Professional Documents
Culture Documents
Nerateall
Nerateall
com
CloudBridge 7.4
http://docs.citrix.com/content/docs/en-us/cloudbridge/7-4.html
Oct. 27, 2016
citrix.com 1
CloudBridge 7.4
Features
Compression
XenApp/XenDesktop Acceleration
HTTP Acceleration
TCP Flow-Control Acceleration
Traffic Shaping
Traffic Classification
Link Definitions
Secure Traffic Acceleration
How HTML5 Works
Video Caching
Monitoring with AppFlow
Internet Protocol Version 6 (IPv6) Acceleration
SCPS Support
Automatically Configuring CloudBridge Devices
CloudBridge Connector
Show (10)
Release Notes
Citrix CloudBridge 7.4 Release
CloudBridge 7.4.6 Release Notes
FAQs
Acceleration
CIFS and MAPI
Compression
Monitoring with AppFlow
RPC over HTTPS
SCPS
Secure Peering
SSL Acceleration
The CloudBridge Plug-in
Traffic Shaping
Video Caching
Show (6)
citrix.com 2
CloudBridge 1000 and 2000 Appliances with Windows Server
Supported Features
Hardware Platforms
Initial Configuration
Deployment Modes
CloudBridge VPX
CloudBridge VPX Usage Scenarios
System Requirements and Provisioning
Installing CloudBridge Virtual Appliances on XenServer
Installing CloudBridge Virtual Appliances on VMware ESX
Installing CloudBridge Appliances on the Microsoft Hyper-V Platform
Installing the CloudBridge Virtual Appliances on Amazon AWS
Supported Modes
Show (2)
NITRO API
General API Usage
Usage Scenarios
Error Handling
API Reference
Reference Material
Graphical User Interface
Command Line Reference
Glossary
citrix.com 3
About CloudBridge
Citrix CloudBridge appliances optimize your WAN links, giving your users maximum responsiveness and throughput at
any distance. A CloudBridge appliance is easy to deploy, because it works transparently. A twenty minute installation
accelerates your WAN traffic with no other configuration required. You do not have to change your applications, servers,
clients, or network infrastructure. You can, however change them after CloudBridge installation without affecting traffic
acceleration. A CloudBridge appliance needs reconfiguration only when your WAN links change.
CloudBridge products work in pairs, one at each end of a link, to accelerate traffic over the link. The transformations
done by the sender are reversed by the receiver.
However, one appliance (or virtual appliance) can handle many links, so you do not have to dedicate a pair to each
connection.
An enterprise typically has one CloudBridge appliance per site (larger appliances at larger sites, smaller ones at smaller
sites), though a company with numerous branch offices might have multiple appliances at its central data center.
A link from a site with a CloudBridge appliance to a site that does not have a CloudBridge appliance functions normally,
but its traffic is not accelerated.
CloudBridge features include robust compression for brisk performance over relatively slow links, and lossless flow
control to deal with congestion. TCP optimizations overcome the main limitations of problematic links, and application
optimization does away with the limitations of applications designed for high-speed, local networks. An autodetection
feature makes deployment quick and easy.
The Citrix CloudBridge product line protects your productivity by providing reliable WAN and Internet link performance
through a set of multiple, interlocking optimizations, each reinforcing the others. To provide maximum productivity
across your entire enterprise, there are CloudBridge products for every need, from the largest data center though the
smallest branch office and even the individual laptop.
Features at a Glance
Feature Benefits
Compression
Increases speed by reducing transfer size
Delivers compression ratios of up to 10,000:1
Works at LAN speeds for maximum performance
Reduces bandwidth requirements
Application independent
Increases robustness
citrix.com 4
Zero-config
Traffic Management
Traffic shaper optimizes link usage
Prevents rogue applications from interfering with other traffic
Traffic classifier allows advanced control and reporting
Application Acceleration
HTTP
Network Filesystems (CIFS/SMB)
Video Caching (Video over HTTP)
Email Acceleration (MAPI)
SSL Acceleration
Integration
CloudBridge Plug-in Windows client
CloudBridge Connector IPSec VPN
CloudBridge with Windows Server integrated appliances
CloudBridge VPX virtual machine for XenServer, VMware vSphere,
Hyper-V, Amazon AWS
The following are some of the key benefits of our CloudBridge product line.
Compression Overcomes Low Link Speeds. The most obvious problem with wide-area network (WAN) links and Internet
links is their low bandwidth compared to local-area networks (LANs). A 1 Mbps WAN has only 1% of the throughput of a 100
Mbps LAN. How do you overcome low link bandwidth? With compression. A compression ratio of 100:1 enables a 1 Mbps
link to transfer data as quickly as a 100 Mbps. This speedup factor is achieved whenever the following criteria are met:
citrix.com 5
The LAN segments of the link must have flow control that is independent of the WAN segment, because the
different segments handle data at different rates.
Multiple compression engines must be used to handle the different needs of different kinds of traffic.
Interactive traffic requires relatively little bandwidth but is very sensitive to delay, while bulk-transfers are
very sensitive to bandwidth but are insensitive to delay.
TCP Protocol Acceleration Overcomes Congestion. Any attempt to send traffic faster than the link speed results in
congestion, which results in many problems caused by high packet losses and high queuing latency.
Lossless flow control. The TCP/IP protocol has no flow control to slow senders down directly, and the absence of this
necessary control mechanism makes packet losses and excessive queuing delays normal, even on mission-critical
links. (If anything, this problem is getting worse over time, as papers on the phenomenon of bufferbloat attest.)
A CloudBridge appliance solves this problem by providing the flow control that was omitted from the TCP/IP protocol.
Unlike ordinary quality of service (QoS) solutions, which simply reallocate packet loss, CloudBridge provides lossless
flow control that controls the rate at which the endpoint senders transmit data, instead of allowing senders to transmit
data at any speed they like, and dropping packets when they send too much. Each sender transmits only as much data
as CloudBridge allows it to send, without ever dropping a packet, and this data is placed on the link at exactly the right
rate to keep the link full without overflowing. By eliminating excess data, CloudBridge is not forced to discard it. Without
CloudBridge, the dropped packets have to be sent again, causing unnecessary delays. Lossless flow control also
eliminates delays caused by excessive buffering. Lossless flow control is the key to maximum responsiveness on a
busy link, enabling a link that was once congested to the point of unusability at 40% utilization to remain productive and
responsive at 95% utilization.
Eliminating distance-based unfairness. Links with high latency or packet losses are difficult to use at full bandwidth,
especially with ordinary TCP variants such as TCP Reno. The consequences are excessive delays and difficulty in
getting the bandwidth that you are paying for. The longer the link distance, the worse the problem becomes.
CloudBridge TCP protocol acceleration minimizes these effects, allowing intercontinental and even satellite links to run
at full speed.
Traffic Shaping Manages Bandwidth Automatically. On the output side, a fair-queuing-like algorithm ensures that each
connection is independently queued and given its fair share of the link bandwidth. Traffic-shaping policies allow different
services to be given higher or lower precedence.
Applications and protocols designed for use on local-area networks are notorious for poor performance over wide-area
networks, because the designers did not consider the effects of long speed-of-light delays on their protocols. For
example, a simple Windows file system (CIFS) operation can take up to 50 round trips as messages pass back and
forth across the network. In a wide-area network with a 100 ms round-trip time, 50 round trips cause a delay of five
seconds.
Although speed-of-light delays are a fundamental limitation, application optimizations can perform the same operations
in a smaller number of round-trips, usually through speculative operations. Where the original application would issue
one command at a time and wait for it to complete before issuing the next one, it is often perfectly safe to issue a series
of commands without waiting. In addition, data transfers can be accelerated through a combination of pre-fetching, read-
ahead, and write-behind operations. By packing as many operations as possible into a single round trip, performance
can be increased tenfold or more.
CloudBridge optimizations are especially effective on CIFS/SMB (the Windows file system), MAPI (the
Outlook/Exchange protocol), and HTTP.
Multiple Optimizations Enhance XenApp/XenDesktop (Citrix HDX) Performance. Because CloudBridge appliances
are Citrix products, they are especially effective at accelerating Citrix protocols, such as XenApp and XenDesktop.
Every aspect of CloudBridge acceleration comes into play with these protocols to make the remote user experience as
productive as possible.
citrix.com 6
CloudBridge appliances negotiate session options with XenApp and XenDesktop servers. This allows the CloudBridge
appliance to apply the following enhancements:
Autodetection for Minimal Configuration. Because the CloudBridge solution is double-ended, requiring that a CloudBridge
product be present at both ends of the link, deployment would seem to impose a burden on remote offices, especially ones
without dedicated IT staff. However, CloudBridge is designed to be very easy to install and maintain. A typical installation
takes about twenty minutes. The only parameters needed are the usual network parameters (such as IP address and subnet
mask), the address of a Citrix license server, and the send and receive speed of the link.
Requiring only a minimal level of configuration is possible because of autodetection, through which a CloudBridge
determines which connections can be accelerated (and which cannot), without any manual configuration. A CloudBridge
at the other end of the link is automatically detected, and the connection is then accelerated. You can add CloudBridge
appliances to your network in an ad hoc fashion. You do not even have to inform the existing appliances of the arrival of
a new one. They discover it for themselves.
A CloudBridge uses TCP header options to report its presence and to negotiate acceleration parameters with the
remote CloudBridge. Because TCP header options are part of the TCP standard, this method works very well, except in
cases where firewalls are programmed to reject all but the most common options. Such firewalls exist, but they can be
configured to allow the options used by CloudBridge to pass through.
CloudBridge operations are transparent to both the sender and receiver. The other devices in your network are not
aware that CloudBridge exists. They continue working just as they did before CloudBridge installation. This
transparency also eliminates any need to install special software on your servers or clients in order to benefit from
CloudBridge acceleration. Everything works transparently.
Every product in the CloudBridge product line provides basic CloudBridge acceleration features. Most models have
additional features as well, such as:
Video caching
Multiple accelerated bridges with Ethernet bypass feature
Monitoring and management through the GUI, CLI, SNMP, AppFlow, and Citrix Command Center
Different CloudBridge products have different capabilities. Products that support higher WAN bandwidths also support
more users and typically have more resources: more power CPU, more memory, larger disk, and more accelerated
bridges.
The capabilities of products that run on your own hardware, such as the CloudBridge Plug-in and CloudBridge VPX,
depend on the speed of the hardware and the amount of system resources that you dedicate to acceleration.
CloudBridge Architecture
Citrix CloudBridge appliances accelerate the traffic over you WAN links. To accelerate a WAN, you need at least two
CloudBridge appliances, one for each site you wish to accelerate.
The sender-side CloudBridge appliance applies a series of optimizations and transformations to your traffic, such as
compression and encryption. Many operations require that the receiver-side CloudBridge perform an inverse operation,
such as decompression or decryption, to restore the traffic to its original state.
citrix.com 7
Thus, most optimizations require that the traffic pass through two CloudBridge appliances. Some optimizations are
single-ended, and are performed by the local appliance acting alone. These optimizations include traffic shaping and
video caching.
CloudBridge appliances are largely transparent to the network. The appliance itself appears to be a bridge, not a router,
gateway, or proxy. This invisibility allows the appliance to be installed without configuring any other hardware. The
appliance optimizations are also transparent, detected only by the partner appliance at the other end of the link.
CloudBridge appliances can be added to the network at will, because their auto-detection and auto-negotiation features
ensure that a new appliance on the network is immediately detected by other appliances, and acceleration begins at
once.
Although the diagram above shows a network with just two appliances, a single CloudBridge appliance can
communicate with any number of partner sites. Point-to-point, hub-and-spoke, and mesh networks are all supported.
In addition to stand-alone appliances, CloudBridge acceleration products include virtual machines (the CloudBridge
VPX series) and an installable acceleration service for Windows systems (the CloudBridge Plug-in).
In network traffic, a transaction ranges from very smalla single byte of data in a telnet or SSH terminal sessionto
very large, as with FTP transfers, which often exceed a gigabyte in size. A practical accelerator has to accelerate the
entire range of transaction sizes, from interactive traffic to bulk traffic, giving the best performance and user experience
across the board. CloudBridge technology achieves this in a variety of ways.
1. The sending pipeline, which accelerates data entering the WAN from the local LAN.
2. The receiving pipeline, which accelerates data exiting the WAN and entering the local LAN.
Sending Pipeline
To understand the appliance, consider the sending pipeline one unit at a time.
1. Input buffer. Packets from the LAN are received by the appliance. Because non-TCP/IP traffic is optimized only by the
traffic shaper, non-TCP packets are diverted directly to the traffic shaper. The TCP/IP traffic (called TCP traffic from
now on) traverses the rest of the pipeline.
2. Video Cache. If the TCP traffic matches the settings for the video cache, the request is handed off to the video cache
unit.
3. LAN-side auto-detection. Other than traffic shaping, sender-side optimizations require that there be a remote
appliance as well as the local appliance. Any connections that dont pass through a remote appliance are diverted
to the traffic shaper. This action is performed by the LAN-side auto-detection logic. The actual test for a remote
appliance is done by the WAN-side auto-detection unit.
4. LAN-side flow control. CloudBridge acts as a transparent TCP proxy, receiving and acknowledging packets from the
endpoint sender on behalf of the endpoint receiver. This allows the appliance to accept large amounts of data from the
local sender very quickly, at full LAN speeds, regardless of how slowly traffic is moving over the WAN. (Normal TCP
uses end-to-end speed control, which is not agile enough to allow maximum performance.) In addition, CloudBridge
flow control is lossless, meaning that the local sender never sees a dropped packet, increasing reliability and
efficiency.
5. Application engines. CloudBridge performs specific optimizations for several protocols, including:
citrix.com 8
5.
XenApp and XenDesktop, using the ICA and CGP protocols.
Windows Filesystem (CIFS, including the SMB1 and SMB2 versions)
Outlook/Exchange (MAPI)
These optimizations reduce transaction time. This is done through rewriting, combining, and
reordering commands, using read-ahead and write-behind, using a knowledge of the protocol for
more advanced traffic shaping, and compression hinting.
6. Compression engine. Compression makes the transactions smaller, reducing the time it takes to transfer the data over
the link. The CloudBridge compressor uses multiple compression algorithms, some very efficient for small
transactions, some optimized for bulk transactions, and some for midsize transactions. Compression ratios of 10,000:
1 are readily achieved by the CloudBridge compressor. The compressor is very fast, allowing high compression ratios
to be maintained at full WAN speeds. With CloudBridge processing, a file that compresses at a 100:1 ratio can easily
be sent over a 1 Mbps link with an overall throughput of 100 Mbps.
7. Security engine. Some CloudBridge features require that the two appliances enter a secure peer relationship with
each other, and with the origin server. The security engine authenticates this peer relationship and encrypts the
accelerated data connections between them. A secure peer relationship allows the use of SSL compression and the
acceleration of encrypted XenApp/XenDesktop (ICA/CGP), Windows Filesystem (CIFS), and Outlook/Exchange
(MAPI) traffic.
8. WAN-side flow control and auto-detection. The WAN link is where traffic slowdowns occur, and if the link is congested,
packets are lost and must be retransmitted. Retransmitting packets always causes a significant delay, sometimes
lasting more one second. The WAN-side flow-control unit uses advanced retransmission elements and an advanced
TCP/IP protocol for maximum performance in both clean and troubled links. The auto-detection unit
identifies the presence of a partner CloudBridge unit on a connection-by-connection basis, which prevents
optimizations from being used where they are not wanted, and allows new appliances to be detected by the existing
ones as soon as they are added to the network. Auto-detection uses options in the TCP header field. This is normally
transparent but might be blocked by some firewalls, which need to be reconfigured.
9. Application classifier. This unit examines all the traffic flowing through CloudBridge and identifies which application or
protocol it belongs to. This information is used in reporting and by the traffic shaper.
10. Traffic shaper. To avoid congestion, excessive queuing, and other sources of avoidable delays, the traffic shaper
injects traffic onto the WAN at slightly less than the WANs data rate, to ensure that the WAN is never overrun. A
weighted fair queuing algorithm is used to ensure that all traffic gets its fair share of the link bandwidth. Traffic-shaping
policies allow different traffic types to receive different weights, so that some traffic gets more bandwidth than others.
Receiving Pipeline
The pipeline in the receiving direction is similar to the sending direction, except that instead of encrypting, it decrypts,
and instead of compressing, we have decompresses. Also, note that there is a traffic shaper in the receiving direction as
well, applying traffic-shaping policies to incoming WAN traffic, so that both directions are regulated.
On the initial packet of the connection (the SYN packet), the sending appliance attaches header options
identifying itself as a CloudBridge appliance, and also declaring other capabilities, such as compression.
This is called a tagged SYN packet.
Upon receiving a tagged SYN packet, the receiving appliance attaches header options to the SYN-ACK
packet, identifying itself in turn and announcing its capabilities.
Once the sending appliance receives the tagged SYN-ACK packet, the connection can be accelerated
according to whatever capabilities are shared by both appliances. For example, the connection is
compressed if both appliances declared support for compression.
The TCP initial sequence numbers (ISNs) in both directions are altered by adding 2,000,000,000 to the
original values. This is a precaution that prevents the connection from continuing if one appliance fails or has
a routing change that prevents it from seeing all the traffic in the connection. Once a connection is
accelerated, it must remain accelerated throughout its lifetime.
The MSS value is reduced, typically to 1380 bytes, to ensure that each packet has room for the inserted
CloudBridge TCP header options.
The IP addresses and port numbers of the connection remain unchanged.
Pre-Acknowledgement
The SYN and SYN-ACK packets flow from end to end:
The SYN packet flows from the endpoint client, through the client-side appliance, over the WAN, through the
server-side appliance, and finally to the server.
citrix.com 9
The SYN-ACK packet flows from the server, though the server-side appliance, over the WAN, through the
client-side appliance, and finally to the client.
The same is true for the final packets of the connection, the FIN, FIN-ACK, and RST packets.
Other packets, however, are pre-acknowledged. For example, when the server-side appliance receives a packet from
the server, it acknowledges it over the LAN right away, and buffers it for eventual transmission over the WAN. This
allows the server-side appliances buffers to be filled very quickly, so it always has plenty of data to use for
compression and other optimizations. (This is very different from normal TCP operation, where all acknowledgements
come from the opposite side of the WAN, making acknowledgement very slow, and forcing every segment of the
connection to move no faster than the slowest segment, greatly reducing the effectiveness of acceleration.)
Where inline mode is not practical, several other methods are available, most notably WCCP mode. These are one-
arm modes, using a single interface cable.
citrix.com 10
Release Notes
Release notes describe the enhancements, changes, bug fixes, and known issues for a particular release or build of the
Citrix CloudBridge 7.4 software.
Release highlights:
citrix.com 11
Citrix CloudBridge 7.4 Release
These release notes describe the enhancements and known issues in the Citrix CloudBridge 7.4 release.
citrix.com 12
Enhancements
The Citrix CloudBridge 7.4 release has the following enhancements:
On models that include a management service VM, the management service GUI (the System tab) is
no longer used. All management is now performed in the accelerator GUI, simplifying the user
interface and making it more consistent between models that have a management service VM and
those that do not.
On the CloudBridge 4000 and 5000 appliance, using the NetScaler instance GUI is no longer
necessary when setting up WCCP or virtual inline modes.
The Reset to Factory functionality now retains IP configuration and licensing to allow appliances to be
moved from one location to another easily, and shortening the reset time to just a few minutes.
A built-in packet analyzer allows trace files to be viewed on the appliance itself.
The CloudBridge VPX now supports DHCP on the accelerated bridge interface.
The new WAN Insight feature enables NetScaler Insight Center to monitor both accelerated and
unaccelerated traffic flowing through CloudBridge appliances. It can track connections by branch
office as well as by application and user, so link-related or branch-related performance issues can be
pinpointed easily.
Multi-Hop support for NetScaler Insight Center enables Insight Center to detect which Citrix
appliances a connection passes through (CloudBridge, NetScaler, NetScaler Gateway), and in which
order, for improved reporting.
NetScaler Insight Center 10.5.55.8007.e now monitors CloudBridge VPX 7.4.0 appliances.
Note: To monitor a CloudBridge VPX appliance, specify the CloudBridge VPX primary IP
address in the NetScaler Insight Center.
Performance Enhancements
CloudBridge now supports the Citrix NITRO API, which allows you to control CloudBridge appliances
through REST (Representational State Transfer) commands.
A datacenter appliance can now generate and push out secure tunnel credentials to branch-office
appliances.
Other Enhancements
citrix.com 13
Known Issues and Workarounds
The issues that exist in Build 7.4.
Advanced Optimization
Issue 549038: ICA sessions may fail to start if the datacenter includes a NetScaler appliance running in
transparent mode with a build lower than 10.5.55.8004_e and the deployment includes CloudBridge
appliances running release 7.4.0. With Connection Chaining Enabled.
Workaround: Upgrade the NetScaler to Build for CB 7.4 GA Build is 10.5.55.8007_e or above. Or
Disable Connection Chaining in NS and CB
Issue ID 543262: CloudBridge ICA acceleration is not compatible with releases prior to 7.3.1 by default.
Accelerated ICA connections with partner appliances using releases prior to 7.3.1 will fail.
Workaround: Either upgrade all older boxes to release 7.3.1 or above, or, on all appliances running
7.3.1 and above, set the parameter ICA.SupportCbUnawareClientServer to Off, using the Tuning
page's General Parameters feature.
Issue ID 485986: The appliance sometimes becomes unresponsive after the user enables video
caching, or when an appliance with video caching enabled is updated to a new release.
Issue ID 513139: If you delete the ALTHTTP application classifier, Receiver for HTML5 traffic will no
longer be parsed. If you recreate the ALTHTTP classifier, it still will not parse the Receiver for HTML5
traffic.
Issue ID 505623: Automatic client reconnection is not implemented with Citrix Receiver for HTML5.
Hence, disabling acceleration on a CloudBridge appliance can disconnect existing Receiver for HTML5
sessions.
See https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-
feature-matrix.pdf.
Issue ID 502854: In a XenApp and XenDesktop environment, if you add port 8008 to the Video Caching
port list, clients fail to start HTML5 XenApp-hosted applications or XenDesktop-hosted desktops .
Workaround: Create an exclude video source entry for the VDA subnet IP address. This prevents the
appliance from proxying connections destined for the VDA subnet.
Compression
Issue 546885. Under some circumstances, secure acceleration performance may be up to 25% slower
than with previous releases.
Issue ID 480374: (CloudBridge 4000/5000) Do not attempt to upgrade the software by using the
"Upgrade software" mechanism before provisioning the appliance. Use the documented procedure,
which involves updating the management service to release 7.4.0 first.
Issue ID 558463: After making any change to Network Adapter page, the GUI prompts for rebooting the
appliance. Sometimes, after rebooting the appliance, the GUI reports that it is failing multiple times to
connect to appliance. In fact, the appliance is up and the GUI is accessible.
Issue ID 558462: On the Network Adapters > Interfaces page, resetting a 1 Gbps Ethernet interface
fails to reset the interface to its default (Auto) speed/duplex settings.
citrix.com 14
Workaround: Manually set the interface to Auto.
Issue ID 284137, 302326, 368560, 422659, 447895: (CloudBridge 4000/5000). Detailed connection
information is missing.
Issue 503925: New time presets for Russian time-zones are not available on CloudBridge Advanced
platforms.
Issue ID 547672: If you add an initial certificate/key pair inside the Secure Peering Certificates and
Keys section of the Secure Peering page, it is not displayed or selectable on the Certificate/Key Pair
Name menu.
Workaround: Add the certificate/key pair on the Secure Acceleration: Certificate and Keys page first.
Documentation
Issue ID 562816: The Citrix eDocs documentation for this release was not complete at the time of
release, and largely consists of the 7.3 documentation.
Issue ID 552919, 552920: The help icon (a question mark in a circle) takes the user to help topics for
the NetScaler SDX rather than CloudBridge.
Workaround: See Citrix eDocs online documentation for the desired information.
Issue ID 477773: CloudBridge 4000 or 5000 installation issues might arise if two or more CloudBridge
4000 or 5000 appliances are connected to the same broadcast domain.
Issue ID 419760: The accelerator's signaling IP address cannot be changed from the GUI of a
CloudBridge 4000 or 5000 appliance.
Workaround:
2. Navigate to Configuration > Load Balancing > Virtual Servers > BR_LB_VIP_SIG.
Issue ID 500819: If you have already added a maximum number of four AppFlow collectors on a
CloudBridge appliance, adding another collector by using NetScaler Insight Center will display an error,
but Insight Center will continue to list the CloudBridge appliance in its list of added devices, and will not
collect any AppFlow records from the CloudBridge appliance.
Issue ID 561139: (AppFlow) If you define an application in the CloudBridge application classifier that
contains a colon (":") in the name, it will not be exported correctly to the AppFlow collector.
Issue ID 553170: The NetScaler Insight Center dashboard displays the WAN latency value as zero until
the CloudBridge appliance acquires a number of traffic samples.
Issue ID 549679: If NetScaler Insight Center does not get a connection closure update for a particular
connection ID, and the ID is reused, the IP data of the previous connection may be displayed.
Issue ID 549601: If a CloudBridge session is inactive, the WAN Insight node of NetScaler Insight
Center continues to display older data.
citrix.com 15
1. On the Configuration tab, in the navigation pane, click the System and in the right pane click Change
Database Cache Settings.
4. Click OK.
Issue ID 538570: The NetScaler Insight Center dashboard displays the server IP address as
255.255.255.255 on all HDX Insight network topology diagrams.
Issue ID 533063: On the NetScaler Insight Center dashboard, the latency values displayed on the
graph and the network topology diagram might not match due to time synchronization issues.
Networking
Issue ID 487997: After a high availability failover in a group mode topology, group mode might not be
enabled.
Workaround: Disable and enable group mode after the high availability failover.
Issue ID 552529: (CloudBridge 4000/5000) Internal signalling IP 169.254.x.x subnet is displayed in the
CB monitoring connections page and the same is reported to Appflow connectors
Issue ID 539849: WCCP-GRE multicast routing does not work on appliances with a management
service unless the "WCCP and Virtual Inline In-Band Management traffic support" option is enabled on
the Tuning page.
Issue ID 525815: When you access a published application, the Insight Application Report will show
multiple instances of the application if the application launches multiple connections (for example,
Google Chrome.)
Issue ID 550723: Connections in the reverse direction (initiated in the datacenter) do not show an
accurate WAN latency in NetScaler Insight Center.
Platform
Issue ID 539907: On a CloudBridge appliance in transparent mode, when CloudBridge Plug-in Exclude
acceleration rules specified a port number (or range), the acceleration rules are parsed as if the port
had not been specified. In redirector mode, the port specification is honored.
System
Issue ID 557747: (CloudBridge 4000/500) When updating an already-provisioned appliance from an old
release, such as 6.2, the update may fail with a "Failed to upgrade CloudBridge Accelerator, Instance x.
x.x.x is DOWN" message.
Workaround: Restore the admin account password to the factory default (nsroot) and restart the
update. Alternatively, perform a factory reset and then update using the procedure for release 7.1 and
up, which will replace your existing configuration with the factory defaults for the current release, giving
you a fully modern configuration.
Issue ID 547960: If you are using the Private CA feature, deleting either the CA or the Certificate-key
pair (but not both) from that feature will prevent you from re-enabling it.
Workaround: Delete both the CA and the certificate-key pair, then re-enable secure peering in Private
CA mode. This will recreate the credentials.
citrix.com 16
Limitations and Caveats
The management service and NetScaler instance time is not synchronized with that of the NTP server
after the NTP Server is configured through the management service.
NetScaler Insight Center takes two minutes to display the current connection details on the dashboard.
If you upgrade NetScaler Insight Center release 10.5 build 55.8004e to release 10.5 build 8xxx.e, the
columns names will not be displayed on the dashboard.
Workaround: Click the Settings icon, and click "Go back to default."
If you upgrade NetScaler Insight Center appliance to release 10.5 build 55.8xxx.e, the compression
ratio values will be displayed as -NA-.
IPv6 Acceleration
Advanced optimization for IPv6 connections is not supported on the following features:
Video Caching
MAPI
CIFS
ICA
IPv6 connections are not optimized for the following deployment modes:
Virtual Inline mode
WCCP mode
The following limitations apply to IPv6 traffic handling :
The appliance bypasses packets with IPv6 extension headers, such as Routing and IPSEC, on a
per-packet basis.
The appliance removes the IPv6 extension headers, such as Hop-By-Hop, Destination Option,
and Mobility for the TCP connections.
CloudBridge 4000 and 5000 appliances remove IPv6 extension headers, except fragmentation
headers, from TCP/UDP traffic.
CloudBridge appliances do not support accelerated TCP connections with IPv6 fragments. Such
connections are reset when the appliance receives an IPv6 fragment. IPv6 protocol has a Path
MTU discovery feature, and is designed to avoid fragmentation with TCP. In the absence of
tunnels, the appliance rarely receives IPv6 fragmentation with TCP. If the appliance inadvertently
receives such fragmented traffic, the cause might be incorrect TCP configuration on the client or
server.
Workaround: Identify the traffic profile that contains fragmented IPv6 TCP traffic. Create, or
modify an existing, service class with the traffic profile and set the Acceleration Policy parameter
to none.
Video Caching
The video caching prepopulation feature has the following limitations:
Hosted videos should be accessible to the appliance by using absolute paths. A link that redirects to
the video source is not supported.
The video server should be able to respond to the HEAD method requested by the appliance IP
address.
The video server should enable directory listing of the folders.
citrix.com 17
Compatibility
The following table lists the products and platforms supported by release 7.4.
Table 1. Supported Products and Platforms
Appliance Type Supported?
Citrix CloudBridge 400 series Yes
Citrix CloudBridge 800 series Yes
Citrix CloudBridge 1000 with Windows Server and Citrix CloudBridge 2000 with Yes
Windows Server
Citrix CloudBridge 2000 and Citrix CloudBridge 3000 series Yes
Citrix CloudBridge 4000 and Citrix CloudBridge 5000 series Yes
Citrix CloudBridge 600 series Yes
Citrix CloudBridge VPX (all models) Yes
Citrix CloudBridge VPX for Amazon Yes
Citrix CloudBridge VPX for XenServer platforms Yes
Citrix CloudBridge VPX for VMware ESX or ESXi platforms Yes
Citrix CloudBridge VPX for Microsoft Hyper-V Yes
Citrix CloudBridge 700 series Yes
CloudBridge Plug-in Yes
Repeater 8000 Series (New appliances): Appliances that list SM85 Series 3 or SM88 Yes
Series 3 on the System Hardware line of the System Status page
Repeater 8000 Series (Earlier appliances): Appliances that list SM85 Series 2 or SM88 No
Series 2 on the System Hardware line of the System Status page
Earlier Models No
CloudBridge Plug-in
Compatible Operating Systems
The CloudBridge Plug-in is supported on desktop and laptop systems, but not on net-books or thin clients. It is
supported on the following operating systems:
Hardware Requirements
The recommended hardware specifications for systems running CloudBridge Plug-in are:
citrix.com 18
Features Table
Table 3. Features Table for Citrix CloudBridge 600 and 700 Series Appliances
Feature Citrix CloudBridge 600 series Citrix CloudBridge 700 series
Release 7.4 Y Y
Product Features
Video Caching Y N
TCP Acceleration Y Y
Compression Y Y
Traffic Shaping Y Y
XenApp/ XenDesktop Acceleration Y Y
Windows Filesystem Acceleration Y Y
SSL Acceleration Y Y
Windows Outlook Acceleration Y Y
RPC over HTTPS Y Y
CloudBridge Plug-In Support N N
Pay-As-You-Grow Support Y Y
Hardware Features
Network Bypass Card Y Y
10 Gbps Interfaces N N
Fiber Support N N
LCD Front Panel Interface Support Y Y
RS-232 Serial Interface Support Y Y
Support for Initial Config over Network N N
Modes
Inline Y Y
WCCP Y Y
Virtual Inline Y Y
Group Mode Y N
High Availability Y N/R*
VLANs Y N
*The accelerator portion of the product seamlessly fails over in high-availability mode, but the Windows Server portion
does not.
citrix.com 19
Windows Filesystem Y Y Y Y
Acceleration
SSL Acceleration Y Y Y Y
Windows Outlook Y Y Y Y
Acceleration
RPC over HTTPS Y Y Y Y
CloudBridge Plug-In N N Y Y
Support
Pay-As-You-Grow Y Y Y Y
Support
Hardware Features
Network Bypass Card Y Y Y Y
10 Gbps Interfaces N N N N
Fiber Support N N N Y
LCD Front Panel N N N N
Interface Support
RS-232 Serial Y Y Y Y
Interface Support
Support for Initial Y Y Y Y
Config over Network
Modes
Inline Y Y Y Y
WCCP Y Y Y Y
Virtual Inline Y Y Y Y
Group Mode Y N Y Y
High Availability Y Y Y Y
VLANs Y Y Y Y
Table 5. Features Table for Citrix CloudBridge 1000 and 2000 with Windows Server Series Appliances
Feature Citrix CloudBridge 1000 with Citrix CloudBridge 2000 with Windows
Windows Server series Server series
Release 7.4 Y Y
Product Features
Video Caching Y Y
TCP Acceleration Y Y
Compression Y Y
Traffic Shaping Y Y
XenApp/ XenDesktop Acceleration Y Y
Windows Filesystem Acceleration Y Y
SSL Acceleration Y Y
Windows Outlook Acceleration Y Y
RPC over HTTPS Y Y
CloudBridge Plug-In Support N Y
Pay-As-You-Grow Support Y Y
Hardware Features
Network Bypass Card Y Y
10 Gbps Interfaces N N
Fiber Support N N
citrix.com 20
LCD Front Panel Interface Support N N
RS-232 Serial Interface Support Y Y
Support for Initial Config over Y Y
Network
Modes
Inline Y Y
WCCP Y Y
Virtual Inline Y Y
Group Mode Y Y
High Availability Y Y
VLANs Y Y
Table 6. Features Table for Citrix CloudBridge 4000 and 5000 Series Appliances, Citrix CloudBridge VPX, and Citrix
CloudBridge VPX for Amazon
Feature Citrix Citrix Citrix CloudBridge VPX Citrix CloudBridge VPX
CloudBridge CloudBridge for Amazon
4000 series 5000 series
Release 7.4 Y Y Y Y
Product Features
Video Caching N N N N
TCP Acceleration Y Y Y Y
Compression Y Y Y Y
Traffic Shaping Y Y Y N
XenApp/ XenDesktop Y Y Y Y
Acceleration
Windows File System Y Y Y Y
Acceleration
SSL Acceleration Y Y Y Y
Windows Outlook Y Y Y Y
Acceleration
RPC over HTTPS Y Y Y Y
CloudBridge Plug-In Y Y Y N
Support
Pay-As-You-Grow Y Y Y N
Support
Hardware Features
Network Bypass Card Y Y N N
10 Gbps Interfaces Y Y * N
Fiber Support Y Y * N
LCD Front Panel N N N N
Interface Support
RS-232 Serial N N N N
Interface Support
Support for Initial Y Y N N
Config over Network
Modes
Inline Y Y Y Y**
WCCP Y Y Y N
Virtual Inline Y Y Y N
citrix.com 21
Group Mode N N N N
High Availability Y Y N N
VLANs Y Y Y/Y/N*** N
***The three values are for is for XenServer, VMware, and Hyper-V, respectively. In columns showing only one value,
the value applies to all three hypervisors.
Table 7. Features Table for Repeater Appliances and CloudBridge Plug-in
Feature Repeater 8820 Repeater 8520, 8540 CloudBridge Plug-In
Release 7.4 Y Y Y
Product Features
Video Caching N N N
TCP Acceleration Y Y Y
Compression Y Y Y
Traffic Shaping Y Y N
XenApp/ XenDesktop Y Y Y
Acceleration
Windows Filesystem Acceleration Y Y Y
SSL Acceleration Y Y Y
Windows Outlook Acceleration Y Y Y
RPC over HTTPS Y Y Y
CloudBridge Plug-In Support Y Y Y
Pay-As-You-Grow Support Y Y N
Hardware Features
Network Bypass Card Y Y N
10 Gbps Interfaces N N *
Fiber Support Y N *
LCD Front Panel Interface Y Y N
Support
RS-232 Serial Interface Support Y Y N
Support for Initial Config over N N N
Network
Modes
Inline Y Y N/A
WCCP Y Y N/A
Virtual Inline Y Y N/A
Group Mode Y Y N/A
High Availability Y Y N/A
VLANs Y Y N/A
citrix.com 22
Table 8. Hypervisors Compatible with Citrix CloudBridge VPX
XenServer 6.1, 6.2, XenServer 6.02/Hotfix 602E007, XenServer 5.6.0 (but not 5.6 FP1
Citrix XenServer or 5.6 SP2), XenServer 5.5
Hyper-V under Windows 2008 R2 SP1, Hyper-V 2012 Standard and Datacenter Edition
Microsoft Hyper-V
For instructions for changing the TSC emulation to maximize performance, see http://support.citrix.
com/article/CTX136003.
*The CloudBridge Connector License is enforced on the aggregate of ingress traffic on all the interfaces hosted
on the CloudBridge Connector.
Supported Browsers
To access the configuration utility and dashboard, your workstation must have a supported web browser and Java applet plug-
in version 1.6 or later installed.
Operating System Browser Versions
Windows 7 Internet Explorer 9
Mozilla Firefox 24.0
Google Chrome 30.0
MAC Google Chrome 30.0
citrix.com 23
Licensing, Upgrading, and Downgrading
Licensing
Release 7.4 supports both remote license servers and locally installed licenses.
For licensing information for all Citrix CloudBridge platforms, see http://support.citrix.com/article/ctx131110.
If you are upgrading from release 5.6, install a new virtual machine rather than upgrading the existing virtual
machine, because resource requirements changed with release 6.2.0. Release 6.0 and 6.2 virtual machines can
be updated with the CloudBridge release 7.4 binary.
Repeater 8500, Repeater 8800, Citrix CloudBridge 600, and Citrix CloudBridge 700
From the browser based user interface (http://appliance_ip_address), go to the System Maintenance >
Update Software link on the Configuration tab. In the Upgrade System Software table, click Choose File
to select the patch file (the file you downloaded with FTP), and then click Upload Patch, as shown in the
following screen shot.
Figure 1. Update Software Page
The patch file is then copied to your appliance and tested for integrity. If you have downloaded a valid file,
a Restart Unit? prompt appears. Click Yes.
The settings from your current release are copied to the new one, so your configuration is retained in the new
release. The process of installing the patch file continues during the restart, which might take several minutes
longer than usual. The new release is now running on your appliance.
Note: If your appliance still uses the old default password, it is changed to "password" when you install this
upgrade.
Citrix CloudBridge 400, CloudBridge 800, CloudBridge 2000, CloudBridge 3000, CloudBridge 4000, and CloudBridge
5000
CloudBridge 400, 800, 2000, 3000, 4000, and 5000 appliances can be updated to release 7.4 with the
following procedure.
This procedure is recommended for all CloudBridge 400 and 800, CloudBridge 2000 and 3000
appliances, and for CloudBridge 4000 and 5000 appliances that have already been configured. Your
existing configuration is retained without modification.
The update process involves two basic steps:
1. If you are not already running release 7.1.0 or higher, download the release 7.4.0 management service,
then update the management service to release 7.4.0.
2. Download and install the release 7.4.0 upgrade bundle.
citrix.com 24
The versions of the management service and upgrade bundle corresponding to release 7.4 are listed in
the Compatibility section. These files can be downloaded from My Account.
Note: If the #SESS_CORRUPTED error message appears at any time during these procedures, click Logout,
clear your browser cache, close your browser, and open it again.
1. Update the management service. On the System > Configuration > Management Service > Software
Images tab, click Upload and select and upload the new management service from the dialog box.
2. On the Configuration > Management Service page, click Upgrade Management Service. Select the
management service image you just uploaded, and then click OK. The management service is
upgraded. The UI becomes unresponsive during this process.
3. Clear your browser cache.
4. Once the new management service is installed, the UI starts responding again and takes you to the
logon page. Log on. Go to the System > Configuration page and verify that the current version of the
management service matches the version you intended to install.
If the pages display a Version Incompatibility Detected warning message, it just means that you
need to install the upgrade bundle. Ignore the Recommendations in the warning and install the
upgrade bundle, as described below.
1. If your appliance is not yet running Release 7.1.0 or later, upload and install the management service
for the target release before continuing.
2. Acquire the update file. If you log on to citrix.com with your My Account credentials, the CloudBridge
software is available in the Downloads section. The upgrade file has a .upg extension and is several
hundred megabytes long. Download the file to a convenient system. To minimize transfer time, this
system should be in the same facility as the appliance and have a fast link to it (Gigabit Ethernet rather
than 54 Mbps wireless).
3. Log on to the appliance and navigate to the System > Configuration page .
4. Click the Update Software link.
5. In the text box that appears, specify the upgrade file, and then click Upload.
6. When a message announces that the upload was successful, click Install.
7. The appliance performs the upgrade, which takes about half an hour. It displays a series of status
messages, starting with Preparing to upgrade and ending with Upgrade completed
Successfully.
8. Click OK to display the updated user interface. Clear your browser cache to ensure successful
operation.
Troubleshooting
1. If there is no Update Software link, you are using an earlier version of the management service. Update
the management service to release 7.4, and then run the update process.
2. If the graphical user interface seems dysfunctional after the update, clear your browser cache. You
might also need to wait for all features to initialize.
3. The update process is a post-provisioning process. It does not function properly on a new system or
after a factory reset if you run it before running the Configuration Wizard.
citrix.com 25
4. The update process can fail for a variety of reasons, including a corrupted or truncated update file, an
appliance using versions that are not in its supported range, and other issues. If the update process
fails, it displays an error message.
5. If you need to run the update process again, you must upload the update file again.
To upgrade a Citrix CloudBridge 700 appliance, see the Citrix Branch Repeater with Windows Server
User's Guide, release 3.0, chapter 3.
Troubleshooting Installation Related Issues
The clockface showing the estimated update time is not always 100% accurate. If the installation ends
with an error page displaying some kind of HTTP timeout error, wait a few minutes, and then attempt to
connect normally to the browser based management interface of the appliance. Doing so usually shows
that the newly installed version is up and running.
Sometimes an update fails if it spans a large number of releases, such as a jump from release 4.x to 6.0.
If this happens, installing an intermediate release first (for example, release 5.5) and upgrading in two
steps usually works.
For information about troubleshooting installation related issues for Citrix CloudBridge VPX for Amazon,
see WAN Optimization for CloudBridge.
Other Appliances
Upgrading creates a new software installation. It does not remove the previous release of the software or the previous
configuration settings. Therefore, an appliance can be returned to any release that it has previously used.
You can revert to a previous release of the software by using the Downgrade Release feature, which is available
on the System Maintenance: Update Software page. The downgrade returns the configuration to what it was for
the earlier release at the time the upgrade was applied. Any configuration changes you made with the newer
release are lost.
The software can be downgraded to previously installed releases only. Neither the Upgrade Software nor the
Downgrade Release feature supports the installation of patch files with a earlier release number than the current
one, except for releases already resident on the appliance.
citrix.com 26
CloudBridge 7.4.6 Release Notes
The release notes describe the changes or enhancements, fixed issues, and known issues in Build 6. The list of known
issues is cumulative, that is, it includes issues that are newly found in this build and also issues from previous builds.
Note
This release notes document does not include security related fixes. For a list of security related fixes
and advisories, see the Citrix security bulletin.
The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the CloudBridge
team.
What's New
New features in release 7.4.6 include:
The Office 365 acceleration feature allows the branch offices to gain the optimization benefits that CloudBridge
7.4.6 provides for Microsoft Office 365 application.
citrix.com 27
Fixed Issues
The following issues were addressed in CloudBridge release 7.4.6 -
CB-OS
Degraded performance, with increased CPU consumption and high inbound queue latency, can result from
a memory fragmentation issue that occurs in rare situations.
[# 601827, 637658, 648186, 620947, 625975, 647996, 626994, 630896, 645449, 645773]
CB-HA
In a High Availability setup, If the exchange of heart beat messages between the primary and secondary
CloudBridge appliances is delayed by about four seconds, the primary appliance restarts and the secondary
appliance becomes primary.
[# 647279]
CB-GUI-Config
Service Class report lists only the WAN-link traffic, regardless of the selected link-filtering parameter.
[# 647597]
The CloubBridge appliance displays the following message when you try to add a certificate-key pair:
[# 650219]
The Service Class graphs list the ICA connections as Other TCP Traffic instead of as ICA traffic.
[# 653070]
CB-SVM
Users are sometimes unable to log on to a service virtual machine (SVM) based platform (for example,
NetScaler SDX).
[# 650505]
Upgrade issue from prior 7.4.0 releases, only on platforms that do not have management
service virtual machine (SVM).
[# 641504]
CB- Config-Reporting-Infra
A large variety of applications (for example, AppleTalk, Hermes, Windows Live Messenger, and others)
open suddenly, resulting in increased CPU consumption and eventually a system failure.
[# 651398]
citrix.com 28
Known Issues
Upgrade issue from prior 7.4.0 releases, only on platforms that do not have Management Service VM (SVM).
[# 641504]
Auto secure peering feature will not work over TLS1.2 until support is added to Data Path Access. Currently
TLS1.2 support is limited to Management Path Access.
Workaround: For this to work, Auto secure peering has to be done over HTTPS configuration using the default
"Any Protocol", then the configuration can be moved to "TLS1.2".
[# 640507]
citrix.com 29
Office 365 Acceleration
CloudBridge optimizes WAN to provide consistent user experience for business applications across branch offices and
remote sites.
Microsoft Office 365 is a software-as-a-service (SaaS) application, which provides the Microsoft's Office suite of
enterprise-grade productivity applications. This application is hosted on the cloud and is delivered on demand to users.
The Office 365 acceleration feature allows the branch offices to gain the optimization benefits that CloudBridge 7.4.6
provides for Microsoft Office 365 application.
Use case
When the WAN segment is considerably slower than the internet segment, and Microsofts Office 365 servers are
closer to the larger office than the branch-office.
Topology
The branch-office Office 365 traffic is sent over the WAN to the main office, and then forwarded to Office 365 servers
through the Internet. The segment between the branch office and main office is accelerated.
Note
The segment between the main office and Microsoft Office 365 servers is not accelerated. It is advised that the
main office connects to the closest Office 365 server.
How it Works?
CloudBridge SSL acceleration can decrypt and accelerate Office 365 traffic, providing compression. In short, Office 365
branch-office acceleration can be thought of as a special case of RPC-over-HTTPS acceleration.
Procedure
1. Create secure peering between the branch and main office CloudBridge appliances.
citrix.com 30
Note
To avoid security alerts on your browsers, the proxy certificates must be signed by your Windows domains
CA server, which makes it acceptable to any domain user.
4. Create SSL split proxy profile and bind the split proxy to service class (web (internet- secure)).
5. Initiate the office 365 connection and check the Accelerated connections.
Warning
Branch office devices that are not part of the domain will display security warnings unless you install the
certificates manually. Firefox users also have to install the certificates manually, since Firefox does not honor the
devices certificate store.
1. Set up a secure peering relationship between the two CloudBridge appliances, as described in Secure Peering
section of CloudBridge 7.4 Product Documentation in http://docs.citrix.com/en-us/cloudbridge/7-31.html.
Note
The server-side CloudBridge appliance serves as an intermediary between Office 365 and the clients, so these
certificates will be signed by the server-side domain controller but it refers to the Office 356 domains.
b. If necessary, add the snap-ins for Certification Authority, Certificate Template and Certificates.
c. Navigate to Certificate Templates > Web Server Properties > Security and select all the options.
d. Navigate to Certificates > Personal > Certificates (Computer) > All Tasks > Request New Certificate.
citrix.com 31
e. In the Certificate Enrolment window, click Next.
f. In the Select Certificate Enrolment Policy window, select Active directory enrolment policy.
g. In the Active Directory Enrolment Policy window, select Web Server > Details > Properties.
3. Copy information from Office365 certificates into your new certificates. You will end up with a single certificate
from three Office365 certificates. Proceed as follows:
citrix.com 32
Note
Do not log in.
b. Click the padlock icon on the URL bar and select Connection > Certificate Information > Details.
Note
These instructions are for the Chrome browser; the procedure is the same for other browsers also.
c. Click Subject Alternative Name, this will reveal a list of DNS names such as login.microsoftonline.com.
Copy the information in the text box below it.
d. Return to your new certificates Certificates Properties window. Add the alternative names in the Value
field with Type as DNS to match each alternative name in the Microsoft certificate.
citrix.com 33
e. Repeat the process of discovering Subject Alternate Names and adding them to your certificate for https:
//outlook.office365.com, https://potal.office.com, https://office.live.com, and https://*.sharepoint.com (the SharePoint
URL is customer-specific).
f. Create a Common Name for your new certificate. The example above shows a common name as
Office365 proxy.
a. Under Certificates > Personal > Certificates, select the above created proxy certificate, and then select All
Tasks > Export.
citrix.com 34
b. The Certificate Export Wizard appears. Click Next.
c. In Export Private Key, select the option Yes, export the private key and click Next.
e. Type and confirm the password, export the private key, and save the certificate as loginportal.pfx.
a. In the Certificate Export Wizard, click Next. In Export Private Key, select the option No, do not export the
private key. Click Next.
citrix.com 35
b. Retain the default values for the export file format.
c. Type and confirm the password, and export the private key and certificate, saving the file to a file to a file name
such as office365_keys.pfx.
6. Download the public keys of the root CA and Intermediate CAs of the Microsoft certificates.
a. From the browser, navigate to https://login.microsoftonline.com. Click the padlock icon in the browser.
Navigate to Connection > Certificate Information > Certification Path.
b. Select the root certificate (the one at the top of the list), and then click View Certificate > Details > Copy to
File. The Certificate Export Wizard appears. Click Next.
Note
Alternatively, you can use Wireshark or OpenSSL to get the root and intermediate CA names and get the
certificates from 'AUTHENTIC' source (for example, Windows SSL store).
citrix.com 36
d. Repeat step 6 to save the root and intermediate CAs of the following domains:
i. login.microsoftonline.com
ii. portal.office.com
iii. outlook.office356.com
iv. *.sharepoint.com
v. office.live.com
7. Add all the Office 365 server CAs, proxy certificate/key pairs, and private keys to the server-side CloudBridge
appliance. The CAs are added using the CA Certificates tab on the Certificates and Keys page. Certificates and
certificate/key pairs are added on the Certificate/Key Pairs tab.
8. Create an SSL split-proxy profile and bind the split proxy to the Web (Internet-Secure) service class.
a. Navigate to Configuration > Secure Acceleration > SSL Profile > Add Profile.
b. Enter the profile name of your choice. Select Profile Enabled, Parse Subject Alternative Names, and Split
Proxy.
c. Under Server-Side Proxy Configuration > Verification Store, select Use all configured CA stores.
d. Under Client-side Proxy Configuration > Certificate/Private Key, select the cert/private key pair you
created and exported previously (the one shown in the example as loginportal.pfx). Select Build Certificate Chain.
Select the CA associated with the certificate/key pair under Certificate Chain Store.
citrix.com 37
9. Bind the created SSL profile to the Internet (Web-Secure) service class. Navigating to Configure > Optimization
Rules > Service Classes and add the SSL profile to the SSL profile list.
10. Enable acceleration and disk-based compression for the Internet (Web-Secure) service class.
The connection is accelerated. In the browser, the certificate should display your root CA, not the actual Office
365 certificate, as the server-side appliances CA certificate.
12. On the appliance Monitoring > Connections page, verify that the Office 365 connections are compressed and
are receiving SSL acceleration.
citrix.com 38
Note
Firefox does not accept the devices certificates by default, but has its own certificate store. Therefore,
credentials accepted in the normal Windows domain behavior by other browsers, and by the device as a whole,
must be installed manually into Firefox. To install certificates into Firefox, follow the procedure in the section,
Installing certificates to Firefox.
1. In the Firefox browser navigating to Options> Advanced > Certificate > View Certificates > Authorities >
Import.
2. Upload the local CA proxy certificate, select all the options in the Downloading Certificate wizard and click OK.
citrix.com 39
citrix.com 40
Frequently Asked Questions (FAQs)
1. Why do we parse the SAN?
It is tedious to create multiple profiles for FQDNS for each of the domains, to overcome this we parse the SAN from
the certificates.
An error/warning message is displayed If the browser/app does not contain the CA certificate, in such cases the
clients IP address will be added to an exclude list after few attempts to connect from browser/app (2-3 times). In the
next attempt, connection is not SSL proxied and the page loads without any error/warning. The client IP address will
remain in the exclude list for 48hrs. The exclude list is maintained only for split proxy.
In the CloudBridge appliance UI click Monitoring > Connections > Accelerated Connections, check for the SSL
proxy state. For connection details, click the details icon.
4. What happens if exclude list option is not enabled by default as part of SSL profile configuration?
If the browser/app does not contain the CA certificate, it displays an error/warning and the connections from that
client/App will be blocked. To avoid such issues, select Exclude List option as part of SSL profile configuration.
5. What happens if the required SAN's are not part of the configured/created proxy certificate?
The connections will not be SSL proxied and there will be no acceleration benefits for non proxied SSL connections.
6. What happens when the client is not part of the domain or if the client does not have the root certificate of the
domain?
7. What happens if the Data Center side CloudBridge does not have root or intermediate CAs?
The connections are blocked or the Office 365 application pages which require the missing root or intermediate
CAs are partially loaded. To unblock the connections or to have these page fully loaded, either add the appropriate
CA certificates or disable the SSL profile from acceleration.
Excluded client information can be known from logs or by using the CLI command show ssl-exclude -list.
By default, exclude list information from the appliance will be cleared after 48 hours. User can forcibly clear the
exclude list information using CLI commands clear ssl-exclude-list -<all>/<Client_IP>.
From the logs or by using the CLI command show ssl-non-proxied-sni, you can know the list of the non proxied
SNIs.
citrix.com 41
12. What is the default time for client in exclude state?
13. Can we have multiple profile applied for a particular service class?
To do this, on your Virtual WAN appliance navigate to Configuration > Service Class > Web (Internet-Secure) >
Edit > Edit (Application) and add the available profiles.
14. How do you check the reason for non proxied connections?
Check the TCP connection page, for more information check the logs. To debug the non-proxied connection issues,
do the following.
Set the valid configuration. For more information on configuring office 365 feature, see Office 365 Acceleration.
Information about excluded clients can be cleared from the appliance using the CLI command clear ssl-exclude-
list -<all>/<Client_IP>.
Additional Notes
Logging to OneDrive client sometimes displays a warning message "spurious warning", This is a known
issue from Microsoft (https://support.microsoft.com/en-us/kb/3097938 ) and not specific to CloudBridge
appliance.
For the office 365 redirected pages to be proxied, it is recommended to create a separate proxy certificate
which contains SAN list corresponding to the certificate of the redirected pages. Create another profile with
this proxy certificate and apply to the service class. Also add the relevant CA in the CloudBridge
appliance .
Sometimes browser doesnt show the correct CA certificates, in such cases use Wireshark or OpenSSL
to get the root and Intermediate CA names and get the certificates from 'authentic' source (for example,
windows SSL store).
Difference in browser behavior can be observed in accessing the office 365 applications from different
browsers having no required certificates and with Exclude list option disabled.
When office 365 connections are SSL proxied (that means SSL proxy set to True) and in browser office 365
certificate is displayed instead of the proxy certificate, it is recommended to open the browser in in-cognitive
mode and check the behavior or clear the cache and then check the behavior again.
Microsoft Office 365 includes many components and applications such as OneDrive, Outlook, SharePoint,
Word, PPT, Excel, OneNote. All these applications have been tested and is known to work without any
problems. Other applications are expected to work without any problems, too; however, this status can
change over time, and you may encounter unknown problems.
citrix.com 42
FAQs
Acceleration
Compression
CIFS and MAPI
Monitoring with AppFlow
RPC over HTTP
SCPS
Secure Peering
SSL Accleration
The CloudBridge Plug-in
Traffic Shaping
Video Caching
citrix.com 43
Acceleration
Does acceleration use a tunnel?
No, acceleration is transparent, using the same IP addresses and port numbers as the original connection. This allows
your current monitoring methods to continue to work normally.
With compressed connections, the payload is compressed, of course, and the output of the compressor is
accumulated into full-sized packets. The upshot is that, for example, 3:1 compression results in one-third as
many packets being transmitted, rather than the same number of packets, each reduced to one-third size.
Compression also uses CloudBridge TCP header options and sequence number adjustment.
citrix.com 44
CIFS and MAPI
What pre-requisites are required to before configuring MAPI and Signed SMB on a CloudBridge appliance?
You must satisfy the following conditions before you configure MAPI and Signed SMB on a CloudBridge appliance:
The Secure Peer option should be set to True on client as well as server side appliance. To configure
secure peering, see Secure Peering.
A delegate user must be added to the data center side appliance and its status should be marked as
Success. To configure a delegate user, see Joining the Windows Domain and Adding the
Kerberos Delegate User.
The data center side appliance must successfully join the domain. To join the appliance to a domain,
see Joining the Windows Domain and Adding the Kerberos Delegate User.
The DNS IP addressed configured on the server side appliance must be reachable.
What do I need to verify before making the CloudBridge appliance to join the domain?
Before making the appliance to join the domain, verify the following:
How can I verify if the CloudBridge appliance is ready to add a user as a delegate user?
You can verify the user by using the Check delegate user utility on the Windows domain page. If the status for all
the parameters does not have any error messages, the appliance is ready to add the user as a delegate user.
If the utility displays any failures, you must address these before you add a user as a delegate user. You can
refer to the log to understand the test results.
Are there any requirements for hostname and hostname length of the server side CloudBridge appliance?
On the server side CloudBridge appliance, make sure that the host name is unique within the network. Additionally,
the length of the host name must not be more than 15 characters.
Can I use Macintosh Outlook client and get acceleration benefits of the CloudBridge appliance?
No. Macintosh Outlook does not use MAPI as the communication protocol. Therefore, you cannot use Macintosh
Outlook in this setup.
Do I need make the branch side CloudBridge appliance join the domain for accelerating encrypted MAPI?
No. You do not need to make the make the branch side CloudBridge appliance join the domain for accelerating
encrypted MAPI.
Can I configure a CloudBridge 2000 appliance with Windows-Server on a data center side for encrypted MAPI?
Yes. You can configure a CloudBridge 2000 appliance with Windows-Server on a data center side for encrypted
MAPI.
When I make a CloudBridge appliance to join a domain and an NTP server configured with a different time zone exists on the
network, does the appliance synchronize time with the domain controller or the NTP server?
When you make the CloudBridge appliance join a domain, the appliance always synchronized its time with the domain
controller and not the NTP server.
On the CloudBridge appliance, what is the default duration to clear the black listed connection?
By default, the black listed connections are cleared in 900 seconds.
citrix.com 45
Starting CloudBridge release 6.2.4, the appliance supports Negotiate (default) and NTLM v2 Outlook authentication,
but Kerberos authentication is not supported. However, CloudBridge 6.2.3 and earlier releases support only Negotiate
Outlook authentication.
For more information on MAPI and CIFS, see Outlook(MAPI) and Filesystem (CIFS/SMB).
citrix.com 46
Compression
What is the benefit of CloudBridge Compression?
A: While the basic mechanism of compression is to make data streams smaller, the benefit of this is to make things
faster. A smaller file (or a smaller transaction) takes less time to transfer. Size doesnt matter: the point of
compression is speed.
One-time compressed or encrypted data streams that are never to be seen again and have already been
compressed or encrypted, such as encrypted SSH tunnels and real-time video camera monitoring are not
compress, since their data streams are never the same twice.
Compressed binary data or encrypted data that is seen more than once compresses extremely well on the
second and subsequent transfers, with compression ratios in the range of hundreds to thousands to one on
these later transfers. On the first transfer, they do not compress. The average compression ratio for such data is
dependent on how frequently data is seen more than once. While individual transfers sometimes show
compression ratios over 1,000:1, averages for the compressed binary data on the link averages between 1.5:1
and 5:1 on most links, with averages over 10:1 on some links, depending on the nature of the traffic.
Text streams and uncompressed/unencrypted binary data compress even on the first pass. Text streams
compress well because even unrelated texts have many substrings in common. This is true of documents,
source code, HTML pages, and so on. First-pass compression on the order of 1.5:1 to 4:1 are common. On the
second and subsequent passes, they compress almost as well as compressed binary data (100:1 or more).
Uncompressed binary data is variable, but often compresses better than text. Examples of uncompressed binary
data include CD images, executable files, and uncompressed image, audio, and video formats. On the second
and subsequent passes, they compress about as well as compressed binary data.
XenApp and XenDesktop data compresses especially well with file transfers, printer output, and video, provided
that the same data streams have traversed the link before. Because of protocol overhead, peak compression is
approximately 40:1, and average compression is likely to be in the neighborhood of 3:1. Interactive data streams,
such as screen updates), give compression results on the order of 2:1.
Compression, on the other hand, has no concept of object names, and provided benefit whenever a string in the
transfer matches one that is already in compression history. This means that if you download a file, change 1%
of its content, and upload the new file, you might achieve 99:1 compression on the upload. If you download a file
and then upload it to a different directory on the remote site, you might achieve a high compression ratio as well.
Compression does not require file locking and does not suffer from staleness. The object is always
fetched from the server and is thus always byte-for-byte correct.
citrix.com 47
Monitoring with AppFlow
Which version of NetScaler Insight Center can I use to monitor CloudBridge appliances?
CloudBridge monitoring is supported on NetScaler Insight Center release 10.5 build 51.10 and later.
Does NetScaler Insight Center monitor both CloudBridge datacenter appliances and branch office appliances?
However, CloudBridge datacenter appliances aggregate information from the CloudBridge branch-office
appliances.
What are the minimum XenApp or XenDesktop versions and Citrix Receiver versions required by NetScaler Insight Center to
monitor CloudBridge appliances?
Table 1. XenApp/XenDesktop Versions and builds
citrix.com 48
Which appliance is monitored, when both NetScaler ADC (with ICA proxy mode enabled) and CloudBridge appliances are in
the network path?
NetScaler Insight Center monitors NetScaler ADC.
For CloudBridge 2000, 2000WS and 3000 appliances, NetScaler Insight Center uses CloudBridge
Instance IP address.
For CloudBridge 4000 and 5000 appliances, NetScaler Insight Center uses CloudBridge Accelerator
IP address.
Username: admin
Password: admin_passwd
Can Management Service IP address (running on CloudBridge 4000 and 5000 appliances) be used to discover CloudBridge
appliances?
No.
Can I use a CloudBridge VPX to demonstrate how NetScaler Insight Center collects reports from CloudBridge appliances?
However, if you want to use CloudBridge VPX for demonstration purpose, make sure that the CloudBridge VPX
has primary and accelerated pairs (apA) configured.
The NTP server must be configured on both the CloudBridge appliance and NetScaler Insight Center.
To add an NTP server to NetScaler Insight Center, see Configuring Clock Synchronization. These
NTP servers must be closely synchronized to each other.
Make sure that the CloudBridge appliances can communicate with NetScaler Insight Center by using
port 4739.
When both NetScaler ADC and CloudBridge appliance is located in the same network path, you
cannot configure a single NetScaler Insight Center to monitor both the appliances. NetScaler ADC
and CloudBridge appliance should use different NetScaler Insight Center virtual appliances for
generating HDX Insight reports.
Make sure that the CloudBridge appliance should only use the primary interface for sending Appflow
records.
Do not configure the CloudBridge appliance at the branch office to send Appflow records to NetScaler
Insight Center.
Verify that the CloudBridge appliance, XenApp or XenDesktop, and Receiver versions are supported
by NetScaler Insight Center.
To monitor the CloudBridge appliance, NetScaler Insight Center must successfully discover the
CloudBridge appliance.
Enable HDX data set on the CloudBridge appliance. To verify, on the Configuration tab, navigate to
Appliance Settings > AppFlow.
Make sure that the Update Interval is set to one minute on the CloudBridge appliance. Also, make
sure that the IP address and port values are not deleted. To verify, on the Configuration tab, navigate
to Appliance Settings > AppFlow.
Make sure that CloudBridge ICA connections are accelerated with Disk Based Compression (DBC)
policy. To verify, on the Configuration tab, navigate to Optimization Rules > Service Classes and in
the right pane, expand ICA and click Edit. The Acceleration policy must be Disk.
Does the CloudBridge appliance generate AppFlow reports for non-accelerated ICA connections?
No. NetScaler Insight Center reports are generated only when CloudBridge ICA connections are accelerated
with Disk Based Compression (DBC) policy.
citrix.com 49
To verify, on the Configuration tab, navigate to Optimization Rules > Service Classes and in the right pane,
expand ICA and click Edit. The Acceleration policy must be Disk ICA connections. The ICA Service class policies
that are not accelerated and configured with Flow Control policy, do not generate HDX Insight reports.
NetScaler insight Center does not generate reports if CloudBridge ICA connections are accelerated with flow
control policy.
Does NetScaler Insight Center support Multi Stream ICA (MSI) for CloudBridge appliances?
Currently NetScaler Insight center does not support collecting data records for MSI connections.
Yes. ICA connections from Plug-in-equipped systems must be accelerated with DBC compression policy.
To verify, on the Configuration tab of the CloudBridge appliance, navigate to Optimization Rules > Service
Classes and in the right pane, expand ICA and click Edit. The Acceleration policy must be Disk.
NetScaler Insight Center supports thin clients, but the client type details in the User Agent reports display
incorrect values.
Can a CloudBridge datacenter appliance and NetScaler ADC be added to the same NetScaler Insight Center, present in the
same datacenter location?
Can I add multiple CloudBridge datacenter appliances (present in the same datacenter location) to the same NetScaler
Insight Center?
Yes.
Can a CloudBridge appliance at the branch office be monitored by NetScaler Insight Center?
Yes. CloudBridge appliance is supported with Desktop director. However, the WAN Jitter and DC Jitter values
are not supported.
Ideally ICA RTT should be greater than the sum of WAN Latency and DC latency.
If the application is not actively sending data, then it does not work as expected. This is because, the TCP RTT
estimation works only on active connections. If a connection is not very active or if it is idle, the DC latency value
will be more than ICA RTT or WAN Latency.
What are the limitations of using Desktop Director Plug-in for generating HDX Insight reports for CloudBridge appliances?
Desktop director does not correlate data across user sessions with NetScaler Insight Center, if
CloudBridge generates a Replacement Session GUID (instead of using an Genuine GUID).
To verify, on the CloudBridge appliance, navigate to Monitoring > ICA Advanced > Conn Info.
This occurs if the customer is using an unsupported ICA Client or XenApp or XenDesktop server.
For supported versions, see Supported Software.
Desktop Director does not support WAN Jitter and LAN Jitter values.
What are the limitations of using thin clients for monitoring CloudBridge appliances?
The limitations of using thin clients to monitor CloudBridge appliances are listed in the following table:
citrix.com 50
1 Dell Dell Wyse 8.0_037 13.0.0.6685 Replacement
WTOS
Model
R10L Rx0L
Thin Client
citrix.com 51
Replacement
6 Dell Dell Wyse HF 2.0 13.0.0.6685
WTOS _105
Model
R00LX
Rx0L HDX
Thin Client
Replacement
7 Dell Dell Wyse 11.2.062 13.0.2.265571
Enhanced
Suse Linux
Enterprise,
Model
Dx0D,
D50D
citrix.com 52
RPC over HTTPS
Is it mandatory to create a service class to accelerate RPC over HTTPS connections?
Creating a new service class is an optional task. You can use an existing HTTPS service class. However, to create
reports specifically for RPC over HTTPS connections, you must create a new service class and bind the SSL profile to
it. If you do not want to create a service class for RPC over HTTPS connections, you can bind the SSL profile you have
created to the Web (Private-Secure) service class.
I have not created any service class for the RPC over HTTPS applications. How will this affect the reporting of
the RPC over HTTPS connections?
When you upgrade the appliance to CloudBridge release 7.3, the RPC over HTTPS applications that are created do not
belong to any service class. As a result, all RPC over HTTPS connections are listed as the TCP Other connections in
the reports. If you want to classify these connections as RPC over HTTPS connections, you must create a service class
for these applications.
Is there a default service class for RPC over HTTPS on the appliance?
No. The appliance has only default applications, and not default service classes. You must create the service class for
an application.
Does the appliance provide any SSL compression benefits to the RPC over HTTPS connections?
No. The appliance does not provide any SSL compression benefits to the RPC over HTTP connections. Compression
benefits are available only for encryption and decryption of HTTPS traffic.
Similar to MAPI, does the appliance optimize latency for RPC over HTTPS connections?
No. The appliance does not optimize latency for RPC over HTTPS.
Yes. MAPI over HTTP is a new protocol supported on Microsoft Exchange Server 2013 SP1 or later.
What is the difference between RPC over HTTPS settings on client-side and server-side CloudBridge
appliances?
Except for creating a service class and adding RPC over HTTPS applications to it, you do not need any additional
configuration on a client-side CloudBridge appliance.
Some Exchange servers require TLS session ticket support. To accelerate connections to these servers, you need to
create an SSL profile with split proxy, because transparent proxy mode does not support TLS session tickets.
If a load balancing setup is used for the Microsoft Exchange Server, which destination IP address should I add
to the filter rule when creating an RPC over HTTPS service class?
If you are using a load balancing appliance, add its virtual IP (VIP) address to the filter rule when creating an RPC over
HTTP service class.
How can I differentiate between the MAP and RPC over HTTPS traffic in the Outlook (MAPI) page?
You can differentiate the traffic based on applications shown on the Outlook (MAPI) page. For example, MAPI and RPC
over HTTPS are used for the following applications:
citrix.com 53
SCPS
What is SCPS protocol?
Space Communications Protocol Standard (SCPS) protocol is a variant of the TCP protocol.
What happens if I use an SCPS-enabled appliance at one end non-SCPS-enabled appliance on the other end of the link?
If the appliance on one end of the connection has SCPS enabled and one does not, retransmission performance
suffers. This condition also causes an "SCPS Mode Mismatch" alert.
What is the difference between the behavior of a SCPS-enabled appliance and default appliance?
The main difference between a SCPS-enabled and the default appliance behavior is that SCPS-style "selective
negative acknowledgements" (SNACKs) are used instead of standard selective acknowledgements (SACKs).
citrix.com 54
Secure Peering
Which CloudBridge features required secure peering?
You need to establish secure peering between CloudBridge appliances at two ends of the link when you intend to use
any of the following features:
SSL compression
Signed CIFS support
Encrypted MAPI support
What happens when you enable secure peering on an appliance at one end of the link?
When you enable secure peering on a CloudBridge appliance at one end of the link, the other appliance detects it and
attempts to open an SSL signaling tunnel. If the two appliances successfully authenticate each other over this tunnel,
the appliances have a secure peering relationship. All accelerated connections between the two appliances are
encrypted, and compression is enabled.
What happens when I do not enable secure peering on the partner appliance?
When an appliance has secure peering enabled, connections with a partner for which it does not have a secure peer
relationship are not encrypted or compressed, though TCP flow-control acceleration is still available. Compression is
disabled to ensure that data stored in compression history from secured partners cannot be shared with unsecured
partners.
To protect data even if the appliance is stolen, the keystore password must be reentered every time the
appliance is restarted. Until this is done, secure peering and compression are disabled.
Does the CloudBridge appliance I received from Citrix contain keys and certificate to set up secure tunnel?
No. CloudBridge products are shipped without the required keys and certificates for the SSL signaling tunnel. You
must generate them yourself.
citrix.com 55
SSL Acceleration
Does acceleration use a tunnel?
No, acceleration is transparent, using the same IP addresses and port numbers as the original connection. This allows
your current monitoring methods to continue to work normally.
With compressed connections, the payload is compressed, of course, and the output of the compressor is
accumulated into full-sized packets. The upshot is that, for example, 3:1 compression results in one-third as
many packets being transmitted, rather than the same number of packets, each reduced to one-third size.
Compression also uses CloudBridge TCP header options and sequence number adjustment.
citrix.com 56
The CloudBridge Plug-in
What methods can I use to the install the CloudBridge plug-in on my computer?
You can use any of the following methods to install the CloudBridge plug-in on your computer:
For more information about customizing the msi file, see Customizing the Plug-in MSI File.
What are the minimum hardware requirements for installing the CloudBridge plug-in?
For the CloudBridge plug-in, your computer should meet the following requirements:
Windows Vista
Home Basic 32-bits
Home Premium
Business
Enterprise
Ultimate
Windows 7
Home Basic 32-bits
Home Premium 64-bits
Business
Enterprise
Ultimate
Windows 8
Professional 32-bits
Enterprise 64-bits
Depending on your operating system version, download either 32-bit or 64-bit CloudBridge installer
version.
You cannot install the CloudBridge plug-in on a compressed drive or folder.
Make sure that the computer has sufficient free disk space.
You cannot downgrade the CloudBridge plug-in release. If you want to use an earlier CloudBridge
release, you must uninstall the current release and then install an earlier release.
citrix.com 57
Which CloudBridge appliances support the CloudBridge plug-in?
The following CloudBridge appliances support the CloudBridge plug-in:
CloudBridge 2000
CloudBridge 2000 appliance with Windows Server
CloudBridge 3000
CloudBridge 4000
CloudBridge 5000
Repeater 8520
Repeater 8540
Repeater 8820
CloudBridge 400
CloudBridge 700
CloudBridge 800
CloudBridge 1000 with Windows Server
Do I need to install a Concurrent (CCU) license on CloudBridge 2000, 3000, and VPX appliances to use the CloudBridge plug-
in?
Yes. You must install a CCU license on CloudBridge 2000, 3000, and VPX appliances to use the CloudBridge plug-in.
Do I need install a CCU license on CloudBridge 4000 and 5000 appliances to use the CloudBridge plug-in?
No. You do not need to install a CCU license on CloudBridge 4000 and 5000 appliances to use the CloudBridge plug-
in. The appliance base license is sufficient for the CloudBridge plug-in to connect to these appliances.
Never use ALL/ALL for acceleration configuration. Specify the subnets on the basis of the
requirements.
Do not configure acceleration for the NetScaler Gateway VIP address.
Which Citrix Receiver and NetScaler Gateway releases are supported with the CloudBridge plug-in?
The CloudBridge plug-in supports Citrix Receiver 4.1 and NetScaler Gateway 10.5 releases.
Which CloudBridge features are not supported with the CloudBridge plug-in?
The CloudBridge plug-in does not support the following CloudBridge features:
Video Caching
Traffic Shaping
IPv6
Do I need to configure acceleration rules on a CloudBridge 4000 or 5000 appliance for the CloudBridge plug-in to work with
it?
Yes. You must configure acceleration rules on a CloudBridge 4000 or 5000 appliance for the CloudBridge plug-in to
work with it.
citrix.com 58
To accelerate traffic, what is the minimum recommended RTT value between the CloudBridge plug-in and appliance?
Citrix recommends that you configure an RTT value that is greater than any RTT (ping time) on the local LAN, but less
than the RTT for any remote user. The default value of 20 milliseconds is adequate for most networks.
What conditions should I consider when defining acceleration rules for the CloudBridge plug-in?
Consider the following conditions when defining acceleration rules for the CloudBridge plug-in:
Define acceleration rules for all subnets that are local to the appliance. These subnets are the LAN
subnets at the site where the appliance is installed.
If there are any destination IP addresses that are not part of the LAN, add exclude rules for these IP
addresses. Make sure that the rules for excluding IP addresses precede the rules for accelerating
traffic for subnets. This includes subnets at remote sites with IP addresses that appear local.
If you have installed the appliance in inline mode with a VPN and it is operating in transparent mode,
you can configure the appliance to accelerate all enterprise traffic, not just the traffic originated by or
destined to the local site. In this case, the only accelerated connections are between the CloudBridge
plug-in and VPN. Acceleration of the traffic between the CloudBridge plug-in and the VPN is optimal.
Where are the CloudBridge plug-in crash and trace files stored on the computer?
The crash and trace files of the CloudBridge plug-in are stored in the following folders:
Inline.
WCCP.
High Availability.
CloudBridge plug-in with NAT deployment.
CloudBridge plug-in with CloudBridge appliance in WCCP mode using ICA proxy.
CloudBridge plug-in with CloudBridge 4000 or 5000 appliance. In this deployment, the NetScaler
management port (0/1) is connected to the NetScaler management network, and the NetScaler
signaling IP address is on a different network.
How can I establish a secure tunnel between the CloudBridge plug-in and appliance?
To establish a secure tunnel between the CloudBridge plug-in and appliance, complete the following procedure:
1. the computer where you have installed the CloudBridge plug-in, run the following command:
citrix.com 59
2.
> showtunnels
Following is sample output of the command. If the output includes the text secure in the Connected Available
section, a secure tunnel has been established. If a secure tunnel is not established, the text reads cleartext.
Showtunnels
Message Tunnels:
Connected Available:
172.16.9.100 auto,secure,client,initiator,configured
CN: mike.199.130
Connected Available : 1
Clients: 1 peers: 0
citrix.com 60
Traffic Shaping
What is CloudBridge Traffic Shaping?
CloudBridge traffic shaping uses a group of policies to set the priority of different link traffic and send traffic onto the
link at a rate close to, but no greater than, the link speed. Unlike acceleration, which applies only to TCP/IP traffic, the
traffic shaper handles all traffic on the link.
How does the traffic shaper interact with XenApp and XenDesktop traffic?
The CloudBridge device parses the XenApp/XenDesktop data stream and is aware of the different types of traffic and
its priorities, favoring high-priority traffic. It is the only product that can prioritize encrypted ICA streams and provide
native support for MultiStream ICA, which divides a users session into up to four connections with different
priorities.
I have not configured any service class with Default Policy. However, the traffic shaping reports displays a large amount of
traffic represented by Default Policy. Have I configured something incorrectly?
No. There is no issue with your configuration. Traffic shaping is only applicable to the WAN link. Traffic on the LAN or
any other link is represented by Default Policy.
For example, consider a configuration where you create a service class, such as Management_Service_Class,
that has the management subnet as the destination IP address and you bind a custom traffic shaping policy to
this service class. In this case, when there is no traffic on WAN, you can notice that the management traffic is
classified as Management_Service_Class in the service class report. However, in the Traffic Shaping Policy
report, entries for Default Policy still exist that you might expect to exist as custom traffic shaping policy.
In the Traffic Shaping Policy report, the appliance does not use customized traffic shaping policy for the
Management_Service_Class policy and applies Default Policy. To avoid this confusion, you can clear the All
other option or define the LAN type link for the management interface.
citrix.com 61
Video Caching
How is video caching different from Disk Based Compression?
With caching, a local copy of the cached object is served by the local appliance, without downloading it again from the
remote server. Caching does not require an appliance on both ends of the link, just on the local end. With
compression, a remote copy of the object is served by the remote server. The remote (server-side) appliance
compresses it, reducing its size, and therefore, increasing its transmission speed, and the local (client-side) appliance
decompresses it.
Compression works on both modified and unmodified objects. If a file changes by 1% on the server, the next transfer
achieves up to 99:1 compression.
Caching works only on unmodified objects. If a file changes by 1% on the server, the new version must be
downloaded in its entirety. Caching and compression are complementary technologies, because anything that is not
cached, is compressed, achieving the benefits of both.
Can I partition the appliances total memory between the video cache and other CloudBridge features?
No. Cache partition and memory required are not configurable.
Can I activate caching for internal and external enterprise videos on my own sites?
Yes. If access to these videos is through HTTP, you can configure these sites for caching.
In addition, if a second user requests the same video while it is still being streamed for the first user, the second
user will receive the cached copy.
Unlike normal CloudBridge TCP operation, where the appliance preserves the original source and destination IP
addresses, the appliance replaces the client's source address with IP address assigned to the accelerated
bridge, so all HTTP traffic passing through the appliance appears to originate from the appliance itself.
CloudBridge 600 appliance with 1 Mbps and 2 Mbps bandwidth license models.
CloudBridge 800 appliance with all bandwidth license models.
CloudBridge 1000 appliance with Windows Server, with all bandwidth license models.
CloudBridge 2000 appliance with all the bandwidth license models.
CloudBridge 2000 appliance with Windows Server, with all bandwidth license models.
CloudBridge 3000 appliance with all the bandwidth license models.
For video caching, which deployment modes are the supported on a CloudBridge appliance?
What are the minimum configuration and other prerequisites for enabling the video caching feature?
To enable the video caching feature, you must:
Assign a valid IP address and gateway to the apA interface and, if present, to the apB interface.
On the appliance, configure a valid DNS server that can resolve to www.citrix.com.
citrix.com 62
Have at least one application in the Selected Video Caching Applications list.
Check the CloudBridge GUI alerts/notification of existing configuration alerts.
Does the CloudBridge appliance support video caching for all video websites?
No. The video website is available and added from the Supported Application list on the Video Caching configuration
page. By default the supported applications include YouTube, Vimeo, Youku, Dailymotion and Metacafe. You can add
other websites by specifying their IP addresses, if they do not use caching avoidance mechanisms, such as adding
random characters to URLs.
Can I use video caching with HTTP traffic sent to a port other than port 80?
Yes. For video caching, you can add customized ports to the appliance. To add customized ports for video caching,
navigate to the CloudBridge > Configuration > Optimization Rules > Video Caching page and click the Global Settings
link on the Settings tab.
Can CloudBridge compression (using an HTTP Service Class policy) be used with Video Caching?
Yes. When the cached objects are present in both CloudBridge compression history and the video cache, the content
is served from the cache on a cache hit, and fetched from the server (and compressed) on a cache miss.
Does an existing HTTP Application which requires IP address configuration when there is a transparent proxy, require any
changes?
Yes. CloudBridge performs HTTP transparent proxying, in which it replaces the Source IP address of the packet.
Therefore, if the existing HTTP application has certain policies (such as to block certain IP addresses or Proxy
mechanisms), those policies have to be changed.
What are the system memory and connection limits for the HTTP proxy connection?
To determine the limits, check the graphs and statistics on the Video Caching Debug page (support.html). Additionally,
verify that the Videocaching.cmd stats info command shows the following information.
CloudBridge Appliance
CloudBridge CloudBridge CloudBridge CloudBridge CloudBridge CloudBridge
600 800 1000 with 2000 with 2000 3000
Widows Server Widows Server
Disk 12 GB 25 GB 25 GB 50 GB 50 GB 99 GB
RAM 200 MB 375 MB 375 MB 700 MB 700 MB 1024 MB
Total HTTP 500 1000 1000 1500 1500 3000
Connections
limit
Maximum 100 200 200 300 300 600
HTTP Write
limit
After the above HTTP connection limits are reached, new connections are bypassed.
Note: Make sure that you do not change the above configuration.
Does the Monitoring page for video caching include only video traffic?
Yes. Non-video HTTP traffic (even though it is intercepted by the proxy), is not included in the video caching GUI
statistics.
Do I need to configure apA as well as apB interfaces with a valid IP address on a CloudBridge appliance?
No. You do not need to assign a valid IP address to both the interfaces. HTTP packets received from the apA
interface are proxied with the apA IP address, and HTTP packets received from the apB interface are proxied with the
apB IP address.
citrix.com 63
If you do not configure an IP address for an interface, the HTTP packets received on that interface do not get the
caching benefit.
What is the minimum and maximum limit for the size of a video file that can be cached?
Minimum: 100 KB
Maximum: 300 MB
Default: 100 MB
What happens when I upgrade the CloudBridge appliance from release 6.x to 7.y and video caching is enabled?
The existing CloudBridge DBC history is lost and a separate partition for video caching is created.
What happens when I downgrade the CloudBridge appliance from release 7.y to 6.x and video caching is enabled?
CloudBridge DBC and Video Caching history is preserved. However, the video caching feature is not available with
release 6.x.
What happens when I upgrade the CloudBridge appliance from release 7.x to 7.y and video caching is enabled?
The CloudBridge DBC and video caching history is preserved.
I have a single network in branch office that shares a management as well as data traffic. How should I configure video
caching in this network?
If you have single network for management and data traffic, Citrix recommends that you add the primary IP address to
the LAN side of the accelerated bridge port.
What is the maximum number of prepopulation tasks I can run at the same time?
One. If you attempt to start multiple prepopulation tasks at the same time, the appliance builds a queue of tasks on a
first in first out basis.
What is the maximum number of videos sources I can configure on the appliance?
100.
What is the maximum number of prepopulation entries I can add to the appliance?
50.
What is the maximum number of video files be downloaded and cached from a directory listed folder?
300.
Does the video downloading and caching initiated by the prepopulation feature get the disk based compression (DBC)
benefits?
Yes. Because the video file is cached, the attempt to access the video is served from the cache.
citrix.com 64
Product Selection and Deployment
Deploying CloudBridge appliances successfully is not difficult, but improper deployments can cause problems and
provide inadequate acceleration. Be sure to select appliances with sufficient capacity for the links that you want them to
accelerate. Product selection is also one of the factors to consider when deciding how best to fit the appliances into your
topology.
All packets in the TCP connection must pass through a supported combination of two acceleration units (
CloudBridge appliances or Plug-ins).
Traffic must pass through the two acceleration units in both directions.
For sites with only one WAN network, these criteria can be met by placing the CloudBridge appliance inline with the
WAN. In more complex sites, other options are available. Some, such as WCCP support, are available on all models.
Others are available on certain models only. Therefore, the needs of a more complex site might limit your choice of
appliances.
When evaluating your options, consider the importance of keeping various segments of your network up and running in
the event that a device fails or has to be disabled. For inline deployments, Citrix recommends an Ethernet bypass card.
This card, which is standard equipment on all 8800 and 8500 Series Repeater appliances and optional on CloudBridge
appliances, has a relay that closes if the appliance fails, allowing packets to pass through even if power is lost or
removed.
Redundancy is a consideration for all types of deployments. CloudBridge appliances offer different types of redundancy:
The Repeater 8800 Series and CloudBridge 4000/5000 appliances have dual power supplies.
The Repeater 8800 and 8500 Series and CloudBridge 4000/5000 appliances have redundant disk drives.
Appliances can be used in high-availability mode (two redundant appliances with automatic failover). This
mode is supported on all models.
citrix.com 65
Product Selection by Capacity
For proper operation, your CloudBridge appliance must have adequate resources to support the number of WAN links
that you want to accelerate, and to support all of the users of those links. Three capacities are important when selecting
a CloudBridge appliance: link capacity (bandwidth), user capacity, and disk capacity.
Link Capacity
When selecting a CloudBridge appliance, the most important factor is that it support your WAN links. If your site has a
single WAN link, your appliance should support your link speed. For example, a CloudBridge 2000-010 can supports
links of up to 10 Mbps, which would be suitable for an 8 Mbps link but not a 12 Mbps link. If your site has multiple links
that are to be accelerated by a single appliance, the appliance should support the total speed of all these WAN links
added together.
The maximum supported speed is determined by a combination of the appliance hardware and the product license. The
licensed bandwidth limit is the maximum link speed that is supported by the license.
Table 1. Licensed Bandwidth Limits by Product Line
Product Licensed WAN BW Range
Current Products
citrix.com 66
CloudBridge Plug-in 1
Disk Size
Disk space is used mostly for compression history, and more disk space results in greater compression performance.
The CloudBridge 4000/5000 series offers from1.8 TB to2.4 TB of disk capacity. That compares to 2.1 TB for the
CloudBridge 3000, 470 GB for the CloudBridge 2000, 80 GB for the CloudBridge 800, and 40 GB for the
CloudBridge400. CloudBridge VPX has a disk capacity of 100-500 GB. Ideally, an appliance should have a disk
capacity larger than the cycle time of the link's data. For example, a link carrying mostly daily update traffic should have
24 hours of disk capacity or more. With a link carrying mostly user sessions, this window can be smaller. (A 1 Mbps link
can transfer about 10 GB per day at full speed.)
Table 3. Examples of Data Lifetime for Disk Sizes
Link Speed
Appliance Model
1Mbps 10Mbps 100Mbps 1000Mbps
citrix.com 67
CloudBridge 5000 239 days 24 days 2.4 days 6 hours
citrix.com 68
Product and Mode Selection by Datacenter Topology
The appliance can be placed in line with your WAN link. The appliance uses two bridged Ethernet ports for inline mode.
Packets enter one Ethernet port and exit through the other. This mode puts the appliance between your WAN router
and your LAN. For the rest of the network, it is as if the appliance were not there at all. Its operation is completely
transparent.
Inline mode has the following advantages over the other deployment modes:
Maximum performance.
Very easy configuration, using only the Quick Installation page.
No reconfiguration of your other network equipment.
Other modes (WCCP, virtual inline, redirector) are less convenient to set up, generally requiring that you reconfigure
your router, and they have somewhat lower performance.
A basic deployment consideration is whether your site has a single WAN router or multiple WAN routers. You also have
to think about which features can be used in which modes. A requirement to support VPNs affects the placement of the
appliance in your network.
Access Gateway appliances support CloudBridge TCP optimizations, enabling accelerated VPN connections when
CloudBridge appliances are deployed with Access Gateway.
Forwarding Modes
Inline modeHighest-performance, most transparent mode. Data flows in on one accelerated Ethernet
port and out on the other. Requires no router reconfiguration of any kind.
Inline with dual bridgesSame as inline, but with two independent accelerated bridges.
WCCP modeRecommended when inline mode is not practical. Supported by most routers. Requires only
three lines of router configuration. To use WCCP mode on a Cisco router, the router should be running at
least IOS version 12.0(11)S or 12.1(3)T. (WCCP stands for Web Cache Communications Protocol, but the
protocol was greatly expanded with version 2.0 to support a wide variety of network devices.)
Virtual Inline modeSimilar to WCCP mode. Uses policy based routing. Generally requires a dedicated
LAN port on the router. Not recommended on units without an Ethernet bypass card. To use virtual inline
mode on a Cisco router, the router should be running IOS version 12.3(4)T or later.
Group modeUsed with two or more inline appliances, one per link, within a site. Recommended only
when multiple bridges, WCCP, and virtual inline modes are all impractical.
High-availability modeTransparently combines two inline or virtual inline appliances into a
primary/secondary pair. The primary appliance handles all the traffic. If it fails, the secondary appliance
takes over. Requires no router configuration. Requires an appliance with an Ethernet bypass card.
Transparent ModeThe recommended mode for communication with the CloudBridge Plug-in. In
transparent mode, the Plug-in initiates connections in essentially the same way as the CloudBridge
appliance, keeping the original IP address and port number of the connection and adding CloudBridge
options to the TCP/IP headers of selected packets. By contrast, in redirector mode (not recommended), the
Plug-in alters the destination IP and port numbers of the packets to match the signaling IP (and port) of the
appliance.
Redirector mode (not recommended)Used by the CloudBridge Plug-in to forward traffic to the appliance.
Can be used as a stand-alone mode or combined with one of the other deployments. Requires no router
configuration.
Acceleration Modes
Softboost modeA high-performance TCP variant that is recommended for most links. Although it
provides less performance than hardboost mode, it works with any deployment. Acts like normal TCP, but
faster.
Hardboost modeA highly aggressive, bandwidth-limited TCP variant useful for high-speed links,
intercontinental links, satellite links, and other fixed-speed links for which achieving full link speed is difficult.
Recommended for fixed-speed, point-to-point links where traffic shaping is not required.
citrix.com 69
Sites with One WAN Router
For a site with only one WAN router, the main issue in deployment is to allow the CloudBridge appliance to work in
harmony with the router. The following figure shows the recommended deployment modes for a single router. Compare
it to your router cabling to find the best mode for your environment.
Figure 1. Recommended Deployment Modes, Based on WAN Router Topology
1. Single LAN, Single WAN: Inline mode. The router has a single active LAN interface and a single active WAN
interface. The recommended mode for this case is inline mode, which provides the simplest installation, the most
features, and the highest performance of any mode.
2. Single LAN, Redundant WANs: Inline mode. Inline mode is best for this configuration as well.
3. Single LAN, Multiple WANs: Inline or WCCP. This topology falls into two categories: hub-and-spoke or multihop. In
a hub-and-spoke deployment, connections are mostly between a spoke site and the hub site. In a multihop
deployment, many connections are between two spoke sites, with the data passing through the hub site. A single
multihop connection can thus involve as many as three appliances, depending on the details of where the hub site's
appliance is positioned in the traffic flow.
For proper traffic shaping in multihop deployments, all WAN traffic on the hub site's WAN router must also pass
through the appliance, instead of being passed by the router directly between WAN interfaces. In this case,
WCCP is the preferred mode. If the deployment is hub-and-spoke, with most traffic terminating on the hub site,
an inline deployment is preferable.
4. Dual LANs, single WAN: Inline (with dual bridges) or WCCP. This mode is supported by dual accelerated bridges,
WCCP mode, or virtual inline mode.
5. Multiple LANs, multiple WANs: Inline (dual bridges) or WCCP. This is similar to Case C, but complicated by the
presence of multiple LAN interfaces as well as multiple WANs. WCCP can always be used here. In the two-LAN case,
an appliance with dual bridges can also be used in inline mode.
citrix.com 70
D2. Inline, Dual Bridges Yes No No Yes
E. WCCP Yes No No Yes
E2. Inline, Dual Bridges Yes No No Yes
Appliances WITHOUT Ethernet Bypass Cards
Config. Mode Softboost Hardboost Group Mode High Availability
A. Inline Yes Yes No No
B. WCCP Yes No No No
C1. WCCP Yes No No No
C2. Inline Yes No No No
D. WCCP Yes No No No
D2. Inline, Dual Bridges No No No No
E. WCCP Yes No No No
E2. Inline, Dual Bridges No No No No
citrix.com 71
Sites with Multiple WAN Routers
More than one WAN router at the same site raises the possibility of asymmetric routing. Normally, IP networks are not
affected by what path the packets take, so long as they arrive at their destination. However, the appliance relies on
seeing every packet in the connection. "End-around" packets are not acceptable.
In a site with only one WAN router, asymmetric routing is not a problem, because the appliance can be placed in the
path between the router and the rest of the site, so that traffic into or out of the router also passes through the
appliance. But with two WAN routers, asymmetric routing can become an issue.
Asymmetric routing problems can appear during installation or later, as a result of failover to a secondary link, or other
forms of dynamic routing and load balancing. The following figure shows an example sites that might suffer from
asymmetric routing. If sites C and D always use the direct path, C-D or D-C, when sending traffic to each other,
everything is fine. However, packets that take the longer path, C-E-D or D-E-C, bypass the appliances, causing new
connections to be unaccelerated and existing connections to hang.
Figure 1. Asymmetric Routing
Asymmetric routing can be addressed by router configuration, appliance placement, or appliance configuration.
If the router is configured to ensure that all packets of a given connection always pass through the appliance in both
directions, there is no asymmetry.
If the appliance is positioned after the point where all the WAN streams are combined, asymmetry is avoided, and all
traffic is accelerated, as shown in the following figure.
Figure 2. Avoiding Asymmetric Routing through Proper Placement of the Appliance
Configuring the appliance to use one of the following asymmetry-resistant forwarding modes can eliminate the problem:
Multiple Bridges. An appliance with two accelerated bridges, or accelerated pairs, (for example, apA and
apB), allows two links to be accelerated in inline mode. The two links can be fully independent, load-
balanced, or primary/backup links.
