, Route, Ethernet, and Ethernet MAC. Using the statistics information, you can verify any traffic or interface errors. For more information, see Viewing Statistical Information.

  • DHCP Client WAN Links: The DHCP Client WAN Links page provides the status of learned IPs. You can request to renew the IP, which refreshes the lease time. You can also choose to Release Renew, which issues a new IP address with a new lease. For more details, see Monitoring DHCP client WAN links.

  • DHCP Server/Relay: You can use the SD-WAN appliance as either DHCP Servers or DHCP Relay agents.

    • The DHCP server feature allows devices on the same network as the SD-WAN appliance’s LAN/WAN interface to obtain their IP configuration from the SD-WAN appliance.
    • The DHCP relay feature allows your SD-WAN appliances to forward DHCP packets between DHCP client and server.

    For more information, see DHCP server and DHCP relay.

  • Firewall Connections: The Firewall Connections page provides the Firewall connection statistics. You can see how the firewall policies are acting on the traffic for each Application. For more information, see Viewing Firewall Statistics.

  • Flows: The Flows section provides basic instructions for viewing Virtual WAN flow information. For more details, see Viewing Flow Information.

Diagnostics

The Diagnostics section provides the options to test and investigate connectivity issues. For more information, see Diagnostics.

Note

For the Citrix SD-WAN 110 appliance, only one diagnostic package can be present at a time. For the Citrix SD-WAN 210 appliance, a maximum of five diagnostic packages are allowed.

System maintenance

Use the System Maintenance section to perform maintenance activities. The System Maintenance page contains the following options:

  • Delete Files: You can delete Log files, Backup files, and Archived Databases. Select the file that you want to delete from the drop-down menu and click the delete button.
  • Restart System: You can restart the virtual WAN service or reboot the system.
  • Local Change Management: The Local Change Management process allows you to upload a new appliance package to this individual appliance.
  • Configuration Reset: You can reset the configuration. This option clears out the user data, logs, history, and local configuration data on this appliance.
  • Factory Reset: Use Factory Reset option to reset the SD-WAN appliance to the shipped version.

Note

All of these features are already explained in detail in the existing SD-WAN documentation.
