Citrix SD-WAN Orchestrator for On-premises configuration on Citrix SD-WAN appliance
Citrix SD-WAN Orchestrator for On-premises is the on-premises software version of the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator for On-premises provides a single-pane of glass management platform for Citrix partners to manage multiple customers centrally, with suitable role based access controls.
You can establish a connection between your Citrix SD-WAN appliance and the Citrix SD-WAN Orchestrator for On-premises by enabling Orchestrator connectivity and specifying the Citrix SD-WAN Orchestrator for On-premises identity.
Note
- Cloud Orchestrator Zero-Touch Deployment will not work if the On-prem SD-WAN Orchestrator configuration on SD-WAN appliance feature is configured on the SD-WAN appliances.
- Citrix SD-WAN Orchestrator for On-premises on the SD-WAN appliance is lost, if the Citrix SD-WAN Orchestrator for On-premises configuration on the SD-WAN appliance configured in the Citrix SD-WAN release 11.3.0 is downgraded to release 10.2.7. Downgrading from release 11.3.0 to release 10.2.7 is not supported. The workaround is to reconfigure the Citrix SD-WAN Orchestrator for On-premises identity after the downgrade.
- After downgrading the SD-WAN appliance from 11.3.0 to 11.1.1/11.2.0/10.2.7 software version, you must apply identity settings again on the Citrix SD-WAN appliance UI. If any issues related to the Citrix SD-WAN Orchestrator for On-premises configuration or SD-WAN appliance connectivity, disable the Citrix SD-WAN Orchestrator for On-premises connectivity and then enable the Citrix SD-WAN Orchestrator for On-premises connectivity again.
To enable Citrix SD-WAN Orchestrator for On-premises connectivity:
-
In the SD-WAN appliance UI, navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator.
-
Select Enable On-prem SD-WAN Orchestrator Connectivity check box.
-
Enter either the Citrix SD-WAN Orchestrator for On-premises IP address or Domain or both (IP address and domain) for configuration.
If the customer configures only Domain, then they must ensure to add DNS record in their Local DNS server and must configure DNS Server IP Address on SD-WAN Appliances. To configure, navigate to Configuration > Network Adapters > IP Address.
For example, if the Citrix SD-WAN Orchestrator for On-premises Domain is configured as citrix.com, then you must create a DNS record in the DNS Server for the below FQDN and Citrix SD-WAN Orchestrator for On-premises IP Address:
- download.citrix.com
- sdwanzt.citrix.com
- sdwan-home.citrix.com
In advanced configuration:
For Example: If the Orchestrator on-premises domain is configured as citrix.com, the Download Management Service Domain is configured as download.citrix.com, and the Statistics Management Service Domain is configured as statistics.citrix.com. Then you must create a DNS record in the DNS Server for the below FQDN and corresponding IP Address:
- download.citrix.com
- sdwanzt.citrix.com
- statistics.citrix.com
Orchestrator on-premises might support running services like download, statistics on independent server instance, to enable better scalability for large networks. You can select the Advanced Configuration and configure the Download Management Service and Statistic Management service.
Select the Advanced Configuration check box and provide the following details:
-
Download Management Service IP/Domain: Provide the IP address /domain that helps offload SD-WAN software and configuration download aspects, to an independent server instance, to enable better scalability for large networks.
-
Statistic Management Service IP/Domain: Provide the IP address/domain that helps offload collection and management of SD-WAN statistics from devices, to an independent server instance, to enable better scalability for large networks.
-
Select the Authentication Type. The following are the authentications types that are supported between the SD-WAN appliance and the Citrix SD-WAN Orchestrator for On-premises connectivity:
-
No Authentication – No authentication between the SD-WAN Orchestrator on-premises and the SD-WAN appliance, and there is no need to use the SD-WAN Appliance or On-prem SD-WAN Orchestrator Certificate. But you can use this option if you have a secure network such as MPLS.
-
One-way Authentication – On selecting the One-way Authentication type, you must upload the Orchestrator on-premises certificate. Download the Orchestrator on-premises certificate from Orchestrator on-premises and click Upload. SD-WAN appliance trusts the Orchestrator on-premises using the uploaded certificates.