WCCP mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all
the WAN traffic regardless of which link it arrives on.
Virtual inline mode allows a single appliance to be shared between multiple WAN routers, allowing it to
handle all the WAN traffic regardless of which link it arrives on.
Group mode allows two or more inline appliances to share traffic with each other, ensuring that traffic that
arrives on the wrong link is handed off properly. Because group mode requires multiple appliances, it is an
expensive solution that is best suited to installations where the accelerated links have wide physical
separation, making the other alternatives difficult. For example, if the two WAN links are on different offices
in the same city (but the campuses are connected by a LAN-speed link), group mode might be the only
choice.
Figure 3. Eliminating Asymmetric Routing by Using Group Mode or Virtual Inline Mode
citrix.com 72
Note: One end of the link can use virtual inline mode while the other end uses group mode. The two ends of a link do not
have to use the same forwarding mode.
Figure 4. Sites with Only One WAN Link Cannot Have Asymmetric Routing Problems
citrix.com 73
Supported Mode/Feature Combinations
In general, all modes are simultaneously active. However, some combinations should not be used together, as shown in the
following table.
Supported Combinations, Units WITH Ethernet Bypass Cards
Config. Inline Virtual Inline WCCP- GRE WCCP- L2 Multiple Bridges High Avail. Group Mode
CloudBridge Plug-in Y Y Y Y Y Y N
Inline Y N N N Y Y Y
Virtual Inline Y Y Y Y Y N
WCCP- GRE Y Y Y Y N
WCCP- L2 Y Y Y N
Multiple Bridges Y Y N
High Avail. Y Y
Supported Combinations, Units WITHOUT Ethernet Bypass Cards
Config. Inline Virtual Inline WCCP- GRE WCCP- L2 Multiple Bridges High Avail. Group Mode
CloudBridge Plug-in N N N N N N N
Inline Y N N N N N N
Virtual Inline Y Y Y N N N
WCCP- GRE Y Y N N N
WCCP- L2 Y N N N
Multiple Bridges N N Y
High Avail. N N
Y = Yes, supported. N = Not supported.
citrix.com 74
Recommendations for Supporting VPNs
VPN support is simply a matter of putting the appliance on the LAN side of the VPN, as shown in the following figure.
This placement ensures that the appliance receives and transmits the decapsulated, decrypted, plain-text version of the
link traffic, allowing compression and application acceleration to work. (Application acceleration and compression have
no effect on encrypted traffic. However, TCP protocol acceleration works on encrypted traffic.)
Figure 1. VPN Cabling for an Inline VPN
The following figure shows one option for accelerating one-arm VPNs. The appliance is on the server side of the VPN.
All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN
traffic can also be accelerated.
Figure 2. One-Arm VPN Acceleration, Option A
The following figure shows another option for accelerating one-arm VPNs. The appliance is on the server side of the
VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-
VPN traffic can also be accelerated.
Figure 3. One-Arm VPN Acceleration, Option B
Important: For acceleration to be effective, the VPN must preserve TCP header options. Most VPNs do so.
citrix.com 75
Supporting CloudBridge Plug-in With Citrix Access Gateway VPNs
The Access Gateway Standard Edition VPN supports CloudBridge Plug-in acceleration, provided that a CloudBridge
appliance is deployed with the Access Gateway appliance and the Access Gateway appliance is configured to support it. See
the CloudBridge Release Notes for a list of supported Access Gateway releases.
For CloudBridge Plug-in support with other VPNs, see your VPN documentation or contact your Citrix representative.
To configure CloudBridge support, use the Access Gateway administration tool, as follows:
1. On the Global Cluster Policies page, under Advanced Options, select the Enable TCP optimization with
CloudBridge Plug-in check box.
2. Make sure that the IP addresses used by the CloudBridge (redirector IP and management IP) have access enabled in
the Network Resources section on the Access Policy Manager page.
3. For each of these addresses, enable all protocols (TCP, UDP, ICMP) and enable Preserve TCP Options.
4. Make sure that these same addresses are included under User Groups: Default: Network Policies on the Access
Policy Manager page.
citrix.com 76
What Happens if the Appliance Fails
CloudBridge appliances have safeguards against loss of connectivity in case of software, hardware, and power failures.
These safeguards are mode-dependent.
In inline mode, appliances maintain network continuity in the event of hardware, software, or power failure. If present,
the bypass relay in the appliance closes if power is lost or some other failure occurs. Inline appliances without a bypass
card usually block traffic in the event of a serious failure, but they continue to forward traffic under some conditions,
namely, when the network stack is running but the acceleration software has been disabled or has shut itself down
because of persistent errors.
Existing accelerated connections usually become unresponsive after a failure and are eventually terminated by the
application or the network stack at one of the end points. Some accelerated connections might continue as
unaccelerated connections after the failure. New connections run in unaccelerated mode.
When the appliance comes back online, existing connections continue as unaccelerated connections. New connections
are accelerated.
In WCCP mode, the router bypasses an appliance that stops responding, and reopens the connection when the
appliance begins responding again. The WCCP protocol has integral health-checking.
If the "verify-availability" option is used with virtual inline mode, the router behaves like it does with WCCP mode,
bypassing the appliance when it is not available and reconnecting when it is. If "verify-availability" is not used, all
packets forwarded to the appliance are dropped if the appliance is not available.
In group mode, an appliance can be configured to fail "open" (bridging disabled) or "closed" (bridging or bypass relay
enabled).
In high availability mode, if one HA appliance fails, the other takes over automatically. The appliances' bypass cards
are disabled in HA mode, so if the HA appliances are in inline mode and both appliances fail, connectivity is lost.
In redirector mode, the CloudBridge Plug-in performs health checking on redirector-mode appliances and bypasses
unresponsive appliances, sending traffic directly to endpoint servers instead.
citrix.com 77
Feature Details
Many administrators can configure CloudBridge by simply setting the parameters on the Quick Installation page, thus
performing a complete basic configuration for acceleration and traffic shaping. This is especially true of branch-office
installations. However, understanding the theory of operation of your appliance enables you to put it to optimal use, and
some users need to look more deeply into how the appliance operates. For example, a simple inline configuration might
not be the best fit for your network, or you might want to use features that are not enabled with the Quick Installation
alone.
The appliance's fundamental purpose is to accelerate TCP traffic and to eliminate congestion by applying traffic shaping
to all WAN traffic. In addition to these functions, the appliance supports several forwarding modes to move network data
into and out of the appliance. One of these modes, inline mode, can be configured from the Quick Installation page. The
others require configuration of the appliance, your router, or both.
Similarly, the Quick Installation page performs a basic configuration of traffic shaping functions, suitable for installations
with a single WAN link. Additional configuration is necessary for multiple links, or if the default definitions for
applications, service classes, or traffic shaping policies do not match your needs, in which case you can edit the
definitions.
Many acceleration functions operate automatically, without configuration. These include TCP flow control acceleration,
compression, Windows filesystem (CIFS) acceleration, Citrix XenApp/XenDesktop acceleration, and Outlook/Exchange
(MAPI) acceleration. Other acceleration features require configuration before use, including secure peering, SSL
acceleration, and advanced Windows file-system and Outlook/Exchange acceleration that depends on being a member
of the Windows domain.
citrix.com 78
Compression
CloudBridge compression uses breakthrough technology to provide transparent multilevel compression. It is true
compression that acts on arbitrary byte streams. It is not application-aware, is indifferent to connection boundaries, and
can compress a string optimally the second time it appears in the data. CloudBridge compression works at any link
speed.
The compression engine is very fast, allowing the speedup factor for compression to approach the compression ratio.
For example, a bulk transfer monopolizing a 1.5 Mbps T1 link and achieving a 100:1 compression ratio can deliver a
speedup ratio of almost 100x, or 150 Mbps, provided that the WAN bandwidth is the only bottleneck in the transfer.
Unlike with most compression methods, CloudBridge compression history is shared between all connections that pass
between the same two appliances. Data sent hours, days, or even weeks earlier by connection A can be referred to
later by connection B, and receive the full speedup benefit of compression. The resulting performance is much higher
than can be achieved by conventional methods.
Compression can use the appliance's disk as well as memory, providing up to terabytes of compression history.
Compression engines are limited by the size of their compression history. Traditional compression algorithms, such as
LZS and ZLIB, use compression histories of 64 KB or less. CloudBridge appliances maintain at least 100 GB of
compression history. With more than a million times the compression history of traditional algorithms, the CloudBridge
algorithm finds more matches and longer matches, resulting in superior compression ratios.
The CloudBridge compression algorithm is very fast, so that even the entry-level appliances can saturate a 100 Mbps
LAN with the output of the compressor. The highest-performance models can deliver well over 1 Gbps of throughput.
Only payload data is compressed. However, headers are compressed indirectly. For example, if a connection achieves
4:1 compression, only one full-sized output packet is sent for every four full-sized input packets. Thus, the amount of
header data is also reduced by 4:1.
CloudBridge compression is application-independent: it can compress data from any non-encrypted TCP connection.
Unlike caching, compression performance is robust in the face of changing data. With caching, changing a single byte
of a file invalidates the entire copy in the cache. With compression, changing a single byte in the middle of a file just
creates two large matches separated by a single byte of nonmatching data, and the resulting transfer time is only
slightly greater than before. Therefore, the compression ratio degrades gracefully with the amount of change. If you
download a file, change 1% of it, and upload it again, expect a 99:1 compression ratio on the upload.
Another advantage of a large compression history is that precompressed data compresses easily with CloudBridge
technology. A JPEG image or a YouTube video, for example, is precompressed, leaving little possibility for additional
compression the first time it is sent over the link. But whenever it is sent again, the entire transfer is reduced to just a
handful of bytes, even if it is sent by different users or with different protocols, such as by FTP the first time and HTTP
the next.
In practice, compression performance depends on how much of the data traversing the link is the same as data that has
previously traversed the link. The amount varies from application to application, from day to day, and even from moment
to moment. When looking at a list of active accelerated connections, expect to see ratios anywhere from 1:1 to 10,000:
1.
citrix.com 79
Compressing Encrypted Protocols
Many connections showing poor compression performance do so because they are encrypted. Encrypted traffic is
normally uncompressible, but CloudBridge appliances can compress encrypted connections when the appliances join
the security infrastructure. CloudBridge appliances join the security infrastructure automatically with Citrix XenApp and
XenDesktop, and can join the security infrastructure of SSL, Windows file system (CIFS/SMB), and Outlook/Exchange
(MAPI) servers with manual configuration.
To serve the different needs of different kinds of traffic, CloudBridge appliances use not one but five compression
engines, so the needs of everything from the most massive bulk transfer to the most latency-sensitive interactive traffic
can be accommodated with ease. The compression engine is matched dynamically to the changing needs of individual
connections, so that compression is automatically optimized. An added benefit is that the compression engine requires
no configuration.
citrix.com 80
Enabling or Disabling Compression
Compression is enabled, on a per-service-class basis, on the Configuration: Service Classes page. This page has a pull-
down menu for each service class, with the following options:
Disk, meaning that both disk based and memory based compression are enabled. This option should be
selected unless you have a specific reason for disabling it.
Memory, meaning that memory based compression is enabled but disk based compression is not. This
setting is rarely used, because the appliance automatically selects memory or disk if both types of
compression are enabled.
Flow-Control Only, which disables compression but enables flow-control acceleration. Select this option for
services that are always encrypted, and for the FTP control channel.
None, meaning that compression and flow-control are both disabled.
citrix.com 81
Measuring Disk Based Compression Performance
The Compression Status tab of the Reports: Compression page reports the system compression performance since the
system was started or since the Clear button was used to reset the statistics. Compression for individual connections is
reported in the connection closure messages in the system log. For example:
Compression performance varies with a number of factors, including the amount of redundancy in the data stream and,
to a lesser extent, the structure of the data protocol.
Some applications, such as FTP, send pure data streams; the TCP connection payload is always byte-for-byte identical
to the original data file. Others, such as CIFS or NFS, do not send pure data streams, but mix commands, metadata,
and data in the same stream. The compression engine distinguishes the file data by parsing the connection payload in
real time. Such data streams can easily produce compression ratios between 100:1 and 10,000:1 on the second pass.
Average compression ratios for the link depend on the relative prevalence of long matches, short matches, and no
matches. This ratio is dependent on the traffic and is difficult to predict in practice.
Test results show the effect of multi-level compression as a whole, with memory based and disk based compression
each making its contribution.
Maximum compression performance is not achieved until the storage space available for disk based compression is
filled, providing a maximum amount of previous data to match with new data. In a perfect world, testing would not
conclude until the appliance's disks had not only been filled, but filled and overwritten at least once, to ensure that
steady-state operation has been reached. However, few administrators have that much representative data at their
disposal.
Another difficulty in performance testing is that acceleration often exposes weak links in the network, typically in the
performance of the client, the server, or the LAN, and these are sometimes misdiagnosed as disappointing acceleration
performance.
You can use Iperf or FTP for preliminary and initial testing. Iperf is useful for preliminary testing. It is extremely
compressible (even on the first pass) and uses relatively little CPU and no disk resources on the two endpoint systems.
Compressed performance with Iperf should send more than 200 Mbps over a T1 link if the LANs on both sides use
Gigabit Ethernet, or slightly less than 100 Mbps if there is any Fast Ethernet equipment in the LAN paths between
endpoints and appliances.
Iperf is preinstalled on the appliances (under the Diagnostics menu) and is available fromhttp://iperf.sourceforge.net/.
Ideally, it should be installed and run from the endpoint systems, so that the network is tested from end to end, not just
from appliance to appliance.
FTP is useful for more realistic testing than is possible with Iperf. FTP is simple and familiar, and its results are easy to
interpret. Second-pass performance should be roughly the same as with Iperf. If not, the limiting factor is probably the
disk subsystem on one of the endpoint systems.
1. Transfer a multiple-gigabyte data stream between two appliances with disk based compression enabled. Note
the compression achieved during this transfer. Depending on the nature of the data, considerable compression
may be seen on the first pass.
2. Transfer the same data stream a second time and note the effect on compression.
citrix.com 82
XenApp/XenDesktop Acceleration
Note: In this discussion, XenApp refers to the ICA and CGP protocol streams. Therefore, what is said about XenApp applies
also to XenDesktop.
XenApp/XenDesktop (ICA/CGP) acceleration has three components:
Compression--The appliance cooperates with XenApp clients and servers to compress XenApp data
streams for interactive data (keyboard/mouse/display/audio) and batch data (printing and file transfers). This
interaction takes place transparently and requires no configuration of the appliance. A small amount of
configuration, described below, is required on older XenApp servers (release 4.x).
Multistream ICA--In addition to compression, CloudBridge appliances support the new Multistream ICA
protocol, in which up to four connections are used for the different ICA priorities, instead of multiplexing all
priorities over the same connection. This approach gives interactive tasks greater responsiveness,
especially when combined with the appliances traffic shaping.
Note: Multistream ICA is disabled by default. It can be enabled on the Features page.
Traffic shaping--The CloudBridge traffic shaper uses the priority bits in the XenApp data protocols to
modulate the connections priority in real time, matching the bandwidth share of each connection to
what the connection is transmitting at the moment.
To optimize ICA connections for XenApp and XenDesktop release 7.0 and later, CloudBridge appliance supports Citrix
Receiver for Chrome release 1.4 and later, and Citrix Receiver for HTML5 release 1.4 and later.
citrix.com 83
Configuring XenApp Acceleration
XenApp acceleration applies to both the ICA and CGP protocols within XenApp. The CloudBridge appliances, XenApp
servers, and XenApp clients provide cooperative acceleration of XenApp connections, providing substantial speedup
compared to XenApp alone. This cooperation requires up-to-date versions of all three components.
XenApp compression dynamically switches between memory based compression for interactive channels (such as
mouse, keyboard, and screen data) and disk based compression for bulk tasks (such as file transfers and print jobs).
Compression ratios increase as compression history fills, increasing the amount of data that can be matched against
new data. XenApp compression provides several times as much data reduction as does unassisted XenApp, often
exceeding 50:1 on repetitive bulk transfers such as printing or saving successive versions of the same document.
XenApp compression achieves high link utilization without congestion, by preventing users from interfering with each
other.
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableForSecureIca = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableWanScalerOptimization = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\UchBehavior = 2
After you start XenApp sessions over the accelerated link, accelerated ICA connections should appear on the
appliances Monitoring: Connections page. A compression ratio of greater than 1:1 indicates that
compression is taking place.
citrix.com 84
Optimizing Chrome and HTML5 versions of Citrix Receiver
Application that must serve dynamic content work on HTML5 WebSockets. Citrix Receiver for Chrome and Citrix
Receiver for HTML5 are such applications that support HTML5 WebSockets. These applications have simplified access
to XenDesktop as these can be integrated with most recent Web browsers that support HTML5 WebSockets.
CloudBridge appliances running release 7.3.1 or later support Citrix Receiver for HTML5. By default, this feature is
enabled on the appliance as soon as CloudBridge release 7.3.1 or later is installed on it. The feature enhances the
users experience with clientless Citrix Receiver for HTML5.
Note: You do not need to make any changes to the appliance configuration to use this feature.
In a typical branch office and datacenter setup, shared resources like Virtual Desktop Agent (VDA) are installed on a
Citrix XenServer server in the datacenter. Clients from the branch offices access these shared resources over the
network by using Citrix Receiver.
Being HTML compliant, VDA uses a WebSocket listener that runs on port 8008. When accessing an application, the
client initiates a TCP connection at port 8008, and uses it to send an HTTP request to the server to upgrade the
connection and use the WebSocket protocol. After the client negotiates the WebSocket connection with VDA,
Independent Computing Architecture (ICA) negotiations begin and the client and the server use ICA over HTML5 to
exchange data. For more information about the sequence of messages exchanged between the client and server, see
Messages Exchanged Between the Client and the Server.
After connections are established between the clients and the server, the CloudBridge appliance starts optimizing the
connections by speeding up the traffic over the network, and accelerating Web page and other applications using Citrix
Receiver for HTML5. The functionality of optimizing the Citrix Receiver for HTML5 connections is similar to HTTP
Acceleration.
Note:
If you are using SSL encryption for connections over Citrix Receiver for HTML5, connections use ICA over SSL. To
enable ICA over SSL acceleration with Citrix Receiver for HTML5, you need to configure standard SSL acceleration,
which includes the appropriate destination IP address in the service class and SSL profile mapping. If you are planning
to deploy the appliance in ICA proxy mode, you must map the StoreFront VIP address to StoreFront certificates.
Similarly, if you plan to deploy the appliance in any end-to-end SSL encryption deployment mode, you must map the
VDA IP address to VDA certificates.
citrix.com 85
2. On the ICA Connections tab, verify that the HTML5 connections are listed. An HTML5 connection is shown with
HTML as a prefix in the Client Computer Name column, as shown in the following screen shot:
4. In the Conn Info tab, scroll down to the ICA Client and Server Information section. Entries for HTML5
connections have Citrix HTML5 client in the Product ID column, as shown in the following screen shot:
citrix.com 86
Deployment Scenarios
In a typical CloudBridge deployment, the CloudBridge appliances are paired across branch offices and datacenter. You
install shared resources, such as VDA, in the datacenter. Clients from various branch offices access datacenter
resources by using Citrix Receiver, as shown in the following figure.
Figure 1. A typical CloudBridge deployment topology
Clients install a Citrix Receiver software product, such as Citrix Receiver for HTML5, on their local computers and use it
to access resources in the datacenter. Connections through the pair of CloudBridge appliances are optimized.
As shown in the above figure, the following sequence of messages is exchanged between the client and server when a client
from a branch office wants to access datacenter server resources:
citrix.com 87
1. Client uses Citrix Receiver for HTML5 to send a TCP connection request to VDA on port 8008.
2. After establishing the TCP connection, the client sends a WebSocket upgrade request to VDA.
3. VDA responds to the upgrade request and switches to the WebSocket protocol.
4. Client and VDA negotiate WebSocket authorization.
5. Client sends a WebSocket connection request to VDA.
6. VDA responds to the WebSocket connection request.
7. VDA initiates ICA negotiation with the client.
8. After ICA negotiation, VDA starts transmitting ICA data.
9. VDA sends packet termination message.
10. Client responds with the packet termination message.
Note: The above example lists the sample messages exchanged for ICA over WebSocket. If you are using ICA over Common
Gateway Protocol (CGP), the client and server negotiate CGP instead of WebSocket. However, for ICA over TCP, the client
and server negotiate ICA.
Depending on the components you have deployed on the network, the connection is terminated at different points. The
preceding figure represents a topology that does not have any additional components deployed on the network. As a
result, the client communicates directly with VDA at port 8008. However, if you have installed a gateway, such as
NetScaler Gateway, at the datacenter, the connection is established with the gateway and it proxies VDA. Until the
gateway negotiates the WebSocket authorization, there is no communication with VDA. After the gateway has
negotiated WebSocket authorization, it opens a connection with VDA. Thereafter, the gateway acts as a middleman and
passes messages from the client to VDA and vice versa.
Similarly, if a VPN tunnel is created between a NetScaler gateway plugin installed on the client and NetScaler Gateway
installed at the datacenter, the gateway transparently forwards all client messages, immediately upon establishing a
TCP connection, to VDA, and vice versa.
Note: To optimize a connection that requires end-to-end SSL encryption, a TCP connection is established at port 443 on
VDA.
Direct Access
Direct Access with End-to-End SSL Encryption
ICA Proxy Mode
ICA Proxy Mode with End-to-End SSL Encryption
Full Virtual Private Network (VPN) Mode
Full Virtual Private Network (VPN) Mode with End-to-End SSL Encryption
Direct Access
The following figure shows the deployment topology of Citrix Receiver for HTML5 installed on the client in the direct
access mode.
Figure 3. CloudBridge appliances deployed in direct access mode
In the direct access mode, a pair of CloudBridge appliances is installed across a branch office and the
datacenter in inline mode. A client accesses VDA resources through Citrix Receiver for HTML5 over the private
WAN. Connections from the client to the VDA resources is secured by using encryption at the ICA level.
Messages exchanged between the client and VDA are explained in Understanding Messages Exchanged
Between the Client and the Server.
citrix.com 88
The CloudBridge appliances installed between the client and VDA datacenter optimize the Citrix Receiver for
HTML5 connections established between them.
A direct access deployment is suitable for a corporate intranet on which clients connect without using NetScaler
Gateway or any other firewall. You deploy a set up with direct access when CloudBridge appliances are
deployed in the inline mode and a client from a private WAN connects to the VDA resources.
The direct access with end-to-end SSL encryption mode is similar to the Direct Access mode, with the difference
that the connection between the client and VDA resources is secured by SSL encryption and uses port 443
instead of port 8008 for the connection.
In this deployment, communication between a pair of CloudBridge appliances is secured by making the two
appliance secured partners. This deployment is suitable for a corporate network where connections between the
client and VDA resources are secured by SSL encryption.
Note: You must configure appropriate certificates on the appliances to create secure partners. For more information
about secure partnering, see Secure Peering.
ICA Proxy Mode
The following figure shows the deployment topology of Citrix Receiver for HTML5 installed on the client in ICA proxy
mode.
Figure 5. CloudBridge appliances deployed in ICA proxy mode
In the ICA proxy mode, a pair of CloudBridge appliances is installed across the branch office and a datacenter in
inline mode. In addition, you install NetScaler Gateway, which proxies VDA, at the datacenter. A client accesses
VDA resources through Citrix Receiver for HTML5 over the public WAN. Because the gateway proxies the VDA,
two connections are established: an SSL connection between the client and NetScaler Gateway and an ICA
secured connection between NetScaler Gateway and VDA. The NetScaler Gateway establishes a connection
with VDA resources on behalf of the client. Connections from the gateway to the VDA resources is secured by
encryption at the ICA level.
citrix.com 89
Messages exchanged between the client and VDA are explained in Understanding Messages Exchanged
Between the Client and the Server . However, in this case the connection is terminated at NetScaler Gateway.
The gateway proxies VDA and opens a connection to VDA only after the gateway has negotiated WebSocket
authorization. The gateway then transparently passes messages from client to VDA and vice versa.
If you expect users to access VDA resources from a public WAN, you can consider deploying the ICA Proxy
mode set up.
Note: You must configure appropriate certificates on the appliances to create secure partners. For more information
about secure partnering, see Secure Peering.
ICA Proxy Mode with End-to-End SSL Encryption
The following figure shows the deployment topology of Citrix Receiver for HTML5 installed on the client in ICA proxy
mode secured with end-to-end SSL encryption.
Figure 6. CloudBridge appliances deployed in ICA proxy mode secured with end-to-end SSL encryption
ICA Proxy mode with end-to-end SSL encryption mode is similar to ordinary ICA Proxy mode, with the difference
that the connection between the NetScaler Gateway and VDA is secured by SSL encryption instead of using an
ICA secured connection. In this scenario, you must install appropriate certificates on the CloudBridge appliance
and VDA. The connection between the NetScaler Gateway and VDA uses port 443 instead of port 8008, as in
case of ordinary ICA Proxy mode.
This deployment is suitable for a network where you must secure end-to-end communication between clients
and VDA, including the connection between NetScaler Gateway and VDA.
Full Virtual Private Network (VPN) Mode
The following figure shows the deployment topology of Citrix Receiver for HTML5 installed on the client in the full
Virtual Private Network (VPN) mode.
Figure 7. CloudBridge appliances deployed in VPN mode
In full VPN mode, a pair of CloudBridge appliances is installed across a branch office and the datacenter in inline
mode. In addition to Citrix receiver for HTML5, you install the NetScaler Gateway plugin on the client and
NetScaler Gateway interfacing external network at the datacenter. The NetScaler Gateway plugin on the client
and NetScaler Gateway on the datacenter create an SSL tunnel or VPN over the network when they establish a
connection. As a result, the client has a direct secure access to the VDA resources, with transparent connection
through the CloudBridge appliance. When the client connection is terminated at NetScaler Gateway, the gateway
opens a transparent connection to port 8008 on VDA.
citrix.com 90
Messages exchanged between the client and VDA are explained in the Understanding Messages Exchanged
Between the Client and the Server section. However, in this case the connection is terminated at NetScaler
Gateway. The gateway proxies VDA and opens a transparent connection to VDA at port 8008, and transparently
passes all messages from client to VDA and vice versa.
The CloudBridge plug-in enables the client to access resources regardless of the location of the client. When you
expect clients to need access to the VDA resources from locations other than their desktops, you can deploy the
setup in full virtual Private Network (VPN) mode.
This deployment is suitable for organizations expecting their employees to access resources when they are
traveling.
Full Virtual Private Network (VPN) Mode with End-to-End SSL Encryption
The following figure shows the deployment topology of Citrix Receiver for HTML5 installed on the client in the full VPN
mode secured with end-to-end SSL encryption.
Figure 8. CloudBridge appliances deployed in VPN mode secured with end-to-end SSL encryption
Full Virtual Private Network (VPN) mode with end to end SSL encryption deployment is similar to ordinary full
VPN mode, with the difference that the communication between NetScaler Gateway and VDA is secured by SSL
encryption and uses port 443 instead of port 8008.
This deployment is suitable for organizations that need end-to-end SSL encryption for resources accessed by
the employees who are traveling.
citrix.com 91
Troubleshooting
Issue: After upgrading an appliance to CloudBridge release 7.3.1, the ICA connections are not categorized
as Citrix Receiver for HTML5 connections in the ICA Monitoring pages.
Cause: Service class defined on the appliance is HTTP (Private) instead of Web (Private). When you
upgrade an appliance to CloudBridge release 7.3.1, the ALTHTTP application is not added to this
service class. As a result, even though ICA connections over Citrix Receiver for HTML5 are optimized,
these are not categorized as Citrix Receiver for HTML5 connections in the ICA Monitoring pages.
Resolution : To categorize ICA connections over Citrix Receiver for HTML5, complete the following
procedure:
1. Navigate to the Configuration > Optimization Rules > Service Classes page.
2. Edit the HTTP (Private) service class.
3. Click Add Rule.
4. In Filter Rules, under Applications, click Any.
5. From the Applications list, select ALTHTTP.
6. Click Add.
7. Click Save.
8. Make other changes to the filter rule, as required.
9. Click Save.
citrix.com 92
HTTP Acceleration
The CloudBridge accelerator uses a variety of zero-config optimizations to speed up HTTP traffic. This in turn
accelerates Web pages and any other applications using the HTTP protocol (file downloads, video streaming, automatic
updates, and so on).
Optimizations that accelerate HTTP include compression, traffic shaping, flow control, and caching.
Compression
HTTP is an ideal application for CloudBridge multi-level compression.
Static content, including standard HTML pages, images, video, and binary files, receives variable amounts of first-pass
compression, typically 1:1 on pre-compressed binary content, and 2:1 or more on text-based content. Starting with the
second time the object is seen, the two largest compression engines (memory-based compression and disk-baed
compression) deliver extremely high compression ratios, with larger objects receiving compression ratios of 1,000:1 or
more. With such high compression ratios, the WAN link stops being the limiting factor, and the server, the client, or the
LAN becomes the bottleneck.
The appliance switches between compressors dynamically to give maximum performance. For example, the appliance
uses a smaller compressor on the HTTP header and a larger one on the HTTP body.
Dynamic content, including HTTP headers and dynamically generated pages pages that are never the same twice
but have similarities to each other are compressed by the three compression engines that deal with smaller
matches. The first time a page is seen, compression is good. When a variant on a previous page is seen, compression
is better.
Traffic Shaping
HTTP consists of a mix of interactive and bulk traffic. Every users traffic is a mix of both, and sometimes the same
connection contains a mix of both. The traffic shaper seamlessly and dynamically ensures that each HTTP connection
gets its fair share of the link bandwidth, preventing bulk transfers from monopolizing the link at the expense of
interactive users, while also ensuring that bulk transfers get any bandwidth that interactive connections do not use.
Flow Control
Advanced retransmission algorithms and other TCP-level optimizations retain responsiveness and maintain transfer
rates in the face of latency and loss.
Video Caching
HTTP caching for video files was introduced in release 7.0 Caching involves saving HTTP objects to local storage and
serving them to local clients without reloading them from the server.
What is the difference between caching and compression? While caching provides speedup that is similar to compression,
the two methods are different, making them complementary.
Compression speeds up transfers from the remote server, and this higher data rate can place a higher load
on the server if compression were not present. Caching prevents transfers from the server, and reduces the
load on the server.
Compression works on any data stream this is similar to a previous transfer if you change the name of a
file on the remote server and transfer it again, compression will work perfectly. Caching works only when the
object being requested by the client and the object on the disk are known to be identical if you change
the name of a file on the remote server and transfer it again, the cached copy is not used.
Compressed data cannot be delivered faster than the server can send it. Cached data is dependent only on
the speed of the client-side appliance.
Compression is CPU-intensive; caching is not.
citrix.com 93
TCP Flow-Control Acceleration
Ordinary WANs have very poor responsiveness at high link utilization and at long distances. A widely used rule of thumb
for ordinary, non-accelerated WAN links is, "once link utilization reaches 40%, it is time to add more bandwidth, because
performance and reliability have degraded to the point where the link is largely unusable." Interactive performance
suffers, making it hard for people to get work done, and connections frequently time out. Accelerated links do not have
this problem. A link with 95% utilization is still perfectly usable.
CloudBridge appliances become virtual gateways that control the TCP traffic on the WAN link. Ordinary TCP is
controlled on a per-connection basis by the endpoint devices. Optimal control of link traffic is difficult, because neither
the endpoint devices nor individual connections have any knowledge of the link speed or the amount of competing
traffic. A gateway, on the other hand, is in an ideal position to monitor and control link traffic. Ordinary gateways
squander this opportunity because they cannot supply the flow control that TCP lacks. CloudBridge technology adds the
intelligence that is missing in the network equipment and the TCP connections alike. The result is greatly improved
WAN performance, even under harsh conditions such as high loss or extreme distance.
CloudBridge flow control is lossless and transparent, and it implements a broad spectrum of speed optimizations. No
configuration is required, because of autodiscovery and autoconfiguration. You might, however, have to tweak your
firewalls if they block the TCP options used by the acceleration algorithms.
citrix.com 94
Lossless, Transparent Flow Control
Acceleration operates on any TCP connection passing through two appliances (one at the sending site and one at the
receiving site), or a CloudBridge appliance and a CloudBridge Plug-in. Although the above figure shows a network of
two appliances, any appliance can accelerate connections between any number of other appliance-equipped sites
simultaneously. This allows a single appliance to be used per site, rather than two per link.
Like any gateway, the CloudBridge appliance meters packets onto the link. Unlike ordinary gateways, however, it imposes
transparent, lossless flow control on each link segment, including:
The LAN segment between the sender and the sending appliance
The WAN segment between the sending and receiving appliances
The LAN segment between the receiving appliance and the receiver
Flow control can be managed independently for each of these three segments. The segments are partly decoupled, so
each can have its speed controlled independently. This is important when a connection's speed needs to be ramped up
or down quickly to its fair bandwidth share, and is also important as a means of supporting enhanced WAN algorithms
and compression.
The TCP protocol is designed to make every TCP connection attempt to increase its bandwidth usage continuously.
However, the link bandwidth is limited. The result is that the links become overrun. CloudBridge flow control keeps the
TCP connections flowing at just the right speed. The link is filled but is never overrun, so queuing latency and packet
losses are minimized, while throughput is maximized.
With ordinary TCP, long-running connections (which have had time to seize all the bandwidth) tend to squeeze out short-
running connections. This problem, which ruins interactive responsiveness, does not occur with flow control .
citrix.com 95
Speed Optimizations
Most TCP implementations do not perform well over WAN links. To name just two problems, the standard TCP
retransmission algorithms (Selective Acknowledgments and TCP Fast Recovery) are inadequate for links with high loss
rates, and do not consider the needs of short-lived transactional connections.
CloudBridge implements a broad spectrum of WAN optimizations to keep the data flowing under all kinds of adverse
conditions. These optimizations work transparently to ensure that the data arrives at its destination as quickly as
possible.
The figure below shows the transfer speeds possible at various distances, without acceleration, when the endpoints use
standard TCP (TCP Reno). For example, gigabit throughputs are possible without acceleration within a radius of a few
miles, 100 Mbps is attainable to less than 100 miles, and throughput on a worldwide connection is limited to less than 1
Mbps, regardless of the actual speed of the link. With acceleration, however, the speeds above the diagonal line
become available to applications. Distance is no longer a limiting factor.
Figure 1. Non-accelerated TCP Performance Plummets With Distance
Note: Without Citrix acceleration, TCP throughput is inversely proportional to distance, making it impossible to extract the full
bandwidth of long-distance, high-speed links. With acceleration, the distance factor disappears, and the full speed of a link
can be used at any distance. (Chart based on model by Mathis, et al, Pittsburgh Supercomputer Center.)
Accelerated transfer performance is approximately equal to the link bandwidth. The transfer speed is not only higher
than with unaccelerated TCP, but is also much more constant in the face of changing network conditions. The effect is
to make distant connections behave as if they were local. User-perceived responsiveness remains constant regardless
of link utilization. Unlike normal TCP, with which a WAN operating at 90% utilization is useless for interactive tasks, an
accelerated link has the same responsiveness at 90% link utilization as at 10%.
With short-haul connections (ones that fall below the diagonal line in the figure above), little or no acceleration takes
place under good network conditions, but if the network becomes degraded, performance drops off much more slowly
than with ordinary TCP.
Non-TCP traffic, such as UDP, is not accelerated. However, it is still managed by the traffic shaper.
Example
One example of CloudBridge's advanced TCP optimizations is a retransmission optimization called transactional mode.
A peculiarity of TCP is that, if the last packet in a transaction is dropped, its loss not noticed by the sender until a
receiver timeout (RTO) period has elapsed. This delay, which is always at least one second long, and often longer, is
the cause of the multiple-second delays seen on lossy links-delays that make interactive sessions unpleasant or
impossible.
Transactional mode solves this problem by automatically retransmitting the final packet of a transaction after a brief
delay. Therefore, an RTO does not happen unless both copies are dropped, which is unlikely.
A bulk transfer is basically a single enormous transaction, so the extra bandwidth used by transactional mode for a bulk
transfer can be as little as one packet per file. However, interactive traffic, such as key presses or mouse movements,
has small transactions. A transaction might consist of a single undersized packet. Sending such packets twice has a
modest bandwidth requirement. In effect, transactional mode provides forward error correction (FEC) on interactive
traffic and gives end-of-transaction RTO protection to other traffic.
citrix.com 96
Autodiscovery and Autoconfiguration
In a patent-pending process called autodiscovery, CloudBridge units detect each other's presence automatically. The
appliances attach TCP header options to the first packets in each connection: the SYN packet (sent by the client to the
server to open the connection), and the SYN-ACK packet (sent by the server to the client to indicate that the connection
has been accepted). By tagging the SYN packets and listening for tagged SYN and SYN-ACK packets, the appliances
can detect each other's presence in real time, on a connection-by-connection basis.
The main benefit of autodiscovery is that you do not have to reconfigure all of your appliances every time you add a new
one to your network. They find each other automatically. In addition, the same process allows autoconfiguration. The
two appliances use the TCP header options to exchange operating parameters, including the bandwidth limits (in both
the sending and receiving directions), the basic acceleration mode (hardboost or softboost), and the acceptable
compression modes (disk, memory, or none). All of the information that each appliance needs about its partner is
exchanged with each connection, allowing per-connection variations (for example, per-service-class variations in the
allowable compression types).
Figure 1. How Autodiscovery Works
1. The client opens a TCP connection to the server, as usual, by sending it a TCP SYN packet.
2. The first appliance passes the SYN packet through after attaching a set of appliance-specific TCP header options to it
and adjusting its window size.
3. The second appliance reads the TCP options, removes them from the packet, and forwards them to the server.
4. The server accepts the connection by responding as usual with a TCP SYN-ACK packet.
5. The second appliance remembers that this connection is a candidate for acceleration and attaches its own
acceleration options to the SYN-ACK header.
6. The first appliance reads the options added by the second appliance, strips them from the packet header, and
forwards the packet to the client. The connection is now accelerated. The two appliances have exchanged the
necessary parameters through the option values, and they store them in memory for the duration of the connection.
The connection is accelerated, and the acceleration is transparent to the client, server, routers, and firewalls.
citrix.com 97
Softboost and Hardboost
TCP flow control has two modes: softboost and hardboost.
Softboost uses a rate-based sender that sends accelerated traffic at speeds up to the link's bandwidth limit. If the
bandwidth limit is set slightly lower than the link speed, packet loss and latency are minimized, while link utilization is
maximized. Interactive applications see fast response times while bulk-transfer applications see high bandwidth.
Softboost shares the network with other applications in any topology, and it interoperates with third-party QoS systems.
Hardboost is more aggressive than softboost. By ignoring packet losses and other so-called "congestion signals," it
performs very well on links plagued with heavy, non-congestion-related losses, such as satellite links. It is also excellent
on low-quality, long-haul links with a high background packet loss, such as many overseas links. Hardboost is
recommended only for point-to-point links that do not achieve adequate performance with softboost.
Note:
Hardboost should be used only on fixed-speed point-to-point links or hub-and-spoke deployments where the
hub bandwidth is at least equal to the sum of the accelerated spoke bandwidths.
Softboost and hardboost are mutually exclusive, which means that all the Appliances that must
communicate with each other must be set the same. If one unit is set to hardboost and the other is set to
softboost, no acceleration takes place.
1. On the Configuration: Links: Hardboost/Softboost tab, select Softboost as the WAN Boost Mode.
2. Click Update.
1. On the Configuration: Links: Hardboost/Softboost tab, select Hardboost as the WAN Boost Mode.
2. Set WAN Bandwidth Receive Limit to 95% of the link speed.
3. Click Update.
citrix.com 98
Firewall Considerations
The CloudBridge appliance's use of TCP options puts accelerated traffic at risk from firewalls that have aggressive rules
about denying service to connections using less-common TCP options.
Some firewalls strip off the "unknown" options and then forward the packet. This action prevents acceleration but does
not impair connectivity.
Other firewalls deny service to connections with unknown options. That is, the SYN packets with CloudBridge options
are dropped by the firewall. When the appliance detects repeated connection-attempt failures, it retries without the
options. This restores connectivity after a delay of variable length, usually in the range of 20-60 seconds, but without
acceleration.
Any firewall that does not pass CloudBridge options through unmodified must be reconfigured to accept TCP options in
the range of 2431 (decimal).
Most firewalls do not block these options. However, Cisco ASA and PIX firewalls (and perhaps others) with release 7.x
firmware might do so by default.
The firewalls at both ends of the link should be examined, because either one might be permitting options on outgoing
connections but blocking them on incoming connections.
The following example should work with Cisco ASA 55x0 firewalls using 7.x firmware. Because it globally allows options in
the range of 24-31, there is no customized per-interface or per-unit configuration:
====================================================================
CONFIGURATION FOR CISCO ASA 55X0 WITH 7.X CODE TO ALLOW TCP OPTIONS
====================================================================
hostname(config)# tcp-map WSOptions
hostname(config-tcp-map)# tcp-options range 24 31 allow
hostname(config-tcp-map)# class-map WSOptions-class
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map WSOptions
hostname(config-pmap)# class WSOptions-Class
hostname(config-pmap-c)# set connection advanced-options WSOptions
hostname(config-pmap-c)# service-policy WSOptions global
=====================================================
POLICY MAP TO ALLOW APPLIANCE TCP OPTIONS TO PASS (PIX 7.x)
=====================================================
pixfirewall(config)#access-list tcpmap extended permit tcp any any
pixfirewall(config)# tcp-map tcpmap
pixfirewall(config-tcp-map)# tcp-opt range 24 31 allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map tcpmap
pixfirewall(config-cmap)# match access-list tcpmap
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcpmap
pixfirewall(config-pmap-c)# set connection advanced-options tcpmap
citrix.com 99
Traffic Shaping
The CloudBridge traffic shaper is an easy-to-use solution for link congestion. Traffic shaping is highly configurable for sites
with special needs, but the default settings are fine for most installations, providing the following benefits:
The traffic shaper is based on bandwidth-limited fair queuing, which gives each service class its fair share of the link
bandwidth. If the link is otherwise idle, any connection (in any service class) can use the entire link. When multiple
connections are competing for the link bandwidth, the traffic shaper applies traffic shaping policies to determine the right mix
of traffic. Every TCP connection or non-TCP flow has a traffic shaping policy. The traffic shaping policy is arrived at in a three-
stage process:
1. The traffic is examined by the application classifier to determine what application it belongs to.
2. The application is looked up in the service-class list to see which service-class it belongs to.
3. The traffic-shaping policy specified by the service-class definition sets the weighted priority and other parameters for
this traffic.
The total bandwidth available for all connections sharing a link is determined by a link definition. Similarly to the way an
application is matched against a list of service classes to determine the service class, a link is matched against a list of link
definitions find the definition that specifies the inbound and outbound bandwidths of the link. To remember which entity does
what, keep the following points in mind:
The link definition tells the traffic shaper how fast to send data for the link.
The application classifier determines which service class to use.
The service-class definition specifies the traffic-shaping policy and whether acceleration is to be attempted.
The traffic-shaping policy sets the weighted priority and a few other parameters to be used on the traffic.
Note: For more information about the application classifier and service classes, see Mechanisms Common to Acceleration
and Traffic Shaping.
Some highlights of the traffic shaper:
All WAN traffic is subject to traffic shaping: accelerated connections, unaccelerated connections, and non-
TCP traffic such as UDP flows and GRE streams.
The algorithm is weighted fair queuing, in which the administrator assigns each service class a priority. Each
service class represents a bandwidth pool, entitled to a minimum fraction of the link speed, equal to
(my_priority/sum_of_all_priorities). A service class with a weighted priority of 100 gets twice as much
bandwidth as a service class with a weighted priority of 50. You can assign weights from 1 through 256.
Each connection within a service class gets an equal share of the bandwidth allotted to that service class.
Each connection gets its fair share of the link bandwidth, because priorities are applied to the actual WAN
data transferred, after compression. For example, if you have two data streams with the same priority, one
achieving 10:1 compression and the other achieving 2:1 compression, users see a 5:1 difference in
throughput, even though the WAN link usage of the two connections is identical. In practice, this disparity is
desirable, because WAN bandwidth, not application bandwidth, is the scarce resource that needs to be
managed.
Traffic-shaping policies apply equally to both accelerated and unaccelerated traffic. For example, an
accelerated XenApp connection and an unaccelerated XenApp connection both receive traffic shaping, so
both can have an elevated priority compared to bulk traffic. As another example, time-sensitive non-TCP
traffic, such as VoIP (which uses the UDP protocol) can be expedited.
Traffic shaping is applied to the WAN link in both the sending and receiving directions, to both accelerated
and non-accelerated traffic. This feature prevents congestion and increased latency even when the other
side of the link is not equipped with a CloudBridge appliance. For example, Internet downloads can be
prioritized and managed.
The traffic-shaping policy for a service class can be specified on a per-link basis if desired.
In addition to shaping the traffic directly, the traffic shaper can affect it indirectly by setting the Differentiated Services
Code Point (DSCP) field to inform downstream routers about the type of traffic shaping each packet requires.
citrix.com 100
Traffic Shaping Changes Since Release 5.x
In releases 6.0 and later, a new traffic-shaping engine manages all the traffic on your WAN links, in both the incoming
and outgoing directions. It replaces the previous system, Repeater QoS, which operated only on accelerated traffic and
in the sending direction only.
When upgrading an appliance from release 5.x to release 6.x, any Repeater QoS definitions are automatically
converted to traffic-shaping policies. For example, if a QoS category of "Queue A" was assigned 30% of the link in
release 5.x, this category is converted into a traffic-shaping policy called "Queue A" with a priority of 30.
For the release 5.x default case, in which 100% of the link is assigned to Queue A, no conversion is done. The release
6.0 defaults are used instead.
However, the principles of release 6.x traffic shaping are different from those of Repeater 5.x QoS. QoS settings cannot be
migrated when you upgrade to release 6.x. Advantages of traffic shaping over the old system include:
citrix.com 101
Weighted Fair Queuing
In any link, the bottleneck gateway determines the queuing discipline, because data in the non-bottleneck gateways
does not back up. Without pending data in the queues, the queuing protocol is irrelevant.
Most IP networks use deep FIFO queues. If traffic arrives faster than the bottleneck speed, the queues fill up and all
packets suffer increased queuing times. Sometimes the traffic is divided into a few different classes with separate
FIFOs, but the problem remains. A single connection sending too much data can cause large delays, packet losses, or
both for all the other connections in its class.
A CloudBridge appliance uses weighted fair queuing, which provides a separate queue for each connection. With fair
queuing, a too-fast connection can overflow only its own queue. It has no effect on other connections. But because of
lossless flow control, there is no such thing as a too-fast connection, and queues do not overflow.
The result is that each connection has its traffic metered into the link in a fair manner, and the link as a whole has an
optimal bandwidth and latency profile.
The following figure shows the effect of fair queuing. A connection that requires less than its fair share of bandwidth (the
bottom connection) gets as much bandwidth as it attempts to use. In addition, it has very little queuing latency.
Connections that attempt to use more than their fair share get their fair share, plus any bandwidth left over from
connections that use less than their fair share.
Figure 1. Fair Queuing in Action
The optimal latency profile provides users of interactive and transactional applications with ideal performance, even
when they are sharing the link with multiple bulk transfers. The combination of lossless, transparent flow control and fair
queuing enables you to combine all kinds of traffic over the same link safely and transparently.
The difference between weighted fair queuing and unweighted fair queuing is that weighted fair queuing includes the
option of giving some traffic a higher priority (weight) than others. Traffic with a weight of two receives twice the
bandwidth of traffic with a weight of one. In a CloudBridge configuration, the weights are assigned in traffic-shaping
policies.
citrix.com 102
Traffic Shaping Policies
Every service class definition specifies a traffic-shaping policy, which sets parameters for traffic of the associated
service class. The following figure shows the page on which you create a traffic-shaping policy.
Figure 1. Creating a New Traffic-Shaping Policy
A CloudBridge appliance ships with factory-default policies that span a broad range of priorities, with each policy
separated from its neighbors by a factor of two in priority. These policies are listed on the Configuration: Traffic Shaping
Policies page. Note that, with the exception of Default Policy, at the bottom of the traffic shaping policies list, the
factory-default policies cannot be edited or deleted. The reason is to ensure that they have the same meaning on all
appliances. To make changes, create a new traffic-shaping policy with the new parameters and change the appropriate
service-class definitions to refer to the new traffic-shaping policy.
Figure 2. Creating an ICA Traffic-Shaping Policy That Specifies Per-Priority DSCP Values
citrix.com 103
You can assign different traffic-shaping priorities to different values of the two-bit ICA priority field (a bit field in the Citrix
ICA and CGP protocols used by XenApp and XenDesktop).
Note: The controls for ICA priorities are hidden by default on the Configuration: Traffic Shaping Policies: Create Policy page.
Press the Show All Advanced Options button to show them.
The advanced options support both single-connection and multi-connection ICA/CGP streams. In single-connection
streams (the traditional ICA/CGP implementation) all four priorities are multiplexed in a single connection, and the ICA
priority field of the connection changes with the kind of date being sent. The CloudBridge appliance changes its traffic-
shaping priority to match. The newer multi-connection option uses different connections for different priority levels, with
a static ICA priority for each connection.
ICA priorities can be mapped to Differentiated Services Code Point (DSCP) values in the IP header, informing the
downstream routers about the kind of handling that each packet requires.
Note that, if you clear the Set ICA Priorities check box for a traffic-shaping policy, existing connections governed by that
policy are reclassified as Other TCP traffic for the rest of their lifetimes. They cannot be transferred from one ICA traffic-
shaping state to another.
citrix.com 104
Traffic Classification
The two main functions of a CloudBridge or CloudBridge appliance are traffic shaping, which maximizes link usage for
all types of traffic, and acceleration, which applies compression and various optimizations to accelerate TCP traffic. Two
basic components of both traffic shaping and acceleration are the application-classifier mechanism and the service-
class mechanism. The former identifies the type of traffic, so that the latter can assign the traffic to a service class. Each
service class has a traffic shaping policy and an acceleration policy.
citrix.com 105
The Application Classifier
The application classifier uses application definitions to categorize the traffic by protocol and application. This
information is used to create reports, and by the service-class mechanism. Many applications are already defined, and
you can define more as needed.
Applications must not have overlapping definitions. For example, if one application on your network uses TCP ports
3120 and 3128, and another application uses port 3120, only one CloudBridge application definition can include port
3120.
1. Navigate to the Configuration > Optimization Rules > Application Classifiers button on the page.
2. Click Add.
3. On the Add an Application Classifier page, set the following parameters:
a. NameName of the application classifier. Must begin with an ASCII alphanumeric or underscore (_)
character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), colon (:), at (@),
equals (=), and hyphen (-) characters. Maximum length: 31 characters.
b. DescriptionDescription of the application classifier.
c. Application GroupThe application classifier belongs to this application group. Application groups
are a set of predefined groups of applications that are categorized on the basis of their functionality.
d. Classification TypeThe high-level classification you want to use for this application classifier. The
high-level classification is mostly done on the basis of the port that an application uses.
4. Click Add.
citrix.com 106
Service Classes
Service classes are assigned traffic-shaping policies and acceleration policies to be used for all connections that match the
service-class definition. Service classes can be based on the following parameters:
Applications
IP or VLAN addresses
DSCP bits
SSL profiles
The default service-class definitions are recommended as a starting point. Modify them if they prove inadequate for your
links.
The service classes are defined in an ordered list. The first definition that matches the traffic being processed becomes
the service class for the traffic.
citrix.com 107
Differences Between Acceleration Decisions and Traffic Shaping Policies
To make an acceleration decision, the CloudBridge appliance examines the initial SYN packet of each TCP connection
to determine whether the connection is a candidate for acceleration. The SYN packet contains no payload, only
headers, so the acceleration decision must be based on the contents of the SYN packet's headers, such as the
destination port or destination IP address of the connection. Acceleration, once applied, lasts for the duration of the
connection.
Unlike acceleration decisions, traffic-shaping policies can be based on the contents of the connection's data stream.
Depending on how long it takes for the application classifier to receive enough data for a final classification, a
connection might be reclassified during its lifetime.
For example, the first packet in an HTTP connection to http://www.example.com is a SYN packet that contains a header
but no payload. The header has an IP destination port of 80, which matches the HTTP: Internet service class
definition, so the acceleration engine bases its acceleration decision, in this case, none (no acceleration) on that service
class.
The traffic shaper uses the traffic-shaping policy from the HTTP: Internet service-class, but this decision is
temporary. The first payload packet contains the string GET http://www.example.com, which matches the example
application definition in the application classifier. The service class that includes the example application is selected by
the traffic shaper, instead the service class that includes HTTP: Internet, and the traffic shaper uses the service-
class policy named in that service-class definition.
Note: Regardless of the service class policy, the reporting feature tracks the usage of the example application.
Important: All traffic is associated with an application and a service class, and all service classes have a traffic shaping policy,
but only TCP connections have an acceleration policy other than none.
citrix.com 108
Configuring Service Class Definitions
Because service-class definitions are an ordered list, a definition that is an exception to a general case must precede the
more general definition on the service-class page. The first definition whose rule matches the traffic is the one that is applied.
For example:
Service classes based on URLs must precede the HTTP service classes in the service-class list, because
any URL-based rule also matches the HTTP service class. Therefore, putting the HTTP service class first
would prevent the URL-based rules or published application-based rules from ever being used.
Similarly, service classes based on ICA (XenApp/XenDesktop) published applications must precede the
Citrix service class.
Because all URL-based rules match the HTTP service class, putting the HTTP service class above them would result in
the URL-based rules or published application-based rules never being used.
Figure 1. Default Service Class List
To create an RPC over HTTP service class and bind the SSL profile to it
1. Navigate to the Configuration > Optimization Rules > Service Classes page.
2. In the Name field, type a name for the service class.
3. Make sure that the Enabled option is selected.
4. From the Acceleration Policy list, select an acceleration policy. Memory and Disk specify where to store the
traffic history used for compression. Disk is usually the best choice, because the appliance automatically
selects disk or memory, depending on which is more appropriate for the traffic. Memory specifies memory
only. None is used only for uncompressible encrypted traffic and real-time video.
5. Select a QoS policy option.
6. In the traffic shaping policy list, make sure that Default Policy option is selected. Traffic shaping policies have a
weighted priority and other attributes that determine how matching traffic will be treated, relative to other traffic.
Most service classes are set to Default Policy, but higher-priority traffic can be assigned a higher-priority
traffic-shaping policy, and lower-priority traffic can be assigned a lower-priority policy.
7. In the Filter Rules section, click Add to create filter rule that has Any as the default value for all parameters. If a
rule is evaluated as TRUE for a given connection, the connection is assigned to that service class. Filter rules
for most service classes consist solely of a list of applications, but rules can also include IP addresses, VLAN
tags, DSCP values, and SSL profile names. All the fields in a rule default to Any (a wildcard). Fields within a
rule are ANDed together.
citrix.com 109
8. From the Application Group list, select Email and Collaboration.
9. Click Add.
10. From the Available list, select the required applications.
11. Move the selected applications to the Configured list.
12. In the Source IP Addresses field, add the client IP addresses.
13. From the Direction list, select the direction of the traffic.
14. In the Destination IP Addresses field, type the IP address of the server.
15. Click Add.
16. From the SSL Profiles list, select the SSL profile you have created.
17. Click Create.
Note: You must configure and bind an SSL profile to the service class only on the datacenter-side appliance.
citrix.com 110
Link Definitions
Link definitions enable the appliance to prevent congestion and loss on your WAN links and to perform traffic shaping. A
link definition specifies which traffic is associated with the defined link, the maximum bandwidth to allow for traffic
received on the link, and the maximum bandwidth for traffic sent over the link. The definition also identifies traffic as
inbound or outbound and as WAN-side or LAN-side traffic. All traffic flowing through the appliance is compared to your
list of link definitions, and the first matching definition identifies the link to which the traffic belongs.
By performing the Quick Installation procedure, you customize the appliance's default link definitions. You have then
defined the appliance's link to the WAN and its link to the LAN. For a simple inline deployment, no further configuration
of link definitions is necessary. Other types of deployments require additional configuration of link definitions.
Every link has two bandwidth limits, representing the sending speed and the receiving speed. Only when the link speed
is known can the appliance inject traffic into the link at exactly the right speed, thus eliminating the congestion and
packet loss that result from attempting to send too much, or the loss of performance that results from sending too little.
When placed between a fast LAN and a slower WAN and acting as a virtual gateway, the appliance has the ability to
receive traffic faster than the WAN can accept it, creating a backlog of traffic. The existence of this backlog enables the
appliance to choose which packet to send next, and this choice in turn makes traffic shaping possible. Unless there are
packets from multiple streams to choose from, there is no ability to favor one stream over the other. Traffic shaping is
therefore dependent on the existence of the virtual gateway and correctly set bandwidth limits.
Note: Link definitions normally apply to connections to the accelerated pair of bridge ports. The two motherboard ports,
Primary and Aux1, can also be defined as links, but doing so rarely serves any purpose, because they are used for
management and as a back-channel for high-availability and group modes, not for WAN traffic.
Important: For link-definition purposes, a link is a physical link, with its own bandwidth capacity. It is typically a cable that
leaves the building. Remember the following points:
citrix.com 111
The Default Link Definitions
The Configuration: Links page shows the currently defined links, either as a listing (collapsed) or in summary form
(expanded). The following links are defined by default. However, they require additional configuration (which you have
already done if you performed the Quick Installation procedure).
You can configure the accelerated bridges on the Quick Installation page or on the Configuration: Links page.
Figure 1. Link definition tab, collapsed (top) and expanded (bottom)
citrix.com 112
How the Traffic Shaper Users Link Definitions
To manage a link, the traffic shaper needs the following information:
The speed of the link in both the send and receive directions.
Whether the link is a WAN link or a LAN network.
A way of distinguishing link traffic from other traffic.
The direction in which traffic is flowing over the link.
Link Speed Link speed always refers to the speed of the physical link. In the case of a WAN link, it is the speed of
the WAN segment that terminates in the building with the CloudBridge appliance. The speed of the other end of the link
is not considered. For example, the following figure shows a network of four appliances. Each appliance has its
incoming and outgoing bandwidths set to 95% of the speed of its own, local WAN segment, without regard to the speed
of the remote endpoints.
Figure 1. Local bandwidth limits track local link speeds
The reason for setting the bandwidth limits to 95% of the link speed instead of 100% is to allow for link overhead (few
links can carry data at 100% of their published speeds) and to ensure that the appliance is slightly slower than the link,
so that it becomes a slight bottleneck. Traffic shaping is not effective unless the traffic shaper is the bottleneck in the
connection.
Distinguishing Different Types of TrafficIn each link definition, you must declare whether the definition applies to
a WAN link or a LAN network.
The traffic shaper needs to know whether a packet is traveling on the WAN, and, if so, in which direction. To provide this
information:
For simple inline deployments, you declare that one port of the accelerated bridge belongs to the WAN link
and that the other port belongs to the LAN.
In other deployment modes, the appliance examines IP addresses, MAC addresses, VLANs, or WCCP
service groups. (Note that testing for WCCP service groups is not yet supported.)
If a site has multiple WANs, the local link definitions must include rules that enable the appliance to
distinguish traffic from different WANs.
citrix.com 113
Configuring Link Definitions
Link definitions are arranged in an ordered list, one entry per link, which is tested from top to bottom for every packet
entering or leaving the appliance. The first matching definition determines which link the packet belongs to. Within each
link definition is an ordered list of rules, which is also tested from top to bottom. Each packet is compared to these rules,
and if it matches one of them, the packet is considered to be traveling over that link.
Within a single rule, the fields are all ANDed together, so all specified values have to match. All fields default to Any, a
wildcard entry that always matches. When a field consists of a list, such as a list of IP subnets, the list entries are ORed
together. That is, if any element matches, the list as a whole is considered to be a match.
Citrix recommends port based link definitions for simple inline deployments, and IP based link definitions for all other
deployments.
Figure 1. Link definition rules
To configure link definitions, set parameters on the Create/Edit Link page, which you access from the Configuration:
Links: Link Definition tab.
citrix.com 114
Inline Links
Most CloudBridge appliances use a simple inline deployment, where each accelerated bridge serves just one WAN link.
This is the simplest mode to configure.
In Figure 1, all traffic passing through the accelerated bridge is assumed to be WAN traffic. The link is an ADSL link with
different send and receive speeds (6.0 mbps down, 1.0 mbps up). The WAN is connected to accelerated bridge port
apA.1, and the LAN is connected accelerated bridge port apA.2.
This link is easy to configure on the Edit Links page, shown in the following figure.
Figure 2. WAN definition (top) and LAN definition (bottom)
citrix.com 115
The configuration shown in Figure 3 is similar to the one shown in Figure 1-3, but the site has a second link, a T1 link to
the corporate WAN, in addition to the ADSL Internet link. The CloudBridge has two accelerated bridges, one for each
WAN link.
Configuration is almost as simple as the single-bridge case, with the following additional steps:
1. Edit a second WAN link on apB, which in this case is apB.1. Set the type to WAN. Set the link bandwidth to
95% of the 1.5 mbps T1 speed, and give the link a new name, such as WAN to HQ.
2. Add a rule specifying apB.2 to the LAN definition and delete the default link definition for apB.2. (Alternatively,
you can edit the default link definition for apB.2 to specify it as a LAN link, as was done for apA.2.)
citrix.com 116
Non-Inline Links
For other than simple inline deployments (which serve only one WAN per accelerated bridge), use IP subnets instead of
bridge ports to distinguish LAN traffic from WAN traffic. This approach is essential for one-arm deployments, which use
only a single bridge port. IP subnets are sometimes useful for inline deployments as well, especially when the appliance
serves more than one WAN. For simple inline deployments, however, port based links are easier to define.
The traffic classifier applies a specialized convention when examining the Src IP and Dst IP:
This convention can sometimes be confusing, but it allows the direction of packet travel to be implicitly considered as
part of the definition.
For the configuration shown in the above figure, you can define the LAN and WAN links without specifying the
Ethernet ports at all, using the LAN subnet instead:
Create a rule for the LAN link definition and specify the LAN subnet in the Src IP field.
Create a rule for the WAN link definition and specify the LAN subnet (not the WAN subnet) in the Dst
IP field.
Configuration of the WCCP link in the above figure, using IP addresses, is the same as in Example 1, because the LAN
and WAN IP subnets are identical.
When WCCP-GRE is used, the GRE headers are ignored and the IP headers within the encapsulated data packets are
used. Therefore, this same link definition works for WCCP-L2, WCCP-GRE, inline, and virtual inline modes.
citrix.com 117
(WCCP and virtual inline modes require configuration of your router. WCCP also requires configuration on the
Configuration: Advanced Deployments page.)
citrix.com 118
Secure Traffic Acceleration
CloudBridge appliance supports secure traffic acceleration for various applications.
citrix.com 119
Secure Peering
Several advanced functions require that the CloudBridge appliances at the two ends of the link establish a secure peer
relationship with each other, setting up an SSL signaling tunnel (also called a signaling connection). These features are
SSL compression, signed CIFS support, and encrypted MAPI support.
When secure peering is enabled, compression is automatically disabled for all partner appliances (and computers
running the CloudBridge Plug-in) that have not established a secure peer relationship with the local appliance.
To establish a secure peer relationship, you have to generate security keys and certificates, and configure a securing
signaling tunnel between the appliances. Before configuring the tunnel, order a crypto license from Citrix.
citrix.com 120
How Secure Peering Works
When the appliance at one end of a connection detects that the other appliance has secure peering enabled, it attempts
to open an SSL signaling tunnel. If the two appliances successfully authenticate each other over this tunnel, they have a
secure peering relationship. All accelerated connections between the two appliances are encrypted, and compression is
enabled.
When an appliance has secure peering enabled, connections with a partner for which it does not have a secure peer
relationship are not encrypted or compressed, though TCP flow-control acceleration is still available. Compression is
disabled to ensure that data stored in compression history from secured partners cannot be shared with unsecured
partners.
Note: Because an appliance with secure peering enabled does not compress connections to unsecured partners, using the
same appliance successfully with a mix of secured and unsecured partners is difficult. Keep this point in mind when designing
your accelerated network.
A keystore password is required to access the security parameters. This keystore password is different from the
administrator's password, to allow security administration to be separated from other tasks. If the keystore password is
reset, all existing encrypted data and private keys are lost.
To protect data even if the appliance is stolen, the keystore password must be reentered every time the appliance is
restarted. Until this is done, secure peering and compression are disabled.
citrix.com 121
Generating Security Keys and Certificates
CloudBridge products are shipped without the required keys and certificates for the SSL signaling tunnel. You must
generate them yourself. You can generate keys and certificates through your normal process for generating credentials,
or with the "openssl" package from http://www.openssl.org.
For testing purposes, you can generate and use a self-signed X509 certificate based on a private key (which you also
generate). In production, use certificates that refer to a trusted certifying authority. The following example calls openssl from
the command line on a PC to generate a private key (my.key) and self-signed certificate (my.crt):
citrix.com 122
Configuring Secure Peering
There are two ways to establish secure peering:
1. Using credentials generated by the appliances. This method was introduced in release 7.4.
2. Using credentials you provide yourself. This method is available in all releases since 5.7.
Because an appliance with secure peering enabled will only compress connections with partner appliances with which it
has a secure peering relationship, this procedure should be applied at the same time to all your appliances.
1. Install a crypto license on the appliance. Without a crypto license, secure acceleration is not available.
a. If you have not done so already, acquire crypto licenses from Citrix.
b. If you are using a network license server, go to the Configuration > Appliance Settings > Licensing >
Add License page and click the Remote license server and Crypto License On options.
c. If you are using local licensing, go to Configuration > Appliance Settings > Licensing > Add License
page click the Local license server option, and click Add to upload a local crypto license.
d. Verify successful license installation on the Configuration > Appliance Settings > Licensing page. Under
Licensing Information, a crypto license should be shown as active and with an expiration date in the
future.
2. Go to the Configuration > Secure Acceleration page. If the page has a button labeled Secure, click it.
citrix.com 123
e.
1. Use the Prepare the appliances for securing peering procedure, above, to prepare your appliances for
this procedure.
2. On one datacenter appliance, go to Configuration > Secure Acceleration and click the Enable button, if
present, to enable secure peering.
3. Click the pencil icon under Secure Peering. The keystore should be open. If it isnt, open it now.
4. Click the pencil icon under Secure Peering Certificate and Keys. Click the Enable Secure Peering and Private
CA options, then click Save. This will generate a local self-signed CA certificate and a local certificate-key pair.
5. Click the + icon under Connected Peers. In the Connect Peer dialog box, enter the IP address,
administrators user name, and administrators password for one of your remote appliances and click
Connect. This issues a CA certificate and certificate-key pair for the remote appliance, and copies it to the
remote appliance,
6. Repeat for your other remote appliances.
7. On the datacenter appliance, verify connectivity by going to Monitoring > Partners and Plug-ins > Secure
Partners. For each remote appliance, the content of the Secure field should be True, and the Connection Status
should be Connected Available.
citrix.com 124
CIFS, SMB2, and MAPI
Windows is one of the common operating systems deployed on the network. The Windows operating system supports
distributed resources shared across locations. For example, you can make resources in your datacenter accessible from
various branch offices. For access over the network, Windows uses Common Internet File System (CIFS) protocol for
accessing shared files, and Messaging Application Programming Interface (MAPI) protocols for accessing email through
Microsoft Outlook. That is, Windows uses CIFS protocol for CIFS-based (Windows and Samba) file transfer and
directory browsing, and Microsoft Outlook uses the MAPI protocol to access Outlook data.
You can use a CloudBridge appliance to optimize the CIFS, Sever Message Block version 2 (SMB2), and MAPI
connections over the network.
In addition to supporting the Windows operating system, CloudBridge appliances support CIFS and SMB2 on NetApp
and Hitachi storage systems.
The flowchart in Figure 1 shows the complete procedure to configure a CloudBridge appliance for optimizing CIFS,
SMB2, and MAPI traffic.
Figure 1. Configuring a CloudBridge appliance for optimizing CIFS, SMB2, and MAPI traffic
citrix.com 125
citrix.com 126
citrix.com 127
Configuring a CloudBridge Appliance to Optimize Secure Windows Traffic
You must add the CloudBridge appliance to the Windows security infrastructure before you can optimize the signed
Windows file system and encrypted MAPI Outlook/Exchange traffic.
As a result of enhancements to the Windows security system in the recent Windows releases, clients and servers
secure the traffic by authenticating and encrypting data. This requires the CloudBridge appliance be a trusted member
of the Windows security infrastructure before it can optimize signed Windows file system and encrypted MAPI
Outlook/Exchange traffic.
After you add the appliance to the Windows security infrastructure, the appliance has the following capabilities:
Acceleration of fileserver traffic for Microsoft Windows servers, NetApp servers, and Hitachi HNAS by using
signed SMB and signed SMB2 protocol.
Acceleration of Microsoft Exchange server traffic when it is accessed by Outlook clients using encrypted
MAPI or RPC over HTTPS.
After the appliance has become a part of the Windows security infrastructure, users have to be authenticated before
they can access resources. To avoid the difficulty of configuring a large number of users in the domain, you can
delegate the authentication responsibility to a delegate user.
You create a delegate user in the active directory. This user is similar to a normal user, but with special privileges. After
creating the delegate user, you must configure this user on the CloudBridge appliance. The appliance uses the delegate
user to authenticate on behalf of users when they access authenticated and encrypted data streams using Windows
protocols, such as CIFS and MAPI.
For accelerating CIFS and MAPI traffic, the standard Windows delegation mechanism allows you to limit security
delegation to the relevant services. This constrained delegation has been available since the release of Windows Server
2003.
After becoming a part of the domain, the appliance accelerates the secure Windows traffic. A datacenter appliance that
joins a Windows domain must have a secure peer relationship with the remote appliance or CloudBridge Plug-in, but
only the datacenter appliance joins the Windows domain. For purposes of CIFS or MAPI acceleration, the remote
appliance acts as a slave to the datacenter appliance, being controlled over the secure SSL tunnel between the two.
Therefore, the delegate user credentials do not leave the datacenter.
The following figure shows a sample topology diagram for this setup.
Figure 1. Windows domain authentication flow
In Figure 1, a branch office client accesses resources of the datacenter. The branch office client, being in another
domain, uses NTLM authentication as a part of the Windows security system. As with all accelerated connections
between two CloudBridge appliances in a secure peer relationship, the CIFS or MAPI connections and NTLM
authentications over the WAN are encrypted. Depending on the Windows domain controller version, the user request
from the datacenter CloudBridge appliance is authenticated using NTLM or Kerberos authentication protocol. After the
domain authenticates the user, subsequent access requests to the Exchange server and file servers use Kerberos
authentication protocol. The CloudBridge appliance then optimizes the connections established between the client and
the server.
citrix.com 128
If the appliances do not have a secure peer relationship, or if the datacenter appliance has not successfully joined the
domain, the connections use TCP flow-control acceleration, which performs no security operations, compression, or
data transformations. The connections between the client and server are established as if the CloudBridge appliances
were not there.
You can configure different client authentication modes on Windows operating systems. The types of connections that
the CloudBridge appliance optimizes depend on the client authentication mode that you configure.
The following table list the Windows client-authentication modes on Windows, and the corresponding CloudBridge
optimizations.
Table 1. Authentication and Optimization Supported for Windows Operating System
Client Operating Client Authentication Mode Optimization Comments
System
Windows XP/Windows Negotiate Authentication Default setting used for all
Vista/Windows7/Windows (SPNEGO) TCP flow-control Windows releases.
8 acceleration
Compression
CIFS protocol
acceleration
Note: If you use the NTLM only or Kerberos only client authentication modes, the traffic is not accelerated if it is encrypted.
Both the client-side and server-side acceleration appliances must have established a secure peer
relationship.
The appliances must use an NTP server that is closely synchronized to the time on the Windows domain
server. Ideally, the appliances and the Windows domain server are all clients of the same NTP server.
Outlook must not be configured for the (non-default) Kerberos only or NTLM only option. The default
(negotiated) option is required for acceleration.
The client and server can be members of any domain that has two-way trust with the server-side appliance's
domain. One-way trust is not supported.
A Kerberos delegate user must be set up on the domain controller, to be used by the appliance participating
in the domain's security infrastructure.
The DNS server IP addresses for the domain must be configured and reachable on the server-side
appliance.
The domain servers must be fully reachable, with both forward and reverse lookups for all the IP addresses
of the domain controllers configured on the DNS servers.
The server-side CloudBridge appliance's host name must be unique. Using the default host name of
"hostname" is likely to cause problems.
Note: The Macintosh Outlook client does not use the MAPI (Outlook/Exchange) standard and is not accelerated by this
feature.
You can use the Pre Domain Check utility to find out if there are any issues with joining the appliance to a domain.
Note: The Windows security system uses the Exchange service to manage MAPI connections.
Figure 2. Configuring the setup to optimize secure Windows traffic
citrix.com 129
Joining a CloudBridge Appliance to the Windows Domain
When the appliance joins the domain, it exchanges a shared secret with the domain controller, allowing the
appliance to remain part of the domain indefinitely. When joining an appliance to a domain, make sure that you
have administrator credentials for the domain controller.
To make sure that the CloudBridge appliance optimizes the CIFS and MAPI traffic (including traffic encapsulated
as RPC over HTTPS), you must make the appliance part of the domain that the Windows fileserver and
Exchange server are a part of. You need to join the server-side appliance to the domain.
Note: The domain administration credentials are not saved on the appliance.
To join a CloudBridge appliance to a Windows domain
1. Navigate to the Configuration > Secure Acceleration > Windows Domain tab.
2. Click Join Windows Domain.
3. Enter the Windows domain name in the Domain Name field.
4. In the User Name field, enter the user name of the domain controller administrator.
5. In the Password field, specify the domain controller administrator password.
6. If necessary, edit the DNS servers for consistency with the Windows domain.
7. Click OK.
8. In the Delegate Users section, add a delegate user, as described in the procedures below.
Setting up user authentication by using Kerberos delegation involves two tasksconfiguring a delegate user
on the domain controller and then adding this user to the CloudBridge appliance.
citrix.com 130
Before you configure a delegate user on a CloudBridge appliance, you must configure a delegate user
with the required properties on the domain controller. You can either create a delegate user account or
use an existing user account as a delegate user account.
After creating an account or selecting an existing account, enable delegation for this user. You then
associate the delegate user with the CIFS and Exchange services, so that the traffic for these services
can be accelerated. After you add this user to the CloudBridge appliance, the appliance presents
delegated credentials for the services associated with this account.
1. Log on to the Windows domain controller as an administrator. Make sure that the file server or
Exchange server is a member of this domain.
2. From the Start menu, open the Active Directory Users and Computers Window.
3. Create a delegate user, as shown in the following screen shot:
1. From the Start menu, open the Active Directory Users and Computers Window.
2. From the View menu, select Advanced Features.
3. Select the User node.
4. Right-click the user that you want to make a delegate user.
citrix.com 131
5. From the shortcut menu, select Properties and navigate to the Attribute Editor tab, as shown
in the following screen shot:
6. From the Attributes list, select servicePrincipalName, as shown in the following screen shot:
7. Click Edit.
8. In the Multi-valued String Editor dialog box, in the Value to add field, specify delegate/<
User_Name>, as shown in the following screen shot:
9. Click Add.
10. Click OK.
11. Click Apply.
12. Click OK.
citrix.com 132
13. Open the user's MAPI-CIFS Delegate User Properties dialog box and verify that the
Delegation tab has been added to the dialog box, as shown in the following screen shot:
1. In the Delegation tab, select the Trust this user for delegation to specific services only
option.
2. Select the Use any authentication protocol option.
3. Click Add, as shown in the following screen shot:
citrix.com 133
5. In the Select Users or Computers dialog box, add the local computer to be selected, as shown
in the following screen shot:
6. Click OK.
7. In the Add Services dialog box, from the Available services list, select cifs, as shown in the
following screen shot:
8. If you have to set up MAPI acceleration on the CloudBridge appliance, press and hold the Ctrl
key, and select the exchangeMDB service.
9. Click OK. The services you have selected are added to the Services to which this account
can present delegated credentials list, as shown in the following screen shot:
citrix.com 134
After configuring the delegate user on the Active Directory server, you must configure this user on the
CloudBridge appliance, so that the appliance can present this user's delegated credentials to the domain. This
enables the appliance to actively optimize the network traffic for the advanced CIFS and MAPI acceleration
features.
To add the delegate user to the server-side appliance
citrix.com 135
Configuring CIFS and SMB2 Acceleration
The CIFS acceleration feature provides a suite of protocol-specific performance enhancements to CIFS-based
(Windows and Samba) file transfer and directory browsing, including enhancements to CIFS transport and to related
protocols such as DCERPC.
CIFS acceleration has three parts:
On networks where CIFS signing is enabled, CIFS protocol acceleration and compression require that you either disable
CIFS packet authentication (signing), or have your datacenter appliances join the Windows domain, and create a secure
peer relationship between the datacenter appliances and your remote appliances and CloudBridge Plug-ins.
Table 1. CIFS acceleration features, by SMB protocol version and whether the appliance has joined the Windows domain.
SMB Version TCP Flow Control Compression Protocol Acceleration
Signing disabled
SMB 1.0 Y Y Y
SMB 2.0 Y Y Y
SMB 2.1 Y Y N
SMB 3.0 Y Y N
Signing enabled, CloudBridge has joined domain
SMB 1.0 Y Y Y
SMB 2.0 Y Y Y
SMB 2.1 Y Y N
SMB 3.0 Y Y N
Signing enabled, CloudBridge has not joined domain
SMB 1.0 Y N N
SMB 2.0 Y N N
SMB 2.1 Y N N
SMB 3.0 Y N N
Table 2. Which SMB protocol version is used, by client and server operating system
Client/Server Windows 8 Windows Windows 7 Windows Windows Vista Earlier versions of
OS Server 2012 Server 2008 R2 Windows Server 2008 Windows
Windows 8 SMB 3.0 SMB 2.1 SMB 2.0 SMB 1.0
Windows
Server 2012
Windows 7 SMB 2.1 SMB 2.1 SMB 2.0 SMB 1.0
Windows
Server 2008
R2
Windows SMB 2.0 SMB 2.0 SMB 2.0 SMB 1.0
Vista
Windows
Server 2008
Previous SMB 1.0 SMB 1.0 SMB 1.0 SMB 1.0
versions of
citrix.com 136
Windows
Not every CIFS implementation uses request patterns that are recognized by the appliance. These unsupported
versions do not achieve acceleration in the full range of cases, as shown in the following table.
Table 3. CloudBridge Support for CIFS Servers and Clients
Product Server Client
Windows Server 2003- Yes* Yes*
2012
Windows XP, Vista, 7, Yes* Yes*
8, 2000
NetApp Yes N/A
Hitachi Yes N/A
Windows NT Yes No
Windows ME and No No
earlier
Others See Note
* Newer Windows versions use the SMB3 protocol when both client and server support it. Protocol acceleration is
not supported for SMB3, so protocol acceleration with an SMB 3-capable OS occurs only when communicating with
an earlier operating system.
Note: Most third-party CIFS implementations emulate one of the servers or clients listed above. To the extent that the
emulation is successful, traffic is accelerated, or not, as shown in the above table. If the emulation behaves differently
from what the CIFS accelerator expects, CIFS acceleration is terminated for that connection.
The behavior of CIFS acceleration with a given CIFS implementation cannot be known for certain until it has been
tested.
Large file reads and writesThese SMB1 optimizations are for file transfers of at least 640 KB. Safe read-ahead and
write-behind techniques are used to stream the data without pauses for every transfer (a transfer is 64 KB or less).
These optimizations are enabled only if the transfer has a BATCH or EXCLUSIVE lock and is "simple." File copies are
always simple. Files opened through applications might or might not be, depending on how they are handled within the
application.
Speedup ratios of 10x are readily obtainable with CIFS acceleration, provided that your link and disks are fast enough to
accommodate ten times your current transfer speeds. 50x speedup can be obtained if necessary, but is not normally
enabled, because of memory consumption. Contact your Citrix representative if 10x is not sufficient.
Small file reads and writesSmall-file enhancements center more around metadata (directory) optimizations than
around data streaming. Native CIFS does not combine metadata requests in an efficient way. CIFS acceleration does.
As with large-file acceleration, these optimizations are not performed unless they are safe (for example, they are not
performed if the CIFS client was not granted an exclusive lock on the directory.) When the SMB2 protocol is used, file
metadata is cached locally for even greater improvements.
Directory BrowsingStandard CIFS clients perform directory browsing in an extremely inefficient way, requiring an
enormous number of round trips to open a remote folder. CIFS acceleration reduces the number of round trips to 2 or 3.
When the SMB2 protocol is used, directory data is cached locally for even greater improvements.
citrix.com 137
CIFS Protocol Acceleration
CIFS acceleration is supported on all models. CIFS is a TCP based protocol and benefits from flow control. However,
CIFS is implemented in a way that is highly inefficient on long-haul networks, requiring an excessive number of round
trips to complete an operation. Because the protocol is very sensitive to link latency, full acceleration must be protocol-
aware.
CIFS acceleration reduces the number of round-trips through a variety of techniques. The pattern of requests from the
client is analyzed and its next action is predicted. In many cases, it is safe to act on the prediction even if it is wrong,
and these safe operations are the basis of many optimizations.
For example, SMB1 clients issue sequential file reads in a non-overlapping fashion, waiting for each 64KB read to
complete before issuing the next one. By implementing read-ahead, the appliance can safely deliver up to 10x
acceleration by fetching the anticipated data in advance.
Additional techniques accelerate directory browsing and small-file operations. Acceleration is applied not only to CIFS
operations, but also to the related RPC operations.
Prerequisites
If your network uses CIFS signing, the appliance must be a trusted member of the domain. To make the appliance a
trusted member of the domain, see Adding a CloudBridge Appliance to the Windows Security Infrastructure.
Depending on their security settings, Windows servers or domain servers might need to have their security settings
adjusted.
Figure 1. Windows Server Security Options, Windows Server 2003 and Windows Server 2008.
Windows file servers have two security modes: "sealing" and "signing."
Sealing encrypts the data stream and prevents CIFS protocol acceleration altogether.
Signing adds authentication data to every data packet, without encrypting the data stream. This prevents acceleration
unless you have implemented the procedures described in Adding a CloudBridge Appliance to the Windows Security
Infrastructure. When this requirement is met, signing is accelerated automatically. Otherwise, signing must be disabled
(if it is not disabled already) for protocol acceleration to take place.
By default, Windows file servers offer signing but do not require it, except for domain servers, which require it by default.
To achieve CIFS acceleration with systems that currently require signing, you must change the system security settings
to disable this requirement. You can do so in the local security settings on the file server, or in group policies. The
citrix.com 138
following examples, for Windows Server 2003 and Windows Server 2008, show the local settings. The group-policy
changes are, of course, almost identical. (For an example of the Local Security Settings screen, see the figure,
Windows Server Security Options, Windows Server 2003 and Windows Server 2008.)
citrix.com 139
Interpreting CIFS Statistics
The Monitoring: Filesystem (CIFS/SMB) page shows a list of accelerated CIFS connections. These connections are
divided into "optimized" and "non-optimized" connections. Because all these connections are accelerated (with flow
control and compression), "optimized" connections have CIFS optimizations in addition to flow control and compression,
while "non-optimized" connections have flow control and compression only.
citrix.com 140
CIFS Management Summary
CIFS acceleration provides significant improvement even at relatively short link distances.
CIFS acceleration begins when a file system is first accessed by the client. If acceleration is enabled with
the file server and client already up and running, no acceleration occurs for many minutes, until the
preexisting CIFS connections are fully closed. CIFS connections are very persistent and last a long time
before closing themselves, even when idle. This behavior is annoying during test, but has little importance in
normal deployment.
Dismounting and remounting a file system in Windows does not close the CIFS connections, because
Windows does not really dismount the file system fully. Rebooting the client or server works. For a less
invasive measure, use the NET USE devicename /DELETE command from the Windows command line
to fully dismount the volume. In Linux, smbmount and umount fully dismount the volume.
Disabling and then reenabling CIFS read and write optimizations on the appliance raises similar issues.
Existing connections do not become accelerated when CIFS is enabled, and the number of protocol
errors detected on the Monitoring: Filesystem (CIFS/SMB) page increases briefly.
CIFS statistics can be confusing, because only the appliance farthest from the fileserver reports CIFS
acceleration with full statistics. The other appliance sees it as ordinary acceleration.
CIFS acceleration is not supported in proxy mode.
If CIFS acceleration does not take place with a Windows server, check the servers security settings.
citrix.com 141
Configuring MAPI Acceleration
Microsoft Outlook acceleration provides improved performance for traffic between Microsoft Outlook clients and
Microsoft Exchange Servers, increasing throughput with a variety of optimizations, including data prefetching and
compression.
This feature is also called "MAPI acceleration," after the MAPI protocol used between Outlook and Exchange Server.
In networks where the Outlook data stream is unencrypted (the default before Outlook 2007), this feature requires no
configuration.
In networks where the Outlook data is encrypted (the default with Outlook 2007 and later), acceleration can be obtained
in one of two ways: by disabling encryption in the Outlook clients or by having the appliances join the Windows domain.
Any combination of supported clients and servers (using the MAPI protocol) is supported.
Outlook must connect to the Exchange Server normally, using the MAPI protocol (not through an HTTP or
HTTPS proxy or "Outlook Anywhere").
If the server-side appliance has joined a Windows domain, connections with MAPI encryption are
accelerated. Otherwise, they are not, and encryption should be disabled in the Outlook clients.
Prerequisites
If your network uses encrypted Outlook data, which is the default setting in Outlook 2007 and later, you must implement one
of the following prerequisites to make sure that MAPI connections are accelerated:
Configuration
Outlook acceleration is a zero-configuration feature that is enabled by default. (If not wanted, it can be disabled by disabling
acceleration on the MAPI service class on the Configuration: Service Class Policy page.) Outlook acceleration takes place
automatically if the following conditions are met:
Encryption was disabled by default before Outlook 2007. Starting with Outlook 2007, encryption is enabled by
default.
Performance Note
MAPI uses a different data format from other protocols. This difference prevents effective cross-protocol compression.
That is, a file that was first transferred through FTP and then as an email attachment does not receive a compression
advantage on the second transfer. If the same data is sent two times in MAPI format, the second transfer receives full
compression.
citrix.com 142
Troubleshooting CIFS and MAPI
Issue: A domain controller is removed from the network. However, the CloudBridge appliance is not able to
leave the domain.
Workaround: From the Windows Domain page, change the DNS to the one through which you can
resolve the intended domain. Next, use the Rejoin Domain option to make the CloudBridge appliance
join that domain. Now try leaving from the domain.
Issue: MAPI connections are not optimized and the following error message appears:
Cause: This is a known issue with CloudBridge 6.2.3 and earlier releases.
Issue: The appliance optimized the MAPI connections. However, the monitoring pages display the number
of send and received bytes as zero.
Resolution: This is a benign issue and does not affect the functionality of the appliance. You can
ignore it.
Cause: Secure peering with the partner appliance is not properly configured.
Issue: When connecting to an Exchange cluster, Outlook users with optimized connections are occasionally
bypassed or prompted for logon credentials.
Cause: MAPI optimization requires that each node in the Exchange cluster be associated with the
exchangeMDB service principal name (SPN). Over time, as you need more capacity, you add
additional nodes to the cluster. However, sometimes, the configuration task might not be completed,
leaving some nodes in cluster without SPN settings. This issue is most prevalent in Exchange clusters
with Exchange Server 2003 or Exchange Server 2007.
Issue: When attempting to connect to Outlook, the Trying to connect message is displayed and then
the connection is terminated.
citrix.com 143
Cause: The client-side CloudBridge appliance has blacklist entries that do not exist on the server-side
appliance.
Resolution: Remove the blacklist entries from both appliances, or (recommended) upgrade the
software of the appliances to CloudBridge release 6.2.5 or later.
Issue: The appliance fails to join the domain even after passing the pre domain checks.
Issue: The LdapError error message appears when you add a delegate user to the CloudBridge
appliance.
Issue: The Time skew error message appears when you add a delegate user to the CloudBridge
appliance.
Resolution: Verify that the appliance is joined to the domain. If not, join the appliance to the domain.
This synchronizes the appliance time with the domain-server time and resolves the issue.
Issue: The Client is temporarily excluded for acceleration. Last Error (Kerberos
error.) error message appears when you add a delegate user to the CloudBridge appliance.
Cause: The delegate user is configured for the Use Kerberos only authentication.
Resolution: Verify that, on the domain controller, the delegate user's authentication setting is Use any
authentication protocol.
Issue: The Delegate user not ready error message appears when you add a delegate user to the
CloudBridge appliance.
Resolution: If the message appears only on the client-side appliance, ignore it. However, if the
message is displayed on the server-side appliance, run the delegate user precheck tool, available on
the Windows Domain page, and then configure the delegate user on the server-side appliance.
Issue: The Last Error (The Server is not delegated for Kerberos authentication.
Please add delegate user, check list for services and server allowed for
delegation.) UR:4 error message appears when you add a delegate user to the CloudBridge appliance.
Resolution: Verify that the delegate user is correctly configured on the domain controller and that you
have added appropriate services to the domain controller.
citrix.com 144
Resolution: Run the domain precheck tool, available on the Windows Domain page, and resolve the
issues, if any. If the domain precheck tool does not report any issues, contact Citrix Technical Support
for further assistance in resolving the issue.
citrix.com 145
SSL Compression
CloudBridge SSL compression applies multisession compression to SSL connections (for example, HTTPS traffic),
providing compression ratios of up to 10,000:1.
Note: SSL compression requires a secure peering (signaling) connection between the two appliances at the ends of the
accelerated link.
Encryption is maintained from end to end by splitting the connection into three encrypted segments: client to client-side
appliance, client-side appliance to server-side appliance, and server-side appliance to server.
Figure 1. SSL Compression
Caution: SSL Compression decrypts the encrypted data stream and, unless the User Data Encryption option is used, the
compression histories of both acceleration units retain clear-text records of the decrypted data. Verify that your deployment
and settings are consistent with your organization's security policies. Citrix recommends that you enable encryption of the
compression history on each unit when you configure the secure peering signaling connection required for SSL acceleration.
Note: When you enable SSL compression, the appliance stops attempting compression with other appliances with which it
does not have a secure peer relationship (whether CloudBridge, CloudBridge, or CloudBridge Plug-in). This feature is thus
best-suited for networks where all appliances are configured for SSL compression.
Note: With SSL compression enabled, you must manually type in the Key Store password each time the appliance is
restarted.
citrix.com 146
How SSL Compression Works
SSL compression has access to the clear-text data of the connection, because the server-side appliance acts as a
security delegate of the endpoint servers. This behavior is possible because the server-side appliance is configured with
copies of the servers' security credentials (private keys and certificates), allowing it to act on the servers' behalf. To the
client, this behavior is equivalent to communicating directly with the endpoint server.
Because the appliance is working as a security delegate of the server, most configuration is on the server-side
appliance. The client-side appliance (or plug-in) acts as a satellite of the server-side appliance and does not require per-
server configuration.
The server-side and client-side appliances share session status through an SSL signaling connection. All accelerated
connections between the two appliances are sent over SSL data connections, whether the original connections were
encrypted or not.
Note: SSL compression does not necessarily encrypt all link traffic. Traffic that was originally encrypted remains encrypted,
but unencrypted traffic is not always encrypted. The appliances do not attempt to encrypt unaccelerated traffic. Because there
is no absolute guarantee that any given connection will be accelerated (various events prevent acceleration), there is no
guarantee that the appliances will encrypt a given unencrypted connection.
SSL compression operates in one of two modes: transparent proxy or split proxy. These two modes support slightly
different SSL features. You select the mode that provides the features a given application requires.
Which SSL proxy mode to useUse SSL transparent proxy mode only if you require true client authentication (that
is, authentication that correctly identifies the individual endpoint client) and you do not require Diffie-Hellman, Temp
RSA, TLS session tickets, SSL version 2, or session renegotiation. Use SSL split proxy for all other deployments.
True client authentication is supported in this mode, but Temp RSA and Diffie-Hellman are not. SSL transparent proxy
mode is suited for applications that require client authentication, but only if none of the following features are required:
Diffie-Hellman, Temp RSA, TLS session tickets, SSL version 2. Also, session renegotiation must not be attempted, or
the connection terminates.
No configuration is required on the client-side appliance (other than configuring a secure peering relationship with the
server-side appliance), and no configuration is required on the client, which treats the connection exactly as if it were
communicating directly with the server.
Figure 1. SSL Transparent Proxy Mode
Split proxy mode also supports proxied client authentication if you install optional client credentials, which are presented
to the endpoint server application if it requests client authentication. These client credentials will be presented instead of
the actual endpoint client's credentials. (Use transparent proxy if the endpoint client credentials are required by the
application.)
Because true client authentication is not supported in this mode, the server cannot authenticate the actual endpoint
client. If the server-side appliance is not configured with client credentials, all attempts by the server-side application at
client authentication fail. If the server-side appliance is configured with client credentials, all requests for client
authentication will be answered with these credentials, regardless of the identity of the actual client.
citrix.com 147
No configuration is required on the client-side appliance (other than configuring a secure peering relationship with the
server-side appliance), and no configuration is required on the client, which treats the connection as if it were
communicating directly with the server. The server credentials on the server-side appliance are not installed on the
client-side appliance.
To support multiple servers, multiple private certificate-key pairs can be installed on the appliance, one per SSL profile.
Special SSL rules in the service class definitions match up servers to SSL profiles, and thus SSL profiles to credentials.
In SSL split proxy mode, the CA certificates and certificate-key pairs and CA certificates do not actually have to match
those of the servers, though they can. Due to the nature of a split proxy, the server-side appliance can be use
credentials that are acceptable to the client application (valid credentials issued by a trusted authority). Note that, in the
case of HTTPS connections, Web browsers issue a warning if the common name does not match the domain name in
the URL. In general, using copies of the server's credentials is the more trouble-free option.
Figure 2. SSL Split Proxy Mode
citrix.com 148
Configuring SSL Compression
For SSL compression to work, the CloudBridge appliance needs certificates from either the server or the client. To support
multiple servers, multiple private keys can be installed on the appliance, one per SSL profile. Special SSL rules in the service
class definitions match up servers to SSL profiles, and thus SSL profiles to private keys.
1. Acquire copies of your servers CA certificate and private certificate-key pair and install them on the server-
side appliance. These credentials are likely to be application-specific. That is, a server might have different
credentials for an Apache Web server than for an Exchange Server running RPC over HTTPS.
2. (Split-proxy mode only.) For split-proxy mode, configure, on the server-side appliance only, a split-proxy SSL
profile for your SSL server, as follows:
a. On the Configuration: Secure Acceleration: SSL Profile tab, click Add to add a new profile. The SSL
Profile screen appears.
b. On the SSL Profile screen, enter a name for your SSL profile (usually the name of the server).
c. Select the Profile Enabled check box.
d. If your SSL server uses more than one virtual host name, type the target virtual host name into the
Virtual Host Name field. This is the host name listed in the server credentials. Otherwise, you can leave
this field blank. (To support multiple virtual hosts, create a separate SSL profile for each host name.)
This option is effective only with TLS.
e. For Proxy Type, select Split.
f. Leave the Certificate Verification field at its default value (Signature/Expiration) unless your policies
dictate otherwise.
g. Perform server-side proxy configuration:
i. In the Verification Store field, select an existing server CA from the pull-down menu, or click the
+ icon to upload a server CA.
ii. If you want to require the servers credentials to match the credentials used in this profile,
select the Authentication required check box.
iii. Using the Protocol Version menu, select the protocols your server accepts.
iv. If necessary, edit the Cipher Specification string, using the OpenSSL syntax.
v. If you want to allow server-side SSL session renegotiation, select the type of renegotiation from
the Renegotiation type drop-down list.
Caution: This option is disabled by default, to prevent renegotiation exploits.
h. Perform client-side proxy configuration:
i. Certificate/Private Key field. Leave at its default value.
ii. Leave the Build Certificate Chain check box selected (the default). This option causes the SSL
certificate chain to be built by the server-side appliance.
iii. If desired, select or upload a CA store to use as the Certificate Chain Store.
iv. Select the Protocol Versions you want to support on the client side.
v. If necessary, edit the client-side Cipher Specification.
vi. If you want to allow client-side SSL session renegotiation, select the type of renegotiation from
the Renegotiation type drop-down list.
citrix.com 149
3. (Transparent proxy mode only.) For transparent proxy only, on the server-side appliance only, go to the
Configuration: Secure Acceleration: SSL Profile tab and click Add.
a. On the SSL Profile screen, enter a name for your SSL profile (usually the name of the server).
b. Select the Profile Enabled check box.
c. If your SSL server uses more than one virtual host name, in the Virtual Host Name field, type the virtual
host name that matches the server credentials that you provided earlier. Otherwise, you can leave the
field blank. This option is effective only for TLS. To support multiple virtual host names, create multiple
SSL Profiles.
d. For Proxy Type, select Transparent.
e. In the SSL Servers Private Key field, select your servers private key from the pull-down menu,
or click the + icon to upload a new private key.
f. Click Add.
citrix.com 150
4. Add or modify a service class. You must attach the SSL profile to a service class on the server-side appliance.
This can be done either with a new service class based on the server IP, or an existing service class based on
the application.
5. (Creating a new IP-based service class.) On the server-side appliance, create a new service class with
appropriate SSL rules:
a. On the Configuration: Optimization Rules: Service Classes page, click Add.
b. In the Name field, enter a name for the new service class (for example, Accelerated HTTPS).
c. Enable compression by setting the Acceleration Policy to Disk or Memory.
d. Create a service-class rule.
e. In the Filter Rules section, click Add. In the Dst IP field, type the servers IP address (for example,
172.16.0.1 or, equivalently, 172.16.0.1/32.
f. In the Direction field, set the rule to Unidirectional. (SSL profiles are disabled if Bidirectional is
specified.)
g. In the SSL Profiles section, select at least one available SSL profile and move it to the Configured
section.
h. Click Create to save the rule.
6. (Modifying an existing service class.) On the server-side appliance, edit an existing service class to allow SSL
acceleration.
a. On the Configuration: Optimization Rules: Service Classes page, select an appropriate service
class, such as Web (Private-Secure) for HTTPS traffic on private subnets, and click Edit.
b. Enable compression by setting the Acceleration Policy to Disk or Memory.
c. Select the service-class rule and click Edit.
d. In the Direction field, set the rule to Unidirectional. (SSL profiles are disabled if Bidirectional is
specified.)
e. In the SSL Profiles section, select at least one available SSL profile and move it to the Configured
section.
f. Click Save to save the rule.
7. Set service classes on the client-side appliance. SSL traffic is not compressed unless it falls into a service
class, on the client-side appliance, that enables acceleration and compression. This can be an ordinary service-
class rule, not an SSL rule (only the server-side appliance needs SSL rules), but it must enable acceleration
and compression. The traffic falls into an existing service class, such as HTTPS or Other TCP
Traffic. If this classs policy enables acceleration and compression, no additional configuration is
needed.
8. Verify operation of the rule. Send traffic that should receive SSL acceleration through the appliances. On the
server-side appliance, on the Monitoring: Optimization: Connections: Accelerated Connections tab, the Service
Class column should match the service class you set up for secure acceleration, and the SSL Proxy column
should list True for appropriate connections.
citrix.com 151
Using SSL Compression with the CloudBridge Plug-in
The CloudBridge Plug-in is always used as the client-side unit and thus requires no additional SSL configuration other
than installing credentials for the SSL signaling (secure peering) connection. The main difference between SSL
compression on the plug-in and the appliance is that the plug-in is unable to encrypt the user data in the disk based
compression history.
Caution: Because disk based compression history on the Plug-in is not encrypted, it retains a clear-text record of potentially
sensitive and ephemeral encrypted communications. This lack of encryption is potentially dangerous on computers for which
physical access is not controlled. Therefore, Citrix recommends the following best practices:
Do not use Certificate Validation: None on your appliances. (Note that, in this case, the appliance refuses
to allow compression with plug-ins that do not have appropriate certificates.)
Install certificates only on systems that can be verified to meet your organizations requirements for
physical or data security (for example, laptops that use full-disk encryption).
The CloudBridge Plug-in supports both SSL split proxy and SSL transparent proxy. The plug-in ships without certificate-
key pairs for the SSL signaling connection. If desired, the same credentials can be used by all plug-ins, or each plug-in
can have its own credentials.
The plug-in does not attempt SSL compression unless credentials have been installed.
citrix.com 152
RPC over HTTP
Microsoft Exchange Server is one of the common email servers used across organizations. As a result of recent
enhancements in Microsoft Exchange Server, you can securely connect to it over the Internet. Depending on the
available bandwidth, you might experience latency in the email delivered to the Outlook client. In addition to the MAPI
protocol, the CloudBridge appliance supports Remote Procedure Call over HTTPS (RPC over HTTPS) to optimize
Microsoft Exchange traffic. This feature is also known as Outlook Anywhere.
RPC over HTTPS is not a new protocol, but starting with Microsoft Exchange 2013, it replaces MAPI as the default
protocol. The main advantage of RPC over HTTPS is that it enables clients to securely connect to the mail server over
the Internet.
When you use RPC over HTTPS, the Microsoft Exchange server must use a digital certificate and private key to
authenticate itself to the Outlook client. The communication between the client and server uses HTTPS as a transport
protocol.
On the CloudBridge appliance, RPC over HTTPS is supported for the following the Microsoft Outlook and Exchange Server
versions:
Microsoft Outlook
Microsoft Outlook version 2007
Microsoft Outlook version 2010
Microsoft Outlook version 2013
Microsoft Exchange Server
Microsoft Exchange Server version 2007
Microsoft Exchange Server version 2010
Microsoft Exchange Server version 2013
Of these, all versions except Microsoft Exchanges Server 2013 support MAPI (over TCP) as well as RPC over HTTPS.
However, Microsoft Exchange Server 2013 forces connections to use RPC over HTTPS, regardless of the Microsoft
Outlook version you use, to connect to the Exchange server.
citrix.com 153
Configuring RPC over HTTPS
By default, the RPC over HTTPS feature is enabled on the appliance. However, to configure the appliance to accelerate RPC
over HTTPS, you must perform the following additional tasks:
citrix.com 154
Configure Encrypted MAPI
Note: Skip this section if you have already configured encrypted MAPI acceleration on the appliance.
Microsoft Outlook uses Messaging Application Programming Interface (MAPI) connections between Outlook clients and
the Microsoft Exchange server. MAPI connections use RPCs, which are encapsulated by an HTTP connection.
Therefore, before you configure RPC over HTTPS on a CloudBridge appliance, you must configure encrypted MAPI on
the appliance.
Prerequisites
Before you configure encrypted MAPI, make sure that the following prerequisites are met:
The Secure Peer option should be set to True on the client as well as the server-side appliance. To
configure a secure partner, see Secure Peering.
The DNS IP address configured on the server-side appliance must be reachable.
The datacenter-side appliance must successfully join the domain. To join the appliance to a domain,
see Joining the Windows Domain and Adding the Kerberos Delegate User.
A delegate user must be added to the datacenter-side appliance, and its status should be marked as
Success. To configure a delegate user, see Joining the Windows Domain and Adding the
Kerberos Delegate User.
citrix.com 155
Configuring an SSL Profile with a Server Certificate
The HTTPS connection that encapsulates the MAPI connection is secured by SSL. As a result, RPC over HTTPS
requires connectivity through TCP port 443. This port is assigned to HTTPS, which web-server administrators usually
keep open in the firewall application. Using SSL-protected communication helps RPC over HTTPS to maintain the
security of all communications.
To enable RPC over HTTPS acceleration, you must install a server certificate on the appliance. Using this server
certificate, you can configure an SSL profile that RPC over HTTPS uses for secure communication. To configure an
SSL profile with an Exchange server certificate, see Installing Server and Client Certificates.
Note: You must configure an SSL profile only on the datacenter-side appliance.
citrix.com 156
Creating an RPC over HTTPS Service Class and Binding the SSL Profile to It
To optimize the RPC over HTTP connections, you must create a service class that lists HTTPS and all MAPI
applications. You must provide the IP address of the Microsoft Exchange server as a destination IP address for this
service class, and then bind the SSL profile you created to this service class. Binding the profile to the service class
makes sure that the communication between the Outlook client and Microsoft Exchange server is secured by using this
profile.
To create an RPC over HTTPS service class and bind the SSL profile to it
Note: You must configure and bind an SSL profile to the service class only on the datacenter-side appliance.
citrix.com 157
Verifying Accelerated RPC over HTTPS Connections
After you have configured RPC over HTTPS on the appliance , you can verify that the appliance is accelerating the RPC
over HTTPS connection on the Monitoring page for MAPI. The accelerated RPC over HTTPS connections are listed on
the Accelerated MAPI Sessions tab.
Note: You must configure RPC over HTTPS on your client-side appliances as well as your server-side CloudBridge
appliances to accelerate the RPC over HTTPS connections.
To verify that RPC over HTTPS Connections are being accelerated
Note: The Application has possible values of: HTTPS eMAPI, HTTP eMAPI, HTTPS MAPI, and HTTP MAPI.
citrix.com 158
Troubleshooting
Issue: After upgrading the software of the appliance to CloudBridge release 7.3, the monitoring reports do not have a
special category for RPC over HTTPS connections.
Cause: When you upgrade the appliance to CloudBridge release 7.3, the RPC over HTTPS applications do not belong
to their own service class. As a result, all RPC over HTTPS connections are listed as TCP Other connections in the
reports.
Resolution: To categorize these connections as RPC over HTTPS connections, create a service class for them
applications.
Issue: After creating a service class for RPC over HTTPS, all HTTP and HTTPS traffic is categorized as RPC over
HTTP.
Cause: You have not added the destination IP address to the service class you have created for RPC over HTTPS
applications.
Resolution: Modify the service class you have created for RPC over HTTPS applications, by adding the destination IP
addresses of your servers.
citrix.com 159
How HTML5 Works
HTML5 uses HTTP, which is a request/response protocol for communication between clients and servers. A client
initiates a TCP connection and uses it to send HTTP requests to the server. The server responds to these requests by
granting access rights for the available resources. After the client and server establish a connection, the messages
exchanged between them contain only WebSocket headers, not HTTP headers.
The infrastructure of HTML5 consists of WebSockets, which further use the existing HTTP infrastructure to provide a
lightweight mechanism for communication between a client and a web server. You typically implement the WebSocket
protocol in a browser and web servers. However, you can use this protocol with any client or server application.
When a client attempts to make a connection using WebSockes, web servers treat the WebSocket handshake as an
upgrade request, and the server switches to the WebSocket protocol. The WebSocket protocol enables frequent
interaction between the browser and the web servers. Therefore, you can use this protocol for live updates, such as
stock indexes and score cards, and even live games. This is possible because of a standardized way for the server to
send unsolicited responses to the client while maintaining an open connection for two-way ongoing communication
between the client browser and the server.
Note:
You can also achieve this effect, in non-standardized ways, by using various other technologies, such as Comet. For
more information about Comet, see http://en.wikipedia.org/wiki/Comet_(programming).
The WebSocket protocol communicates over TCP ports 80 and 443. This facilitates communication in environments that
use firewalls to block non-web Internet connections. Additionally, WebSocket has its own fragmentation mechanism. A
WebSocket message can be sent as multiple WebSocket frames.
Note: You cannot use WebSocket if the web applications on the servers do not support it.
To open a WebSocket connection, the browser sends an HTTP upgrade message to the server for switching to the
WebSocket protocol. The server either accepts or rejects this request. Following are snippets of a sample client request
and server response:
GET /HTTP/1.1
Upgrade: websocket
Sec-websocket-protocol: <List of protocols that the client supports over this websocket sessio
Sec-websocket-extensions: <List of extensions client wants applied to this session, such as co
Sec-Websocket-version: <Version of websocket protocol that the client intends to use.>
The following figure shows the sequence of messages exchanged between a client and a server:
Figure 1. Sequence of messages exchanged between a client and a server
citrix.com 160
During an HTML5 connection, the following messages are exchanged between the client and the server:
citrix.com 161
Video Caching
Many organizations use video for communications that are not time sensitive, (for example, training sessions and
prerecorded messages to employees). Communicating messages through videos is not only cost effective but also
convenient when the audience is spread across time zones. However, videos consume a lot of bandwidth when played
over the Internet. Insufficient bandwidth causes latency, which affects the user experience and degrades the impact of
video communication.
The CloudBridge video caching improves the viewing experience for HTTP video streams, especially on slower links.
The video cache is maintained on the local CloudBridge appliance. When a local user views a video that has already
been cached, the appliance can deliver the cached copy at full LAN speed.
After you configure the appliance to cache videos, it caches the videos viewed by your users. You can also use the pre-
population option to fetch selected videos from the local video server in anticipation of later use.
The video caching feature uses an intercepting proxy cache to examine all HTTP requests. Requests that meet the
requirements listed below are cached. Videos are not served from the cache unless they are evaluated as fresh by the
cache engine. Otherwise, they are fetched again for the viewer, and the previously cached version is overwritten.
Note: Unlike normal CloudBridge TCP operation, where the appliance preserves the original source and destination
addresses, the appliance replaces the client's source address with the IP address assigned to the accelerated bridge.
Therefore, all HTTP traffic passing through the appliance appears to originate from the appliance itself.
A video is cached when all of the following criteria are met:
The protocol used to stream the video is HTTP. By default, port 80 is configured for video caching. However,
if you have configured another port, such as 8080 for a web server, you must specify this port for caching
videos.
You have added video sources from which you want to cache videos. By default, YouTube, Vimeo, Youku,
Dailymotion, and Metacafe video sources are added to the appliance, but only YouTube and Vimeo are
enabled. If you want to cache videos from any of the other default sources, you must enable them. When
adding new video sources, you can enable them as you add them.
Besides YouTube, Vimeo, Metacafe, Dailymotion, and Youku, you can specify additional websites, IP
addresses, or subnets as video sources. Note that these websites should not have any avoidance
mechanisms, such as adding random characters to a URL.
The video must be in one of the recognized video formats and have the one of the following file extensions: .
3gp, .avi, .dat, .divx, .dvx, .dv-avi, .flv, .fmv, .h264, .hdmov, .m15, .m1v, .m21, .m2a, .m2v, .m4e .m4v, .m75,
.moov, .mov, .movie, .mp21, mp2v, .mp4, .mp4v, .mpe, .mpeg, mpeg4, mpg, mpg2, .mpv, .mts, .ogg, .ogv, .
qt, .qtm, .ra, .rm, .ram, .rmd, .rms, rmvb, .rp, rv, .swf, .ts, .vfw, .vob, .webm, .wm, .wma, .wmv, and .wtv.
Platforms supported
The video caching feature is supported by the following appliances:
CloudBridge 600 appliance with 1 Mbps and 2 Mbps bandwidth license models.
CloudBridge 800 appliance with all bandwidth license models.
CloudBridge 1000 appliance with Windows Server, with all bandwidth license models.
CloudBridge 2000 appliance with all the bandwidth license models.
CloudBridge 2000 appliance with Windows Server, with all bandwidth license models.
CloudBridge 3000 appliance with all the bandwidth license models.
citrix.com 162
If any of the supported websites change the way they present content, the video caching benefit for those
sites might not be achieved until the video caching policy file is updated. For such occasional changes, Citrix
provides an updated video caching policy file. To use it, see Upgrading the Video Caching Policy File.
Some video websites might use different file formats for the same video, depending on the operating system
or the browser used to access the video. This might result in a cache miss.
Some video websites, such as YouTube, adapt to the network conditions. The quality of a video can
therefore depend on the network conditions at the time it is cached.
citrix.com 163
Use Cases
You can deploy video caching on CloudBridge appliance under the following scenarios:
In this use case, users access the Internet through the web browsers on their computers. Those requests that involve
video content from an enabled site, such as Vimeo, are cached on the local CloudBridge appliance. Any subsequent
access of the same video results in cache hits on the local appliance, allowing the video to be delivered at LAN speed
and without waiting for the remote server.
Unlike other CloudBridge features, which accelerate traffic between paired devices, this feature is a single-ended
operation that requires only the local appliance, with access to the video website.
Branch Office with XenApp and XenDesktop Users using HDX MediaStream
Flash Redirection
HDX flash redirection is a feature of XenApp and XenDesktop. Instead of rendering the video on the remote
XenDesktop display by using the server-side or datacenter Internet, flash videos are tunneled to the local system
through this feature. The video is streamed to the actual client machine and is rendered on the actual client, using the
branch office Internet. Enabling the video caching feature on the branch-side CloudBridge appliance can give users a
significantly improved viewing experience. Additionally, enabling the feature reduces the bandwidth requirement for
streaming videos.
citrix.com 164
In this use case, users access the video web servers from the datacenter. When you enable the video caching feature
on the branch-side CloudBridge appliance, the user request is served from cache of the branch-side CloudBridge
appliance. This helps reduce network traffic to the datacenter CloudBridge appliance. As a result, the bandwidth of the
datacenter CloudBridge appliance can be used to serve traffic for other branches.
citrix.com 165
Configuring the Video Caching Feature
You can configure the video caching feature through either the CloudBridge graphical user interface or command line
interface. By default, the appliance is configured to cache videos from YouTube and Vimeo. Youku, Metacafe, and
Dailymotion are also configured on the appliance by default. All you have to do is enable them. You can add video websites,
such as an internal website serving video tutorials or other information .
Note: Video caching an optional feature that is not enabled by default. You need not enable it unless you have a substantial
amount of HTTP video traffic .
citrix.com 166
Prerequisites
To configure video caching on the appliance, make sure that the following prerequisites are met:
You have configured appropriate IP address for accelerated bridge port you are planning to use for video
caching.
You can ping the apA/apB gateway from the appliance.
DNS Server details are accurate.
Appliance can resolve the DNS name www.Citrix.com.
The CloudBridge apX IP address has an HTTP access in your corporate network.
If the appliance is deployed between the trunk ports of two network devices, you must specify the VLAN ID
with the IP address to be used by the appliance to send HTTP requests on the Network Configuration page.
citrix.com 167
Enabling the Video Caching Feature
Before you can start using the video caching feature, you must enable it.
1. Navigate to the Configuration > Appliance Settings > Network Adapters > Management Settings section and
verify that the Primary DNS Server details are accurate and the appliance is able to resolve the DNS name
www.Citrix.com.
2. Navigate to the Configuration > Appliance Settings > Network Adapters > Network Adapters section.
3. Select an accelerated pair (for example apA).
4. Click Edit and verify that the IP addresses, network mask, and default gateway IP addresses specified for the
accelerated pair are accurate.
citrix.com 168
Note: When you click OK, the service is restarted and a new caching partition is created. If you are enabling
the feature for the first time on the appliance, a new partition is created by reducing the disk space allocated to
other disk based compression. The disk based compression history is reset, and existing connections are
terminated.
8. Alternatively, you can navigate to the Configuration > Optimization Rules > Video Caching page and click
Enable. The service restarts as soon as you enable the feature.
citrix.com 169
Adding Video Websites
The appliance is configured to cache videos from YouTube and Vimeo, and is partially configured to cache videos from
Youku, Metacafe, and Dailymotion. To cache videos from any of the latter three sites, you must enable the site. A video
from an enabled website is cached as soon as a user accesses it. You can configure additional video websites that do
not require URL rewrite by adding their host names or IP addresses to the Video Source list on the appliance. You can
also include custom sites that do not have any cache avoidance mechanisms.
You must enable these video sources before the appliance can cache videos from them.
Note: The video caching feature uses video sources for the configuration workflow. If you configure any of the video sources
with a host name or a website/hostname, the appliance proxies all HTTP traffic that flows through the appliance. However, if
you configure all video sources with IP addresses only, the appliance proxies and caches only these IP addresses.
Regardless of whether you use host names or IP addresses, if your organization does not permit access to the YouTube,
Vimeo, Dailymotion, Metacafe, and Youku websites, make sure that you disable these video sources.
9. Click Add.
citrix.com 170
Managing the Video Caching Sources
You can manage your video sources either globally, by configuring global settings, or individually, by changing status of
a video source.
citrix.com 171
Configuring Global Settings
Global settings enable you to configure the feature at the appliance level. Irrespective of the video sources you have added,
these settings are applicable to the entire video caching feature on the appliance. You can:
citrix.com 172
Configuring the X-Forwarded-For Header Option
To provide video caching, the CloudBridge appliance proxies client HTTP connections to video servers. If you need to
account for Client IP addresses, enable the X-Forwarded For Header option, which makes the client IP addresses
available to an accounting server. When you enable this option, the appliance adds the client IP address to the X-
Forwarded-For header of all HTTP requests that the appliance proxies.
citrix.com 173
Configuring the Maximum Size of the Cached Objects
You can configure a maximum size for cached objects. An object larger than this limit is not cached. By default, the
maximum caching object size is 100 MB.
1. Navigate to the Configuration > Optimization Rules > Video Caching page.
2. From the Max Caching Object Size list, select a value from the available limits.
3. Click OK.
citrix.com 174
Configuring a Default Domain Name Suffix
For the URLs that do not contain complete domain names and require domain name suffixes to be added to the
hostname of the video server, appending a default domain name is necessary for eliciting a response from the server.
For example, when you access the http://training/CloudBridge_VideoCaching.mp4 video, the appliance might be
expected to translate the URL to http://training.example.com/CloudBridge_VideoCaching.mp4. In this case, you must
specify example.com as the domain name suffix.
Note: You can configure only one domain name suffix on the appliance.
citrix.com 175
Configuring Caching Ports
The video caching feature requires a port number for the HTTP video server. The default is port 80. If your HTTP video
server uses a port other than this well-known HTTP port, you must add the port number to the list of caching ports.
1. Navigate to the Configuration > Optimization Rules > Video Caching page.
2. On the Global Settings tab, click the Set Global Parameters link.
3. In the Caching Ports field, type the HTTP video servers port to add it to the list of caching ports.
Optionally, add multiple port numbers separated by commas.
4. Click OK.
citrix.com 176
Updating the Video Caching Policy File
When supported websites change the way that they deliver videos, video caching benefits for that site are lost. Citrix
provides an updated video-caching policy file, which you can upload to your CloudBridge appliance.
To update the Video Caching Policy file, navigate to the CloudBridge > Configuration > System Maintenance > Update
Caching Policy page and upload the file that you received from Citrix.
citrix.com 177
Clearing the Video Cache
After you enable the video caching feature, the appliance starts caching videos from the configured video sources. The
status of disk usage is depicted in the Cache Disk Usage graph on the Global Settings tab of the Video Caching page,
as shown in the following screen shot.
Note: The appliance uses 10% of the allocated disk space for management purposes. When the disk usage reaches 90% of
the allocated disk space, that is an indication of the disk being full. To cache more video objects, the appliance removes the
least used objects from the video cache. You need not clear the cache unless the cache serves stale video objects.
citrix.com 178
Managing Individual Video Sources
You can make the following changes to an individual video source:
citrix.com 179
Changing the Status of Video Source
You can change the status of a video source if you decide to add it to the list of video sources but not enable it until
later, or to temporarily disable the video server instead of deleting it, or to exclude certain videos from caching.
Alternatively, you can delete the video source from the list.
The following actions are available for changing the status of a video source:
Note: You can also exclude a video source when adding it to the appliance.
citrix.com 180
Deleting a Video Source
If you no longer need a video source, you can delete it from the list. To delete a video source, select it from the Video
Sources tab and click Delete.
citrix.com 181
Fetching Videos in Advance
A CloudBridge appliance can download and cache videos from your internal video server before anyone views them.
This feature is useful when you want to make sure that all users get the same benefits (for example when playing a self-
training video scheduled at a specific time). You can schedule static URLs from which you want to fetch videos.
The fetched videos are stored in the video cache. As soon as a user sends a request for the URL, the video is served
from the cache, even for the first access of the video.
citrix.com 182
Adding a URL for Caching Videos in Advance
To download and cache a video in advance, you must specify the absolute path for the URL of a specific video or a
video folder on which directory indexing is enabled.
Note: If you just add an entry to the video prepopulation tasks, the related video is downloaded and cached. However, when a
client accesses the video, it is served from the video server and does not get caching benefits. To make sure that the client
gets caching benefits, you must add the video server or IP address used in the prepopulation task to the video sources list.
By default, the URL is enabled and scheduled to cache videos immediately, and each video from this URL is
cached only once.
Configured Fetching video for caching before the first view is configured for the URL and
a new task is added.
Connection timeout Connection to the server has timed out and there is no response from the
error server.
The video to be downloaded and cached has been permanently moved to another
Error 301 - Moved location.
Permanently
Error 403 - Forbidden Access to the video to be downloaded and cached is denied.
Error 404 - Not Found The video to be downloaded and cached is not available at the link provided.
Error 504: Server The URL you have specified is not reachable.
unreachable
Successfully Download successful for the URL, and <x> number of media files are
downloaded <x> file(s) downloaded to the cache.
citrix.com 183
Failed to download <x> Download failed for some of the media files from the URL.
out of <y> files
Failed to download x Failed to download any media file from the URL.
files(s)
Starting The appliance has started downloading media files from the URL.
Deleting this entry The entry is being deleted from the list of URLs.
Failed to get Directory Failed to get listing from the remote directory you specified.
listing
Entry removed by clear The entry has been purged by the clear cache operation.
cache operation
Schedule time elapsed The scheduled time at which to download the remote object is past.
In-cache <x>/<y> files On refreshing the status of an entry, the appliance has found that <x>
number of files out of <y> number of files exist in the cache
Interface ap<X> The bridge interface ap<X> is not enabled for Video Caching.
disabled for Video
Caching
citrix.com 184
Managing Video Caching Prepopulation
You can manage video caching prepopulation to control how you want to download and cache videos from the URLs. You
can perform the following tasks to manage video caching prepopulation:
Start downloading videos before or after the scheduled date and time.
Update the URL of an entry.
Disable caching of videos from a URL entry.
Schedule caching of videos from a URL entry.
Update an interface for a URL entry.
Refresh the status of a URL entry.
Delete a URL entry.
The following flowchart shows the flow control of the processes followed when managing various activities of the video
prepopulation feature.
citrix.com 185
Start Downloading Videos
If technical issues with a website or the URL that you have added interfere with scheduled downloading and caching,
you can start downloading and caching videos when required at any time.
To download and cache a video immediately, select the entry for the video you want to cache, and then click Start Now.
Updating the status of the video takes approximately one minute.
After you click Start Now, the Status column displays the status of the video downloads from the URL.
citrix.com 186
Updating the URL of a Prepopulation Entry
After you have added a URL from which to download and cache video in advance, you can fine tune the URL for
optimum results, such as reconfiguring the URL when the location of videos changes or the name of the media file is
changed in the source.
To update a URL
1. Navigate to the Configuration > Optimization Rules > Video Caching page.
2. On the Prepopulation tab, select the entry that you want to update.
3. Click Modify.
4. In the URL field, specify the new URL.
5. Click OK.
citrix.com 187
Disabling Caching of Videos from a URL in a Prepopulation Entry
If you want to periodically prepopulate the cache with videos from a given URL, you need not delete the entry. You can
disable it, and then enable it when needed.
To disable an entry
1. Navigate to the CloudBridge > Configuration > Optimization Rules > Video Caching page.
2. Click the Prepopulation tab.
3. Select the entry that you want to update.
4. Click Modify.
5. From Status, select the Disable option.
6. Click OK.
citrix.com 188
Schedule Caching of Videos from a URL in a Prepopulation Entry
You can schedule the date and time at which you want to start downloading and caching videos from the URL to the
appliance. For example, you might want to fetch videos just before you expect users to start accessing them. That not
only saves disk space, but also puts the latest versions of the videos in the cache.
citrix.com 189
Updating an Interface in a URL Entry
If you have configured multiple links on the network, you might want to use a particular link to download videos,
because of better network connectivity. To configure multiple links, you use the available bridge ports, such as apA and
apB bridged ports. You can use these ports to download videos for a URL entry.
citrix.com 190
Refreshing the Status of a URL Entry
Over time, the status of the cached videos might change. Checking the status of the entry periodically makes sure that
users do not get unexpected results when accessing videos.
1. Navigate to the Configuration > Optimization Rules > Video Caching page.
2. On the Prepopulation tab, select the entry for which you want to refresh the status of cached videos.
3. Click Status Check.
citrix.com 191
Deleting a URL Entry
If you do not need a URL entry, you can delete if from the list. To delete a URL entry, select the entry and click Delete.
Note: When you delete a video prepopulation task from the list, it also removes the related video objects from the cache.
citrix.com 192
Verifying Video Caching
Graphs and data on the Monitoring page, Dashboard page, and Usage page help you evaluate the benefits provided by
your video caching configuration. The data-reduction ratio resulting from video caching (similar to the overall
compression ratio) is displayed on the Dashboard, on the video caching monitoring page, and on the Usage graph
page. Also, hovering over the Data Reduction ratio on the Dashboard page displays the caching benefit percentage
along with compression benefit percentage on the supported platforms.
The purpose of caching is not just to save bandwidth, but also to increase performance, decrease load on the video
servers, and lessen the impact of network congestion.
The estimated WAN bandwidth savings resulting from video caching are displayed as follows:
On the Dashboard page, you can view the caching benefit, as a percentage, by hovering the cursor over the
Data Reduction field on the Dashboard. You can also view the bytes served from the cache (Cached Data)
under Aggregated Link Throughput.
Figure 1. Viewing Caching Benefit on the Dashboard.
On the Monitoring > Optimization > Video Caching page, you can view the number of objects cached, and
the Cache Hit Ratio (as a percentage). The bar and the time graphs display the number of requests and
bytes served from cache over 1 minute, 1 hour, 1 day, 1 week, and 1 month. This data is also displayed in a
tabular format below the graph.
Figure 2. Viewing Caching Benefit on the Monitoring page
On the Monitoring > Optimization > Usage Graph page, you can view the cached data in the LAN Monitoring
graph.
Figure 3. Viewing Caching Benefit on the Usage Graph Page
citrix.com 193
Upgrade and Downgrade Considerations
Upgrading to or downgrading from CloudBridge release 7.0 and later can affect the resources allocated to other disk
based compression (DBC).
By default, the video caching feature is disabled in CloudBridge release 7.0 or later. As a result, an upgrade to release
7.0 or later does not create a partition for video caching. When you enable the video caching feature, you are prompted
with a warning message stating "Service will be restarted and disk based compression history will be cleared. Do you
want to continue?" If you click OK, acceleration is restarted and a new caching partition is created, reducing the disk
space allocated to other Disk Based Compression and invalidating Disk Based Compression history.
However, if you upgrade from release 7.0 or later, the partition is retained if it has already been created.
The Video Caching feature in release 7.x, except release 7.3, uses application classifiers. However, release 7.3 uses
video sources for the configuration workflow, which has a single page to enable, disable, and exclude videos. Therefore,
before you upgrade the appliance from release 7.x to 7.3, make sure that you move application classifiers available in
the Configuration > Video Caching page from the Supported list to the Selected list. This avoids the possibility of any
HTTP traffic getting blocked.
Additionally, if you had configured the appliance to cache and proxy a specific subnet or list of IP addresses by deleting
the All rule on the Advanced page, you must disable the unused application classifier before you upgrade the
appliance to release 7.3
citrix.com 194
Troubleshooting
Issue: After adding an entry to the list of prepopulation tasks, the entry is still in the Configured state.
Cause: A prepopulation task takes approximately one minute move to the Downloading state.
Resolution: Check the status of the entry after a minute or refresh the page to verify that the status changes to
Downloading.
Issue: After adding an entry to the list of prepopulation tasks, the status of the entry displays ERROR 403. However, the
website works fine in a Web browser.
Cause: The IP address of the CloudBridge apA does not have access to the video server.
Resolution: To resolve this issue, verify and update the following:
Cause: The video server does not support the HEAD method.
Resolution: The video server must permit CloudBridge IP address for this method.
Cause: Directory listing for folders is not enabled on the video server.
Resolution: The video server must enable directory listing for the folders.
Issue: After creating entries for prepopulation tasks, you cannot modify or delete entries.
Cause: You might have clicked Start Now for the entry.
Resolution: This is by design. You cannot modify or delete an entry after you have clicked Start Now for the entry and
the entry is in the queued, starting, or downloading state. You can delete the entry only after the download is complete.
Issue: After creating entries for propopulation tasks, video is not getting downloaded and cached. The status of the
entry displays Failed to Download.
Cause: The prepopulation entry does not have absolute URL for the video.
Resolution: To resolve this issue, complete the following procedure:
1. Verify that the prepopulation entry has the actual URL of the video, such as http://10.102.29.16/CloudBridge_demo.
mp4, and not an HTML file. The CloudBridge appliance cannot search the content of the HTML file to find the video
link.
2. Verify that the HTTP protocol is used to serve the video. You can verify this by using the View Source option of the
web browser.
3. You can get the absolute URL of the video by using the Developer Tools option of the web browser.
citrix.com 195
Monitoring with AppFlow
CloudBridge AppFlow support enables flexible, customized monitoring of your CloudBridge appliances.
The AppFlow interface works with any AppFlow collector. The collector receives detailed information from the appliance,
using the AppFlow open standard (http://www.appflow.org). You can use the AppFlow collector to create customized
analysis, monitoring, and reports. The AppFlow interface is easy to configure, requiring little more than the IP address of
the AppFlow collector.
This feature is available on CloudBridge datacenter appliances (CloudBridge 2000, 2000WS, 3000, 4000, and 5000).
citrix.com 196
Why Use AppFlow Monitoring?
A monitoring service that supports a wide range of devices can present a more complete view of your network. Because
the CloudBridge appliance has an extensive view of WAN traffic, including detailed statistics about XenApp/XenDesktop
traffic, it provides key insights into the WAN user experience.
XenApp/XenDesktop Example
In a XenApp and XenDesktop environment, if a branch user encounters low performance, the administrator might have to
monitor the network, the users, and applications hosted on XenApp or XenDesktop. The administrators might need to ask the
following questions:
The CloudBridge AppFlow support provides answers to all of the above questions, allowing, for example, a congested
WAN link to be distinguished from a slow server or a slow client.
Note: The AppFlow feature is available on CloudBridge 2000, 2000WS, 3000, 4000, and 5000 appliances.
citrix.com 197
How AppFlow works
AppFlow collects the flow and user-session level information from the CloudBridge appliances and transmits the
information to AppFlow collectors .
Using UDP as the transport protocol, AppFlow transmits the collected data, called flow records, to one or more AppFlow
collectors. The collectors aggregate the flow records and generate performance reports.
AppFlow uses actions and policies to send records for a selected flow to a specific set of collectors. An AppFlow action
specifies which set of collectors receive the AppFlow records.
AppFlow monitoring includes support for the IPFIX architecture, as defined in RFC5470. CloudBridge IPFIX support adds the
following features:
Templates for L4 (application) data records, WAN optimization data records, and HDX
(XenApp/XenDesktop) data records, facilitating expanded monitoring and analysis.
Compatibility with NetScaler IPFIX templates.
General IPFIX infrastructure, including collector and exporter processes and sampling/filtering options.
citrix.com 198
Understanding AppFlow Collectors
AppFlow collectors are devices that gather detailed information by using the AppFlow open standard (http://www.
appflow.org), and transform raw data into visual reports. You can use the AppFlow collector to create customized
analysis, monitoring, and reports. The CloudBridge AppFlow interface is easy to configure, requiring little more than the
IP address of the AppFlow collector.
AppFlow collectors can provide reports, such as:
You can use NetScaler Insight Center or Splunk as AppFlow collectors to monitor CloudBridge appliances.
citrix.com 199
About NetScaler Insight center
NetScaler Insight Center is a virtual appliance that analyses the traffic flowing through CloudBridge appliances and
generates performance reports. NetScaler Insight Center uses AppFlow to retrieve the traffic information.
NetScaler Insight Center has three components:
Web Insight delivers data analytics for web traffic flowing through NetScaler ADCs.
HDX Insight delivers data analytics for XenApp and XenDesktop traffic flowing through NetScaler appliance,
NetScaler Gateway appliances, or CloudBridge appliances..
WAN Insight delivers data analytics for accelerated and unaccelerated traffic flowing through CloudBridge
7.4.0 appliances.
For details about all the components, see Understanding NetScaler Insight Center.
HDX Insight provides Citrix XenApp and Citrix XenDesktop administrators with an easy way to monitor the users and
performance of the applications hosted on those products. HDX Insight captures data about the ICA traffic that flows
through the CloudBridge datacenter devices, generates AppFlow records by doing deep inspection of the data, and
presents the records as visual reports on the HDX Insight tab of the NetScaler Insight Center dashboard.
WAN Insight gives CloudBridge administrators an easy way to monitor the accelerated and unaccelarted WAN traffic
that flows through CloudBridge datacenter and CloudBridge branch appliances, and it provides end-to-end visibility that
includes client-specific data, application-specific data, and branch- specific data. With the ability to identify and monitor
all the applications, clients, and branches on the network, you can effectively deal with the issues that degrade
performance.
The following figure shows how a NetScaler Insight Center virtual appliance collects information from CloudBridge
appliances.
A CloudBridge appliance resides between the clients and the servers. When a NetScaler Insight Center virtual
appliance is configured to retrieve information about the traffic flowing through the CloudBridge devices, it uses
AppFlow to retrieve the information and display it as visual reports.
A NetScaler Insight Center virtual appliance retrieves the gathered information for each monitored application on the
CloudBridge appliance, analyzes the information, and presents it as visual reports.
To start using NetScaler Insight Center, you must install it on either XenServer, or VMware ESX, or Microsoft Hyper-V.
Then, you must add the CloudBridge devices to the NetScaler Insight Center inventory and enable data collection on
NetScaler Insight Center.
citrix.com 200
About Splunk
Splunk is another AppFlow monitoring tool that provides details about relevant storage logs, events and metrics.
citrix.com 201
Before you Begin
Before you start using NetScaler Insight Center or Splunk, you must understand the software requirements, operating
systems, and port information, and that your AppFlow collectors and CloudBridge appliances meet the prerequisites.
citrix.com 202
Supported Software
AppFlow is compatible with the following products.
Table 1. Software versions and builds
Product Version Supported
NetScaler Insight Center HDX Insight 10.5 and later
WAN Insight 11.0
Splunk 6.1.1-207789-x64
XenApp 6.5, build 6682 with HRP01
XenDesktop 5.6, build 56060
7.0 and higher versions
CloudBridge 2000, 3000, 4000 and 5000 7.3.0 and later
Table 2. Operating systems
Version Supported for HDX Insight
Product
HTML5 1.5
ChromeApp 1.5
NetScaler Insight Center also supports the following thin clients for monitoring CloudBridge deployments.
citrix.com 203
Dell Wyse WTOS Model TXO T00X Xenith2
Dell Wyse WTOS Model CX0 C10LE
Dell Wyse WTOS Model R00LX Rx0L HDX Thin Client
Dell Wyse Enhanced Suse Linux Enterprise, Model Dx0D, D50D
Dell Wyse ZX0 Z90D7 (WES7) Thin Client
However, there are some limitations while using these thin clients. For details, see FAQs.
citrix.com 204
Ports
For communication purposes, the following ports must be open between the CloudBridge and NetScaler Insight Center, or
CloudBridge and Splunk.
Component Type Port Details
NetScaler Insight Center/ TCP 80/443 For NITRO communication from NetScaler Insight Center to
Splunk CloudBridge appliance
TCP 22 For SSH communication from NetScaler Insight Center to
CloudBridge appliance
UDP 4739 For AppFlow communication from CloudBridge to NetScaler
Insight Center.
ICMP No reserved To detect the network reachability from NetScaler Insight
port Center to CloudBridge appliance.
citrix.com 205
Prerequisites
Before you start using NetScaler Insight Center or Splunk to monitor a CloudBridge appliance, make sure that:
NTP server is configured on both CloudBridge and NetScaler Insight Center or Splunk. To add an NTP
server on NetScaler Insight Center, see Configuring Clock Synchronization.
MSI is disabled on the CloudBridge appliance.
citrix.com 206
Monitoring CloudBridge Appliances with NetScaler insight Center
To use NetScaler Insight Center as your AppFlow collector, you must install one or more NetScaler Insight Center
virtual appliances on either on a XenServer or on VMware ESX.
You must then add the CloudBridge appliances to the NetScaler Insight Center inventory and enable data collection for
those appliances. NetScaler Insight Center then begins collecting data and generating reports.
To install NetScaler Insight Center on XenServer, see Installing NetScaler Insight Center on XenServer.
To install NetScaler Insight Center on VMware ESX, see Installing NetScaler Insight Center on VMware ESX.
After you install NetScaler Insight Center, you can access it through its graphical user interface (GUI).
For information about accessing and using NetScaler Insight Center, see http://support.citrix.com/proddocs/topic/ni-10-5-
map/ni-wrapper-intro-con.html.
citrix.com 207
Adding CloudBridge Appliances and Enabling Data Collection
To monitor a CloudBridge appliance, you must add it to the NetScaler Insight Center inventory and enable data
collection on the appliance.
Before adding CloudBridge appliances and enabling data collection, note the following considerations:
To monitor CloudBridge appliances, enable AppFlow on the NetScaler Insight Center. You do not need to
enable AppFlow on the CloudBridge appliance.
When you add a CloudBridge device on NetScaler Insight Center, provide the CloudBridge IP address, not
the Management service IP address or the NetScaler instance IP address.
The NTP server used by the CloudBridge appliance must be in sync with the NetScaler NTP server time.
This is typically done by using the same NTP server for both. To add an NTP server on NetScaler Insight
Center, see Configuring Clock Synchronization.
1. On the Configuration tab in the NetScaler Insight Center GUI, navigate to Inventory, and click Add. All devices
that are added to the NetScaler Insight Center are displayed on the Inventory page.
2. Choose the Device Type and enter the source IP address that the device uses for AppFlow records. Also enter
the user name and password required for access to the device.
3. Click Add. When the CloudBridge appliance is added, information about the appliance appears in the Inventory
list.
citrix.com 208
NetScaler Insight Center in a CloudBridge Setup
NetScaler Insight Center monitors both CloudBridge branch appliances and datacenter appliances. It also detects and
monitors which Citrix appliances a connection passes through (CloudBridge, NetScaler, NetScaler Gateway), and in
which order, for improved reporting.
citrix.com 209
Viewing Reports
After you add the CloudBridge appliances to the NetScaler insight Center inventory, you can view the HDX insight
reports on the dashboard tab of NetScaler Insight Center.
To view the reports on the NetScaler Insight Center Dashboard tab, click HDX Insight.
For more information about viewing reports, see Viewing the Reports.
For more information about the HDX Insight metric definitions, see HDX Insight Reports.
For more information about the HDX Insight metric definitions, see WAN Insight Reports.
citrix.com 210
Use Cases
The following scenarios describe how NetScaler Insight Center can help IT administrators troubleshoot issues.
Scenario 1
The delays might be due to latency in the server network, ICA traffic delays caused by the server network, or latency on
the client network.
To identify the root cause of the issue, analyze the following metrics:
In the Current Application Sessions table, click the hop diagram symbol to display information about the connection between
the client and the server, including latency values.
Figure 1. Figure 1
In this example, the DC Latency is 1 millisecond, the WAN latency is 592 milliseconds and Host Delays is 0 seconds.
This indicates that the user is experiencing delay because of latency in the WAN network.
Scenario 2
The delay might be due to latency in the server network, ICA-traffic delays caused by the server network, latency on the
WAN network, or time taken to launch an application.
To identify the root cause of the issue, analyze the following metrics:
Figure 2. Figure 2
citrix.com 211
In this example, the DC Latency is 1 millisecond, the WAN latency is 13 milliseconds, and the Launch Duration value of
2.37 seconds. This indicates that the cause for the delay in launching the application is high application launch time.
citrix.com 212
Monitoring CloudBridge Appliances with Splunk
After you have understood the prerequisites and after you have installed Splunk, you can start using Splunk to monitor
the CloudBridge appliances.
To start monitoring CloudBridge appliances with Splunk, you must first enable AppFlow monitoring on the CloudBridge
appliances, so that they send information about their traffic to Splunk.
citrix.com 213
Enabling AppFlow on CloudBridge Appliances
To enable AppFlow monitoring, configure each collector is configured with a name, an IP address, and a port. Up to four
collectors can be defined, and they can be enabled or disabled independently. They can also be edited or deleted.
(Once defined, the IP address of a collector cannot be changed. To change the address of a collector, delete the
collector definition and create a new one with the new IP address.)
To configure a CloudBridge appliance to send data to Splunk, do the following:
1. On the Configuration tab of the CloudBridge appliance, navigate to Appliance Settings > AppFlow and, in the right
pane, click Enable to enable AppFlow monitoring.
2. Choose the kind of traffic that you want the AppFlow collector to monitor, by specifying one of the following the data
sets:
TCP: Start collecting the TCP information flowing through the CloudBridge appliances.
WANOpt: Start collecting the TCP WAN optimization details, such as compression benefits.
HDX: Start collecting information about ICA traffic flowing through XenApp and/or XenDesktop
Note: In release 7.2 of the CloudBridge software, WAN optimization is enabled by default. Choose the
Data Upload Interval value to specify how often the data collectors receive an update, in minutes. The
default value is 1.
3. Add the collectors by specifying the collector details.
Specify the following details:
Collector Name: Name of the AppFlow collector
IP address: IP address of the AppFlow collector
Port: Port at which the collector sends and receives data when the operation is performed. Default
value is 4739
Status: Enables the CloudBridge appliance to start or stop sending the traffic information.
Note: You can specify a maximum of four AppFlow collectors on a CloudBridge appliance.
Caution: The volume of data sent to the collector is large, and might exceed your WAN bandwidth. Use AppFlow monitoring
for local appliances only.
citrix.com 214
Troubleshooting Tips
NetScaler Insight Center does not display the HDX Insight reports for CloudBridge appliances. What should I do?
Check the firewall configuration and make sure that the CloudBridge appliance and NetScaler Insight
Center communicate over port 4739.
Wait for 2 to 3 minutes after the traffic is generated. NetScaler Insight Center usually takes two to
three minutes to display the HDX Insight reports for a user.
Check the CloudBridge discovery status on the NetScaler Insight Center Inventory.
Make sure that CloudBridge ICA connections are accelerated with Disk Based Compression (DBC)
policy. To verify, on the Monitoring tab, navigate to Optimization > Connections, and in the right pane
check to see if the Compression Type is Disk for ICA service class.
Also, on the Configuration tab, navigate to Optimization Rules > Service Classes and in the right
pane, expand ICA and click Edit. The Acceleration Policy selected must be Disk.
On the CloudBridge appliance, make sure that the configuration for Appflow HDX Data set is enabled.
Also, make sure that the update Interval is set to one minute and NetScaler Insight Center collector IP
or port should not be deleted. To verify, on the Configuration tab, navigate to Appliance Settings >
AppFlow and verify the values on the right pane.
The HDX Insight reports display the Uptime as 'Negative.' What should I do?
Make sure that the NTP server is configured on both CloudBridge appliance and NetScaler Insight Center. To
add an NTP server on NetScaler Insight Center, see Configuring Clock Synchronization.
Note: If you have configured the NTP server at a later point of time, then, run the drop_table command from the
NetScaler Insight Center Command Line Interface (CLI). Then discover the appliance again and establish a new ICA
connection.
The ICA RTT is shown as N/A on the NetScaler Insight Center reports. What should I do?
To debug this issue, check to see if the EUEM value on XenApp or XenDesktop is enabled or not. If EUEM is
disabled, then NetScaler Insight Center does not display the ICA RTT values. If EUEM is enabled, and ICA RTT is
shown as N/A, then perform each of the following diagnostic operations sequentially till the issue is resolved.
Check if the Citrix End User Experience Monitoring (EUEM) configurations are enabled on the
XenApp server:
1. From the Citrix AppCenter, navigate to Citrix Resources > XenApp > Farm > Policies.
2. On the Settings tab, go to ICA > End User Monitoring and make sure that the following
configurations are enabled:
ICA Round Trip Calculation
ICA Round Trip Calculation Interval
ICA Round Trip Calculation for Idle Connections
3. Verify the configurations.
a. Check for ICA RTT policy entries in the registry.
Note: Modifying the registry with an incorrect entry might destabilize the appliance.
i. Open the command prompt from your Windows machine.
ii. Type regedit and press Enter.
iii. Navigate to HKEY_LOCAL_MACHINE > Software > Policies > Citrix >
EndUserMonitoring.
iv. Make sure that the following configurations are available:
ICA Round Trip Calculation
ICA Round Trip Calculation Interval
ICA Round Trip Calculation for Idle Connections
b. Make sure that the services for these configurations are set to Automatic.
i. Open the command prompt from your Windows machine.
ii. Type services.msc and press Enter.
iii. In the Services dialog box, make sure that Citrix End User Experience
Monitoring is listed and the Startup Type is set to Automatic.
If you are using a virtual desktop application, make sure that the Startup Type is set to Automatic.
This has to be done on the master image.
1. Open the command prompt from your Windows machine.
2. Type services.msc and press Enter.
citrix.com 215
3. In the Services dialog box, make sure that Citrix End User Experience Monitoring is listed
and the Startup Type is set to Automatic.
Make sure that the Citrix EUEM Hotfix is available.
1. Open the command prompt from your Windows machine.
2. Type appwiz.cpl and press Enter.
3. On the Uninstall or Change a Program dialog box, make sure that the Citrix HotFix
XA650R01W2K8R2X64064 for the XenApp 6.5 with R01 server is installed.
After you start the XenApp or XenDesktop traffic, wait for two or three minutes and check to see the
ICA RTT value in NetScaler Insight Center reports.
Check if NetScaler Insight Center dashboard displays session ID as NON-EUEM as shown in the
following image:
Figure 1. NetScaler Insight Center Report
1. On the Monitoring tab of the CloudBridge appliance, navigate to Optimization > ICA Advanced, and click the
Conn Info tab to make note of the ICA session Conn ID.
Figure 2. CloudBridge Appliance Conn Info tab
citrix.com 216
2. On the ICA Advanced page, click the Conn Stats tab, and check to see if the EUEM ICA RTT value is non-zero
for that particular ICA session ID.
Figure 3. CloudBridge Appliance Conn Stats Table
If the configurations are correct, then for any one of those active sessions, check to see if the ICA RTT is a non-zero
value for the same session ID in NetScaler Insight Center.
Figure 4. NetScaler Insight Center Report
citrix.com 217
Internet Protocol Version 6 (IPv6) Acceleration
When you connect to the Internet through a device, the device is assigned an IP address. The IP address identifies the
appliance and indicates its location. The number of devices connecting to the Internet is rapidly increasing. As a result,
it is difficult to manage the request for the IP addresses with the existing version of Internet Protocol (IP), IPv4, which
uses 32-bit addresses. By using IPv4, approximately 4.3 billion addresses can be assigned to the devices connecting to
the Internet.
IPv6 addresses this issue by using 128-bit addresses and a hexadecimal label to identify the network interfaces of
devices on an IPv6 network. Because IPv6 supports far more IP addresses than does IPv4, organizations and
applications are gradually introducing support for the IPv6 protocol.
The IPv4 and IPv6 protocols are not interoperable, which makes the transition difficult. To accelerate the increasing
IPv6 traffic from various applications supported on the CloudBridge appliance, you can enable the IPv6 Acceleration
feature.
By default, IPv6 is disabled on the appliance. To enable IPv6 acceleration on a CloudBridge appliance, navigate to the
CloudBridge > Configuration > Appliance Settings > Feature page and enable the IPv6 Acceleration feature, as shown
in the following screen shot.
citrix.com 218
Verifying IPv6 Connections
After enabling IPv6 acceleration on the appliance, the appliance starts accelerating traffic for the applications using IPv6
protocol. To make sure that the appliance is accelerating the IPv6 traffic, you can monitor such connections on the
appliance.
To monitor the IPv6 connections, navigate to the CloudBridge > Monitoring tab. The Connections page of the Monitoring
tab display IPv6 protocols traffic related statistics:
Connections: The Connections page lists details of all the connections established with the appliance. This
page consists of two tabs, Accelerated Connections and Unaccelerated Connections. The Accelerated
Connections tab lists all connections that the appliance is accelerating. You can identify IPv6 traffic in this
tab by referring to the Initiator and Responder column of each entry. If these columns contain hexadecimal
IP address values, the entry represents an IPv6 connection, as shown in the following screen shot.
IPv6 connections that are not accelerated, are listed on the Unaccelerated Connections tab. If you want
to accelerate these connections, you might need to troubleshoot and fine tune the application
parameters on the appliance. As on the Accelerated Connections tab, you can identify the IPv6
connections on this tab by referring to the Initiator and Responder columns of each entry.
Top Applications: The Top Applications page provides granularity in the time frame that you can use to
graphically represent the traffic throughput of various applications served by the CloudBridge appliance. By
default, traffic throughput is displayed by the last minute. However, you can change the time frame by
selecting Last Minute, Last Hour, Last Day, Last Week, or Last Month from the list available on the Title bar
of the page. This page has three tabs, Top Applications Graphs, Since Last Restart, and Active
Applications (Since Last Restart). The Top Applications Graphs tab contains the following statistics:
Total Application Link Throughput Percentage (Sent): This is a pie chart depicting the percentage of
traffic that the appliance has sent to each application. If the appliance has sent a significant percentage
of traffic for an application using IPv6 protocol, the application has its percentage of traffic depicted in
this graph.
Total Application Link Throughput Percentage (Received): This is a pie chart depicting the
percentage of traffic that the appliance has received from each application. If the appliance has received
a significant percentage of traffic from an application using IPv6 protocol, the graph displays the
percentage of traffic generated by the application.
citrix.com 219
Sent Rate: This is a stacked graph of series of data depicting the rate, in bits per second, at which the
appliance has sent traffic to each application. If the appliance has sent data to an application using IPv6
protocol, a series depicting each application using IPv6 protocol is also plotted on this graph.
Received Rate: This is a stacked graph of series of data depicting the rate, in bits per second, at which
the appliance has received traffic from each application. If the appliance has received data from an
application using IPv6 protocol, a series depicting each application using IPv6 protocol is also plotted on
this graph.
Top Applications table: This is a table of statistics for each application. The table lists all applications
for which the appliance has served traffic, along with sent and received rates in bits per second, total
bytes sent and received, percentage of the traffic for the application, and the rate at which the appliance
has served traffic for the application. If the appliance has served traffic for an application using IPv6
protocol, the application is listed in this table, along with its statistics.
Application Groups: This is a table of statistics for each application, along with its application group and
parent application, if any. The table lists bytes sent and received for the application. Each application,
and its application group and parent application are displayed as hyperlinks. If you click the hyperlink,
granular details of the statistics are displayed for the link you have clicked. If the appliance has served
traffic for an application using IPv6 protocol, the application is listed in this table, along with its statistics.
citrix.com 220
The Since Last Restart tab contains statistics on the application traffic since the time you restarted
the appliance. The tab contains the Total Application Link Throughput Percentage (Sent) and Total
Application Link Throughput Percentage (Received) graphs, and Top Applications and Application
Groups tables, depicting statistics similar to the Top Applications Graphs tab but with data since the
appliance was restarted. The Active Applications (Since Last Restart) tab contains a table listing
all active applications since the appliance was restarted. This table contains details about sent and
receive rate, total bytes sent and received, and total packets sent and received for the applications.
citrix.com 221
SCPS Support
CloudBridge software supports the SCPS (Space Communications Protocol Standard) TCP variant. SCPS is widely
used for satellite communication.
SCPS is a TCP variant used in satellite communication and similar applications. The appliance can accelerate SCPS
connections if the SCPS option is selected on the Configuration: Tuning page.
The main practical difference between SCPS and the default appliance behavior is that SCPS-style "selective negative
acknowledgements" (SNACKs) are used instead of standard selective acknowledgements (SACKs). These two
methods of enhancing data retransmissions are mutually exclusive, so if the appliance on one end of the connection
has SCPS enabled and one does not, retransmission performance suffers. This condition also causes an "SCPS Mode
Mismatch" alert.
If you must mix SCPS-enabled appliances with non-SCPS-enabled appliances, deploy them in such a way that
mismatches do not occur. You can either use IP-based service class rules or arrange the deployment so that each path
has matching appliances.
citrix.com 222
Automatically Configuring CloudBridge Devices
If you are using Citrix Command Center to manage your Citrix appliances, the AutoConfiguration feature enables a
CloudBridge appliance to automatically register itself with Citrix Command Center.
After you have specified a DNS IP address in the setup wizard, the appliance performs reverse and forward lookups to
identify the Command Center IP address. If you opt for having the appliance automatically configured by the Command
Center server, the server starts configuring the appliance automatically soon after the appliance is registered with it. The
Command Center server uses configuration profiles selected for the appliance to run configuration commands on the
appliance. For more information about how the autoconfiguration feature works on the Command Center server, see
Command Center.
Additionally, you can use Citrix Command Center to manage and monitor the appliance remotely.
Note: This feature is supported with Citrix Command Center release 5.2 build 41 and later.
citrix.com 223
Platforms Supported
The autoconfiguration feature is supported on the following appliances
citrix.com 224
Registering a CloudBridge Appliance with Citrix Command Center
Before you can use Citrix Command Center to manage a CloudBridge appliance, you must register the appliance with it.
To configure a CloudBridge appliance for autoconfiguration
1. In the CloudBridge setup wizard (System > Configuration > System > Setup Wizard ), specify the IP address of the
DNS server used by the CloudBridge device.
2. Enter the registration password that you specified in Configure CloudBridge Registration Settings on the Command
Center server, and click OK. Leave this field blank if you have not changed the password.
The CloudBridge appliance sends a registration request to the Command Center server, which automatically discovers
the device and runs the commands available in the configuration profile.
Alternatively, you can navigate to the CloudBridge > Configuration > Appliance Settings > Logging/Monitoring page and
specify the Command Center details on the Command Center tab.
To register the appliance with Citrix Command Center
1. Navigate to the CloudBridge > Configuration > Appliance Settings > Logging/Monitoring page.
2. Click the Command Center tab.
3. In the IP Address field, type the IP address of the Citrix Command Center appliance with which you want to register
the CloudBridge appliance.
4. In the Port field, type the port number used for Citrix Command Center. 8443 is the default port number used for Citrix
Command Center.
5. In the Registration Password field, type the password that the Command Center administrator has set for a
CloudBridge appliance to log on to Citrix Command Center. Do not specify any password if the Command Center
administrator has accepted the default password for registering the appliance.
6. Click Update.
7. Select AutoConfiguration By Citrix Command Center option to automatically configure the appliance through
Command Center.
The Status field changes from Disabled to Initiated registration, which later changes to Request accepted if the
registration of the appliance with Citrix Command Center is successful.
Your CloudBridge appliance is registered with Citrix Command Center and you can now manage the appliance remotely
by using Citrix Command Center.
citrix.com 225
CloudBridge Connector
The CloudBridge Connector feature of the Citrix CloudBridge appliance connects enterprise datacenters to external
clouds and hosting environments, making the cloud a secure extension of your enterprise network. Cloud-hosted
applications appear as though they are running on one contiguous enterprise network. With Citrix CloudBridge
Connector, you can augment your datacenters with the capacity and efficiency available from cloud providers.
The CloudBridge Connector enables you to move your applications to the cloud to reduce costs and increase reliability.
The WAN optimization feature of the CloudBridge appliance accelerates traffic, providing LAN-like performance for
applications running across enterprise datacenters and clouds.
In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two
datacenters for a high-capacity secure and accelerated link.
citrix.com 226
Understanding CloudBridge Connector
To implement the Citrix CloudBridge Connector solution, you connect a datacenter to another datacenter or an external
cloud by setting up a tunnel called the CloudBridge Connector tunnel.
To connect a datacenter to another datacenter, you set up a CloudBridge Connector tunnel between two appliances,
one in each datacenter.
To connect a datacenter to an external cloud (for example, Amazon AWS cloud), you set up a CloudBridge Connector
tunnel between a CloudBridge appliance in the datacenter and a virtual appliance (VPX) that resides in the Cloud. The
remote end point can be a CloudBridge Connector or a NetScaler VPX with platinum license.
The following illustration shows a CloudBridge Connector tunnel set up between a datacenter and an external cloud.
The appliances between which a CloudBridge Connector tunnel is set up are called the end points or peers of the
CloudBridge Connector tunnel.
The GRE protocol provides a mechanism for encapsulating packets, from a wide variety of network protocols, to be
forwarded over another protocol. GRE is used to:
Create a transport tunnel for any type of traffic that needs to be sent unchanged across a different
network.
The GRE protocol encapsulates packets by adding a GRE header and a GRE IP header to the packets.
The Internet Protocol security (IPSec) protocol suite secures communication between peers in the CloudBridge
Connector tunnel.
Data integrity
IPSec uses the transport mode in which the GRE encapsulated packet is encrypted. The encryption is done by the
Encapsulating Security Payload (ESP) protocol. The ESP protocol ensures the integrity of the packet by using a HMAC
citrix.com 227
hash function, and ensures confidentiality by using an encryption algorithm. After the packet is encrypted and the HMAC
is calculated, an ESP header is generated. The ESP header is inserted after the GRE IP header and, an ESP trailer is
inserted at the end of the encrypted payload.
Peers in the CloudBridge Connector tunnel use the Internet Key Exchange version (IKE) protocol (part of the IPSec
protocol suite) to negotiate secure communication, as follows:
The two peers mutually authenticate with each other, using one of the following authentication
methods:
Pre-shared key authentication. A text string called a pre-shared key is manually configured on each
peer. The pre-shared keys of the peers are matched against each other for authentication. Therefore, for
the authentication to be successful, you must configure the same pre-shared key on each of the peers.
Digital certificates authentication. The initiator (sender) peer signs message interchange data by
using its private key, and the other receiver peer uses the sender's public key to verify the signature.
Typically, the public key is exchanged in messages containing an X.509v3 certificate. This certificate
provides a level of assurance that a peer's identity as represented in the certificate is associated with a
particular public key.
An encryption algorithm.
Cryptographic keys for encrypting data in one peer and decrypting the data in the other.
This agreement upon the security protocol, encryption algorithm and cryptographic keys is called a Security Association
(SA). SAs are one-way (simplex). For example, when two peers, CB1 and CB2, are communicating through a
Connector tunnel, CB1 has two Security Associations. One SA is used for processing out-bound packets, and the other
SA is used for processing inbound packets.
SAs expire after a specified length of time, which is called the lifetime. The two peers use the Internet Key Exchange
(IKE) protocol (part of the IPSec protocol suite) to negotiate new cryptographic keys and establish new SAs. The
purpose of the limited lifetime is to prevent attackers from cracking a key.
Also, CloudBridge instances on the CloudBridge Connector tunnel end-points provide WAN optimization over the
tunnel.
citrix.com 228
Prerequisites for Configuring the CloudBridge Connector Tunnel
Before setting up a CloudBridge connector tunnel between AWS Cloud and a CloudBridge appliance configured for one-arm
mode in the data center, verify that the following tasks have been completed:
1. Make sure that the CloudBridge appliance in the datacenter is set up correctly. For more information on deploying a
CloudBridge appliance in one-arm mode that uses WCCP/Virtual Inline protocol, see and .
2. Install, configure, and launch a NetScaler virtual appliance (VPX instance) on AWS cloud. For more information, see
Installing NetScaler VPX on AWS.
3. Install, configure, and launch an instance of CloudBridge virtual appliance (VPX) on AWS cloud. For more information,
see .
4. On AWS, bind the CloudBridge VPX instance on AWS to a load balancing virtual server in the NetScaler VPX
instance on AWS. This binding is required for sending traffic through the CloudBridge VPX instances, to achieve WAN
optimization over the CloudBridge Connector tunnel.
To create a load balancing virtual server by using the command line interface
To add the CloudBridge VPX instance on AWS as a service and bind it to the load balancing virtual
server by using the command line interface
citrix.com 229
Configuring the Tunnel
To configure the CloudBridge Connector tunnel, use the configuration utility of both the NetScaler VPX appliances to perform
the following tasks:
Create an IPSec profileAn IPSec profile entity specifies the IPSec protocol parameters, such as IKE
version, encryption algorithm, hash algorithm, and PSK, to be used by the IPSec protocol in the CloudBridge
connector tunnel.
Create an IP tunnel and associate the IPSec profile with itAn IP tunnel specifies the local IP address,
remote IP address, protocol used to set up the CloudBridge connector tunnel, and an IPSec profile entity.
The created IP tunnel entity is also called the CloudBridge tunnel entity.
Create a PBR rule and associate the IP tunnel with itA PBR entity specifies a set of conditions and an
IP tunnel (CloudBridge tunnel) entity. The source IP address range and the destination IP range are the
conditions for the PBR entity. You must set the source IP address range and the destination IP address
range to specify the subnet whose traffic is to traverse the CloudBridge tunnel. For example, consider a
request packet that originates from a client on the subnet in the datacenter and is destined to a server on the
subnet in the AWS cloud. If this packet matches the source and destination IP range of the PBR entity on
the NetScaler virtual appliance on the CloudBridge appliance in the datacenter, it is considered for
CloudBridge processing, which sends the packet across the CloudBridge tunnel associated with the PBR
entity.
add ipsec profile <ipsec_profile_name> -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 500 -psk
<password>
To create an IP tunnel and bind the IPSEC profile to it by using the command line interface
To create a PBR rule and bind the IPSEC tunnel to it by using the command line interface
To create an IP tunnel and bind the IPSEC profile to it by using the NetScaler configuration utility
To create a PBR rule and bind the IPSEC tunnel to it by using the NetScaler configuration utility
The new CloudBridge Connector tunnel configuration on the CloudBridge appliance in the datacenter appears on
the Home tab of the Management Service user interface.
The corresponding new CloudBridge Connector tunnel configuration on the NetScaler VPX appliance in the
AWS cloud appears on the configuration utility.
The current status of the CloudBridge connector tunnel is indicated in the Configured CloudBridge pane. A green
dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.
citrix.com 231
Configuring CloudBridge Connector Tunnel between two Datacenters
You can configure a CloudBridge Connector tunnel between two different datacenters to extend your network without
reconfiguring it, and leverage the capabilities of the two datacenters. A CloudBridge Connector tunnel between the two
geographically separated datacenters enables you to implement redundancy and safeguard your setup from failure. The
CloudBridge Connector tunnel helps achieve optimal utilization of infrastructure and resources across two datacenters.
The applications available across the two datacenters appear as local to the user.
To connect a datacenter to another datacenter, you set up a CloudBridge Connector tunnel between a CloudBridge
4000/5000 appliance that resides in one datacenter and another CloudBridge 4000/5000 appliance that resides in the
other datacenter.
To understand how a CloudBridge Connector tunnel is configured between two different datacenters, consider an
example in which a CloudBridge Connector tunnel is set up between NetScaler appliance CB_4000/5000-1 in
datacenter DC1 and NetScaler appliance CB_4000/5000-2 in datacenter DC2.
Both CB_ 4000/5000-1 and CB_4000/5000-2 function in one arm mode (WCCP/PBR). They enable communication
between private networks in datacenters DC1 and DC2. For example, CB_ 4000/5000-1 and CB_4000/5000-2 enable
communication between client CL1 in datacenter DC1 and server S1 in datacenter DC2 through the CloudBridge
Connector tunnel. Client CL1 and server S1 are on different private networks.
For proper communication between CL1 and S1, L3 mode is enabled on NS_VPX_CB_ 4000/5000-1 and NS_VPX_CB_
4000/5000-2, and routes are configured as follows:
citrix.com 232
Remote endpoint IP address of
the CloudBridge Connector
tunnel = 203.0.210.30*
Name =
Cloud_Connector_DC1-DC2
Name =
Cloud_Connector_DC1-DC2
Encryption algorithm = AES
Hash algorithm = HMAC SHA1
Name =
Cloud_Connector_DC1-DC2
Name =
Cloud_Connector_DC1-DC2
citrix.com 233
Encryption algorithm = AES
Hash algorithm = HMAC SHA1
citrix.com 234
Configuring CloudBridge Connector Tunnel between a Datacenter and AWS
Cloud
Consider an example in which a CloudBridge Connector tunnel is configured between CloudBridge appliance CB_DC-1,
which is deployed in WCCP/PBR one-arm mode in a datacenter, and AWS cloud. CB_DC-1 is connected to router R1.
A NAT device is also connected to R1 for connections between the datacenter and Internet.
Note: The settings in the example would also work for any type of CloudBridge deployment. This setting in this example
includes policy based routes instead of netbridge for allowing the desired subnets traffic to pass through the CloudBridge
Connector tunnel.
As shown in the following figure, the CloudBridge connector tunnel is established between NetScaler virtual appliance
NS_VPX_CB-DC, running on the CloudBridge appliance CB_DC-1, and NetScaler virtual appliance NS_VPX-AWS
running on AWS cloud. For WAN optimizing the traffic flow over the CloudBridge Connector tunnel, NS_VPX_CB-DC is
paired to CloudBridge repeater instances running on CB_DC-1, and on the AWS side, CloudBridge virtual appliance
CB_VPX-AWS running on AWS is paired to NS_VPX-AWS.
The following table lists the settings in the datacenter in this example.
Entity Name Details
IP address of client CL1 10.10.6.90
Settings on NAT device NAT-Dev-1
NAT IP address on public side 66.165.176.15 *
NAT IP address on private side 10.10.7.70
Settings on CB_DC-1
Management service IP address of 10.10.1.10
CB_DC-1
Settings on NS_VPX_CB-DC running on CB_DC-1
The NSIP address 10.10.1.20
SNIP address 10.10.5.30
IPSec profile CBC_DC_AWS_IPSec_Profile
IKE version = v2
Encryption algorithm = AES
Hash algorithm = HMAC SHA1
citrix.com 235
IPSec profile name =
CBC_DC_AWS_IPSec_Profile
The following table lists the settings on AWS cloud in this example.
Entity Name Details
IP address of server 10.20.6.90
S1
Settings on NS_VPX-AWS
NSIP address 10.20.1.20
Public EIP address 203.0.1.120*
mapped to the NSIP
address
SNIP address 10.20.5.30
Public EIP address 203.0.1.150*
mapped to the SNIP
address
IPSec profile CBC_DC_AWS_IPSec_Profile
IKE version = v2
Encryption algorithm = AES
Hash algorithm = HMAC SHA1
CloudBridge CBC_DC_AWS
Connector tunnel Local endpoint IP address of the CloudBridge
Connector tunnel =10.20.5.30
Remote endpoint IP address of the CloudBridge
Connector tunnel = Public NAT IP address of NAT
device NAT-Dev-1 in the datacenter = 66.165.176.15*
Tunnel protocol = GRE and IPSEC
IPSec profile name = CBC_DC_AWS_IPSec_Profile
Both NS_VPX_CB-DC, on CB_DC-1, and NS_VPX-AWS function in L3 mode. They enable communication between
private networks in the datacenter and AWS cloud. NS_VPX_CB-DC and NS_VPX-AWS enable communication
between client CL1 in the datacenter and server S1 in the AWS cloud through the CloudBridge Connector tunnel. Client
CL1 and server S1 are on different private networks.
Note: AWS does not support L2 mode. Therefore, it is necessary to have only L3 mode enabled on both the endpoints.
For proper communication between CL1 and S1, L3 mode is enabled on NS_VPX_CB-DC and NS_VPX-AWS, and routes
are configured as follows:
citrix.com 236
R1 has a route for reaching S1 through NS_VPX_CB-DC.
NS_VPX_CB-DC has a route for reaching NS_VPX-AWS through R1.
S1 should have a route reaching CL1 through NS_VPX-AWS.
NS_VPX-AWS has a route for reaching NS_VPX_CB-DC through an upstream router.
The following are the routes configured on various network devices in the datacenter for the CloudBridge Connector tunnel to
work properly:
Routes Network Gateway
Routes on router R1
Route for reaching server S1 10.20.6.X/24 Tunnel endpoint SNIP address
of NS_VPX_CB-DC =
10.10.5.30
Route for reaching remote end point EIP address mapped to the CloudBridge Private IP address of the NAT
of the CloudBridge Connector connector SNIP address of NS_VPX-AWS = device = 10.10.7.70
tunnel 203.0.1.50
Routes on NS_VPX_CB-DC
Route for reaching NS_VPX-AWS EIP address mapped to the CloudBridge IP address of R1 = 10.10.5.1
connector SNIP address of NS_VPX-AWS =
203.0.1.50
The following are the routes configured on various network devices on AWS cloud for the CloudBridge Connector tunnel to
work properly:
Routes Network Gateway
Routes on server S1
Route for reaching client 10.10.6.X/24 Tunnel endpoint SNIP address of NS_VPX-
CL1 AWS = 10.10.6.1
Routes on NetScaler virtual appliance NS_VPX-AWS
Route for reaching Public IP address of NAT_Dev-1 in the IP address of the upstream router on AWS
NS_VPX_CB-DC datacenter = 66.165.176.15*
Following is the traffic flow of a request packet from Client CL1 in the CloudBridge Connector tunnel:
14.
citrix.com 237
14. S1 processes the request packet and sends out a response packet. The destination IP address in the response
packet is the IP address of client CL1, and the source IP address is the IP address of server S1.
citrix.com 238
CloudBridge 400, 800, 2000 and 3000 Appliances
The CloudBridge 400, 800, 2000 and 3000 appliances are 1U accelerators for use in datacenters and larger branch
offices.
The CloudBridge 2000 can be thought of as a faster Repeater 8500 appliance with two accelerated bridges, while the
CloudBridge 3000 can be thought of as a faster Repeater 8800 with three accelerated bridges. The configuration
process, however, is not the same. Like the high-end Repeater SDX appliance, CloudBridge 2000 and 3000 appliances
use virtual machines for acceleration and management, running under a XenServer hypervisor.
The CloudBridge 400, 800, 2000, and 3000 Series are the next generation of CloudBridge appliances, with the following
general characteristics:
CloudBridge 400 Series. An small, affordable 1U appliance suitable for smaller branch offices, the
CloudBridge 400 Series has two accelerated bridges and supports WAN speeds of up to 6 Mbps.
CloudBridge 800 Series. A small 1U appliance suitable for medium-sized branch offices, the CloudBridge
800 Series has two accelerated bridges and supports WAN speed of up to 10 Mbps.
CloudBridge 2000 Series. A full-sized 1U appliance suitable for large branch offices and smaller
datacenters, the CloudBridge 2000 Series has two accelerated bridges and supports WAN speed of 10-
50Mbps.
CloudBridge 3000 Series. A full-sized 1U appliance suitable for the largest branch offices and medium-sized
datacenters, the CloudBridge 3000 Series has three accelerated bridges and supports WAN speed of 50-
155 Mbps.
All of these appliances have similar architectures and run the same release binaries. These appliances are fully
supported with release 7.4.
citrix.com 239
Supported Features
The following table lists various features supported on CloudBridge 400, 800, 2000, and 3000 appliances.
Table 1. Features Table for Citrix CloudBridge 400, 800, 2000, and 3000 Series Appliances
Citrix CloudBridge Citrix CloudBridge Citrix CloudBridge Citrix CloudBridge
400 series 800 series 2000 series 3000 series
AutoConfiguration Y Y Y Y
CloudBridge Plug-In N N Y Y
Compression Y Y Y Y
RPC over HTTPS Y Y Y Y
SSL Compression Y Y Y Y
TCP Acceleration Y Y Y Y
Traffic Shaping Y Y Y Y
Video Caching N Y Y Y
Windows File System Y Y Y Y
Acceleration
Windows Outlook Y Y Y Y
Acceleration
XenApp/ XenDesktop Y Y Y Y
Acceleration
Group Mode Y N Y Y
High Availability Y Y Y Y
Mode
Inline Mode Y Y Y Y
Virtual Inline Mode Y Y Y Y
WCCP Mode Y Y Y Y
VLANs Y Y Y Y
citrix.com 240
Hardware Platforms
Within a given series, all models use the same hardware, and the different WAN speed ratings are obtained through
different licensing options. For example, both CloudBridge 400 models (the 400-002 and 400-006) use the same
hardware, and a given appliance can be licensed either as a 2 Mbps appliance or a 6 Mbps appliance, but a
CloudBridge 400 can not be upgraded to a CloudBridge 800, 2000, 0r 3000. The same is true of the other series.
The licensed bandwidth applies only to the sending direction, so a CloudBridge 400-002, rated at 2 Mbps in the sending
direction, is appropriate for an ADSL link with a 12 Mbps/2 Mbps download/upload bandwidth.
In addition to differences in WAN bandwidth capabilities, the different series vary in CPU power, installed RAM, and
installed disk capacity.
All models use solid-state drives instead of conventional hard drives for increased speed and reliability.
citrix.com 241
Introduction to the Hardware Platforms
All of the platforms have similar components, but the CloudBridge hardware platforms offer a wide range of features,
communication ports, and processing capacities. All CloudBridge hardware platforms support the CloudBridge software
and have multicore processors.
citrix.com 242
Common Hardware Components
Each platform has front panel and back panel hardware components. The various hardware components on the front
panel and back panel vary by hardware platform.
citrix.com 243
Ports
Ports are used to connect the appliance to external devices. CloudBridge appliances support RS232 serial ports and
10/100/1000Base-T copper Ethernet ports.
10/100/1000BASE-T port
The 10/100/1000BASE-T port has a maximum transmission speed of 1 gigabit per second, ten times faster than the
other type of copper Ethernet port. Most platforms have at least one 10/100/1000Base-T port.
To connect any of these ports to your network, you plug one end of a standard Ethernet cable into the port and plug the
other end into the appropriate network connector.
Management Ports
Management ports are standard copper Ethernet ports (RJ45), which are used for direct access to the appliance for
system administration functions.
citrix.com 244
Field Replaceable Units
Note: CloudBridge 400/800 appliances do not have field replaceable units.
Citrix CloudBridge field replaceable units (FRU) are CloudBridge components that can be quickly and easily removed
from the appliance and replaced by the user or a technician at the user's site. The FRUs in a CloudBridge appliance can
include an AC power supply and a solid-state drive.
Note: The solid-state drive stores your configuration information, which has to be restored from a backup after replacing the
unit.
citrix.com 245
Power Supply
CloudBridge appliances are configured with a single power supply. For a CloudBridge 3000 appliance, you can order a
second power supply.
The appliance ships with a standard power cord that plugs into the appliances power supply. The other end of the
cord has a NEMA 5-15 plug on the other end for connecting to the power outlet on the rack or in the wall.
For power-supply specifications, see Common Hardware Components, which describes the various hardware
components, hardware platforms and includes a table summarizing the hardware specifications.
Note: If you suspect that a power-supply fan is not working, see the description of your platform. On some platforms, what
appears to be the fan does not turn, and the actual fan turns only when necessary.
Table 1. LED Power Supply Indicators
Power Supply Type LED Color LED Indicates
AC OFF No power to any power supply.
Flashing RED No power to this power supply.
Flashing GREEN Power supply is in standby mode.
GREEN Power supply is functional.
RED Power supply failure.
1. If replacing an existing power supply, align the semicircular handle, so that it is perpendicular to the power supply,
loosen the thumbscrew, press the lever toward the handle and pull out the existing power supply, as shown in the
following figure.
Note: The illustration in the following figures might not represent the actual CloudBridge appliance.
Figure 1. Removing the Existing AC Power Supply
citrix.com 246
5. Connect the power supply to a power source.
citrix.com 247
Solid-State Drive
A solid-state drive (SSD) is a high-performance data storage device that stores data in solid-state flash memory. It stores the
CloudBridge software and user data.
3. Verify that the replacement SSD is the correct type for the CloudBridge platform.
4. Pick up the new SSD, open the drive handle fully to the left, and insert the drive into the slot as far as possible. To
seat the drive, close the handle flush with the rear of the appliance so that the drive locks securely into the slot.
Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted
horizontally or at the right if the drive is inserted vertically.
Figure 2. Inserting the Replacement Solid-State Drive
citrix.com 248
Citrix CloudBridge 400 and 800
The Citrix CloudBridge 400 and 800 platforms each have a dual-core processor and 8GB of memory. These platforms
have a bandwidth of up to 6 Mbps and up to 10 Mbps, respectively.
The following figure shows the front panel of a CloudBridge 400/800 appliance.
Figure 1. Citrix CloudBridge 400/800, front panel
The front panel of the CloudBridge 400/800 appliance has a power button and five LEDs.
The power button switches main power (the power to the power supply) on or off.
Solid blue Local UID has been activated. Use this function to locate the server in a
rack mount environment.
Blinking blue Remote UID is on. Use this function to identify the server from a remote
(300 m/s) location.
NIC1 and NIC2Indicate network activity on the LAN1 and WAN1 ports.
HDDIndicates the status of the hard disk drive.
PowerWhen blinking, indicates that the power supply unit is receiving power and operating normally.
The following figure shows the back panel of a CloudBridge 400/800 appliance.
Figure 2. Citrix CloudBridge 400/800 appliance, back panel
The following components are visible on the back panel of a CloudBridge 400/800 appliance:
Cooling fan
citrix.com 249
Single power supply, rated at 200 watts, 110-240 volts
Accelerated pairs of Ethernet ports (apA and apB) which function as accelerated bridges. Individual port
assignments: LAN1 is apA.1, WAN1 is apA.2, LAN2 is apB.1, LAN2 is apB.2.
RS-232 serial console port
One Aux Ethernet port and one management port
Two USB ports
One Solid State Drive (SSD)
CloudBridge 400 - 160 GB SSD
CloudBridge 800 - 240 GB SSD
citrix.com 250
Citrix CloudBridge 2000
The Citrix CloudBridge 2000 platform has 3 models: CB 2000-010, CB 2000-020, and CB 2000-050, with bandwidths of
10Mbps, 20Mbps, and 50Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 24
gigabytes (GB) of memory.
The following figure shows the front panel of the CloudBridge 2000 appliance.
Figure 1. Citrix CloudBridge 2000, front panel
The following figure shows the back panel of the CloudBridge 2000 appliance.
Figure 2. Citrix CloudBridge 2000 appliance, back panel
The following components are visible on the back panel of the CloudBridge 2000 appliance:
600 GB removable solid-state drive, which stores the appliance's software and user data.
Power switch, which turns off power to the appliance. Press the switch for five seconds to turn off the power.
USB port (reserved for a future release).
Non-maskable interrupt (NMI) button, for use at the request of Technical Support to produce a core dump.
You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent
unintentional activation.
Single power supply, rated at 300 watts, 100-240 volts.
citrix.com 251
Citrix CloudBridge 3000
The Citrix CloudBridge 3000 platform has 3 models: CloudBridge 3000-050, CloudBridge 3000-100, and CloudBridge
3000-155, with bandwidths of 50M bps, 100 Mbps, and 155 Mbps, respectively. Each model is a 1U appliance with one
quad-core processor and 32 gigabytes (GB) of memory.
The Citrix CloudBridge 3000 appliance is available in two port configurations:
The following figure shows the front panel of a CloudBridge 3000 with six 10/100/1000 Base-T copper Ethernet ports.
Figure 1. Citrix CloudBridge 3000 (610/100/1000 Base-T copper Ethernet ports), front panel
The following figure shows the front panel of a CloudBridge 3000 appliance with four 1G SX fiber ports.
Figure 2. Citrix CloudBridge 3000 (41G SX Fiber ports), front panel
The following figure shows the back panel of the CloudBridge 3000 appliance.
Figure 3. Citrix CloudBridge 3000 appliance, back panel
The following components are visible on the back panel of the CloudBridge 3000 appliance:
Four 600 GB removable solid-state drives. The top left solid-state drive stores both the appliance's software
and the user data. The other three store only user data.
citrix.com 252
Power switch, which turns power to the appliance on or off. To turn off the power, press the switch for five
seconds.
USB port (reserved for a future release).
Non-maskable interrupt (NMI) button, for use at the request of Technical Support to produce a core dump.
You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent
unintentional activation.
Disable alarm button, which is nonfunctional unless you install a second power supply. In that case, it
disables the alarm that sounds if the appliance is plugged into only one power outlet or one of the power
supplies fails.
Single power supply, rated at 450 watts, 100-240 volts.
citrix.com 253
Summary of Hardware Specifications
The following tables summarize the specifications of the CloudBridge 400, 800, 2000, and 3000 hardware platforms.
Table 1. Citrix CloudBridge 400, 800, 2000, and 3000 Platforms Summary
CloudBridge 400 CloudBridge 800 CloudBridge CloudBridge
2000 3000
Platform Performance
Model CB Model CB
2000-020: 20 3000-100:
Mbps 100 Mbps
Model CB Model CB
2000-050: 50 3000-155:
Mbps 155 Mbps
Hardware Specifications
RAM 8 GB 8 GB 24 GB 32 GB
Power supplies 1 1 1 1
citrix.com 254
Physical Dimensions
Rack Units 1U 1U 1U 1U
System width EIA 310-D for 19- EIA 310-D for 19- EIA 310-D for EIA 310-D for
inch racks inch racks 19-inch racks 19-inch racks
System depth 10.5" (26.7 cm) 10.5" (26.7 cm) 25.4" (64.5 25.4" (64.5
cm) cm)
System weight 8 lbs (3.5 kg) 8 lbs (3.5 kg) 32 lbs (14.5 32 lbs (14.5
kg) kg)
Shipping 26L x 18.5W x 6.5" 26L x 18.5W x 6.5" 32L x 23.5W 32L x 23.5W
dimensions H H x 7.5" H x 7.5" H
and weight
14 lbs 14 lbs 39 lbs 39 lbs
Voltage 100/240 VAC, 50-60 100/240 VAC, 50-60 100/240 VAC, 100/240 VAC,
Hz Hz 50-60 Hz 50-60 Hz
citrix.com 255
Preparing for Installation
Before you install your new appliance, carefully unpack your appliance and make sure that all parts were delivered.
Once you are satisfied that your appliance has been delivered to your expectations, verify that the location where the
appliance will be installed meets temperature and power requirements and that the server cabinet or floor-to-ceiling
cabinet is securely bolted to the floor and has sufficient airflow.
Only trained and qualified personnel should install, maintain, or replace the appliance, and efforts should be taken to
ensure that all cautions and warnings are followed.
citrix.com 256
Unpacking the CloudBridge Appliance
The hardware accessories for your particular appliance, such as cables, adapters, and rail kit, vary depending on the
hardware platform you ordered. Unpack the box that contains your new appliance on a sturdy table with plenty of space
and inspect the contents.
If you ordered a CloudBridge 400 or CloudBridge 800 appliance, the box should contain:
If you ordered a CloudBridge 2000 or CloudBridge 3000 appliance, the box should contain:
In addition to the items included in the box with your new appliance, you will need the following items to complete the
installation and initial configuration process.
Ethernet cables for each additional Ethernet port that you will connect to your network
One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to
your network
A computer to serve as a management workstation
citrix.com 257
Preparing the Site and Rack
A CloudBridge appliance has specific site and rack requirements. You must make sure that adequate environmental control
and power density are available. Racks must be bolted to the ground, have sufficient airflow, and have adequate power and
network connections. Preparing the site and rack are important steps in the installation process and will help ensure a smooth
installation.
Site Requirements
The appliance should be installed in a server room or server cabinet with the following features:
Environment control
An air conditioner, preferably a dedicated computer room air conditioner (CRAC), capable of maintaining the cabinet
or server room at a temperature of no more than 27 degrees C/80.6 degrees F at altitudes of up to 2100 m/7000 ft, or
18 degrees C/64.4 degrees F at higher altitudes, a humidity level no greater than 45 percent, and a dust-free
environment.
Power density
Wiring capable of handling at least 4,000 watts per rack unit in addition to power needs for the CRAC.
Rack Requirements
The rack on which you install your appliance should meet the following criteria:
Rack characteristics
Racks should be either integrated into a purpose-designed server cabinet or be the floor-to-ceiling type, bolted down
at both top and bottom to ensure stability. If you have a cabinet, it should be installed perpendicular to a load-bearing
wall for stability and sufficient airflow. If you have a server room, your racks should be installed in rows spaced at least
1 meter/3 feet apart for sufficient airflow. Your rack must allow your IT personnel unfettered access to the front and
back of each server and to all power and network connections.
Power connections
At minimum, two standard power outlets per unit.
Network connections
At minimum, four Ethernet connections per rack unit.
Space requirements
One empty rack unit for each CloudBridge 400, 800, 2000 and 3000 appliances.
citrix.com 258
Cautions and Warnings
Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.
Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to
the appliance if an electrical accident occurs.
Remove all jewelry and other metal objects that might come into contact with power sources or wires before
installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal
objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed
terminal.
Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and
voltage spikes, and to keep the appliance operating in case of power failure.
Never stack the appliance on top of any other server or electronic equipment.
All appliances are designed to be installed on power systems that use TN earthing. Do not install your
device on a power system that uses either TT or IT earthing.
Make sure that the appliance has a direct physical connection to the earth during normal use. When
installing or repairing an appliance, always make sure that the ground circuit is connected first and
disconnected last.
Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is
used on all current-carrying conductors on the power system to which your appliances are connected.
Do not work alone when working with high voltage components.
Always disconnect the appliance from power before removing or installing any component. When
disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply
units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in
the power supply, even when the power switch is OFF.
Do not use mats designed to decrease static electrical discharge as protection from electrical shock.
Instead, use rubber mats that have been specifically designed as electrical insulators.
Make sure that the power source can handle the appliance's maximum power consumption rating with no
danger of an overload. Always unplug any appliance before performing repairs or upgrades.
Do not overload the wiring in your server cabinet or on your server room rack.
During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades
until the danger of lightning has passed.
When you dispose of an old appliance or any components, follow any local and national laws on disposal of
electronic waste.
To prevent possible explosions, replace expired batteries with the same model or a manufacturer-
recommended substitute and follow the manufacturers instructions for battery replacement.
Never remove a power supply cover or any sealed part that has the following label:
Appliance Precautions
Determine the placement of each component in the rack before you install the rails.
Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on
the rack evenly. An unbalanced rack is hazardous.
Allow the power supply units and hard drives to cool before touching them.
Install the equipment near an electrical outlet for easy access.
Mount equipment in a rack with sufficient airflow for safe operation.
citrix.com 259
For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment
might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest
operating temperatures of the equipment when making a decision about where to install the appliance in the
rack.
Rack Precautions
Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight
of the rack resting on them.
For a single-rack installation, attach a stabilizer to the rack.
For a multiple-rack installation, couple (attach) the racks together.
Always make sure that the rack is stable before extending a component from the rack.
Extend only one component at a time. Extending two or more simultaneously might cause the rack to
become unstable.
The handles on the left and right of the front panel of the appliance should be used only for extending the
appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail
hardware, described later, instead.
citrix.com 260
Installing the Hardware
After you have determined that the location where you will install your appliance meets the environmental standards and
the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the
appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for
initial configuration. To complete the installation, you turn on the appliance. Be sure to observe the cautions and
warnings listed with the installation instructions.
citrix.com 261
Rack Mounting the Appliance
A CloudBridge 400, 800, 2000 or 3000 appliance requires one rack unit. These appliances are rack-mount devices that
can be installed into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your
appliance.
To mount a CloudBridge appliance, you must first install the rails and then install the appliance in the rack, as
follows:
1. Position the right inner rail behind the ear bracket on the right side of the appliance.
2. Align the holes on the rail with the corresponding holes on the side of the appliance.
3. Attach the rail to the appliance with the provided screws.
4. Repeat steps 1 through 3 to install the left inner rail on the left side of the appliance.
1. Position the rack rails at the desired location in the rack, keeping the sliding rail guide facing inward.
2. Snap the rails to the rack.
Note: Make sure that both rack rails are at same height and that the rail guides are facing inward.
1. Align the inner rails, attached to the appliance, with the rack rails.
2. Slide the appliance into the rack rails, keeping the pressure even on both sides, and push the appliance
into the rack rails until it locks into place.
3. Verify that the appliance is locked in place by pulling it all the way out from the rack.
Note: The illustration in the following figure might not represent your actual appliance.
Figure 1. Rack Mounting the Appliance
citrix.com 262
Connecting the Cables
When the appliance is securely mounted on the rack, determine which ports you should use. You are then ready to
connect the cables. Ethernet cables and the optional console cable are connected first. Connect the power cable last.
Danger: Remove all jewelry and other metal objects that might come in contact with power sources or wires before installing
or repairing the appliance. When you touch both a live power source or wire and ground, any metal objects can heat up
rapidly, and may cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.
Ports
A typical installation using a single accelerated-bridge uses three Ethernet ports (the Primary port and apA) and five IP
addresses (three on the Primary port's subnet and two on apA's subnet).
The appliance has two motherboard ports and two (CloudBridge 400/800 and CloudBridge 2000) or three (CloudBridge
3000) accelerated bridges. The Primary port is used for initial configuration.
On the CloudBridge 2000 and CloudBridge 3000 appliances, the motherboard ports are labeled "0/1" and "0/2." They
are equivalent to the Primary and Aux1 ports, respectively.
The CloudBridge 400/800 and CloudBridge 2000 appliances each have two pairs of accelerated bridge ports. The
CloudBridge 3000 appliance has three pairs of accelerated-bridge ports. On a CloudBridge appliance, ports 1/1 and 1/2
are the accelerated pair A (apA) bridge ports, ports 1/3 and 1/4 are the apB ports, and ports 1/5 and 1/6 are the apC
bridge ports.
Ethernet cables connect your appliance to the network. The type of cable you need depends on the type of port used to
connect to the network. Use a category 5e or category 6 Ethernet cable with a standard RJ-45 connector on a
10/100/1000BASE-T port.
A CloudBridge appliances has one power supply, unless you have installed a second. A separate ground cable is not
required, because the three-prong plug provides grounding. Provide power to the appliance by installing the power cord.
citrix.com 263
Switching on the Appliance
After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected. If
you have installed a second power supply, make sure the second cable is connected to an outlet for a different circuit than
the first. After verifying the connections, you are ready to switch on the appliance.
Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can
quickly remove power from the appliance.
citrix.com 264
Initial Configuration
The appliance shipped from Citrix has default IP addresses configured on it. To deploy the appliance on the network,
you must configure the appropriate IP addresses on the appliance to accelerate the network traffic.