-
Two-way Authentication – Orchestrator on-premises and Appliance certificates have to be exchanged with each other. For Two-way Authentication, you must regenerate, download, and upload the SD-WAN appliance certificate on the Orchestrator on=premises. SD-WAN appliance and Orchestrator on-premises trusts each other using the exchanged certificates.
Note
It is recommended to use only One-way Authentication or Two-way Authentication. In the case of No Authentication, ensure that the DNS is secure from DNS attacks.
If the Orchestrator on-premises Authentication Type is disabled, then Appliance can connect to Orchestrator on-premises either via No Authentication or One-way Authentication or Two-way Authentication mode.
If the Orchestrator on-premises Authentication Type is enabled, then Appliance can only be able to connect to Orchestrator on-premises via Two-way Authentication.
While disabling Authentication Type in Orchestrator on-premises from enable state, existing appliances in One-way Authentication mode goes to disconnected state. Customers have to change the appliance Authentication Type to Two-way Authentication and upload the SD-WAN Appliance certificate to the Orchestrator on-premises to get it connected.
Note
- Generated certificates are X509 self-signed certificates.
- Customer must regenerate the certificates if the certificate is expired or compromised.
- Validity of the certificate is 10 years.
- You can view the certificate details such as, fingerprint, start date, and end date
- Customer must ensure that the certificates are regenerated and exchanged between Orchestrator on-premises and SD-WAN appliance to avoid loss of appliance connectivity with Orchestrator on-premises.
-
-
Click Apply Settings.
To disable the Citrix SD-WAN Orchestrator for On-premises connectivity clear Enable Citrix SD-WAN Orchestrator on-premises Connectivity option and click Apply Settings. To convert Orchestrator on-premises managed network to either Cloud Orchestrator or MCN Managed network, you need to disable Citrix SD-WAN Orchestrator for On-premises Connectivity and must perform the configuration reset. To reset configuration, navigate to Configuration > System Maintenance > Configuration Reset.
Deploy Citrix SD-WAN appliances running on software versions 10.2.7, 11.1.1, or 11.2.0 with Citrix SD-WAN Orchestrator for On-premises
NOTE
To deploy Citrix SD-WAN appliances with software versions 10.2.7, 11.1.1, or 11.2.0, you need Citrix SD-WAN Orchestrator for On-premises version 11.1 or later.
- For each Citrix SD-WAN appliance with software version 10.2.7, 11.1.1 or 11.2.0, log in to the appliance web interface and perform the following:
- Navigate to Configuration > Virtual WAN > On-prem SD-WAN Orchestrator and select the Enable On-prem SD-WAN Orchestrator Connectivity check box.
- Enter the IP address of Citrix SD-WAN Orchestrator for On-premises.
- Click Apply Settings.
-
Log in to Citrix SD-WAN Orchestrator for On-premises UI. Create a site and build the configuration. Enter the serial number of each Citrix SD-WAN appliance in its respective site configuration. Save the configuration.
-
Navigate to Administration > Certificate Authentication and turn the Authentication Type toggle to OFF. Click Yes, Disable to approve the Disabled Authentication Type pop-up.
-
In the Configuration > Network Config Home page, SD-WAN appliances show as Online under the Cloud Connectivity column. This is due to Certificate Authentication disabled on Citrix SD-WAN Orchestrator for On-premises and SD-WAN appliances enabled for Citrix SD-WAN Orchestrator for On-premises connectivity with the appropriate IP address. Allow a couple minutes for the devices to be reported as Online.
-
Select a published software version (11.3.0 or higher) and click Deploy Config/Software. For more details on selecting the published software version, see Software. Stage and Activate the sites. After activation, the appliances show No in the Online column.
-
Navigate to Administration > ZTD Settings > Non-Cloud ZTD. Click +Site and add a site. Enter the management IP and login credentials for each appliance. Click + to add more sites. Click Add.
-
Click Refresh to monitor the configuration status. When the site is successfully configured, the Configuration Status column displays Site is configured successfully.
-
Navigate to the Configuration > Network Config Home page. Successfully configured sites show as Online under the Orchestrator Connectivity column.
- Follow the same process to add any additional sites. Performing the preceding steps does not impact any existing site deployments.