To perform initial configuration:
citrix.com 265
Prerequisites
Before you begin configuring the appliance, make sure that the following prerequisites have been met:
citrix.com 266
Worksheet
The following table lists the default values of network configuration, CloudBridge configuration, Windows configuration,
system settings, password, and setup wizard in your traffic subnet and the management subnet. Record the values applicable
to your appliance in the third column.
Deployment Worksheet
Field Default Value Value for Description of the Field
your
Appliance
Network Configuration
XenServer IP Address 192.168.100.2 Management IP address of the XenServer.
(Management Subnet)
Management Service IP 192.168.100.1 Management IP address of the Management Service.
Address (Management
Subnet)
Netmask (Management 255.255.0.0 Network mask for the management subnet.
Subnet)
Gateway (Management None The default gateway IP address of the appliance.
Subnet)
Port Model 2-Port Select 2-port or 4-port, depending on the model. In 4-port
mode, Windows Server does not have access to ports 1/3 and
1/4.
DNS Server None IP address of the DNS server. Citrix recommends that you
specify a valid DNS server IP address. This is a mandatory
parameter.
CloudBridge Configuration
IP Address 192.168.100.20 Primary CloudBridge IP address at which you manage the
(Management Subnet) CloudBridge instance.
Netmask (Management 255.255.0.0 Network mask for the management IP address of the appliance.
Subnet) Same as previous netmask.
Gateway (Management None The default gateway IP address of the appliance. Same as the
Subnet) previous gateway.
System Settings
NTP Server (none) IP address of the NTP server. Citrix recommends that you
specify a valid NTP server IP address. You can either enter the
IP address or the server name.
Time Zone UTC Specify the time zone for your location.
Password
Password nsroot New password for access to the appliance.
Confirm Password nsroot New password for access to the appliance.
Command Center Configuration
Command Center IP None Optional. IP address of the Command Center appliance with
Address which you want to register this appliance. More info.
Command Center Port 8443 Optional. Port number of the Command Center appliance. More
info.
Registration Password None Password you want to use to register the CloudBridge
appliance.
Licensing
License Server Address None IP address of the licensing server. Required only when you
select a remote model license type.
Licensing Service Port 27000
Port number of the licensing server. Required only when
you select a remote model license type.
citrix.com 267
Links
Receive (Download) None WAN link download speed.
Speed
Send (Upload) Speed None WAN link upload speed.
citrix.com 268
Configuring the Appliance by Connecting a Computer to the Ethernet Port
For initial configuration of a CloudBridge appliance, perform the following tasks::
With inline deployments, this configuration might be all you need, because most acceleration features are enabled by
default and require no additional configuration.
You can configure the appliance connecting the appliance to your computer through either the Ethernet port or the serial
console. The following procedure enables you to configure the appliance by connecting it to your computer through the
Ethernet port.
If you want to configure the appliance by connecting it to the computer through the serial console, assign the
management service IP address from your Worksheet by completing the Assigning a Management IP Address through
the Serial Console procedure, and then run steps 4 through 25 of the following procedure.
Note: Make sure that you have physical access to the appliance.
To configure the appliance by connecting a computer to the CloudBridge appliances Ethernet port 0/1
1. Set the Ethernet port address of a computer (or other browser-equipped device with an Ethernet port), to
192.168.100.50, with a network mask of 255.255.0.0. On a Windows device, this is done by changing the Internet
Protocol Version 4 properties of the LAN connection, as shown below. You can leave the gateway and DNS server
fields as blank.
2. Using an Ethernet cable, connect this computer to the port labeled MGMT on a CloudBridge 1000 appliance with
Windows Server, or to the port labeled PRI on a CloudBridge 2000 appliance with Windows Server.
3. Switch on the appliance. Using the web browser on the computer, access the appliance by using the default
management service IP address http://192.168.100.1.
4. On the login page, use the following default credentials to log on to the appliance:
Username: nsroot
Password: nsroot.
5. Start the configuration wizard by clicking Get Started.
6. On the Platform Configuration page, enter the respective values from your worksheet, as shown in the following
example:
citrix.com 269
Note: If, for CloudBridge configuration, you want to use the same network mask and gateway as those for Network
Configuration, select the Use System Netmask and Gateway option.
7. Click Done. A screen showing the Installation in Progress message appears. This process takes
approximately 2 to 5 minutes, depending on your network speed.
Note: If you are configuring the appliance by connecting it to your computer through the serial console port, skip step 8
through step 14.
8. A Redirecting to new management IP message appears.
9. Click OK.
10. Unplug your computer from the Ethernet port and connect the port to your management network.
11. Reset the IP address of your computer to its previous setting.
12. From a computer on the management network, log on to the appliance by entering the new Management Service IP
address, such as https://<Managemnt_IP_Address>, in a web browser.
13. To continue the configuration, accept the certificate and continue. The option to continue varies according to the web
browser you are using.
14. Log on to the appliance by using the nsroot user name and the password from your worksheet.
15. The Configuration wizard starts again. In this wizard, some of the values which you have already provided, appear by
default. Specify rest of the values you have recorded in your worksheet.
16. If you want to manage the appliance through Command Center, specify the Command Center IP address, port, and
registration password in the Command Center Configuration page. Otherwise, skip this step.
17. In System Services section, update the values if necessary.
18. In the Licensing section, select the appropriate license type. You can either select a local license or a remote license
server to apply a license to the appliance.
a. If you opt for a local license, you must generate a license by using the host ID of the appliance. To generate a
local license for the appliance, see http://support.citrix.com/article/ctx131110. To apply the license, you can
navigate to the CloudBridge > Configuration > Appliance Settings > Licensing page, after completing the
Configuration wizard.
b. If you opt for a remote licensing server, you must select a remote appliance model and provide the IP address
of the licensing server in the Licensing Server Address field.
19. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix
recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
20. By default, WAN-side adapter settings are configured on the appliance. Accept the default settings.
21. Click Install. After the Installation process is complete, the appliance restarts.
22. As soon as the appliance restarts, the Dashboard page appears.
23. To configure the appliance to accelerate the network traffic, open navigate to the Configuration tab.
Note: Make sure that you have already applied the appropriate license to the appliance.
24. On the Network Adapters page of the Appliance Settings node, verify and, if necessary, assign IP addresses, subnet
masks, and gateways to the accelerated bridges (apA and apB) to be used. Applying these changes restarts the
appliance.
Note: You need to assign IP addresses to apA and apB adapters only if you intended to configure WCCP mode,
virtual inline mode, or the Video Caching feature on the appliance.
25. The Initial Configuration is complete. Traffic now flows through the appliance. The Dashboard page shows this traffic.
citrix.com 270
26. You need additional configuration on the appliance if you intend to use some of the modes and features, such as
WCCP mode, virtual inline mode, video caching, secure peering, high availability, encrypted CIFS/MAPI acceleration,
AppFlow monitoring, or SNMP monitoring.
Note:
Inline installations place the appliance between your LAN and WAN routers, using both ports of the
accelerated bridge, such as ports LAN1 and WAN1 on a CloudBridge 1000 appliance with Window Server or
ports 1/1 and 1/2 on CloudBridge 2000 appliance with Windows Server, for the apA accelerated bridge port.
WCCP and virtual inline installations connect a single accelerated bridge port to your WAN router.
Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See
Router Configuration.
WCCP installations require configuration of your router and the appliance. See WCCP Mode.
citrix.com 271
Assigning a Management IP Address through the Serial Console
If you do not want to change the settings of your computer, you can perform initial configuration by connecting the
appliance to your computer with a serial null modem cable. Make sure that you have physical access to the appliance.
To configure the appliance through the serial console
Username: nsroot
Password: nsroot.
5. At the $ prompt, run the following command to switch to the shell prompt of the appliance:
$ ssh 169.254.0.10
6. Enter Yes to continue connecting to the management service.
7. Log on to the shell prompt of the appliance with the following default credentials:
Password: nsroot.
8. At the logon prompt, run the following command to open the Management Service Initial Network Address
Configuration menu:
# networkconfig
9. Type 1 and press Enter to select option 1, and specify a new management IP address for the management service.
10. Type 2 and press Enter to select option 2, and specify a new management IP address for the XenServer server.
11. Type 3 and press Enter to select option 3, and then specify the network mask for the management service IP
address.
12. Type 4 and press Enter to select option 4, and then specify the default gateway for the management service IP
address.
13. Type 8 and press Enter to save the settings and exit.
14. Access the CloudBridge appliance by entering the new management service IP address of the appliance, such as
https://<Management_Service_IP_Address>, in a web browser of a computer on the management network.
15. To continue the configuration, accept the certificate and continue. The option to continue varies according to the web
browser you are using.
16. Run steps 4 through 25 of the Configuring the Appliance by Connecting a Computer to the Ethernet Port procedure to
complete the configuration process
citrix.com 272
Deployment Modes
A CloudBridge appliance acts as a virtual gateway. It is neither a TCP endpoint nor a router. Like any gateway, its job is
to buffer incoming packets and put them onto the outgoing link at the right speed. This packet forwarding can be done in
different ways, such as inline mode, virtual inline mode, and WCCP mode. Although these methods are called modes,
you do not have to disable one forwarding mode to enable another. If your deployment supports more than one mode,
the mode that the appliance uses is determined automatically by the Ethernet and IP format of each packet.
Because the appliance supports different forwarding modes and different kinds of non-forwarded connections, it needs
a way of distinguishing one kind of traffic from another. It does so by examining the destination IP address and
destination Ethernet address (MAC address), as shown in table below. For example, in inline mode, the appliance is
acting as a bridge. Unlike other traffic, bridged packets are addressed to a system beyond the appliance, not to the
appliance itself. The address fields contain neither the appliance's IP address nor the appliance's Ethernet MAC
address.
In addition to pure forwarding modes, the appliance has to account for additional types of connections, including
management connections to the GUI and the heartbeat signal that passes between members of a high-availability pair.
For completeness, these additional traffic modes are also listed in table below.
Table 1. How Ethernet and IP Addresses Determine the Mode
Destination IP Destination Ethernet Address Mode
Address
Not appliance Not appliance Inline or Pass-through
Not appliance Appliance Virtual Inline or L2 WCCP
Appliance Appliance Direct (UI access)
Appliance (VIP) Appliance High-Availability. Proxy mode
Appliance (WCCP Appliance WCCP GRE Mode
GRE Packet)
Appliance (Signaling Appliance Signaling Connection (CloudBridge plugin Signaling
IP) Connection (CloudBridge plugin, Secure Peer) or
Redirector Mode Connection (CloudBridge plugin)
All modes can be active simultaneously. The mode used for a given packet is determined by the Ethernet and IP
headers.
The forwarding modes are:
Inline mode, in which the appliance transparently accelerates traffic flowing between its two Ethernet ports.
In this mode, the appliance appears (to the rest of the network) to be an Ethernet bridge. Inline mode is
recommended, because it requires the least configuration.
WCCP mode, which uses the WCCP v. 2.0 protocol to communicate with the router. This mode is easy to
configure on most routers. WCCP has two variants: WCCP-GRE and WCCP-L2. WCCP-GRE encapsulates
the WCCP traffic within generic routing encapsulation (GRE) tunnels. WCCP-L2 uses un-encapsulated
network Layer 2 (Ethernet) transport.
Virtual inline mode, in which a router sends WAN traffic to the appliance and the appliance returns it to the
router. In this mode, the appliance appears to be a router, but it uses no routing tables. It sends the return
traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed WCCP
operation are not practical.
Group mode, which allows two appliances to operate together to accelerate a pair of widely separated
WAN links.
High availability mode, which allows to appliances to operate as an active/standby high availability pair. If
the primary appliance fails, the secondary appliance takes over.
Pass-through traffic refers to any traffic that the appliance does not attempt to accelerate. It is a traffic
category, not a forwarding mode.
Direct access, where the appliance acts as an ordinary server or client. The GUI and CLI are examples of
direct access, using the HTTP, HTTPS, SSH, or SFTP protocols. Direct access traffic can also include the
NTP and SNMP protocols.
Appliance-to-appliance communication, which can include signaling connections (used in secure peering
and by the CloudBridge plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE
tunnels (used by group mode).
citrix.com 273
Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used
in new installations.
citrix.com 274
Customizing the Ethernet ports
A typical appliance has four Ethernet ports: two accelerated bridged ports, called accelerated pair A (apA.1 and apA.2),
with a bypass (fail-to-wire) relay, and two unaccelerated motherboard ports, called Primary and Aux1. The bridged ports
provide acceleration, while the motherboard ports are sometimes used for secondary purposes. Most installations use
only the bridged ports.
Some CloudBridge units have only the motherboard ports. In this case, the two motherboard ports are bridged.
The appliances user interface can be accessed by a VLAN or non-VLAN network. You can assign a VLAN to any
of the appliances bridged ports or motherboard ports for management purposes.
Figure 1. Ethernet Ports
Port List
The ports are named as follows:
Table 1. Ethernet Port Names
Motherboard port 1 Primary (or apA.1 if no bypass card is present)
Motherboard port 2 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present)
Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2)
Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2)
citrix.com 275
Port Parameters
Each bridge and motherboard port can be:
Enabled or disabled
Assigned an IP address and subnet mask
Assigned a default gateway
Assigned to a VLAN
Set to 1000 Mbps, 100 Mbps, or 10 Mbps
Set to full duplex, half-duplex, or auto (on CloudBridge 4000/5000 appliances, some ports can be set to 10
Gbps)
All of these parameters except the speed/duplex setting are set on the Configuration: IP Address page. The
speed/duplex settings are set on the Configuration: Interface page.
Notes about parameters:
citrix.com 276
Accelerated Bridges (apA and apB)
Every appliance has at least one pair of Ethernet ports that function as an accelerated bridge, called apA (for
accelerated pair A). A bridge can act in inline mode, functioning as a transparent bridge, as if it were an Ethernet switch.
Packets flow in one port and out the other. Bridges can also act in one arm mode, in which packets flow in one port and
back out the same port.
An appliance that has a bypass card maintains network continuity if a bridge or appliance malfunctions.
Some units have more than one accelerated pair, and these additional accelerated pairs are named apB, apC, and so
on.
Bypass Card
If the appliance loses power or fails in some other way, an internal relay closes and the two bridged ports are electrically
connected. This connection maintains network continuity but makes the bridge ports inaccessible. Therefore you might
want to use one of the motherboard ports for management access.
Caution: Do not enable the Primary port if it is not connected to your network. Otherwise, you cannot access the appliance,
as explained in Ethernet Bypass and Link-Down Propagation
Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances
with bypass cards for all inline deployments.
The bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly
wired installations.
Important: Bypass installations must be tested - Improper cabling might work in normal operation but not in bypass mode.
The Ethernet ports are tolerant of improper cabling and often silently adjust to it. Bypass mode is hard-wired and has no such
adaptability. Test inline installations with the appliance turned off to verify that the cabling is correct for bypass mode.
When it is time for the appliance to send a packet for a given connection, the packet is sent over the same bridge from
which the appliance received the most recent input packet for that connection. Thus, the appliance honors whatever link
decisions are made by the router, and automatically tracks the prevailing load-balancing or main-link/failover-link
algorithm in real time. For non-load-balanced links, the latter algorithm also ensures that packets always use the correct
bridge.
citrix.com 277
Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass
through both appliances.
citrix.com 278
Motherboard Ports
Although the Ethernet ports on a bypass card are inaccessible when the bypass relay is closed, the motherboard ports
remain active. You can sometimes access a failed appliance through the motherboard ports if the bridged ports are
inaccessible.
citrix.com 279
VLAN Support
A virtual local area network (VLAN) uses part of the Ethernet header to indicate which virtual network a given Ethernet
frame belongs to. CloudBridge appliances support VLAN trunking in all forwarding modes (inline, WCCP, virtual inline,
and group mode). Traffic with any combination of VLAN tags is handled and accelerated correctly.
For example, if one traffic stream passing through the accelerated bridge is addressed to 10.0.0.1, VLAN 100, and
another is addressed to 10.0.0.1, VLAN 111, the appliance knows that these are two distinct destinations, even though
the two VLANs have the same IP address.
You can assign a VLAN to all, some, or none of the appliance's Ethernet ports. If a VLAN is assigned to a port, the
management interfaces (GUI and CLI) listen only to traffic on that VLAN. If no VLAN is assigned, the management
interfaces listen only to traffic without a VLAN. This selection is made on the Configuration: Appliance Settings: Network
Adapters: IP Addresses tab.
citrix.com 280
Inline Mode
In inline mode, traffic passes into one of the appliance's Ethernet ports and out of the other. When two sites with inline
appliances communicate, every TCP connection passing between them is accelerated. All other traffic is passed
through transparently, as if the appliance were not there.
Figure 1. Inline mode, Accelerating All Traffic on a WAN
Note: Any TCP-based traffic passing through both units is accelerated. No address translation, proxying, or per-site setup is
required. Inline mode is auto-detecting and auto-configuring.
Configuration is minimized with inline mode, because your WAN router need not be aware of the appliance's existence.
Depending on your configuration, inline mode's link-down propagation can affect management access to the appliance if
a link goes down.
Inline mode is most effective when applied to all traffic flowing into and out of a site, but it can be used for only some of
the site's traffic.
citrix.com 281
Ethernet Bypass and Link-Down Propagation
Note: Link-Down propagation was added to the CloudBridge 2000, 3000, 4000, and 5000 appliances with the 7.2.1 release.
Most appliance models include a "fail-to-wire" (Ethernet bypass) feature for inline mode. If power fails, a relay closes
and the input and output ports become electrically connected, allowing the Ethernet signal to pass through from one
port to the other as if the appliance were not there. In fail-to-wire mode, the appliance looks like a cross-over cable
connecting the two ports.
Any failure of the appliance hardware or software also closes the relay. When the appliance is restarted, the bypass
relay remains closed until the appliance is fully initialized, maintaining network continuity at all times. This feature is
automatic and requires no user configuration.
When the bypass relay is closed, the appliance's bridge ports are inaccessible.
If carrier is lost on one of the bridge ports, the carrier is dropped on the other bridge port to ensure that the link-down
condition is propagated to the device on the other side of the appliance. Units that monitor link state (such as routers)
are thus notified of conditions on the other side of the bridge.
Link-down propagation has two operating modes:
If the Primary port is not enabled, the link-down state on one bridge port is mirrored briefly on the other
bridge port, and then the port is re-enabled. This allows the appliance to be reached through the still-
connected port for management, HA heartbeat, and other tasks.
If the Primary port is enabled, the appliance assumes (without checking) that the Primary port is used for
management, HA heartbeat, and other tasks. The link-down condition on one bridge port is mirrored
persistently on the other port, until carrier is restored or the unit is rebooted. This is true even if the Primary
port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the
default) when not in use.
citrix.com 282
Accelerating an Entire Site
Inline mode, Accelerating All Traffic on a WAN shows a typical configuration for inline mode. For both sites, the
appliances are placed between the LAN and the WAN, so all WAN traffic that can be accelerated is accelerated. This is
the simplest method for implementing acceleration, and it should be used when practical.
Because all the link traffic is flowing through the appliances, the benefits of fair queuing and flow control prevent the link
from being overrun.
In IP networks, the bottleneck gateway determines the queuing behavior for the entire link. By becoming the bottleneck
gateway, the appliance gains control of the link and can manage it intelligently. This is done by setting the bandwidth
limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even
at full link utilization.
citrix.com 283
Partial-Site Acceleration
To reserve the appliance's accelerated bandwidth for a particular group of systems, such as remote backup servers, you can
install the appliance on a branch network that includes only those systems. This is shown in the following figure.
Figure 1. Inline Mode, Accelerating Selected Systems Only
CloudBridge traffic shaping relies on controlling the entire link, so traffic shaping is not effective with this topology,
because the appliance sees only a portion of link traffic. Latency control is up to the bottleneck gateway, and interactive
responsiveness can suffer.
citrix.com 284
Configuring and Troubleshooting Inline Mode
Inline mode requires only basic configuration, because it is applied automatically to any packets passing through the
accelerated bridge. Troubleshooting is described under .
citrix.com 285
WCCP Mode
Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended
only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such
as Citrix CloudBridge appliances.
WCCP mode is the simplest way of installing a CloudBridge appliance when inline operation is impractical. It is also
useful where asymmetric routing occurs, that is, when packets from the same connection arrive over different WAN
links. In WCCP mode, the routers use the WCCP 2.0 protocol to divert traffic through the appliance. Once received by
the appliance, the traffic is treated by the acceleration engine and traffic shaper as if it were received in inline mode.
Note:
For the purposes of this discussion, WCCP version 1 is considered obsolete and only WCCP version 2 is
presented.
The standard WCCP documentation calls WCCP clients caches. To avoid confusion with actual
caches, Citrix generally avoids calling a WCCP client a cache. Instead, WCCP clients are typically
called appliances.
This discussion uses the term router to indicate WCCP-capable routers and WCCP-capable
switches. Though the term router is used here, some high-end switches also support WCCP, and
can be used with CloudBridge appliances.
WCCP is the original CloudBridge WCCP offering supported since release 3.x. It supports a single appliance
service group (no clustering).
WCCP clustering, introduced in release 7.2, allows your router to load-balance traffic between multiple
appliances.
A WCCP-mode appliance requires only a single Ethernet port. The appliance should either be deployed on a dedicated
router port (or WCCP-capable switch port) or isolated from other traffic through a VLAN. Do not mix inline and WCCP
modes.
The following figure shows how a router is configured to intercept traffic on selected interfaces and forward it to the
WCCP-enabled appliance. Whenever the WCCP-enabled appliance is not available, the traffic is not intercepted, and is
forwarded normally.
Figure 1. WCCP Traffic Flow
Traffic Encapsulation
WCCP allows traffic to be forwarded between the router and the appliance in either of the following modes:
L2 ModeRequires that the router and appliance be on the same L2 segment (typically an Ethernet
segment). The IP packet is unmodified, and only the L2 addressing is altered to forward the packet. In many
devices, L2 forwarding is performed at the hardware layer, giving it the maximum performance. Because of
its performance advantage, L2 forwarding is the preferred mode, but not all WCCP-capable devices support
it.
citrix.com 286
GRE ModeGeneric Routing Encapsulation (GRE) is a routed protocol and the appliance can in theory be
placed anywhere, but for performance it should be placed close to the router, on a fast, uncongested path
that traverses as few switches and routers as possible. GRE is the original WCCP mode. A GRE header is
created and the data packet is appended to it. The receiving device removes the GRE header. With
encapsulation, the appliance can be on a subnet that is not directly attached to the router. However, both the
encapsulation process and the subsequent routing add CPU overhead to the router, and the addition of the
28-byte GRE header can lead to packet fragmentation, which adds additional overhead.
WCCP mode supports multiple routers and both GRE vs. L2 forwarding. Each router can have multiple WAN links. Each
link can have its own WCCP service group.
Traffic shaping is not effective unless the appliance manages UDP traffic as well as TCP traffic. A second service group,
with a UDP service group for each WAN link, is recommended if traffic shaping is desired.
Multiple service groups can be used with WCCP on the same appliance. For example, the appliance can receive
service-group 51 traffic from one WAN link and service-group 62 traffic from another WAN link. The appliance also
supports multiple routers. It is indifferent to whether all the routers use the same service group or different routers use
different service groups.
Service Group Tracking. If a packet arrives on one service group, output packets for the same connection are sent on
the same service group. If packets arrive for the same connection on multiple service groups, output packets track the
most recently seen service group for that connection.
citrix.com 287
When WCCP is used with high-availability mode, the primary appliance sends its own apA or apB management IP
address, not the virtual address of the HA pair, when it contacts the router. If failover occurs, the new primary appliance
contacts the router automatically, reestablishing the WCCP channel. In most cases the WCCP timeout period and the
HA failover time overlap. As a result, the network outage is less than the sum of the two delays.
Standard WCCP allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the
router, it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It
periodically checks to determine whether the service group is still active with the other appliance, and the new appliance
handles the service group when the other appliance becomes inactive. WCCP clustering allows multiple appliances per
service group.
Deployment Topology
The following figure shows a simple WCCP deployment, suitable for either L2 or GRE. The traffic port (1/1) is connected
directly to a dedicated router port (Gig 4/12).
Figure 3. Simple WCCP deployment
In this example, the CloudBridge 4000/5000 is deployed in one-arm mode, with the traffic port (1/1) and the
management port (0/1) each connecting to its own dedicated router port.
On the router, WCCP is configured with identical ip wccp redirect in statements on the WAN and LAN ports.
Two service groups are used, 71 and 72. Service group 71 is used for TCP traffic and service group 72 is used for UDP
traffic. The CloudBridge appliance does not accelerate UDP traffic, but can apply traffic shaping policies to it.
Note: The WCCP specification does not allow protocols other than TCP and UDP to be forwarded, so protocols such as
ICMP and GRE always bypass the appliance.
WCCP Clustering
CloudBridge release 7.2 or later supports WCCP clustering, which enables your router to load-balance your traffic
between multiple appliances. For more information about deploying CloudBridge appliances as a cluster, see WCCP
Clustering.
WCCP Specification
For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.
org/html/draft-mclaggan-wccp-v2rev1-00.
citrix.com 288
WCCP Mode (Non-Clustered)
WCCP mode allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the router,
it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It periodically
checks to determine whether the service group is still active with the other appliance, and the new appliance handles
the service group when the other appliance becomes inactive.
Note: WCCP clustering allows multiple appliances per service group.
On appliances with more than one accelerated pair, all the traffic for a given WCCP service group must
arrive on the same accelerated pair.
Do not mix inline and WCCP traffic on the same appliance. The appliance does not enforce this guideline,
but violating it can cause difficulties with acceleration. (WCCP and virtual inline modes can be mixed, but
only if the WCCP and virtual inline traffic are coming from different routers.)
For sites with a single WAN router, use WCCP whenever inline mode is not practical.
Only one appliance is supported per service group. If more than one appliance attempts to connect to the
same router with the same service group, the negotiation will succeed only for the first appliance.
For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one,
some, or all of your WAN routers. Other routers can use virtual inline mode.
citrix.com 289
Router Support for WCCP
Configuring the router for WCCP is very simple. WCCP version 2 support is included in all modern routers, having been
added to the Cisco IOS at release 12.0(11)S and 12.1(3)T. The best router-configuration strategy is determined by the
characteristics of your router and switches. Traffic shaping requires two service groups.
If your router supports Reverse Path Forwarding, you must disable it on all ports, because it can confuse WCCP traffic
with spoofed traffic. This feature is found in newer Cisco routers such as the Cisco 7600.
On the WAN port only, add a WCCP redirect in statement and a WCCP redirect out
statement.
On every port on the router, except the port attached to the appliance, add a WCCP redirect in
statement.
The first method redirects only WAN traffic to the appliance, while the second method redirects all router traffic to the
appliance, whether it is WAN related or not. On a router with several LAN ports and substantial LAN-to-LAN traffic,
sending all traffic to the appliance can overload its LAN segment and burden the appliance with this unnecessary load.
If GRE is used, the unnecessary traffic can load down the router as well.
On some routers, the "redirect in" path is faster and puts less of a load on the router's CPU than does the "redirect out"
path. If necessary, this can be determined by direct experiment on your router: Try both redirection methods under full
network load to see which delivers the highest transfer rates.
Some routers and WCCP-capable switches do not support "WCCP redirect out," so the second method must be used.
To avoid overloading the router, the best practice to avoid redirecting large numbers of router ports through the
appliance, perhaps by using two routers, one for WAN routing and one for LAN-to-LAN routing.
citrix.com 290
Configuring the Router
The appliance negotiates WCCP-GRE or WCCP-L2 automatically. The main choice is between unicast operation (in
which the appliance is configured with the IP address of each router), or multicast operation (in which both the appliance
and the routers are configured with the multicast address.)
Normal (Unicast) operationFor normal operation, the procedure is to declare WCCP version 2 and the WCCP group ID
for the router as a whole, then enable redirection on each WAN interface. Following is a Cisco IOS example:
config term
ip wccp version 2
! We will configure the appliance to use group 51 for TCP and 52 for UDP.
ip wccp 51
ip wccp 52
If multiple routers are to use the same appliance, each is configured as shown above, using either the same service
groups or different ones.
Multicast operationWhen giving the appliance and each router a multicast address, the configuration is slightly different
than for normal operation. Following is a Cisco IOS example:
config term
ip wccp version 2
ip wccp 51 group-address 225.0.0.1
citrix.com 291
Basic Configuration Procedure for WCCP Mode on the CloudBridge Appliance
For most sites, you can use the following procedure to configure the WCCP mode on the appliance. The procedure has
you set several parameters to sensible default values. Advanced deployments might require that you set these
parameters to other values. For example, if WCCP service group 51 is already used by your router, you need to use a
different value for the appliance.
citrix.com 292
WCCP Service Group Configuration Details
In a service group, a WCCP router and a CloudBridge appliance ("WCCP Cache" in WCCP terminology) negotiate
communication attributes (capabilities). The router advertises its capabilities in the "I See You" message. The communication
attributes are:
The appliance triggers an alert if it detects an incompatibility between its attributes and those of the router. The
appliance might be incompatible because of a specific attribute of a service group (such as GRE or Level-2). More
rarely, in a multicast service group, an alert can be triggered when the "Auto" selection chooses a particular attribute
with a particular router connected, but the attribute is incompatible with a subsequent router.
Following are the basic rules for the communication attributes within a CloudBridge Appliance.
For Router Forwarding:
When Auto is selected, the preference is for Level-2, because it is more efficient for both router and
appliance. Level-2 is negotiated if the router supports it and the router is on the same subnet as the
appliance.
Routers in a unicast service group can negotiate different methods if Auto is selected.
Routers in a multicast service group must all use the same method, whether forced with GRE or
Level-2, or, with Auto, as determined by the first router in the service group to connect.
For an incompatibility, an alert announces that the router has incompatible router forwarding.
For the Mask method, the appliance negotiates the source IP address mask. The appliance
provides no mechanism to select destination IP address or the ports for either source or
destination. The source IP address mask does not specifically identify any specific IP address
or range. The protocol does not provide a means to specify a specific IP address. By default, because
there is only a single appliance in the service group, a one-bit mask is used, to conserve router
resources. (Release 6.0 used a larger mask.)
For Password:
If the router requires a password, the password defined on the appliance must match. If the router does not
require a password, the password field on the appliance must be blank.
citrix.com 293
WCCP Testing and Troubleshooting
When working with WCCP, the appliance provides different ways of monitoring the status of the WCCP interface, and
your router should also provide information.
Monitoring: Appliance Performance: WCCP PageThe WCCP page reports the current state of the WCCP link,
and reports most problems.
Log EntriesThe Monitoring: Appliance Performance: Logging page shows a new entry each time WCCP mode is
established or lost.
Figure 1. WCCP Log Entries (format varies somewhat with release)
Router StatusOn the router, the "show ip wccp" command shows the status of the WCCP link:
Router>enable
Password:
Router#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.16.2.4
Protocol Version: 2.0
Service Identifier: 51
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 19951
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
citrix.com 294
WCCP Clustering
The WCCP clustering feature enables you to multiply your acceleration capacity by assigning more than one
CloudBridge appliance to the same links. You can cluster up to 32 identical appliances, for up to 32 times the capacity.
Because it uses the WCCP 2.0 standard, WCCP clustering works on most routers and some smart switches, most likely
including those you are already using.
Because it uses a decentralized protocol, WCCP clustering allows CloudBridge appliances to be added or removed at
will. If an appliance fails, its traffic is rerouted to the surviving appliances.
Unlike CloudBridge high-availability, an active/passive pair that uses two appliances to provide the performance of a
single appliance, the same appliances deployed as a WCCP cluster has twice the performance of a single appliance,
delivering both redundancy and improved performance.
In addition to adding more appliances as your sites needs increase, you can use Citrixs Pay as You
Grow feature to increase your appliances capabilities through license upgrades.
Citrix Command Center is recommended for managing WCCP clusters. The following figure shows a basic network of a
cluster of CloudBridge appliances in WCCP mode, administered by using Citrix Command Center.
Figure 1. CloudBridge Cluster Administered by Using Citrix Command Center
One appliance in the cluster is selected as the designated cache, and controls the load-balancing behavior of the
appliances in the cluster. The designated cache is the appliance with the lowest IP address. Because the appliances
have identical configurations, it doesnt matter which one is the designated cache. If the current designated cache
goes offline, a different appliance becomes the designated cache.
The designated cache determines how the load-balanced traffic is allocated and informs the router of these decisions.
The router shares information with all members of the cluster, so the cluster can operate even if the designated cache
goes offline.
Note: As normally configured, a CloudBridge 4000/5000 appliance appears as two WCCP caches to the router.
Load-Balancing Algorithm
Load balancing in WCCP is static, except when an appliance enters or leaves the cluster, which causes the cluster to
be rebalanced among its current members.
citrix.com 295
The WCCP standard supports load balancing based on a mask or a hash. For example, CloudBridge WCCP
clustering uses the mask method only, using a mask of 1-6 bits of the 32-bit IP address. These address bits can
be non-consecutive. All addresses yielding the same result when masked are sent to the same appliance. Load
balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor
load-balancing or even none, with all traffic sent to a single appliance.
citrix.com 296
Deployment Topology
Depending on your network topology, you can deploy WCCP cluster either with a single router or with multiple routers.
Whether connected to a single router or multiple routers, each appliance in the cluster must be connected identically to
all routers in use.
As shown on the CloudBridge Datasheet, a CloudBridge 3000-100 can support 100 Mbps and 400 users, so a pair of
these appliances supports 200 Mbps and 800 users, which satisfies the datacenters requirements of a 200 Mbps
link and 750 users.
For fault tolerance, however, the WCCP cluster should continue to operate without becoming overloaded if one
appliance fails. That can be accomplished by using three appliances when the calculations call for two. This is called the
N+1 rule.
Failure is an unusual event, so usually all three appliances are in operation. In this case, each appliance is supporting
only 67 Mbps and 250 users, leaving plenty of headroom, and making good use of the fact that the cluster has three
times the CPU power and three times the compression history of a single appliance.
Without WCCP clustering, the same level of capacity and fault-tolerance would require a pair of CloudBridge 4000-500
appliances in high availability mode. Only one of these appliances is active at a time.
citrix.com 297
Limitations
Configuring appliances in a WCCP cluster has the following limitations:
All appliances within a cluster must be the same model and use the same software release.
Parameter synchronization between appliances within the cluster is not automatic. Use Command Center to
manage the appliances as a group.
CloudBridge traffic shaping is not effective, because it relies on controlling the entire link as a unit, and none
of the appliances are in a position to do this. Router QoS can be used instead.
The WCCP-based load-balancing algorithms do not vary dynamically with load, so achieving a good load
balance can require some tuning.
The hash method of cache assignment is not supported. Mask assignment is the supported method.
While the WCCP standard allows mask lengths of 1-7 bits, the appliance supports masks of 1-6 bits.
Multicast service groups are not supported; only unicast service groups are supported.
All routers using the same service group pair must support the same forwarding method (GRE or L2).
The forwarding and return method negotiated with the router must match: both must be GRE or both must
be L2. Some routers do not support L2 in both directions, resulting in an error of "Router's forward or return
or assignment capability mismatch." In this case, the service group must be configured as GRE.
CloudBridge VPX does not support WCCP clustering.
The appliance supports (and negotiates) only unweighted (equal) cache assignments. Weighted
assignments are not supported.
Some older appliances, such as the CloudBridge 700, do not support WCCP clustering.
(CloudBridge 4000/5000 only) Two accelerator instances are required per interface in L2 mode. No more
than three interfaces are supported per appliance (and then only on appliances with six or more accelerator
instances.)
(CloudBridge 4000/5000 only) WCCP control packets from the router must match one of the router IP
addresses configured on the appliance for the service group. In practice, the router's IP address for the
interface that connects it to the appliance should be used. The router's loopback IP should not be used.
citrix.com 298
Planning Your Deployment
Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the
following sections carefully before proceeding.
citrix.com 299
Selecting Appliances
The appliances you select for the deployment must all be the same model, running the same software version.
Otherwise, management and troubleshooting can become impractical.
Your appliance choice is generally made by comparing your sites WAN bandwidth and number of WAN users to
the capacities of the different appliances in the CloudBridge Data Sheet. For fault tolerance, always order one more
appliance than is absolutely required according to the data sheet.
The number of appliances you need is found as follows, rounding up all fractions:
Note that if appliances = 2, you can use just a single appliance instead of WCCP clustering, or an HA pair instead of
WCCP clustering, since the equation builds in a spare appliance. In other words, WCCP clustering is not necessary
(from a capacity perspective) unless appliances is 3 or more.
Example. Suppose you have 700 users and a 100 Mbps link. Some appliances you might consider are the CloudBridge
2000-050, the CloudBridge 3000-100, and the CloudBridge 4000-310.
Model Optimized WAN Capacity Maximum HDX Sessions Appliances_bw Appliances_users Appliances
2000- 50 Mbps 300 3 4 4
050
3000- 100 Mbps 400 2 3 3
100
4000- 310 Mbps 750 2 2 2
310
As you can see from the above table, the higher-performance platforms require fewer appliances to get the job done, as
you would expect. The CloudBridge 4000-310 meets the requirements with a single appliance, and evaluates to two
appliances only because the equations build in a spare.
You can always add more capacity by adding more appliances, but that is not always necessary. The bandwidth limits
of two of the three choices, the CloudBridge 3000-100 and the CloudBridge 4000-310, can be increased through a
license upgrade. The CloudBridge 2000-050 however, is already at the high end of the range for CloudBridge 2000
appliances.
citrix.com 300
Load-Balancing in the WCCP Cluster
Traffic is distributed among the appliances in the WCCP cluster. If an appliance leaves the cluster (through failure,
overload, or being manually disabled), its traffic is rebalanced by distributing it among the surviving members. If an
appliance joins the cluster, traffic is rebalanced once more to give the new appliance its fair share.
Traffic is distributed on the basis of an address mask that is applied to the source and destination addresses of WAN
traffic. You must select an appropriate mask field for efficient load-balancing. An inappropriate mask can result in load-
balancing that is poor to nonexistent. For example, if the mask matches an address field that is identical at all your
remote sites, all your WAN traffic is sent to a single appliance, overloading it. For example, if all of your remote sites
have an address in the form of 10.0.x.x, and your mask bits are within the 10.0 portion of the address all traffic is sent to
a single appliance.
The address bits extracted by the address mask are used as an index that is used (indirectly) to select one of the WCCP
caches (appliances). For example, an address mask with two one bits results in four possible values, depending on the
address. Each of these values can be thought of as a bucket. With two mask bits, you have four buckets, numbered 0-3. The
buckets are assigned to WCCP caches. To be effective, there must be at least as many buckets as caches. If you use a two-
bit mask and have five or more caches, some caches are idle, because each bucket is assigned to only one cache, and there
are not enough buckets to cover all five caches:
Cache 1 2 3 4 5
Buckets 0 1 2 3 -
If there are more buckets than caches, some caches are assigned multiple buckets. For example, if you set three mask bits,
creating eight buckets, and you have four caches, two buckets are assigned to each cache. If you have five caches, three
caches are assigned two buckets each, and two caches are assigned just one. If each bucket represents the same number of
users, you have a 2:1 load imbalance across caches:
Cache 1 2 3 4 5
Buckets 0-1 2-3 4-5 6 7
Increasing the number of set mask bits reduces this imbalance. With four mask bits (16 index values) and five caches, four
caches receive three buckets and one cache receives four buckets, resulting in only a 4:3 imbalance. With six set mask bits
(the largest number supported), four caches receive 13 buckets and one receives 12, which is only a 13:12 load imbalance.
Cache 1 2 3 4 5
Buckets 0-12 13-25 26-38 39-51 52-63
Ideally, you would like each remote site to be directed to a single appliance in the WCCP cluster, so that all traffic to and
from a given site is stored in the same compression history. With this arrangement, any traffic from one user at the site
can be used to compress similar traffic from any other user at that site. In other words, for compressibility, load-
balancing works best if it the address mask selects the bits that differentiate one remote site from another. These are
often the least-significant bits of the subnet portion of the IP address. Using these bits tends to allocate the same
number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of
the subnet results in a more equal number of remote users (not sites) per appliance, but at the expense of compression
effectiveness. (Compression is only effective when connections flow through the same appliances, and splitting traffic
from the same remote site between two or more local appliances interferes with this.)
Finally, for good load-balancing, each "one" bit in the address mask must be set to one on 50% of the remote
addresses, and set to zero on 50% of the remote addresses. This is not the case on all address bits, since in most
WANs, the highest-order network bits never change at all (such as the 10 in 10.x.x.x). Such bits must never be selected
by the address mask.
In addition, many subnets are only sparsely populated. For example, if only 50 addresses are used in the subnet
10.1.2.0/24, and they are assigned sequentially, the two higher-order host bits (representing the unused range of
10.1.2.64-10.1.2.255) for this subnet never change, and if these two bits are included in the address mask, three-fourths
of the buckets receive no traffic.
The number of one bits in the address mask must allow at least as many combinations as there are
WCCP caches in the cluster. That is, if you have eight appliances, the address mask must contain at least
three one bits.
The one bits in the address mask must each be inside the active address range for most of your
remote subnets, or they skew the load-balancing distribution.
citrix.com 301
The mask should split the address range of individual remote sites into as few pieces as possible, for best
compression performance.
If a remote appliance is faster than the local members of the WCCP cluster, the mask should be designed to
divide its traffic between multiple local appliances. For example, a 100 Mbps remote appliance should have
its traffic split between two 50 Mbps local appliances by setting a bit inside the remote appliances active
address range.
The one bits in the mask are typically contiguous, but this is not required. They can be in any
pattern.
Example: Suppose you set an address mask of 0x0000 0f00, which has four one bits. This defines a four-bit
field that is extracted from the IP address, yielding 16 possible results (16 buckets). These buckets are in turn assigned
to the actual WCCP caches in the WCCP cluster.
Address Masked Address (mask = 0x0000 0f00) Bucket
10.0.0.5 0.0.0.0 0
10.0.1.128 0.0.1.0 1
155.0.2.55 0.0.2.0 2
253.100.255.2 0.0.15.0 15
10.0.15.1 0.0.15.0 15
Zero bits in the mask are ignored, and the one bits are used to define the extracted field. So if the mask is 0x10
10 10 10, these widely separated one bits are extracted into a four-bit field, declaring 16 buckets and a bucket
numbers in the range of 0-15.
citrix.com 302
Assigning Buckets to Appliances
The mapping of bucket to appliances is subject to several variables:
Which appliances are available: If an appliance is down, its share of buckets are given to the available
appliance. If a new appliance is added to the cluster, it is given its fair share of buckets.
The mapping algorithm used (deterministic or least-disruptive).
The order in which appliances come online (least-disruptive mapping only).
The IP addresses of the appliances. WCCP algorithms can use a sorted list of appliance IP addresses; for
example, assigning buckets to appliances in the same order as the appliance IP addresses.
The most important of these factors, from an administrators point of view, is the mapping algorithm.
Deterministic mapping. The deterministic mapping algorithm is less graceful than the least-disruptive algorithm, but it
supports Hot Standby Router Protocol (HSRP) and Global Server Load Balancing (GSLB) routing, and is required when
multiple routers using such protocols share the WCCP cluster.
Deterministic mapping is also the preferred method when the cluster has only two appliances.
Assignments are based on the IP addresses of the active appliances. Each appliance gets its fair share of bucket, with
the lowest-numbered bucket being assigned to the appliance with the lowest IP address. If there are more appliances
than buckets, the leftover appliances (with no bucket assigned to them) are the ones with the highest-numbered IP
addresses. This deterministic assignment allows traffic to arrive for a single connection through any of the routers in the
service group and be forwarded to the same appliance.
Reassignment can be disruptive to accelerated connections, which are reset if they migrate to a different appliance.
With deterministic mapping, the number of buckets that are reassigned to new appliances can be quite high if there are
three or more appliances.
Least-disruptive mapping. When a bucket is assigned to a different appliance, any open accelerated connections that
used the old appliance is reset. The least-disruptive algorithm keeps the reassignment to a minimum. For example, if
you have three appliances, and one appliance fails, the new mapping preserves roughly two-thirds of the assignments
and remaps the remaining third (which fails anyway, because their appliance failed). The least-disruptive algorithm does
not support HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the
service group, and therefore, packets from a single connection might be sent to two different appliances by two different
routers, which causes accelerated connections to fail.
citrix.com 303
Startup and Failover Behavior
Each appliance registers itself with the routers specified in its service class definitions. The first appliance to register
itself, becomes the designated cache, and works with the routers to apportion traffic between itself and the other caches
(called subordinate caches). Because your appliances use identical WCCP algorithms, it does not matter which one
becomes the designated cache.
As additional appliances come online, they are added to the WCCP cluster, and the traffic is reapportioned among the
active appliances. This happens at ten-second increments. After a cold start of the routers or appliances, all of the
appliances might come online within the same ten-second window, or they might arrive over multiple ten-second
windows, causing traffic to be reapportioned multiple times before it stabilizes. In the latter case, the appliances that
come online first maycan become overloaded until additional appliances come online.
An accelerated connection fails when allocated to a different appliance, making reallocation disruptive. This is not true
of non-accelerated connections, which generally experience a delay of thirty seconds or more, and then continue. The
least-disruptive mapping option minimizes the amount of reallocation when an appliance fails.
If an appliance fails or otherwise goes offline, its absence is noted, and the designated cache reapportions its traffic to
the remaining appliances. If the designated cache itself goes offline, the role of designated cache is also reapportioned.
It takes about thirty seconds for the cluster to react to the loss of a cache.
citrix.com 304
Deployment Worksheet
On the following worksheet, you can calculate the number of appliances needed for your installation and the
recommended mask field size. The recommended mask size is 1-2 bits larger than the minimum mask size for your
installation.
Parameter Value Notes
Appliance Model Used
XenApp and XenDesktop Users on WAN Link Uwan =
User overload Factor Uoverload = Uwan/Uspec =
WAN Link BW BWwan =
BW Overload Factor BWoverload = BWwan/BWspec =
Min number of buckets Bmin = N, rounded up a power of 2
=
If CloudBridge 4000 or 5000, Bmin = 2*N, rounded up to a power
of 2 =
Recommended value B = 4 * Bmin if Bmin <= 16, else 2 *
Bmin =
Mask value: The mask value is a 32-bit address mask with a number of one bits equal to M in the above
worksheet. Often these bits can be the least-significant bits in the WAN subnet mask used by your remote sites. If the
masks at your remote sites vary, use the median mask. (Example: With /24 subnets, the least significant bits of the
subnet are 0x00 00 nn 00. The number of bits to set to one is log2(mask size): if mask size is 16, set four bits to one. So
with a mask size of 16 and a /24 subnet, set the mask value to 0x00 00 0f 00.): ______
The above guidelines work only if the selected subnet field is evenly distributed in your traffic, that is, that each address
bit selected by the mask is a one for half the remote hosts, and a zero for the other half. Otherwise, load-balancing is
impaired. This even distribution might be true for only a small number of bits in the network field (perhaps only two or
three bits). If this is the case with your network, instead of masking bits in the offending area of the subnet field, displace
those bits to a portion of the host address field that has the 50/50 property. For example, if only three subnet bits in a
/24 subnet have the 50/50 property, and you are using four mask bits, a mask of 0x00 00 07 10 avoids the offending bit
at 0x00 00 0800 and displaces it to 0x00 00 00 10, a portion of the address field that is likely to have the 50/50 property
if your remote subnets generally use at least 32 IP addresses each.
Parameter Value Notes
Final Mask Value
citrix.com 305
Accelerated Bridge Usually apA
WAN Service A service group not already in use on your router (51-255)
Group
LAN Service Group Another unused service group
Router IP address IP address of router interface on port facing the appliance
WCCP Protocol
(usually "Auto")
DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing
like HSRP or GSLB. Otherwise, use "Least Disruptive."
citrix.com 306
Configuring WCCP Clustering
After you have finalized the deployment topology, considered all limitations, and filled in the deployment worksheet, you
are ready to deploy your appliances in a WCCP cluster. To configure the WCCP cluster, you need to perform the
following tasks:
citrix.com 307
Configuring the Router
WCCP configuration on the router is simple, because most WCCP parameters are set by the appliances.
Unlike legacy CloudBridge WCCP support, WCCP clustering uses two service groups for TCP traffic. One service group
is used on the router's WAN interface, and the other is used on the router's LAN interfaces (except for the LAN interface
used by the CloudBridge appliances themselves, when deployed in L2-mode WCCP cluster).
As shown in the following figure, you need to configure two service groups because WCCP allows the mask to be
applied to either the source IP or the destination IP address, which is not quite what is required. To keep connections
between two endpoints together, regardless of which endpoint initiates the connection, the appliance applies the
address mask to the source IP address of incoming WAN traffic, and to the destination IP address of incoming LAN
traffic. This requires two service groups.
The WAN service group uses WCCP source-ip address masking, while the LAN service group uses dest-ip masking. In
some deployments, it may be necessary to reverse the assignments, using the WAN service group for your LAN
interface and vice versa. This might occur if the number of local IP addresses greatly exceeds the number of remote IP
addresses.
Figure 1. CloudBridge WCCP Cluster
Example. The following example uses service group 61 for the WAN service group and service group 62 for the LAN service
group. Three router interfaces are used. One is connected to the WAN, one is connected to the LAN, and one is connected to
the WCCP cluster.
!
! Example is for WCCP clustering using WCCP redirect in statements
! on LAN and WAN interfaces.
! This definition is appropriate for modern Cisco routers.
! Global declarations
ip wccp 61
ip wccp 62
!
interface GigabitEthernet1/1
description LAN interface. SG 62 is used for LAN
ip address 172.80.1.56 255.255.255.0
ip wccp 62 redirect in
!
interface GigabitEthernet1/2
description LAN interface attaching CloudBridge L2-WCCP appliances
description (No wccp redirect statements are used on this interface)
citrix.com 308
ip address 172.80.21.56 255.255.255.0
!
interface GigabitEthernet1/3
description WAN interface. SG 61 is used for WAN
ip address 172.80.22.56 255.255.255.0
ip wccp 61 redirect in
!
Note: If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in statement.
Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip wccp 61 redirect in
statement.
If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in
statement. Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip
wccp 61 redirect in statement.
If multiple routers shared the same WCCP cluster, they use the same service groups.
It is also possible to use ip wccp redirect statements on only the WAN interfaces:
In many routers, the ip wccp redirect out path is not optimized in hardware, but uses the CPU. If the routers
capabilities along this path exceeds the WAN speed, this method is practical, and is simpler than using redirect
statements on every interface.
Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address
might be allowed to be redirected through WCCP.
citrix.com 309
Configuring the Appliance
Repeat the following procedure for each appliance in the cluster:
6. Enter T5 from your worksheet as the Cache 1 IP, T6 as the Cache 2 IP, T2 as the Subnet Mask, and T1 as the
Gateway. Click Save. The Configure Service Group section appears.
7. In the Service Group Details section, specify the WAN and LAN service groups (T11 and T12 from your worksheet).
8. In the Priority field, select 100 (in practice this value is somewhat arbitrary).
9. From the Protocol list, select TCP.
10. In the DC Algorithm field, select Deterministic or Least Disruptive. Deterministic is always safe to use, and
should be used if you are using only two appliances, or are using multiple routers. Least Disruptive disrupts
fewer user sessions on failover when used with clusters of three or more appliances, but has restrictions on its use.
11. Set Service Group Pair Status to On.
12. If your router is configured to require a password, enter the password in the Service Group Password field.
Otherwise, leave the field blank.
13. In the Router Communications Details section, enter the IP address of the router (T8 on your worksheet: often
identical to T1 as well). This is the IP address of the appliance-facing router interface. If you use multiple routers to
communicate with the appliance, list them all here.
14. From the Router Forwarding list, select Level 2 or GRE, according to the capabilities of your router. Use Level 2 if you
can, and GRE if you must.
15. For the Mask Value, enter the value you determined from the WCCP Clustering worksheet. This is a critical value: a
poor choice will result in poor load-balancing or none at all.
16. Click Create. This creates the WAN and LAN service groups.
17. On the Configuration > Optimization Rules > Link Definitions page, change the bandwidth limits on each defined WAN
to 95% of the aggregate speed of all your WANs. This prevents the link from being under-utilized when load-balancing
is imperfect. If ICA (XenApp/XenDesktop) is the dominant use, set each appliance to (95% of WAN bandwidth)/N,
where N is the number of appliances (or twice the number of appliances if they are CloudBridge 4000 or 5000 units),
citrix.com 310
to divide the bandwidth equally among the appliances. This latter method is most appropriate for applications with
large numbers of active connections that have relatively low bandwidth requirements.
citrix.com 311
Testing and Troubleshooting
The Monitoring > Appliance > Application Performance > WCCP page shows the current state of not only the local
appliance but of all other appliances that have joined the cluster. Select a WCCP cache and click Get Info.
The Cache Status tab shows the local appliances status. When all is well, the status is 25: has
assignment. You must refresh the page manually to monitor changes in status. If the appliance does not reach the
status of 25: has assignment within a timeout period, other informative status messages are displayed.
Additional information is displayed when you click on the Service Group or the Routers tabs.
The Cluster Summary tab displays information about the WCCP cluster as a whole. As a side effect of the WCCP
protocol, each member of the cluster has information about all the others, so this information can be monitored from any
appliance in the cluster.
Your router can also provide status information. See your router documentation.
citrix.com 312
Virtual Inline Mode
Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline
modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix
does not recommend virtual inline mode with routers that do not support health monitoring.
In virtual inline mode, the router uses policy based routing (PBR) rules to redirect incoming and outgoing WAN traffic to
the appliance for acceleration, and the appliance forwards the processed packets back to the router. Almost all of the
configuration tasks are performed on the router. The only thing to be configured on the appliance is the forwarding
method, and the default method is recommended.
Like WCCP, Virtual inline deployment requires no rewiring and no downtime, and it provides a solution for asymmetric
routing issues faced in a deployment with two or more WAN links. Unlike WCCP, it contains no built-in status monitoring
or health checking, making troubleshooting difficult. WCCP is thus the recommended mode, and virtual inline is
recommended only when inline and WCCP modes are both impractical.
Example
The following figure shows a simple network in which all traffic destined for or received from the remote site is redirected
to the appliance. In this example, both the local site and remote site use virtual inline mode.
Figure 1. Virtual Inline Example
Following are some configuration details for the network in this example:
Endpoint systems have their gateways set to the local router (which is not unique to virtual inline mode).
Each router is configured to redirect both incoming and outgoing WAN traffic to the local appliance.
Each appliance processes the traffic received from its local router and forwards it back to the router.
PBR rules configured on the router prevent routing loops by allowing packets to make only one trip to and
from the appliance. The packets that the appliance forwards back to the router are sent to their original (local
or remote) destination.
Each appliance has its default gateway set to the address of the local router, as usual (on the
Configuration: Network Adapters page). The options for forwarding packets back to the router are Return
to Ethernet Sender and Send to Gateway.
citrix.com 313
Configuring Packet Forwarding on the Appliance
Virtual inline mode offers two packet-forwarding options:
Return to Ethernet Sender (default)This mode allows multiple routers to share an appliance. The appliance
forwards virtual inline output packets back to where they came from, as indicated by the Ethernet address of the
incoming packet. If two routers share a single appliance, each gets its own traffic back, but not the traffic from the other
router. This mode also works with a single router.
Send to Gateway (not recommended)In this mode, virtual inline output packets are forwarded to the default
gateway for delivery, even if they are destined for hosts on the local subnet. This option is usually less desirable than
the Return to Ethernet Sender option, because it adds an easily forgotten element of complexity to the routing structure.
To specify the packet-forwarding optionOn the Configuration: Optimization Rules: Tuning page, next to Virtual
Inline, select Return to Ethernet Sender or Send to Gateway.
citrix.com 314
Router Configuration
The router has three tasks when supporting virtual inline mode:
1. It must forward both incoming and outgoing WAN traffic to the CloudBridge appliance.
2. It must forward CloudBridge traffic to its destination (WAN or LAN).
3. It must monitor the health of the CloudBridge appliance so that the appliance can be bypassed if it fails.
Policy-Based Rules
In virtual inline mode, the packet forwarding methods can create routing loops if the routing rules do not distinguish
between a packet that has been forwarded by the appliance and one that has not. You can use any method that makes
that distinction.
A typical method involves dedicating one of the router's Ethernet ports to the appliance and creating routing rules that
are based on the Ethernet port on which packets arrive. Packets that arrive on the interface dedicated to the appliance
are never forwarded back to the appliance, but packets arriving on any other interface can be.
The basic routing algorithm is:
Note: When considering routing options, keep in mind that returning data, not just outgoing data, must flow through the
appliance. For example, placing the appliance on the local subnet and designating it as the default router for local systems
does not work in a virtual inline deployment. Outgoing data would flow through the appliance, but incoming data would
bypass it. To force data through the appliance without router reconfiguration, use inline mode.
Health Monitoring
If the appliance fails, data should not be routed to it. By default, Cisco policy based routing does no health monitoring. To
enable health monitoring, define a rule to monitor the appliance's availability, and specify the "verify-availability" option for the
"set ip next-hop" command. With this configuration, if the appliance is not available, the route is not applied, and the
appliance is bypassed.
Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-
based routing do not support health-checking. The health-monitoring feature is relatively new. It became available in Cisco
IOS release 12.3(4)T.
Following is an example of a rule for monitoring the availability of the appliance:
!- Use a ping (ICMP echo) to see if appliance is connected track 123 rtr 1 reachabilit y ! rt
This rule pings the appliance at 192.168.1.200 periodically. You can test against 123 to see if the unit is up.
citrix.com 315
Routing Examples
The following examples illustrate configuring Cisco routers for the local and remote sites shown in Virtual inline example
. To illustrate health monitoring, the configuration for the local site includes health monitoring, but the configuration for
the remote site does not.
Note: The configuration for the local site assumes that a ping monitor has already been configured.
The examples conform to the Cisco IOS CLI. They might not be applicable to routers from other vendors.
Local Site, Health-Checking Enabled
!
! For health-checking to work, do not forget to start
! the monitoring process.
!
! Original configuration is in normal type.
! appliance-specific configuration is in bold.
!
ip cef
!
interface FastEthernet0/0
ip address 10.10.10.5 255.255.255.0
ip policy route-map client_side_map
!
interface FastEthernet0/1
ip address 172.68.1.5 255.255.255.0
ip policy route-map wan_side_map
!
interface FastEthernet1/0
ip address 192.168.1.5 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.1.1
!
ip access-list extended client_side
permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
ip access-list extended wan_side
permit ip 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map wan_side_map permit 20
match ip address wan_side
!- Now set the appliance as the next hop, if its up.
set ip next-hop verify-availability 192.168.1.200 20 track 123
!
route-map client_side_map permit 10
match ip address client_side
set ip next-hop verify-availability 192.168.1.200 10 track 123
citrix.com 316
permit ip 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended wan_side
permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
!
route-map wan_side_map permit 20
match ip address wan_side
set ip next-hop 192.168.2.200
!
route-map client_side_map permit 10
match ip address client_side
set ip next-hop 192.168.2.200
!_
Each of the above examples applies an access list to a route map and attaches the route map to an interface. The
access lists identify all traffic originating at one accelerated site and terminating at the other (A source IP of 10.10.10.0
/24 and destination of 20.20.20.0/24 or vice versa). See your router's documentation for the details of access lists and
route-maps.
This configuration redirects all matching IP traffic to the appliances. If you want to redirect only TCP traffic, you can change
the access-list configuration as follows (only the remote side's configuration is shown here):
!
ip access-list extended client_side
permit tcp 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended wan_side
permit tcp 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
!
Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a
wildcard mask in binary, "1" is considered a "don't care" bit.
citrix.com 317
Virtual Inline for Multiple-WAN Environments
Enterprises with multiple WAN links often have asymmetric routing policies, which seem to require that an inline
appliance be in two places at once. Virtual inline mode solves the asymmetric routing problem by using the router
configuration to send all WAN traffic through the appliance, regardless of the WAN link used. The below figure shows a
simple multiple-WAN link deployment example.
The two local-side routers redirect traffic to the local appliance. The FE 0/0 ports for both routers are in the same
broadcast domain as the appliance. The local appliance must use the default virtual inline configuration (Return to
Ethernet Sender).
Figure 1. Virtual Inline Mode With Two WAN Routers
citrix.com 318
Virtual Inline Mode and High-Availability
Virtual Inline mode can be used in a high availability (HA) configuration. The below figure shows a simple HA
deployment. In virtual inline mode, a pair of appliances acts as one virtual appliance. Router configuration is the same
for an HA pair as with a single appliance, except that the Virtual IP address of the HA pair, not the IP address of an
individual appliance, is used in the router configuration tables. In this example, the local appliances must use default
virtual inline configuration (Return to Ethernet Sender).
Figure 1. High-availability Example
citrix.com 319
Monitoring and Troubleshooting
In virtual inline mode, unlike WCCP mode, the appliance provides no virtual inline-specific monitoring. To troubleshoot a
virtual inline deployment, log into the appliance and use the Dashboard page to verify that traffic is flowing into and out
of the appliance. Traffic forwarding failures are typically caused by errors in router configuration.
If the Monitoring: Usage or Monitoring: Connections pages show that traffic is being forwarded but no acceleration is
taking place (assuming that an appliance is already installed on the other end of the WAN link), check to make sure that
both incoming WAN traffic and outgoing WAN traffic are being forwarded to the appliance. If only one direction is
forwarded, acceleration cannot take place.
To test health-checking, power down the appliance. The router should stop forwarding traffic after the health-checking
algorithm times out.
citrix.com 320
Group Mode
In group mode, two or more appliances become a single virtual appliance. This mode is one solution to the problem of
asymmetric routing, which is defined as any case in which some packets in a given connection pass through a given
appliance but others do not. A limitation of the appliance architecture is that acceleration cannot take place unless all
packets in a given connection pass through the same two appliances. Group mode overcomes this limitation.
Group mode can be used with multiple or redundant links without reconfiguring your routers.
Note: Group mode is not supported on the CloudBridge 4000 or 5000 appliances.
Group mode applies only to the appliances on one side of the WAN link; the local appliances neither know nor care
whether the remote appliances are using group mode.
Group mode uses a heartbeat mechanism to verify that other members of the group are active. Packets are forwarded
to active group members only.
Avoiding asymmetric routing is the main reason to use group mode, but group mode is not the only method available for
that purpose. If you decide that it is the best method for your environment, you can enable it by setting a few
parameters. If the default mechanism for determining which appliance is responsible for a particular connection does not
provide optimal acceleration, you can change the forwarding rules.
Figure 1. Group Mode With Redundant Links
Figure 2. Group Mode With Non-Redundant Links with Possible Asymmetric Routing
citrix.com 321
When to Use Group Mode
Use group mode in the following set of circumstances:
WCCP mode, in which traffic from two or more links is sent to the same appliance by WAN routers, by
means of the WCCP protocol.
Virtual inline mode, in which your routers send traffic from two or more links through the same appliance (or
high-availability pair).
Multiple bridges, where each link passes through a different accelerated bridge in the same appliance.
LAN-level aggregation, which places an appliance (or high-availability pair) closer to the LAN, before the
point where WAN traffic is split into two or more paths.
citrix.com 322
How Group Mode Works
In group mode, the appliances that are part of the group each take ownership for a portion of the group's connections. If
a given appliance is the owner of a connection, it makes all the acceleration decisions about that connection and is
responsible for compression, flow control, packet retransmission, and so on.
If an appliance receives a packet for a connection for which it is not the owner, it forwards the packet to the appliance
that is the owner. The owner examines the packet, makes the appropriate acceleration decisions, and forwards any
output packets back to the non-owning appliance. This process preserves the link selection made by the router, while
allowing all packets in the connection to be managed by the owning appliance. For the routers, the introduction of the
appliances has no consequences. The routers do not need to be reconfigured in any way, and the appliances do not
need to understand the routing mechanism. They simply accept the routers' forwarding decisions.
Figure 1. Sending-side Traffic in Group Mode
Group mode has two, user-selectable failure modes, which control how the group members interact with each other if
one of them fails. The failure mode also determines whether the failed appliance's bypass card opens (blocking traffic
through the appliance) or remains closed (allowing traffic to pass through). The failure modes are:
Continue to accelerate- If a group member fails, its bypass card is opened and no traffic passes through the failed
appliance. The result is presumably a fail-over if redundant links are used. Otherwise, the link is simply inaccessible.
The other appliances in the group continue to accelerate. The usual hashing algorithm handles the changed conditions.
(That is, the old hashing algorithm is used, and if the failed unit is indicated as the owner, a hashing algorithm based on
the new, smaller group is applied. This preserves as many older connections as possible.)
Do not accelerate- If a group member fails, its bypass card closes, allowing traffic to pass through without acceleration.
Because an unaccelerated path introduces asymmetric routing, the other members of the group also go into pass-
through mode when they detect the failure.
citrix.com 323
Enabling Group Mode
To enable group mode, create a group of two or more appliances. An appliance can be a member of only one group.
Group members are identified by IP address and the SSL common name in the appliance license.
All group mode parameters are on the Settings: Group Mode page, in the Configure Settings: Group Mode table.
Figure 1. Group Mode Page
1. Select the address to use for group communication. At the top of the Group Mode Configuration table on the
Configuration: Advanced Deployments: Group Mode tab, the table cell under Member VIP contains the management
address of the port used to communicate with other group members. Use the (unlabeled) drop-down menu to select
the correct address (for example, to use the Aux1 port, select the IP address you assigned to the Aux1 port). Then,
click Change VIP.
2. Add at least one more group member to the list. (Groups of three or more are supported but are rarely used.) In the
next cell of the Member VIP column, type the IP address of the port used by the other appliance for group-mode
communication.
3. Type the other group members SSL common name in the SSL Common Name column. The SSL common name
is listed on the other appliances Configure: Advanced Deployments: High Availability tab. If the other group
member is a high-availability pair, the name listed is the SSL common name of the primary appliance.
Note: If the local appliance is not part of a high-availability pair, the first cell in the HA Secondary SSL Common Name
is blank.
If the other group member is a high-availability pair, specify the SSL Common Name of the HA secondary
appliance in the HA Secondary SSL Common Name column.
4. Click Add.
5. Repeat steps 2-4 for any additional appliances or high-availability pairs in the group.
6. The three buttons under the list of group members are toggles, so each is labeled as the opposite of its current setting:
a. The top button reads either, Do not accelerate when member failure is detected or Continue to accelerate
when member failure is detected. The Do not accelerate... setting always works and does not block
traffic, but if any member fails, the other group members go into bypass mode, which causes a complete loss
of acceleration. With the Continue to accelerate option, the failing appliances bridge becomes an
open circuit, and the link fails. This option is appropriate if the WAN router responds by causing a failover. New
connections, and open connections belonging to the surviving appliances, are accelerated.
b. The bottom button should now be labeled Disable Group Mode. If it is not, enable group mode by clicking the
button.
7. Refresh the screen. The top of the page should list the group mode partners, but display warnings about their status,
because they havent been configured for group mode yet. For example, it might indicate that the partner cannot
be found or is running a different software release.
8. Repeat this procedure with the other members of the group. Within 20 seconds after enabling the last member of the
group, the Group Mode Status line should show NORMAL, and the other group mode members should be listed with
Status: On-Line and Configuration: OK.
citrix.com 324
Forwarding Rules
By default, the owner of a group-mode connection is set by a hash of the source and destination IP addresses. Each
appliance in the group uses the same algorithm to determine which group member owns a given connection. This
method requires no configuration. The owner can optionally be specified through user-settable rules.
Because the group-mode hash is not identical to that used by load balancers, about half of the traffic tends to be
forwarded to the owning appliance in a two-Appliance group. In the worst case, forwarding causes the load on the LAN-
side interface to be doubled, which halves the appliance's peak forwarding rate for actual WAN traffic.
This speed penalty can be reduced if the Primary or Aux1 Ethernet ports are used for traffic between group members.
For example, if you have a group of two appliances, you can use an Ethernet cable to connect the two units' Primary
ports, then specify the Primary port on the Group Mode page on each unit. However, maximum performance is
achieved if the amount of traffic forwarded between the group-mode members is minimized.
The owner can optionally be set according to specific IP/port-based rules. These rules must be identical on all
appliances in the group. Each member of the group verifies that its group-mode configuration is identical to the others. If
not all of the configurations are identical, none of the member appliances enter group mode.
If traffic arrives first at the appliance that owns the connection, it is accelerated and forwarded normally. If it arrives first
at a different appliance in the group, it is forwarded to its owner over a GRE tunnel, which accelerates it and returns it to
the original appliance for forwarding. Thus, group mode leaves the router's link selection unchanged.
Using explicit IP-based forwarding rules can reduce the amount of group-mode forwarding. This is especially useful in
primary-link/backup-link scenarios, where each link handles a particular range of IP addresses, but can act as a backup
when the other link is down.
Figure 1. IP-Based Owner Selection
Forwarding rules can ensure that group members handle only their "natural" traffic. In many installations, where traffic is
usually routed over its normal link and only rarely crosses the other one, these rules can reduce overhead substantially.
Rules are evaluated in order, from top to bottom, and the first matching rule is used. Rules are matched against an
optional IP address/mask pair (which is compared against both source and destination addresses), and against an
optional port range.
Regardless of the ordering of rules, if the partner appliance is not available, traffic is not forwarded to it, whether a rule
matches or not.
For example, in the figure below, member 172.16.1.102 is the owner of all traffic to or from its own subnet (172.16.1.0
/24), while member 172.16.0.184 is the owner of all other traffic.
If a packet arrives at unit 172.16.1.102, and it is not addressed to/from net 172.16.1.0/24, it is forwarded to 172.16.0.184.
If unit 172.16.0.184 fails, however, unit 172.16.1.102 no longer forwards packets. It attempts to handle the traffic itself.
This behavior can be inhibited by clicking Do NOT Accelerate When Member Failure Detected on the Group Mode
tab.
In a setup with a primary WAN link and a backup WAN link, write the forwarding rules to send all traffic to the appliance
on the primary link. If the primary WAN link fails, but the primary appliance does not, the WAN router fails over and
sends traffic over the secondary link. The appliance on the secondary link forwards traffic to the primary-link appliance,
and acceleration continues undisturbed. This configuration maintains accelerated connections after the link failover.
Figure 2. Forwarding Rules
citrix.com 325
citrix.com 326
Monitoring and Troubleshooting Group Mode
Two things should be checked in a group-mode installation:
That the two appliances have entered group mode, which can be determined on either appliances
Configuration: Advanced Deployments: Group Mode page.
That the behavior of the group-mode pair is as desired when the other member fails, and when one of the
links fail, as determined by disabling the other appliance and temporarily disconnecting one of the links,
respectively.
citrix.com 327
High-Availability Mode
Two identical appliances on the same subnet can be combined as a high-availability pair. The appliances each monitor
the other's status by using the standard Virtual Router Redundancy Protocol (VRRP) heartbeat mechanism. The pair
has a common virtual IP address for management, in addition to each appliance's management IP address. If the
primary appliance fails, the secondary appliance takes over. Failover takes approximately five seconds.
citrix.com 328
How High-Availability Mode Works
In a high availability (HA) pair, one appliance is primary, and the other is secondary. The primary monitors its own and
the secondary's status. If it detects a problem, traffic processing fails over to the secondary appliance. Existing TCP
connections are terminated. To ensure successful failover, the two appliances keep their configurations synchronized.
In a WCCP mode high availability configuration, the appliance that is processing traffic maintains communication with
the upstream router.
Status monitoringWhen high availability is enabled, the primary appliance uses the VRRP protocol to send a
heartbeat signal to the secondary appliance once per second. In addition, the primary appliance monitors the carrier
status of its Ethernet ports. The loss of carrier on a previously active port implies a loss of connectivity.
Failover If the heartbeat signal of the primary appliance should fail, or if the primary appliance loses carrier for five
seconds on any previously active Ethernet port, the secondary appliance takes over, becoming the primary. When the
failed appliance restarts, it becomes the secondary. The new primary announces itself on the network with an ARP
broadcast. MAC spoofing is not used. Ethernet bridging is disabled on the secondary appliance, leaving the primary
appliance as the only path for inline traffic. Fail-to-wire is inhibited on both appliances to prevent loops.
Caution: The Ethernet bypass function is disabled in HA mode. If both appliances in an inline HA pair lose power, connectivity
is lost. If WAN connectivity is needed during power outages, at least one appliance must be attached to a backup power
source.
Note: The secondary appliance in the HA pair has one of its bridge ports, port apA.1, disabled to prevent forwarding loops. If
the appliance has dual bridges, apB.1 is also disabled. In a one-arm installation, use port apA.2. Otherwise, the secondary
appliance becomes inaccessible when HA is enabled.
Primary/secondary assignmentIf both appliances are restarted, the first one to fully initialize itself becomes the
primary. That is, the appliances have no assigned roles, and the first one to become available takes over as the
primary. The appliance with the highest IP address on the interface used for the VRRP heartbeat is used as a tie-
breaker if both become available at the same time.
Connection termination during failoverBoth accelerated and unaccelerated TCP connections are terminated as a
side effect of failover. Non-TCP sessions are not affected, except for the delay caused by the brief period (several
seconds) between the failure of the primary appliance and the failover to the secondary appliance. Users experience the
closing of open connections, but they can open new connections.
Configuration synchronizationThe two appliances synchronize their settings to ensure that the secondary is ready
to take over for the primary. If the configuration of the pair is changed through the browser based interface, the primary
appliance updates the secondary appliance immediately.
HA cannot be enabled unless both appliances are running the same software release.
HA in WCCP modeWhen WCCP is used with an HA pair, the primary appliance establishes communication with the
router. The appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with
the router. Upon failover, the new primary appliance establishes WCCP communication with the router.
citrix.com 329
Cabling Requirements
The two appliances in the high availability pair are installed onto the same subnet in either a parallel arrangement or a
one-arm arrangement, both of which are shown in the following figure. In a one-arm arrangement, use the apA.2 port
(and, optionally, the apB.2 port), not the apA.1 port. Some models require a separate management LAN, whether
deployed in inline or one-armed mode. This is depicted only in the middle diagram.
Figure 1. Cabling for High-Availability Pairs
Do not break the above topology with additional switches. Random switch arrangements are not supported. Each of the
switches must be either a single, monolithic switch, a single logical switch, or part of the same chassis.
If the spanning-tree protocol (STP) is enabled on the router or switch ports attached to the appliances, failover will work,
but the failover time may increase to roughly thirty seconds. Without STP, failover time is roughly five seconds. Thus, to
achieve the briefest possible failover interval, disable STP on the ports connecting to the appliances.
Figure 2. Ethernet Port Locations (Older Models)
citrix.com 330
Other Requirements
Both appliances in an HA pair must meet the following criteria:
Have identical hardware, as shown by on the System Hardware entry on the Dashboard page.
Run exactly the same software release.
Be equipped with Ethernet bypass cards. To determine what is installed in your appliances, see the
Dashboard page.
Appliances that do not support HA display a warning on the Configuration: High Availability page.
citrix.com 331
Management Access to the High-Availability Pair
When configuring a high-availability (HA) pair, you assign the pair a virtual IP (VIP) address, which enables you to
manage the two appliances as if they were a single unit. After you enable high-availability mode, managing the
secondary appliance through its IP address is mostly disabled, with most parameters grayed out. A warning message
displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary
appliance's HA state from its management UI.
citrix.com 332
Configuring the High-Availability Pair
You can configure two newly installed appliances as a high-availability pair, or you can create an HA pair by adding a
second appliance to an existing installation.
Prerequisites: Physical installation and basic configuration procedures
To configure high availability
1. Make sure that no more than one appliance is connected to the traffic networks (on the accelerated bridges). If both
are connected, disconnect one bridge cable from the active bridges on the second appliance. This will prevent
forwarding loops.
2. On the Features page of the first appliance, disable Traffic Processing. This disables acceleration until the HA pair is
configured.
3. Repeat for the second appliance.
4. On the first appliance, go to the Configuration: Advanced Deployments: High Availability tab, show below.
5. Select the Enabled Check box.
6. Click the Configure HA Virtual IP Address link and assign a virtual IP address to the apA interface. This address will
be used later to control both appliances as a unit.
7. Return to the High Availability page and, in the VRRP VRID field, assign a VRRP ID to the pair. Although the value
defaults to zero, the valid range of VRRP ID numbers is 1 through 255. Within this range, you can specify any value
that does not belong to another VRRP device on your network.
8. In the Partner SSL Common Name field, type the other appliances SSL Common Name, which is displayed on
that appliances Configuration: Advanced Deployments: High Availability tab, in the Partner SSL Common Name
field. The SSL credentials used here are factory-installed.
9. Click Update.
10. Repeat steps 3-8 on the second appliance. If you are managing the appliance via an accelerated bridge (such as
apA), you may have to reconnect the Ethernet cable that you removed in step 1 to connect to the second appliance. If
so, plug this cable in and disconnect the corresponding cable on the first appliance.
11. With your browser, navigate to the virtual IP address of the HA pair. Enable Traffic Processing on the Features page.
Any further configuration will be performed from this virtual address.
12. Plug in the cable that was left disconnected.
13. On each appliance, the Configuration: Advanced Deployments: High Availability page should now show that high
availability is active and that one appliance is the primary and the other is the secondary. If this is not the case, a
warning banner appears at the top of the screen, indicating the nature of the problem.
citrix.com 333
Updating Software on a High-Availability Pair
Updating the CloudBridge software on an HA pair causes a failover at one point during the update.
Note: Clicking the Update button terminates all open TCP connections.
citrix.com 334
Saving/Restoring Parameters of an HA Pair
The System Maintenance: Backup/Restore function can be used to save and restore parameters of an HA pair as follows:
1. Disable HA on both appliances by clearing the Enabled check box on the Configuration: Advanced
Deployments: High Availability (HA) tab.
2. Unplug a network cable from the bridge of one appliance. (Call it Appliance A.)
3. Unplug the power cord from Appliance A.
4. Restore the parameters on the other appliance (Appliance B), by uploading a previously saved set of
parameters on the System Maintenance: Backup/Restore page and clicking Restore Settings. (Completing this
operation requires a restart, which reenables HA).
5. Wait for Appliance B to restart. It becomes the primary.
6. Restart Appliance A.
7. Log on to Appliance As GUI and reenable HA on the Configuration: Advanced Deployments: High
Availability (HA) tab. The appliance get its parameters from the primary.
8. Plug in the network cable removed in step 2.
citrix.com 335
Troubleshooting High Availability Pairs
If the appliances report any failure to enter high-availability mode, the error message will also note the cause. Some
issues that can interfere with high-availability mode are:
citrix.com 336
Managing the Appliance
CloudBridge 4000/5000 is an appliance containing multiple virtual CloudBridge WAN accelerators controlled by a single
virtual NetScaler load balancer. This combination provides a high-performance WAN accelerator for busy datacenters.
citrix.com 337
CloudBridge Licensing Overview
The process of allocating your CloudBridge licenses has been greatly simplified. The new licensing framework allows
you to focus on getting maximum value from Citrix products.
In the CloudBridge configuration utility (GUI), you can use your hardware serial number (HSN) or your license activation
code (LAC) to allocate your licenses. Alternatively, if a license is already present on your local computer, you can
upload it to the appliance.
For all other functionality, such as returning or reallocating your license, you must use the licensing portal. Optionally,
you can still use the licensing portal for license allocation. For more information about the licensing portal, see "http:
//support.citrix.com/article/CTX131110".
Note:
On a CloudBridge appliance, you can use the HSN or LAC to allocate your license or upload the license to
the appliance from a local computer. On a CloudBridge VPX appliance, you can only upload the license to
the appliance from a local computer.
You must purchase separate licenses for each appliance in a high availability (HA) pair. Make sure that the
same type of licenses are installed on both the appliances. For example, if you purchase a platinum license
for one appliance, you must purchase another platinum license for the other appliance.
Note: You must purchase separate licenses for each appliance in a high availability (HA) pair. Make sure that the same type
of licenses are installed on both the appliances. For example, if you purchase a platinum license for one appliance, you must
purchase another platinum license for the other appliance.
citrix.com 338
Prerequisites
To use the hardware serial number or license activation code to allocate your licenses:
The management service virtual machine of the appliance must have an access to public domain.
Your license must be linked to your hardware, or you must have a valid license activation code (LAC). Citrix
sends your LAC by email when you purchase a license.
citrix.com 339
Allocating your License by using the Configuration Utility
If your license is already linked to your hardware, the license allocation process can use the hardware serial number.
Otherwise, you must type the license activation code (LAC).
6. Click Update Licenses, and then select one of the following options:
Use Hardware Serial NumberThe software internally fetches the serial number of your appliance
and uses this number to display your license(s).
Use License Activation CodeCitrix emails the LAC for the license that you purchased. Enter the
LAC in the text box.
7. Click Get Licenses. Depending on the option that you selected, one of the following dialog boxes appears.
The following dialog box appears if you selected Hardware Serial Number.
citrix.com 340
The following dialog box appears if you selected License Activation Code.
8. Select the license that you want to allocate, and then click Get.
9. Click Apply for the license to take effect.
citrix.com 341
Installing the License
If you downloaded your license file to your local computer by accessing the licensing portal, you must upload the license
to the appliance.
6. Click Add New License, then select Upload license files from a local computer.
7. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.
See also
citrix.com 342
Verifying CloudBridge Licenses
Before using a feature, make sure that your license supports the required number of accelerators.
licensed.
4. Alternately, navigate to CloudBridge > Instances. The Licensed column displays the status of licensed accelerates as
green.
citrix.com 343
Internet Protocol Version 6 (IPv6) Acceleration
When you connect to the Internet through a device, the device is assigned an IP address. The IP address identifies and
indicates the location of the appliance. The number of devices connecting to the Internet is rapidly increasing. As a
result, it is difficult to manage the request for the IP addresses with the existing version of Internet Protocol (IP), IPv4,
which uses 32-bit addresses. By using IPv4, approximately 4.3 billion addresses can be assigned to the devices
connecting to the Internet.
IPv6 addresses this issue by using 128-bit addresses and a hexadecimal label to identify the network interfaces of
devices on an IPv6 network. Because IPv6 supports far more IP addresses than does IPv4, organizations and
applications are gradually introducing support for the IPv6 protocol.
The IPv4 and IPv6 protocols are not interoperable, which makes the transition difficult. To accelerate the increasing
IPv6 traffic from various applications supported on the CloudBridge appliance, you can enable the IPv6 Acceleration
feature.
citrix.com 344
Verifying IPv6 Connections
After enabling IPv6 acceleration on the appliance, the appliance starts accelerating traffic for the applications using IPv6
protocol. To make sure that the appliance is accelerating the IPv6 traffic, you can monitor such connections on the
appliance.
To monitor the IPv6 connections, navigate to the CloudBridge > Monitoring tab. The Connections page of the Monitoring
tab display IPv6 protocols traffic related statistics:
Connections: The Connections page lists details of all the connections established with the appliance. This
page consists of two tabs, Accelerated Connections and Unaccelerated Connections. The Accelerated
Connections tab lists all connections that the appliance is accelerating. You can identify IPv6 traffic in this
tab by referring to the Initiator and Responder column of each entry. If these columns contain hexadecimal
IP address values, the entry represents an IPv6 connection, as shown in the following screen shot.
IPv6 connections that are not accelerated, are listed on the Unaccelerated Connections tab. If you want
to accelerate these connections, you might need to troubleshoot and fine tune the application
parameters on the appliance. As on the Accelerated Connections tab, you can identify the IPv6
connections on this tab by referring to the Initiator and Responder columns of each entry.
Top Applications: The Top Applications page provides granularity in the time frame that you can use to
graphically represent the traffic throughput of various applications served by the CloudBridge appliance. By
default, traffic throughput is displayed by the last minute. However, you can change the time frame by
selecting Last Minute, Last Hour, Last Day, Last Week, or Last Month from the list available on the Title bar
of the page. This page has three tabs, Top Applications Graphs, Since Last Restart, and Active
Applications (Since Last Restart). The Top Applications Graphs tab contains the following statistics:
Total Application Link Throughput Percentage (Sent): This is a pie chart depicting the percentage of
traffic that the appliance has sent to each application. If the appliance has sent a significant percentage
of traffic for an application using IPv6 protocol, the application has its percentage of traffic depicted in
this graph.
Total Application Link Throughput Percentage (Received): This is a pie chart depicting the
percentage of traffic that the appliance has received from each application. If the appliance has received
a significant percentage of traffic from an application using IPv6 protocol, the graph displays the
percentage of traffic generated by the application.
citrix.com 345
Sent Rate: This is a stacked graph of series of data depicting the rate, in bits per second, at which the
appliance has sent traffic to each application. If the appliance has sent data to an application using IPv6
protocol, a series depicting each application using IPv6 protocol is also plotted on this graph.
Received Rate: This is a stacked graph of series of data depicting the rate, in bits per second, at which
the appliance has received traffic from each application. If the appliance has received data from an
application using IPv6 protocol, a series depicting each application using IPv6 protocol is also plotted on
this graph.
Top Applications table: This is a table of statistics for each application. The table lists all applications
for which the appliance has served traffic, along with sent and received rates in bits per second, total
bytes sent and received, percentage of the traffic for the application, and the rate at which the appliance
has served traffic for the application. If the appliance has served traffic for an application using IPv6
protocol, the application is listed in this table, along with its statistics.
Application Groups: This is a table of statistics for each application, along with its application group and
parent application, if any. The table lists bytes sent and received for the application. Each application,
and its application group and parent application are displayed as hyperlinks. If you click the hyperlink,
granular details of the statistics are displayed for the link you have clicked. If the appliance has served
traffic for an application using IPv6 protocol, the application is listed in this table, along with its statistics.
citrix.com 346
The Since Last Restart tab contains statistics on the application traffic since the time you restarted
the appliance. The tab contains the Total Application Link Throughput Percentage (Sent) and Total
Application Link Throughput Percentage (Received) graphs, and Top Applications and Application
Groups tables, depicting statistics similar to the Top Applications Graphs tab but with data since the
appliance was restarted. The Active Applications (Since Last Restart) tab contains a table listing
all active applications since the appliance was restarted. This table contains details about sent and
receive rate, total bytes sent and received, and total packets sent and received for the applications.
citrix.com 347
CloudBridge 1000 and 2000 Appliances with Windows Server
The CloudBridge 1000 and 2000 appliances with Windows Server combine virtualized instances of the CloudBridge
WAN optimization appliance with Windows Server virtual machine installed on the appliance. The Windows Server
instance is a fully-licensed version of Microsoft Windows Server 2012 R2 Standard Edition.
The CloudBridge 1000 and 2000 appliances with Windows Servers are based on the Citrix branch architecture, which
supports multiple virtual machines. All branch appliances contain a CloudBridge instance, a management service
instance, and a Xen hypervisor. In addition, the CloudBridge 1000 and 2000 appliances with Windows Server include a
Windows Server instance, which runs independently of the CloudBridge instance.
As shown in the below figure, the Windows Server and the CloudBridge instance are partly isolated from one another,
because the accelerated bridges are accessible only to the accelerator. This allows the accelerator and the Windows
Server to be placed at different points in your LAN topology.
Figure 1. Architecture of the CloudBridge 1000 and 2000 Appliances with Windows Server
The CloudBridge instance is typically used in inline mode, with the CloudBridge instance interposed between the WAN
router and the LAN, so WAN traffic flows through the accelerated bridge. The CloudBridge instance can also be
deployed in WCCP or virtual inline modes, using a single accelerated bridge port.
The Windows server is deployed in a one-armed configuration in the same local LAN in which you would deploy any
other server.
In addition to the accelerated bridges and the Windows LAN port, a management port connects to all virtual machines
(instances) and the hypervisor.
The appliance has two modes, two-port mode and four-port mode, which determine how ports 1/3 and 1/4 are used.
citrix.com 348
Supported Features
The following table lists various features supported on CloudBridge 1000 and 2000 appliances with Windows Server.
Table 1. Features Table for Citrix CloudBridge 1000 and 2000 with Windows Server Series Appliances
Citrix CloudBridge 1000 with Citrix CloudBridge 2000 with Windows
Windows Server series Server series
AutoConfiguration Y Y
CloudBridge Plug-In N Y
Compression Y Y
RPC over HTTPS Y Y
SSL Compression Y Y
TCP Acceleration Y Y
Traffic Shaping Y Y
Video Caching Y Y
Windows File System Acceleration Y Y
Windows Outlook Acceleration Y Y
XenApp/ XenDesktop Acceleration Y Y
Group Mode Y Y
High Availability Mode Y Y
Inline Mode Y Y
Virtual Inline Mode Y Y
WCCP Mode Y Y
VLANs Y Y
citrix.com 349
Hardware Platforms
CloudBridge 1000 and 2000 appliances have similar hardware components, but are differentiated based on hardware
chassis, communication ports, and processing capacities. CloudBridge hardware platforms support the CloudBridge
software and have multicore processors.
citrix.com 350
Introduction to Hardware Platforms
Citrix CloudBridge supports Windows Server on two hardware platforms Citrix CloudBridge 1000WS and Citrix
CloudBridge 2000WS. Whereas CloudBridge 2000WS has better performance capacity as compared to CloudBridge
1000WS, the latter has more RAM and hard disk space.
citrix.com 351
Citrix CloudBridge 1000 Appliance with Windows Server
The Citrix CloudBridge 1000 with Windows Server platform has a quad-core processor and 32 GB of memory. This
platform has a bandwidth of up to 20 Mbps.
The following figure shows the front panel of a CloudBridge 1000 appliance with Windows Server.
Figure 1. Citrix CloudBridge 1000 with Windows Server, front panel
The front panel of the CloudBridge 1000 with Windows Server appliance has a power button and five LEDs.
Blinking red (0.25 Power failure, check for the non-operational power supply.
Hz)
Solid blue Local UID has been activated. Use this function to locate the server in a
rack mount environment.
Blinking blue (300 Remote UID is on. Use this function to identify the server from a remote
m/s) location.
NIC1 and NIC2 Indicate network activity on the LAN1 and WAN1 ports.
HDD Indicates the status of the hard disk drive.
Power Indicates that the power supply units are receiving power and operating normally.
The following figure shows the back panel of a CloudBridge 1000 appliance with Windows Server.
Figure 2. Citrix CloudBridge 1000 appliance with Windows Server , back panel
The following components are visible on the back panel of a CloudBridge 1000 appliance with Windows Server:
Cooling fan
Single power supply, rated at 200 watts, 110-240 volts
citrix.com 352
Accelerated pairs of Ethernet ports (apA and apB) which function as accelerated bridges
RS-232 serial console port
One AUX Ethernet port and one management port
Two USB ports
citrix.com 353
Citrix CloudBridge 2000 Appliance with Windows Server
The Citrix CloudBridge 2000 with Windows Server platform is a 1U appliance with one quad-core processor and 24
gigabytes (GB) of memory.
The following figure shows the front panel of the CloudBridge 2000 appliance with Windows Server.
Figure 1. Citrix CloudBridge 2000 appliance with Windows Server, front panel
Note: You cannot assign apA ports to Windows Server. However, you can assign AUX port to Windows Server
CloudBridge 2000 appliance with Windows Server has the following ports:
The following figure shows the back panel of the CloudBridge 2000 appliance with Windows Server.
Figure 2. Citrix CloudBridge 2000 appliance with Windows Server, back panel
The following components are visible on the back panel of the CloudBridge 2000 appliance with Windows Server:
600 GB removable solid-state drive, which stores the appliance's software and user data, and 1 TB hard
disk drive.
Power switch, which switches power to the appliance on or off. Press the switch for five seconds to switch
off the power.
USB port (reserved for a future release).
Non-maskable interrupt (NMI) button, for use at the request of Technical Support to produce a core dump.
You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent
unintentional activation.
Single power supply, rated at 300 watts, 100-240 volts.
citrix.com 354
Ethernet Port Names
When configuring the appliance, you have to specify IP addresses for various Ethernet ports of the appliance. The
Ethernet ports are named differently on the front panel of CloudBridge 1000 and 2000 appliances with Windows Server,
in the CloudBridge instance, and in the Windows Server, as shown in the following table:
Front Panel CloudBridge Windows Server
Instance
CloudBridge CloudBridge
1000WS 2000WS
MGMT (Blue) 0/1 (LOM/PRI) Primary Citrix PV Ethernet Adapter #0: 0/1
AUX 0/2 (AUX) Aux Citrix PV Ethernet Adapter #1: 0/2
apA LAN1/WCCP 1/1 apA.1 N/A
(Green)
apA WAN1 1/2 apA.2 N/A
apB LAN2 1/3 apB.1* Double-click the Desktop icon nic_mapping.vbs to display
the mapping**
apB WAN2 1/4 apB.2* Double-click the Desktop icon nic_mapping.vbs to display
the mapping**
citrix.com 355
Summary of Hardware Specifications
The following tables summarize the specifications of the CloudBridge 1000 and 2000 with Windows Server hardware
platforms.
CloudBridge 1000 with Windows
CloudBridge 2000 with Windows Server
Server
Windows Server version Windows Server 2012 R2 Windows Server 2012 R2
Platform Performance
Bandwidth Up to 20 Mbps Up to 50 Mbps
Maximum HDX sessions Up to 100 300
Total sessions 10,000 20,000
Acceleration Plug-in
N/A 750
CCUs
Hardware Specifications
Processor 4 Cores 4 Cores
Total disk space 1x300 GB SSD and 1x1 TB HDD 1 x 600 GB SSD and 1X1 TB HDD
SSD (dedicated 123 GB for Disk-Based Compression 225 GB for Disk-Based Compression (DBC)
Compression history) (DBC)
50 GB for video caching
25 GB for video caching
RAM 32 GB 24 GB
Network Interfaces 2 pair with bypass 10/100/1000 4 x 10/100/1000 Base-T copper Ethernet
2 GigE ports for Management and 2 GigE ports for Management and AUX
AUX ports ports
Power supplies 1 1
Physical Dimensions
Rack Units 1U 1U
System width EIA 310-D for 19-inch racks EIA 310-D for 19-inch racks
System depth 10" (25.4 cm) 25.4" (64.5 cm)
System weight 8.5 lbs (3.9 kg) 32 lbs (14.5 kg)
Shipping dimensions and 26 L x 18.5 W x 6.5" H
weight 32 L x 23.5 W x 7.5" H
14.5 lbs
39 lbs
citrix.com 356
Environmental RoHS, WEEE RoHS, WEEE
certifications
citrix.com 357
Installing the Appliance
After you have determined that the location where you will install your appliance meets the environmental standards and
the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the
appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for
initial configuration. You can also connect the appliance to a computer through Ethernet port for initial configuration. On
CloudBridge 1000 appliance with Windows Server, this port is labeled as MGMT (management) port and on
CloudBridge 2000 appliance with Windows Server, the port is labeled as PRI (primary) port. To complete the
installation, you switch on the appliance. Be sure to observe the cautions and warnings listed with the installation
instructions.
citrix.com 358
Rack Mounting the Appliance
A CloudBridge 1000 or 2000 appliance with Windows Server requires one rack unit. Both are rack-mount devices that
can be installed into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your
appliance.
citrix.com 359
Rack Mounting a CloudBridge 1000 Appliance with Windows Server
CloudBridge 1000 appliance with Windows Server is not shipped with rails. You can mount the appliance to the rack by
using the front mounting ports.
citrix.com 360
Rack Mounting a CloudBridge 2000 Appliance with Windows Server
A CloudBridge 2000 appliance with Windows Server requires one rack unit. Both are rack-mount devices that can be installed
into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your appliance.
To mount a CloudBridge appliance, you must first install the rails and then install the appliance in the rack, as
follows:
1. Position the right inner rail behind the ear bracket on the right side of the appliance.
2. Align the holes on the rail with the corresponding holes on the side of the appliance.
3. Attach the rail to the appliance with the provided screws.
4. Repeat steps 1 through 3 to install the left inner rail on the left side of the appliance.
1. Position the rack rails at the desired location in the rack, keeping the sliding rail guide facing inward.
2. Snap the rails to the rack.
Note: Make sure that both rack rails are at same height and that the rail guides are facing inward.
1. Align the inner rails, attached to the appliance, with the rack rails.
2. Slide the appliance into the rack rails, keeping the pressure even on both sides, and push the appliance
into the rack rails until it locks into place.
3. Verify that the appliance is locked in place by pulling it all the way out from the rack.
Note: The illustration in the following figure might not represent your actual appliance.
Figure 1. Rack Mounting the Appliance
citrix.com 361
Connecting the Cables
When the appliance is securely mounted on the rack, determine which ports you should use. You are then ready to
connect the cables. Ethernet cables and the optional console cable are connected first. Connect the power cable last.
Warning: Before installing or repairing the appliance, remove all jewelry and other metal objects that might come in contact
with power sources or wires. When you touch both a live power source or wire and ground, any metal objects can heat up
rapidly and cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.
Ports
A typical installation using a single accelerated bridge uses four Ethernet ports (the Primary port and apA) and six IP
addresses (four on the Primary port's subnet and two on apA's subnet).
The appliance has two motherboard ports and two accelerated bridges.
The motherboard ports are labeled as MGMT (management) and AUX1 (auxiliary) ports in
CloudBridge 1000 appliance with Windows Server and PRI (primary) and AUX (auxiliary) in
CloudBridge 2000 appliance with Windows Server. You use MGMT port of the CloudBridge 1000
appliance with Windows Server and PRI port of the CloudBridge 2000 appliance with Windows Server
for initial configuration.
Accelerated bridge ports are apA and apB are available on the back panel of CloudBridge 1000
appliance with Windows Server and the front panel of CloudBridge 2000 appliance with Windows
Server. On CloudBridge 1000WS appliance with Windows Server, these ports are labeled as LAN1
and WAN1, and LAN2 and WAN2, respectively. However, on CloudBridge 2000WS appliance with
Windows Server, these ports are labeled as 1/1 and 1/2, and 1/3 and 1/4, respectively.
1. Insert the RJ-45 connector on one end of your Ethernet cable into an appropriate port.
On CloudBridge 1000 appliance with Windows Server, the ports are available on the back panel
and labeled as LAN1 and WAN1 for apA bridged port for LAN and WAN links, respectively.
On CloudBridge 2000 appliance with Windows Server, the ports are available on the front panel.
The ports on CloudBridge 2000 with Windows are labeled as 1/1 and 1/2 for the apA bridged port.
You can use 1/1 for LAN and 1/2 for WAN link.
2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.
3. Verify that the LED glows amber when the connection is established.
1. Insert the DB-9 connector at the end of the cable into the console port.
On CloudBridge 1000 appliance with Windows Server, the port is located on the back panel.
On CloudBridge 2000 appliance with Windows Server, the port is located on the front panel.
Note: To use a cable with an RJ-45 converter, insert the optional converter provided into the console
port and attach the cable to it.
2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal.
citrix.com 362
Switching on the Appliance
After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected.
After verifying the connections, you are ready to switch on the appliance.
1. Verify that the appliance is connected through a console or Ethernet port, so that you can configure the
appliance after it is switched on.
2. Press the ON/OFF toggle power switch on the appliance.
3. On CloudBridge 2000 appliance for Windows Server, verify that the LCD on the front panel is backlit and the
start message appears
Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs, you can
quickly remove power from the appliance.
citrix.com 363
Initial Configuration
After checking the connections, you are ready to deploy the CloudBridge 1000 and 2000 appliances with Windows
Server on the network.
The appliance shipped from Citrix has default IP addresses configured on it. To deploy the appliance on the network,
you must configure the appropriate IP addresses on the appliance to accelerate the network traffic.
To perform initial configuration:
citrix.com 364
Prerequisites
Before you begin configuring the appliance, make sure that the following prerequisites have been met:
citrix.com 365
Worksheet
The following table lists the default values of network configuration, CloudBridge configuration, Windows configuration,
system settings, password, and setup wizard in your traffic subnet and the management subnet. Record the values applicable
to your appliance in the third column.
CloudBridge 1000 or 2000 Appliance with Windows Server Deployment Worksheet
Field Default Value Value for Description of the Field
your
Appliance
Network Configuration
XenServer IP Address 192.168.100.2 Management IP address of the XenServer.
(Management Subnet)
Management Service IP 192.168.100.1 Management IP address of the Management Service.
Address (Management
Subnet)
Netmask (Management 255.255.0.0 Network mask for the management subnet.
Subnet)
Gateway (Management None The default gateway IP address of the appliance.
Subnet)
Port Model 2-Port Select 2-port or 4-port, depending on the model. In 4-port
mode, Windows Server does not have access to ports 1/3 and
1/4.
DNS Server None IP address of the DNS server. Citrix recommends that you
specify a valid DNS server IP address. This is a mandatory
parameter.
CloudBridge Configuration
IP Address 192.168.100.20 Primary CloudBridge IP address at which you manage the
(Management Subnet) CloudBridge instance.
Netmask (Management 255.255.0.0 Network mask for the management IP address of the appliance.
Subnet) Same as previous netmask.
Gateway (Management None The default gateway IP address of the appliance. Same as the
Subnet) previous gateway.
Windows Configuration
IP Address 192.168.100.40 IP address to manage Windows Virtual Machine.
(Management Subnet)
Netmask (Management 255.255.0.0 Network mask for the management IP address of the appliance.
Subnet) Same as the previous netmask.
Gateway (Management None The default gateway IP address of the appliance. Same as the
Subnet) previous gateway.
System Settings
NTP Server (none) IP address of the NTP server. Citrix recommends that you
specify a valid NTP server IP address. You can either enter the
IP address or the server name.
Time Zone UTC Specify the time zone for your location.
Password
Password nsroot New password for access to the appliance.
Confirm Password nsroot New password for access to the appliance.
Command Center Configuration
Command Center IP None Optional. IP address of the Command Center appliance with
Address which you want to register this appliance. More info.
Command Center Port 8443 Optional. Port number of the Command Center appliance.
Registration Password None Password you want to use to register the CloudBridge
citrix.com 366
appliance.
Licensing
License Server Address None IP address of the licensing server. Required only when you
select a remote model license type.
Licensing Service Port 27000
Port number of the licensing server. Required only when
you select a remote model license type.
Links
Receive (Download) None WAN link download speed.
Speed
Send (Upload) Speed None WAN link upload speed.
citrix.com 367
Configuring the Appliance by Connecting a Computer to the Ethernet Port
For initial configuration of a CloudBridge appliance, perform the following tasks::
With inline deployments, this configuration might be all you need, because most acceleration features are enabled by
default and require no additional configuration.
You can configure the appliance connecting the appliance to your computer through either the Ethernet port or the serial
console. The following procedure enables you to configure the appliance by connecting it to your computer through the
Ethernet port.
Note: On a CloudBridge 1000 appliance with Windows Server, you use the Ethernet port labeled as MGMT. However, on
CloudBridge 2000 appliance with Windows Server, you use the Ethernet port labeled as PRI or LOM.
If you want to configure the appliance by connecting it to the computer through the serial console, assign the
management service IP address from your Worksheet by completing the Assigning a Management IP Address through
the Serial Console procedure, and then run steps 4 through 25 of the following procedure.
Note: Make sure that you have physical access to the appliance.
To configure the appliance by connecting a computer to the CloudBridge appliances Ethernet port 0/1
1. Set the Ethernet port address of a computer (or other browser-equipped device with an Ethernet port), to
192.168.100.50, with a network mask of 255.255.0.0. On a Windows device, this is done by changing the Internet
Protocol Version 4 properties of the LAN connection, as shown below. You can leave the gateway and DNS server
fields as blank.
2. Using an Ethernet cable, connect this computer to the port labeled MGMT on a CloudBridge 1000 appliance with
Windows Server, or to the port labeled PRI on a CloudBridge 2000 appliance with Windows Server.
3. Switch on the appliance. Using the web browser on the computer, access the appliance by using the default
management service IP address http://192.168.100.1.
4. On the login page, use the following default credentials to log on to the appliance:
Username: nsroot
Password: nsroot.
5. Start the configuration wizard by clicking Get Started.
6. On the Platform Configuration page, enter the respective values from your worksheet, as shown in the following
example:
citrix.com 368
Note: If, for CloudBridge configuration, you want to use the same network mask and gateway as those for Network
Configuration, select the Use System Netmask and Gateway option.
7. Click Done. A screen showing the Installation in Progress message appears. This process takes
approximately 2 to 5 minutes, depending on your network speed.
Note: If you are configuring the appliance by connecting it to your computer through the serial console port, skip step 8
through step 14.
8. A Redirecting to new management IP message appears.
9. Click OK.
10. Unplug your computer from the Ethernet port and connect the port to your management network.
11. Reset the IP address of your computer to its previous setting.
12. From a computer on the management network, log on to the appliance by entering the new Management Service IP
address, such as https://<Managemnt_IP_Address>, in a web browser.
13. To continue the configuration, accept the certificate and continue. The option to continue varies according to the web
browser you are using.
14. Log on to the appliance by using the nsroot user name and the password from your worksheet.
15. The Configuration wizard starts again. In this wizard, some of the values which you have already provided, appear by
default. Specify rest of the values you have recorded in your worksheet.
16. If you want to manage the appliance through Command Center, specify the Command Center IP address, port, and
registration password in the Command Center Configuration page. Otherwise, skip this step.
17. In System Services section, update the values if necessary.
18. In the Licensing section, select the appropriate license type. You can either select a local license or a remote license
server to apply a license to the appliance.
a. If you opt for a local license, you must generate a license by using the host ID of the appliance. To generate a
local license for the appliance, see http://support.citrix.com/article/ctx131110. To apply the license, you can
navigate to the CloudBridge > Configuration > Appliance Settings > Licensing page, after completing the
Configuration wizard.
b. If you opt for a remote licensing server, you must select a remote appliance model and provide the IP address
of the licensing server in the Licensing Server Address field.
19. In the WAN Link Definition section, specify receive and send speeds for the WAN link in the respective fields. Citrix
recommends values 10% lower than the WAN bandwidth, to avoid network congestion.
20. By default, WAN-side adapter settings are configured on the appliance. Accept the default settings.
21. Click Install. After the Installation process is complete, the appliance restarts.
22. As soon as the appliance restarts, the Dashboard page appears.
23. To configure the appliance to accelerate the network traffic, open navigate to the Configuration tab.
Note: Make sure that you have already applied the appropriate license to the appliance.
24. On the Network Adapters page of the Appliance Settings node, verify and, if necessary, assign IP addresses, subnet
masks, and gateways to the accelerated bridges (apA and apB) to be used. Applying these changes restarts the
appliance.
Note: You need to assign IP addresses to apA and apB adapters only if you intended to configure WCCP mode,
virtual inline mode, or the Video Caching feature on the appliance.
25. The Initial Configuration is complete. Traffic now flows through the appliance. The Dashboard page shows this traffic.
citrix.com 369
26. You need additional configuration on the appliance if you intend to use some of the modes and features, such as
WCCP mode, virtual inline mode, video caching, secure peering, high availability, encrypted CIFS/MAPI acceleration,
AppFlow monitoring, or SNMP monitoring.
Note:
Inline installations place the appliance between your LAN and WAN routers, using both ports of the
accelerated bridge, such as ports LAN1 and WAN1 on a CloudBridge 1000 appliance with Window Server or
ports 1/1 and 1/2 on CloudBridge 2000 appliance with Windows Server, for the apA accelerated bridge port.
WCCP and virtual inline installations connect a single accelerated bridge port to your WAN router.
Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See
Router Configuration.
WCCP installations require configuration of your router and the appliance. See WCCP Mode.
citrix.com 370
Additional Configuration for Windows
You can use the Windows management tools to perform additional configuration, such as configuring ports and other
Windows services, on the Windows instance.
To perform additional configurations for Windows
1. Open a remote desktop (RDP) session to the IP address of the Windows instance from your Worksheet.
2. Log on to the Windows instance with the following credentials:
Username: Administrator
Password: password
3. Use interface AUX for Windows Server traffic. This port has a Windows Device Description of "Citrix PV Ethernet
Adapter #1: 0/2." Set it to use an IP address and network mask in the network that you chose for the Windows
adapter.
4. Enable Windows services for access to services, such as domain services, printer definitions, and user rights.
5. Define only a single default gateway. Add non-default routes as appropriate for your installation.
citrix.com 371
Assigning a Management IP Address through the Serial Console
If you do not want to change the settings of your computer, you can perform initial configuration by connecting the
appliance to your computer with a serial null modem cable. Make sure that you have physical access to the appliance.
To configure the appliance through the serial console
Username: nsroot
Password: nsroot.
5. At the $ prompt, run the following command to switch to the shell prompt of the appliance:
$ ssh 169.254.0.10
6. Enter Yes to continue connecting to the management service.
7. Log on to the shell prompt of the appliance with the following default credentials:
Password: nsroot.
8. At the logon prompt, run the following command to open the Management Service Initial Network Address
Configuration menu:
# networkconfig
9. Type 1 and press Enter to select option 1, and specify a new management IP address for the management service.
10. Type 2 and press Enter to select option 2, and specify a new management IP address for the XenServer server.
11. Type 3 and press Enter to select option 3, and then specify the network mask for the management service IP
address.
12. Type 4 and press Enter to select option 4, and then specify the default gateway for the management service IP
address.
13. Type 8 and press Enter to save the settings and exit.
14. Access the CloudBridge appliance by entering the new management service IP address of the appliance, such as
https://<Management_Service_IP_Address>, in a web browser of a computer on the management network.
15. To continue the configuration, accept the certificate and continue. The option to continue varies according to the web
browser you are using.
16. Run steps 4 through 25 of the Configuring the Appliance by Connecting a Computer to the Ethernet Port procedure to
complete the configuration process
citrix.com 372
Deployment Modes
A CloudBridge appliance acts as a virtual gateway. It is neither a TCP endpoint nor a router. Like any gateway, its job is
to buffer incoming packets and put them onto the outgoing link at the right speed. This packet forwarding can be done in
different ways, such as inline mode, virtual inline mode, and WCCP mode. Although these methods are called modes,
you do not have to disable one forwarding mode to enable another. If your deployment supports more than one mode,
the mode that the appliance uses is determined automatically by the Ethernet and IP format of each packet.
Because the appliance supports different forwarding modes and different kinds of non-forwarded connections, it needs
a way of distinguishing one kind of traffic from another. It does so by examining the destination IP address and
destination Ethernet address (MAC address), as shown in table below. For example, in inline mode, the appliance is
acting as a bridge. Unlike other traffic, bridged packets are addressed to a system beyond the appliance, not to the
appliance itself. The address fields contain neither the appliance's IP address nor the appliance's Ethernet MAC
address.
In addition to pure forwarding modes, the appliance has to account for additional types of connections, including
management connections to the GUI and the heartbeat signal that passes between members of a high-availability pair.
For completeness, these additional traffic modes are also listed in table below.
Table 1. How Ethernet and IP Addresses Determine the Mode
Destination IP Destination Ethernet Address Mode
Address
Not appliance Not appliance Inline or Pass-through
Not appliance Appliance Virtual Inline or L2 WCCP
Appliance Appliance Direct (UI access)
Appliance (VIP) Appliance High-Availability. Proxy mode
Appliance (WCCP Appliance WCCP GRE Mode
GRE Packet)
Appliance (Signaling Appliance Signaling Connection (CloudBridge plugin Signaling
IP) Connection (CloudBridge plugin, Secure Peer) or
Redirector Mode Connection (CloudBridge plugin)
All modes can be active simultaneously. The mode used for a given packet is determined by the Ethernet and IP
headers.
The forwarding modes are:
Inline mode, in which the appliance transparently accelerates traffic flowing between its two Ethernet ports.
In this mode, the appliance appears (to the rest of the network) to be an Ethernet bridge. Inline mode is
recommended, because it requires the least configuration.
WCCP mode, which uses the WCCP v. 2.0 protocol to communicate with the router. This mode is easy to
configure on most routers. WCCP has two variants: WCCP-GRE and WCCP-L2. WCCP-GRE encapsulates
the WCCP traffic within generic routing encapsulation (GRE) tunnels. WCCP-L2 uses un-encapsulated
network Layer 2 (Ethernet) transport.
Virtual inline mode, in which a router sends WAN traffic to the appliance and the appliance returns it to the
router. In this mode, the appliance appears to be a router, but it uses no routing tables. It sends the return
traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed WCCP
operation are not practical.
Group mode, which allows two appliances to operate together to accelerate a pair of widely separated
WAN links.
High availability mode, which allows to appliances to operate as an active/standby high availability pair. If
the primary appliance fails, the secondary appliance takes over.
Pass-through traffic refers to any traffic that the appliance does not attempt to accelerate. It is a traffic
category, not a forwarding mode.
Direct access, where the appliance acts as an ordinary server or client. The GUI and CLI are examples of
direct access, using the HTTP, HTTPS, SSH, or SFTP protocols. Direct access traffic can also include the
NTP and SNMP protocols.
Appliance-to-appliance communication, which can include signaling connections (used in secure peering
and by the CloudBridge plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE
tunnels (used by group mode).
citrix.com 373
Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used
in new installations.
citrix.com 374
Customizing the Ethernet ports
A typical appliance has four Ethernet ports: two accelerated bridged ports, called accelerated pair A (apA.1 and apA.2),
with a bypass (fail-to-wire) relay, and two unaccelerated motherboard ports, called Primary and Aux1. The bridged ports
provide acceleration, while the motherboard ports are sometimes used for secondary purposes. Most installations use
only the bridged ports.
Some CloudBridge units have only the motherboard ports. In this case, the two motherboard ports are bridged.
The appliances user interface can be accessed by a VLAN or non-VLAN network. You can assign a VLAN to any
of the appliances bridged ports or motherboard ports for management purposes.
Figure 1. Ethernet Ports
Port List
The ports are named as follows:
Table 1. Ethernet Port Names
Motherboard port 1 Primary (or apA.1 if no bypass card is present)
Motherboard port 2 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present)
Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2)
Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2)
citrix.com 375
Port Parameters
Each bridge and motherboard port can be:
Enabled or disabled
Assigned an IP address and subnet mask
Assigned a default gateway
Assigned to a VLAN
Set to 1000 Mbps, 100 Mbps, or 10 Mbps
Set to full duplex, half-duplex, or auto (on CloudBridge 4000/5000 appliances, some ports can be set to 10
Gbps)
All of these parameters except the speed/duplex setting are set on the Configuration: IP Address page. The
speed/duplex settings are set on the Configuration: Interface page.
Notes about parameters:
citrix.com 376
Accelerated Bridges (apA and apB)
Every appliance has at least one pair of Ethernet ports that function as an accelerated bridge, called apA (for
accelerated pair A). A bridge can act in inline mode, functioning as a transparent bridge, as if it were an Ethernet switch.
Packets flow in one port and out the other. Bridges can also act in one arm mode, in which packets flow in one port and
back out the same port.
An appliance that has a bypass card maintains network continuity if a bridge or appliance malfunctions.
Some units have more than one accelerated pair, and these additional accelerated pairs are named apB, apC, and so
on.
Bypass Card
If the appliance loses power or fails in some other way, an internal relay closes and the two bridged ports are electrically
connected. This connection maintains network continuity but makes the bridge ports inaccessible. Therefore you might
want to use one of the motherboard ports for management access.
Caution: Do not enable the Primary port if it is not connected to your network. Otherwise, you cannot access the appliance,
as explained in Ethernet Bypass and Link-Down Propagation
Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances
with bypass cards for all inline deployments.
The bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly
wired installations.
Important: Bypass installations must be tested - Improper cabling might work in normal operation but not in bypass mode.
The Ethernet ports are tolerant of improper cabling and often silently adjust to it. Bypass mode is hard-wired and has no such
adaptability. Test inline installations with the appliance turned off to verify that the cabling is correct for bypass mode.
When it is time for the appliance to send a packet for a given connection, the packet is sent over the same bridge from
which the appliance received the most recent input packet for that connection. Thus, the appliance honors whatever link
decisions are made by the router, and automatically tracks the prevailing load-balancing or main-link/failover-link
algorithm in real time. For non-load-balanced links, the latter algorithm also ensures that packets always use the correct
bridge.
citrix.com 377
Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass
through both appliances.
citrix.com 378
Motherboard Ports
Although the Ethernet ports on a bypass card are inaccessible when the bypass relay is closed, the motherboard ports
remain active. You can sometimes access a failed appliance through the motherboard ports if the bridged ports are
inaccessible.
citrix.com 379
VLAN Support
A virtual local area network (VLAN) uses part of the Ethernet header to indicate which virtual network a given Ethernet
frame belongs to. CloudBridge appliances support VLAN trunking in all forwarding modes (inline, WCCP, virtual inline,
and group mode). Traffic with any combination of VLAN tags is handled and accelerated correctly.
For example, if one traffic stream passing through the accelerated bridge is addressed to 10.0.0.1, VLAN 100, and
another is addressed to 10.0.0.1, VLAN 111, the appliance knows that these are two distinct destinations, even though
the two VLANs have the same IP address.
You can assign a VLAN to all, some, or none of the appliance's Ethernet ports. If a VLAN is assigned to a port, the
management interfaces (GUI and CLI) listen only to traffic on that VLAN. If no VLAN is assigned, the management
interfaces listen only to traffic without a VLAN. This selection is made on the Configuration: Appliance Settings: Network
Adapters: IP Addresses tab.
citrix.com 380
Inline Mode
In inline mode, traffic passes into one of the appliance's Ethernet ports and out of the other. When two sites with inline
appliances communicate, every TCP connection passing between them is accelerated. All other traffic is passed
through transparently, as if the appliance were not there.
Figure 1. Inline mode, Accelerating All Traffic on a WAN
Note: Any TCP-based traffic passing through both units is accelerated. No address translation, proxying, or per-site setup is
required. Inline mode is auto-detecting and auto-configuring.
Configuration is minimized with inline mode, because your WAN router need not be aware of the appliance's existence.
Depending on your configuration, inline mode's link-down propagation can affect management access to the appliance if
a link goes down.
Inline mode is most effective when applied to all traffic flowing into and out of a site, but it can be used for only some of
the site's traffic.
citrix.com 381
Ethernet Bypass and Link-Down Propagation
Note: Link-Down propagation was added to the CloudBridge 2000, 3000, 4000, and 5000 appliances with the 7.2.1 release.
Most appliance models include a "fail-to-wire" (Ethernet bypass) feature for inline mode. If power fails, a relay closes
and the input and output ports become electrically connected, allowing the Ethernet signal to pass through from one
port to the other as if the appliance were not there. In fail-to-wire mode, the appliance looks like a cross-over cable
connecting the two ports.
Any failure of the appliance hardware or software also closes the relay. When the appliance is restarted, the bypass
relay remains closed until the appliance is fully initialized, maintaining network continuity at all times. This feature is
automatic and requires no user configuration.
When the bypass relay is closed, the appliance's bridge ports are inaccessible.
If carrier is lost on one of the bridge ports, the carrier is dropped on the other bridge port to ensure that the link-down
condition is propagated to the device on the other side of the appliance. Units that monitor link state (such as routers)
are thus notified of conditions on the other side of the bridge.
Link-down propagation has two operating modes:
If the Primary port is not enabled, the link-down state on one bridge port is mirrored briefly on the other
bridge port, and then the port is re-enabled. This allows the appliance to be reached through the still-
connected port for management, HA heartbeat, and other tasks.
If the Primary port is enabled, the appliance assumes (without checking) that the Primary port is used for
management, HA heartbeat, and other tasks. The link-down condition on one bridge port is mirrored
persistently on the other port, until carrier is restored or the unit is rebooted. This is true even if the Primary
port is enabled in the GUI but not connected to a network, so the Primary port should be disabled (the
default) when not in use.
citrix.com 382
Accelerating an Entire Site
Inline mode, Accelerating All Traffic on a WAN shows a typical configuration for inline mode. For both sites, the
appliances are placed between the LAN and the WAN, so all WAN traffic that can be accelerated is accelerated. This is
the simplest method for implementing acceleration, and it should be used when practical.
Because all the link traffic is flowing through the appliances, the benefits of fair queuing and flow control prevent the link
from being overrun.
In IP networks, the bottleneck gateway determines the queuing behavior for the entire link. By becoming the bottleneck
gateway, the appliance gains control of the link and can manage it intelligently. This is done by setting the bandwidth
limit slightly lower than the link speed. When this is done, link performance is ideal, with minimal latency and loss even
at full link utilization.
citrix.com 383
Partial-Site Acceleration
To reserve the appliance's accelerated bandwidth for a particular group of systems, such as remote backup servers, you can
install the appliance on a branch network that includes only those systems. This is shown in the following figure.
Figure 1. Inline Mode, Accelerating Selected Systems Only
CloudBridge traffic shaping relies on controlling the entire link, so traffic shaping is not effective with this topology,
because the appliance sees only a portion of link traffic. Latency control is up to the bottleneck gateway, and interactive
responsiveness can suffer.
citrix.com 384
Configuring and Troubleshooting Inline Mode
Inline mode requires only basic configuration, because it is applied automatically to any packets passing through the
accelerated bridge. Troubleshooting is described under .
citrix.com 385
WCCP Mode
Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended
only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such
as Citrix CloudBridge appliances.
WCCP mode is the simplest way of installing a CloudBridge appliance when inline operation is impractical. It is also
useful where asymmetric routing occurs, that is, when packets from the same connection arrive over different WAN
links. In WCCP mode, the routers use the WCCP 2.0 protocol to divert traffic through the appliance. Once received by
the appliance, the traffic is treated by the acceleration engine and traffic shaper as if it were received in inline mode.
Note:
For the purposes of this discussion, WCCP version 1 is considered obsolete and only WCCP version 2 is
presented.
The standard WCCP documentation calls WCCP clients caches. To avoid confusion with actual
caches, Citrix generally avoids calling a WCCP client a cache. Instead, WCCP clients are typically
called appliances.
This discussion uses the term router to indicate WCCP-capable routers and WCCP-capable
switches. Though the term router is used here, some high-end switches also support WCCP, and
can be used with CloudBridge appliances.
WCCP is the original CloudBridge WCCP offering supported since release 3.x. It supports a single appliance
service group (no clustering).
WCCP clustering, introduced in release 7.2, allows your router to load-balance traffic between multiple
appliances.
A WCCP-mode appliance requires only a single Ethernet port. The appliance should either be deployed on a dedicated
router port (or WCCP-capable switch port) or isolated from other traffic through a VLAN. Do not mix inline and WCCP
modes.
The following figure shows how a router is configured to intercept traffic on selected interfaces and forward it to the
WCCP-enabled appliance. Whenever the WCCP-enabled appliance is not available, the traffic is not intercepted, and is
forwarded normally.
Figure 1. WCCP Traffic Flow
Traffic Encapsulation
WCCP allows traffic to be forwarded between the router and the appliance in either of the following modes:
L2 ModeRequires that the router and appliance be on the same L2 segment (typically an Ethernet
segment). The IP packet is unmodified, and only the L2 addressing is altered to forward the packet. In many
devices, L2 forwarding is performed at the hardware layer, giving it the maximum performance. Because of
its performance advantage, L2 forwarding is the preferred mode, but not all WCCP-capable devices support
it.
citrix.com 386
GRE ModeGeneric Routing Encapsulation (GRE) is a routed protocol and the appliance can in theory be
placed anywhere, but for performance it should be placed close to the router, on a fast, uncongested path
that traverses as few switches and routers as possible. GRE is the original WCCP mode. A GRE header is
created and the data packet is appended to it. The receiving device removes the GRE header. With
encapsulation, the appliance can be on a subnet that is not directly attached to the router. However, both the
encapsulation process and the subsequent routing add CPU overhead to the router, and the addition of the
28-byte GRE header can lead to packet fragmentation, which adds additional overhead.
WCCP mode supports multiple routers and both GRE vs. L2 forwarding. Each router can have multiple WAN links. Each
link can have its own WCCP service group.
Traffic shaping is not effective unless the appliance manages UDP traffic as well as TCP traffic. A second service group,
with a UDP service group for each WAN link, is recommended if traffic shaping is desired.
Multiple service groups can be used with WCCP on the same appliance. For example, the appliance can receive
service-group 51 traffic from one WAN link and service-group 62 traffic from another WAN link. The appliance also
supports multiple routers. It is indifferent to whether all the routers use the same service group or different routers use
different service groups.
Service Group Tracking. If a packet arrives on one service group, output packets for the same connection are sent on
the same service group. If packets arrive for the same connection on multiple service groups, output packets track the
most recently seen service group for that connection.
citrix.com 387
When WCCP is used with high-availability mode, the primary appliance sends its own apA or apB management IP
address, not the virtual address of the HA pair, when it contacts the router. If failover occurs, the new primary appliance
contacts the router automatically, reestablishing the WCCP channel. In most cases the WCCP timeout period and the
HA failover time overlap. As a result, the network outage is less than the sum of the two delays.
Standard WCCP allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the
router, it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It
periodically checks to determine whether the service group is still active with the other appliance, and the new appliance
handles the service group when the other appliance becomes inactive. WCCP clustering allows multiple appliances per
service group.
Deployment Topology
The following figure shows a simple WCCP deployment, suitable for either L2 or GRE. The traffic port (1/1) is connected
directly to a dedicated router port (Gig 4/12).
Figure 3. Simple WCCP deployment
In this example, the CloudBridge 4000/5000 is deployed in one-arm mode, with the traffic port (1/1) and the
management port (0/1) each connecting to its own dedicated router port.
On the router, WCCP is configured with identical ip wccp redirect in statements on the WAN and LAN ports.
Two service groups are used, 71 and 72. Service group 71 is used for TCP traffic and service group 72 is used for UDP
traffic. The CloudBridge appliance does not accelerate UDP traffic, but can apply traffic shaping policies to it.
Note: The WCCP specification does not allow protocols other than TCP and UDP to be forwarded, so protocols such as
ICMP and GRE always bypass the appliance.
WCCP Clustering
CloudBridge release 7.2 or later supports WCCP clustering, which enables your router to load-balance your traffic
between multiple appliances. For more information about deploying CloudBridge appliances as a cluster, see WCCP
Clustering.
WCCP Specification
For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.
org/html/draft-mclaggan-wccp-v2rev1-00.
citrix.com 388
WCCP Mode (Non-Clustered)
WCCP mode allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the router,
it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It periodically
checks to determine whether the service group is still active with the other appliance, and the new appliance handles
the service group when the other appliance becomes inactive.
Note: WCCP clustering allows multiple appliances per service group.
On appliances with more than one accelerated pair, all the traffic for a given WCCP service group must
arrive on the same accelerated pair.
Do not mix inline and WCCP traffic on the same appliance. The appliance does not enforce this guideline,
but violating it can cause difficulties with acceleration. (WCCP and virtual inline modes can be mixed, but
only if the WCCP and virtual inline traffic are coming from different routers.)
For sites with a single WAN router, use WCCP whenever inline mode is not practical.
Only one appliance is supported per service group. If more than one appliance attempts to connect to the
same router with the same service group, the negotiation will succeed only for the first appliance.
For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one,
some, or all of your WAN routers. Other routers can use virtual inline mode.
citrix.com 389
Router Support for WCCP
Configuring the router for WCCP is very simple. WCCP version 2 support is included in all modern routers, having been
added to the Cisco IOS at release 12.0(11)S and 12.1(3)T. The best router-configuration strategy is determined by the
characteristics of your router and switches. Traffic shaping requires two service groups.
If your router supports Reverse Path Forwarding, you must disable it on all ports, because it can confuse WCCP traffic
with spoofed traffic. This feature is found in newer Cisco routers such as the Cisco 7600.
On the WAN port only, add a WCCP redirect in statement and a WCCP redirect out
statement.
On every port on the router, except the port attached to the appliance, add a WCCP redirect in
statement.
The first method redirects only WAN traffic to the appliance, while the second method redirects all router traffic to the
appliance, whether it is WAN related or not. On a router with several LAN ports and substantial LAN-to-LAN traffic,
sending all traffic to the appliance can overload its LAN segment and burden the appliance with this unnecessary load.
If GRE is used, the unnecessary traffic can load down the router as well.
On some routers, the "redirect in" path is faster and puts less of a load on the router's CPU than does the "redirect out"
path. If necessary, this can be determined by direct experiment on your router: Try both redirection methods under full
network load to see which delivers the highest transfer rates.
Some routers and WCCP-capable switches do not support "WCCP redirect out," so the second method must be used.
To avoid overloading the router, the best practice to avoid redirecting large numbers of router ports through the
appliance, perhaps by using two routers, one for WAN routing and one for LAN-to-LAN routing.
citrix.com 390
Configuring the Router
The appliance negotiates WCCP-GRE or WCCP-L2 automatically. The main choice is between unicast operation (in
which the appliance is configured with the IP address of each router), or multicast operation (in which both the appliance
and the routers are configured with the multicast address.)
Normal (Unicast) operationFor normal operation, the procedure is to declare WCCP version 2 and the WCCP group ID
for the router as a whole, then enable redirection on each WAN interface. Following is a Cisco IOS example:
config term
ip wccp version 2
! We will configure the appliance to use group 51 for TCP and 52 for UDP.
ip wccp 51
ip wccp 52
If multiple routers are to use the same appliance, each is configured as shown above, using either the same service
groups or different ones.
Multicast operationWhen giving the appliance and each router a multicast address, the configuration is slightly different
than for normal operation. Following is a Cisco IOS example:
config term
ip wccp version 2
ip wccp 51 group-address 225.0.0.1
citrix.com 391
Basic Configuration Procedure for WCCP Mode on the CloudBridge Appliance
For most sites, you can use the following procedure to configure the WCCP mode on the appliance. The procedure has
you set several parameters to sensible default values. Advanced deployments might require that you set these
parameters to other values. For example, if WCCP service group 51 is already used by your router, you need to use a
different value for the appliance.
citrix.com 392
WCCP Service Group Configuration Details
In a service group, a WCCP router and a CloudBridge appliance ("WCCP Cache" in WCCP terminology) negotiate
communication attributes (capabilities). The router advertises its capabilities in the "I See You" message. The communication
attributes are:
The appliance triggers an alert if it detects an incompatibility between its attributes and those of the router. The
appliance might be incompatible because of a specific attribute of a service group (such as GRE or Level-2). More
rarely, in a multicast service group, an alert can be triggered when the "Auto" selection chooses a particular attribute
with a particular router connected, but the attribute is incompatible with a subsequent router.
Following are the basic rules for the communication attributes within a CloudBridge Appliance.
For Router Forwarding:
When Auto is selected, the preference is for Level-2, because it is more efficient for both router and
appliance. Level-2 is negotiated if the router supports it and the router is on the same subnet as the
appliance.
Routers in a unicast service group can negotiate different methods if Auto is selected.
Routers in a multicast service group must all use the same method, whether forced with GRE or
Level-2, or, with Auto, as determined by the first router in the service group to connect.
For an incompatibility, an alert announces that the router has incompatible router forwarding.
For the Mask method, the appliance negotiates the source IP address mask. The appliance
provides no mechanism to select destination IP address or the ports for either source or
destination. The source IP address mask does not specifically identify any specific IP address
or range. The protocol does not provide a means to specify a specific IP address. By default, because
there is only a single appliance in the service group, a one-bit mask is used, to conserve router
resources. (Release 6.0 used a larger mask.)
For Password:
If the router requires a password, the password defined on the appliance must match. If the router does not
require a password, the password field on the appliance must be blank.
citrix.com 393
WCCP Testing and Troubleshooting
When working with WCCP, the appliance provides different ways of monitoring the status of the WCCP interface, and
your router should also provide information.
Monitoring: Appliance Performance: WCCP PageThe WCCP page reports the current state of the WCCP link,
and reports most problems.
Log EntriesThe Monitoring: Appliance Performance: Logging page shows a new entry each time WCCP mode is
established or lost.
Figure 1. WCCP Log Entries (format varies somewhat with release)
Router StatusOn the router, the "show ip wccp" command shows the status of the WCCP link:
Router>enable
Password:
Router#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.16.2.4
Protocol Version: 2.0
Service Identifier: 51
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 19951
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
citrix.com 394
WCCP Clustering
The WCCP clustering feature enables you to multiply your acceleration capacity by assigning more than one
CloudBridge appliance to the same links. You can cluster up to 32 identical appliances, for up to 32 times the capacity.
Because it uses the WCCP 2.0 standard, WCCP clustering works on most routers and some smart switches, most likely
including those you are already using.
Because it uses a decentralized protocol, WCCP clustering allows CloudBridge appliances to be added or removed at
will. If an appliance fails, its traffic is rerouted to the surviving appliances.
Unlike CloudBridge high-availability, an active/passive pair that uses two appliances to provide the performance of a
single appliance, the same appliances deployed as a WCCP cluster has twice the performance of a single appliance,
delivering both redundancy and improved performance.
In addition to adding more appliances as your sites needs increase, you can use Citrixs Pay as You
Grow feature to increase your appliances capabilities through license upgrades.
Citrix Command Center is recommended for managing WCCP clusters. The following figure shows a basic network of a
cluster of CloudBridge appliances in WCCP mode, administered by using Citrix Command Center.
Figure 1. CloudBridge Cluster Administered by Using Citrix Command Center
One appliance in the cluster is selected as the designated cache, and controls the load-balancing behavior of the
appliances in the cluster. The designated cache is the appliance with the lowest IP address. Because the appliances
have identical configurations, it doesnt matter which one is the designated cache. If the current designated cache
goes offline, a different appliance becomes the designated cache.
The designated cache determines how the load-balanced traffic is allocated and informs the router of these decisions.
The router shares information with all members of the cluster, so the cluster can operate even if the designated cache
goes offline.
Note: As normally configured, a CloudBridge 4000/5000 appliance appears as two WCCP caches to the router.
Load-Balancing Algorithm
Load balancing in WCCP is static, except when an appliance enters or leaves the cluster, which causes the cluster to
be rebalanced among its current members.
citrix.com 395
The WCCP standard supports load balancing based on a mask or a hash. For example, CloudBridge WCCP
clustering uses the mask method only, using a mask of 1-6 bits of the 32-bit IP address. These address bits can
be non-consecutive. All addresses yielding the same result when masked are sent to the same appliance. Load
balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor
load-balancing or even none, with all traffic sent to a single appliance.
citrix.com 396
Deployment Topology
Depending on your network topology, you can deploy WCCP cluster either with a single router or with multiple routers.
Whether connected to a single router or multiple routers, each appliance in the cluster must be connected identically to
all routers in use.
As shown on the CloudBridge Datasheet, a CloudBridge 3000-100 can support 100 Mbps and 400 users, so a pair of
these appliances supports 200 Mbps and 800 users, which satisfies the datacenters requirements of a 200 Mbps
link and 750 users.
For fault tolerance, however, the WCCP cluster should continue to operate without becoming overloaded if one
appliance fails. That can be accomplished by using three appliances when the calculations call for two. This is called the
N+1 rule.
Failure is an unusual event, so usually all three appliances are in operation. In this case, each appliance is supporting
only 67 Mbps and 250 users, leaving plenty of headroom, and making good use of the fact that the cluster has three
times the CPU power and three times the compression history of a single appliance.
Without WCCP clustering, the same level of capacity and fault-tolerance would require a pair of CloudBridge 4000-500
appliances in high availability mode. Only one of these appliances is active at a time.
citrix.com 397
Limitations
Configuring appliances in a WCCP cluster has the following limitations:
All appliances within a cluster must be the same model and use the same software release.
Parameter synchronization between appliances within the cluster is not automatic. Use Command Center to
manage the appliances as a group.
CloudBridge traffic shaping is not effective, because it relies on controlling the entire link as a unit, and none
of the appliances are in a position to do this. Router QoS can be used instead.
The WCCP-based load-balancing algorithms do not vary dynamically with load, so achieving a good load
balance can require some tuning.
The hash method of cache assignment is not supported. Mask assignment is the supported method.
While the WCCP standard allows mask lengths of 1-7 bits, the appliance supports masks of 1-6 bits.
Multicast service groups are not supported; only unicast service groups are supported.
All routers using the same service group pair must support the same forwarding method (GRE or L2).
The forwarding and return method negotiated with the router must match: both must be GRE or both must
be L2. Some routers do not support L2 in both directions, resulting in an error of "Router's forward or return
or assignment capability mismatch." In this case, the service group must be configured as GRE.
CloudBridge VPX does not support WCCP clustering.
The appliance supports (and negotiates) only unweighted (equal) cache assignments. Weighted
assignments are not supported.
Some older appliances, such as the CloudBridge 700, do not support WCCP clustering.
(CloudBridge 4000/5000 only) Two accelerator instances are required per interface in L2 mode. No more
than three interfaces are supported per appliance (and then only on appliances with six or more accelerator
instances.)
(CloudBridge 4000/5000 only) WCCP control packets from the router must match one of the router IP
addresses configured on the appliance for the service group. In practice, the router's IP address for the
interface that connects it to the appliance should be used. The router's loopback IP should not be used.
citrix.com 398
Planning Your Deployment
Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the
following sections carefully before proceeding.
citrix.com 399
Selecting Appliances
The appliances you select for the deployment must all be the same model, running the same software version.
Otherwise, management and troubleshooting can become impractical.
Your appliance choice is generally made by comparing your sites WAN bandwidth and number of WAN users to
the capacities of the different appliances in the CloudBridge Data Sheet. For fault tolerance, always order one more
appliance than is absolutely required according to the data sheet.
The number of appliances you need is found as follows, rounding up all fractions:
Note that if appliances = 2, you can use just a single appliance instead of WCCP clustering, or an HA pair instead of
WCCP clustering, since the equation builds in a spare appliance. In other words, WCCP clustering is not necessary
(from a capacity perspective) unless appliances is 3 or more.
Example. Suppose you have 700 users and a 100 Mbps link. Some appliances you might consider are the CloudBridge
2000-050, the CloudBridge 3000-100, and the CloudBridge 4000-310.
Model Optimized WAN Capacity Maximum HDX Sessions Appliances_bw Appliances_users Appliances
2000- 50 Mbps 300 3 4 4
050
3000- 100 Mbps 400 2 3 3
100
4000- 310 Mbps 750 2 2 2
310
As you can see from the above table, the higher-performance platforms require fewer appliances to get the job done, as
you would expect. The CloudBridge 4000-310 meets the requirements with a single appliance, and evaluates to two
appliances only because the equations build in a spare.
You can always add more capacity by adding more appliances, but that is not always necessary. The bandwidth limits
of two of the three choices, the CloudBridge 3000-100 and the CloudBridge 4000-310, can be increased through a
license upgrade. The CloudBridge 2000-050 however, is already at the high end of the range for CloudBridge 2000
appliances.
citrix.com 400
Load-Balancing in the WCCP Cluster
Traffic is distributed among the appliances in the WCCP cluster. If an appliance leaves the cluster (through failure,
overload, or being manually disabled), its traffic is rebalanced by distributing it among the surviving members. If an
appliance joins the cluster, traffic is rebalanced once more to give the new appliance its fair share.
Traffic is distributed on the basis of an address mask that is applied to the source and destination addresses of WAN
traffic. You must select an appropriate mask field for efficient load-balancing. An inappropriate mask can result in load-
balancing that is poor to nonexistent. For example, if the mask matches an address field that is identical at all your
remote sites, all your WAN traffic is sent to a single appliance, overloading it. For example, if all of your remote sites
have an address in the form of 10.0.x.x, and your mask bits are within the 10.0 portion of the address all traffic is sent to
a single appliance.
The address bits extracted by the address mask are used as an index that is used (indirectly) to select one of the WCCP
caches (appliances). For example, an address mask with two one bits results in four possible values, depending on the
address. Each of these values can be thought of as a bucket. With two mask bits, you have four buckets, numbered 0-3. The
buckets are assigned to WCCP caches. To be effective, there must be at least as many buckets as caches. If you use a two-
bit mask and have five or more caches, some caches are idle, because each bucket is assigned to only one cache, and there
are not enough buckets to cover all five caches:
Cache 1 2 3 4 5
Buckets 0 1 2 3 -
If there are more buckets than caches, some caches are assigned multiple buckets. For example, if you set three mask bits,
creating eight buckets, and you have four caches, two buckets are assigned to each cache. If you have five caches, three
caches are assigned two buckets each, and two caches are assigned just one. If each bucket represents the same number of
users, you have a 2:1 load imbalance across caches:
Cache 1 2 3 4 5
Buckets 0-1 2-3 4-5 6 7
Increasing the number of set mask bits reduces this imbalance. With four mask bits (16 index values) and five caches, four
caches receive three buckets and one cache receives four buckets, resulting in only a 4:3 imbalance. With six set mask bits
(the largest number supported), four caches receive 13 buckets and one receives 12, which is only a 13:12 load imbalance.
Cache 1 2 3 4 5
Buckets 0-12 13-25 26-38 39-51 52-63
Ideally, you would like each remote site to be directed to a single appliance in the WCCP cluster, so that all traffic to and
from a given site is stored in the same compression history. With this arrangement, any traffic from one user at the site
can be used to compress similar traffic from any other user at that site. In other words, for compressibility, load-
balancing works best if it the address mask selects the bits that differentiate one remote site from another. These are
often the least-significant bits of the subnet portion of the IP address. Using these bits tends to allocate the same
number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of
the subnet results in a more equal number of remote users (not sites) per appliance, but at the expense of compression
effectiveness. (Compression is only effective when connections flow through the same appliances, and splitting traffic
from the same remote site between two or more local appliances interferes with this.)
Finally, for good load-balancing, each "one" bit in the address mask must be set to one on 50% of the remote
addresses, and set to zero on 50% of the remote addresses. This is not the case on all address bits, since in most
WANs, the highest-order network bits never change at all (such as the 10 in 10.x.x.x). Such bits must never be selected
by the address mask.
In addition, many subnets are only sparsely populated. For example, if only 50 addresses are used in the subnet
10.1.2.0/24, and they are assigned sequentially, the two higher-order host bits (representing the unused range of
10.1.2.64-10.1.2.255) for this subnet never change, and if these two bits are included in the address mask, three-fourths
of the buckets receive no traffic.
The number of one bits in the address mask must allow at least as many combinations as there are
WCCP caches in the cluster. That is, if you have eight appliances, the address mask must contain at least
three one bits.
The one bits in the address mask must each be inside the active address range for most of your
remote subnets, or they skew the load-balancing distribution.
citrix.com 401
The mask should split the address range of individual remote sites into as few pieces as possible, for best
compression performance.
If a remote appliance is faster than the local members of the WCCP cluster, the mask should be designed to
divide its traffic between multiple local appliances. For example, a 100 Mbps remote appliance should have
its traffic split between two 50 Mbps local appliances by setting a bit inside the remote appliances active
address range.
The one bits in the mask are typically contiguous, but this is not required. They can be in any
pattern.
Example: Suppose you set an address mask of 0x0000 0f00, which has four one bits. This defines a four-bit
field that is extracted from the IP address, yielding 16 possible results (16 buckets). These buckets are in turn assigned
to the actual WCCP caches in the WCCP cluster.
Address Masked Address (mask = 0x0000 0f00) Bucket
10.0.0.5 0.0.0.0 0
10.0.1.128 0.0.1.0 1
155.0.2.55 0.0.2.0 2
253.100.255.2 0.0.15.0 15
10.0.15.1 0.0.15.0 15
Zero bits in the mask are ignored, and the one bits are used to define the extracted field. So if the mask is 0x10
10 10 10, these widely separated one bits are extracted into a four-bit field, declaring 16 buckets and a bucket
numbers in the range of 0-15.
citrix.com 402
Assigning Buckets to Appliances
The mapping of bucket to appliances is subject to several variables:
Which appliances are available: If an appliance is down, its share of buckets are given to the available
appliance. If a new appliance is added to the cluster, it is given its fair share of buckets.
The mapping algorithm used (deterministic or least-disruptive).
The order in which appliances come online (least-disruptive mapping only).
The IP addresses of the appliances. WCCP algorithms can use a sorted list of appliance IP addresses; for
example, assigning buckets to appliances in the same order as the appliance IP addresses.
The most important of these factors, from an administrators point of view, is the mapping algorithm.
Deterministic mapping. The deterministic mapping algorithm is less graceful than the least-disruptive algorithm, but it
supports Hot Standby Router Protocol (HSRP) and Global Server Load Balancing (GSLB) routing, and is required when
multiple routers using such protocols share the WCCP cluster.
Deterministic mapping is also the preferred method when the cluster has only two appliances.
Assignments are based on the IP addresses of the active appliances. Each appliance gets its fair share of bucket, with
the lowest-numbered bucket being assigned to the appliance with the lowest IP address. If there are more appliances
than buckets, the leftover appliances (with no bucket assigned to them) are the ones with the highest-numbered IP
addresses. This deterministic assignment allows traffic to arrive for a single connection through any of the routers in the
service group and be forwarded to the same appliance.
Reassignment can be disruptive to accelerated connections, which are reset if they migrate to a different appliance.
With deterministic mapping, the number of buckets that are reassigned to new appliances can be quite high if there are
three or more appliances.
Least-disruptive mapping. When a bucket is assigned to a different appliance, any open accelerated connections that
used the old appliance is reset. The least-disruptive algorithm keeps the reassignment to a minimum. For example, if
you have three appliances, and one appliance fails, the new mapping preserves roughly two-thirds of the assignments
and remaps the remaining third (which fails anyway, because their appliance failed). The least-disruptive algorithm does
not support HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the
service group, and therefore, packets from a single connection might be sent to two different appliances by two different
routers, which causes accelerated connections to fail.
citrix.com 403
Startup and Failover Behavior
Each appliance registers itself with the routers specified in its service class definitions. The first appliance to register
itself, becomes the designated cache, and works with the routers to apportion traffic between itself and the other caches
(called subordinate caches). Because your appliances use identical WCCP algorithms, it does not matter which one
becomes the designated cache.
As additional appliances come online, they are added to the WCCP cluster, and the traffic is reapportioned among the
active appliances. This happens at ten-second increments. After a cold start of the routers or appliances, all of the
appliances might come online within the same ten-second window, or they might arrive over multiple ten-second
windows, causing traffic to be reapportioned multiple times before it stabilizes. In the latter case, the appliances that
come online first maycan become overloaded until additional appliances come online.
An accelerated connection fails when allocated to a different appliance, making reallocation disruptive. This is not true
of non-accelerated connections, which generally experience a delay of thirty seconds or more, and then continue. The
least-disruptive mapping option minimizes the amount of reallocation when an appliance fails.
If an appliance fails or otherwise goes offline, its absence is noted, and the designated cache reapportions its traffic to
the remaining appliances. If the designated cache itself goes offline, the role of designated cache is also reapportioned.
It takes about thirty seconds for the cluster to react to the loss of a cache.
citrix.com 404
Deployment Worksheet
On the following worksheet, you can calculate the number of appliances needed for your installation and the
recommended mask field size. The recommended mask size is 1-2 bits larger than the minimum mask size for your
installation.
Parameter Value Notes
Appliance Model Used
XenApp and XenDesktop Users on WAN Link Uwan =
User overload Factor Uoverload = Uwan/Uspec =
WAN Link BW BWwan =
BW Overload Factor BWoverload = BWwan/BWspec =
Min number of buckets Bmin = N, rounded up a power of 2
=
If CloudBridge 4000 or 5000, Bmin = 2*N, rounded up to a power
of 2 =
Recommended value B = 4 * Bmin if Bmin <= 16, else 2 *
Bmin =
Mask value: The mask value is a 32-bit address mask with a number of one bits equal to M in the above
worksheet. Often these bits can be the least-significant bits in the WAN subnet mask used by your remote sites. If the
masks at your remote sites vary, use the median mask. (Example: With /24 subnets, the least significant bits of the
subnet are 0x00 00 nn 00. The number of bits to set to one is log2(mask size): if mask size is 16, set four bits to one. So
with a mask size of 16 and a /24 subnet, set the mask value to 0x00 00 0f 00.): ______
The above guidelines work only if the selected subnet field is evenly distributed in your traffic, that is, that each address
bit selected by the mask is a one for half the remote hosts, and a zero for the other half. Otherwise, load-balancing is
impaired. This even distribution might be true for only a small number of bits in the network field (perhaps only two or
three bits). If this is the case with your network, instead of masking bits in the offending area of the subnet field, displace
those bits to a portion of the host address field that has the 50/50 property. For example, if only three subnet bits in a
/24 subnet have the 50/50 property, and you are using four mask bits, a mask of 0x00 00 07 10 avoids the offending bit
at 0x00 00 0800 and displaces it to 0x00 00 00 10, a portion of the address field that is likely to have the 50/50 property
if your remote subnets generally use at least 32 IP addresses each.
Parameter Value Notes
Final Mask Value
citrix.com 405
Accelerated Bridge Usually apA
WAN Service A service group not already in use on your router (51-255)
Group
LAN Service Group Another unused service group
Router IP address IP address of router interface on port facing the appliance
WCCP Protocol
(usually "Auto")
DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing
like HSRP or GSLB. Otherwise, use "Least Disruptive."
citrix.com 406
Configuring WCCP Clustering
After you have finalized the deployment topology, considered all limitations, and filled in the deployment worksheet, you
are ready to deploy your appliances in a WCCP cluster. To configure the WCCP cluster, you need to perform the
following tasks:
citrix.com 407
Configuring the Router
WCCP configuration on the router is simple, because most WCCP parameters are set by the appliances.
Unlike legacy CloudBridge WCCP support, WCCP clustering uses two service groups for TCP traffic. One service group
is used on the router's WAN interface, and the other is used on the router's LAN interfaces (except for the LAN interface
used by the CloudBridge appliances themselves, when deployed in L2-mode WCCP cluster).
As shown in the following figure, you need to configure two service groups because WCCP allows the mask to be
applied to either the source IP or the destination IP address, which is not quite what is required. To keep connections
between two endpoints together, regardless of which endpoint initiates the connection, the appliance applies the
address mask to the source IP address of incoming WAN traffic, and to the destination IP address of incoming LAN
traffic. This requires two service groups.
The WAN service group uses WCCP source-ip address masking, while the LAN service group uses dest-ip masking. In
some deployments, it may be necessary to reverse the assignments, using the WAN service group for your LAN
interface and vice versa. This might occur if the number of local IP addresses greatly exceeds the number of remote IP
addresses.
Figure 1. CloudBridge WCCP Cluster
Example. The following example uses service group 61 for the WAN service group and service group 62 for the LAN service
group. Three router interfaces are used. One is connected to the WAN, one is connected to the LAN, and one is connected to
the WCCP cluster.
!
! Example is for WCCP clustering using WCCP redirect in statements
! on LAN and WAN interfaces.
! This definition is appropriate for modern Cisco routers.
! Global declarations
ip wccp 61
ip wccp 62
!
interface GigabitEthernet1/1
description LAN interface. SG 62 is used for LAN
ip address 172.80.1.56 255.255.255.0
ip wccp 62 redirect in
!
interface GigabitEthernet1/2
description LAN interface attaching CloudBridge L2-WCCP appliances
description (No wccp redirect statements are used on this interface)
citrix.com 408
ip address 172.80.21.56 255.255.255.0
!
interface GigabitEthernet1/3
description WAN interface. SG 61 is used for WAN
ip address 172.80.22.56 255.255.255.0
ip wccp 61 redirect in
!
Note: If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in statement.
Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip wccp 61 redirect in
statement.
If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in
statement. Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip
wccp 61 redirect in statement.
If multiple routers shared the same WCCP cluster, they use the same service groups.
It is also possible to use ip wccp redirect statements on only the WAN interfaces:
In many routers, the ip wccp redirect out path is not optimized in hardware, but uses the CPU. If the routers
capabilities along this path exceeds the WAN speed, this method is practical, and is simpler than using redirect
statements on every interface.
Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address
might be allowed to be redirected through WCCP.
citrix.com 409
Configuring the Appliance
Repeat the following procedure for each appliance in the cluster:
6. Enter T5 from your worksheet as the Cache 1 IP, T6 as the Cache 2 IP, T2 as the Subnet Mask, and T1 as the
Gateway. Click Save. The Configure Service Group section appears.
7. In the Service Group Details section, specify the WAN and LAN service groups (T11 and T12 from your worksheet).
8. In the Priority field, select 100 (in practice this value is somewhat arbitrary).
9. From the Protocol list, select TCP.
10. In the DC Algorithm field, select Deterministic or Least Disruptive. Deterministic is always safe to use, and
should be used if you are using only two appliances, or are using multiple routers. Least Disruptive disrupts
fewer user sessions on failover when used with clusters of three or more appliances, but has restrictions on its use.
11. Set Service Group Pair Status to On.
12. If your router is configured to require a password, enter the password in the Service Group Password field.
Otherwise, leave the field blank.
13. In the Router Communications Details section, enter the IP address of the router (T8 on your worksheet: often
identical to T1 as well). This is the IP address of the appliance-facing router interface. If you use multiple routers to
communicate with the appliance, list them all here.
14. From the Router Forwarding list, select Level 2 or GRE, according to the capabilities of your router. Use Level 2 if you
can, and GRE if you must.
15. For the Mask Value, enter the value you determined from the WCCP Clustering worksheet. This is a critical value: a
poor choice will result in poor load-balancing or none at all.
16. Click Create. This creates the WAN and LAN service groups.
17. On the Configuration > Optimization Rules > Link Definitions page, change the bandwidth limits on each defined WAN
to 95% of the aggregate speed of all your WANs. This prevents the link from being under-utilized when load-balancing
is imperfect. If ICA (XenApp/XenDesktop) is the dominant use, set each appliance to (95% of WAN bandwidth)/N,
where N is the number of appliances (or twice the number of appliances if they are CloudBridge 4000 or 5000 units),
citrix.com 410
to divide the bandwidth equally among the appliances. This latter method is most appropriate for applications with
large numbers of active connections that have relatively low bandwidth requirements.
citrix.com 411
Testing and Troubleshooting
The Monitoring > Appliance > Application Performance > WCCP page shows the current state of not only the local
appliance but of all other appliances that have joined the cluster. Select a WCCP cache and click Get Info.
The Cache Status tab shows the local appliances status. When all is well, the status is 25: has
assignment. You must refresh the page manually to monitor changes in status. If the appliance does not reach the
status of 25: has assignment within a timeout period, other informative status messages are displayed.
Additional information is displayed when you click on the Service Group or the Routers tabs.
The Cluster Summary tab displays information about the WCCP cluster as a whole. As a side effect of the WCCP
protocol, each member of the cluster has information about all the others, so this information can be monitored from any
appliance in the cluster.
Your router can also provide status information. See your router documentation.
citrix.com 412
Virtual Inline Mode
Note: Use virtual inline mode only when both inline mode and WCCP mode are impractical. Do not mix inline and virtual inline
modes within the same appliance. However, you can mix virtual inline and WCCP modes within the same appliance. Citrix
does not recommend virtual inline mode with routers that do not support health monitoring.
In virtual inline mode, the router uses policy based routing (PBR) rules to redirect incoming and outgoing WAN traffic to
the appliance for acceleration, and the appliance forwards the processed packets back to the router. Almost all of the
configuration tasks are performed on the router. The only thing to be configured on the appliance is the forwarding
method, and the default method is recommended.
Like WCCP, Virtual inline deployment requires no rewiring and no downtime, and it provides a solution for asymmetric
routing issues faced in a deployment with two or more WAN links. Unlike WCCP, it contains no built-in status monitoring
or health checking, making troubleshooting difficult. WCCP is thus the recommended mode, and virtual inline is
recommended only when inline and WCCP modes are both impractical.
Example
The following figure shows a simple network in which all traffic destined for or received from the remote site is redirected
to the appliance. In this example, both the local site and remote site use virtual inline mode.
Figure 1. Virtual Inline Example
Following are some configuration details for the network in this example:
Endpoint systems have their gateways set to the local router (which is not unique to virtual inline mode).
Each router is configured to redirect both incoming and outgoing WAN traffic to the local appliance.
Each appliance processes the traffic received from its local router and forwards it back to the router.
PBR rules configured on the router prevent routing loops by allowing packets to make only one trip to and
from the appliance. The packets that the appliance forwards back to the router are sent to their original (local
or remote) destination.
Each appliance has its default gateway set to the address of the local router, as usual (on the
Configuration: Network Adapters page). The options for forwarding packets back to the router are Return
to Ethernet Sender and Send to Gateway.
citrix.com 413
Configuring Packet Forwarding on the Appliance
Virtual inline mode offers two packet-forwarding options:
Return to Ethernet Sender (default)This mode allows multiple routers to share an appliance. The appliance
forwards virtual inline output packets back to where they came from, as indicated by the Ethernet address of the
incoming packet. If two routers share a single appliance, each gets its own traffic back, but not the traffic from the other
router. This mode also works with a single router.
Send to Gateway (not recommended)In this mode, virtual inline output packets are forwarded to the default
gateway for delivery, even if they are destined for hosts on the local subnet. This option is usually less desirable than
the Return to Ethernet Sender option, because it adds an easily forgotten element of complexity to the routing structure.
To specify the packet-forwarding optionOn the Configuration: Optimization Rules: Tuning page, next to Virtual
Inline, select Return to Ethernet Sender or Send to Gateway.
citrix.com 414
Router Configuration
The router has three tasks when supporting virtual inline mode:
1. It must forward both incoming and outgoing WAN traffic to the CloudBridge appliance.
2. It must forward CloudBridge traffic to its destination (WAN or LAN).
3. It must monitor the health of the CloudBridge appliance so that the appliance can be bypassed if it fails.
Policy-Based Rules
In virtual inline mode, the packet forwarding methods can create routing loops if the routing rules do not distinguish
between a packet that has been forwarded by the appliance and one that has not. You can use any method that makes
that distinction.
A typical method involves dedicating one of the router's Ethernet ports to the appliance and creating routing rules that
are based on the Ethernet port on which packets arrive. Packets that arrive on the interface dedicated to the appliance
are never forwarded back to the appliance, but packets arriving on any other interface can be.
The basic routing algorithm is:
Note: When considering routing options, keep in mind that returning data, not just outgoing data, must flow through the
appliance. For example, placing the appliance on the local subnet and designating it as the default router for local systems
does not work in a virtual inline deployment. Outgoing data would flow through the appliance, but incoming data would
bypass it. To force data through the appliance without router reconfiguration, use inline mode.
Health Monitoring
If the appliance fails, data should not be routed to it. By default, Cisco policy based routing does no health monitoring. To
enable health monitoring, define a rule to monitor the appliance's availability, and specify the "verify-availability" option for the
"set ip next-hop" command. With this configuration, if the appliance is not available, the route is not applied, and the
appliance is bypassed.
Important: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy-
based routing do not support health-checking. The health-monitoring feature is relatively new. It became available in Cisco
IOS release 12.3(4)T.
Following is an example of a rule for monitoring the availability of the appliance:
!- Use a ping (ICMP echo) to see if appliance is connected track 123 rtr 1 reachabilit y ! rt
This rule pings the appliance at 192.168.1.200 periodically. You can test against 123 to see if the unit is up.
citrix.com 415
Routing Examples
The following examples illustrate configuring Cisco routers for the local and remote sites shown in Virtual inline example
. To illustrate health monitoring, the configuration for the local site includes health monitoring, but the configuration for
the remote site does not.
Note: The configuration for the local site assumes that a ping monitor has already been configured.
The examples conform to the Cisco IOS CLI. They might not be applicable to routers from other vendors.
Local Site, Health-Checking Enabled
!
! For health-checking to work, do not forget to start
! the monitoring process.
!
! Original configuration is in normal type.
! appliance-specific configuration is in bold.
!
ip cef
!
interface FastEthernet0/0
ip address 10.10.10.5 255.255.255.0
ip policy route-map client_side_map
!
interface FastEthernet0/1
ip address 172.68.1.5 255.255.255.0
ip policy route-map wan_side_map
!
interface FastEthernet1/0
ip address 192.168.1.5 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.1.1
!
ip access-list extended client_side
permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
ip access-list extended wan_side
permit ip 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map wan_side_map permit 20
match ip address wan_side
!- Now set the appliance as the next hop, if its up.
set ip next-hop verify-availability 192.168.1.200 20 track 123
!
route-map client_side_map permit 10
match ip address client_side
set ip next-hop verify-availability 192.168.1.200 10 track 123
citrix.com 416
permit ip 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended wan_side
permit ip 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
!
route-map wan_side_map permit 20
match ip address wan_side
set ip next-hop 192.168.2.200
!
route-map client_side_map permit 10
match ip address client_side
set ip next-hop 192.168.2.200
!_
Each of the above examples applies an access list to a route map and attaches the route map to an interface. The
access lists identify all traffic originating at one accelerated site and terminating at the other (A source IP of 10.10.10.0
/24 and destination of 20.20.20.0/24 or vice versa). See your router's documentation for the details of access lists and
route-maps.
This configuration redirects all matching IP traffic to the appliances. If you want to redirect only TCP traffic, you can change
the access-list configuration as follows (only the remote side's configuration is shown here):
!
ip access-list extended client_side
permit tcp 10.16.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended wan_side
permit tcp 10.10.10.0 0.0.0.255 10.16.20.0 0.0.0.255
!
Note that, for access lists, ordinary masks are not used. Wildcard masks are used instead. Note that when reading a
wildcard mask in binary, "1" is considered a "don't care" bit.
citrix.com 417
Virtual Inline for Multiple-WAN Environments
Enterprises with multiple WAN links often have asymmetric routing policies, which seem to require that an inline
appliance be in two places at once. Virtual inline mode solves the asymmetric routing problem by using the router
configuration to send all WAN traffic through the appliance, regardless of the WAN link used. The below figure shows a
simple multiple-WAN link deployment example.
The two local-side routers redirect traffic to the local appliance. The FE 0/0 ports for both routers are in the same
broadcast domain as the appliance. The local appliance must use the default virtual inline configuration (Return to
Ethernet Sender).
Figure 1. Virtual Inline Mode With Two WAN Routers
citrix.com 418
Virtual Inline Mode and High-Availability
Virtual Inline mode can be used in a high availability (HA) configuration. The below figure shows a simple HA
deployment. In virtual inline mode, a pair of appliances acts as one virtual appliance. Router configuration is the same
for an HA pair as with a single appliance, except that the Virtual IP address of the HA pair, not the IP address of an
individual appliance, is used in the router configuration tables. In this example, the local appliances must use default
virtual inline configuration (Return to Ethernet Sender).
Figure 1. High-availability Example
citrix.com 419
Monitoring and Troubleshooting
In virtual inline mode, unlike WCCP mode, the appliance provides no virtual inline-specific monitoring. To troubleshoot a
virtual inline deployment, log into the appliance and use the Dashboard page to verify that traffic is flowing into and out
of the appliance. Traffic forwarding failures are typically caused by errors in router configuration.
If the Monitoring: Usage or Monitoring: Connections pages show that traffic is being forwarded but no acceleration is
taking place (assuming that an appliance is already installed on the other end of the WAN link), check to make sure that
both incoming WAN traffic and outgoing WAN traffic are being forwarded to the appliance. If only one direction is
forwarded, acceleration cannot take place.
To test health-checking, power down the appliance. The router should stop forwarding traffic after the health-checking
algorithm times out.
citrix.com 420
Group Mode
In group mode, two or more appliances become a single virtual appliance. This mode is one solution to the problem of
asymmetric routing, which is defined as any case in which some packets in a given connection pass through a given
appliance but others do not. A limitation of the appliance architecture is that acceleration cannot take place unless all
packets in a given connection pass through the same two appliances. Group mode overcomes this limitation.
Group mode can be used with multiple or redundant links without reconfiguring your routers.
Note: Group mode is not supported on the CloudBridge 4000 or 5000 appliances.
Group mode applies only to the appliances on one side of the WAN link; the local appliances neither know nor care
whether the remote appliances are using group mode.
Group mode uses a heartbeat mechanism to verify that other members of the group are active. Packets are forwarded
to active group members only.
Avoiding asymmetric routing is the main reason to use group mode, but group mode is not the only method available for
that purpose. If you decide that it is the best method for your environment, you can enable it by setting a few
parameters. If the default mechanism for determining which appliance is responsible for a particular connection does not
provide optimal acceleration, you can change the forwarding rules.
Figure 1. Group Mode With Redundant Links
Figure 2. Group Mode With Non-Redundant Links with Possible Asymmetric Routing
citrix.com 421
When to Use Group Mode
Use group mode in the following set of circumstances:
WCCP mode, in which traffic from two or more links is sent to the same appliance by WAN routers, by
means of the WCCP protocol.
Virtual inline mode, in which your routers send traffic from two or more links through the same appliance (or
high-availability pair).
Multiple bridges, where each link passes through a different accelerated bridge in the same appliance.
LAN-level aggregation, which places an appliance (or high-availability pair) closer to the LAN, before the
point where WAN traffic is split into two or more paths.
citrix.com 422
How Group Mode Works
In group mode, the appliances that are part of the group each take ownership for a portion of the group's connections. If
a given appliance is the owner of a connection, it makes all the acceleration decisions about that connection and is
responsible for compression, flow control, packet retransmission, and so on.
If an appliance receives a packet for a connection for which it is not the owner, it forwards the packet to the appliance
that is the owner. The owner examines the packet, makes the appropriate acceleration decisions, and forwards any
output packets back to the non-owning appliance. This process preserves the link selection made by the router, while
allowing all packets in the connection to be managed by the owning appliance. For the routers, the introduction of the
appliances has no consequences. The routers do not need to be reconfigured in any way, and the appliances do not
need to understand the routing mechanism. They simply accept the routers' forwarding decisions.
Figure 1. Sending-side Traffic in Group Mode
Group mode has two, user-selectable failure modes, which control how the group members interact with each other if
one of them fails. The failure mode also determines whether the failed appliance's bypass card opens (blocking traffic
through the appliance) or remains closed (allowing traffic to pass through). The failure modes are:
Continue to accelerate- If a group member fails, its bypass card is opened and no traffic passes through the failed
appliance. The result is presumably a fail-over if redundant links are used. Otherwise, the link is simply inaccessible.
The other appliances in the group continue to accelerate. The usual hashing algorithm handles the changed conditions.
(That is, the old hashing algorithm is used, and if the failed unit is indicated as the owner, a hashing algorithm based on
the new, smaller group is applied. This preserves as many older connections as possible.)
Do not accelerate- If a group member fails, its bypass card closes, allowing traffic to pass through without acceleration.
Because an unaccelerated path introduces asymmetric routing, the other members of the group also go into pass-
through mode when they detect the failure.
citrix.com 423
Enabling Group Mode
To enable group mode, create a group of two or more appliances. An appliance can be a member of only one group.
Group members are identified by IP address and the SSL common name in the appliance license.
All group mode parameters are on the Settings: Group Mode page, in the Configure Settings: Group Mode table.
Figure 1. Group Mode Page
1. Select the address to use for group communication. At the top of the Group Mode Configuration table on the
Configuration: Advanced Deployments: Group Mode tab, the table cell under Member VIP contains the management
address of the port used to communicate with other group members. Use the (unlabeled) drop-down menu to select
the correct address (for example, to use the Aux1 port, select the IP address you assigned to the Aux1 port). Then,
click Change VIP.
2. Add at least one more group member to the list. (Groups of three or more are supported but are rarely used.) In the
next cell of the Member VIP column, type the IP address of the port used by the other appliance for group-mode
communication.
3. Type the other group members SSL common name in the SSL Common Name column. The SSL common name
is listed on the other appliances Configure: Advanced Deployments: High Availability tab. If the other group
member is a high-availability pair, the name listed is the SSL common name of the primary appliance.
Note: If the local appliance is not part of a high-availability pair, the first cell in the HA Secondary SSL Common Name
is blank.
If the other group member is a high-availability pair, specify the SSL Common Name of the HA secondary
appliance in the HA Secondary SSL Common Name column.
4. Click Add.
5. Repeat steps 2-4 for any additional appliances or high-availability pairs in the group.
6. The three buttons under the list of group members are toggles, so each is labeled as the opposite of its current setting:
a. The top button reads either, Do not accelerate when member failure is detected or Continue to accelerate
when member failure is detected. The Do not accelerate... setting always works and does not block
traffic, but if any member fails, the other group members go into bypass mode, which causes a complete loss
of acceleration. With the Continue to accelerate option, the failing appliances bridge becomes an
open circuit, and the link fails. This option is appropriate if the WAN router responds by causing a failover. New
connections, and open connections belonging to the surviving appliances, are accelerated.
b. The bottom button should now be labeled Disable Group Mode. If it is not, enable group mode by clicking the
button.
7. Refresh the screen. The top of the page should list the group mode partners, but display warnings about their status,
because they havent been configured for group mode yet. For example, it might indicate that the partner cannot
be found or is running a different software release.
8. Repeat this procedure with the other members of the group. Within 20 seconds after enabling the last member of the
group, the Group Mode Status line should show NORMAL, and the other group mode members should be listed with
Status: On-Line and Configuration: OK.
citrix.com 424
Forwarding Rules
By default, the owner of a group-mode connection is set by a hash of the source and destination IP addresses. Each
appliance in the group uses the same algorithm to determine which group member owns a given connection. This
method requires no configuration. The owner can optionally be specified through user-settable rules.
Because the group-mode hash is not identical to that used by load balancers, about half of the traffic tends to be
forwarded to the owning appliance in a two-Appliance group. In the worst case, forwarding causes the load on the LAN-
side interface to be doubled, which halves the appliance's peak forwarding rate for actual WAN traffic.
This speed penalty can be reduced if the Primary or Aux1 Ethernet ports are used for traffic between group members.
For example, if you have a group of two appliances, you can use an Ethernet cable to connect the two units' Primary
ports, then specify the Primary port on the Group Mode page on each unit. However, maximum performance is
achieved if the amount of traffic forwarded between the group-mode members is minimized.
The owner can optionally be set according to specific IP/port-based rules. These rules must be identical on all
appliances in the group. Each member of the group verifies that its group-mode configuration is identical to the others. If
not all of the configurations are identical, none of the member appliances enter group mode.
If traffic arrives first at the appliance that owns the connection, it is accelerated and forwarded normally. If it arrives first
at a different appliance in the group, it is forwarded to its owner over a GRE tunnel, which accelerates it and returns it to
the original appliance for forwarding. Thus, group mode leaves the router's link selection unchanged.
Using explicit IP-based forwarding rules can reduce the amount of group-mode forwarding. This is especially useful in
primary-link/backup-link scenarios, where each link handles a particular range of IP addresses, but can act as a backup
when the other link is down.
Figure 1. IP-Based Owner Selection
Forwarding rules can ensure that group members handle only their "natural" traffic. In many installations, where traffic is
usually routed over its normal link and only rarely crosses the other one, these rules can reduce overhead substantially.
Rules are evaluated in order, from top to bottom, and the first matching rule is used. Rules are matched against an
optional IP address/mask pair (which is compared against both source and destination addresses), and against an
optional port range.
Regardless of the ordering of rules, if the partner appliance is not available, traffic is not forwarded to it, whether a rule
matches or not.
For example, in the figure below, member 172.16.1.102 is the owner of all traffic to or from its own subnet (172.16.1.0
/24), while member 172.16.0.184 is the owner of all other traffic.
If a packet arrives at unit 172.16.1.102, and it is not addressed to/from net 172.16.1.0/24, it is forwarded to 172.16.0.184.
If unit 172.16.0.184 fails, however, unit 172.16.1.102 no longer forwards packets. It attempts to handle the traffic itself.
This behavior can be inhibited by clicking Do NOT Accelerate When Member Failure Detected on the Group Mode
tab.
In a setup with a primary WAN link and a backup WAN link, write the forwarding rules to send all traffic to the appliance
on the primary link. If the primary WAN link fails, but the primary appliance does not, the WAN router fails over and
sends traffic over the secondary link. The appliance on the secondary link forwards traffic to the primary-link appliance,
and acceleration continues undisturbed. This configuration maintains accelerated connections after the link failover.
Figure 2. Forwarding Rules
citrix.com 425
citrix.com 426
Monitoring and Troubleshooting Group Mode
Two things should be checked in a group-mode installation:
That the two appliances have entered group mode, which can be determined on either appliances
Configuration: Advanced Deployments: Group Mode page.
That the behavior of the group-mode pair is as desired when the other member fails, and when one of the
links fail, as determined by disabling the other appliance and temporarily disconnecting one of the links,
respectively.
citrix.com 427
High-Availability Mode
Two identical appliances on the same subnet can be combined as a high-availability pair. The appliances each monitor
the other's status by using the standard Virtual Router Redundancy Protocol (VRRP) heartbeat mechanism. The pair
has a common virtual IP address for management, in addition to each appliance's management IP address. If the
primary appliance fails, the secondary appliance takes over. Failover takes approximately five seconds.
citrix.com 428
How High-Availability Mode Works
In a high availability (HA) pair, one appliance is primary, and the other is secondary. The primary monitors its own and
the secondary's status. If it detects a problem, traffic processing fails over to the secondary appliance. Existing TCP
connections are terminated. To ensure successful failover, the two appliances keep their configurations synchronized.
In a WCCP mode high availability configuration, the appliance that is processing traffic maintains communication with
the upstream router.
Status monitoringWhen high availability is enabled, the primary appliance uses the VRRP protocol to send a
heartbeat signal to the secondary appliance once per second. In addition, the primary appliance monitors the carrier
status of its Ethernet ports. The loss of carrier on a previously active port implies a loss of connectivity.
Failover If the heartbeat signal of the primary appliance should fail, or if the primary appliance loses carrier for five
seconds on any previously active Ethernet port, the secondary appliance takes over, becoming the primary. When the
failed appliance restarts, it becomes the secondary. The new primary announces itself on the network with an ARP
broadcast. MAC spoofing is not used. Ethernet bridging is disabled on the secondary appliance, leaving the primary
appliance as the only path for inline traffic. Fail-to-wire is inhibited on both appliances to prevent loops.
Caution: The Ethernet bypass function is disabled in HA mode. If both appliances in an inline HA pair lose power, connectivity
is lost. If WAN connectivity is needed during power outages, at least one appliance must be attached to a backup power
source.
Note: The secondary appliance in the HA pair has one of its bridge ports, port apA.1, disabled to prevent forwarding loops. If
the appliance has dual bridges, apB.1 is also disabled. In a one-arm installation, use port apA.2. Otherwise, the secondary
appliance becomes inaccessible when HA is enabled.
Primary/secondary assignmentIf both appliances are restarted, the first one to fully initialize itself becomes the
primary. That is, the appliances have no assigned roles, and the first one to become available takes over as the
primary. The appliance with the highest IP address on the interface used for the VRRP heartbeat is used as a tie-
breaker if both become available at the same time.
Connection termination during failoverBoth accelerated and unaccelerated TCP connections are terminated as a
side effect of failover. Non-TCP sessions are not affected, except for the delay caused by the brief period (several
seconds) between the failure of the primary appliance and the failover to the secondary appliance. Users experience the
closing of open connections, but they can open new connections.
Configuration synchronizationThe two appliances synchronize their settings to ensure that the secondary is ready
to take over for the primary. If the configuration of the pair is changed through the browser based interface, the primary
appliance updates the secondary appliance immediately.
HA cannot be enabled unless both appliances are running the same software release.
HA in WCCP modeWhen WCCP is used with an HA pair, the primary appliance establishes communication with the
router. The appliance uses its management IP address on apA or apB, not its virtual IP address, to communicate with
the router. Upon failover, the new primary appliance establishes WCCP communication with the router.
citrix.com 429
Cabling Requirements
The two appliances in the high availability pair are installed onto the same subnet in either a parallel arrangement or a
one-arm arrangement, both of which are shown in the following figure. In a one-arm arrangement, use the apA.2 port
(and, optionally, the apB.2 port), not the apA.1 port. Some models require a separate management LAN, whether
deployed in inline or one-armed mode. This is depicted only in the middle diagram.
Figure 1. Cabling for High-Availability Pairs
Do not break the above topology with additional switches. Random switch arrangements are not supported. Each of the
switches must be either a single, monolithic switch, a single logical switch, or part of the same chassis.
If the spanning-tree protocol (STP) is enabled on the router or switch ports attached to the appliances, failover will work,
but the failover time may increase to roughly thirty seconds. Without STP, failover time is roughly five seconds. Thus, to
achieve the briefest possible failover interval, disable STP on the ports connecting to the appliances.
Figure 2. Ethernet Port Locations (Older Models)
citrix.com 430
Other Requirements
Both appliances in an HA pair must meet the following criteria:
Have identical hardware, as shown by on the System Hardware entry on the Dashboard page.
Run exactly the same software release.
Be equipped with Ethernet bypass cards. To determine what is installed in your appliances, see the
Dashboard page.
Appliances that do not support HA display a warning on the Configuration: High Availability page.
citrix.com 431
Management Access to the High-Availability Pair
When configuring a high-availability (HA) pair, you assign the pair a virtual IP (VIP) address, which enables you to
manage the two appliances as if they were a single unit. After you enable high-availability mode, managing the
secondary appliance through its IP address is mostly disabled, with most parameters grayed out. A warning message
displays the reason on every page. Use the HA VIP for all management tasks. You can, however, disable the secondary
appliance's HA state from its management UI.
citrix.com 432
Configuring the High-Availability Pair
You can configure two newly installed appliances as a high-availability pair, or you can create an HA pair by adding a
second appliance to an existing installation.
Prerequisites: Physical installation and basic configuration procedures
To configure high availability
1. Make sure that no more than one appliance is connected to the traffic networks (on the accelerated bridges). If both
are connected, disconnect one bridge cable from the active bridges on the second appliance. This will prevent
forwarding loops.
2. On the Features page of the first appliance, disable Traffic Processing. This disables acceleration until the HA pair is
configured.
3. Repeat for the second appliance.
4. On the first appliance, go to the Configuration: Advanced Deployments: High Availability tab, show below.
5. Select the Enabled Check box.
6. Click the Configure HA Virtual IP Address link and assign a virtual IP address to the apA interface. This address will
be used later to control both appliances as a unit.
7. Return to the High Availability page and, in the VRRP VRID field, assign a VRRP ID to the pair. Although the value
defaults to zero, the valid range of VRRP ID numbers is 1 through 255. Within this range, you can specify any value
that does not belong to another VRRP device on your network.
8. In the Partner SSL Common Name field, type the other appliances SSL Common Name, which is displayed on
that appliances Configuration: Advanced Deployments: High Availability tab, in the Partner SSL Common Name
field. The SSL credentials used here are factory-installed.
9. Click Update.
10. Repeat steps 3-8 on the second appliance. If you are managing the appliance via an accelerated bridge (such as
apA), you may have to reconnect the Ethernet cable that you removed in step 1 to connect to the second appliance. If
so, plug this cable in and disconnect the corresponding cable on the first appliance.
11. With your browser, navigate to the virtual IP address of the HA pair. Enable Traffic Processing on the Features page.
Any further configuration will be performed from this virtual address.
12. Plug in the cable that was left disconnected.
13. On each appliance, the Configuration: Advanced Deployments: High Availability page should now show that high
availability is active and that one appliance is the primary and the other is the secondary. If this is not the case, a
warning banner appears at the top of the screen, indicating the nature of the problem.
citrix.com 433
Updating Software on a High-Availability Pair
Updating the CloudBridge software on an HA pair causes a failover at one point during the update.
Note: Clicking the Update button terminates all open TCP connections.
citrix.com 434
Saving/Restoring Parameters of an HA Pair
The System Maintenance: Backup/Restore function can be used to save and restore parameters of an HA pair as follows:
1. Disable HA on both appliances by clearing the Enabled check box on the Configuration: Advanced
Deployments: High Availability (HA) tab.
2. Unplug a network cable from the bridge of one appliance. (Call it Appliance A.)
3. Unplug the power cord from Appliance A.
4. Restore the parameters on the other appliance (Appliance B), by uploading a previously saved set of
parameters on the System Maintenance: Backup/Restore page and clicking Restore Settings. (Completing this
operation requires a restart, which reenables HA).
5. Wait for Appliance B to restart. It becomes the primary.
6. Restart Appliance A.
7. Log on to Appliance As GUI and reenable HA on the Configuration: Advanced Deployments: High
Availability (HA) tab. The appliance get its parameters from the primary.
8. Plug in the network cable removed in step 2.
citrix.com 435
Troubleshooting High Availability Pairs
If the appliances report any failure to enter high-availability mode, the error message will also note the cause. Some
issues that can interfere with high-availability mode are:
citrix.com 436
CloudBridge 4000 and 5000 Appliances
Citrix CloudBridge 4000/5000 appliances are high-performance WAN accelerators for busy datacenters. These
appliances combines multiple virtual accelerator instances with a single virtual instance of the NetScaler load-balancer,
providing the performance of multiple CloudBridge appliances in a single package.
CloudBridge 4000/5000 WAN accelerators are the high end of the Citrix CloudBridge product line. They are designed to
accelerate sites with WAN links with speeds in excess of 155 Mbps, especially busy datacenters that communicate with
a large number of branch and regional sites.
Figure 1. Typical Use Case
A single CloudBridge 4000/5000 appliance can support WAN speeds of up to 2 Gbps and up to 5000
XenApp/XenDesktop users.
For datacenters needing even more performance, multiple CloudBridge 4000/5000 appliances can be deployed as a
load-balanced array using the WCCP clustering feature.
Figure 2. Load balancing multiple CloudBridge 4000/5000 appliances
CloudBridge 4000/5000 is recommended at the hub of a hub-and-spoke deployment, where smaller appliances are
used at the spokes, whenever the link speed or the number of XenApp/XenDesktop users is higher than can be
supported by a smaller appliance.
DC to DC Replication
If you require a secondary data center, CloudBridge 4000/5000 appliances can provide optimization for Data-Center to
Data-Center replication. This optimization improves replication time and reduces bandwidth consumption.
For details on how to configure a CloudBridge appliance for DC-to-DC replication with NetApp SnapMirror, see http:
//support.citrix.com/article/CTX137181.
citrix.com 437
Architecture
Internally, the CloudBridge 4000/5000 appliance contains several virtual machines:
A Xen hypervisor
A NetScaler instance
At least two accelerator instances
A management server instance that manages the GUI and other tasks
Internal networking
Figure 2. CloudBridge 4000/5000 virtual machines, internal networks, and external port usage (inline deployment shown)
No WAN traffic enters or leaves the accelerators except as configured in the NetScaler instance. When the appliance is
first used, the Provisioning Wizard sets up an initial configuration that provides communication and load balancing
between the NetScaler instance and the accelerators.
The management service is the management configuration interface for the appliance, and provides access to key
operating and monitoring elements of the appliance. The management service displays CloudBridge parameters as if
they were from a single accelerator, and all changes made through this interface are applied to all the accelerator
instances.
The Xen hypervisor hosts all the virtual machines. The hypervisor is not user-configurable and should not be accessed
except at the request of Citrix.
Traffic InterfacesThe traffic interfaces include all the network interfaces except ports 0/1 and 0/2, which are used
only for management. Acceleration takes place only on the traffic interfaces.
Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other
problems. This isolation can be achieved physically or by tagging management interface and traffic interface packets with
different VLANs.
Management subnetThe virtual machines connect directly to the external management subnet, with different IP
addresses for the management service, NetScaler instance, and XenServer.
Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other
problems. This isolation can be achieved physically or by tagging management interface and traffic interface packets with
different VLANs.
Private Internal traffic subnetThe accelerators' accelerated ports are connected to the NetScaler instance
internally in a one-arm mode, using an internal traffic subnet. There is no direct connection between the instances'
accelerated ports and the appliances external ports. All accelerated traffic to the accelerators is controlled by the
NetScaler instance.
Since this internal subnet is not accessible from outside the appliance, it uses non-routable subnets in the 169.254.0.0/16
range. The NetScaler instance provides NAT for features that require routable access to the accelerator Only the following
two features of the accelerators require IP addresses that can be reached from the outside world:
The signaling IP address, used for secure peering and the CloudBridge Plugin.
IP addresses, used for communication with the router when the WCCP protocol is used.
citrix.com 438
In both cases, the number of externally visible IP addresses is independent of the number of accelerators the appliance
has.
The internal traffic subnet requires two IP addresses per accelerator, plus an address for the NetScaler, plus one or two
WCCP VIP addresses if WCCP is used. Since the internal network is private, it has an abundance of address space for
these tasks.
Data Flow on the Private Traffic SubnetThe one-arm connection between the NetScaler instance and the
accelerators uses the CloudBridge virtual inline mode, in which the NetScaler instance routes packets to the
accelerators and the accelerators route them back to the NetScaler instance. Traffic flow over this internal traffic subnet
is identical regardless of whether the mode visible to the outside world (on the external interfaces) is inline, virtual inline,
or WCCP.
This traffic requires the CloudBridge "Return to Ethernet Sender" option, and the NetScaler MAC Address Forwarding
and Use Subnet IP options, which are enabled by the Provisioning Wizard.
WCCP mode is a one-arm configuration. The accelerators establish WCCP control channels with the
router. In WCCP mode, only one or two accelerators manage the WCCP control channel on behalf of
all the accelerators. Data traffic is load-balanced across all the accelerators. When GRE
encapsulation is used, the NetScaler instance performs GRE encapsulation/decapsulation on the data
stream between itself and the router, allowing the data between the NetScaler and the accelerators to
use a decapsulated, Level-2 configuration.
Inline mode operates much the same as WCCP mode internally, but externally the appliance
emulates a bridge, and no WCCP control channel is established. A packet that enters the appliance
on one bridge port exits through the other bridge port. CloudBridge 4000 and 5000 appliances have
multiple bridges to support multiple inline links.
In virtual inline mode (used when WCCP and inline modes are not feasible), the appliance is deployed
in a one-arm configuration, much like WCCP, but without the WCCP control channel. Traffic is sent to
the appliance from the router, using policy-based routing (PBR) rules. The appliance processes the
traffic and returns it to the router.
See CloudBridge 4000/5000 virtual machines, internal networks, and external port usage for a diagram of port usage on
CloudBridge 4000/5000 appliances. Traffic ports are arranged as a set of accelerated bridges, while the management
ports are independent. Typically only one management port is used.
Accelerated Bridges
CloudBridge 4000/5000 appliances have multiple accelerated bridges. Different models have different numbers and
types of bridge ports. The two ports making up such a bridge are called an "accelerated pair." All current models include
a built-in network bypass function. (Some older CloudBridge 4000-500 and 4000-1000 units do not include network
bypass). The network bypass function (also called "fail to wire") connects pairs of ports together if the appliance fails as
a result of either power loss or software failure (as determined by an internal watchdog timer).
Inline deployment. The bypass function allows CloudBridge 4000/5000 to be deployed in line with your WAN, typically
between your LAN and your WAN router, without introducing a point of network failure.
citrix.com 439
The accelerated bridges support either 1 Gbps or 10 Gbps data rates. Ethernet and SFP+ interfaces are supported,
depending on model.
One-arm deployment. One-arm deployments are also supported, using WCCP or virtual inline modes. With such
deployments, a CloudBridge 4000/5000 traffic port is usually connected directly to a port on the WAN router. The other
port on the bridged pair is left unconnected.
Performance considerations. Inline deployments provide higher performance than the one-arm deployments, because
the use of two ports instead of one doubles the peak throughput of the interfaces.
Peak throughput is important with CloudBridge 4000/5000 appliances, because the compressor provides acceleration in
proportion to the compression ratio. That is, a connection that achieves 100:1 compression transfers data one hundred
times faster than an uncompressed connection, provided that the rest of the network path can keep up.
For example, take a datacenter with a 500 Mbps WAN link and a 1 Gbps LAN. The small 2:1 speed ratio between the
WAN and LAN allows compression to provide only a 2x speedup on a whole-link basis, because there is no way to get
data onto or off of the LAN at speeds above 1 Gbps. A 10 Gbps LAN, which allows a tenfold increase in peak data
rates, is recommended for use with CloudBridge 4000/5000 deployments.
When a CloudBridge 4000/5000 appliance is deployed in a one-arm mode, the peak transfer rate is cut in half. A
CloudBridge 4000/5000 in one-arm mode, connected to the router with a 1 Gbps LAN interface, saturates this interface
when the WAN is running at full speed in both directions. For good performance, a CloudBridge 4000/5000 must have a
LAN interface that is much faster than the WAN. When the appliance is connected directly to the router in a one-arm
mode, use a 10 Gbps router port.
Note: The 10 Gbps ports support 10 Gbps only. They do not negotiate lower speeds. Use the 1 Gbps ports for 1 Gbps
networks.
Other Ports
A CloudBridge 4000/5000 appliance has at least two non-accelerated ports. Port 0/1 is typically used for management,
Port 0/2 is present but typically not used. A Light Out Management (LOM) port is also provided. An RS-232 port can be
used for management.
citrix.com 440
Supported Features
Table 1. Features Table for Citrix CloudBridge 4000 and 5000 Series Appliances
Citrix CloudBridge 4000 series Citrix CloudBridge 5000 series
AutoConfiguration N N
CloudBridge Connector Y Y
CloudBridge Plug-In Y Y
Compression Y Y
RPC over HTTPS Y Y
SSL Compression Y Y
TCP Acceleration Y Y
Traffic Shaping Y Y
Video Caching N N
Windows File System Acceleration Y Y
Windows Outlook Acceleration Y Y
XenApp/ XenDesktop Acceleration Y Y
Group Mode Mode N N
High Availability Mode Y Y
Inline Mode Y Y
Virtual Inline Mode Y Y
WCCP Mode Y Y
VLANs Y Y
citrix.com 441
Hardware Platforms
Citrix CloudBridge 4000 and 5000 is a high-performance WAN accelerator for busy datacenters that combines multiple
virtual instances of the CloudBridge appliance with a single virtual instance of the NetScaler load-balancer, providing the
performance of multiple CloudBridge appliances in a single package.
citrix.com 442
Introduction to the Hardware Platforms
Citrix CloudBridge 4000/5000 appliances are the highest-performing products in Citrix CloudBridge Product line. The
appliances achieve this performance by combining a NetScaler VPX load balancer with three to eight accelerators, all in
a single high-performance server that meets the needs of busy datacenters.
citrix.com 443
Hardware Components
Each platform has front panel and back panel hardware components. The front panel has an LCD display and an
RS232 serial console port. The number, type, and location of portscopper Ethernet, copper and fiber 1G SFP and
10G SFP+vary by hardware platform. The back panel provides access to the fan and the field replaceable units
(power supplies, and solid-state and hard-disk drives).
citrix.com 444
Ports
Note: Some CloudBridge appliances do not require SFP transceivers.
Ports are used to connect the appliance to external devices. Citrix CloudBridge 4000/5000 appliances support RS232
serial ports, 10/100/1000Base-T copper Ethernet ports, fiber 1G SFP ports and 10-gigabit fiber SFP+ ports. All Citrix
CloudBridge 4000/5000 appliances have a combination of some or all of these ports. For details on the type and
number of ports available on your appliance, see the section describing that platform.
10/100/1000BASE-T port
The 10/100/1000BASE-T port has a maximum transmission speed of 1 gigabit per second, ten times faster than the
other type of copper Ethernet port.
To connect any of these ports to your network, you plug one end of a standard Ethernet cable into the port and plug the
other end into the appropriate network connector.
Management Ports
Management ports are standard copper Ethernet ports (RJ45), which are used for direct access to the appliance for
system administration functions.
The 10G SFP+ ports are high-speed ports that can operate at speeds of up to 10 Gbps. You need a fiber optic cable to
connect to a 10G SFP+ port.
citrix.com 445
Field Replaceable Units
Citrix CloudBridge 4000/5000 field replaceable units (FRU) are components that can be quickly and easily removed
from the appliance and replaced by the user or a technician at the user's site. The FRUs in a Citrix CloudBridge
4000/5000 appliance can include DC or AC power supplies, and solid-state and hard-disk drives.
Note: By default the appliance ships with AC power supplies. DC power supply is orderable.
citrix.com 446
Power Supply
Citrix CloudBridge 4000/5000 appliances are configured with dual power supplies but can operate with only one power
supply. The second power supply serves as a backup.
For power-supply specifications, see "Hardware Platforms," which describes the various platforms and includes a table
summarizing the hardware specifications.
Table 1. LED Power Supply Indicators
Power Supply Type LED Color LED Indicates
AC OFF No power to any power supply.
Flashing RED No power to this power supply.
Flashing GREEN Power supply is in standby mode.
GREEN Power supply is functional.
RED Power supply failure.
DC OFF No power to any power supply.
Flashing RED No power to this power supply.
Flashing BLUE Power supply is in standby mode.
BLUE Power supply is functional.
RED Power supply failure.
1. Align the semicircular handle perpendicular to the power supply. Loosen the thumbscrew and press the lever toward
the handle and pull out the existing power supply, as shown in the following figure.
Figure 1. Removing the Existing AC Power Supply
citrix.com 447
5. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the
power supplies and connect them to separate wall sockets.
Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power
cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back
panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.
1. Loosen the thumbscrew and press the lever towards the handle and pull out the existing power supply, as shown in
the following figure.
Figure 3. Removing the Existing DC Power Supply
5. When the power supply is completely inserted into its slot, release the lever.
6. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the
power supplies and connect them to separate wall sockets.
Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power
cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back
panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.
citrix.com 448
Solid-State Drive
A solid-state drive (SSD) is a high-performance device that stores data in solid-state flash memory.
3. Verify that the replacement SSD is the correct type for the platform.
4. Pick up the new SSD, open the drive handle fully to the left or up, and insert the drive into the slot as far as possible.
To seat the drive, close the handle flush with the rear of the appliance so that the drive locks securely into the slot.
Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted
horizontally or at the right if the drive is inserted vertically.
Figure 2. Inserting the Replacement Solid-State Drive
citrix.com 449
Hard Disk Drive
The NetScaler and CloudBridge virtual machines are hosted on the hard-disk drive.
4. Pick up the new disk drive, open the drive handle fully to the left, and insert the new drive into the slot as far as
possible. To seat the drive, close the handle flush with the rear of the appliance so that the hard drive locks securely
into the slot.
Important: When you insert the drive, make sure that the Citrix product label is at the top.
Figure 2. Inserting the Replacement Hard Disk Drive
citrix.com 450
Hardware Platforms
The CloudBridge 4000/5000 hardware platforms offer a wide range of features, communication ports, and processing
capacities. All platforms have multicore processors.
Citrix CloudBridge 4000/5000 appliances are the highest-performing products in Citrix CloudBridge Product line. The
appliances achieve this performance by combining a NetScaler VPX load balancer with three to eight accelerators, all in
a single high-performance server that meets the needs of busy datacenters.
citrix.com 451
Citrix CloudBridge 4000
Citrix CloudBridge 4000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24
cores with hyper-threading), and 48 gigabytes (GB) of memory. The Citrix CloudBridge 4000 have a bandwidth of
310Mbps, 500Mbps, and 1Gbps, respectively.
The following figures shows the front panel of the Citrix CloudBridge 4000 appliance.
Figure 1. Citrix CloudBridge 4000, front panel (without FTW cards)
10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor
and manage the appliance independently of the appliance's software.
Note: The LEDs on the LOM port are not operational by design.
RS232 serial console port.
Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect
directly to the appliance for system administration functions.
Network Ports
CloudBridge 4000 (without FTW cards). Eight 1G SFP ports and four 10G SFP+ ports.
CloudBridge 4000 (with FTW cards). Eight 1G copper Ethernet ports and four 10G ports.
The following figure shows the back panel of the Citrix CloudBridge 4000 appliance.
Figure 3. Citrix CloudBridge 4000, back panel
The following components are visible on the back panel of the Citrix CloudBridge 4000 appliance:
Four 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB
solid-state drive below the hard disk drive stores the appliance's software.
USB port (reserved for a future release).
A 1 TB removable hard disk drive.
Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press
the switch for five seconds to turn off the power.
Disable alarm button. This button is functional only when the appliance has two power supplies.
Press this button to stop the power alarm from sounding when you have plugged the appliance into
only one power outlet or when one power supply is malfunctioning and you want to continue operating
the appliance until it is repaired.
Dual power supplies (either AC or DC), each rated at 850 watts, 100-240 volts.
citrix.com 452
Citrix CloudBridge 5000
Citrix CloudBridge 5000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24
cores with hyper-threading), and 96 gigabytes (GB) of memory. The Citrix CloudBridge 5000 have a bandwidth of 1.5
Gbps and 2Gbps respectively.
The following figure shows the front panel of the Citrix CloudBridge 5000 appliance.
Figure 1. Citrix CloudBridge 5000, front panel
10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor
and manage the appliance independently of the appliance's software.
Note: The LEDs on the LOM port are not operational by design.
RS232 serial console port.
Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect
directly to the appliance for system administration functions.
Eight 10G ports.
The following figure shows the back panel of the Citrix CloudBridge 5000 appliance.
Figure 2. Citrix CloudBridge 5000, back panel
The following components are visible on the back panel of the Citrix CloudBridge 5000 appliance:
Six 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB solid-
state drive next to the power supplies store the appliance's software.
USB port (reserved for a future release).
Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press
the switch for five seconds to turn off the power.
A 1 TB removable hard disk drive.
Disable alarm button. This button is functional only when the appliance has two power supplies.
Press this button to stop the power alarm from sounding when you have plugged the appliance into
only one power outlet or when one power supply is malfunctioning and you want to continue operating
the appliance until it is repaired.
Dual power supplies (either AC or DC), each rated at 650 watts, 100-240 volts.
citrix.com 453
Summary of Hardware Specifications
The following tables summarize the specifications of the Citrix CloudBridge 4000/5000 hardware platforms.
Table 1. Citrix CloudBridge 4000/5000 Appliances
Citrix CloudBridge 4000/5000
Platform Performance
Bandwidth 310 Mbps 500 Mbps 1.0 Gbps 1.5 Gbps 2.0 Gbps
Hardware Specifications
Dual Intel Dual Intel Dual Intel Dual Intel Dual Intel
Processor
E5645 E5645 E5645 X5680 X5680
SSD 2 TB 2 TB 2 TB 3 TB 3 TB
(dedicated
compression
history)
HDD 1 TB 1 TB 1 TB 1 TB 1 TB
RAM 48 GB 48 GB 48 GB 96 GB 96 GB
Note: Some non fail-to-wire CloudBridge 4000 appliances require SFP+ transceivers.
Power supplies 2 2 2 2 2
Physical Dimensions
Rack units 2 2 2 2 2
citrix.com 454
System width EIA 310-D, EIA 310-D, EIA 310-D, EIA 310-D, EIA 310-D,
IEC 60297, IEC 60297, IEC 60297, IEC 60297, IEC 60297,
DIN 41494 DIN 41494 DIN 41494 DIN 41494 DIN 41494
SC48D rack SC48D rack SC48D rack SC48D rack SC48D rack
width with width with width with width with width with
mounting mounting mounting mounting mounting
brackets brackets brackets brackets brackets
System weight 46 lbs (20.9 46 lbs (20.9 46 lbs (20.9 49 lbs (22.2 49 lbs (22.2
kg) kg) kg) kg) kg)
Shipping 37 x 24 37 x 24 37 x 24 37 x 24 37 x 24
dimensions by 11 by 11 by 11 by 11 by 11
and weight
59 lbs 59 lbs 59 lbs 61 lbs 61 lbs
94 x 61 x 28 94 x 61 x 28 94 x 61 x 28 94 x 61 x 28 94 x 61 x 28
cm cm cm cm cm
Input voltage 100-240 VAC 100-240 VAC 100-240 VAC 100-240 VAC 100-240 VAC
and frequency
ranges 47-63 Hz 47-63 Hz 47-63 Hz 47-63 Hz 47-63 Hz
Power 650 watts 650 watts 650 watts 850 watts 850 watts
consumption 2,200 BTU per 2,200 BTU per 2,200 BTU per 2,900 BTU per 2,900 BTU per
hour. hour. hour. hour. hour.
Allowed 5%-95%, non- 5%-95%, non- 5%-95%, non- 5%-95%, non- 5%-95%, non-
relative condensing condensing condensing condensing condensing
humidity
Safety UL, TUV-C UL, TUV-C UL, TUV-C UL, TUV-C UL, TUV-C
certifications
Electromagnetic FCC (Part 15 FCC (Part 15 FCC (Part 15 FCC (Part 15 FCC (Part 15
emissions Class A), DoC, Class A), DoC, Class A), DoC, Class A), DoC, Class A), DoC,
certifications
and CE, VCCI, CE, VCCI, CE, VCCI, CE, VCCI, CE, VCCI,
susceptibility CNS, AN/NES CNS, AN/NES CNS, AN/NES CNS, AN/NES CNS, AN/NES
standards
citrix.com 455
Environmental RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE RoHS, WEEE
compliance
citrix.com 456
Preparing for Installation
Before you install your new appliance, carefully unpack your appliance and make sure that all parts were delivered.
Once you are satisfied that your appliance has been delivered to your expectations, verify that the location where the
appliance will be installed meets temperature and power requirements and that the server cabinet or floor-to-ceiling
cabinet is securely bolted to the floor and has sufficient airflow.
Only trained and qualified personnel should install, maintain, or replace the appliance, and efforts should be taken to
ensure that all cautions and warnings are followed.
citrix.com 457
Unpacking the Appliance
Unpack the box that contains your new appliance on a sturdy table with plenty of space and inspect the contents.
Use the following list to verify that you received everything that should have been included in the box.
In addition to the items included in the box with your new appliance, you will need the following items to complete the
installation and initial configuration process.
Ethernet cables for each additional Ethernet port that you will connect to your network
One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to
your network
A computer to serve as a management workstation
citrix.com 458
Preparing the Site and Rack
There are specific site and rack requirements for the CloudBridge 4000/5000 appliance. You must make sure that adequate
environmental control and power density are available. Racks must be bolted to the ground, have sufficient airflow, and have
adequate power and network connections. Preparing the site and rack are important steps in the installation process and help
ensure a smooth installation.
Site Requirements
The appliance should be installed in a server room or server cabinet with the following features:
Environment control
An air conditioner, preferably a dedicated computer room air conditioner (CRAC), capable of maintaining the cabinet
or server room at a temperature of no more than 27 degrees C/80.6 degrees F at altitudes of up to 2100 m/7000 ft, or
18 degrees C/64.4 degrees F at higher altitudes, a humidity level no greater than 45 percent, and a dust-free
environment.
Power density
Wiring capable of handling at least 4,000 watts per rack unit in addition to power needs for the CRAC.
Rack Requirements
The rack on which you install your appliance should meet the following criteria:
Rack characteristics
Racks should be either integrated into a purpose-designed server cabinet or be the floor-to-ceiling type, bolted down
at both top and bottom to ensure stability. If you have a cabinet, it should be installed perpendicular to a load-bearing
wall for stability and sufficient airflow. If you have a server room, your racks should be installed in rows spaced at least
1 meter/3 feet apart for sufficient airflow. Your rack must allow your IT personnel unfettered access to the front and
back of each server and to all power and network connections.
Power connections
At minimum, two standard power outlets per unit.
Network connections
At minimum, Ethernet connection per rack unit.
Space requirements
Two empty rack units for CloudBridge 4000/5000 appliances.
citrix.com 459
Cautions and Warnings
Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.
Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to
the appliance if an electrical accident occurs.
Remove all jewelry and other metal objects that might come into contact with power sources or wires before
installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal
objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed
terminal.
Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and
voltage spikes, and to keep the appliance operating in case of power failure.
Never stack the appliance on top of any other server or electronic equipment.
All appliances are designed to be installed on power systems that use TN earthing. Do not install your
device on a power system that uses either TT or IT earthing.
Make sure that the appliance has a direct physical connection to the earth during normal use. When
installing or repairing an appliance, always make sure that the ground circuit is connected first and
disconnected last.
Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is
used on all current-carrying conductors on the power system to which your appliances are connected.
Do not work alone when working with high voltage components.
Always disconnect the appliance from power before removing or installing any component. When
disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply
units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in
the power supply, even when the power switch is OFF.
Do not use mats designed to decrease static electrical discharge as protection from electrical shock.
Instead, use rubber mats that have been specifically designed as electrical insulators.
Make sure that the power source can handle the appliance's maximum power consumption rating with no
danger of an overload. Always unplug any appliance before performing repairs or upgrades.
Do not overload the wiring in your server cabinet or on your server room rack.
During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades
until the danger of lightning has passed.
When you dispose of an old appliance or any components, follow any local and national laws on disposal of
electronic waste.
To prevent possible explosions, replace expired batteries with the same model or a manufacturer-
recommended substitute and follow the manufacturers instructions for battery replacement.
Never remove a power supply cover or any sealed part that has the following label:
Appliance Precautions
Determine the placement of each component in the rack before you install the rails.
Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on
the rack evenly. An unbalanced rack is hazardous.
Allow the power supply units and hard drives to cool before touching them.
Install the equipment near an electrical outlet for easy access.
Mount equipment in a rack with sufficient airflow for safe operation.
citrix.com 460
For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment
might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest
operating temperatures of the equipment when making a decision about where to install the appliance in the
rack.
Rack Precautions
Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight
of the rack resting on them.
For a single-rack installation, attach a stabilizer to the rack.
For a multiple-rack installation, couple (attach) the racks together.
Always make sure that the rack is stable before extending a component from the rack.
Extend only one component at a time. Extending two or more simultaneously might cause the rack to
become unstable.
The handles on the left and right of the front panel of the appliance should be used only for extending the
appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail
hardware, described later, instead.
citrix.com 461
Installing the Hardware
After you have determined that the location where you will install your appliance meets the environmental standards and
the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the
appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for
initial configuration. To complete the installation, you turn on the appliance. Be sure to observe the cautions and
warnings listed with the installation instructions.
citrix.com 462
Rack Mounting the Appliance
Most appliances can be installed in standard server racks that conform to EIA-310-D specification. The appliances ship
with a set of rails, which you must install before you mount the appliance. The only tools that you need for installing an
appliance are a Phillips screwdriver and a flathead screwdriver.
Caution: If you are installing the appliance as the only unit in the rack, mount it at the bottom. If the rack contains other units,
make sure that the heaviest unit is at the bottom. If the rack has stabilizing devices available, install them before mounting the
appliance.
To mount the appliance, you must first install the rails and then install the appliance in the rack.
Perform the following tasks to mount the appliance:
4. Repeat steps 1 through 3 to install the left inner rail on the other side of the appliance.
citrix.com 463
3. Install the adjustable rail assembly into the rack as shown in the following figures. Use a screw to lock the rear rail
flange into the rack. With the screw securing the rail in place, you can optionally remove the latching spring.
Figure 4. Installing the Rail Assembly to the Rack
citrix.com 464
Installing and Removing 1G SFP Transceivers
Note: Some CloudBridge 4000/5000 appliances do not require SFP transceivers.
A Small Form-Factor Pluggable (SFP) is a compact transceiver that can operate at speeds of up to 1 gigabit per second
and is available in both copper and fiber types. Inserting a 1G SFP copper transceiver converts the 1G SFP port to a
1000BASE-T port. Inserting a 1G SFP fiber transceiver converts the 1G SFP port to a 1000BASE-X port. Auto-
negotiation is enabled by default on the 1G SFP port into which you insert your 1G SFP transceiver. As soon as a link
between the port and the network is established, the speed and mode are matched on both ends of the cable.
Caution: CloudBridge 4000/5000 appliances do not support 1G SFP transceivers from vendors other than Citrix Systems.
Attempting to install third-party 1G SFP transceivers on your CloudBridge 4000/5000 appliance voids the warranty.
Insert 1G SFP transceivers into the 1G SFP ports on the front panel of the appliance. Frequent installation and removal
of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the 1G SFP
transceiver or the appliance.
Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the
optical interface of the transceiver.
3. Hold the 1G SFP transceiver between your thumb and index finger and insert it into the 1G SFP transceiver port,
pressing it in until you hear the transceiver snap into place.
4. Lock the transceiver.
5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.
6. If you are using a fiber 1G SFP transceiver, do not remove the dust caps attached to the transceiver and the cable
until you are ready to insert the cable.
citrix.com 465
Installing and Removing 10G SFP+ Transceivers
Note: Some CloudBridge 4000/5000 appliances do not require SFP+ transceivers.
A 10-Gigabit Small Form-Factor Pluggable (SFP+) is a compact optical transceiver that can operate at speeds of up to
10 gigabits per second. Autonegotiation is enabled by default on the 10G SFP+ ports into which you insert your 10G
SFP+ transceiver. As soon as a link between the port and the network is established, the mode is matched on both
ends of the cable and for 10G SFP+ transceivers, the speed is also autonegotiated.
Caution: CloudBridge 4000/5000 appliances do not support 10G SFP+ transceivers provided by vendors other than Citrix
Systems. Attempting to install third-party 10G SFP+ transceivers on your CloudBridge 4000/5000 appliance voids the
warranty.
Insert the 10G SFP+ transceivers into the 10G SFP+ ports on the front panel of the appliance. Frequent installation and
removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the
transceiver or the appliance.
Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the
optical interface of the transceiver.
citrix.com 466
Install Fiber Patch Cable in Ports 10/3 and 10/4
Through release 7.2.1, on an appliance, CloudBridge ports 10/3 and 10/4 must be connected with the provided cable,
as shown in the following figure.
Starting with release 7.2.2, the patch cable is no longer required, and can be omitted if:
The appliance was shipped from the factory with release 7.2.2 or later, or
The appliance was shipped from the factory with release 7.2.1 or earlier, but you upgrade it to 7.2.2 or later
and change the default loopback in the management service (on System > Configuration > System >
Configure Loopback Settings).
Note: If you decide to eliminate the need to use loopback cable, the ports 10/3 and 10/4 are still reserved. These ports are not
available for WAN optimization.
Figure 1. Installing the Patch Cable
citrix.com 467
To install the patch cable
1. Connect the LC-to-LC cable to the ports as shown in the figures above.
2. Insert one end of the cable into port 10/3.
3. Insert the other end of the cable into port 10/4.
citrix.com 468
Connecting the Cables
When the appliance is securely mounted on the rack, you are ready to connect the cables. Ethernet cables and the
optional console cable are connected first. Connect the power cable last.
Danger: Before installing or repairing the appliance, remove all jewelry and other metal objects that might come in contact
with power sources or wires. When you touch both a live power source or wire and ground, any metal objects can heat up
rapidly and cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.
2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.
3. Verify that the LED glows amber when the connection is established.
Note: To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach
the cable to it.
2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal.
citrix.com 469
2. Connect the other end of the power cable to a standard 110V/220V power outlet.
3. Repeat steps 1 and 2 to connect the second power supply.
Note: The appliance emits a high-pitched alert if one power supply fails or if you connect only one power cable to the
appliance. To silence the alarm, you can press the small red button located on the back panel of the appliance.
citrix.com 470
Switching on the Appliance
After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected. If
you have installed a second power supply, make sure the second cable is connected to an outlet for a different circuit than
the first. After verifying the connections, you are ready to switch on the appliance.
Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can
quickly remove power from the appliance.
citrix.com 471
Lights Out Management Port of the CloudBridge 4000/5000 Appliance
The CloudBridge 4000/5000 appliances have an Intelligent Platform Management Interface (IPMI), also known as the
Lights out Management (LOM), port on the front panel of the appliance. By using the LOM, you can remotely monitor
and manage the appliance, independently of the CloudBridge 4000/5000 software. You can remotely change the IP
address, perform different power operations, and obtain health monitoring information of the appliance by connecting to
the appliance through the LOM port.
By connecting the LOM port over a dedicated channel that is separate from the data channel, you can make sure that
connectivity to the appliance is maintained even if the data network is down.
1. In a web browser, type the IP address of the LOM port. For initial configuration, type the ports default address:
http://192.168.1.3
2. In the User Name box, type nsroot.
3. In the Password box, type nsroot.
1. In a web browser, log on to the LOM port by using the administrator credentials.
2. In the Menu bar, click Remote Control.
3. Under Options, click Power Control, and then select one of the following options:
Reset SystemRestart the appliance.
Power Off System ImmediateDisconnect power to the appliance without shutting down the
appliance.
Power On SystemTurn on the appliance.
Power Cycle SystemTurn off the appliance, and then turn it back on.
4. Click Perform Action.
citrix.com 473
Planning the Deployment
CloudBridge 4000/5000 deployments require adequate planning, especially for units deployed in large datacenters:
An appropriate appliance or group of appliances must be selected to support both the current and
anticipated load.
A deployment mode must be selected to match the requirements of your site.
Other aspects must also be considered.
citrix.com 474
Sizing Guidelines
For successful deployment of one or more CloudBridge 4000/5000 appliances in your datacenter, keep the following
principles in mind:
You must provide enough CloudBridge 4000/5000 peak-load capacity, in terms of WAN bandwidth and the
number of users. See the current specifications sheet for the capacities of different CloudBridge 4000/5000
models: http://www.citrix.com/content/dam/citrix/en_us/documents/products/cloudbridge-branch-repeater-
spec-sheet.pdf (In the spec sheet, the number of users is referred to as "HDX sessions"). Ensure adequate
peak-load capacity, both for now and for the time until you expect to upgrade. Acceleration is resource
intensive, and performance suffers if the appliance runs short of resources. Never overcommit any
CloudBridge appliance, especially in the datacenter. Provision your datacenter to easily accommodate peak
loads.
Provide enough capacity for expected expansion over the life of the deployment. CloudBridge 4000/5000
appliances using the same hardware platform can have their capacity upgraded with a new license as part
of the Citrix pay-as-you-grow program. CloudBridge 4000/5000 models 310, 500, and 1000 use one
hardware platform, and models 1500 and 2000 use another hardware platform. This means that, for
example, a CloudBridge 4000/5000 500 can be converted through a license upgrade to a CloudBridge
4000/5000 1000, but not to a CloudBridge 4000/5000 1500.
For more capacity than can be provided by a single appliance, multiple CloudBridge 4000/5000 appliances
can be cascaded behind a stand-alone NetScaler appliance.
Different models have differing numbers of traffic ports. If you require multiple bridges, make sure your
model has at least as many as you need.
citrix.com 475
Selecting a Deployment Mode
The CloudBridge 4000/5000 appliance can be deployed inline or in a one-arm mode. Inline deployments do not require
router reconfiguration; one-arm modes do. CloudBridge 4000/5000 offers internal port bypassing (fail-to-wire) to allow
traffic to continue flowing in inline mode if the appliance fails.
Note: Only the one-arm WCCP mode (with a single router) is documented at this time. Inline mode is not yet documented.
Citrix recommends WCCP mode at this time.
Different CloudBridge 4000/5000 models offer different numbers of accelerated bridges. Models with multiple
accelerated bridges can accelerate multiple inline WAN links. See the specifications sheet for more details, http://www.
citrix.com/content/dam/citrix/en_us/documents/products-solutions/cloudbridge-data-sheet.pdf.
Inline, bridged (L2 inline). This closely resembles a standard CloudBridge inline deployment. Packets enter
one bridge port and exit the other bridge port.
One-arm, WCCP. This resembles a standard CloudBridge WCCP deployment.
Citrix also supports the following two modes (which are outside the scope of this document):
Inline, routed. The NetScaler instance uses routing rules instead of bridging rules to determine how to
forward packets.
Virtual inline. This resembles WCCP, but lacks built-in health-checking.
In L2 inline mode, CloudBridge 4000/5000 is placed between your LAN and your WAN router (or other aggregation
point at the LAN-WAN boundary). In a one-arm mode, CloudBridge 4000/5000 is generally connected directly to a
dedicated port on your WAN router.
In cases where the WAN router ports are not as fast as the LAN (for example, when the WAN router has gigabit
Ethernet, but the LAN has10 gigabit Ethernet), inline mode provides better performance, because its LAN-side traffic is
not limited to the speed of the router interface. (Compression allows the LAN-side traffic to be much faster than WAN-
bound traffic under favorable conditions.)
Considerations:
The inline modes require no reconfiguration of your routers, but involves a service disruption when
bringing the appliance into service.
One-arm modes require router reconfiguration but do not require a service disruption.
Inline mode has higher performance than the other modes.
One-arm modes are limited to half the speed of the router or switch port they are attached to.
With WCCP mode, configuring the router to send only a fraction of the WAN traffic to CloudBridge
4000/5000 (as little as the traffic from a single remote site or even a single remote IP address) makes
it easy to bring up and test the installation gradually. Inline mode requires that all WAN traffic pass
through the appliance.
WCCP mode requires more configuration of the CloudBridge 4000/5000 appliance than do other
modes, but is more standardized and provides more status information on the router.
Recommendation:
The greater control provided by WCCP, and especially the ability to put the deployment into service in
stages, makes WCCP the mode of choice for larger, more complex datacenters, especially if there
might be a possibility of overloading the CloudBridge 4000/5000 appliance.
Inline mode is convenient for smaller WAN networks and simpler datacenters. It is most commonly
used with the CloudBridge 4000/5000 310 and 500, and more rarely with the larger appliances.
Cascaded installations should use WCCP.
citrix.com 476
Selecting a Load Balancing Method
By default, the CloudBridge 4000/5000 Provisioning Wizard sets up load balancing to handle different kinds of
connections appropriately. This default behavior is adequate for most installations.
Sending all the connections from the same remote accelerator to the same local accelerator maximizes the benefits of
CloudBridge compression, and the default load balancing method accomplishes this. If an instance becomes
overloaded or unavailable, new connections are reallocated.
Accelerated connections
For incoming accelerated connections (that is, connections with CloudBridge options in the header of the SYN packet),
all connections from a given remote CloudBridge are sent to the same local accelerator.
The identity of the remote CloudBridge is determined by one of the CloudBridge SYN options: the "AgentID" field, which
contains the management IP address of the remote CloudBridge.
This method is used for connections from remote CloudBridge appliances and remote CloudBridge Plug-ins.
Other connections
Incoming non-accelerated connections and all outgoing connections are also distributed among the accelerators
according to the least-connection method, but since they do not contain an AgentID field, they cannot use AgentID
persistence. Instead, they use SRCIPDESTIP persistence, meaning that connections with the same IP addresses use
the same accelerator.
This behavior is controlled by the skipPersistency parameter. The default behavior is -skippersistency ReLB. The
alternative behavior, -skippersistency bypass, instructs the NetScaler instance to pass the connection through without
sending it to an accelerator.
Optional load balancing behavior includes the use of static routing (for hand-crafted load balancing) and variations on
the least-connection with AgentID and SRCIPDESTIP persistence methods used in the default configuration. The
behavior for dealing with overloaded instances can be changed from assigning connections to a difference instance to
passing them through as unaccelerated.
citrix.com 477
Gathering Information Needed for Configuration
Accurate information about both the local and the remote sites is essential to troubleshooting. Before installing the
CloudBridge 4000/5000 appliance, make sure that you have done the following:
1. Obtained or drawn an accurate network diagram of your local site (the one in which you are installing CloudBridge
4000/5000). The local network topology and the capabilities of your WAN routers determine which deployment modes
are appropriate for the site.
2. Chosen the deployment mode of the local CloudBridge 4000/5000 appliance (for example, WCCP or inline, with or
without HA and cascading).
3. Compiled a list of critical applications that must be tested to validate the deployment.
4. Obtained or drawn an accurate network diagram of your WAN, including both the local and the remote WAN links,
their bandwidths in both directions, their subnets, and whether they are accelerated. In deployments with many remote
sites, an aggregate of the different categories (accelerated and non-accelerated) is probably sufficient, and only the
largest remote sites need to be considered individually.
5. Determined whether there are multiple datacenters with datacenter-to-datacenter traffic, and whether any remote
datacenters have a CloudBridge 4000/5000 appliance.
6. Decided whether you plan to increase WAN capacity, the number of sites, or the number of users in the next 24
months. If so, the corresponding CloudBridge 4000/5000 capacity should be installed now.
7. If possible, formed an idea of the traffic breakdown over the WAN, including TCP traffic to and from CloudBridge-
accelerated sites, other TCP traffic, ICA users, HDX sessions, and real-time traffic such as VoIP. CloudBridge
4000/5000 needs to be provisioned for the peak loads in terms of accelerated TCP connections, ICA users, and total
WAN link capacity.
8. Determined the number of WAN links in the local site. Are they independent, or are they load balanced? If so, are they
active-active or active-standby?
9. Determined the current, unaccelerated RTT of the remote sites during peak periods.
10. Identified any QoS devices or proxies in the path between the local and remote sites. QoS devices should be on the
WAN side of CloudBridge 4000/5000. Proxies should be on the LAN side.
citrix.com 478
Initial Configuration
After checking the connections, you are ready to deploy the CloudBridge 4000 and 5000 appliances on the network.
The appliance shipped from Citrix has default IP addresses configured on it. To deploy the appliance on the network,
you must configure the appropriate IP addresses on the appliance to accelerate the network traffic.
Initial configuration consists of the following tasks:
citrix.com 479
Prerequisites
To deploy a Citrix CloudBridge 4000 or 5000 appliance, you must complete the following prerequisite setup before
configuring the appliance.
Software Versions
This document covers release of the CloudBridge software. See the release notes for the recommended versions of the
NetScaler software corresponding to the desired release of the CloudBridge software. Never use any versions other
than those recommended for CloudBridge 4000 and 5000 appliances.
License File
The number of accelerator appliances depend on the hardware platform and the type of license you apply to the appliance.
The following list displays the number of accelerators that gets provisioned automatically by the Configuration Wizard:
Before you start provisioning the appliance, Citrix recommends that you have the license file with you, as it is required
early in the configuration process To download a license file, complete the procedure described in the My Account All
Licensing Tools - User Guide.
citrix.com 480
Deployment Worksheet
Note: Use this worksheet only when provisioning a factory-reset appliance with the release 7.1 configuration wizard. If you
are simply upgrading a previously configured system to release 7.1, your appliance will retain its previous configuration,
which will be different.
The appliance uses at least two ports: the management port (typically 0/1) and the traffic port (such as 10/1). Inline
mode uses traffic ports in pairs, such as ports 10/1 and 10/2. Ports must be selected in advance, because the
configuration depends on their identity.
The appliance uses three subnets directly: the management subnet, the external traffic subnet, and the internal traffic
subnet. Multiple IP addresses are used on each subnet. Each subnet must be specified along with the correct subnet
mask.
The following figure is a worksheet for these parameters. It supports inline and WCCP modes, with and without HA. The
table below the figure describes what each entry means.
Figure 1. Deployment worksheet
citrix.com 481
address
External Traffic Subnet
T1. Router IP address 172.17.17.1 IP address of router on external traffic subnet.
T2. Subnet Mask 255.255.255.0 Subnet mask of external traffic subnet.
T3. NetScaler IP 172.17.17.2 NetScaler IP address on external traffic subnet.
address
T4. External Signaling 172.17.17.10 Traffic to this IP address is load-balanced
IP address between the signaling IP addresses of the
accelerators.
T5. External WCCP IP 172.17.17.11 Maps through NAT to WCCP VIP on accelerator
address #1 #1.
T6. External WCCP IP 172.17.17.12 Maps through NAT to WCCP VIP on accelerator
address #2 #2.
T7. Local LAN Subnets 10.200.0.0/16 The local LAN subnet to be accelerated. This is
the only subnet that will receive acceleration.
T8. GRE Router HostID NA WCCP-GRE only. Host ID of GRE router.
T9. Traffic Port 10/1 Port used for accelerated traffic.
T10+. (Inline) Additional Other traffic port in pair.
Traffic Port
T11, T12 (WCCP) Service 71, 72 Service groups used by accelerator #1 for
Groups: TCP, UDP WCCP. First is for TCP traffic, second is for
UDP.
T13, T14 (Not used)
T15, T16 (Inline) Ports used 10/5, 10/6 If multiple links are used with inline mode, these
by link #2 ports are used for link #2.
T17, T18 (Inline) Ports used 10/7, 10/8 If multiple links are used with inline mode, these
by link #3 ports are used for link #3.
VLAN1.1, VLAN1.2, External VLANs for 412 When VLAN trunking is used, these are tagged
VLAN1.3, VLAN1.4 Bridge #1 VLANs crossing bridge #1.
VLAN2.1, VLAN2.2, When VLAN trunking is used, these are tagged
VLAN2.3, VLAN2.4 VLANs crossing bridge #2.
VLAN3.1, VLAN3.2, External VLANs for When VLAN trunking is used, these are tagged
VLAN3.3, VLAN3.4 Bridge #1 VLANs crossing bridge #3.
citrix.com 482
Configuring the Appliance
Before you start configuring the appliance, you must change the IP address of the management service to the one in
your management network, so that you can access the appliance over the network. You can change the management
IP address by connecting a computer to the appliance through either the Ethernet port or the serial console.
citrix.com 483
Assigning a Management IP Address through the Ethernet Port
Use the following procedure for initial configuration of every CloudBridge 1000 or 2000 appliance with Windows Server. The
procedure accomplishes the following tasks:
With inline deployments, this configuration might be all you need, because most acceleration features are enabled by
default and require no additional configuration.
If you want to configure the appliance by connecting it to the computer through the serial console, assign the
management service IP address from your Worksheet by completing the Assigning a Management IP Address through
the Serial Console procedure, and then run steps 4 through 15 of the following procedure.
Note: You must have physical access to the appliance.
To configure the appliance by connecting a computer to the CloudBridge appliances Ethernet port 0/1
1. Set the Ethernet port address of a computer (or other browser-equipped device with an Ethernet port), to
192.168.100.50, with a network mask of 255.255.0.0. On a Windows device, this is done by changing the
Internet Protocol Version 4 properties of the LAN connection, as shown below. You can leave the gateway and
DNS server fields blank.
2. Using an Ethernet cable, connect this computer to the port labeled PRI on the CloudBridge appliance.
3. Switch on the appliance. Using the web browser on the computer, access the appliance by using the default
management service IP address, which is http://192.168.100.1.
4. On the login page, use the following default credentials to log on to the appliance:
Username: nsroot
Password: nsroot.
5. Start the configuration wizard by clicking Get Started.
6. On the Platform Configuration page, enter respective values from your worksheet, as shown in the following
example:
citrix.com 484
7. Click Done. A screen showing the Installation in Progress message appears. This process takes
approximately 2 to 5 minutes, depending on your network speed.
8. A Redirecting to new management IP message appears.
9. Click OK.
10. Unplug your computer from the Ethernet port and connect the port to your management network.
11. Reset the IP address of your computer to its previous setting.
12. From a computer on the management network, log on to the appliance by entering the new management
service IP address, such as https://<Managemnt_IP_Address>, in a web browser.
13. To continue the configuration, accept the certificate and continue. The option to continue varies according to
the web browser you are using.
14. Log on to the appliance by using the nsroot user name and the password from your worksheet.
15. To complete the configuration process, see Provisioning the Appliance.
citrix.com 485
Assigning a Management IP Address through the Serial Port
If you do not want to change the settings of your computer, you can configure the appliance by connecting it to your
computer with a serial null modem cable. You must have physical access to the appliance.
To configure the appliance through the serial console
Username: nsroot
Password: nsroot.
5. At the $ prompt, run the following command to switch to the shell prompt of the appliance:
$ ssh 169.254.0.10
6. Enter Yes to continue connecting to the management service.
7. Log on to the shell prompt of the appliance with the following default credentials:
Password: nsroot.
8. At the logon prompt, run the following command to open the Management Service Initial Network Address
Configuration menu:
# networkconfig
9. Type 1 and press Enter to select option 1, and specify a new management IP address for the management service.
10. Type 2 and press Enter to select option 2, and specify a new management IP address for the XenServer.
11. Type 3 and press Enter to select option 3, and specify the network mask for the IP addresses.
12. Type 4 and press Enter to select option 4, and specify the default gateway for the management service IP address.
13. Type 8 and press Enter to save the settings and exit.
14. Access the CloudBridge appliance by entering the new management service IP address of the appliance, such as
https://<Management_Service_IP_Address>, in a web browser of a computer on the management network.
15. To continue the configuration, accept the certificate and continue. The option to continue varies according to the web
browser you are using.
16. To complete the configuration process, see Provisioning the Appliance.
citrix.com 486
Provisioning the Appliance
After assigning an IP address to the management service, you are ready to provision the NetScaler and accelerator
instances. As soon as you log on to the appliance, the configuration wizard appears.
When using the configuration wizard, keep the following points in mind:
The following procedure assumes that you have already filled out the configuration worksheet.
If you change the IP addresses of the Management Network, or change the default gateway to an address
not on the Management Network, you lose connectivity to the appliance unless you are on the same
Ethernet segment as the management port.
When using the configuration wizard, check your entries carefully. The wizard has no Back button. If you
need to modify the previous screen, use the Back button on your browser. This takes you to the logon page,
then to the previous screen.
The configuration wizard is displayed only when you log on to the appliance for the first time to configure the
appliance. After you finish configuring the appliance, this wizard becomes inaccessible, and will reappear
only after a factory reset. Check your entries carefully.
citrix.com 487
Time ZoneSelect your time zone from the pull-down menu.
Change PasswordSelect this check box and type in a new nsroot password, two times, to change
the password. This same password is used on the management service and the NetScaler instance
for account nsroot, and on the accelerator for the admin account. If the password is not changed, it
remains set to nsroot (the default).
Figure 1. Sample Values for the Fields in Management Access Settings Page of the Configuration
You can also get a license file from the Citrix.com website by clicking the here link and using your My Citrix
credentials.
9. Select the license in the Name field and click Continue. The CloudBridge Setup page appears. Fill in the fields as
follows:
a. Network SettingsThis section informs the accelerators of the management network.
CloudBridge Accelerator IP AddressEnter the value of M6 from your worksheet. This is
the IP address of the accelerator
NetScaler IP AddressEnter the value of M7 from your worksheet. This is the IP address of
the NetScaler GUI.
Use System Netmask and GatewaySelect this option if you want to use the network mask
and gateway IP addresses you had specified in the Platform Configuration page.
NetmaskEnter the value of M3 from your worksheet. This is the subnet mask (netmask) of
the management network (note that you have entered this already, on a previous page).
GatewayEnter the value of M2 from your worksheet again.
citrix.com 488
Signaling IP AddressEnter the value of T4 from your worksheet. This is the external
signaling IP address of the accelerator, used by CloudBridge Plug-ins to connect to the
appliance.
Signaling NetmaskEnter the value of T2 from your worksheet. This is the subnet mask
(netmask) of the external traffic network.
b. XVA FilesThis section allows you to specify previously uploaded XVA files (Xen virtual machines) for the
NetScaler and accelerator instances. Select the XVA images that you uploaded as part of step 2.
Figure 3. CloudBridge Setup Page
10. Click Continue. The wizard starts provisioning the required instances, as shown in the following figure.
Figure 4. Provisioning Progress Indicator
11. After the instances are provisioned, add one of your local LAN subnets to the Link Configuration section from list T7 in
your worksheet, as shown in the following figure. This subnet will be added as a local LAN subnet in the accelerator. If
you have more than one LAN subnet, you can add them to the LAN link definition in the Accelerator GUI after the
configuration wizard completes. Click Add to add the subnet.
Figure 5. Link Configuration Is at the Bottom of This Page
12. Log off, and then log back on. If you see a "Version Incompatibility Detected" message, install the upgrade bundle you
downloaded in Step 2, using the procedure in Managing the Appliance by using the Management Service.
Basic configuration is complete. Next, perform deployment-mode-specific configuration (such as for WCCP mode).
Note: After the wizard completes, the appliance is configured for the basic setup. To configure the appliance for a specific
deployment scenario, see Deployment Modes.
citrix.com 489
Deployment Modes
CloudBridge 4000/5000 appliances have two recommended deployment modes: WCCP and inline. These modes are
commonly used without high availability (HA), and less commonly with HA.
At this time, Citrix recommends WCCP mode, with a single router and without HA, for most deployments. Use inline
mode when WCCP is not available.
Although not all of the following modes are recommended at this time, they are all supported:
Note: While modes other than WCCP and inline are supported, they are incompletely documented and are not recommended
for typical installations. Please contact your Citrix representative when considering one of these modes.
citrix.com 490
Virtual Inline Mode
In virtual inline mode, the router uses policy based routing (PBR) rules to redirect incoming and outgoing WAN traffic to
the appliance for acceleration, and the appliance forwards the processed packets back to the router.
Virtual inline mode provides a solution for asymmetric routing issues faced in a deployment with two or more WAN links.
Note: Citrix recommends that you do not deploy CloudBridge appliances in virtual inline mode with routers that do not support
health monitoring.
The tasks for configuring virtual inline mode are performed on the router. On the CloudBridge appliance, just verify that
the software version supports virtual inline mode and provision the instances with the necessary IP addresses. Do not
change the default forwarding method.
citrix.com 491
Validated Designs
The physical mode for virtual inline deployment of a CloudBridge appliance is one-arm mode. In a one-arm topology
with multiple subnets, the branches, local Repeater instances, and servers can exist on different subnets. For example,
you can deploy the appliance in one-arm mode for managing the Repeater instances, with the NetScaler and local
Repeater instances connected by the internal private subnet. A NetScaler-owned subnet IP address (SNIP) is used to
communicate with an accelerator instance. You must enable MAC Based Forwarding (MBF) Use Subnet IP address
(USNIP), and Return To Ethernet Sender options on the NetScaler instance.
This section contains Citrix validated deployment topologies for virtual inline mode.
citrix.com 492
Single Router and single link
A CloudBridge appliance deployed in virtual inline mode with one router and one link.
If you are deploying a CloudBridge appliance in virtual inline mode with one router and one link, complete the following
procedures:
citrix.com 493
Two routers and a single link
A CloudBridge appliance deployed in virtual inline mode with two routers and one link.
If you are deploying a CloudBridge appliance in virtual inline mode with two routers and a single link, complete the following
procedures:
citrix.com 494
Two routers and two links
A CloudBridge appliance deployed in virtual inline mode with two routers and two links.
If you are deploying a CloudBridge appliance in virtual inline mode with two routers and a single link, complete the following
procedures:
citrix.com 495
Two routers in High Availability setup
A CloudBridge appliance deployed in virtual inline mode with two routers in high availability setup and one link.
If you are deploying a CloudBridge appliance in virtual inline mode with two routers and a single link, complete the following
procedures:
citrix.com 496
Deployment Worksheet
The appliance uses at least two ports: the management port (typically 0/1) and the traffic port (such as 10/1) . You must
select ports in advance, because the configuration depends on the identity of the ports.
The appliance uses three subnets directly: the management subnet, the external traffic subnet, and the internal traffic
subnet. Multiple IP addresses are used on each subnet. Each subnet must be specified along with the correct subnet
mask.
The following figure is a worksheet for these parameters. It supports inline and virtual inline modes, with and without HA.
The table below the figure describes what each entry means.
Management Subnet
M2. Gateway IP address 10.199.79.254 Default gateway serving the management subnet.
M3. Subnet Mask 255.255.255.128 Subnet mask for the management subnet.
M4. Xen Hypervisor IP 10.199.79.225 IP address of Xen Hypervisor.
address
M5. Service VM IP address 10.199.79.226 IP address of Management Service VM, which controls
configuration.
M6. Accelerator UI 10.199.79.227 Accelerator GUI, also called the Broker UI, which manages the
instances as a unit.
M7. NetScaler 10.199.79.245 IP address of the NetScaler instance's GUI and CLI interfaces.
Management IP
address
External Traffic Subnet
T1. Router IP address 172.17.17.1 IP address of the first router on external traffic subnet.
T2. Router IP address 172.17.18.1 IP address of the second router on external traffic subnet.
T3. Subnet Mask 255.255.255.0 Subnet mask of external traffic subnet.
T4. Subnet IP address 172.17.17.2 Subnet IP address for NetScaler on external traffic subnet.
T5. Subnet IP address 172.17.18.2 Subnet IP address for NetScaler on external traffic subnet.
T6. External Signaling IP 172.17.17.10 Traffic to this IP address is load-balanced between the
address signaling IP addresses of the accelerators.
T7. Local LAN Subnets 10.200.0.0/16 The local LAN subnet to be accelerated. This is the only
subnet that will receive acceleration.
T8. Traffic Port 10/1 Port used for accelerated traffic.
T9. Traffic Port 10/6 Port used for accelerated traffic.
citrix.com 497
Note: Ports 10/3 and 10/4 are reserved for loopback cable. Do not configure these ports as traffic ports.
citrix.com 498
Configuring the NetScaler Instance
By default, the Getting Started wizard configures the appliance in inline mode. To deploy the CloudBridge appliance in
virtual inline mode, you must configure the NetScaler instance of the appliance to support this mode.
To configure the NetScaler instance for the virtual inline mode of the appliance:
Enable L3 Mode
Enable the Return to Ethernet Sender Mode
Add a Subnet IP Address
Bind the Subnet IP Address to VLAN of Data Interface
Configuring the Instance for Connection Migration
citrix.com 499
Enable Layer 3 Mode
In the inline mode, the default deployment mode of the appliance, the appliance uses layer 2 bridging. However, to deploy the
appliance in virtual inline mode, you must enable layer 3 mode and disable layer 2 mode on the appliance.
To enable layer 3 mode and disable layer 2 mode by using the configuration utility
1. Access the NetScaler instance by clicking the NetScaler instances IP address on the Configuration >
Instances > NetScaler page. You are logged on to the NetScaler instance automatically.
2. Navigate to the System > Settings page.
3. Click the Configure modes link.
4. In the Configure Modes dialog box, select Layer 3 Mode (IP Forwarding) option.
5. Clear the Layer 2 Mode option, as shown in following figure.
6. Click OK.
To enable layer 3 mode and disable layer 2 mode by using the command line interface, run the following commands
citrix.com 500
Enable the Return to Ethernet Sender Mode
This mode allows multiple routers to share an appliance. The appliance forwards virtual inline output packets back to where
they came from, as indicated by the Ethernet address of the incoming packet. If two routers share a single appliance, each
gets its own traffic back, but not the traffic from the other router. This mode also works with a single router.
To enable the Return to Ethernet Sender mode by using the configuration utility
3. In the Configure Layer 2 Parameter dialog box, select the Return to Ethernet Sender option, as shown in the
following figure.
4. Click OK.
To enable the Return to Ethernet Sender mode by using the command line interface, run the following command
> set L2Param -returnToEthernetSender ENABLED
citrix.com 501
Add a Subnet IP Address
You must add a Subnet IP (SNIP) address to the NetScaler instance. You assign this IP address to the NetScaler instance on
the external traffic subnet. The NetScaler instance uses this address to communicate with the router.
3. In the Create IP dialog box, specify a subnet IP address in the IP Address field if the address has not already
been created by the configuration wizard. (If it has already been created, it is listed on the IPs page). The
subnet IP address declares the external traffic network. In the IP Address field, type the NetScaler traffic IP
address (entry T4 in your worksheet).
4. In the Netmask field, specify the network mask (entry T3 in your worksheet).
5. From the IP Type group, make sure that the Subnet IP option is selected, as shown in the following figure.
To add a Subnet IP address to the instance by using the command line interface, run the following command
Note: Run the second command only if you are configuring the appliance for two links.
citrix.com 502
Bind the Subnet IP Address to VLAN of Data Interface
After adding a subnet IP address to the instance, you must bind the IP address to the VLAN of data interface you are using
on the instance. By default, the VLAN 1007 is bound to the 10/1 and 10/2 interfaces.
To bind the subnet IP address to VLAN of data interface from the configuration utility
4. In the Interface Bindings tab of the Configure VLAN dialog box, notice that the VLAN is bound to interfaces
10/1 (entry T9 of your worksheet) and 10/2.
5. In the IP Bindings tab, select the subnet IP address you have created, as shown in the following figure.
To bind the subnet IP addresses to VLANs of data interface by using the command line interface, run the following command
citrix.com 503
Note: Run the second command only if you are configuring the appliance for two links.
citrix.com 504
Configuring the Instance for Connection Migration
In your network setup, if you expect connection migration between the routers, then you must configure the layer 4
parameters and make changes to the VLAN configurations, appropriately.
3. In the Configure Layer 4 Parameter dialog box, select the Vlan from the L2 Connection Method list, as
shown in the following figure.
4. Click OK.
To bind the subnet IP address to VLAN of data interface by using the command line interface, run the following
command
> set L4Param l2connMethod vlan
citrix.com 505
5. In the IP Bindings tab, clear the entry for subnet IP address bound to the VLAN.
6. Click OK.
7. Open the VLAN, such as 1007, to which you want to bind the data interface.
8. In the interface Binding tab, select the data interface (entry T9 in your worksheet)
9. In the IP Bindings tab, select the subnet IP address (entry T5 in your worksheet) you just unbound from
the other VLAN.
10. Click OK.
To configure VLANs for connection migration by using the command line interface, run the following commands
citrix.com 506
Configuring a Router
To support virtual inline mode, a router must forward incoming as well as outgoing WAN traffic to the CloudBridge
appliance. After the appliance processes the traffic, the router must forward the incoming traffic from the appliance to
the LAN and the outgoing traffic from the appliance to the WAN. You have to configure policy based rules to avoid
routing loops. In addition, the router must monitor the health of the appliance so that the appliance can be bypassed if it
fails .
If the router supports the Reverse Path Forwarding feature, you must disable the feature on the interfaces with policies
to redirect traffic to a CloudBridge appliance, including the interface that is connected to the appliance. Otherwise, the
router intermittently drops traffic. By default, the Reverse Path Forwarding feature is enabled on the router.
Note: If the network has two routers, configure the following procedures for each router using appropriate IP addresses
identified in the worksheet.
Policy-based Rules
In the virtual inline mode, the packet forwarding methods can create routing loops if the routing rules do not distinguish
between a packet that has been forwarded by the appliance and one that has not. You can use any method that makes
that distinction.
A typical method involves dedicating one of the Ethernet ports of the router to the appliance and creating routing rules
based on the Ethernet port on which packets arrive. Packets that arrive on the interface dedicated to the appliance are
never forwarded back to the appliance, but packets arriving on any other interface can be.
Traffic shaping is not effective unless all WAN traffic passes through the appliance. Following is the basic routing algorithm:
Health Monitoring
If the appliance fails, data should not be routed to it. By default, Cisco policy based routing does not perform health
monitoring. To enable health monitoring, define a rule to monitor the availability of the appliance, and specify the "verify-
availability" option for the "set ip next-hop" command. With this configuration, if the appliance is not available, the route
is not applied, and the appliance is bypassed.
Note: Citrix recommends virtual inline mode only when used with health monitoring. Many routers that support policy based
routing do not support health checking. The health-monitoring feature is relatively new. It was first available in Cisco IOS
release 12.3(4)T.
Following is an example of a rule for monitoring the availability of the appliance by using Cisco Router model 7600 with
IOS Software version:
This rule pings the appliance at 17.17.17.2 periodically. You can test against 123 to see if the unit is up.
!
! For health-checking to work, do not forget to start
! the monitoring process.
!
! Original configuration is in normal type.
! appliance-specific configuration is in bold.
!
ip cef
!
interface FastEthernet0/0
ip address 10.200.51.0 255.255.255.0
citrix.com 507
ip policy route-map server_side_map
!
interface FastEthernet0/1
ip address 17.17.17.1 255.255.255.0!
interface FastEthernet1/0
ip address 192.168.1.5 255.255.255.0
ip policy route-map wan_side_map
!
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.1.1
!
ip access-list extended server_side
permit ip 10.100.51.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended wan_side
permit ip 10.20.20.0 0.0.0.255 10.100.51.0 0.0.0.255
!
route-map wan_side_map permit 20
match ip address wan_side
!- Now set the appliance as the next hop, if its up.
set ip next-hop verify-availability 17.17.17.10 20 track 123
!
route-map client_side_map permit 10
match ip address client_side
set ip next-hop verify-availability 17.17.17.10 10 track 123
This example applies an access list to a route map and attaches the route map to an interface. The access lists identify
all traffic originating at one accelerated site and terminating at the other (A source IP address of 10.100.51.0/24 and
destination IP address of 10.20.20.0/24 or vice versa). See your router's documentation for the details of access lists
and route-maps.
This configuration redirects all matching IP traffic to the appliances. If you want to redirect only TCP traffic, you can change
the access-list configuration as follows (only the remote side's configuration is shown here):
!
ip access-list extended server_side
permit tcp 10.200.51.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended wan_side
permit tcp 10.20.20.0 0.0.0.255 10.200.51.0 0.0.0.255
!
citrix.com 508
Verifying the Virtual Inline Mode
By default, the HTTP and CIFS acceleration is enabled on the appliance. After you have successfully configured the
appliance in the virtual inline deployment mode, the appliance starts accelerating these connections.
Note: To configure application-specific connections, you must configure service classes for the respective applications.
To configure a service class, see http://support.citrix.com/proddocs/topic/cloudbridge-72/cb-traffic-classification-con.
html.
To verify that you have successfully configure the appliance in the virtual inline mode
citrix.com 509
WCCP Mode
Web Cache Communication Protocol (WCCP) is a dynamic routing protocol introduced by Cisco. Originally intended
only for web caching, WCCP version 2 became a more general-purpose protocol, suitable for use by accelerators such
as Citrix CloudBridge appliances.
WCCP mode is the simplest way of installing a CloudBridge appliance when inline operation is impractical. It is also
useful where asymmetric routing occurs, that is, when packets from the same connection arrive over different WAN
links. In WCCP mode, the routers use the WCCP 2.0 protocol to divert traffic through the appliance. Once received by
the appliance, the traffic is treated by the acceleration engine and traffic shaper as if it were received in inline mode.
Note:
For the purposes of this discussion, WCCP version 1 is considered obsolete and only WCCP version 2 is
presented.
The standard WCCP documentation calls WCCP clients caches. To avoid confusion with actual
caches, Citrix generally avoids calling a WCCP client a cache. Instead, WCCP clients are typically
called appliances.
This discussion uses the term router to indicate WCCP-capable routers and WCCP-capable
switches. Though the term router is used here, some high-end switches also support WCCP, and
can be used with CloudBridge appliances.
WCCP is the original CloudBridge WCCP offering supported since release 3.x. It supports a single appliance
service group (no clustering).
WCCP clustering, introduced in release 7.2, allows your router to load-balance traffic between multiple
appliances.
A WCCP-mode appliance requires only a single Ethernet port. The appliance should either be deployed on a dedicated
router port (or WCCP-capable switch port) or isolated from other traffic through a VLAN. Do not mix inline and WCCP
modes.
The following figure shows how a router is configured to intercept traffic on selected interfaces and forward it to the
WCCP-enabled appliance. Whenever the WCCP-enabled appliance is not available, the traffic is not intercepted, and is
forwarded normally.
Figure 1. WCCP Traffic Flow
Traffic Encapsulation
WCCP allows traffic to be forwarded between the router and the appliance in either of the following modes:
L2 ModeRequires that the router and appliance be on the same L2 segment (typically an Ethernet
segment). The IP packet is unmodified, and only the L2 addressing is altered to forward the packet. In many
devices, L2 forwarding is performed at the hardware layer, giving it the maximum performance. Because of
its performance advantage, L2 forwarding is the preferred mode, but not all WCCP-capable devices support
it.
citrix.com 510
GRE ModeGeneric Routing Encapsulation (GRE) is a routed protocol and the appliance can in theory be
placed anywhere, but for performance it should be placed close to the router, on a fast, uncongested path
that traverses as few switches and routers as possible. GRE is the original WCCP mode. A GRE header is
created and the data packet is appended to it. The receiving device removes the GRE header. With
encapsulation, the appliance can be on a subnet that is not directly attached to the router. However, both the
encapsulation process and the subsequent routing add CPU overhead to the router, and the addition of the
28-byte GRE header can lead to packet fragmentation, which adds additional overhead.
WCCP mode supports multiple routers and both GRE vs. L2 forwarding. Each router can have multiple WAN links. Each
link can have its own WCCP service group.
Traffic shaping is not effective unless the appliance manages UDP traffic as well as TCP traffic. A second service group,
with a UDP service group for each WAN link, is recommended if traffic shaping is desired.
Multiple service groups can be used with WCCP on the same appliance. For example, the appliance can receive
service-group 51 traffic from one WAN link and service-group 62 traffic from another WAN link. The appliance also
supports multiple routers. It is indifferent to whether all the routers use the same service group or different routers use
different service groups.
Service Group Tracking. If a packet arrives on one service group, output packets for the same connection are sent on
the same service group. If packets arrive for the same connection on multiple service groups, output packets track the
most recently seen service group for that connection.
citrix.com 511
When WCCP is used with high-availability mode, the primary appliance sends its own apA or apB management IP
address, not the virtual address of the HA pair, when it contacts the router. If failover occurs, the new primary appliance
contacts the router automatically, reestablishing the WCCP channel. In most cases the WCCP timeout period and the
HA failover time overlap. As a result, the network outage is less than the sum of the two delays.
Standard WCCP allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the
router, it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It
periodically checks to determine whether the service group is still active with the other appliance, and the new appliance
handles the service group when the other appliance becomes inactive. WCCP clustering allows multiple appliances per
service group.
Deployment Topology
The following figure shows a simple WCCP deployment, suitable for either L2 or GRE. The traffic port (1/1) is connected
directly to a dedicated router port (Gig 4/12).
Figure 3. Simple WCCP deployment
In this example, the CloudBridge 4000/5000 is deployed in one-arm mode, with the traffic port (1/1) and the
management port (0/1) each connecting to its own dedicated router port.
On the router, WCCP is configured with identical ip wccp redirect in statements on the WAN and LAN ports.
Two service groups are used, 71 and 72. Service group 71 is used for TCP traffic and service group 72 is used for UDP
traffic. The CloudBridge appliance does not accelerate UDP traffic, but can apply traffic shaping policies to it.
Note: The WCCP specification does not allow protocols other than TCP and UDP to be forwarded, so protocols such as
ICMP and GRE always bypass the appliance.
WCCP Clustering
CloudBridge release 7.2 or later supports WCCP clustering, which enables your router to load-balance your traffic
between multiple appliances. For more information about deploying CloudBridge appliances as a cluster, see WCCP
Clustering.
WCCP Specification
For more information about WCCP, see Web Cache Communication Protocol V2, Revision 1, http://tools.ietf.
org/html/draft-mclaggan-wccp-v2rev1-00.
citrix.com 512
WCCP Mode (Non-Clustered)
WCCP mode allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the router,
it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It periodically
checks to determine whether the service group is still active with the other appliance, and the new appliance handles
the service group when the other appliance becomes inactive.
Note: WCCP clustering allows multiple appliances per service group.
On appliances with more than one accelerated pair, all the traffic for a given WCCP service group must
arrive on the same accelerated pair.
Do not mix inline and WCCP traffic on the same appliance. The appliance does not enforce this guideline,
but violating it can cause difficulties with acceleration. (WCCP and virtual inline modes can be mixed, but
only if the WCCP and virtual inline traffic are coming from different routers.)
For sites with a single WAN router, use WCCP whenever inline mode is not practical.
Only one appliance is supported per service group. If more than one appliance attempts to connect to the
same router with the same service group, the negotiation will succeed only for the first appliance.
For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one,
some, or all of your WAN routers. Other routers can use virtual inline mode.
citrix.com 513
Configuring WCCP
A WCCP deployment follows the same initial steps as an inline deployment, but has additional steps beyond the basic
inline procedure.
Prerequisites
Perform the following tasks if you have not done so already:
Configuration Summary
The following high-level procedure summarizes the WCCP installation process, which works for both GRE and L2
forwarding and for any number of routers and links.
To configure WCCP mode
Note: You must follow the hyperlinks and follow the detailed instructions for each step.
For normal operation, you must declare WCCP version 2 and the WCCP group ID for the router as a whole, and
then enable redirection on each WAN interface.
Either one or two WCCP service groups can be used, but two are recommended, so that both TCP and UDP can
be redirected, allowing more accurate traffic shaping. The WCCP standard requires that TCP and UDP traffic
use different service groups.
Example
citrix.com 514
Following is an example of configuring a Cisco IOS router:
^Z
Method B is preferred in circumstances when the routers do not support the wccp redirect out statement.
Example
Following is an example of configuring a Cisco IOS router:
^Z
Remember to save your router configuration when you are satisfied that it is correct.
citrix.com 515
Configuring Accelerators for WCCP Negotiation
One accelerator instance manages WCCP control traffic on behalf of all the instances. The WCCP control traffic is negligible.
The actual data traffic is divided among all the accelerators.
Note: The GUI calls WCCP mode single cache.
Summary: To configure the accelerators for WCCP mode, first enable WCCP mode. Then, configure service groups and
create a WAN link definition, on the CloudBridge appliance, for each WAN link on each WCCP router. (Each link has
two service groups, one for TCP and one for UDP.) If a service group is already defined for a given link, add the current
routers IP address to the definition. Test the service groups WCCP status before creating the WAN link
definition, and verify link traffic and acceleration status before configuring the next WAN link.
To configure the accelerators for WCCP mode
1. On the CloudBridge appliance, Navigate to Configuration > Appliance Settings > Advance Deployments > WCCP
page.
2. If the Enable button is displayed, click it to enable WCCP mode on the appliance. (If the Disable button is displayed,
WCCP mode is already enabled.)
Note: We will actually be configuring two caches.
3. In the Select Mode area, select Single Cache.
4. Starting with accelerator instance #1 (labeled WCCP Cache 1 on the page), configure the CloudBridge IP
Details by entering the external VIP you defined for accelerator instance 1 (T5 on your worksheet for instance #1, T6
for instance #2). Set the subnet mask for the external traffic network (T2 on your worksheet). Set the gateway IP for
the external traffic network (T1 on your worksheet). Click Save. The Configure Service Group controls appear.
5. In the Configure Service Group section, click Add. An Add Service Group popup appears.
6. In the Service Group Details area, specify a WCCP service group ID in the ID field. This ID must match one of the
service groups that you have defined on your router. Start with the lowest-numbered service group in your list (T11 for
the TCP service class, T12 for the UDP service class.).
7. In the WCCP Priority field, set the WCCP priority to 100 for instance #1, or to 80 for instance #2. (Other values work.
Use a priority for instance #1 that is greater than the priority for instance #2, and use a priority for instance #2 that is
greater than zero.)
8. From the Protocol list, select a protocol. You will perform this step for both TCP and UDP. Start with TCP.
9. In the Service Group Password field, enter a password if your router is configured to require one. Otherwise, leave the
field blank.
10. In the Router Communications Details area, in the Router IP Address field, enter the IP address of the router. This is
the routers address for its appliance-facing interface (T8 on your worksheet). If you use multiple routers to
communicate with the appliance, list them all here.
11. From the Router Assignment list, select a router assignment (Hash, Mask, or Auto). Auto is recommended. If Auto is
selected, Hash is negotiated if the router supports it. Otherwise Mask is used.
12. From the Router Forwarding list, select Level 2 or GRE. The same method must be used for both outbound and
inbound packets. L2 is recommended whenever possible, as GRE adds overhead to both the router and the
appliance. L2 requires that your router support Level 2, and that the routers IP and the VIP addresses be in the
same subnet. Otherwise, use GRE.
13. Click Create.
14. Repeat steps 6-13 with the next service group in sequence, but selecting UDP instead of TCP.
15. Repeat steps 4-14 for instance #2 (called WCCP Cache 2 in the GUI), except that the Cache IP is T6 from
your worksheet (instead of T5), and the WCCP priority value is 80 (instead of 100).
16. If desired, click Advanced Settings on the WCCP page and select a quicker timeout (Responsive or Tolerant, rather
than Default). This is a WCCP 2.1 feature and is not supported by all routers. If the appliance has trouble connecting
to the router, set this parameter back to Default.
Note: You must consider the following points when configuring a Citrix CloudBridge 4000/5000 appliance:
Traffic is load balanced across the accelerators on the basis of NetScaler load balancing policies.
The WCCP service group ID that you assign to the accelerator must match a service group defined on your
router, or the WCCP negotiation fails.
citrix.com 516
Verifying WCCP Mode
You can monitor the WCCP configuration from the CloudBridge GUI.
To monitor the WCCP configuration
3. Start traffic that should be forwarded through the CloudBridge appliance and monitor the connection on the Monitoring
> Optimization > Connections page.
If the connections are shown on the Accelerated Connections tab, that is an indicator that everything
is working.
If the connections are on the Unaccelerated Connections tab, look at the Details column. A routing
asymmetry detected message implies that one of the ip wccp redirect lines on the router is
missing or has an error, or that different paths are taken by client-server and server-client traffic.
If no connections are shown, but the appliance reports that it is connected to the router, and the
WCCP monitoring page shows no errors, the issue is probably with the router configuration.
citrix.com 517
WCCP Clustering
The WCCP clustering feature enables you to multiply your acceleration capacity by assigning more than one
CloudBridge appliance to the same links. You can cluster up to 32 identical appliances, for up to 32 times the capacity.
Because it uses the WCCP 2.0 standard, WCCP clustering works on most routers and some smart switches, most likely
including those you are already using.
Because it uses a decentralized protocol, WCCP clustering allows CloudBridge appliances to be added or removed at
will. If an appliance fails, its traffic is rerouted to the surviving appliances.
Unlike CloudBridge high-availability, an active/passive pair that uses two appliances to provide the performance of a
single appliance, the same appliances deployed as a WCCP cluster has twice the performance of a single appliance,
delivering both redundancy and improved performance.
In addition to adding more appliances as your sites needs increase, you can use Citrixs Pay as You
Grow feature to increase your appliances capabilities through license upgrades.
Citrix Command Center is recommended for managing WCCP clusters. The following figure shows a basic network of a
cluster of CloudBridge appliances in WCCP mode, administered by using Citrix Command Center.
Figure 1. CloudBridge Cluster Administered by Using Citrix Command Center
One appliance in the cluster is selected as the designated cache, and controls the load-balancing behavior of the
appliances in the cluster. The designated cache is the appliance with the lowest IP address. Because the appliances
have identical configurations, it doesnt matter which one is the designated cache. If the current designated cache
goes offline, a different appliance becomes the designated cache.
The designated cache determines how the load-balanced traffic is allocated and informs the router of these decisions.
The router shares information with all members of the cluster, so the cluster can operate even if the designated cache
goes offline.
Note: As normally configured, a CloudBridge 4000/5000 appliance appears as two WCCP caches to the router.
Load-Balancing Algorithm
Load balancing in WCCP is static, except when an appliance enters or leaves the cluster, which causes the cluster to
be rebalanced among its current members.
citrix.com 518
The WCCP standard supports load balancing based on a mask or a hash. For example, CloudBridge WCCP
clustering uses the mask method only, using a mask of 1-6 bits of the 32-bit IP address. These address bits can
be non-consecutive. All addresses yielding the same result when masked are sent to the same appliance. Load
balancing effectiveness depends on choosing an appropriate mask value: a poor mask choice can result in poor
load-balancing or even none, with all traffic sent to a single appliance.
citrix.com 519
Deployment Topology
Depending on your network topology, you can deploy WCCP cluster either with a single router or with multiple routers.
Whether connected to a single router or multiple routers, each appliance in the cluster must be connected identically to
all routers in use.
As shown on the CloudBridge Datasheet, a CloudBridge 3000-100 can support 100 Mbps and 400 users, so a pair of
these appliances supports 200 Mbps and 800 users, which satisfies the datacenters requirements of a 200 Mbps
link and 750 users.
For fault tolerance, however, the WCCP cluster should continue to operate without becoming overloaded if one
appliance fails. That can be accomplished by using three appliances when the calculations call for two. This is called the
N+1 rule.
Failure is an unusual event, so usually all three appliances are in operation. In this case, each appliance is supporting
only 67 Mbps and 250 users, leaving plenty of headroom, and making good use of the fact that the cluster has three
times the CPU power and three times the compression history of a single appliance.
Without WCCP clustering, the same level of capacity and fault-tolerance would require a pair of CloudBridge 4000-500
appliances in high availability mode. Only one of these appliances is active at a time.
citrix.com 520
Limitations
Configuring appliances in a WCCP cluster has the following limitations:
All appliances within a cluster must be the same model and use the same software release.
Parameter synchronization between appliances within the cluster is not automatic. Use Command Center to
manage the appliances as a group.
CloudBridge traffic shaping is not effective, because it relies on controlling the entire link as a unit, and none
of the appliances are in a position to do this. Router QoS can be used instead.
The WCCP-based load-balancing algorithms do not vary dynamically with load, so achieving a good load
balance can require some tuning.
The hash method of cache assignment is not supported. Mask assignment is the supported method.
While the WCCP standard allows mask lengths of 1-7 bits, the appliance supports masks of 1-6 bits.
Multicast service groups are not supported; only unicast service groups are supported.
All routers using the same service group pair must support the same forwarding method (GRE or L2).
The forwarding and return method negotiated with the router must match: both must be GRE or both must
be L2. Some routers do not support L2 in both directions, resulting in an error of "Router's forward or return
or assignment capability mismatch." In this case, the service group must be configured as GRE.
CloudBridge VPX does not support WCCP clustering.
The appliance supports (and negotiates) only unweighted (equal) cache assignments. Weighted
assignments are not supported.
Some older appliances, such as the CloudBridge 700, do not support WCCP clustering.
(CloudBridge 4000/5000 only) Two accelerator instances are required per interface in L2 mode. No more
than three interfaces are supported per appliance (and then only on appliances with six or more accelerator
instances.)
(CloudBridge 4000/5000 only) WCCP control packets from the router must match one of the router IP
addresses configured on the appliance for the service group. In practice, the router's IP address for the
interface that connects it to the appliance should be used. The router's loopback IP should not be used.
citrix.com 521
Planning Your Deployment
Deploying appliances in a WCCP cluster requires more planning than does deploying a single appliance. Read the
following sections carefully before proceeding.
citrix.com 522
Selecting Appliances
The appliances you select for the deployment must all be the same model, running the same software version.
Otherwise, management and troubleshooting can become impractical.
Your appliance choice is generally made by comparing your sites WAN bandwidth and number of WAN users to
the capacities of the different appliances in the CloudBridge Data Sheet. For fault tolerance, always order one more
appliance than is absolutely required according to the data sheet.
The number of appliances you need is found as follows, rounding up all fractions:
Note that if appliances = 2, you can use just a single appliance instead of WCCP clustering, or an HA pair instead of
WCCP clustering, since the equation builds in a spare appliance. In other words, WCCP clustering is not necessary
(from a capacity perspective) unless appliances is 3 or more.
Example. Suppose you have 700 users and a 100 Mbps link. Some appliances you might consider are the CloudBridge
2000-050, the CloudBridge 3000-100, and the CloudBridge 4000-310.
Model Optimized WAN Capacity Maximum HDX Sessions Appliances_bw Appliances_users Appliances
2000- 50 Mbps 300 3 4 4
050
3000- 100 Mbps 400 2 3 3
100
4000- 310 Mbps 750 2 2 2
310
As you can see from the above table, the higher-performance platforms require fewer appliances to get the job done, as
you would expect. The CloudBridge 4000-310 meets the requirements with a single appliance, and evaluates to two
appliances only because the equations build in a spare.
You can always add more capacity by adding more appliances, but that is not always necessary. The bandwidth limits
of two of the three choices, the CloudBridge 3000-100 and the CloudBridge 4000-310, can be increased through a
license upgrade. The CloudBridge 2000-050 however, is already at the high end of the range for CloudBridge 2000
appliances.
citrix.com 523
Load-Balancing in the WCCP Cluster
Traffic is distributed among the appliances in the WCCP cluster. If an appliance leaves the cluster (through failure,
overload, or being manually disabled), its traffic is rebalanced by distributing it among the surviving members. If an
appliance joins the cluster, traffic is rebalanced once more to give the new appliance its fair share.
Traffic is distributed on the basis of an address mask that is applied to the source and destination addresses of WAN
traffic. You must select an appropriate mask field for efficient load-balancing. An inappropriate mask can result in load-
balancing that is poor to nonexistent. For example, if the mask matches an address field that is identical at all your
remote sites, all your WAN traffic is sent to a single appliance, overloading it. For example, if all of your remote sites
have an address in the form of 10.0.x.x, and your mask bits are within the 10.0 portion of the address all traffic is sent to
a single appliance.
The address bits extracted by the address mask are used as an index that is used (indirectly) to select one of the WCCP
caches (appliances). For example, an address mask with two one bits results in four possible values, depending on the
address. Each of these values can be thought of as a bucket. With two mask bits, you have four buckets, numbered 0-3. The
buckets are assigned to WCCP caches. To be effective, there must be at least as many buckets as caches. If you use a two-
bit mask and have five or more caches, some caches are idle, because each bucket is assigned to only one cache, and there
are not enough buckets to cover all five caches:
Cache 1 2 3 4 5
Buckets 0 1 2 3 -
If there are more buckets than caches, some caches are assigned multiple buckets. For example, if you set three mask bits,
creating eight buckets, and you have four caches, two buckets are assigned to each cache. If you have five caches, three
caches are assigned two buckets each, and two caches are assigned just one. If each bucket represents the same number of
users, you have a 2:1 load imbalance across caches:
Cache 1 2 3 4 5
Buckets 0-1 2-3 4-5 6 7
Increasing the number of set mask bits reduces this imbalance. With four mask bits (16 index values) and five caches, four
caches receive three buckets and one cache receives four buckets, resulting in only a 4:3 imbalance. With six set mask bits
(the largest number supported), four caches receive 13 buckets and one receives 12, which is only a 13:12 load imbalance.
Cache 1 2 3 4 5
Buckets 0-12 13-25 26-38 39-51 52-63
Ideally, you would like each remote site to be directed to a single appliance in the WCCP cluster, so that all traffic to and
from a given site is stored in the same compression history. With this arrangement, any traffic from one user at the site
can be used to compress similar traffic from any other user at that site. In other words, for compressibility, load-
balancing works best if it the address mask selects the bits that differentiate one remote site from another. These are
often the least-significant bits of the subnet portion of the IP address. Using these bits tends to allocate the same
number of remote sites (not users) per local appliance. A mask that aligns with the host portion of the address instead of
the subnet results in a more equal number of remote users (not sites) per appliance, but at the expense of compression
effectiveness. (Compression is only effective when connections flow through the same appliances, and splitting traffic
from the same remote site between two or more local appliances interferes with this.)
Finally, for good load-balancing, each "one" bit in the address mask must be set to one on 50% of the remote
addresses, and set to zero on 50% of the remote addresses. This is not the case on all address bits, since in most
WANs, the highest-order network bits never change at all (such as the 10 in 10.x.x.x). Such bits must never be selected
by the address mask.
In addition, many subnets are only sparsely populated. For example, if only 50 addresses are used in the subnet
10.1.2.0/24, and they are assigned sequentially, the two higher-order host bits (representing the unused range of
10.1.2.64-10.1.2.255) for this subnet never change, and if these two bits are included in the address mask, three-fourths
of the buckets receive no traffic.
The number of one bits in the address mask must allow at least as many combinations as there are
WCCP caches in the cluster. That is, if you have eight appliances, the address mask must contain at least
three one bits.
The one bits in the address mask must each be inside the active address range for most of your
remote subnets, or they skew the load-balancing distribution.
citrix.com 524
The mask should split the address range of individual remote sites into as few pieces as possible, for best
compression performance.
If a remote appliance is faster than the local members of the WCCP cluster, the mask should be designed to
divide its traffic between multiple local appliances. For example, a 100 Mbps remote appliance should have
its traffic split between two 50 Mbps local appliances by setting a bit inside the remote appliances active
address range.
The one bits in the mask are typically contiguous, but this is not required. They can be in any
pattern.
Example: Suppose you set an address mask of 0x0000 0f00, which has four one bits. This defines a four-bit
field that is extracted from the IP address, yielding 16 possible results (16 buckets). These buckets are in turn assigned
to the actual WCCP caches in the WCCP cluster.
Address Masked Address (mask = 0x0000 0f00) Bucket
10.0.0.5 0.0.0.0 0
10.0.1.128 0.0.1.0 1
155.0.2.55 0.0.2.0 2
253.100.255.2 0.0.15.0 15
10.0.15.1 0.0.15.0 15
Zero bits in the mask are ignored, and the one bits are used to define the extracted field. So if the mask is 0x10
10 10 10, these widely separated one bits are extracted into a four-bit field, declaring 16 buckets and a bucket
numbers in the range of 0-15.
citrix.com 525
Assigning Buckets to Appliances
The mapping of bucket to appliances is subject to several variables:
Which appliances are available: If an appliance is down, its share of buckets are given to the available
appliance. If a new appliance is added to the cluster, it is given its fair share of buckets.
The mapping algorithm used (deterministic or least-disruptive).
The order in which appliances come online (least-disruptive mapping only).
The IP addresses of the appliances. WCCP algorithms can use a sorted list of appliance IP addresses; for
example, assigning buckets to appliances in the same order as the appliance IP addresses.
The most important of these factors, from an administrators point of view, is the mapping algorithm.
Deterministic mapping. The deterministic mapping algorithm is less graceful than the least-disruptive algorithm, but it
supports Hot Standby Router Protocol (HSRP) and Global Server Load Balancing (GSLB) routing, and is required when
multiple routers using such protocols share the WCCP cluster.
Deterministic mapping is also the preferred method when the cluster has only two appliances.
Assignments are based on the IP addresses of the active appliances. Each appliance gets its fair share of bucket, with
the lowest-numbered bucket being assigned to the appliance with the lowest IP address. If there are more appliances
than buckets, the leftover appliances (with no bucket assigned to them) are the ones with the highest-numbered IP
addresses. This deterministic assignment allows traffic to arrive for a single connection through any of the routers in the
service group and be forwarded to the same appliance.
Reassignment can be disruptive to accelerated connections, which are reset if they migrate to a different appliance.
With deterministic mapping, the number of buckets that are reassigned to new appliances can be quite high if there are
three or more appliances.
Least-disruptive mapping. When a bucket is assigned to a different appliance, any open accelerated connections that
used the old appliance is reset. The least-disruptive algorithm keeps the reassignment to a minimum. For example, if
you have three appliances, and one appliance fails, the new mapping preserves roughly two-thirds of the assignments
and remaps the remaining third (which fails anyway, because their appliance failed). The least-disruptive algorithm does
not support HSRP or GSLB routing, because it is not guaranteed to result in identical mappings on all the routers in the
service group, and therefore, packets from a single connection might be sent to two different appliances by two different
routers, which causes accelerated connections to fail.
citrix.com 526
Startup and Failover Behavior
Each appliance registers itself with the routers specified in its service class definitions. The first appliance to register
itself, becomes the designated cache, and works with the routers to apportion traffic between itself and the other caches
(called subordinate caches). Because your appliances use identical WCCP algorithms, it does not matter which one
becomes the designated cache.
As additional appliances come online, they are added to the WCCP cluster, and the traffic is reapportioned among the
active appliances. This happens at ten-second increments. After a cold start of the routers or appliances, all of the
appliances might come online within the same ten-second window, or they might arrive over multiple ten-second
windows, causing traffic to be reapportioned multiple times before it stabilizes. In the latter case, the appliances that
come online first maycan become overloaded until additional appliances come online.
An accelerated connection fails when allocated to a different appliance, making reallocation disruptive. This is not true
of non-accelerated connections, which generally experience a delay of thirty seconds or more, and then continue. The
least-disruptive mapping option minimizes the amount of reallocation when an appliance fails.
If an appliance fails or otherwise goes offline, its absence is noted, and the designated cache reapportions its traffic to
the remaining appliances. If the designated cache itself goes offline, the role of designated cache is also reapportioned.
It takes about thirty seconds for the cluster to react to the loss of a cache.
citrix.com 527
Deployment Worksheet
On the following worksheet, you can calculate the number of appliances needed for your installation and the
recommended mask field size. The recommended mask size is 1-2 bits larger than the minimum mask size for your
installation.
Parameter Value Notes
Appliance Model Used
XenApp and XenDesktop Users on WAN Link Uwan =
User overload Factor Uoverload = Uwan/Uspec =
WAN Link BW BWwan =
BW Overload Factor BWoverload = BWwan/BWspec =
Min number of buckets Bmin = N, rounded up a power of 2
=
If CloudBridge 4000 or 5000, Bmin = 2*N, rounded up to a power
of 2 =
Recommended value B = 4 * Bmin if Bmin <= 16, else 2 *
Bmin =
Mask value: The mask value is a 32-bit address mask with a number of one bits equal to M in the above
worksheet. Often these bits can be the least-significant bits in the WAN subnet mask used by your remote sites. If the
masks at your remote sites vary, use the median mask. (Example: With /24 subnets, the least significant bits of the
subnet are 0x00 00 nn 00. The number of bits to set to one is log2(mask size): if mask size is 16, set four bits to one. So
with a mask size of 16 and a /24 subnet, set the mask value to 0x00 00 0f 00.): ______
The above guidelines work only if the selected subnet field is evenly distributed in your traffic, that is, that each address
bit selected by the mask is a one for half the remote hosts, and a zero for the other half. Otherwise, load-balancing is
impaired. This even distribution might be true for only a small number of bits in the network field (perhaps only two or
three bits). If this is the case with your network, instead of masking bits in the offending area of the subnet field, displace
those bits to a portion of the host address field that has the 50/50 property. For example, if only three subnet bits in a
/24 subnet have the 50/50 property, and you are using four mask bits, a mask of 0x00 00 07 10 avoids the offending bit
at 0x00 00 0800 and displaces it to 0x00 00 00 10, a portion of the address field that is likely to have the 50/50 property
if your remote subnets generally use at least 32 IP addresses each.
Parameter Value Notes
Final Mask Value
citrix.com 528
Accelerated Bridge Usually apA
WAN Service A service group not already in use on your router (51-255)
Group
LAN Service Group Another unused service group
Router IP address IP address of router interface on port facing the appliance
WCCP Protocol
(usually "Auto")
DC Algorithm Use "Deterministic" if you have only two appliances or are using dynamic load balancing
like HSRP or GSLB. Otherwise, use "Least Disruptive."
citrix.com 529
Configuring WCCP Clustering
After you have finalized the deployment topology, considered all limitations, and filled in the deployment worksheet, you
are ready to deploy your appliances in a WCCP cluster. To configure the WCCP cluster, you need to perform the
following tasks:
citrix.com 530
Configuring the Router
WCCP configuration on the router is simple, because most WCCP parameters are set by the appliances.
Unlike legacy CloudBridge WCCP support, WCCP clustering uses two service groups for TCP traffic. One service group
is used on the router's WAN interface, and the other is used on the router's LAN interfaces (except for the LAN interface
used by the CloudBridge appliances themselves, when deployed in L2-mode WCCP cluster).
As shown in the following figure, you need to configure two service groups because WCCP allows the mask to be
applied to either the source IP or the destination IP address, which is not quite what is required. To keep connections
between two endpoints together, regardless of which endpoint initiates the connection, the appliance applies the
address mask to the source IP address of incoming WAN traffic, and to the destination IP address of incoming LAN
traffic. This requires two service groups.
The WAN service group uses WCCP source-ip address masking, while the LAN service group uses dest-ip masking. In
some deployments, it may be necessary to reverse the assignments, using the WAN service group for your LAN
interface and vice versa. This might occur if the number of local IP addresses greatly exceeds the number of remote IP
addresses.
Figure 1. CloudBridge WCCP Cluster
Example. The following example uses service group 61 for the WAN service group and service group 62 for the LAN service
group. Three router interfaces are used. One is connected to the WAN, one is connected to the LAN, and one is connected to
the WCCP cluster.
!
! Example is for WCCP clustering using WCCP redirect in statements
! on LAN and WAN interfaces.
! This definition is appropriate for modern Cisco routers.
! Global declarations
ip wccp 61
ip wccp 62
!
interface GigabitEthernet1/1
description LAN interface. SG 62 is used for LAN
ip address 172.80.1.56 255.255.255.0
ip wccp 62 redirect in
!
interface GigabitEthernet1/2
description LAN interface attaching CloudBridge L2-WCCP appliances
description (No wccp redirect statements are used on this interface)
citrix.com 531
ip address 172.80.21.56 255.255.255.0
!
interface GigabitEthernet1/3
description WAN interface. SG 61 is used for WAN
ip address 172.80.22.56 255.255.255.0
ip wccp 61 redirect in
!
Note: If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in statement.
Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip wccp 61 redirect in
statement.
If the router used multiple ports for LAN traffic, each port is configured with an ip wccp 62 redirect in
statement. Similarly, if the router used multiple ports for WAN traffic, each port is configured with an ip
wccp 61 redirect in statement.
If multiple routers shared the same WCCP cluster, they use the same service groups.
It is also possible to use ip wccp redirect statements on only the WAN interfaces:
In many routers, the ip wccp redirect out path is not optimized in hardware, but uses the CPU. If the routers
capabilities along this path exceeds the WAN speed, this method is practical, and is simpler than using redirect
statements on every interface.
Router ACLs can be used to limit redirection. For example, for initial testing, perhaps only a single remote IP address
might be allowed to be redirected through WCCP.
citrix.com 532
Configuring the Appliance
Repeat the following procedure for each appliance in the cluster:
6. Enter T5 from your worksheet as the Cache 1 IP, T6 as the Cache 2 IP, T2 as the Subnet Mask, and T1 as the
Gateway. Click Save. The Configure Service Group section appears.
7. In the Service Group Details section, specify the WAN and LAN service groups (T11 and T12 from your worksheet).
8. In the Priority field, select 100 (in practice this value is somewhat arbitrary).
9. From the Protocol list, select TCP.
10. In the DC Algorithm field, select Deterministic or Least Disruptive. Deterministic is always safe to use, and
should be used if you are using only two appliances, or are using multiple routers. Least Disruptive disrupts
fewer user sessions on failover when used with clusters of three or more appliances, but has restrictions on its use.
11. Set Service Group Pair Status to On.
12. If your router is configured to require a password, enter the password in the Service Group Password field.
Otherwise, leave the field blank.
13. In the Router Communications Details section, enter the IP address of the router (T8 on your worksheet: often
identical to T1 as well). This is the IP address of the appliance-facing router interface. If you use multiple routers to
communicate with the appliance, list them all here.
14. From the Router Forwarding list, select Level 2 or GRE, according to the capabilities of your router. Use Level 2 if you
can, and GRE if you must.
15. For the Mask Value, enter the value you determined from the WCCP Clustering worksheet. This is a critical value: a
poor choice will result in poor load-balancing or none at all.
16. Click Create. This creates the WAN and LAN service groups.
17. On the Configuration > Optimization Rules > Link Definitions page, change the bandwidth limits on each defined WAN
to 95% of the aggregate speed of all your WANs. This prevents the link from being under-utilized when load-balancing
is imperfect. If ICA (XenApp/XenDesktop) is the dominant use, set each appliance to (95% of WAN bandwidth)/N,
where N is the number of appliances (or twice the number of appliances if they are CloudBridge 4000 or 5000 units),
citrix.com 533
to divide the bandwidth equally among the appliances. This latter method is most appropriate for applications with
large numbers of active connections that have relatively low bandwidth requirements.
citrix.com 534
Testing and Troubleshooting
The Monitoring > Appliance > Application Performance > WCCP page shows the current state of not only the local
appliance but of all other appliances that have joined the cluster. Select a WCCP cache and click Get Info.
The Cache Status tab shows the local appliances status. When all is well, the status is 25: has
assignment. You must refresh the page manually to monitor changes in status. If the appliance does not reach the
status of 25: has assignment within a timeout period, other informative status messages are displayed.
Additional information is displayed when you click on the Service Group or the Routers tabs.
The Cluster Summary tab displays information about the WCCP cluster as a whole. As a side effect of the WCCP
protocol, each member of the cluster has information about all the others, so this information can be monitored from any
appliance in the cluster.
Your router can also provide status information. See your router documentation.
citrix.com 535
Inline Mode
Note: This documentation is valid only for appliances that were provisioned from a factory-reset state with the release 7.1
Configuration Wizard. For appliances that have been updated to release 7.1, but not reprovisioned from a factory-reset state,
see the release 7.0 documentation.
When you deploy a CloudBridge 4000/5000 appliance in inline mode, pairs of Ethernet ports on the appliance function
as accelerated bridges. Traffic flows into one bridge port and out the other. When two sites with appliances
communicate, TCP connections between the sites can be accelerated. Traffic that cannot be accelerated is passed
through transparently, as if the appliance were not there.
For maximum reliability, the bridge pairs are equipped with a bypass feature that causes the two ports to be connected
to each other should the appliance fail or lose power, allowing traffic to continue flowing even during such an outage.
Starting in release 7.1, inline mode depends on the NetScaler add interfacePair command to isolate bridge
traffic, ensuring that traffic from one bridge pair stays on that pair. In previous releases, this was done with VLAN
definitions. Appliances that were provisioned with release 7.1 have this feature enabled by default. Appliances that were
upgraded to release 7.1 without reprovisioning retain their old configuration.
Inline mode is currently recommended only for sites where WCCP is not practical, and which have a single WAN link, or
have fully independent WAN links that do not use dynamic routing, load-balancing, or fail-over.
citrix.com 536
Deployment Topology
The following figure shows a CloudBridge 4000/5000 appliance in inline mode.
Figure 1. Basic cabling for inline mode
As shown in the above figure, inline mode is a two-arm mode. For inline deployments, the NetScaler instance is
configured in L2 (bridged) mode, but the accelerators are connected internally to the NetScaler instance in a one-arm
configuration.
Inline mode is the easiest mode to configure. You connect one port of an accelerated pair to the WAN router and the
other to the LAN network. The appliance transparently accelerates traffic flowing between the two ports, which to the
rest of the network appear to be an Ethernet bridge.
You can also deploy the appliance to accelerate traffic from certain resources only, such as back-end servers, and not
the traffic of the entire network. Such an arrangement reserves the appliance's resources for the selected traffic. In this
case, you install the appliance on the branch network that includes the resources for with you want to accelerate traffic.
citrix.com 537
citrix.com 538
Port Affinity
Port traffic on a given bridge must be isolated to that bridge. In release 7.1, this is done as part of the provisioning
process. It can also be done manually with the add interfacePair command in the NetScaler command line
interface.
The following examples show how this command is used to create port affinity on all bridged pairs in the appliance:
CloudBridge 4000
CloudBridge 5000
citrix.com 539
VLAN Trunking
VLAN trunking is also known as tagged VLAN and 802.1Q tagging. The 802.1Q tagging enables a networking device to
add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging also enables network
environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and
recognizes the VLAN to which the frame belongs.
When you configure tagging on bridged interfaces, the VLAN configuration must be identical on both ports of the bridge.
Tagged VLANs are not supported on the management interfaces (ports 0/1 and 0/2).
For example, if your WAN link uses VLAN 412, you declare VLAN 412 as a tagged VLAN in the NetScaler instance, and
bind it to both ports of the bridge (such as ports 10/1 and 10/2), as shown in the example below.
Figure 1. Tagged VLANs for VLAN trunking. VLAN 412 is tagged
1. From the System > Settings > Configure NSVLAN Settings dialog box. This method declares a VLAN whose
broadcast traffic is isolated from other VLANS. This method is recommended for the management subnet. It requires a
restart to take effect.
Note: This VLAN configuration method is neither synchronized nor propagated in high availability mode. Therefore,
you must perform the configuration independently on each appliance of a high availability setup.
2. From the Create VLANs dialog box (reached from Network > VLANs > Add..). This method does not create an
isolated broadcast domain, from traffic originating in the NetScaler instance until we bind the NetScaler IP addresses
to the VLAN. Adding such a VLAN does not require a restart. This method is recommended for all VLANs except the
management subnet.
citrix.com 540
Ethernet Bypass
The appliance includes a bypass feature for inline mode. In a power failure, a relay closes and the input and output
ports become electrically connected. This feature allows the Ethernet signal to pass through from one port to the other,
as if the appliance were not there. The appliance functions like a cross-over cable connecting the two ports.
Besides a power failure, any failure of the appliance hardware or software also closes the relay. When the appliance is
restarted, the bypass relay remains closed until the appliance is fully initialized, maintaining network continuity at all
times. This feature is automatic and requires no user configuration.
When the bypass relay is closed, the bridge ports of the appliance are inaccessible.
Bypass Considerations
The bypass feature is disabled when the NetScaler instance is set to L3 mode. Because L3 mode is the
factory default, inline mode should be configured before the appliance is placed in line with data traffic.
The bypass feature is disabled when the appliance is in HA mode.
A bypass event causes all bypass-enabled port pairs (except the loopback ports) to enter the bypass mode.
The loopback ports never enter bypass mode.
A bypass event occurs if the NetScaler instance or the bypass daemon in Dom-0 becomes unresponsive.
A bypass event is not triggered by accelerators becoming unresponsive.
The 1-Gigabit bypass ports are copper, and 10-Gigabit bypass ports are fiber ports.
citrix.com 541
Configuring Inline Mode
Note: These instructions are valid only for appliances that were provisioned from a factory-reset state with the release 7.1
Configuration Wizard. For appliances that have been updated to release 7.1, but not reprovisioned from a factory-reset state,
see the release 7.0 documentation.
Basic configurationis performed by the release 7.1 Configuration Wizard. Additional configuration is required only if you
use VLAN trunking on data passing through the bridges.
citrix.com 542
Configuring the High Availability Setup on the Appliances
High availability(HA) works directly between the NetScaler instances of two CloudBridge 4000 or 5000 appliances. As
shown in the configuration , the two appliances are configured almost identically, except for management network IP
addresses.
Note: The accelerator instances on the two appliances are not synchronized, and must be kept consistent manually. Take this
into account when deciding whether to use HA.
Note: For a smooth installation, install and test one appliance before adding the second one, noting all configuration changes,
especially to the accelerator.
Note: You must use the same aPA and signaling addresses on both appliances. However, all management subnet IP
addresses must be unique on each appliances.
If the active appliance becomes unavailable, the passive appliance transparently takes over the function of the primary
appliance. This is called failover. As a result, disruption of services over the network is minimal. After a failover,
all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained
as they were before the failover.
HA is supported in all deployment modes, and the HA configuration procedure is the same for all modes. The two
appliances should be running identical hardware, licensing, and software releases, and must be deployed identically,
using the same deployment modes on the same subnets.
When you enable HA, the configuration of the primary appliances NetScaler instance is copied to the secondary
appliance as part of the NetScaler HA synchronization process.
1. Complete the configuration for your chosen deployment mode (inline or WCCP). Note that all parameters for
the external traffic subnet and the private traffic subnet are identical for both appliances, but some
management subnet values are different on the two appliances.
2. Fully configure appliance #1 and test it thoroughly. If inline mode is used, do not connect the traffic network to
the bridge ports on appliance #2.
3. Fully configure appliance #2. Note that some parameters are different on the two appliances: H1, H4, H5, H6,
and H17 are used on the second appliance in place of M1, M4, M5, M6, and M17. Make sure that the
accelerators are configured identically to the ones on appliance #1, and that both appliances have identical
VLAN definitions in the NetScaler instances.
4. Access the NetScaler instance on appliance #1, by specifying its IP address (M17) in a web browser.
5. Log on to the NetScaler instance.
6. In the Navigation pane, expand the System node.
7. Select the High Availability node.
8. Click Add, as shown in the following figure.
Figure 1. Configuring a high availability setup of the NetScaler instances
9. In the remote Node IP Address field of the High Availability Setup dialog box, specify the NSIP address of the
NetScaler instance of the other appliance #2 (H17 on your worksheet), as shown in the following figure.
Figure 2. Configuring a high availability setup of the NetScaler instances
citrix.com 543
10. Click OK. The appliances are now configured as a high availability pair, as shown in the following figure.
Figure 3. Configuring high availability on the NetScaler instance
Note: To learn more about setting up high availability on a NetScaler instance, see the High Availability node of the Citrix
eDocs website.
citrix.com 544
Evaluating the Configuration
Putting your appliance online in a production network requires special attention to prevent disruption or confusion,
especially in a complex environment
Rollout Example
When deploying CloudBridge 4000/5000, the basic rollout decision is whether to activate the entire deployment at once or to
roll it out in stages. In a large or complex environment, a phased approach avoids trouble, and the deployment can be
extended at will. This type of approach calls for the use of WCCP. The following example illustrates one approach for such a
site:
1. Configure the system as described in the installation procedure, except for the router. There, instead of setting up
WCCP redirection for all incoming and outgoing WAN traffic, set it up for traffic to and from either a single remote site
or a single IP address at that site. The remote site must already contain an enabled CloudBridge appliance.
2. The accelerator page. If not, check your WCCP configuration on the router and on the accelerators, and check your
NAT definitions on the NetScaler instance by using Monitoring: WCCP page. If not, check your WCCP configuration
on the router and on the accelerators, and check your NAT definitions on the NetScaler instance by using nstrace. If
nstrace reveals an issue, and your definitions look correct, rebooting the appliance may resolve the issue.
3. Test acceleration between the new site and the remote site, with the remote site as the client side and the
CloudBridge 4000/5000 equipped site as the server side, as described in General Monitoring.
4. If traffic does not appear, the router is not sending traffic to the CloudBridge 4000/5000 properly. The error could be in
the Router configuration, the NetScaler configuration, or the CloudBridge WCCP configuration. Double-check these
settings.
5. If traffic appears but is not accelerated, you might have a problem with asymmetrical routing, with not having a
CloudBridge license installed, or with having acceleration disabled either globally or on the service classes associated
with the traffic.
6. When all is working properly, test reverse connections, where a site on the CloudBridge 4000/5000 side is the client
and the remote site is the server, if applicable.
7. If using NetScaler HA, save the configuration of the individual WCCP-enabled instances from the individual instances'
GUIs, and save the configuration of the accelerator, do basic configuration manually, then restore the saved
configurations, first of the accelerators as a whole, and then restore the two WCCP-enabled instances. Once this is
done (and NetScaler HA is enabled), test failover by powering down the primary appliance. Be careful to avoid IP
address conflicts.CloudBridge 4000/5000, do basic configuration manually, then restore the saved configurations, first
of the accelerators as a whole, and then restore the two WCCP-enabled instances. Once this is done (and NetScaler
HA is enabled), test failover by powering down the primary appliance. Be careful to avoid IP address conflicts.
8. If using NetScaler HA, save the configuration of the individual WCCP-enabled instances from the individual instances'
GUIs, and save the configuration of the accelerator, restore these saved configurations, first of the accelerators as a
whole, and then restore the two WCCP-enabled instances. Once this is done (and NetScaler HA is enabled), test
failover by powering down the primary appliance.CloudBridge 4000/5000, restore these saved configurations, first of
the accelerators as a whole, and then restore the two WCCP-enabled instances. Once this is done (and NetScaler HA
is enabled), test failover by powering down the primary appliance.
9. Expand the scope of acceleration to include more remote sites, and repeat the above testing. When doing so, also
examine the Monitoring: System Load page, especially during peak periods, to verify that the CloudBridge
4000/5000 is not heavily loaded.
10. Continue this process until the entire WAN is being accelerated.
Monitoring
Use the CloudBridge 4000/5000Use the CloudBridge 4000/5000 GUI to monitor traffic after you configure a LAN link
and a WAN link. CloudBridge 4000/5000 allows a very simple link definition.
1. Edit one link so its name is "LAN," its type is "LAN," and its speed is 10 Gbps in both directions. Delete its
existing filter rule, then click Add Rule, and then click Save to save a link definition that matches all traffic.
2. Edit the other link so that its name is "WAN," its type is "WAN," its speed is 95% of the aggregate speed of
your site's WAN links in each direction. Delete its existing filter rule, then click Add Rule, and then click Save to
save a link definition that matches all traffic.
citrix.com 545
To verify that link configuration is working correctly, traffic must be flowing. If the network does not have enough
traffic to fill the WAN link to capacity, run test traffic to fill the network to capacity. Then look at the link reports on
the Reports: Link Usage tab. The following figure shows these reports.
General Monitoring
1. If WCCP is configured, verify that the service groups are in operation and the routers are redirecting traffic.
(Note that the CloudBridge WCCP page packet counts are not present in CloudBridge 4000/5000. Check traffic
by other means, such as on the Monitoring: Active Connections page, and on the router.)
2. On the remote CloudBridges, verify that outgoing connections are being accelerated, and that all accelerated
connections to the datacenter report the same Partner Unit on the remote appliance's Monitoring: Connections
page. When load-balancing is working properly, all outgoing accelerated connections show the same Partner
Unit. (However, incoming accelerated connections might show different units.)
3. Double-check remote CloudBridges for correctly set bandwidth limits, to prevent remote issues from being
misidentified as datacenter issues.
4. Generally monitor the CloudBridge 4000/5000 unit for alerts.
5. In the broker UI, use the Dashboard, the Monitoring: Remote Partners, and perhaps the Monitoring: Appliance
Load pages to monitor the overall activity and load of the system.
citrix.com 546
Troubleshooting Tips
While most installations complete smoothly, some installations require knowledge of the appliances internal
structure or the use of little-known features before you can perform additional monitoring and troubleshooting. These
troubleshooting tips provide information and techniques that allow a more in-depth analysis of the appliance.
Some reports show addresses on the private subnets within the CloudBridge 4000/5000, so its good to
know what these addresses mean. These subnets connect the virtual machines together, without connecting to
external ports.
All these addresses are on the local link subnet 169.254.0.0/16, described in RFC3927. This address space is
segmented into three partly overlapping subnets: system management, private traffic, and accelerator
management subnets.
System Management Subnet, 169.254.0.0/16
Function Address
Management Service 169.254.0.10/16
NetScaler Instance 169.254.0.11/16
XenServer 169.254.0.1/16
Private Traffic Subnet, 169.254.10.0/24
Function Address
apA IP, accelerators 1-8 169.254.10.21/24 - 169.254.10.28/24
apA Signaling IP, accelerators 1-8 169.254.10.121/24 - 169.254.10.128/24
NetScaler Instance 169.254.10.11/24
Accelerator Management Subnet, 169.254.0.21-28/24
Function Address
Accelerator unified management IP (controls all accelerators) 169.254.0.20/24
Primary Port IP, accelerators 1-8 169.254.0.21/24 - 169.254.0.28/24
Figure 1. Virtual machines in the CloudBridge 4000 and 5000. The system management subnet is not shown in this
diagram. The traffic shaper manages traffic from all accelerators and is controlled via the accelerator GUI.
citrix.com 547
A fully active instance will show a green circle for VM State, Instance State, and Licensed.
Your appliance may have more instances present than are licensed; ignore the unlicensed instances.
If the VM State or Instance State of the remaining instances are not green, use the
Rediscover action to attempt to bring these instances back into operation.
You can also get detailed information for each instance, as shown below:
Every instance should have a Status of Inventory from CloudBridge Instance completed.
Every instance should be running the same version of the software.
Every instance should have the netmask (255.255.255.0) and gateway (169.254.0.20).
Instances that show an uptime shorter than other instances have rebooted since the last whole-
system reboot.
You can also log into the NetScaler instance directly from your browser if you know its IP address on the
management port (port 0/1).
Once logged in, you will see the NetScaler GUI, which identifies itself as NetScaler VPX at the top of the page.
This is the standard NetScaler user interface. Using monitoring features is safe. Configuration changes should
be made with caution, as the CloudBridge 4000/5000 makes undocumented assumptions about how the
NetScaler instance is configured.
citrix.com 548
Using Ping and Traceroute
The ping and traceroute utilities are not available on the accelerator instances, as they are on other CloudBridge
products. Instead, you can use the equivalent features on the NetScaler instance, using the Diagnostics page as
shown below.
These features will work over your external network and on the appliances internal subnets.
The System Health tables show a status summary, with a Details link for expanded information in
graphical form.
The Events tables show a status summary, with a Show Events link to see the related log entries.
The power supply was struggling, as can be seen in both the Hardware Sensors Summary and the
System Health Events log. (The count in the System Health Events heading shows that there was
only one event, the Date field shows that it happened long before the screen was displayed, and the
Message indicates that the incident was Non-Critical, so replacing the power supply is likely not called
for.)
Several ports are marked as Down, which is only an error if a cable is supposed to be present. Most
appliances have several unused ports.
Fail To Wire lists FTW Disabled for all ports. This means that the network bypassing feature is not
enabled on this appliance. Examination of the FTW Events showed that there were no actual events,
indicating that the feature is probably disabled.
citrix.com 549
For each warning or error, additional details are available through the Details links or Show Events buttons.
You can log into some of the virtual machines from the management port (port 0/1) using an ssh utility (such as
PuTTY on Windows), logging in either as root or nsroot and using the administrative password. This will give you
a shell prompt.
The most common use for logging on via SSH is to restore the IP address of an instance, typically the
management service, that has become unreachable due to misconfigured network parameters. Otherwise, SSH
is not recommended, as configuration changes can render the appliance unstable or unusable.
If neither of the two instances below are accessible over the network, you can log into the XenServer instance
using the RS-232 port, which will give you a shell prompt.
Instance Login Password Actual username
Management Service nsroot Admin password root
Management Service root Admin password root
XenServer nsroot Admin password nsroot
XenServer root Admin password root
Once logged into one of these virtual machines, you can use SSH from the shell prompt to reach the NetScaler
instance or the accelerator at the appropriate 169.254.x.x address.
The usual UNIX/Linux commands are available, including the vi text editor.
Logging into the accelerator GUI IP allows you to manage all the accelerator instances as a unit. Changes are
automatically propagated to all the accelerator instances.
On rare occasions, you may wish to troubleshoot individual accelerator instances. To do this, use the following
URLs:
Accelerator Instance URL
1 https://<accelerator_ip>:4001
2 https://<accelerator_ip>:4002
8 https://<accelerator_ip>:4008
The login for the instances is admin. The password is the same admin password as is used on the other
instances.
This is recommended for monitoring, not for making permanent changes, since any parameter you set in an
instance may be overwritten later by the synchronization process.
The update bundles distributed by Citrix are in a simple .tgz format (a tar archive compressed with gzip). It is
sometimes useful to extract individual components from the archive, rather than going back to the the Citrix Web
site and downloading them individually. This is most commonly useful with the management service (build-svm*.
tgz) or the accelerator release (orbital*.bin).
The update bundle can be managed by tar/gzip or by archiving utilities like 7-zip.
citrix.com 550
citrix.com 551
Managing the Appliance
CloudBridge 4000/5000 is an appliance containing multiple virtual CloudBridge WAN accelerators controlled by a single
virtual NetScaler load balancer. This combination provides a high-performance WAN accelerator for busy datacenters.
citrix.com 552
CloudBridge Licensing Overview
The process of allocating your CloudBridge licenses has been greatly simplified. The new licensing framework allows
you to focus on getting maximum value from Citrix products.
In the CloudBridge configuration utility (GUI), you can use your hardware serial number (HSN) or your license activation
code (LAC) to allocate your licenses. Alternatively, if a license is already present on your local computer, you can
upload it to the appliance.
For all other functionality, such as returning or reallocating your license, you must use the licensing portal. Optionally,
you can still use the licensing portal for license allocation. For more information about the licensing portal, see "http:
//support.citrix.com/article/CTX131110".
Note:
On a CloudBridge appliance, you can use the HSN or LAC to allocate your license or upload the license to
the appliance from a local computer. On a CloudBridge VPX appliance, you can only upload the license to
the appliance from a local computer.
You must purchase separate licenses for each appliance in a high availability (HA) pair. Make sure that the
same type of licenses are installed on both the appliances. For example, if you purchase a platinum license
for one appliance, you must purchase another platinum license for the other appliance.
Note: You must purchase separate licenses for each appliance in a high availability (HA) pair. Make sure that the same type
of licenses are installed on both the appliances. For example, if you purchase a platinum license for one appliance, you must
purchase another platinum license for the other appliance.
citrix.com 553
Prerequisites
To use the hardware serial number or license activation code to allocate your licenses:
The management service virtual machine of the appliance must have an access to public domain.
Your license must be linked to your hardware, or you must have a valid license activation code (LAC). Citrix
sends your LAC by email when you purchase a license.
citrix.com 554
Allocating your License by using the Configuration Utility
If your license is already linked to your hardware, the license allocation process can use the hardware serial number.
Otherwise, you must type the license activation code (LAC).
6. Click Update Licenses, and then select one of the following options:
Use Hardware Serial NumberThe software internally fetches the serial number of your appliance
and uses this number to display your license(s).
Use License Activation CodeCitrix emails the LAC for the license that you purchased. Enter the
LAC in the text box.
7. Click Get Licenses. Depending on the option that you selected, one of the following dialog boxes appears.
The following dialog box appears if you selected Hardware Serial Number.
citrix.com 555
The following dialog box appears if you selected License Activation Code.
8. Select the license that you want to allocate, and then click Get.
9. Click Apply for the license to take effect.
citrix.com 556
Installing the License
If you downloaded your license file to your local computer by accessing the licensing portal, you must upload the license
to the appliance.
6. Click Add New License, then select Upload license files from a local computer.
7. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.
See also
citrix.com 557
Verifying CloudBridge Licenses
Before using a feature, make sure that your license supports the required number of accelerators.
licensed.
4. Alternately, navigate to CloudBridge > Instances. The Licensed column displays the status of licensed accelerates as
green.
citrix.com 558
CloudBridge 600 and Repeater 8520, 8540, and 8820 Appliances
The CloudBridge 600 and Repeater 8520, 8540, and 8820 appliances are designed primarily for use in branch offices.
More advanced models are used primarily in data centers.
The CloudBridge/Repeater 600, 8500, and 8800 Series are an older generation of CloudBridge appliances, with the following
general characteristics:
CloudBridge 600 Series. A small 1U appliance suitable for smaller branch offices, the CloudBridge 600
Series has a single accelerated bridge and supports WAN speeds of 1-10 Mbps.
Repeater 8500 Series. A full-sized 1U appliance suitable for large branch offices and smaller datacenters,
the Repeater 8500 Series has a single accelerated bridge and supports WAN speed of 10-45 Mbps.
Repeater 8800 Series. A 2U appliance for large datacenters, the Repeater 8800 Series supports WAN
speeds of up to 155 Mbps and features dual power supplies and optional support four two accelerated
bridges.
All of these appliances have similar architectures and run the same release binaries. These appliances are fully
supported with CloudBridge release 7.
citrix.com 559
Hardware Platforms
citrix.com 560
Introduction to Hardware Platforms
The various hardware platforms offer a wide range of features, communication ports, and processing capacities.
citrix.com 561
CloudBridge 600 Series
CloudBridge 600 Series are 1U appliances, each appliance has one dual-core processor and 4 gigabytes of memory.
The CloudBridge 600 Series have a bandwidth of 1Mbps, 2Mbps, and 10Mbps.
The following figure shows the front panel of the CloudBridge 600 Series appliance.
Figure 1. CloudBridge 600 Series, front panel
The front panel has the LCD screen and the LCD keypad.
The following figure shows the back panel of the CloudBridge 600 Series appliance.
Figure 2. CloudBridge 600 Series, back panel
The following components are visible on the back panel of the CloudBridge 600 Series appliance:
citrix.com 562
Repeater 8520 and 8540
Repeater 8520 and Repeater 8540 are 1U appliances, each appliance has one dual-core processor and 4 gigabytes of
memory. Model 8520 has a bandwidth of 10Mbps and model 8540 has a bandwidth of 45Mbps.
The following figure shows the front panel of the Repeater 8520/8540 appliance.
Figure 1. Repeater 8520/8540, front panel
The front panel has the LCD screen and the LCD keypad.
The following figure shows the back panel of the Repeater 8520/8540 appliance.
Figure 2. Repeater 8520/8540, back panel
The following components are visible on the back panel of the Repeater 8520/8540 appliance:
citrix.com 563
Repeater 8820
Repeater 8820 is a 2U appliance with 1 quad-core processor, and 12 gigabytes (GB) of memory. It has a bandwidth of
155Mbps.
The following figure shows the front panel of the Repeater 8820 appliance.
Figure 1. Repeater 8820, front panel
The front panel has the LCD screen and the LCD keypad.
The following figure shows the back panel of the Repeater 8820 appliance.
Figure 2. Repeater 8820, back panel
The following components are visible on the back panel of the Repeater 8820 appliance:
citrix.com 564
Common Hardware Components
Each platform in the CloudBridge family has front panel and back panel hardware components. The front panel has an
LCD display. The number, type, and location of ports vary by hardware platform. The back panel provides access to the
fan, power cable, serial console cable, and Ethernet ports.
LCD Display
When you first install the appliance, you can configure the initial settings by using the LCD keypad on the front panel of
the appliance. The keypad interacts with the LCD display module, which is also on the front panel of these appliances.
When you have installed the appliance and are ready for initial configuration, use the LCD display and keypad to set the
IP Address, subnet mask, and default gateway. You can then connect to the appliance's IP address to access the main
user interface.
To use the LCD keypad to perform basic configuration, see Setting Initial ParametersSetting Initial Parameters.
Ethernet Ports
A typical appliance has four Ethernet ports: two bridged ports and two motherboard ports. The bridged ports provide
acceleration. Typically, the bridged ports are on an Ethernet bypass card, which activates a fail-to-wire (FTW) relay if a
failure occurs, so that data transmission continues. In this case, the motherboard ports can be used for secondary
purposes. On an appliance that does not have an Ethernet bypass card, the two motherboard ports are bridged. In
either case, the two bridged ports form an accelerated pair. Acceleration is supported only on accelerated pairs.
On an appliance with a bypass card providing two bridged ports, the bridged ports are called Accelerated Pair A (apA),
and the two motherboard ports are called Primary and Aux1. In this case, the motherboard ports can be used for the
user interface and for the back-channel access required for group mode or high availability mode.
Every appliance has an Accelerated Pair A. Some appliances have a second accelerated pair, called Accelerated Pair B
(apB).
The ports are named as follows:
Table 1. Ethernet port names
Motherboard port 1 Primary (or apA.1 if no bypass card is present)
Motherboard port 2 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present)
Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2)
Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2)
Bridged Ports
In inline mode, the pair of bridged ports acts as a transparent bridge, as if it were an Ethernet switch. Packets flow in
one port and out the other. The bridges can also act in single-ended mode (WCCP or virtual inline), in which packets
flow in one port and back out the same port.
A bypass card is standard equipment on some models and optional on others. If the appliance loses power or
fails in some other way, an internal relay closes and the two bridged ports are connected electrically. This
maintains network continuity but makes the bridge ports inaccessible.
Motherboard Ports
While the Ethernet ports on a bypass card are inaccessible when the bypass relay is closed, the motherboard ports
remain active. You can sometimes access a failed appliance from the motherboard ports when the bridged ports are
inaccessible.
Port Parameters
Each bridge and motherboard port can be:
Enabled or disabled
Assigned an IP address and netmask
Assigned a default gateway
Assigned to a VLAN
Set to 1000 Mbps, 100 Mbps, or 10 Mbps at full or half duplex
After the appliance is installed, all of these parameters except the speed/duplex setting can be set on the
Configure Settings: IP Address page. The speed/duplex settings are set on the Configure Settings: Interface
page.
Notes about parameters:
citrix.com 565
Disabled ports do not respond to any traffic.
To secure the user interface on ports with IP addresses, select HTTPS instead of HTTP on the
UI page.
Inline mode works even if a bridge has no IP address; all other modes require that an IP address be
assigned to the port.
Traffic is not routed between interfaces. For example, a connection on bridge apA does not cross over
to the Primary or Aux1 ports, but remains on bridge apA. The entire issue of routing is left to your
routers.
To handle load balanced links, the bridges use the following algorithm: when it is time to send a packet for a
given connection, it is sent on a bridge that received the most recent input packet. The appliance honors the link
decisions made by the router, and automatically tracks the load balancing or main-link/failover-link algorithm in
real time. For non-load balanced links, this algorithm ensures that packets always use the correct bridge.
WCCP and Virtual Inline Modes. Multiple bridges are supported with both WCCP and virtual inline modes (not
shown). Usage is the same as the single-bridge case, except that WCCP has the additional limitation that all
traffic for a given WCCP service group must arrive on the same bridge.
High Availability with Multiple Bridges. Two units with multiple bridges can be used in a high availability pair.
Simply match up the bridges so that all links pass through both appliances.
citrix.com 566
Summary of Hardware Specifications
The following tables summarize the specifications of the CloudBridge hardware platforms.
Table 1. Citrix CloudBridgePlatform Summary
CloudBridge 600 series/CloudBridge 700 series
Branch Offices
Target Application
Maximum HDX 10 20 20
sessions
Acceleration Plug- NA NA NA
in CCUs
Hardware Specifications
RAID NA NA NA
RAM 4 GB 4 GB 4 GB
2-Port Fiber NA NA NA
1000SX
4-Port Copper NA NA NA
10/100/1000
4-Port fiber NA NA NA
1000SX
Physical Dimensions
Rack Units 1U 1U 1U
citrix.com 567
System width EIA 310-D, IEC 60297, EIA 310-D, IEC 60297, EIA 310-D, IEC 60297,
DIN 41494 SC48D rack DIN 41494 SC48D rack DIN 41494 SC48D rack
width with mounting width with mounting width with mounting
brackets brackets brackets
System depth 11.5 (29.2 cm) 11.5 (29.2 cm) 11.5 (29.2 cm)
Voltage 100/240 VAC, 50-60 Hz 100/240 VAC, 50-60 Hz 100/240 VAC, 50-60 Hz
Electromagnetic FCC (Part 15 Class A), FCC (Part 15 Class A), FCC (Part 15 Class A),
and susceptibility DoC,CE, VCCI, CNS, DoC,CE, VCCI, CNS, DoC,CE, VCCI, CNS,
certifications AN/NES AN/NES AN/NES
citrix.com 568
Bandwidth 10 Mbps 45 Mbps 155 Mbps
Hardware Specifications
File storage NA NA NA
RAM 4 GB 4 GB 12 GB
Physical Dimensions
Rack Units 1U 1U 2U
System width EIA 310-D, IEC EIA 310-D, IEC 60297, DIN EIA 310-D, IEC 60297,
60297, DIN 41494 SC48D rack width with DIN 41494 SC48D rack
41494 SC48D mounting brackets width with mounting
rack width with brackets
mounting
brackets
System depth 23.1 (58.7 23.1 (58.7 cm) 29.8 (75.7 cm)
cm)
System weight 22 lbs (10 kg) 22 lbs (10 kg) 59 lbs (26.76 kg)
citrix.com 569
Shipping 20 x 22.5 x 8 in 20 x 22.5 x 8 in (50.8 x 57.2 x 36.5 x 26.5 x 11 in (92.7 x
dimensions and (50.8 x 57.2 x 20.3 cm) 67.3 x 27.9 cm)
weight 20.3 cm)
35 lbs (15.9 kg) 69 lbs (31.3 kg)
35 lbs (15.9 kg)
Voltage 100/240 VAC, 50- 100/240 VAC, 50-60 Hz 100/240 VAC, 50-60 Hz
60 Hz
Electromagnetic FCC (Part 15 FCC (Part 15 Class A), DoC, FCC (Part 15 Class A),
and susceptibility Class A), DoC, CE, VCCI, CNS, AN/NES DoC,CE, VCCI, CNS,
certifications CE, VCCI, CNS, AN/NES
AN/NES
*The two values represent the difference between CloudBridge 600 series and CloudBridge 700 series.
citrix.com 570
Installing the Hardware
After you have verified the accessories you received with the appliance, you are ready to mount the appliance, connect
it to the network, and then connect it to a power source. To complete the installation, turn on the appliance. Be sure to
observe all cautions and warnings.
citrix.com 571
Cautions and Warnings
Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.
Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to
the appliance if an electrical accident occurs.
Remove all jewelry and other metal objects that might come into contact with power sources or wires before
installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal
objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed
terminal.
Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and
voltage spikes, and to keep the appliance operating in case of power failure.
Never stack the appliance on top of any other server or electronic equipment.
All appliances are designed to be installed on power systems that use TN earthing. Do not install your
device on a power system that uses either TT or IT earthing.
Make sure that the appliance has a direct physical connection to the earth during normal use. When
installing or repairing an appliance, always make sure that the ground circuit is connected first and
disconnected last.
Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is
used on all current-carrying conductors on the power system to which your appliances are connected.
Do not work alone when working with high voltage components.
Always disconnect the appliance from power before removing or installing any component. When
disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply
units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in
the power supply, even when the power switch is OFF.
Do not use mats designed to decrease static electrical discharge as protection from electrical shock.
Instead, use rubber mats that have been specifically designed as electrical insulators.
Make sure that the power source can handle the appliance's maximum power consumption rating with no
danger of an overload. Always unplug any appliance before performing repairs or upgrades.
Do not overload the wiring in your server cabinet or on your server room rack.
During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades
until the danger of lightning has passed.
When you dispose of an old appliance or any components, follow any local and national laws on disposal of
electronic waste.
To prevent possible explosions, replace expired batteries with the same model or a manufacturer-
recommended substitute and follow the manufacturers instructions for battery replacement.
Never remove a power supply cover or any sealed part that has the following label:
Appliance Precautions
Determine the placement of each component in the rack before you install the rails.
Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on
the rack evenly. An unbalanced rack is hazardous.
Allow the power supply units and hard drives to cool before touching them.
Install the equipment near an electrical outlet for easy access.
Mount equipment in a rack with sufficient airflow for safe operation.
citrix.com 572
For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment
might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest
operating temperatures of the equipment when making a decision about where to install the appliance in the
rack.
Rack Precautions
Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight
of the rack resting on them.
For a single-rack installation, attach a stabilizer to the rack.
For a multiple-rack installation, couple (attach) the racks together.
Always make sure that the rack is stable before extending a component from the rack.
Extend only one component at a time. Extending two or more simultaneously might cause the rack to
become unstable.
The handles on the left and right of the front panel of the appliance should be used only for extending the
appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail
hardware, described later, instead.
citrix.com 573
Rack Mounting the Appliance
The following table lists the hardware platforms and the rack units required for each platform.
Table 1. Height Requirements for Each Platform
Platform Number of rack units
CloudBridge 600 Series One rack unit
Repeater 8520/8540 One rack unit
Repeater 8820 Two rack units
To mount a Repeater appliance, you must first install the rails and then install the appliance in the rack, as
follows:
1. Position the right inner rail behind the ear bracket on the right side of the appliance.
2. Align the holes on the rail with the corresponding holes on the side of the appliance.
3. Attach the rail to the appliance with screws.
4. Repeat steps 1 through 3 to install the left inner rail on the left side of the appliance.
1. Position the rack rails at the desired location in the rack, keeping the sliding rail guide facing inward.
2. Snap the rails to the rack.
Note: Make sure that both rack rails are at same height and that the rail guides are facing inward.
1. Align the inner rails, attached to the appliance, with the rack rails.
2. Slide the appliance into the rack rails, keeping the pressure even on both sides, and push the appliance
into the rack rails until it locks into place.
3. Verify that the appliance is locked in place by pulling it all the way out from the rack.
citrix.com 574
Connecting the Cables
When the appliance is securely mounted on the rack, you are ready to connect the cables. Ethernet cables are
connected first. Connect the power cable last.
Danger: Before installing or repairing the appliance, remove all jewelry and other metal objects that might come in contact
with power sources or wires. When you touch both a live power source or wire and ground, any metal objects can heat up
rapidly and cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.
Fast Ethernet cabling issues and autonegotiation failures are the leading causes of installation problems. In
addition, compression delivers higher performance if your LAN is running at gigabit speeds. Therefore,
upgrading to Gigabit Ethernet when installing an appliance is a good practice.
Connector Polarity and Cross-Over Cables- Fast Ethernet has two connector polarities: computer and switch,
comparable to DCE and DTE in RS-232. Connecting a computer to a switch requires a straight-through cable.
Connecting a computer to a computer or a switch to a switch requires a cross-over cable (analogous to a null
modem cable in RS-232). Routers generally, but not always, use the same connector polarity as computers.
Both Ethernet ports on the appliance are wired as computer ports. Therefore, for Fast Ethernet:
The uplink port on a switch can be thought of as having a built-in cross-over cable.
Fast Ethernet Auto-Negotiation Failures- The Fast Ethernet specification has a flaw that leads to
autonegotiation failures when one end of a connection is set to Auto and the other is forced to 100 Mbps full-
duplex. The Auto connection usually sets itself to 100 Mbps half-duplex. This mismatched connection functions
at low network loads but behaves erratically under high loads. This problem is built into the Fast Ethernet
standard and is not a bug in the appliance.
To avoid this problem, set the units on each end of the cable to the same mode, whether Auto or a specific
mode, such as 1000 Mbps Full Duplex. Citrix appliances default to Auto. This setting can be changed through
the management interface, on the Configuration: Network Adapters page.
In a fail-to-wire installation, the issue extends to both appliance ports plus the ports they connect to. All four ports
should be set to Auto, or all four should be forced to the same mode.
The autonegotiation problem can occur anywhere along the path between LAN and WAN, not necessarily on the
connection to the appliance itself. It is not unusual to discover long-standing cases of this problem in installations
where past performance expectations have been low. It should be suspected when the appliance reports high
packet losses. If the mismatch occurs on a link directly connected to the appliance, the Alerts page reports a half-
duplex connection.
Older Fast Ethernet Equipment- Older Fast Ethernet products do not support full-duplex operation at all. Older
equipment is often less reliable with autonegotiation as well.
citrix.com 575
Cabling is the same as with Fast Ethernet.
Some appliances are shipped with more than one pair of accelerated LAN/WAN ports (Accelerated Pair A and
Accelerated Pair B). On such appliances, assign the Management IP address to the subnet attached to Accelerated
Pair A.
Figure 1. Appliance connectors
On an appliance equipped with an Ethernet bypass card, the motherboard Ethernet (Primary and Aux1) ports are not
accelerated, and are shipped with plugs to prevent cables from being installed into them accidentally. If needed, you
can use them for administrative purposes, or for a back channel for group mode or high availability mode. If your
appliance does not have an Ethernet bypass card, the motherboard ports are an accelerated pair.
You can use either port of an accelerated pair as the WAN-facing port, but when you define your links, you must know
which port that is. A good convention is to use apA.1 as the LAN port and apA.2 as the WAN port. If only one port is
used (WCCP or virtual inline installations), use apA.1.
Figure 2. Ethernet port locations on the appliance
citrix.com 576
Troubleshooting Problems with Cabling (Inline Mode Only)
If your appliance has a bypass card, you can test the cabling for an inline installation as soon as the cables are connected,
before powering on the appliance. Cabling for other modes can be tested only after the appliance is configured.
To test the cable connections of an appliance containing a bypass card, deployed in inline mode, verify that packets can
be sent through the appliance, from the network connected to one side of the appliance to the network connected to the
other side. You can use ping, ftp, or another convenient program. An appliance without a bypass card blocks traffic if
not powered on, so skip this test for such an appliance.
Problems at this stage can have one of the following causes:
Simple cabling errors. Cables might be disconnected or plugged into the wrong port. Inspect your cabling
set-up. Note that many appliances have two unused Ethernet ports. Make sure that you are using an
accelerated pair.
10/100 Ethernet. The use of a cross-over cable where a straight-through cable is needed, or vice versa.
Compare your cabling to the diagrams in the cabling instructions.
10/100 Ethernet. A cable connected to the Uplink port of a switch when it should connect to a regular port, or
vice versa. Inspect your cabling set-up.
10/100 Ethernet. If all else fails, replacing either of the cables with the opposite type of cable should work
(that is, replace a straight-through cable with a crossover cable or vice versa).
Do not break the above topology with additional switches. Random switch arrangements are not supported. Each of the
switches must be either a single, monolithic switch, a single logical switch, or part of the same chassis.
Figure 5. Ethernet port locations on the appliance
citrix.com 577
The spanning-tree protocol (STP) is not recommended on the router or switch ports attached to the Repeater
appliances, because STP can increase the failover time by tens of seconds.
1. Connect one end of the power cable to the power outlet on the back panel of the appliance.
2. Connect the other end of the power cable to a standard 100V/240V power outlet.
citrix.com 578
Switching on the Appliance
After mounting the appliance and verifying that the Ethernet cables and power cable are properly connected, you are ready to
switch on the appliance. If installing a high availability pair, power up both units. Wait for the unit to become responsive to
front panel commands before proceeding with configuration.
citrix.com 579
Initial Configuration
After you have mounted your appliance in a rack, connected the cables, and connected the power cord, you are ready
to configure the appliance. Use the LCD keypad for initial configuration. Then, use a browser to connect to the graphical
user interface (GUI) and perform a quick installation, which takes about 20 minutes. For simple inline mode, no further
configuration is necessary. Other deployment modes require additional configuration.
Inline mode is not only the easiest mode to configure, but also provides the best performance. Use it unless your
network requires a different mode. In some situations, an inline deployment also requires additional configuration.
citrix.com 580
Prerequisites
Before you perform basic configuration, make sure that you have the following information:
citrix.com 581
Setting Initial Parameters
Note: The two interfaces displayed during the configuration are Accelerated Pair A and Primary. In most installations, the
Primary port should be ignored, and only Accelerated Pair A (apA) should be configured.
When the front-panel interface becomes active, set the Management IP address, netmask, and gateway address
through the front-panel interface.
The following table shows initial configuration procedure. If you are setting up an HA pair, perform the same procedure
on both units.
Table 1. Front-panel configuration
1.
This is the default display while the system starts. The five
buttons at the right are for navigation.
2.
This display appears after the system is initialized. The top
line shows the current accelerated bandwidth limit. The
bottom line is a performance bar graph (which is invisible
when no accelerated transfers are underway).
3.
Press the down button to display the host name (the name
assigned to the appliance), which cannot be set from the
front panel.
4.
Press the down button again to display the status of the
accelerated interface. It should be On by default.
5.
Press the down button to view the VLAN tagging status. By
default the value is Off. If your network does not require a
VLAN ID to reach the appliances interface, skip to
step 8.
6.
Press the center button to enter the VLAN tagging menu.
Press the up button to turn tagging on. Use the right button
to move the cursor through the digits of the decimal VLAN
number, and the up/down arrows to change the values of
the digits.
7.
Press the center button to submit the VLAN number, and
press it again to verify the setting.
8.
Press the down button to display the IP address setting.
9.
Press the center button to edit the IP address (the
management IP address). Use the right button to move the
cursor through the digits of the IP address, and the
up/down arrows to change the values of the digits. Press
the center button to submit the IP address.
10.
Press the down button to display the subnet mask setting,
and then press the center button to edit the mask. Use the
right button to move the cursor through the digits, and the
up/down arrows to change the values of the digits. Press
the center button to submit the netmask.
11.
Press the down button to display the gateway address, and
then press the center button to edit the value. Use the right
button to move the cursor through the digits, and the
citrix.com 582
up/down arrows to change the values of the digits. Press
the center button to submit the gateway address.
12.
Ignore Primary port entries. The Primary port was
introduced in Branch Repeater release 4.1. Do not
configure it now. Press the down button until you see the
Restart? screen.
13.
Changes do not take effect till you restart the appliance.
citrix.com 583
Preparing for Installation
Before you install your new appliance, carefully unpack it and make sure that all parts were delivered. The hardware
accessories, such as cables, adapters, and rail kit shipped with your appliance depend on the hardware platform you
ordered. Unpack the box that contains your new appliance on a sturdy table with plenty of space and inspect the
contents.
Hardware accessories, such as cables and rail kit, vary depending on the hardware platform you ordered.
Use the following list to verify that you received everything that should have been included in the box.
In addition to the items included in the box with your new appliance, you will need the following items to complete the
installation and initial configuration process.
Ethernet cables for each additional Ethernet port that you will connect to your network.
One available Ethernet port on your network switch or hub for each Ethernet port that you want to connect to
your network.
A computer to serve as a management workstation.
citrix.com 584
Performing Quick Installation
When you have finished initial configuration through the LCD panel, configure the router to allow access to the management
IP address that you assigned to the appliance. Then, open a web browser and access the appliance's graphical user
interface (GUI) at http://xx.xx.xx.xx, where xx.xx.xx.xx is the management IP address.
The management address is used to communicate with the browser-based management pages. This address should be on
the same subnet as the WAN router port that the appliance is connected to. If the appliance is used to accelerate links to
CloudBridge Plug-in. The management address is used to communicate with the browser-based management pages. This
address should be on the same subnet as the WAN router port that the appliance is connected to. If the appliance is used to
accelerate links to CloudBridge Plug-in users, assign a signaling IP address. The signaling address is used by CloudBridge
Plug-in to communicate with the appliance. Both addresses, if assigned must be on the same subnet as the other devices on
the same LAN segment, as shown in the following figure.
Tip: Ping these addresses first to make sure that they are not already in use.
When prompted for a user name and password, type the factory default values, which are Admin and password, respectively.
(You should change these values as soon as you finish the quick installation procedure.) The first time you access the GUI,
the Quick Installation page appears.
Note: Older versions of Chrome and Internet Explorer earlier than 6.x, are not supported.
On the Quick Installation page, you can set all of the parameters required for a simple inline configuration. For a more
complex configuration, setting the parameters on this page is a prerequisite.
Figure 1. Quick Installation page
citrix.com 585
On the Quick Installation page:
If you connected the appliance in a simple inline deployment, it is now up and running. You can view the accelerated
links on the GUI's Dashboard and Monitoring pages. (The left side of the screen displays links to those pages.)
Acceleration should increase as the appliance accumulates compression history.
citrix.com 586
Additional Configuration
All types of deployment require configuration of the settings on the Quick Installation page. The following deployment
scenarios require additional configuration:
The appliance is serving multiple LAN links. See Sites with Multiple WAN Routers and Link Definitions.
You are using the CloudBridge Plug-in. See CloudBridge Plug-in.
You are using any of the following deployment modes: WCCP, high-availability mode, virtual inline mode,
multiple accelerated bridges, or group mode. See Using Forwarding Modes.
You are upgrading from Branch Repeater release 5.x and you defined non-standard service classes. These
are converted automatically, but might require adjustments. See Service Classes.
You want to use any of the following features:
Important: Do not forget to change the administrative password from its default value.
citrix.com 587
Changing the Administrative Password
The default user account is the administrative account, which provides complete access to all features of the CloudBridge
appliance. To preserve security, you must change the administrative password from its default value when the appliance
restarts after the quick installation procedure. Citrix recommends changing the administrative password frequently.
citrix.com 588
Using the Graphical User Interface for Monitoring or Additional Configuration
CloudBridge appliances have a browser-based graphical user interface (GUI) for configuration and monitoring. To
access the GUI, enter the appliance's management address in a web browser's address bar. For example, if your
appliance's management address is 10.2.0.2, type:
http://10.2.0.2
When prompted, enter the user name and password assigned to you by the administrator.
Note: For initial setup, see Performing Quick Installation for the default user name and password. The first time you log on,
the Quick Installation page appears. Subsequently, the Dashboard page is the first to appear.
The header section of the graphical interface has tabs which allow you to navigate to other pages. All the operations are
grouped into three categories:
Dashboard
Monitoring
Configuration
As a navigation aid, in the currently displayed tab is highlighted. For example, the following figure shows the Dashboard
page, and therefore it shows the Dashboard tab as highlighted.
Figure 1. Dashboard Page
For additional information about the GUI, including descriptions of the fields on each page, see Using the Graphical
User Interface.
citrix.com 589
Initial Testing
You can do a few simple tests to determine whether the appliance is accelerating your WAN traffic.
1. Ping the remote appliance at its management address to make sure it is running.
2. On the Dashboard page, monitor the traffic passing through the appliance. The graphs are updated periodically
(by default, once per minute).
3. Open a connection to an appliance-equipped remote site, using FTP or some other convenient bulk-transfer
program such as ssh, rsync, iperf, or wget.
4. Start a data transfer. Once the transfer starts, the throughput graph should show accelerated bandwidth at the
bandwidth limit of either the local or the remote link, whichever is less. The compression usually yields a
compression ratio in the range of 1:1 to 10:1, depending on the compressibility of the test file.
5. Send the file a second time. This transmission should have a compression ratio of at least 100:1, and the
throughput should be considerably faster than the WAN link. (If not, you might have reversed apA.1 and apA.2
in your link definitions. You can fixed that on the Configuration: Optimization: Links page. Compression ratios
can be read on the Monitoring: Optimization: Connections page (on the Accelerated Connections tab). By
default, only open connections are displayed, but if you change the Connection State filter to Any, the data
persists for about a minute after the connection closes.
6. Check for CIFS acceleration. Reboot a convenient PC and mount all the CIFS (Windows) file systems that are
normally accessed over the WAN. Doing so should ensure that the PC opens new CIFS connections, which
will be accelerated.
7. Look at the Monitoring: Optimization: Filesystem (CIFS/SMB) page. Your connections to CIFS file servers
should be listed under Accelerated CIFS Connections. If they are listed under Non-Accelerated CIFS
Connections with Reason 3: Security Settings, you need to disable CIFS Signing on your server. See
To change the server's setting to allow CIFS acceleration. If the connections are not listed at all, you have a
routing or setup problem.
citrix.com 590
Initial Troubleshooting
You should test newly installed appliances to verify that they are providing acceleration, and, if not, discover the cause of the
difficulty.
The incorrect use of straight-through vs. cross-over cables, which causes a total loss of connectivity
on 10/100 Mbps links.
Links where one side is forced to 100 Mbps full-duplex, and the other is set to Auto-negotiate. A flaw
in the Fast Ethernet standard results in the Auto side choosing 100 Mbps HALF-duplex in this case.
The link works, but at greatly reduced performance. This can happen at the actual link to the
appliance, but long-standing cases are often discovered elsewhere in existing networks, where they
have gone unnoticed because past performance expectations have been low.
Start by verifying that you can connect to the local appliance at its management IP address (using pings or
browsing to the management interface). In inline mode, verify that you can connect through the appliance to
outside systems.
Cabling errors.
Router misconfiguration. Router loops or other configuration problems might be preventing successful
establishment of connections.
Inline mode- If the bandwidth is not shown as accelerated bandwidth, an appliance is not enabled, or
the remote appliance is not installed, or at least one unit is not on the path taken by the data. If no
bandwidth usage is shown at all, the local appliance is not on the path taken by the data (check your
cabling and routing tables).
Virtual inline or WCCP mode- If the traffic does not appear at all on the appliances usage
graph, the router is not routing the traffic through the appliance. Check your configuration.
Persistent connections- Only connections that are started after Acceleration is enabled are
accelerated. CIFS connections are very persistent, and it is usually necessary to dismount and
remount the file system on the client (or reboot) before acceleration can occur. To see the full effects
of acceleration, restarting the file server is the quickest method of guaranteeing that all the old
connections have closed, though this is disruptive in a production environment.
Security signing- A Windows server option called signing adds authentication data to CIFS transfers.
Signing prevents the CIFS protocol from being optimized, unless the Appliance has joined a Windows
citrix.com 591
domain. See Joining the Windows Domain for CIFS/MAPI Enhancements. To accelerate this traffic,
either join the Windows domain or disable signing on your servers. See To change the server's setting
to allow CIFS acceleration.
CIFS Session from client <ip> to server <ip> cannot be accelerated for CIFS due to: server sec
This happens on a per-connection basis, and non-bulk-transfer connections (such as SSH terminal sessions) are
often not affected.
The log of the receiver-side appliance unit might contain large numbers of "TCP Checksum Error" messages.
The appliance already uses a reduced MSS to make room for its own headers and those of other equipment, but
this needs to be reduced further if these problems are seen.
To fix this problem, two packet-size parameters need to be reduced. In most cases, reducing DefaultMss and
MaximumMss to 1340 bytes (from their default of 1380) should resolve the VPN fragmentation problem.
However, to find the proper MSS value that needs to be set, refer to the following article: http://support.citrix.
com/article/CTX115434.
The MSS value can be changed on the Configuration: Tuning page. Setting DefaultMss and MaximumMss to
1340 should solve the VPN hang problem.
citrix.com 592
CloudBridge VPX
Citrix CloudBridge VPX is a virtual Citrix CloudBridge appliance that can be hosted on Citrix XenServer, VMware ESX
or ESXi, Microsoft Hyper-V, and Amazon AWS- virtualization platforms. A CloudBridge VPX appliance supports most of
the features of a physical Repeater 8500 series appliance.
Because CloudBridge VPX is a virtual machine, you can deploy on your choice of hardware, exactly where you need it,
and in combination it with other virtual machines -- servers, VPN units, or other appliances -- to create a unit that
precisely suits your needs.
CloudBridge VPX software is available as:
Note: XenServer and VMware vSphere support VLAN trunking, but Hyper-V does not.
When a newly installed CloudBridge VPX virtual machine is up and running, you configure as you would configure a
physical CloudBridge appliance, using the same configuration screens.
Except for Amazon EC2 instances, licensing via remote license servers is mandatory for retail licenses.
Local licensing is available for non-retail licenses, such as evaluation and VPX Express licenses. For
Amazon EC2 instances, you can use either Citrix licensing or select a product with built-in licensing for the
bandwidth limit you desire (2, 10, 20, or 45 Mbps).
CloudBridge VPX obtains its CloudBridge Plug-in licenses from the remote license server (except for
CloudBridge VPX for Amazon AWS, which does not support Plug-ins). Plug-ins connecting to multiple virtual
appliances consume only a single Plug-in license, not one license per appliance, provided that all virtual
appliances use the same license server.
The CloudBridge LCD front-panel display is not supported.
The RS-232 serial command interface is not supported.
Multiple accelerated bridges are not supported.
Ethernet bypass cards are not supported.
Group mode is not supported.
CloudBridge High-availability mode is not supported. (XenServer HA and vSphere HA are supported.)
Three ports are supported (apA.1, apA.2, and Primary), except for Amazon AWS instances, which support
only a single port.
citrix.com 593
CloudBridge VPX Usage Scenarios
You can deploy CloudBridge VPX to accelerate the traffic to or from a branch office, to and from a particular server, or
in the cloud. In the data center, you can create a flexible and powerful configuration by assigning a separate VPX
instance to each server. Or, at any location, you can assign multiple VPX instances to one server, for different types or
levels of acceleration services within the same server.
For employees connecting through VPNs, CloudBridge VPX can accelerate their connections.
As with a physical appliance, inline mode is the most common type of configuration, but WCCP and virtual inline modes
can provide an effective deployment.
For employees connecting through VPNs, CloudBridge VPX can accelerate their connections.
As with a physical appliance, inline mode is the most common type of configuration, but WCCP mode can provide an
effective failover mechanism.
Branch-office accelerator
A CloudBridge VPX image can be installed on the server of your choice and deployed just like a CloudBridge
appliance. CloudBridge VPX has all the functionality of a CloudBridge appliance, and in addition has advantages
provided by virtualization. Group mode and high-availability modes are not supported.
Figure 1. VPX use case #1: Branch-office accelerator
If you add a virtual server to the simple branch-office accelerator configuration, you have an accelerated branch-
office server, as shown in the figure below. If you assign the virtual networks within the appliance hosting the
virtual machines so that the path to the WAN passes through the virtual CloudBridge, all WAN traffic is
accelerated automatically. For example, all web traffic, backups, remote applications, database queries, and
operations that require network-file-system access are accelerated.
The virtual environment allows you to add the desired functionality to the server unit, including the operating
system and features of your choice. This configuration accelerates all the WAN traffic from every system in the
branch office. You can even deploy multiple virtual servers on the same machine, consolidating your branch-
office rack down to a single unit running multiple virtual machines.
Figure 2. VPX use case #2: Accelerated branch-office server
Installing CloudBridge VPX VMs on every server in the data center creates a solution that scales perfectly as you
add server capacity, while minimizing the number of servers by adding acceleration to the servers themselves.
Once you have more than a few accelerated servers, the aggregate acceleration provided by multiple
CloudBridge VPX VMs exceeds anything that can be provided with a single appliance.
citrix.com 594
CloudBridge VPX accelerates all types of network applications, including XenApp, XenDesktop, Citrix
Merchandising Server, network file systems, databases, web servers, and more.
Figure 3. VPX use case #3: Accelerated Datacenter Servers
VPN accelerator
By installing the VPN of your choice with CloudBridge VPX, you have an accelerated VPN.
Note: Unlike other configurations, the VPN virtual machine is on the WAN side and the CloudBridge VPX virtual
appliance is on the LAN side, because the VPN traffic must be decrypted for compression and application acceleration.
Figure 4. VPX use case #4: VPN accelerator
By putting multiple CloudBridge VPX VMs on the same server, you can create different types or levels of
acceleration services within the same unit. One VPX instance might be dedicated to a critical application, or each
instance dedicated to an individual remote site or customer. Use VLAN switches to direct traffic to the
appropriate VPX instance.
Figure 5. VPX use case #5: Multiple Instances for Dedicated Acceleration Resources
In cases where an Ethernet bypass card would be desirable, using WCCP instead of inline mode provides effective
fault-tolerance, because WCCP has built-in health-checking. Instead of forwarding traffic through an unresponsive
WCCP device, the routers send the traffic directly to the end point.
Branch-office accelerator
citrix.com 595
CloudBridge VPX can be installed on the server of your choice and deployed just like any other CloudBridge
appliance. CloudBridge VPX has the same functionality as the CloudBridge appliance along with the additional
features provided by virtualization. The group mode and high-availability mode are not supported.
citrix.com 596
System Requirements and Provisioning
CloudBridge VPX runs on XenServer 5.5 or later, VMware vSphere ESX/ESXi 4.1 or later, Hyper-V under 64-bit
Windows Server 2008 R2 SP1, and Amazon AWS. CloudBridge VPX supports four configurations, from 2 to 8 GB of
RAM and 100 to 500 GB of disk space. The intermediate, 4 GB RAM/250 GB disk configuration is similar to the
Repeater 8500 series appliance.
Supported Configurations
The following tables list all supported CloudBridge VM configurations. (Amazon AWS configurations are preselected
and are somewhat different.)
Type vCPUs RAM Disk Maximum Maximum Accelerated Maximum
WAN Speed Connections CloudBridge Plug-ins
2 GB production 2 2 100 2 mbps 1,000 50
config. GB GB
4 GB production 2 4 250 10 mbps 10,000 250
config. GB GB
4 GB production 2 4 250 45 mbps 15,000 400
config.* GB GB
8 GB production 4 8 500 45 mbps 25,000 500
config. GB GB
* With 45mbps license
2 GB RAM
100 GB disk (local disks provide the best performance)
2 virtual NICs (Ethernet ports), except for Amazon AWS, which requires only one virtual NIC
2 virtual CPUs
A modern CPU (Intel Nehalem or newer or AMD Family 10h or newer, both of which were introduced
in 2008). Older CPUs may run at reduced performance due to the use of emulated x86 TSC
(timestamp counter) functionality. If clock states higher than C1 are not used and
SpeedStep/PowerNow modes are disabled in the BIOS of older processors, TSC emulation will not
be used and the system will run at normal speed.
The server hosting CloudBridge VPX must have RAM, CPU, and disk resources greater than those required by the
VPX VM. (VPX does not support VMware hardware over-commit.) Obviously, the server must have enough resources
to run the hypervisor as well as the virtual appliance. However, having as many physical Ethernet ports as virtual ones
is not mandatory if one of a CloudBridge VPX VM's Ethernet ports is connected to another virtual machine on the
same server. Possible Ethernet options include:
Mapping the CloudBridge VPX VM's two virtual ports to two physical ports, rendering its operation
equivalent to that of a stand-alone CloudBridge.
Mapping one of CloudBridge VPX VM's virtual ports to a physical port, and the other to a virtual
network containing one or more virtual machines on the same server, thus creating an accelerated
server.
Mapping each of CloudBridge VPX VM's virtual ports to a virtual network, thus chaining the
CloudBridge VPX VM between two sets of VMs on the same server.
The following figure shows a CloudBridge VPX VM in a one-arm deployment for traffic that terminates on another
virtual machine on the same server. Only one physical port is required in this case, but both virtual ports are
used.
Figure 1. Ethernet (Network) Port Assignments, One-Arm Operation
citrix.com 597
Maximum Usable Resources
Following are the maximum amount of resources that a single CloudBridge VPX virtual machine can use effectively
4 virtual CPUs
8 GB RAM
500 GB disk
4 virtual NICs
Server resources not allocated to CloudBridge VPX VMs are available to other VMs on the same server, but be
careful to avoid overcommitting resources.
As the amounts of RAM and disk space are increased, the additional resources are allocated primarily to the
compression subsystem. Increased memory also allows more connections and acceleration partners to be
supported.
The CloudBridge compression system makes heavy demands on the disk subsystem. In general, local disk
storage outperforms network disk storage and reduces resource contention on both the LAN and the network
disk.
The relationship between disk or memory resources and link speed is indirect. Memory and disk sizes have no
effect on the speed at which packets are sent over the link (bps). Providing more memory and disk space
improves compression performance by increasing the amount of compression history that can be used for
pattern matching.
Virtual NICs
Except for Amazon AWS, two virtual network interfaces are required. They are bridged and used for both
acceleration and the browser based user interface. These interfaces must be attached to different virtual
networks. Note that, for one-arm operation, the second interface can be a stub, attached only to a CloudBridge
VPX VM.
A third virtual network interface provides an independent interface to the CloudBridge VPX VM, which is the
equivalent to the Primary port on a physical appliance. It can be used for the browser based interface, but not for
acceleration.
Server resources beyond those allocated to CloudBridge VPX are available for other virtual machines
on the same server.
Resource usage by other VMs affects CloudBridge VPX performance, and vice versa. Acceleration
makes intensive use of CPU, memory, disk, and network.
Virtual network routing can be used to connect other VMs on the server to CloudBridge VPX VMs, but the simplest
method of connecting such VMs is to attach them to the server's LAN-side Ethernet port. WAN-bound packets then
pass through the CloudBridge VPX VM's bridge and are accelerated automatically, whether they originate inside or
outside the server hosting VPX.
Figure 2. An Inline Deployment that Accelerates External Traffic and Traffic from Local VMs
citrix.com 598
Installing CloudBridge Virtual Appliances on XenServer
To install Citrix CloudBridge virtual appliances on Citrix XenServer, you must first install XenServer on a machine with
adequate system resources. To perform the CloudBridge VPX installation, you use Citrix XenCenter, which must be installed
on a remote machine that can connect to the XenServer host through the network.
Before you begin installing a virtual appliance, do the following:
Install a supported version of XenServer on hardware that meets the minimum requirements. See the
CloudBridge release notes for the supported versions of XenServer.
Install XenCenter on a management workstation that meets the minimum system requirements.
Obtain VPX license files.
With the prerequisites met, you are ready to import the virtual appliances and configure them.
Important: Do not attach both virtual adapters to the same network . Doing so creates forwarding loops, which can
cause network outages. Also, do not attach the two physical Ethernet ports associated with CloudBridge VPX to the
same Ethernet switch.
12. Click Finish to complete the import process. To view the status of the import process, click the Log tab. The newly
created virtual machine appears under the server list in the XenCenter interface.
1.
citrix.com 599
1. In XenCenter, select the icon for the CloudBridge VPX virtual machine. Then, on the Storage tab, select Properties
and, in the Properties dialog box , adjust the disk allocation to the desired level.
Note:
Changing the disk allocation on the CloudBridge VPX virtual machine resizes and reinitializes the
compression history. Any accumulated history is lost.
Do not attempt to change resource allocation while CloudBridge VPX is running.
Do not use the Force Shutdown or Force Reboot commands. They might not work and can cause
problems. Use the Shutdown and Reboot commands instead.
Figure 1. Setting the disk allocation
2. Right-click the Branch Repeater VPX icon and select the Properties option. Under CPU and Memory, select the
number of VCPUs and the amount of VM memory corresponding to a supported configuration. See Supported
Configurations for more details.
Figure 2. Setting the virtual CPU and memory allocations
3. In the Branch Repeater VPX Properties dialog box, click Startup Options, and then select the Auto-start on server boot
check box. (The OS Boot Parameters are not used).
Figure 3. Setting the start-on-server-boot option
citrix.com 600
4. Set the basic network parameters. Depending on which release you are running, do one of the following:
a. For Release 6.0, after the virtual machine starts, go to the virtual machine console, log into the command-line
interpreter, and set the IP parameters for the accelerated bridge, using the following example as a guide:
Login: admin
Password: password
admin> set adapter apa -ip 172.16.0.213 -netmask 255.255.255.0
-gateway 172.16.0.1
admin> restart
b. For Release 6.1 or later, when a Repeater VPX virtual machine is started for the first time, it automatically runs
the Deployment Wizard. Follow the wizard to set the IP parameters.
5. After the CloudBridge VPX has restarted, log on to the browser-based UI (Default credentials: admin and password )
at the IP address that you assigned to apA
6. From the Command menu, select Quick Installation.
7. On the Quick Installation page, perform a quick installation as you would for a physical CloudBridge appliance.
8. Enable bridging by clicking the Enable Bridging link.
9. Check the network assignments in XenCenter to make sure that the two accelerated bridge ports are connected to
different networks, and then click OK.
Important: Connecting the two accelerated bridge ports to the same virtual or physical Ethernet segment creates
network loops, which can bring down your entire network. In such a case, shut down the CloudBridge VPX virtual
machine and fix the network assignments before proceeding.
10. Complete the configuration.
citrix.com 601
Installing CloudBridge Virtual Appliances on VMware ESX
Warning
Ensure that you enable the promiscuous mode on VM Network only. Do not enable the promiscuous mode on the
Virtual Switch setting.
Before installing Citrix Branch Repeater virtual appliances on VMware ESX, make sure that VMware ESX server is
installed on a machine with adequate system resources. To install virtual appliances on VMware ESX version 4.1 or
VMware ESXi version 4.0, or later, you use the VMware vSphere client. The client must be installed on a remote
machine that can connect to VMware ESX through the network. After the installation, you can use the vSphere client to
manage virtual appliances on either VMware ESX or VMware ESXi.
Before you begin installing a virtual appliance, do the following:
Install VMware ESX version 4.1 or ESXi 4, or later, on hardware that meets the minimum requirements.
Install the VMware vSphere client on a management workstation that meets the minimum system
requirements.
Download the CloudBridge VPX setup files.
Obtain CloudBridge VPX license files.
Also, before installing a CloudBridge VPX virtual appliance, label all the interfaces that you plan to assign to VPX virtual
appliances, in a unique format. In large deployments, labeling these interfaces in a unique format helps in quickly
identifying them among other interfaces used by other virtual machines, such as Windows and Linux virtual machines.
Such labeling is especially important when different types of virtual machines share the same interfaces.
CloudBridge VPX requires non-default networking options. Among other things, you will create two new virtual switches
(vswitch0 and vswitch1) for the accelerated bridge, which must be assigned to two different virtual switches.
1. Install VMware ESX 4.1 1 (or later) on the selected server and the vSphere client on a system from which you
can manage the server. You can download the software from http://downloads.VMware.com.
2. Configure the setting for the first virtual switch (vSwitch0)
Log on to the VMware ESX server by using the vSphere client.
On the vSphere client, select the Configuration tab, and then click Networking.
On virtual switch vswitch0, click Properties.
Figure 1. Configuring vSwitch0, continued
citrix.com 602
On the Properties page, select the VM Network and click Edit.
Figure 2. Configuring vSwitch0, continued
In the Properties dialog box, verify the changes, and then click Close.
Figure 4. Configuring vSwitch0, continued
citrix.com 603
3. Create the second virtual switch, label it, and configure settings for the new virtual switch (vswitch1).
Log on to the VMware ESX server by using the vSphere client.
In the vSphere client, on the Configuration tab, click Networking.
At the top-right corner, of the screen that appears, click Add Networking.
In the Add Network Wizard, for Connection Type, select Virtual Machine, and then click Next.
Select the Create a virtual switch check box .
Scroll through the list of vSwitch physical adapters, and choose the physical port that will map
to interface 1/1 on the virtual appliance.
Important: Do not select Use vSwitch0, or you will cause routing loops.
Click Next.
Figure 5. Creating vSwitch1, continued
citrix.com 604
Verify that all new and modified virtual switches are configured appropriately.
Label the new virtual switch as apA-1 by clicking on the connection settings and typing apA-1 in
Network Label text box.
Click Next, and click Finish.
Figure 7. Naming vSwitch1
Enable promiscuous mode on vSwitch1, following the same steps as for vSwitch0 in Step 2.
Figure 8. Enabling promiscuous mode on vSwitch1
4. Create the third virtual switch, vSwitch2, following the procedure in step 3, but attaching it to the port on the
WAN side of your network and naming it apA-2. Enable the promiscuous mode on vSwitch2, as you did on the
other ports.
5. Change the name of the virtual machine, if desired, and then click Next. Install the virtual machine.
Start the VMware vSphere client on your workstation.
citrix.com 605
5.
In the IP address / Name text box, type the IP address of the VMware ESX server that you
want to connect to.
In the User Name and Password text boxes, type the administrator credentials, and then click
Login.
On the File menu, click Deploy OVF Template.
In the Deploy OVF Template dialog box, in Deploy from file, browse to the location at which you
saved the CloudBridge VPX setup files, select the .ovf file, and click Next.
Change the name of the virtual machine, if desired, and then click Next.
Map the networks shown in the CPX OVF template to the networks that you configured on ESX
host : LAN-apA1 to apA-1, and WAN-apA2 to apA-2.
Note:
Always assign the two CloudBridge bridge ports (accelerated pair ports) to different virtual
and physical Ethernet segments.
If you assign both CloudBridge bridge (accelerated pair) ports to the same virtual or
physical Ethernet port or switch, you will cause network loops. These network loops can
make managing CloudBridge impossible and can bring down the entire Ethernet segment.
For example, you will cause network loops if you assign both CloudBridge ports to vmnic0.
The same thing happens if you assign the CloudBridge ports to different physical Ethernet
interfaces, but plug both Ethernet interfaces into the same physical switch.
Figure 9. Mapping network interfaces to CloudBridge VPX
Click Next to start installing VPX on VMware ESX. When installation is complete, a pop-up
window informs you of the successful installation.
6. You are now ready to start the CloudBridge VPX instance. In the navigation pane, right-click the instance that
you have just installed, and select Power On. Click the Console tab to emulate a console port.
7. Optionally, add a Primary Ethernet port.
In the navigation pane, right-click the CloudBridge VPX instance that you have just installed,
and select the Edit Settings option. On the Virtual Machine Properties page click Add.
In Add Hardware window, select Ethernet Adapter as the device type to add, and then click Next
.
Figure 10. Installing the Primary interface
citrix.com 606
Select VMXNET 3 as the adapter type, and select VM Network as the network label.
Click Finish, and then click OK.
If desired, change the memory and hard disk parameters assigned to the CloudBridge VPX
virtual machine to match one of the supported, nondefault configurations listed in REF
RTF39313235393a204669677572 \h \* MERGEFORMAT <Section xref> .
Figure 11. Adjusting memory and disk allocation
8. If you are running Branch Repeater VPX release 6.0, deploy the virtual appliance as follows:
At the logon prompt (in the console window), log on with default credentials: admin as the user
name and password as the password.
Use the set adapter apa command to set the accelerated bridge (apA) IP parameters. For
example: set adapter apa -ip 172.16.0.213 -gateway 172.16.0.1 -netmask
255.255.255.0
If you want a Primary port, use the set adapter primary command to set its IP parameters This
IP address must be different from the one assigned to apA. . For example: set adapter
primary -ip 172.16.1.222 -gateway 172.16.1.1 -netmask 255.255.255.0
Note: In systems with a Primary port, do not specify -gateway on both the Primary and apA
ports. Choose one or the other.
Restart the virtual machine to put the parameters into effect. Type: restart.
9. If you are running CloudBridge VPX release 6.1 or later, the CloudBridge VPX virtual machine automatically
runs the Deployment Wizard when started for the first time. Follow the instructions and prompts that appear on
the screen.
10. Continue configuration from the web UI, using the URL of either apA or the Primary port. For example (your
address may vary): https://172.16.0.213
11. On the Quick Installation page, perform a quick installation, as you would for a physical CloudBridge appliance.
12. Enable bridging by clicking the Enable Bridging link.
13.
citrix.com 607
13. Check the network assignments in XenCenter to make sure that the two network devices are connected to
different Networks, and then click OK.
Important: Connecting two accelerated bridge ports to the same virtual or physical Ethernet segment creates
network loops, which can bring down your entire network. In such a case, shut down the CloudBridge VPX
virtual machine and fix the network assignments before proceeding.
14. Complete the configuration as you would with any CloudBridge installation.
VLAN Support
CloudBridge VPX accelerates VLAN traffic automatically, without special configuration, and is thus compatible with
VLAN trunking. To use VLAN trunking in a VPX deployment, the VMware server must have VLAN trunking enabled on
the two apA bridge ports (apA.1 and apA.2), whose VLAN IDs must be set to "All(4095)."
citrix.com 608
Larger Disks
To support the 500 GB CloudBridge VPX configurations, the datastore must be configured to support a maximum file
size of 512 GB or more. This requires that the datastore have a block size of 2 MB or greater.
In the Add Storage window, select the 512 GB, Block size: 2MB as the Maximum File
size. Click Next.
Figure 15. Setting the datastore block size
citrix.com 609
4. Create a 500 GB virtual disk.
In the Virtual Machine Properties, on the Hardware tab, click Hard disk 1.
Set the Provisioned Size value to 500 GB. Click OK.
Figure 16. Creating a 500 GB virtual disk
ps | grep Xorg
5. Kill the Xorg process. For example, if the PID of Xorg is 582, type:
kill 582
6. After you kill the Xorg process, the message Press <return> to reboot appears. Do not reboot, instead,
press Ctrl+Alt+F3 to go to another console and continue working without rebooting.
7. Type:
cd /usr/lib/vmware/weasel
8. Edit fsset.py (these instructions assume familiarity with vi). Type:
citrix.com 610
8.
vi fsset.py
9. Search for class vmfs3FileSystem(FileSystemType):
10. Edit the blockSizeMB parameter to 2 (default value is 1)
11. Save the file and exit vi.
12. Go to the root directory and run weasel. Type:
cd /
/bin/weasel
13. Proceed with the normal installation process.
14. Create a 500 GB virtual disk.
In the Virtual Machine Properties, on the Hardware tab, click Hard disk 1.
Set the Provisioned Size value as 500 GB, and then click OK.
Hostname
Primary adapter network settings
Primary DNS configuration
1. Start with a CloudBridge VPX virtual machine that has been configured to include the Primary
port as well as apA.
2. Verify that the Ethernet port configuration matches that shown in the following figure.
Figure 17. Verify Ethernet port assignments
citrix.com 611
4. Deploy a new virtual machine from the template.
In the vSphere Client, right-click the Branch Repeater VPX instance and select
Deploy Virtual Machine from this Template.
Figure 19. Deploying the new virtual machine
On the Deploy Template screens, name the new VPX virtual machine, select
Thick Format for virtual disks, and select Customize using the Customization
Wizard .
In the Customization Wizard, enter a host name and a dummy domain name for
the new VPX virtual machine.
Figure 20. Customization wizard
The value on the Time Zone screen is ignored by CloudBridge. Accept the default
and go on to the next screen.
On the Network screen, select Custom Settings if you need to change the Primary
port IP address from the one in the template. You then assign this address (plus a
subnet mask and default gateway) to NIC3. Do not change NIC1 or NIC2.
On the DNS and Domain Settings screen, enter the DNS address used by
CloudBridge VPX in the Primary DNS field. Leave the Secondary DNS and
Tertiary DNS paths blank. Add a dummy domain such as test.com as the DNS
Search Path.
Figure 21. Setting the DNS server
citrix.com 612
Click Next, and then click Finish to exit the Guest Customization Wizard.
In the Deploy Template Wizard, clear the Power on the virtual machine after
creation check box.
Double check network assignments before powering up the virtual machine.
Note: Attaching both apA ports to the same virtual or real switch causes network
loops.
5. Start the virtual machine and continue CloudBridge configuration.
citrix.com 613
Installing CloudBridge Appliances on the Microsoft Hyper-V Platform
To install Citrix CloudBridge virtual appliances on Microsoft Windows Server, you must first install Windows Server, with the
Hyper-V role enabled, on a machine with adequate system resources. While installing the Hyper-V role, be sure to specify the
network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs
for the host. Use Hyper-V Manager to perform the CloudBridge VPX installation.
CloudBridge VPX for Hyper-V is delivered in virtual hard disk (VHD) format. It includes the default configuration for
elements such as CPU, network interfaces, and hard-disk size and format. After you install a CloudBridge VPX
instance, you can configure its network adapters, add virtual NICs, assign the CloudBridge IP address, subnet mask,
and gateway, and complete the basic configuration of the virtual appliance.
For more information about Windows Server 2008 R2 system requirements, see http://www.microsoft.
com/windowsserver2008/en/us/system-requirements.aspx(the exact location is subject to change by
Microsoft at any time).
For information about installing Microsoft Server 2008 R2, see http://technet.microsoft.com/en-
us/library/dd379511(WS.10).aspx(the exact location is subject to change by Microsoft at any time).
Enable the Hyper-V role on Windows Server 2008 R2 or 2012. For more information, see http://technet.
microsoft.com/en-us/library/ee344837(WS.10).aspx(the exact location is subject to change by Microsoft at
any time).
Download the VPX setup files. If you do not have a My Citrix account, access the home page at http://www.
mycitrix.com, click the New Users link, and follow the instructions to create a new My Citrix account.
1. Log on to the Windows Server as an Administrator, either at a keyboard or VGA console, or through a NIC that
you plan to use for managing the virtual appliance (not at one of the ports that you will use for the accelerated
bridge).
2. To start Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager
3. In the navigation pane, under Hyper-V Manager, select the server on which you want to install CloudBridge
VPX.
4. On the Actions menu, click Virtual Network Manager
5. In the Virtual Network Manager window, in the navigation pane, under Virtual Networks, click New virtual
network.
6. Choose External as type of virtual network, and then click Add.
7. Name the new virtual network as apA Network 1 and select the physical NIC to map it to.
8. Click OK to apply the changes.
citrix.com 614
9. The Apply Networking Changes popup displays a caution indicating that pending changes might disrupt
network connectivity. Click Yes.
10. Repeat steps 5 to 9 for the second accelerated bridge port, but name it as apA Network 2 and connect it to a
different physical port.
11. Click Apply to apply the networking changes.
See also
citrix.com 615
Installing CloudBridge VPX on Microsoft Server 2008 R2
10. In the Network drop down menu, select apA Network 1 . This is the LAN interface for apA1.
11. Make sure the Enable spoofing of the MAC addresses box is selected. If it is not, select it and apply the
changes.
12. In the Settings window's navigation pane, under Hardware, select the second network adapter in the list.
Repeat the step 10 and step 11, and assign the adapter to apA Network 2. This is the WAN interface for apA2.
Important: Do not configure the same Network for both the network adapters. Incorrect configuration creates
packet loops, which can bring down the network.
13. Optionally, change the virtual hard disk size:
In the Settings window navigation pane, under IDE Controller 0, select Hard Drive.
Click Edit.
Follow the steps in the Edit Virtual Hard Disk Wizard to increase the allocation to one of the
supported sizes, using the Expand option in the wizard.
Figure 2. Configuring disk and RAM allocation
citrix.com 616
14. Optionally, change the memory size.
In the Settings window's navigation pane, under Hardware, select Memory.
Allocate the RAM space by adjusting the memory to one of the supported sizes.
Click OK.
15. Optionally, define the management port.
Right-click the virtual machine, and then click Settings.
In the Settings window navigation pane, under Hardware, select Add Hardware.
Select Network Adapter from the list of devices, and then click Add.
Name the new virtual network as Primary Network 3.
Make sure the Enable spoofing of MAC addresses check box is selected.
Click OK to apply the changes.
16. Right-click the Branch Repeater VPX virtual machine and select Connect.
17. In the file menu, click Action, and then click Start to start the virtual machine.
Figure 3. Starting the VPX virtual machine
18. When a CloudBridge VPX virtual machine is started for the first time, it automatically starts the Deployment
Wizard. This wizard asks questions about the deployment mode: Inline, WCCP, or PBR (virtual inline), or
Setup Using Web UI. Select Setup Using Web UI. On the next screen, enter the IP, netmask, and gateway for
the apA interface, and click Finish.
19. After CloudBridge VPX has restarted, log on to the browser based UI ((user name: admin, password:
password) at the IP address that you assigned to apA, for example:
https://172.16.0.213
Additional Configuration
citrix.com 617
For additional configuration instructions, see the documentation for physical CloudBridge appliances.
citrix.com 618
Installing CloudBridge VPX on the Microsoft Server 2012
https://172.16.0.213
Additional Configuration
For additional configuration instructions, see the documentation for physical CloudBridge appliances.
citrix.com 619
Installing the CloudBridge Virtual Appliances on Amazon AWS
The CloudBridge VPX for Amazon AWS brings acceleration to the Amazon cloud.
Note: At the time of the 7.1.0 software release, the newest supported release of CloudBridge VPX for Amazon AWS is 7.0.1.
Use this version in conjunction with release 7.1.0 on other appliances.
Five variations are supported, four of which have hardwired licensing, and one of which uses ordinary CloudBridge licensing:
2 Mbps
10 Mbps
20 Mbps
45 Mbps
Bring your own license, which uses a standard Citrix license to determined the licensed bandwidth.
Besides the hardwired licensing, the major difference between CloudBridge VPX for Amazon AWS is that it supports
only a single port for both management and acceleration. This means that the appliance cannot be used in inline mode.
To create a CloudBridge VPX on Amazon AWS, you go through the same process as with creating any other instance,
setting a few instance parameters to non-default settings.
4. Click EC2 in the Compute & Networking section, then click Launch Instance.
5. In the Create a New Instance dialog box, select AWS Marketplace, and then click Continue to open the
Request Instance Wizard.
6. In the Request Instance Wizard dialog box, click AWS Marketplace tab.
7. In the Search text field, type CloudBridge to search for the CloudBridge AMI, and click Search.
citrix.com 620
On the search result page, select one of the Citrix CloudBridge offeringsOn the Citrix CloudBridge
page, click Continue.
8. On the Launch with EC2 Console tab, click the Accept Terms button, if present, then click Launch with
EC2 Console for the region where you want to launch Citrix CloudBridge AMI.
9. On the Request Instance Wizard page, type 1 in the Number of Instances text box, and from the
Instance Type drop-down list, select Large (m1.large, 7.5GIB).
10. From the Subnet drop-down list, select the private network subnet, and then click Continue.
11. On the next page, in the Advanced Instance Options section, you can change values from their defaults
if you choose, and then click Continue.
Note: CloudBridge AMI is not supported with more than one network interface. Therefore, the value of
Number of Network Interfaces field is set to 1.
citrix.com 621
12. On the Request Instances Wizard page, enter a name for the EC2 instance in the Value text box, and
then click Continue.
On the Request Instances Wizard page, select one of the three Kay Pair options and then click
Continue.
13. Verify the EC2 instance configuration details, and then click Launch to launch the EC2 instance.
14. Click Close to close the Launch Instance Wizard dialog box. The new EC2 instance is launched
successfully.
citrix.com 622
Disabling the Source/Destination Check Feature
You must disable the Source/Destination check feature of CloudBridge AMI instance for it to work properly on AWS.
1. On the Amazon EC2 Console Dashboard page, in the navigation pane, click instances. The new EC2 instance
should appear in the My Instances list.
2. Select the new EC2 instance. The instance details appear in the EC2 Instances pane.
3. Right-click the new EC2 instance and then select Change Source/Dest Check from the popup menu.
4. In the Change Source / Dest. Check dialog box, click Yes, Disable to disable the feature.
citrix.com 623
Configuring SNMP Monitoring on the CloudBridge AMI on AWS
You must enable SNMP monitoring on the CloudBridge AMI on AWS. Also, you must grant SNMP monitoring access to
the paired NetScaler VPX or CloudBridge Connector on AWS by adding its NSIP on the CloudBridge AMI instance.
5. Click Add.
citrix.com 624
Limitations and Usage Guidelines for CloudBridge AMI Instances on AWS
High Availability setup for CloudBridge AMI instances is not supported.
CloudBridge AMI instance in Group Mode is not supported.
CloudBridge plug-ins are not supported.
Tagged VLAN is not supported because of the inherent limitation of AWS.
Traffic shaping is not supported.
You may create only an m1.large CloudBridge AMI instance on AWS.
IP address/gateway/subnet assignment using the CloudBridge management user interface is not supported.
Console access is not available for CloudBridge AMI instance on AWS.
While configuring the CloudBridge instance, you may not change the disk size, which has a default value of
250 GB. A higher capacity disk does not increase the available Disk Based Compression (DBC) cache size.
citrix.com 625
Supported Modes
Table 1. Features Table for Citrix CloudBridge VPX, and Citrix CloudBridge VPX for Amazon
Citrix CloudBridge VPX Citrix CloudBridge VPX for Amazon
AutoConfiguration N N
CloudBridge Plug-In Y N
Compression Y Y
RPC over HTTPS Y Y
SSL Compression Y Y
TCP Acceleration Y Y
Traffic Shaping Y N
Video Caching N N
Windows File System Y Y
Acceleration
Windows Outlook Acceleration Y Y
XenApp/ XenDesktop Y Y
Acceleration
Group Mode Mode N N
High Availability N N
Inline Mode Y Y**
Virtual Inline Mode Y N
WCCP Mode Y N
VLANs Y/Y/N*** N
***The three values are for is for XenServer, VMware, and Hyper-V, respectively. In columns showing only one value,
the value applies to all three hypervisors.
citrix.com 626
The CloudBridge Plug-in
The CloudBridge Plug-in is a software based network accelerator that runs on Windows laptops and workstations,
providing acceleration anywhere, not just at offices with CloudBridge appliances. It connects to a Citrix CloudBridge
appliance at the other end of the link.
The principles of CloudBridge Plug-in operation are generally the same as those of a CloudBridge appliance. For topics
not included in the plug-in documentation, see the larger documentation set.
The plug-in is distributed as a standard Microsoft installation file (MSI). Plug-in deployment requires some plug-in
specific configuration of the CloudBridge appliances at the other ends of the links. If you customize the MSI file with the
DNS or IP addresses of the CloudBridge appliances, and a few other parameters, your users do not have to enter any
configuration information when installing the plug-in on their Windows computers.
Figure 1. Typical CloudBridge Network Showing the CloudBridge Plug-in
Note: The plug-in is supported by Citrix Receiver 1.2 or later, and can be distributed and managed by Citrix Receiver.
citrix.com 627
Hardware and Software Requirements
On the client side of the accelerated link, the CloudBridge Plug-in On the client side of the accelerated link, the CloudBridge
Plug-in is supported on Windows desktop and laptop systems, but not on netbooks or thin clients. Citrix recommends the
following minimum hardware specifications for the computer running the CloudBridge Plug-in:
Windows XP Home
Windows XP Professional
Windows Vista (all 32-bit versions of Home Basic, Home Premium, Business, Enterprise, and Ultimate)
Windows 7 (all 32-bit and 64-bit versions of Home Basic, Home Premium, Professional, Enterprise, and
Ultimate)
Windows 8 (32-bit and 64-bit versions of Enterprise Edition)
On the server side, the following appliances currently support CloudBridge Plug-in deployments:
citrix.com 628
How the CloudBridge Plug-in Works
CloudBridge products use your existing WAN/VPN infrastructure. A computer on which the plug-in is installed continues
to access the LAN, WAN, and Internet as it did before installation of the plug-in. No changes are required to your routing
tables, network settings, client applications, or server applications.
Best Practice: Use transparent mode when you can, and redirector mode when you must.
citrix.com 629
Transparent Mode
In transparent mode, the packets for accelerated connections must pass through the target appliance, much as they do
in appliance-to-appliance acceleration.
The plug-in is configured with a list of appliances available for acceleration. It attempts to contact each appliance,
opening a signaling connection. If the signaling connection is successful, the plug-in downloads the acceleration rules
from the appliance, which sends the destination addresses for connections that the appliance can accelerate.
Figure 1. Transparent Mode, Highlighting Three Acceleration Paths
Note:
Traffic flow--Transparent mode accelerates connections between a CloudBridge Plug-in and a plug-in-
enabled appliance.
Licensing--Appliances need a license to support the desired number of plug-ins. In the diagram, Repeater
A2 does not need to be licensed for plug-in acceleration, because Repeater A1 provides the plug-in
acceleration for site A.
Daisy-chaining--If the connection passes through multiple appliances on the way to the target appliance, the
appliances in the middle must have "daisy-chaining" enabled, or acceleration is blocked. In the diagram,
traffic from home-office and mobile VPN users that is destined for Large Branch Office B is accelerated by
Repeater B. For this to work, Repeaters A1 and A2 must have daisy-chaining enabled.
Whenever the plug-in opens a new connection, it consults the acceleration rules. If the destination address matches any
of the rules, the plug-in attempts to accelerate the connection by attaching acceleration options to the initial packet in
the connection (the SYN packet). If any appliance known to the plug-in attaches acceleration options to the SYN-ACK
response packet, an accelerated connection is established with that appliance.
The application and server are unaware that the accelerated connection has been established. Only the plug-in
software and the appliance know that acceleration is taking place.
Transparent mode resembles appliance-to-appliance acceleration but is not identical to it. The differences are:
Transparent mode is often used with VPNs. The CloudBridge Plug-in is compatible with most IPSec and PPTP VPNs,
and with Citrix Access Gateway VPNs.
citrix.com 630
The following figure shows packet flow in transparent mode. This packet flow is almost identical to appliance-to-
appliance acceleration, except that the decision of whether or not to attempt to accelerate the connection is based on
acceleration rules downloaded over the signaling connection.
Figure 2. Packet flow in transparent mode
citrix.com 631
Redirector Mode
Redirector mode works differently from transparent mode in the following ways:
The CloudBridge Plug-in software redirects the packets by addressing them explicitly to the appliance.
Therefore, the redirector-mode appliance does not have to intercept all of the WAN-link traffic. Because
accelerated connections are addressed to it directly, it can be placed anywhere, as long as it can be
reached by both the plug-in and the server.
The appliance performs its optimizations, then redirects the output packets to the server, replacing the
source IP address in the packets with its own address. From the server's point of view, the connection
originates at the appliance.
Return traffic from the server is addressed to the appliance, which performs optimizations in the return
direction and forwards the output packets to the plug-in.
The destination port numbers are not changed, so network monitoring applications can still classify the traffic.
The below figure shows the packet flow and address mapping in redirector mode.
Figure 2. Packet Flow in Redirector Mode
citrix.com 632
citrix.com 633
How the Plug-in Selects an Appliance
Each plug-in is configured with a list of appliances that it can contact to request an accelerated connection.
The appliances each have a list of acceleration rules, which is a list of target addresses or ports to which the appliance
can establish accelerated connections. The plug-in downloads these rules from the appliances and matches the
destination address and port of each connection with each appliance's rule set. If only one appliance offers to accelerate
a given connection, selection is easy. If more than one appliance offers to accelerate the connection, the plug-in must
choose one of the appliances.
The rules for appliance selection are as follows:
If all the appliances offering to accelerate the connection are redirector-mode appliances, the leftmost
appliance in the plug-in's appliance list is selected. (If the appliances were specified as DNS addresses, and
the DNS record has multiple IP addresses, these too are scanned from left to right.)
If some of the appliances offering to accelerate the connection use redirector mode and some use
transparent mode, the transparent-mode appliances are ignored and the selection is made from the
redirector-mode appliances.
If all of the appliances offering to accelerate the connection use transparent mode, the plug-in does not
select a specific appliance. It initiates the connection with CloudBridge SYN options, and whichever
candidate appliance attaches appropriate options to the returning SYN-ACK packet is used. This allows the
appliance that is actually in line with the traffic to identify itself to the plug-in. The plug-in must have an open
signaling connection with the responding appliance, however, or acceleration does not take place.
Some configuration information is considered to be global. This configuration information is taken from the
leftmost appliance in the list for which a signaling connection can be opened.
citrix.com 634
Deploying Appliances for Use with Plug-ins
Client acceleration requires special configuration on the CloudBridge appliance. Other considerations include appliance
placement. Plug-ins are typically deployed for VPN connections.
In addition, a single appliance can serve as an endpoint for plug-in acceleration or as an endpoint for site-to-site
acceleration, but cannot serve both purposes for the same connection at the same time. Therefore, when you use an
appliance for both plug-in acceleration for your VPN and for site-to-site acceleration to a remote data center, plug-in
users do not receive site-to-site acceleration. The seriousness of this problem depends on how much of the data used
by plug-in users comes from remote sites.
Finally, because a dedicated appliance's resources are not divided between plug-in and site-to-site demands, they
provide more resources and thus higher performance to each plug-in user.
However, appliances can use any deployment mode, except group mode or high availability mode. These modes are
suitable for both appliance-to-appliance and client-to-appliance acceleration. They can be used alone (transparent mode
) or in combination with redirector mode.
Put the appliance in the same address space as the servers, so that whatever address modifications are
used to reach the servers are also applied to the appliance.
Never access the appliance by using an address that the appliance does not associate with itself.
The appliance must be able to access the servers by using the same IP addresses at which plug-in users
access the same servers.
In short, do not apply NAT to the addresses of servers or appliances.
VPN accelerator - If the appliance is being used as a VPN accelerator, with all VPN traffic passing through
the appliance, all TCP traffic should be accelerated, regardless of destination.
Redirector mode - Unlike with transparent mode, an appliance in redirector mode is an explicit proxy,
causing the plug-in to forward its traffic to the redirector-mode appliance even when doing so is not
citrix.com 635
desirable. Acceleration can be counterproductive if the client forwards traffic to an appliance that is distant
from the server, especially if this "triangle route" introduces a slow or unreliable link. Therefore, Citrix
recommends that acceleration rules be configured to allow a given appliance to accelerate its own site only.
Other uses - When the plug-in is used neither as a VPN accelerator nor in redirector mode, the acceleration
rules should include addresses that are remote to the users and local to datacenters.
Defining the Rules- Define acceleration rules on appliance, on the Configuration: CloudBridge Plug-in:
Acceleration Rules tab.
Rules are evaluated in order, and the action (Accelerate or Exclude) is taken from the first matching rule. For a
connection to be accelerated, it must match an Accelerate rule.
IP Port Usage
Use the following guidelines for IP port usage:
Ports used for communication with CloudBridge Plug-in--The plug-in maintains a dialog with the
appliance over a signaling connection, which by default is on port 443 (HTTPS), which is allowed through
most firewalls.
Ports used for communication with servers--Communication between the CloudBridge Plug-in and the
appliance uses the same ports that the client would use for communication with the server if the plug-in and
appliance were not present. That is, when a client opens an HTTP connection on port 80, it connects to the
appliance on port 80. The appliance in turn contacts the server on port 80.
In redirector mode, only the well-known port (that is, the destination port on the TCP SYN packet) is
preserved. The ephemeral port is not preserved. In transparent mode, both ports are preserved.
The appliance assumes that it can communicate with the server on any port requested by the client,
and the client assumes that it can communicate with the appliance on any desired port. This works well
if appliance is subject to the same firewall rules as the servers. When such is the case, any connection
that would succeed in a direct connection succeeds in an accelerated connection.
citrix.com 636
Your firewall must not block TCP options in the range of 24-31 (decimal), or acceleration cannot take place. Most
firewalls do not block these options. However, a Cisco PIX or ASA firewall with release 7.x firmware might do so by
default, and therefore you might have to adjust its configuration.
citrix.com 637
Customizing the Plug-in MSI File
You can change parameters in the CloudBridge Plug-in distribution file, which is in the standard Microsoft Installer (MSI)
format. Customization requires the use of an MSI editor.
Note: The altered parameters in your edited. MSI file apply only to new installations. When existing plug-in users update to a
new release, their existing settings are retained. Therefore, after changing the parameters, you should advise your users to
uninstall the old version before installing the new one.
Best Practices: Create a DNS entry that resolves to the nearest plug-in-enabled appliance. For example, define "Repeater.
mycompany.com" and have it resolve to your appliance, if you have only one appliance. Or, if you have, say, five appliances,
have Repeater.mycompany.com resolve to one of your five appliances, with the appliance selected on the basis of closeness
to the client or to the VPN unit. For example, a client using an address associated with a particular VPN should see Repeater.
mycompany.com resolve to the IP address of the CloudBridge appliance connected to that VPN . Build this address into your
plug-in binary with an MSI editor, such as Orca. When you add, move, or remove appliances, changing this single DNS
definition on your DNS server updates the appliance list on your plug-ins automatically.
You can also have the DNS entry resolve to multiple appliances, but this is undesirable unless all appliances are
configured identically, because the plug-in takes some of it characteristics from the leftmost appliance in the list and
applies them globally (including SSL compression characteristics). This can lead to undesirable and confusing results,
especially if the DNS server rotates the order of IP addresses for each request.
There are many MSI editors, including Orca, which is part of Microsoft's free Platform SDK and can be downloaded from
Microsoft.
1. Download the PSDK-x86.exe version of the SDK and execute it. Follow the installation instructions.
2. Once the SDK is installed, the Orca editor must be installed. It will be under Microsoft Platform
SDK\Bin\Orca.Msi. Launch Orca.msi to install the actual Orca editor (orca.exe).
3. Running Orca--Microsoft provides its Orca documentation online. The following information describes how to
edit the most important CloudBridge Plug-in parameters.
4. Launch Orca with Start > All Programs > Orca. When a blank Orca window appears, open the CloudBridge
Plug-in MSI file with File > Open.
Figure 1. Using Orca
5. On the Tables menu, click Property. A list of all the editable properties of the .MSI file appears. Edit the
parameters shown in the following table. To edit a parameter, double-click on its value, type the new value, and
press Enter.
Parameter Description Default Comments
WSAPPLIANCES List of appliances None Enter the IP or DNS addresses of your CloudBridge
appliances here, in a comma-separated list in the form
of { appliance1, appliance2, appliance3 } . If the port
used for signaling connections is different from the
default (443), specify the port in the form Appliance1:
port_number .
DBCMINSIZE Minimum amount 250 Changing this to a larger value (for example, 2000)
of disk space to improves compression performance but prevents
use for installation if there is not enough disk space. The plug-in
compression, in will not install unless there is at least 100 MB of free disk
megabytes space in addition to the value that you specify for
DBCMINSIZE.
citrix.com 638
PRIVATEKEYPEM Private key for None Use Orca's Paste Cell command. The normal Paste
the plug-in. Part function does not preserve the key's format. Should be a
of the private key in PEM format (starting with -----BEGIN
certificate/key RSA PRIVATE KEY----- )
pair used with
SSL compression
X509CERTPEM Certificate for the None Use Orca's Paste Cell command. The normal Paste
plug-in. Part of function does not preserve the key's format. Should be a
the certificate/key certificate in PEM format (starting with -----BEGIN
pair used with CERTIFICATE ----- )
SSL compression
CACERTPEM Certification None Use Orca's Paste Cell command. The normal Paste
Authority function does not preserve the key's format. Should be a
Certificate for the certificate in PEM format (starting with -----BEGIN
plug-in. Used with CERTIFICATE ----- )
SSL compression
Figure 2. Editing Parameters in Orca
6. When done, use the File: Save As command to save your edited file with a new filename; for example, test.
msi.
Once you have customized the appliance list with Orca and distributed the customized MSI file to your users, the user
does not need to type in any configuration information when installing the software.
citrix.com 639
Deploying Plug-ins On Windows Systems
The CloudBridge Plug-in is an executable Microsoft installer (MSI) file that you download and install as with any other web-
distributed program. Obtain this file from the MyCitrix section of the Citrix.com website.
Note: The CloudBridge Plug-in user interface refers to itself as "Citrix Acceleration Plug-in Manager."
The only user configuration needed by the plug-in is the list of appliance addresses. This list can consist of a comma-
separated list of IP or DNS address. The two forms can be mixed. You can customize the distribution file so that the list
points to your appliance by default. Once installed, operation is transparent. Traffic to accelerated subnets is sent
through an appropriate appliance, and all other traffic is sent directly to the server. The user application is unaware that
any of this is happening.
citrix.com 640
Installation
To install CloudBridge Plug-in accelerator on Windows system:
1. The Repeater*.msi file is an installation file. Close all applications and any windows that might be open, and then
launch the installer it in the usual way (double-click on in a file window, or use the run command).
Figure 1. Initial Installation Screen
Note: The steps below are for an interactive installation. A silent installation can be performed with the command:
2. The installation program prompts for the location in which to install the software. The directory that you specify is used
for both the client software and the disk-based compression history. Together, they require a minimum of 500 MB of
disk space.
3. When the installer finishes, it might ask you to restart the system. After a restart, the CloudBridge Plug-in starts
automatically.
Figure 2. Final Installation Screen
4. Right-click the Accelerator icon in the task bar and select Manage Acceleration to launch the Citrix Plug-in Accelerator
Manager.
Figure 3. Citrix Accelerator Plug in Manager, Initial (Basic) Display
5. If the .MSI file has not been customized for your users, specify the signaling address and the amount of disk space to
use for compression:
citrix.com 641
In the Appliances: Signaling Addresses field, type the signaling IP address of your appliance. If you
have more than one Plug-in-enabled appliance, list them all, separated by commas. Either IP or DNS
addresses are acceptable.
Using the Data Cache slider, select the amount of disk space to use for compression. More is better.
7.5 GB is not too much, if you have that much disk space available.
Press the Apply.
The CloudBridge Plug-in accelerator is now running. All future connections to accelerated subnets will be accelerated
On the plug-in's Advanced.. Rules tab, the Acceleration Rules list should show each appliance as Connected and
each appliance's accelerated subnets as Accelerated. If not, check the Signaling Addresses IP field and your network
connectivity in general.
citrix.com 642
Troubleshooting Plug-ins
Plug-in installation generally goes smoothly. If not, check for the following issues:
Common problems
If you do not reboot the system, the CloudBridge Plug-in will not run properly.
A highly fragmented disk can result in poor compression performance.
A failure of acceleration (no accelerated connections listed on the Diagnostics tab) usually indicates that
something is preventing communication with the appliance. Check the Configuration: Acceleration Rules
listing on the plug-in to make sure that the appliance is being contacted successfully and that the target
address is included in one of the acceleration rules. Typical causes of connection failures are:
The appliance is not running, or acceleration has been disabled.
A firewall is stripping CloudBridge TCP options at some point between the plug-in and appliance.
The plug-in is using an unsupported VPN.
notepad oem13.inf
6. Delete everything except the three lines at the top that start with semicolons, and then save the file. This will clear out
any inappropriate or obsolete settings and the next installation will use default values.
7. Retry the installation.
1. Make sure the plug-in installation file has been copied to your local system.
2. Disconnect any active VPN/remote networking clients.
3. Disable any firewall and antivirus software temporarily.
4. If some of this is difficult, do what you can.
5. Reinstall the CloudBridge Plug-in.
6. If this doesn't work, reboot the system and try again.
citrix.com 643
CloudBridge Plug-in GUI Commands
The CloudBridge Plug-in GUI appears when you right-click the Citrix Accelerator Plug-in icon and select Manage
Acceleration. The GUI's Basic display appears first. There is also an Advanced display that can be used if desired.
citrix.com 644
Basic Display
On the Basic page, you can set two parameters:
The Signaling Addresses field specifies the IP address of each appliance that the plug-in can connect to.
Citrix recommends listing only one appliance, but you can create a comma-separated list. This is an ordered
list, with the leftmost appliances having precedence over the others. Acceleration is attempted with the
leftmost appliance for which a signaling connection can be established. You can use both DNS addresses
and IP addresses.
citrix.com 645
Advanced Display
The Advanced page contains four tabs: Rules, Connections, Diagnostics, and Certificates.
Figure 1. Citrix Accelerator Manager, Advanced Display
At the bottom of the display are buttons to enable acceleration, disable acceleration, and return to the Basic page.
Rules Tab
The Rules tab displays an abbreviated list of the acceleration rules downloaded from the appliances. Each list item
shows the appliance's signaling address and port, acceleration mode (redirector or transparent), and connection state,
followed by a summary of the appliance's rules.
Connections Tab
The Connections tab lists the number of open connections of different types:
Accelerated Connections--The number of open connections between the CloudBridge Plug-in and
appliances. This number includes one signaling connection per appliance but does not include accelerated
CIFS connections. Clicking More opens a window with a brief summary of each connection. (All of the More
buttons allow you to copy the information in the window to the clipboard, should you want to share it with
Support.)
Accelerated CIFS Connections--The number of open, accelerated connections with CIFS (Windows file
system) servers. This is usually the same as the number of mounted network file systems. Clicking More
displays the same information as with accelerated connections, plus a status field that reports Active if the
CIFS connection is running with CloudBridge's special CIFS optimizations.
Accelerated MAPI Connections--The number of open, accelerated Outlook/Exchange connections.
Accelerated ICA connections--The number of open, accelerated XenApp and XenDesktop connections
using the ICA or CGP protocols.
Unaccelerated Connections--Open connections that are not being accelerated. You can click More to
display a brief description of why the connection was not accelerated. Typically, the reason is that no
appliance accelerates the destination address, which is reported as Service policy rule .
Opening/Closing Connections--Connections that are not fully open, but are in the process of opening or
closing (TCP "half-open" or "half-closed" connections). The More button displays some additional
information about these connections.
Diagnostics Tab
The Diagnostics page reports the number of connections in different categories, and other useful information.
Start Tracing/Stop Tracing--If you report a problem, your Citrix representative might ask you to perform a
connection trace to help pinpoint problems. This button starts and stops the trace. When you stop tracing, a
pop-up window shows the trace files. Send them to your Citrix representative by the means he or she
recommends.
Clear History--This feature should not be used.
Clear Statistics--Pressing this button clears the statistics on the Performance tab.
Console--A scrollable window with recent status messages, mostly connection-open and connection-close
messages, but also error and miscellaneous status messages.
citrix.com 646
Figure 2. Citrix Accelerator Manager, Advanced.. Diagnostics Tab
Certificates Tab
On the Certificates tab, you can install security credentials for the optional secure peering feature. The purpose of these
security credentials is to enable the appliance to verify whether the plug-in is a trusted client or not.
Figure 3. Certificates tab
citrix.com 647
Updating the CloudBridge Plug-in
To install a newer version of the CloudBridge Plug-in, follow the same procedure you used when installing the plug-in
for the first time.
citrix.com 648
Troubleshooting CloudBridge Plug-in
Issue: I am facing signaling channel connectivity issues. How can I resolve these issues?
Resolution: To resolve signaling channel connectivity issues, perform the following troubleshooting
steps:
Verify that you have correctly configured the signaling IP address. You can do so by pinging the
signaling IP address and verifying the response.
Verify that the signaling status is enabled on the CloudBridge appliance.
Verify that the firewall installed on the network does not remove the CloudBridge TCP options.
Verify that a valid CloudBridge plug-in license is installed on the CloudBridge appliance.
Verify that the Signaling Channel Source Filtering configuration does not block the Client Source IP
address.
If you have enabled LAN Detection, verify that the Round Trip Time between the CloudBridge plug-in
and CloudBridge appliance is an acceptable value.
Issue: On a CloudBridge 4000 appliance, I am not able to disable the CloudBridge plug-in.
Resolution: None. You cannot disable the CloudBridge plug-in on a CloudBridge 4000 appliance.
Issue: When connecting to the CloudBridge appliance by using the CloudBridge plug-in, the following error
message entry is logged on the Alerts tab:
More CloudBridge Plug-ins than the current limit of <Number> have attempted
to connect to this Appliance.
Cause: The number of connections to the CloudBridge appliance has exceeded the licensed user limit.
Resolution: To update the signaling IP address on a CloudBridge 4000 or 5000 appliance, complete
the following procedure:
1. Log on to the NetScaler instance of the CloudBridge appliance.
2. Navigate to the Traffic Management > Load Balancing > Virtual Servers > BR_LB_VIP_SIG page.
3. Update the signaling IP address.
4. Save the configuration.
Issue: CIFS and ICA traffic is not getting accelerated.
citrix.com 649
Reference Material
You can refer to the following documentation for quick reference:
Glossary
citrix.com 650
Graphical User Interface
CloudBridge, and CloudBridge VPX have essentially identical graphical user interfaces (GUIs). CloudBridge 4000/5000
also contains this GUI as a subset of its user interface.
The GUI is browser-based, supporting HTTP and HTTPS. By default, the GUI is enabled on all active Ethernet ports,
using the management IP address assigned to each port, but the GUI can be disabled on a port-by-port basis.
The GUI is divided into pages, reached through tabs on the header and navigation bar on the left-hand column of each page.
The GUI pages are divided into three categories:
citrix.com 651
Dashboard Page
The dashboard shows you the status of the entire appliance at a glance. It has graphs for incoming and outgoing traffic,
top applications by WAN volume, top service classes by compression ratio, WAN throughput by traffic-shaping policy,
and more. By default, the page updates every minute, but this can be changed by pressing the Customize button.
Figure 1. Dashboard Page
Most features of the dashboard are disabled until you define your appliances links.
The LAN-side and WAN-side traffic are shown in different colors. When on compression, caching, or application
acceleration is going on, the LAN-side traffic and the WAN-side traffic are essentially identical, because the appliance is
not modifying the data as it passes through. Compression and caching reduce the amount of WAN-side traffic.
The compression ratio is dependent on the amount of long-term redundancy in the data streams, and tends to increase
over time as the appliances compression history fills.
citrix.com 652
Features Page
This page has enable/disable toggles for the appliances features, plus a master enable/disable toggle called Traffic
Processing.
Figure 1. Part of the Features page
In normal use, this page is helpful mostly for disabling features, since many features require more configuration than
simply toggling their state from disabled to enabled. Most features should be enabled on the relevant page under the
Configuration menu.
Traffic Processing
This is the master enable/disable toggle. When disabled, all features of the Appliance are disabled and all traffic passes
through without modification or traffic shaping.
Traffic Acceleration
This toggle enables and disables the acceleration engine.
Traffic Shaping
This toggle enables and disables the traffic-shaping engine.
Group Mode
Can be used to disable group mode, if enabled.
High Availability
Can be used to disable high-availability mode, if enabled.
ICA Multi-Stream
Enables ICA multi-stream acceleration support. If enabled, multi-stream ICA sessions will be negotiated when both the
client and server are multi-stream-enabled. Otherwise, single-stream ICA sessions will be used.
If multi-stream, multi-port ICA is enabled on your XenApp servers, you must also modify the ICA service class to
include the additional ports you have defined for multi-port mode.
citrix.com 653
MAPI Cross-Protocol Optimization
Allows MAPI session data to match non-MAPI session data in the compressor.
SCPS
SCPS is a TCP variant used in satellite communication and similar applications. The Appliance can accelerate SCPS
connections if this option is selected.
The main practical difference between SCPS and the default Appliance behavior is that SCPS-style selective negative
acknowledgements (SNACKs) are used instead of standard selective acknowledgements (SACKs). These two methods
of enhancing data retransmissions are mutually exclusive, so if the Appliance on one end of the connection has SCPS
enabled and one does not, retransmission performance will suffer. This condition will cause an SCPS Mode Mismatch
alert.
We recommend that, if you must mix SCPS-enabled Appliances with non-SCPS enabled Appliances, that you deploy
them in such a way that mismatches do not occur. This can be done with IP-based service class rules or by always
deploying the Appliances so that accelerated paths contain matched pairs rather than odd numbers of units.
Secure Partner
Duplicates the functionality of the Partner State toggle on the Configuration: Secure Partners page.
SNMP
Duplicates the functionality of the SNMP Status button on the Logging/Monitoring: SNMP tab.
SSH Access
Duplicates the functionality of the SSH Access Enable/Disable button on the Configuration: Administrator Interface: SSH
Access page.
SSL Optimization
Duplicates the functionality of the SSL Optimization Enable/Disable button on the SSL Encryption page.
Syslog Support
Duplicates the functionality of the Send to Syslog Server checkbox on the Configuration: Logging/Monitoring: Syslog
Server tab.
WCCP
Duplicates the functionality of the Enable button on the Configuration: Advanced Deployments: WCCP tab.
citrix.com 654
Quick Installation Page
The Quick Installation page allows a complete single-page installation of many appliances, and a partial installation for
most other appliances.
Figure 1. Quick Installation page
AdapterFor most appliances, this is apA, the accelerated bridge. Dual-bridge systems will allow you to
select apB instead.
IP Address, Gateway, NetmaskThese will already be configured (from the LCD front-panel installation
step), but you can change them if desired.
Primary/Secondary DNS IP AddressLets you specify a primary and backup DNS server.
NTP Time ServerAllows you to specify an NTP time server to keep your appliances clock
synchronized. Highly recommended.
Date/TimeIf you cannot use an NTP time server, the date and time can be set manually here.
Local Time ZoneSpecify your time zone here.
Citrix License TypeGives you a choice between Local License and a network license that matches
your hardware. Legacy (release 5.x) licenses are local licenses; new licenses are generally network licenses.
License Server AddressYou must specify a license server when using network licenses. You can use
either an IP address (such as 172.16.0.44) or a hostname (such as license_server.example.com).
citrix.com 655
Licensing Service PortIf your license server uses a port different from the default value of 27000,
specify it here.
Receive (Download) SpeedUse 95% of your nominal WAN receive rate.
Send (Upload) SpeedUse 95% of your nominal WAN send rate.
WAN-side AdapterThis will be either apA.1 or apA.2, depending on which port the Ethernet cable to
your WAN is plugged into. (Dual-bridge systems might use apB.1 or apB.2.)
Perform Quick InstallPress the Install button to perform the installation.
Wait for System to RestartAfter the system restarts, continue with your configuration if necessary.
Otherwise, your appliance is configured and operational.
citrix.com 656
Configuration Pages
The Configuration pages enable you to set up and adjust the operation of the appliance's features. Basic configuration
can be performed on the Quick Installation page alone, but advanced configuration also makes use of these pages.
citrix.com 657
Administrator Interface
This page has a range of options relating to the browser-based and LCD front-panel interfaces. It is divided into four
eight tabs: Web Access, HTTPS Certificate, User Accounts, Radius, TACACS+, SSH Access, Graphing, and
Miscellaneous.
Web Access Protocol--Selects between HTTP and secure HTTP (HTTPS).HTTPS is the default.
HTTP/HTTPS Ports--Sets the port used for each protocol. The non-selected protocol is greyed out. To
access it, select the protocol, press Update, and then change the port number. Setting the port numbers to
zero will disable browser-based access (re-enabling browser-based access will require the use of the serial
interface or the command-line interface).
HTTP Forwarding to HTTPS--If HTTPS is the selected protocol, attempts to reach the interface via HTTP
will result in an redirect to the correct protocol and port.
Admin accounts allow the user to view all pages and modify all settings.
Viewer accounts allow the user to see only the Main page and pop-up performance graphs.
The menu page is self-explanatory. Changes take effect as soon as the Update, Delete, or Add buttons are pressed.
Figure 3. User Accounts Tab
citrix.com 658
RADIUS and TACACS+ Tabs
RADIUS and TACACS+ authentication are also supported. The user interface for the two are similar. Enter the IP
address of the authentication server, verify the port number (the default is usually correct), enter the shared secret and
press the Update button.
Figure 4. RADIUS Authentication Tab
Note on RADIUS authentication--Radius authentication will succeed if the RADIUS server returns an 'Accept-Access'
packet with an appropriate 'Service-Type' attribute. If 'Service-Type' is 'Login,' then the user is granted viewer access. If
it is 'Administrative,' then the user is granted admin access. Otherwise, access is denied.
Figure 5. TACACS+ Authentication Tab
Note on TACACS authentication--Administrative privileges are granted if the TACACS user has privilege level 15.
Lower levels will be granted viewer access.
Note: For accounts that exist locally on the Appliance, the locally defined password continues to work after Radius or
TACACS+ authentication are enabled; the remote server is queried only if the password fails to match the locally stored value.
The two functions have Disable/Enable buttons. However, if you disable web access, you will of course not be able to
access the button to re-enable it. To re-enable the browser-based user interface, use the RS-232 or CLI interface.
Figure 6. Security: Manage Users page
citrix.com 659
Graphing Tab
This tab controls the graphing functions of the acceleration engine, which covers the graphs on the Monitoring pages
but not those on the Reports pages or the Dashboard, which are configured separately.
Display WAN Side Graph/Display LAN Side Graph--The data flow is not identical on the LAN side of the
Appliance and the WAN side. The differences between the two flows can provide useful information. For
example, the difference between accelerated line usage and good put should be very low on the LAN side,
because LANs usually (but not always) have a low packet-loss rate. But if there is a problem with the local
LAN (a failing switch, for example, or a port accidentally configured to half-duplex), losses may be high. By
default, both graphs are shown.
Combine Send/Recv Graphs--By default, send and receive traffic are added together, but they can be
displayed separately. This is useful on busy systems with traffic moving in both directions.
Autoscale Graphs--By default, bandwidth graphs are scaled automatically, but they can be scaled to user-
specified limits.
Graph Refresh Rate--The data displayed on the graphs covers 60 seconds of activity and is collected at
one-second intervals. The default refresh rate is ten seconds. Sensible values for the refresh interval are
between 1 and 60 seconds.
Autorefresh Graph--Unchecking this box means that the reload browser button must be pressed to see an
up-to-date graph.
Miscellaneous Tab
Figure 7. Configure Settings: UI page, Miscellaneous tab
Lock Changes via LCD--Checking this box prevents system settings from being updated via the front-panel
interface. By default, the front-panel is not locked.
Max Connections Shown on Connection Page--A busy system may have thousands of open connections.
The default is to show the first 800. This may be set to any value desired.
GUI Session Timeout--If the Web interface is idle for more than this time (in minutes), you will have to log
in again. Setting the value to zero will disable session timeouts.
CLI Session Timeout--If the command-line interface is idle for more than this time (in minutes), you will
have to log in again. Setting the value to zero will disable session timeouts.
citrix.com 660
Login Failure Limit--If an invalid password is given more than this many times in a row, you will not be able
to login until the 'login failure lockout period' has expired.
Login Failure Lockout Period--Logins are disabled by this many seconds if the 'login failure limit' has been
exceeded.
Show SSL Connection Help Guide--Enables some online help text at the bottom of SSL-acceleration
related pages. Disabled by default. Because this Users Guide has much more comprehensive
procedures, this help guide is not recommended.
citrix.com 661
Advanced Deployments
This page has the configuration for advanced deployment modes: WCCP, high-availability, group mode, and proxy
mode.
See WCCP Mode for the procedure for setting up your router and Appliance for use with WCCP.
This page allows you to set up Appliances as high-availability pairs, so that if one unit fails, the other will take over.
High Availability Status: One of Standalone, Primary, or Secondary. A standalone unit is not part of an HA pair. A
primary unit is actively handling accelerated connections. A secondary unit is idle, ready to take over if the primary unit
fails.
SSL Common Name: Uniquely identifies this Appliance. You type this string into the Partner SSL Common Name field
on your HA partner Appliance.
Virtual VIP Configuration: The virtual IP address used to manage the pair as a unit is not set here, but on the Configure
Settings: UI page. A link is provided here.
VRRP VRID: This identifies the HA pair according to the VRRP (Virtual Router Redundancy Protocol) as defined in RFC
2338. The default value of 0 is not a valid VRRP VRID, which must be in the range of 1-255. If there are no other VRRP
devices on the subnet containing the Appliance, the choice of a VRRP ID is arbitrary.
Note that, while the Appliance uses a VRRP ID (which is designed primarily for routers), the Appliance is not a router.
Partner SSL Common Name: Copy this from the Acceleration Partners SSL Common Name field.
Enabled: Turns high-availability functionality on or off. You will be warned that enabling or disabling high availability will
terminate all open connections.
citrix.com 662
Group Mode Tab
Group mode is a means for allowing two or more redundant links to be shared by two or more inline Appliances, with no
requirement that all the packets for a given connection pass through the same Appliance.
Group mode and the fields on the Group Mode page are fully explained in Group Mode.
Figure 3. Group Mode Tab
Private keys and certificates are factory-installed, but can be replaced, if desired. Click Edit, and paste the new
certificates and key in the boxes provided, replacing the old ones, then click Update.
Proxy Tab
In proxy mode, the Appliance masquerades locally as the remote system. Traffic for the remote system is then
forwarded to a remote Appliance and then to the remote system itself.
Figure 4. Proxy Tab
Proxying involves address translation. The addresses are entered in the Proxy Configuration page.
With a proxy connection, one end of the connection may be left in inline mode. When this is done, the in-lined appliance
requires no configuration.
When you enter a new proxy definition, the appliance pings the target address when you click Add. If the ping is
unsuccessful, a warning icon is displayed and the target address is shown in red. However, the proxy entry is still active.
On paths where pings are blocked but TCP traffic is not, the proxy definition will work in spite of the warning icon.
citrix.com 663
Application Classifiers
The Configuration: Application Classifiers page defines all the applications recognized by the CloudBridge classifier.
Figure 1. Defining a New Application
The classifier uses application definitions to divide the traffic into protocols and applications. This is used to create
reports and to set traffic-shaping policies through the service-class mechanism. A great many applications are already
defined, and you can define more as needed.
Application Group list--Applications are divided into groups, and by selecting one from the Application
Group list, you can restrict the display to the members of the selected group.
Only show user modified settings checkbox--This checkbox allows you to show only applications that
differ from the defaults, whether by being added or modified.
Auto-discover Citrix published applications checkbox--This option allows any Citrix published
applications seen in the data stream to be added to the application list automatically. Once discovered, they
will show up in reports and can be used for traffic-shaping policies.
Expand All/Collapse All buttons--In the collapsed state, just the application names are displayed.
Otherwise, their definitions are shown as well.
Create button--Used to create a new application.
Edit button--Allows an existing application to be altered. This process is essentially the same as creating a
new application.
Delete button--Deletes an application.
Note: Use caution when editing or deleting applications, since there is no way to reset the definitions to their defaults without
resetting the entire Appliance to its factory defaults.
citrix.com 664
Licensing
A license file must be installed before your Appliance will accelerate connections. License files are generally obtained
on MyCitrix. See the release notes for more information.
Figure 1. License Information Tab
The License Information tab gives the information needed for the creation of a license for your Appliance, or to match up
a pre-generated license with the correct Appliance. If a license has been successfully installed, the Required Action field
will say, None.
The format of the License Information tab is different if no license has been installed. The Required Action field will
report that only a legacy license is installed. A link is provided to go to the MyCitrix and obtain another.
If remote licenses are used, the Remote License Server address must be supplied, plus the Remote License Server Port
(the default value will almost always be correct). Also, the type of license must be specified in the Model pull-down
menu.
These licenses specify the maximum supported bandwidth. The remote license server needs to have a license available
for the model selected, or no license will be acquired.
If SSL acceleration, MAPI acceleration, or signed SMB acceleration are required, then a crypto license must
also be installed. Checking the Crypto License Requested box will acquire a crypto license, if available.
citrix.com 665
citrix.com 666
Links
The Configuration: Links page is where your WAN and LAN links are defined. Defining links enables the Appliance
s reporting and traffic shaping.
The order in which the links are shown on this is significant. When deciding which link a packet belongs to, the
Appliance tests the links in order, and the first matching link is selected. This means that overlapping definitions are
allowed, and the last definition in the link can match all traffic, serving as a default link.
The Expand All button will show the expanded form of the display, summarizing the link definitions instead of displaying
only the names of the link.
Links can be based on the Ethernet adapter associated with the traffic, the source and destination IP addresses, VLAN
tag, WCCP service group (for WCCP-GRE only), and the source and destination Ethernet MAC address. A simple inline
deployment might identify only the LAN-side and WAN-side accelerated bridge ports (apA.1 and apA.2), while a
complex datacenter deployment might need to use most of the features provided on the form to disambiguate traffic.
Defining a link in terms of its IP addresses is possible except when redundant links are used. Since a given packet may
go over either link in an active-standby or active-active dual-link deployment, some other method must be used to
determine which link the packet is using. If dual bridges are used, then the traffic for one link can go over apA and the
other over apB, and the links can be defined in terms of adapters. If the two links are served by different routers, the
citrix.com 667
MAC addresses of the routers can be used to tell the traffic apart. When all else fails, WCCP-GRE can be used, and the
router can use a different service group for each WAN link, allowing the CloudBridge unit to tell the link traffic apart in by
service group.
Adapter--This specifies a list of adapters (Ethernet ports). When links can be identified by ethernet adapter,
this simplifies configuration.
Src IP--The Source IP rules are considered for packets entering the unit (packets exiting the unit are
ignored). On these packets, the rules in the Src IP field are compared against the Source Address field in
the IP header. The rule specifies a list of IP addresses or subnets. Negative matches, such as Exclude
10.0.0.1 are also supported.
Dst IP--The Destination IP rules are considered for packets exiting the unit (packets entering the unit are
ignored). On these packets, the rules in the Dst IP field are compared against the Destination Address field
in the IP header. The rule specifies a list of IP addresses or subnets. Negative matches, such as
Exclude 10.0.0.1 are also supported.
VLAN--The VLAN rules are applied to the VLAN headers of packets entering or exiting the unit.
WCCP Service Group--The WCCP Service Group rules are applied to GRE-encapsulated WCCP packets
entering or leaving the unit. (This does not work with L2 WCCP.)
The traffic classifier uses the Src IP and Dest IP fields in a specialized way (the same applies to Src MAC and Dst MAC):
This convention allows the direction of packet travel to be implicitly considered as part of the definition. The same
concepts applies to the Src MAC and Dst MAC rules.
Hardboost/Softboost Tab
This tab allows you to select between hardboost and softboost modes. If hardboost is selected, the hardboost
bandwidth limit must be set. This number represents the speed at which the acceleration engine will attempt to send
and receive data and must be no faster than the WAN link on which the hardboost partner is reached.
Figure 4. Hardboost/Softboost tab
When softboost is selected, these bandwidth limits are not in effect and are not shown.
citrix.com 668
Logging/Monitoring
The Configuration: Appliance Settings: Logging/Monitoring page controls the logging and alert settings for the
Appliance. It has seven tabs: Log Options, Log Extraction, Log Statistics, Log Removal, Alert Options, Syslog Server,
and SNMP.
Log System RecordsThis gives general statistics about connections every 60 seconds. Most users will
want to disable this option.
Log Adapter RecordsThis reports the status of each Ethernet port every 60 seconds. Most users will
want to disable this option.
Log Flow RecordsThis summarizes the status of the communication between this unit and each active
Acceleration Partner every 60 seconds. Most users will want to disable this option.
Log Connection Records.This summarizes the state of each active accelerated connections every 60
seconds. Most users will want to disable this option.
Log Open/Close RecordsAdds a log entry whenever an accelerated connection is opened or closed.
These records contain performance statistics in addition to identifying the endpoints and the connection
duration. Leave this option enabled.
Log Text RecordsShows kernel and other OS messages. Leave this option enabled.
Log Alert RecordsRepeats the information from the Alerts page in the log. Leave this option enabled.
Other SettingsThe Log Max Size, Lines Displayed, and Max Export Count fields are self-explanatory
and rarely need to be changed.
citrix.com 669
Log Statistics Tab
The Log Statistics tab gives basic information about the logging system.
Figure 3. Log Statistics Tab
1. User-configurable alerts, which appear on the Configure Settings: Alert page. These are mostly informational and are
primarily of use when troubleshooting. Each of these alerts has a radio button to select between Alert, Logged, and
Disabled.
2. Internal alerts. These generally indicate a more serious problem, and cannot be masked by the user. They do not
appear on the Configure Settings: Alert page.
User-Configurable Alerts
Alerted means that when the condition occurs, it will be logged, the alert icon will appear at the top of the
screen, and the condition will be listed when the Error link is clicked.
Logged means that when the condition occurs, it will be logged, but the alert icon will not appear and the
condition will not be listed when the Error link is clicked.
Disabled means the condition will not be logged. Not all conditions can be disabled. These lack a radio
button under the Disabled column.
The Alert Retention Time parameter sets how long an Alert stays active after the condition that caused it
has gone away.
Each parameter has an associated description in the Help column (the text for which will not be repeated here).
Changes will not take effect unless you click the Update.
citrix.com 670
Asymmetric Network Configuration
Invalid or Illegal Packets Received
Out of CPU Resources
Out of Memory Resources
Internal Errors
Compression Error Detected
Softboost-Hardboost Mismatch
Disk Drive is Degraded
NIC Watchdog Bypass Event
Disk is Fragmented
Network Unreachable
DNS Lookup Failed
Appliance in the Middle Intercepting Options
Major Internal Errors
Minor Internal Errors
Internal Warning
WCCP Detected Major Error
WCCP Detected Minor Error
WCCP Warning
Network Driver Hang Detected
Signaling Channel Establishment Error
SCPS Mode Mismatch Detected
CloudBridge Plug-in count is nearing its limit
SSL Communication Error
Internal Alerts
Contact your support representative if you receive Alert messages that are not represented on the Configure
Settings: Alert page.
Some of these messages give guidance about whether you should contact us immediately or at your
convenience.
Alert Messages
Potential error conditions are reported at one of three levels: they can be ignored, they can be logged, or they
can be logged and also cause an Alert warning to appear at the top of the page.
The Alerts page lets you select the reporting for different types of error. Clicking on the link displays information
about the outstanding alerts.
Figure 5. Alert Details Page
Alerts will clear themselves if the problem goes away for long enough (by default, for one hour).
Alert messages are sent with a severity level of warning. All other messages are sent with a severity of
info.
All messages are sent to the syslog server, whether they are enabled in the Log Options tab or not.
An example of syslog output is shown below. The Appliance is identified through the management IP at the start of the
message. Each message is formatted as a single line.
citrix.com 671
May 08 14:40:37 172.16.0.101 Connection Status:
66.151.150.190:443<->69.59.212.183:3609 Duration:58.000 Sec
May 08 14:40:37 172.16.0.101 Connection Status:
207.47.50.203:443<->69.59.212.183:3668 Duration:0 Secs
SNMP Tab
This tab sets up SNMP monitoring of the Appliance. SNMP operation is disabled by default, but is enabled by the button
at the top of the page. SNMP v1 and v2c are supported.
Figure 7. SNMP Tab
Fields on this page have their conventional meanings. Management access must be restricted by giving an IP or
network number for the management station. However, this can be circumvented by setting the IP Bit mask to
zero (equivalent to a bit mask of 0.0.0.0). To give access to any host on a Class C subnet, set the IP Bit Mask to 24
(equivalent to 255.255.255.0). To limit access to a single host, set the IP Bit Mask to 32 (equivalent to 255.255.255.255).
SNMP accesses are read-only; that is, monitoring but not configuration is supported by SNMP.
The parameters available via SNMP are documented in the .MIB files themselves.
APPACCELERATION-PRODUCTS-MIB.txt
APPACCELERATION-SMI.txt
APPACCELERATION-STATUS-MIB.txt
APPACCELERATION-TC.txt
CITRIX-COMMON-MIB.txt
citrix.com 672
Network Adapters
IP Addresses Tab
This tab allows you to configure the IP address, netmask, gateway, HA virtual address, and VLAN of each interface, as
well as enabling or disabling the interface.
Figure 1. IP Addresses Tab
Accelerated Pairs
Most Appliances have four ports: two configured as a bridge called Accelerated Pair A, or apA, and two non-
bridged motherboard ports, Primary and Aux1.
A typical installation uses only apA. Some Appliances may have a second accelerated pair. Acceleration is not
supported on Primary or Aux1.
Accelerated pairs do not require an IP address for simple inline-mode operation, but an IP address is required if you use
the CloudBridge Plug-in, WCCP, or SSL acceleration. If apA is left without an IP address, the Primary port should be
enabled and have an IP address assigned to it so that the Appliance can be managed. Access from the serial and front-
panel interfaces will still be active. Per-port access is controlled on the Configuration: Network Adapters page.
Address Formats
Except for the hostname, the network settings expect static IP addresses or masks in the usual decimal dotted-quad
notation, such as 10.0.0.150. These should be assigned as if the Appliance were simply another computer on its
subnet, not as if it were a router (since it isnt a router).
Changes do not take effect until you click the Update button and restart the unit.
HA Virtual IP Addresses
If high-availability mode is used, one enabled interface needs to define an HA virtual IP address. This is used to
manage the pair as if it were a single unit. Both Appliances in the pair use the same HA Virtual IP address.
VLAN Settings
If your network uses VLANs, the Appliance should be set to a valid VLAN address.
Inline traffic will be accelerated regardless of the VLAN addresses (if any) of the packets, but traffic addressed to the
Appliance itself must match the Appliances VLAN setting that is, either no VLAN at all or a matching VLAN.
The correct VLAN setting is necessary for the proper operation of:
citrix.com 673
The browser-based user interface.
Virtual inline mode.
Proxy mode.
VLAN support is enabled by entering the VLAN number (a decimal number in the range of 0-4095), checking the Enable
box, and pressing Update.
Ethernet Tab
Each Ethernet interface used by the Appliance is listed here, along with its speed (10, 100, or 1000 Mbps), its duplex
setting (full or half), and its auto-negotiation state (auto or forced to a specific mode).
Figure 2. Ethernet Tab
Note: Auto-negotiation failures on Fast Ethernet (100 Mbps) networks are the most common cause of performance problems
with Appliances. These are caused by a flaw in the Fast Ethernet Specification.
A pull-down menu allows you to reset the modes of the individual Ethernet ports. Changes do not take effect until you
click the Update Adapter Configuration button.
Clicking on the individual adapter links (such as eth1) will open the Detailed Information page for the adapter.
Clicking on the black arrows next to the graphs will move the view into the past (left arrows) or towards the present (right
arrows) in one-minute increments.
The table offers More Info links for bridged adapters (that is, the two adapters used in inline mode) and individual flows.
(A flow is the set of all accelerated connections between a given pair of Appliances.) The statistics for bridged adapters
and individual flows are similar to those for individual adapters, with summary tables and second- by-second graphs.
Figure 3. Ethernet Adapter Detailed Information Page, Top Half
citrix.com 674
Figure 4. Ethernet Adapter Detailed Information Page, Bottom Half
citrix.com 675
CloudBridge Plug-ins
This page controls how the Appliance interacts with CloudBridge Plug-in. This page controls how the Appliance
interacts with CloudBridge Plug-in. CloudBridge Plug-in support is a licensed option; so this page is greyed out if no
Plug-ins are supported by your license.
This tab controls the basic operation of the Appliance when dealing with Plug-ins.
Signaling IP--This is an IP address that is used for the signaling connection between the Plug-in and the
Appliance, which transfers status information, and for data connections when using redirector mode.
Signaling Port--This is the port used by the signaling connection. Defaults to port 443 (HTTPS), which is
generally the best choice, since it is rarely blocked by firewalls.
Signaling Channel Source Filtering--This feature allows Plug-in clients to be accepted or rejected based
on their source IP. This in turn allows Plug-in acceleration to be disabled when it is not appropriate (such as
when the client is at the same site as the appliance). If this feature is enabled, a list of rules appears. The
appliance compares the source IP of every signaling connection with the list of rules. If the IP matches an
"allowed" range, the signaling connection is accepted. If it does not, it is rejected, and the client receives no
Plug-in acceleration (and does not consume a Plug-in license.)
Connection Mode--Choices are transparent mode (where connections are intercepted and accelerated by
the Appliance transparently, as with Appliance-to-Appliance communication) and redirector mode (where the
Plug-in sends accelerated connections to the Appliance explicitly, using the Appliance as a proxy and the
signaling IP as the proxy address. Transparent mode is recommended because redirector mode has several
liabilities that make it a mode of last resort.
LAN Detection--This feature prevents acceleration when the Plug-in and Appliance are on the same LAN.
Such local acceleration is undesirable because the Appliances bandwidth limit will be applied to
local connections, which will greatly reduce the speed of LAN-to-LAN traffic. To use this feature, enable it
and set the "Round Trip Time" to a value smaller than your shortest accelerated WAN RTT, but larger than
your largest LAN RTT.
Refresh/Cancel/Apply--Depending on context, some subset of these buttons will appear.
Note: Changes to the Status fiels are not updated in real time. Click Refresh to see the actual status.
citrix.com 676
If there are any destination addresses in this space that are not really LAN addresses, add Exclude rules for
these addresses and move the Exclude rules above the Accelerate rules. This would include any remote
sites with addresses that seem local.
If the appliance is in line with a VPN (and is not in line with anything else), and is operating in transparent
mode, you can set the Appliance to accelerate your entire enterprise rather than just the local site. In this
case, the only accelerated connections will be from Plug-in VPN connections and accelerating all the traffic
between the Plug-in and VPN is optimal.
citrix.com 677
Secure Partners
This page is used to set up the SSL signaling connection used by SSL compression.
Figure 1. Configuring Peer Communication
citrix.com 678
Service Classes
This page shows the list of defined service classes. This is an ordered list; the first matching service-class definition will
be used. Each service class has controls to move the definition within the list, edit the definition, or delete it.
By default, only the service class names are shown, but they can be expanded to summarize their definitions as well.
Rules can be based on the application, source and destination IP address, VLAN tag, or the incoming DiffServ
(TOS/DSCP) bits. If the SSL Profiles field is used, any traffic matching the service class is considered to also
match the selected SSL profile.
The traffic-shaping policies can be set to the same policy for all links or with per-link policies. In most
installations, per-link policies are not desirable.
Multiple rules can be specified. Fields within a single rule are ANDed together, so all specified fields must match.
When multiple rules are used, they are evaluated in order. If any rule matches, the traffic is considered to belong
to the service class.
Traffic-shaping policies are chosen from the pull-down menu. By default, a range of policies from Very Low to
Very High are defined, each policy having twice the weighted priority of the next-lower policy. In addition, there is
a VoIP Traffic policy that has an effectively infinite weight (and thus must be used with caution), and a Default
Policy.
citrix.com 679
Flow Control Only--The Flow Control checkbox enables or disables acceleration. Recommended for traffic that
is 100% uncompressible because the same data will never be seen twice (mostly encrypted protocols and live
video). Note that pre-compressed traffic such as JPG images, ZIP archives, and audio/video streams that are
played more than once are all highly compressible on the second pass. For example, if two people play the
same YouTube video, the compressor will achieve a high compression ratio for the second users, since the
video data will be the same as before and will match the first copy.
Disk Compression--Enables flow control and the full range of compression features (disk-based and memory-
based compression). Recommended for most traffic.
Memory-based Compression--Enables flow control and memory-based compression only. This option is rarely
used.
Acceleration policies are based solely on information available on the first packet of the connection (the SYN
packet). The results of deep packet inspection are not available until later in the connection, so such matches
cannot be made.
Traffic-Shaping Policy--The initial traffic-shaping policy is based on the first packet seen, but deep-packet
inspection may change this decision. For example, an application that is defined based on a URL will match
when a data packet containing an HTTP GET url command is seen. This will reclassify the traffic-shaping policy
for the connection.
All WAN data flows have a traffic-shaping policy, whether they are accelerated or non-accelerated, TCP or non-
TCP.
Other TCP Traffic is a special category that specifies the default acceleration action to take if no other service
classes apply.
The Web (Private) and Web (Private-Secure) service classes define HTTP and HTTPS service on the standard
private networks of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as defined in RFC1918. These addresses are
not routable on the public Internet, and instead are used by most organizations for their private networks. As
such, we can assume that the problem of paranoid firewalls will not occur on these networks, and HTTP and
HTTPS traffic can be accelerated normally.
The Web (Internet) and Web (Internet-Secure) service classes are for non-private Web traffic and have flow
control and compression disabled.
The ordering of the two sets of rules is important; the Private rules need to occur first in the Service Class Policy
list.
These rules are not necessary unless Internet traffic passes through a single Appliance. If Internet traffic passes
through two Acceleration units (two Appliances or an Appliance and a Plug-in), the Internet rules can be set to
the same values as the Private rules, allowing acceleration on all Web traffic.
citrix.com 680
SSL Acceleration
This page consists of five disguised tabs (disguised because they are implemented as buttons). They are:
Profiles--Allows you to set up server profiles, typically one per endpoint SSL server. .
Manage CAs--Allows you to upload CA certificates. See .
Manage Keys--Upload certificate/key pair. See .
Import SSL--Upload an SSL configuration previously saved on the Export SSL tab.
Figure 1. Import SSL Tab
citrix.com 681
SSL Encryption
This page has the main password and enable/disable toggles for SSL compression.
Key Store--For greater security, keys are password-protected. SSL compression will not take place unless
the key store is opened with the password. For security reasons, SSL compression is disabled after each
restart, until this password is entered. If user data encryption is used, compression is also disabled until this
password is entered. .
User Data Store--User data, consisting mostly of disk-based compression history, can optionally be
encrypted using AES-256 encryption. Changing the encryption state causes disk-based compression history
to be lost. Encrypting the user data protects the contents from disk-based compression history from being
examined if the unit is stolen or removed from service.
SSL Optimization--The master enable/disable switch for the SSL compression feature.
On a CloudBridge appliance, when you enable the Disk encryption and SSL optimization features and restart the appliance,
you must enter the SSL keystore password to use the Disk encryption and SSL optimization features. Until CloudBridge
release 7.1, setting an SSL keystore password was mandatory to enable these features. However, starting CloudBridge
release 7.2, you can bypass the setting an SSL keystore password to enable features.
Note: By default, the SSL keystore password setting is enabled.
To disable the SSL keystore password settings
citrix.com 682
Traffic Shaping Policies
The Configuration: Traffic Shaping Policies page allows you to add traffic-shaping policies. The default policies are
adequate for most installations and cannot be edited or deleted (except for the ICA Priorities and Default policies).
However, if you have special requirements, new polices can be added or edited.
Figure 1. Traffic Shaping Policies Page
citrix.com 683
Tuning
This page contains a number of TCP-oriented settings, including which ports are accelerated, TCP window scaling
limits, connection timeouts, etc. The individual setting are listed below.
Figure 1. Tuning Page
Note: Unlike the other pages, the buttons on the Tuning page are greyed out until you change a parameter.
Window Settings
There are two tuning settings: the WAN scale limit and the LAN scale limit. These set the TCP scaling option between
the two Appliances (See RFC 1323). The default LAN scale limit is 16, corresponding to a 64 KB (2^16 bytes)
advertised window. The default WAN scale limit is 23, corresponding to an 8 MB (2^23 bytes) advertised window.
These values rarely need to be changed from their defaults, though in WANs with a very high bandwidth-delay product,
the WAN scale limit may need to be increased, while on a WAN with a very low bandwidth-delay product, the WAN
scale limit may need to be decreased. The rule of thumb is to have a WAN scale limit that is at least 2-3 times the
bandwidth-delay product.
For example, a 200 Mbps link with a 500 ms RTT has a bandwidth-delay product of 100,000,000 bits. Doubling this
gives 200,000,000 bits, or 25,000,000 bytes. This is larger than the default 8 MB window. Increasing the WAN scale
limit to 23 (225 bytes or 32 MB) would accommodate this.
Increasing these limits under other circumstances will not increase performance and will only waste memory.
Connection Timeout
Idle accelerated connections should time out eventually, as they consume system resources. This entry gives the idle
time that must elapse before the appliance closes a connection. If the application sends keep-alive packets, these will
reset the idle timer. Such connections will never be closed by the connection timeout mechanism.
citrix.com 684
Some links see thousands of half-closed connections that never become fully closed. These may eventually overflow
the appliances connection table. The Active Connections page can identify half-closed connections. If the problem
cannot be fixed at its source, shortening the idle timeout can eliminate the problem.
Special Ports
When using address translation with the ftp or rshell (rsh/rcp/rexec) protocols, the agent performing the address
translation must be protocol-aware. FTP control ports and rshell control ports define which ports are used with these two
protocol groups. If you use nonstandard ports for these protocols, adding the port numbers the special ports list will
allow them to work in proxy mode.
Virtual Inline
Virtual inline mode allows a router to send packets to the appliance and receive packets back from it.
There are two slight variations of this forwarding. The first is to forward packets to the default gateway. The second is to
forward them to the Ethernet address they came from. Both have the potential to create routing loops. Policy-based
routing is required to prevent router loops. See Virtual Inline Mode.
Daisy-Chain
Acceleration takes place between two Appliances. If three or more Appliances are used in series, the link will not be
accelerated end-to-end. Instead, the link between Appliances 1 and 2 will be accelerated, but not between Appliances 2
and 3.
Appliances with the Enable Daisy-Chained Units option set will detect when they are in the middle of a chain, and
pretend that such connections are non-accelerated. This guarantees that the two endpoint Appliances will both see an
accelerated connection.
citrix.com 685
This specifies the maximum size of the TCP portion of a packet. This defaults to 1380 bytes. If you have a VPN that
encapsulates packets inside another header (as PPTP and IPSec VPNs do), you may need to reduce this to prevent
packet fragmentation. Reducing the MSS to 1340 will usually accomplish this.
Both the Default MSS and Maximum MSS fields should always be set to the same value.
Generic Settings
This allows any internal Appliance parameter to be set to an arbitrary value. This is generally done only at the request of
Support.
For example, the bandwidth limit can be set 1,000 kbps by putting "SlowSendRate" in the Setting field and 1000
K/S in the Value field.
You can also query the current setting of a parameter by filling in the Setting field but leaving the Value field blank.
Note: The internal Appliance values are not documented and setting them in this way is not recommended, unless you are
advised to do so by Support.
citrix.com 686
Windows Domain
The Configuration: Appliance Settings: Windows Domain page allows the server-side appliance to join the same
Windows Domain as the servers it is accelerating, allowing encrypted MAPI and signed SMB traffic to be accelerated
(providing that the client-side appliance has SSL acceleration configured to the point where a secure peer relationship
exists between the client-side and server-side appliances).
Figure 1. Windows Domain Page
Joining the domain needs to happen only once, by typing in the domain credentials. (If the domain password changes,
this will have to be repeated.)
Demo Mode
In demo mode, the login credentials of a single user are used instead of the domain credentials. This allows the
acceleration of outcropped MAPI and signed SMB for that user. This mode is recommended for demonstration and
testing only.
citrix.com 687
System Maintenance Pages
On the System Maintenance pages, you can perform maintenance, update, and troubleshooting tasks on the appliance.
citrix.com 688
Backup/Restore
Reset to Factory Defaults. Sets all parameters except IP addresses, bandwidth settings, and licenses to their factory
defaults.
Figure 1. System Maintenance: Backup/Restore page
citrix.com 689
Clear Statistics
citrix.com 690
Date/Time
The date and time are set on this page. You can set the date and time manually by updating the time fields with the
current time, or use an NTP server by specifying its IP or DNS address. The Zone field allows you to choose a time
zone.
The date and time must be accurate (within 10-20 seconds) for the Appliance to join a Windows Domain successfully.
Figure 1. System Maintenance: Date/Time page
citrix.com 691
Diagnostics
Tracing Tab
Trace files are effective in helping our Technical Support team pinpoint your problem. The appliance provides a certain
amount of tracing continuously. The results can be packaged into an ZIP archive if you click Stop Trace. This archive
can be downloaded onto your computer, via Retrieve File. Once downloaded, it can be forwarded to Support. Because
the trace files are generated continuously, they also provide crash analysis data.
This tab has a large number of tracing parameters, none of which should be touched except at the request of Support.
Figure 1. The Tracing tab
1. Select one or more core files to send to Support. Choose core files based on date and time. That is, a core file that
was generated at a time when the unit was failing or behaving strangely is better than one from a period where no one
noticed anything wrong. When in doubt, send them all.
2. In the Core Retrieval table, select the check boxes in the left-hand column of the desired core files. Leave the
checkboxes for Retrieve Core, Trace, and Log checked and the Timespan at 20
minutes. (The Timespan field tells the system how far back before the core file was generated to collect log
data and similar information.)
3. Click Get Core Files. The selected files will be gathered into a.zip archive (this may take several minutes), and a new
screen will be shown.
4.
citrix.com 692
4. Click on the Click here link. A dialog box will ask you what you want to do with the file. Select Save File to Disk.
A Save As.. dialog box will open. Choose an appropriate directory and save the file.
http://dast.nlanr.net/Projects/Iperf
The documentation for iperf is also on this site. Iperf is preinstalled on appliances as a convenience.
To run iperf tests, one system (an appliance or other host) must run iperf as a server, and another must connect to it as
a client. The defaults on the Diagnostics Tools page are the usual defaults for iperf. Click Start Server to start an iperf
server on the appliance.
The Line Test: CLIENT function starts an iperf client on the unit, running in TCP mode. You specify the iperf
server to connect to, the port number, the interface, and the length of the test. For the latter two parameters, the
defaults are usually adequate. When the test is complete, the connection speed will be reported.
Figure 4. Line Tester tab
citrix.com 693
citrix.com 694
Restart System
When you click Restart System the appliance restarts. This process takes several minutes.
Figure 1. System Tools: Restart System page
citrix.com 695
Update Software
To install a patch file, click Browse on the System Upgrade Page, select the patch file, and upload it to the appliance.
This requires that the patch file be on a file system that can be accessed by your browser. (This condition is met
automatically if you used the same browser to download the patch in the first place.)
A patch file will be examined by the appliance and will only be installed if it is a valid patch file that will upgrade the
system to a different release from the one currently in use.
An upgrade preserves license files and system settings. The upgraded unit requires no reconfiguration except for any
new features that have been added with the new release.
Once a patch is installed, a new screen will ask if the unit can be restarted. The patch will not be applied until the unit is
restarted. If the user chooses not to restart the system immediately, a reminder will be placed at the top of each page.
The unit may require several minutes longer than usual to restart when it is applying a patch.
Figure 2. Display on a Successful Patch Upload
If you are using Repeater disk encryption, the other releases on the unit will be displayed in orange, and the Downgrade
Release option is not available unless you first disable disk encryption.
The appliance maintains copies of older releases, and the downgrade process reverts to one of these. Licenses and
settings are not copied back from the newer release to the older one. Instead, the unit will revert to the settings that
were in effect at the time the older release was upgraded.
citrix.com 696
Command Line Reference
You can use the command-line interface (CLI) to access the CloudBridge appliance remotely for interactive or scripted
configuration, monitoring, and file transfer.
The CLI uses two access mechanisms: SSH, for interactive and script access, and SFTP, for transferring files into and
out of the appliance. Alternatively, RS-232 access is available locally, through a null modem cable.
After accessing the appliance, you can enter commands. Command syntax is straightforward. Numeric fields use
decimal values. String fields can include embedded spaces if the string is enclosed in double quotation marks.
SSH Access
To access the CLI through SSH, open an SSH connection to the appliance's management IP address. Following is an
example of the login sequence:
ssh cli@172.16.0.103 Last login: Fri Jun 20 14:50:22 2008 from xx.xx.xx.xx Login: admin Passwor
Windows systems, by default, do not include an SSH package, so you might need to install a package such as PuTTY.
If so, you use "putty" instead of "ssh" to access the appliance.
The logon sequence has two steps:
1. Log on as user cli, which has a null password. You are then prompted to log in with proper credentials for the
appliance.
2. Log on as a valid appliance user, typically Admin, but with any user name and password that would work on the
appliances GUI.
After you log on, all the CLI commands are available.
RS-232 Access
You can use a terminal emulator to log on to a local appliance's CLI through a null modem cable connected to the
appliance's RS-232 serial port. Set the terminal emulator to 115,200 baud, 8 data bits, 1 stop bit, no parity. The login
procedure is the same as with SSH.
SFTP Access
To allow file transfers to and from the appliance, enable and activate a special account, for which the user name is transfer.
This account is disabled by default. To enable it, log on through SSH or RS-232 and enter the following CLI command:
This command enables the transfer account and sets its password to the password that you specify. Once enabled, the
transfer account cannot be disabled. However, you can effectively disable it by using the same command to assign a
very long and difficult to remember password.
To activate the transfer account, use the SFTP utility (or an equivalent Windows utility such as PSFTP) to log on to the
appliance, with user name transfer and the password that you specified when you enabled the account. Some CLI
commands can accept uploaded files as a command argument, or create files for download. After file transfer is
enabled, you can use SFTP or an equivalent utility to transfer files. When transferring files, do not use path names on
the appliance side of the transfer. Transfer all files into or out of the default directory. File names should contain only the
letters a-z and A-Z, the numerals 0-9, and the period and hyphen characters.
citrix.com 697
CLI Navigation
exit
Syntax: exit
quit
Syntax: quit
citrix.com 698
System Tools
show config-script
Syntax: show config-script
[-replicate]
[-file filename]
Displays the appliances current configuration or, optionally, saves the configuration to the file filename.
This configuration can be reloaded into the same appliance or another appliance.
-replicate omits appliance-specific configuration such as IP addresses, allowing the output of this command to be used
more conveniently for configuring multiple appliances.
-file filename specifies that the output should be saved to the specified file rather than displayed. No pathname
components should be used.
list config-script-files
Syntax: list config-script-files
save settings
Syntax: save settings
-file filename
Saves all parameters to the file specified by filename. The file is saved in the settings folder on the unit.
restore settings
Syntax: restore settings
-file filename
Restores all parameters from the file specified by filename. The file must be in the settings folder on the
unit.
Caution: This command takes effect immediately and reboots the appliance, without an are you sure? verification.
list settings-files
Syntax: list settings-files
reset settings
Syntax: reset settings
Equivalent to Reset to Factory Defaults in the UI. Sets all parameters except IP addresses and the license file to
their factory settings.
Caution: This command takes effect immediately and reboots the appliance, without an are you sure? verification.
restart
Syntax: restart
what
citrix.com 699
Syntax: what
show software
Syntax: show software
Lists all of the versions of the software installed on the appliance. One of these will be the running version, while the
others are available through the restore command (or, on the Web UI, the Downgrade Release feature).
verify software
Syntax: verify software
-file filename
Performs checks on file filename to see if it is a complete, uncorrupted software release file.
Note: This command is intended for newly transferred files. Files listed via the show software command are known-
good files and cannot be checked by this command.
install software
Syntax: install software
Installs the software file filename and optionally (with the -restart option) restarts the appliance.
Note: This command is intended for newly transferred files. Files listed via the show software command are installed
via the restore software command.
list software-files
Syntax: list software-files
restore software
Syntax: restore software
-version version
Reinstalls a previously installed software version. Version is the software version string. It must be identical to
one of the versions listed by the show software command.
Example: restore software -version 4.3.24.1014
set software
Syntax: set software
Selects which version of the binary should be used. Default should be used unless Citrix Support recommends
otherwise.
citrix.com 700
Licenses
add local-license
Syntax: add local-license
[-name license-name]
-file filename
list license-files
Syntax: list license-files
remove local-license
Syntax: remove local-license
-name license-name
rename local-license
Syntax: rename local-license
-old old-license-name
-new new-license-name
show license-models
Syntax: show license-models
Displays the list of models which is needed to acquire license from the remote license server.
show license
Syntax: show license
Displays the current license server configuration and the licensed features.
show local-license
Syntax: show local-license
set license-server
Syntax: set license-server
-location local
citrix.com 701
-location remote
[-model model name]
[-ip ipaddr]
[-port port]
-model specifies the model name with which to acquire the license. Use show license-models command to display the
list of models.
citrix.com 702
Security
show user
Syntax: show user
[-name username]
Lists all the users defined on the appliance, and whether they are administrators or view-only users. If the -name option
is specified, only the information about the specified user will be shown.
add user
Syntax: add user
-name username
-password password
-privilege {admin, viewer}
Defines a new user with the specified username, password, and privilege.
set user
Syntax: set user
-name username
-password password
-privilege {admin, viewer}
Alters the definition of an existing user with the specified username, allowing a change to the password or privilege level.
remove user
Syntax: remove user
-name username
show access
Syntax: show access
Summarizes the settings for the Web UI, for Radius and TACACS+ authentication, for transfer account, and for the
support account, including the enabled ports and options. By default, all five categories are displayed, but a single
category can be selected with the -type option.
enable access
Syntax: enable access
Enables one of: Radius authentication, TACACS+ authentication, or access to the Web UI. Parameters for these
features remain at their previous settings.
disable access
Syntax: disable access
Disables one of: Radius authentication, TACACS+ authentication, or access to the Web UI. Parameters for these
features remain at their previous settings.
citrix.com 703
set access
Syntax: set access
-type radius
[-ip ipaddr]
[-port port]
[-secret secret]
-type tacacs
[-ip ipaddr]
[-port port]
[-secret secret]
[-encrypt {enable, disable}]
-type web
[-protocol {http, https} -port port]
[-forwardhttp {enable, disable}]
[-ssl-cert certfile -ssl-key keyfile]
-type transfer
-password password
-type support
-password password
Configures access parameters. The first two forms enable Radius and TACACS+ authentication, respectively. The third
form sets the Web UI parameters. The forth form sets a password for the transfer account, which is used for
transferring files. The last form sets a password for the support account.
list certificate-files
Syntax: list certificate-files
citrix.com 704
System Status
enable unit
Syntax: enable unit
disable unit
Syntax: disable unit
enable acceleration
Syntax: enable acceleration
disable acceleration
Syntax: disable acceleration
enable traffic-shaping
Syntax: enable traffic-shaping
disable traffic-shaping
Syntax: disable traffic-shaping
enable ica-multi-stream
Syntax: enable ica-multi-stream
disable ica-multi-stream
Syntax: disable ica-multi-stream
show system-status
Syntax: show system-status
citrix.com 705
Ethernet Configuration
set interface
Syntax: set interface
Sets the speed and duplex parameters for the specified Ethernet port.
show interface
Syntax: show interface
Displays the Ethernet speed and duplex settings of all Ethernet ports, or, optionally, a single specified port.
citrix.com 706
Bandwidth Configuration
show bandwidth
Syntax: show bandwidth
Displays the bandwidth limits and other information from the Web UIs Bandwidth Management page.
set bandwidth
Syntax: set bandwidth
Sets the bandwidth limits and other bandwidth management settings. These parameters are the same as those on the
Web UIs Bandwidth Management page. The -schedule and -per-remote-unit settings are meaningful only with
hardboost. The -min-rate setting is meaningful only with partial bandwidth.
citrix.com 707
Link Configuration
show links
Syntax: show links
[-verbose]
Displays all of the currently defined links. The verbose parameter if specified will output a detailed listing of the settings
for each link being displayed.
show link
Syntax: show link
-name name
Displays a detailed listing of the settings for the link specified by the name parameter.
rename link
Syntax: rename link
-old oldname
-new newname
remove link
Syntax: remove link
remove link-filter
Syntax: remove link-filter
-link name
{-all, -filter-position number}
Removes either all link filters for the specified link or the filter at the position specified by 'number'.
Valid filter positions range from 1 to N (where N is the number of filters in the current list).
move link
Syntax: move link
-name name
{ -direction {up, down} -count count,
-position {bottom, top, number} }
Moves the named link either relative to the current position (using the direction parameter) or absolutely (using the
position parameter).
Valid integer positions range from 1 to N (where N is the number of links in the current list).
add link
Syntax: add link
citrix.com 708
-max-in-bandwidth rate [{bps, kbps, mbps, gbps}]
-max-out-bandwidth rate [{bps, kbps, mbps, gbps}]
{-match-all-traffic, filter-criteria-list}
where filter-criteria-list is
Creates a new link with the specified name, type, bandwidth rates and a single filter rule which can be either a
match all traffic type rule or a rule based upon the criteria specified for adapters, source-ips, destination-ips, VLANs,
WCCP service groups, source macs and destination macs. Double quotes can be used as delimiters for the link name
(which may contain spaces).
If no position parameter is specified, the new link will be inserted at the top of the current list of links. Valid position
arguments are top, bottom or a number in the range from 1 to N (where N is the number of links in the
current list). To add an entry to the bottom of the list specify bottom.
The units for the bandwidth rate will default to mbps if nothing is specified. Bandwidth rates must be at least 56
kbps and cannot exceed 1 Gbps. If the match all traffic filter rule is not specified, then at least one
filter criteria option must be specified.
VLANs are specified by VLAN group numbers which range from 1 to 4094. WCCP service group values range from 51
to 99. MAC addresses should be entered as 2 digit hex terms separated by -s, for example, 00-0C-F1-
56-98-AD.
add link-filter
Syntax: add link-filter
-link name
[-filter-position {bottom, top, number}]
[-adapters ([-exclude] adapter-name),...]
[-source-ips ([-exclude] ip),...]
[-destination-ips ([-exclude] ip),...]
[-vlans ([-exclude] vlan),...]
[-wccp-service-groups ([-exclude] id),...]
[-source-macs ([-exclude] mac),...]
[-destination-macs ([-exclude] mac),...]
Creates a new link filter in the link specified by the name parameter. If no filter position parameter is specified, the new
filter will be inserted at the bottom of the current list of filters. If a filter position is specified, then the new filter will be
inserted at that position in the list. Valid integer positions range from 1 to N (where N is the number of filters in the list).
For the adapters, source-ips, destination-ips, VLANs, WCCP-service-groups, source-macs, and destination-macs
parameters, if a setting is not provided, then any value for these fields will be considered a match. All of these
parameters provide the ability to specify a comma separated list of items. Each item may indicate that instead of a
match operation on the item being performed that an exclude operation is done instead.
VLANs are specified by VLAN group numbers which range from 1 to 4094. WCCP service group values range from 51
to 99. MAC addresses should be entered as 2 digit hex terms separated by -s, for example, 00-0C-F1-
56-98-AD.
set link
Syntax: set link
-name name
[-type {LAN, WAN}]
[-max-in-bandwidth rate [{bps, kbps, mbps, gbps}]]
[-max-out-bandwidth rate [{bps, kbps, mbps, gbps}]]
Changes the definition of an existing link. Double quotes can be used as delimiters for the link name (which may contain
spaces). At least one of the link attributes must be set.
citrix.com 709
The units for the bandwidth rate will default to mbps if nothing is specified. Bandwidth rates must be at least 56
kbps and cannot exceed 1 Gbps.
set link-filter
Syntax: set link-filter
-link name
-filter-position number
{-match-all-traffic, filter-criteria-list}
where filter-criteria-list is
Change the definition of the existing link filter specified by the name and filter-position parameters. Multiple filter settings
may be changed at once and the other settings will be left unchanged. At least one of the link filter attributes must be
set. Valid filter positions range from 1 to N (where N is the number of filters in the list).
VLANs are specified by VLAN group numbers which range from 1 to 4094. WCCP service group values range from 51
to 99. MAC addresses should be entered as 2 digit hex terms separated by -s, for example, 00-0C-F1-
56-98-AD.
citrix.com 710
Service Class Configuration
show service-classes
Syntax: show service-classes
Displays either all the currently defined service classes, only the modified ones, or only the ones with names that have
been requested. The verbose parameter if specified will output a detailed listing of the settings for each service class
being displayed.
show service-class
Syntax: show service-class
-name name
Displays a detailed listing of the settings for the service class specified by the name parameter.
enable service-class
Syntax: enable service-class
-name name
Enables the service class specified by the name parameter. By default newly created service classes are disabled so
that filter rules can be added.
disable service-class
Syntax: disable service-class
-name name
Disables the service class specified by the name parameter. Disabled service classes will not match any connections
and therefore will not provide any acceleration.
rename service-class
Syntax: rename service-class
-old oldname
-new newname
remove service-class
Syntax: remove service-class
remove service-class-filter
Syntax: remove service-class-filter
-service-class name
{-all, -filter-position number}
Removes either all filters for the specified service class or the filter at the position specified by number.
Valid filter positions range from 1 to N (where N is the number of filters in the list).
citrix.com 711
move service-class
Syntax: move service-class
-name name
{ -direction {up, down} -count count,
-position {bottom, top, number} }
Moves the named service class either relative to the current position (using the direction parameter) or absolutely (using
the position parameter).
Valid integer positions range from 1 to N (where N is the number of service classes in the list).
add service-class
Syntax: add service-class
Creates a new service class with the specified acceleration type and traffic shaping policy. Double quotes can be used
as delimiters for the service class name (which may contain spaces). A newly added service class will always be
created in a disabled state and must have at least one service class filter added to it before it can be enabled.
If no position parameter is specified, the new service class will be inserted at the top of the current list of service
classes. Valid integer positions range from 1 to N (where N is the number of service classes in the list).
The specified traffic shaping policy will be used for this service class on all links. Per-link traffic shaping policies only
need to be specified for links which have a traffic shaping policy that is different for this service class than the policy
specified by the -traffic-shaping-policy setting.
add service-class-filter
Syntax: add service-class-filter
-service-class name
[-filter-position {bottom, top, number}]
[-bidirectional {enable, disable}]
[-applications ([-exclude] name),...]
[-source-ips ([-exclude] ip),...]
[-destination-ips ([-exclude] ip),...]
[-diffserv-dscps ([-exclude] dscp),...]
[-vlans ([-exclude] vlan),...]
[-ssl-profiles ([-exclude] profile),...]
Creates a new service class filter in the service class specified. If no filter position parameter is specified, the new filter
will be inserted at the bottom of the current list of filters. If a filter position is specified, then the new filter will be inserted
at that position in the list. Valid integer positions range from 1 to N (where N is the number of filters in the list).
If the bi-directional parameter is enabled then the filter will also match connection setup messages that have a source IP
address that matches the filters destination-ips setting and a destination IP address that matches the filters
source-ips setting. Please note that this setting only applies to which connections can be accelerated, it does not apply
to traffic shaping.
For the applications, source-ips, destination-ips, diffserv-dscps and vlans parameters, if a setting is not provided, then
any value for these fields will be considered a match.
All of these parameters provide the ability to specify a comma separated list of items. Each item may indicate that
instead of a match operation on the item being performed that an exclude operation is done instead.
Valid DiffServ DSCP values range from 0 to 63. VLANs are specified by VLAN group numbers which range from 1 to
4094. SSL profile names which are specified must already be configured in the system or they will be rejected.
At least one ssl profile name must be configured in the ssl-profiles parameter for SSL connections to be matched.
set service-class
citrix.com 712
Syntax: set service-class
-name name
[-acceleration {disk, flow-control, memory, none}]
[-traffic-shaping-policy {default, policy}]
[-per-link-policies (link-name policy-name),...]
Changes the definition of an existing service class. Double quotes can be used as delimiters for the service class name
(which may contain spaces). At least one of the service class attributes must be set.
The specified traffic shaping policy will be used for this service class on all links. Per-link traffic shaping policies only
need to be specified for links which have a traffic shaping policy that is different for this service class than the policy
specified by the -traffic-shaping-policy setting.
set service-class-filter
Syntax: set service-class-filter
-service-class name
-filter-position number
{-match-all-traffic, filter-criteria-list}
where filter-criteria-list is
Change the definition of the existing service class filter rule specified by the name and filter-position parameters. Valid
filter positions range from 1 to N (where N is the number of filters in the current list).
Multiple filter settings may be changed at once and the other settings will be left unchanged. At least one of the service
class filter attributes must be set.
If the bi-directional parameter is enabled then the filter will also match connection setup messages that have a source IP
address that matches the filters destination-ips setting and a destination IP address that matches the filters
source-ips setting. Please note that this setting only applies to which connections can be accelerated, it does not apply
to traffic shaping.
Valid DiffServ DSCP values range from 0 to 63. VLANs are specified by VLAN group numbers which range from 1 to
4094. SSL profile names which are specified must already be configured in the system or they will be rejected.
citrix.com 713
Traffic Shaping Configuration
show traffic-shaping-policies
Syntax: show traffic-shaping-policies
show traffic-shaping-policy
Syntax: show traffic-shaping-policy
add traffic-shaping-policy
Syntax: add traffic-shaping-policy
-name name
-priority integer
[-ica-realtime-priority integer]
[-ica-interactive-priority integer]
[-ica-bulk-transfer-priority integer]
[-ica-background-priority integer]
[-optimize-voice {enable, disable}]
[-diffserv {integer, disabled}]
[-ica-realtime-diffserv {integer, disabled}]
[-ica-interactive-diffserv {integer, disabled}]
[-ica-bulk-transfer-diffserv {integer, disabled}]
[-ica-background-diffserv {integer, disabled}]
[-limit-bandwidth {by-percent, by-rate}
-max-in integer -max-
Add a new traffic shaping policy. Double quotes can be used as delimiters for the name (which may contain spaces).
Valid priority values range from 1 to 256. DiffServ values are specified by DSCP codes which range from 0 to 63.
Bandwidth may be limited by percent which can range from 1 to 99 or by kbps rate which can range from 56 to 1000000.
set traffic-shaping-policy
Syntax: set traffic-shaping-policy
-name name
-priority integer
[-ica-priorities {enable, disable}]
[-ica-realtime-priority integer]
[-ica-interactive-priority integer]
[-ica-bulk-transfer-priority integer]
[-ica-background-priority integer]
[-optimize-voice {enable, disable}]
[-diffserv {integer, disabled}]
[-ica-diffserv {enable, disable}]
[-ica-realtime-diffserv {integer, disabled}]
[-ica-interactive-diffserv {integer, disabled}]
[-ica-bulk-transfer-diffserv {integer, disabled}]
[-ica-background-diffserv {integer, disabled}]
[-limit-bandwidth {by-percent, by-rate}
-max-in integer -max-
Modify an existing traffic shaping policy. Double quotes can be used as delimiters for the name (which may contain
spaces).
Valid priority values range from 1 to 256. DiffServ values are specified by DSCP codes which range from 0 to 63.
Bandwidth may be limited by percent which can range from 1 to 99 or by kbps rate which can range from 56 to 1000000.
rename traffic-shaping-policy
citrix.com 714
Syntax: rename traffic-shaping-policy
-old oldname
-new newname
remove traffic-shaping-policy
Syntax: remove traffic-shaping-policy
Remove one or all traffic shaping policies. Some traffic shaping policies (e.g. Default Traffic Shaping Policy) are not
permitted to be removed.
clear traffic-shaping-policy-stats
Syntax: clear traffic-shaping-policy-stats
citrix.com 715
SNMP Configuration
show snmp
Syntax: show snmp
enable snmp
Syntax: enable snmp
disable snmp
Syntax: disable snmp
show snmp-system-mib
Syntax: show snmp-system-mib
Displays the current name, location, contact, and authentication failure trap settings.
set snmp-system-mib
Syntax: set snmp-system-mib
[-name name]
[-location location]
[-contact name]
[-auth-fail-trap {enable, disable}]
Sets the SNMP name of the appliance, its location, the contact persons name, and whether to enable
authentication failure traps. Double quotes can be used as delimiters for string fields (which may contain spaces).
show snmp-manager
Syntax: show snmp-manager
[-id id]
Displays the current SNMP manager entries. If -id is specified, only that SNMP manager is displayed.
add snmp-manager
Syntax: add snmp-manager
-community name
-ip addr
[-netmask {0, 4, 8, 12, 16, 20, 24, 28, 32}]
Enables access to SNMP functions by remote systems on the specified subnets and with the specified community
name. Double quotes can be used as delimiters for string fields (which may contain spaces).
remove snmp-manager
Syntax: remove snmp-manager
citrix.com 716
-community name
-ip addr
[-netmask {0, 4, 8, 12, 16, 20, 24, 28, 32}]
Removes the specified SNMP manager entry, or all SNMP manager entries. Double quotes can be used as delimiters
for string fields (which may contain spaces).
show snmp-trapdest
Syntax: show snmp-trapdest
-id id
add snmp-trapdest
Syntax: add snmp-trapdest
-name name
-ip addr
[-port port]
[-version {v1, v2c}]
Adds a new SNMP trap destination. Double quotes can be used as delimiters for string fields (which may contain
spaces).
remove snmp-trapdest
Syntax: remove snmp-trapdest
Removes the SNMP trap destination define by name or ID, or all SNMP trap destinations. Double quotes can be used
as delimiters for string fields (which may contain spaces).
citrix.com 717
Alert Configuration
show alert-configuration
Syntax: show alert-configuration
[-name alertname]
-retention
Displays the settings of the Alert system, or optionally of a single, named Alert. Equivalent to the information on the Alert
Configuration page. With -retention, the Alert Retention Time is displayed.
set alert-configuration
Syntax: set alert-configuration
-name name
-level {alerted, logged, disable, default}
[-threshold integer]
Sets parameters for individual, named Alerts, or sets global parameters. Equivalent to the Alert Configuration page. The
-retention option sets the alert timeout value in seconds, while the -verbose option allows verbose or non-verbose
reporting to be selected. The -threshold option is used to specify alerting thresholds. Not all alerts support a threshold.
reset alert-configuration
Syntax: reset alert-configuration
clear application-counters
Syntax: clear application-counters
show applications
Syntax: show applications
show application
Syntax: show application
This command shows the configuration information of the selected application. The parameter -id selects the application
listed on the show applications output.
add application
Syntax: add application
-name name
[-description description]
[-group application group]
[-classification-type ethertype, ica-published-app, ip, tcp, udp, web-address]
[-classification-parameters classification parameters]
citrix.com 718
rename application
Syntax: rename application
-old old-application-name
-new new-application-name
remove application
Syntax: remove application
set application
Syntax: set application
-name name
[-description description]
[-group application group]
[-classification-type ethertype, ica-published-app, ip, tcp, udp, web-address]
[-classification-parameters classification paramenters]
citrix.com 719
WCCP Configuration
show wccp
Syntax: show wccp
[-id id]
Displays the current settings for all WCCP service groups, or optionally only for the service group specified with -id.
enable wccp
Syntax: enable wccp
Global WCCP enable. Not effective unless acceleration is enabled and at least one WCCP service group is defined.
disable wccp
Syntax: disable wccp
add wccp
Adds a new WCCP service-group definition. The parameters are the same as those on the WCCP Configuration page
on the Web UI.
Syntax: add wccp
-id id
[-accelerated-pair {apa, apb}]
-router-communication unicast
-address addr1[,...,addrN]
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-state {enable, disable}]
[-priority number]
[-protocol {tcp, udp}]
-id id
[-accelerated-pair {apa, apb}]
-router-communication multicast
-address addr
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-router-return {auto, gre, level-2}]
[-time-to-live number]
[-state {enable, disable}]
[-priority number]
[-protocol {tcp, udp}]
-accelerated-pair = apa
-router-assignment = hash
-router-forwarding = auto
-router-return = auto
-time-to-live = 1
-state = enable
-priority = 0
-protocol = tcp
set wccp
Syntax: set wccp
-id id
[-accelerated-pair {apa, apb}]
citrix.com 720
[
-router-communication unicast
-address addr1[,...,addrN]
]
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-state {enable, disable}]
[-priority number]
[-protocol {tcp, udp}]
-id id
[-accelerated-pair {apa, apb}]
[
-router-communication multicast
-address addr
]
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-router-return {auto, gre, level-2}]
[-time-to-live number]
[-state {enable, disable}]
[-priority number]
[-protocol {tcp, udp}]
Alters an existing WCCP service-group definition. The parameters are the same as those on the WCCP Configuration
page on the Web UI.
remove wccp
Syntax: remove wccp
Deletes all WCCP service groups or (with -id) only the specified service group number.
citrix.com 721
Logging
show syslog
Syntax: show syslog
set syslog
Syntax: set syslog
-ip addr
[-port port]
Sets the IP address of the syslog server, and optionally the port number.
enable syslog
Syntax: enable syslog
disable syslog
Syntax: disable syslog
show log
Syntax: show log
[-stats]
[-options]
Shows the current logfile configurations and disk usage statistics. With -stats, only the usage statistics are shown. With -
options, only the configuration is shown. The information here is equivalent to the Log Configuration page in the Web UI.
set log
Syntax: set log
[-max-size megabytes]
[-display-lines lines]
[-max-export-lines lines]
[-system {enable, disable}]
[-adapter {enable, disable}]
[-flow {enable, disable}]
[-connection {enable, disable}]
[-openclose {enable, disable}]
[-text {enable, disable}]
[-alert {enable, disable}]
Sets the display parameters for the View Logs page. The settings here correspond to those on the Configure Logs page.
extract log
Syntax: extract log
-by-record
-from number
-to number
-records number
-format {text, xml}
-type {system, adapter, slow-flow, fast-flow, flow, connection,
open, close, open-close, text, alert, all}
citrix.com 722
-eol {lf, crlf, cr}
[-file filename]
-by-datetime
-from yyyy-mm-dd [hh:mm[:ss]]
-to yyyy-mm-dd [hh:mm[:ss]]
-records number
-format {text, xml}
-type {system, adapter, slow-flow, fast-flow, flow, connection,
open, close, open-close, text, alert, all}
-eol {lf, crlf, cr}
[-file filename]
Extracts the selected records to file filename. This command has the same parameters as that on the View Logs
page on the Web UI.
clear logs
Syntax: clear logs
Removes all log records, similar to the Remove All Log Records button in the Web UI.
list log-extracted-files
Syntax: list log-extracted-files
citrix.com 723
Proxy Configuration
show proxy
Syntax: show proxy
add proxy
Syntax: add proxy
Adds a new proxy definition. This command has the same parameters as that on the Proxy page on the Web UI.
remove proxy
Syntax: remove proxy
Removes a proxy definition. -local specifies which proxy definition to remove. -all specifies that all proxy definitions
should be removed.
citrix.com 724
Client Configuration
show client-rule
Syntax: show client-rule
[-id id]
Displays a client acceleration rule. If -id is omitted, all client rules are displayed.
add client-rule
Syntax: add client-rule
Adds a client acceleration rule. This command has the same parameters as those on the Client Acceleration Rules page
of the Web UI.
remove client-rule
Syntax: {-all, -id id}
Removes a client acceleration rule. -id specifies which rule to remove. -all specifies that all rules should be removed.
show signaling-channel
Syntax: show signaling-channel
enable signaling-channel
Syntax: enable signaling-channel
disable signaling-channel
Syntax: disable signaling-channel
set signaling-channel
Syntax: set signaling-channel
[-ip ipaddr]
[-port port]
[-mode {redirector, transparent}]
Sets the Client Signaling Channel options. This command has the same parameters as those on the Client Signaling
Channel Configuration page of the Web UI.
show client-settings
Syntax: show client-settings
set client-settings
Syntax: set client-settings
citrix.com 725
[-upgrade-notify {enable, disable}]
[-upgrade-url url]
[-diag-ftp-server server]
[-diag-ftp-port port]
[-diag-ftp-user user]
[-diag-ftp-password password]
[-diag-ftp-directory directory]
[-diag-email email]
[-diag-popups {enable, disable}]
[-diag-uploads {enable, disable}]
Sets the Client General Configuration options. This command has the same parameters as those on the Client General
Configuration page of the Web UI.
citrix.com 726
Group Mode Configuration
show group-mode
Syntax: show group-mode
enable group-mode
Syntax: enable group-mode
-type peer
-member-ip ipaddr
-type rule
{-all, -id id}
Enables a group forwarding rule. -id specifies which rule to enable. -all specifies that all rules should be enabled.
disable group-mode
Syntax: disable group-mode
-type peer
-member-ip ipaddr
-type rule
{-all, -id id }
Disables a group forwarding rule. -id specifies which rule to disable. -all specifies that all rules should be disabled.
set group-mode
Syntax: set group-mode
Enables or disables group mode options. This command has the same parameters as that on the Group Mode page on
the Web UI.
Syntax: set group-mode
-type local
-adapter {apa, apb, primary}
Sets the adapter parameter of the local group mode. This command has the same parameters as that on the Group
Mode page on the Web UI.
add group-mode
Syntax: add group-mode
citrix.com 727
-type peer
-member-ip ipaddr
-state {enable, disable}
-common-name name
[-ha-common-name name]
Adds a group mode peer. This command has the same parameters as that on the Group Mode page on the Web UI.
Syntax: add group-mode
-type rule
-member-ip ipaddr
-subnet subnet
-ports port-range
[-forwarded-if {match, not-match}]
[-state {enable, disable}]
Adds a group forwarding rule. This command has the same parameters as that on the Group Mode page on the Web UI.
remove group-mode
Syntax: remove group-mode
-type peer
{-all, -member-ip ipaddr}
Removes a group mode peer. -member-ip specifies which peer to remove. -all specifies that all peers should be
removed.
Syntax: remove group-mode
-type rule
{-all, -id id}
Removes a group forwarding rule. -id specifies which rule to remove. -all specifies that all rules should be removed.
citrix.com 728
SSL Configuration
add ssl-profile
Syntax: add ssl-profile
-name profile-name
[-state {enable, disable}]
-proxy-type transparent
[-virtual-hostname hostname]
-private-key private-key-name
Adds an SSL profile for transparent proxy mode. This command has the same parameters as that on the Profile tab of
the SSL Settings page on the Web UI.
Syntax: add ssl-profile
-name profile-name
[-state {enable, disable}]
-proxy-type split
[-virtual-hostname hostname]
-cert-key cert-key-pair-name
[-build-cert-chain {enable, disable}]
[-cert-chain-store {use-all-configured-CA-stores, store-name}]
[-cert-verification {none, Signature/Expiration, Signature/Expiration/
Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}]
[-verification-store {use-all-configured-CA-stores, store-name}]
[-server-side-protocol {SSL-version-2, SSL-version-3,
SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-server-side-ciphers ciphers]
[-server-side-authentication {enable, disable}]
[-server-side-cert-key cert-key-pair-name]
[-server-side-build-cert-chain {enable, disable}]
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style,
compatible}]
[-client-side-protocol-version {SSL-version-2, SSL-version-3,
SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-client-side-ciphers ciphers]
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style,
compatible}]
Adds an SSL profile for split proxy mode. This command has the same parameters as that on the Profile tab of the SSL
Settings page on the Web UI.
set ssl-profile
Syntax: set ssl-profile
-name profile-name
[-state {enable, disable}]
[-proxy-type transparent]
[-virtual-hostname hostname]
[-private-key private-key-name]
-name profile-name
[-state {enable, disable}]
[-proxy-type split]
[-virtual-hostname hostname]
[-cert-key cert-key-pair-name]
[-build-cert-chain {enable, disable}]
[-cert-chain-store {use-all-configured-CA-stores, store-name}]
[-cert-verification {none, Signature/Expiration, Signature/Expiration/
Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}]
[-verification-store {use-all-configured-CA-stores, store-name}]
[-server-side-protocol {SSL-version-2, SSL-version-3,
SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-server-side-ciphers ciphers]
[-server-side-authentication {enable, disable}]
citrix.com 729
[-server-side-cert-key cert-key-pair-name]
[-server-side-build-cert-chain {enable, disable}]
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style,
compatible}]
[-client-side-protocol-version {SSL-version-2, SSL-version-3,
SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-client-side-ciphers ciphers]
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style,
compatible}]
show ssl-profiles
Syntax: show ssl-profiles
Shows name, profile type, and state of all SSL profiles created.
show ssl-profile
Syntax: show ssl-profile
remove ssl-profile
Syntax: remove ssl-profile
Removes SSL profile. -id and -name specifies which profile to remove. -all specifies that all profiles are to be removed.
rename ssl-profile
Syntax: rename ssl-profile
-old old-profile-name
-new new-profile-name
show ssl-optimization
Syntax: show ssl-optimization
enable ssl-optimization
Syntax: enable ssl-optimization
disable ssl-optimization
Syntax: disable ssl-optimization
show ssl-secure-peer-connections
Syntax: show ssl-secure-peer-connections
citrix.com 730
show ssl-ca-store
Syntax: show ssl-ca-store
-name ca-store-name
show ssl-ca-stores
Syntax: show ssl-ca-stores
Shows summary information (name, expiration date, certificate count) on all SSL Certificate Authority certificates.
show ssl-cert-key-pair
Syntax: show ssl-cert-key-pair
-name cert-key-pair-name
show ssl-cert-key-pairs
Syntax: show ssl-cert-key-pairs
Shows summary information (name, expiration date, certificate count, key type) on all configured SSL certificate/key
pairs.
show ssl-disk-encryption
Syntax: show ssl-disk-encryption
show ssl-keystore
Syntax: show ssl-keystore
show ssl-peer-auto-discovery
Syntax: show ssl-peer-auto-discovery
show ssl-peer-connect-to
Syntax: show ssl-peer-connect-to
show ssl-peer-listen-on
Syntax: show ssl-peer-listen-on
add ssl-ca-store
Syntax: add ssl-ca-store
[-name name]
-file ca-certificate-filename
citrix.com 731
remove ssl-ca-store
Syntax: remove ssl-ca-store
-name name
add ssl-cert-key-pair
Syntax: add ssl-cert-key-pair
-name certificate/key-pair-name
{(-type combined
-file certificate/key-pair-filename),
(-type separate
-key-file key-filename
-cert-file cert-filename)}
[-key-password password]
[-file-password password]
remove ssl-cert-key-pair
Syntax: remove ssl-cert-key-pair
-name certificate/key-pair-name
add ssl-peer-auto-discovery-publish-item
Syntax: add ssl-peer-auto-discovery-publish-item
-ip-port ipaddr:port
remove ssl-peer-auto-discovery-publish-item
Syntax: remove ssl-peer-auto-discovery-publish-item
add ssl-peer-connect-to-item
Syntax: add ssl-peer-connect-to-item
-ip-port ipaddr:port
remove ssl-peer-connect-to-item
Syntax: remove ssl-peer-connect-to-item
add ssl-peer-listen-on-item
Syntax: add ssl-peer-listen-on-item
-ip-port ipaddr:port
citrix.com 732
Adds an SSL peer listen on CloudBridge IP address/port.
remove ssl-peer-listen-on-item
Syntax: remove ssl-peer-listen-on-item
add ssl-secure-peer-connections-item
Syntax: add ssl-secure-peer-connections-item
-cert-verification Signature/Expiration/Common-Name-Black-List
-item black-list-item
Adds an additional SSL peer security black list item. The first black list item was configured with the set ssl-secure-
peer-connections command.
Syntax: add ssl-secure-peer-connections-item
-cert-verification Signature/Expiration/Common-Name-White-List
-item white-list-item
Adds an additional SSL peer security white list item. The first white list item was configured with the set ssl-secure-
peer-connections command.
remove ssl-secure-peer-connections-item
Syntax: remove ssl-secure-peer-connections-item
Removes one or all SSL peer security white list or black list entries.
set ssl-cert-key-pair
Syntax: set ssl-cert-key-pair
-name certificate/key-pair-name
-action {add|replace}
-cert-key {DSA|RSA}
{(-type combined
-file certificate/key-pair-filename),
(-type separate
-key-file key-filename
-cert-file cert-filename)}
[-key-password password]
[-file-password password]
set ssl-keystore
Syntax: set ssl-keystore
-password new-password
-old-password old-password
set ssl-secure-peer-connections
Syntax: set ssl-secure-peer-connections
-cert-key-name cert-key-name
-ca-cert-store ca-cert-store-name
-cert-verification {None,Signature}
-cipher ssl-cipher-specification
citrix.com 733
Syntax: set ssl-secure-peer-connections
-cert-key-name cert-key-name
-ca-cert-store ca-cert-store-name
-cert-verification Signature/Expiration/Common-Name-Black-List
-item black-list-item-1
-cipher ssl-cipher-specification
Specifies the SSL peer configuration, where peer security certificate verification is a black list. The first black list entry is
specified here, additional entries may be added using the add ssl-secure-peer-connections-item command.
Syntax: set ssl-secure-peer-connections
-cert-key-name cert-key-name
-ca-cert-store ca-cert-store-name
-cert-verification Signature/Expiration/Common-Name-White-List
-item white-list-item-1
-cipher ssl-cipher-specification
Specifies the SSL peer configuration, where peer security certificate verification is a white list. The first white list entry is
specified here, additional entries may be added using the add ssl-secure-peer-connections-item command.
citrix.com 734
Test Mode Commands
clear compression-stats
Syntax: clear compression-stats
This command will clear the compression statistics, similar to the Clear button in the Compression
Status section of the Web UI.
clear compression-history
Syntax: clear compression-history
This command will reset the compression history content, similar to a Compression history content_reset
command given to console.php.
show object
Syntax: show object -class class [-name name]
set object
Syntax: set object -class class -name name -value value
citrix.com 735
Video Caching
enable videocaching
Syntax: enable videocaching
disable videocaching
Syntax: disable videocaching
add videocaching
Syntax: add videocaching
-state [enable|disable|exclude]
remove videocaching
Syntax: remove videocaching
dns-suffix
Video-sourceRemoves video source from the appliance. Removing a video source removes the
related videos from the cache.
dns-suffixRemoves the DNS suffix you have added for the URLs.
Listen-portsRemoves the specified ports from the listen ports list.
set videocaching
Syntax: set videocaching
-max-object-size [100|200|300]
-x-forwarded-for [enable|disable]
dns-suffixSuffixes domain name to the URLs that do not have complete domain name.
Max-object-sizeSets the maximum size limit for the video object that can be cached.
X-forwarded-for adds the client IP address to the X-Forwarded-For header of all HTTP requests
that the appliance proxies.
PolicyUpdates video caching policy file.
show videocaching
Syntax: show videocaching
[config|stats]
citrix.com 736
Displays details of the video caching configuration or statistics.
clear videocaching
Syntax: clear videocaching
[cache|stats]
citrix.com 737
Glossary
Text for Glossary
|A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|
A
Accelerated bridge
Two ports on a bypass Ethernet card that are used as a two-port Ethernet bridge, performing inline-mode
acceleration.
Accelerated port
One of the two ports on an accelerated bridge.
Acceleration
The process of making network operations finish more quickly.
Acceleration Modes
Different modes of accelerated TCP. Two CloudBridge acceleration modes are supported: hardboost and softboost.
Acceleration policy
An entity specifying how to accelerate a given connection: no acceleration, flow-control only, memory based
compression, disk based compression.
Accelerator
Something that accelerates IP traffic: namely, a CloudBridge appliance or virtual machine. In the case of the
CloudBridge 4000/5000, this applies to the management (broker) instance and the accelerator instances taken as a
unit.
Accelerator instance
Refers to an accelerator in the form of a virtual machine. Such accelerators are used in the CloudBridge VPX, 400,
800, 2000, 3000, 4000 and 5000.
Appliance
A NetScaler or CloudBridge hardware product.
Application classifier
The part of the traffic shaper that determines which application a given data stream belongs to.
Asymmetric routing
A routing configuration that does not support acceleration unless additional steps are taken. For acceleration to
function properly, all packets for a given connection, in both directions, must pass through the appliance. If all packets
for a given connection pass over the same WAN link, there is no asymmetry. If the packets for a given connection are
distributed over more than one WAN link, there is asymmetry.
Autodetection
The process of detecting an acceleration partner through the presence of characteristic IP or TCP header fields.
Auto-negotiation
The process by which two appliances decide on the data rate and compression method to use for communication with
each other.
Auto-optimization
Zero-configuration optimization based on CloudBridge auto-detection and auto-negotiation.
Auxiliary port
One of the motherboard ports on a CloudBridge appliance
B
Branch office
citrix.com 738
An office smaller than a datacenter or a regional office, generally with 10 Mbps of WAN capacity or less, and assumed
to have no IT personnel on site.
Branch Repeater
A CloudBridge appliance intended only for use in branch offices.
Bypass card
An Ethernet adapter with bypass (fail-to-wire) capability between pairs of ports
Bypass mode
CloudBridge operational mode that does not accelerate traffic. Either the bypass relay is closed on the accelerated
bridge, bypassing the rest of the appliance, or acceleration is disabled, which leaves bridging active.
C
Caching
The act of saving a copy of data for possible future use.
CloudBridge
A Citrix product that accelerates IP data transmission between two locations or between a location and a cloud.
Available as a physical appliance or as a virtual instance on a CloudBridge 4000/5000 appliance. Not to be confused
with the old CloudBridge IPSec tunnel (now called CloudBridge Connector), which is an unrelated NetScaler feature.
CloudBridge 2000/3000
Mid-range CloudBridge appliances.
CloudBridge 4000/5000
High-end CloudBridge appliances, characterized by multiple accelerator instances.
CloudBridge accelerator
Same as "accelerator."
CloudBridge connector
A NetScaler feature that creates an IPSec tunnel to another NetScaler. Unrelated to the CloudBridge accelerator.
CloudBridge partner
The CloudBridge unit at the other end of the link. Acceleration requires a CloudBridge unit at each end of the link. The
accelerator at the remote end of the link is the parter of the accelerator at the local end of the link.
CloudBridge Plug-in
An accelerator in the form of a Windows service. Provides client-side but not server-side acceleration. Intended largely
for laptops that use a VPN to connect remotely to a corporate network.
CloudBridge VPX
A CloudBridge instance packaged as a downloadable product for use in customer servers.
Compression
The process of reducing the data stream by encoding it in a way that removes redundancy.
Compression engine
The portion of the accelerator that performs compression and decompression.
Compression ratio
The ratio of uncompressed payload to compressed payload.
Configuration synchronization
The act of copying appliance configuration to relevant partners: high availability partners, group mode partners, or, in
a CloudBridge 4000/5000 appliance, other accelerator instances.
Connection termination
One end of a connection. Connections terminate at the client and the server. If a proxy is used, the connection also
terminates at the proxy.
citrix.com 739
Connector tunnel
The IPSec tunnel created by the NetScaler CloudBridge Connector feature.
Crypto license
A CloudBridge license that enables secure peering and features that depend on secure peering.
D
Datacenter
A site with servers and full-time IT personnel.
Device
A hardware product, usually from a company other than Citrix. For the Citrix Command Center product, device refers
to any entity being managed by Command Center.
E
End-around packet
F
Factory reset
A command to restore an appliance to near-factory state, destroying its previous configuration and taking it off the
network. Not to be confused with "reset to defaults."
Failover
The process by which one appliance in a high-availability pair takes control when the other appliance seems to have
failed.
Fail-to-wire (FTW)
Ethernet bypass, where loss of power or functionality causes the two ports of an Ethernet bridge to be connected via a
relay
Fast Ethernet
100 Mbps Ethernet.
forwarding modes
Methods of moving packets between the appliance and the network (for example, inline, WCCP, and virtual inline).
G
Generic Routing Encapsulation (GRE)
An IP protocol.
Group mode
A method of getting two appliances in two nearby datacenters with two separate links to behave as if they were a
single appliance. Rarely used.
H
Hardboost mode
An acceleration mode that uses rate-based TCP sender and rate negotiation with the partner appliance to decide the
speed at which to send traffic. Self-clocking, slow-start, and congestion avoidance algorithms are not used.
Health monitoring
Any method that detects whether a partner device is operational.
Heartbeat
A packet stream between the members of an HA pair, loss of which implies failure.
citrix.com 740
I
Inline mode
The accelerator's bridged mode, in which the accelerator masquerades as an Ethernet switch, performing acceleration
transparently to the customer's routing infrastructure.
IPSec tunnel
An encrypted, authenticated packet tunnel conforming to the IPSec standard.
J
Jitter
Variability in latency from one packet to another within the same data stream.
K
Kerberos
A computer network authentication protocol.
L
L2 mode
In WCCP, connections that use simple routing instead of GRE encapsulation.
Latency
Packet delay, usually stated in terms of round-trip time (RTT).
Link definitions
The user-defined rules that distinguish LAN from WAN traffic, and, if multiple WANs are present, distinguishe one
WAN's traffic from another.
Link-down propagation
A technique that, when Ethernet carrier is lost on one port, drops Ethernet carrier on the other ports so the router can
detect0 that connectivity was lost on the far side of the appliance.
M
Management IP address
The main IP address for an accelerated bridge.
Management service
A virtual machine that provides maintenance features on appliances, such as the CloudBridge 2000, that provide the
accelerator as a virtual machine.
Management subnet
A subnet that is used for management but not for accelerated data.
N
NetScaler instance
The NetScaler VPX instance on a CloudBridge 4000/5000 appliance.
O
One-arm mode
A non-bridged mode: WCCP, virtual inline, or redirector.
Optimization
citrix.com 741
Used as a synonym for "acceleration."
P
Pass-through traffic
Traffic that passes through the accelerator but is not accelerated. Includes non-TCP traffic.
Payload
The portion of a packet that is not the packet header.
Port affinity
When traffic is prevented from migrating from one port to another, it is said to have an affinity to a particular port.
Primary appliance
In high-availability, the active appliance.
Primary port
One of the motherboard ports on a CloudBridge appliance
Q
Quality of service (QoS)
Quality of service. An industry-standard term with essentially the same meaning as traffic shaping. (Only the latter
term is used in CloudBridge documentation.)
R
Redirector mode
A mode that allows the CloudBridge appliance to act as an explicit proxy for CloudBridge Plug-in connections.
Repeater
An older-model CloudBridge appliance, intended for use in datacenters. Only the 8500 and 8800 model Repeater
appliances are currently available.
Reset to default
A command that restores most parameters on an appliance to their default (factory) state, while leaving licensing and
IP addresses intact. Intended to be non-destructive.
S
SCPS
Space Communications Protocol Specification, a variation of the TCP protocol. Used for some satellite
communications.
Secondary appliance
In high availability, the standby appliance.
Secure peering
Use of a secure tunnel, between two accelerators, that encrypts all accelerated data between them (but not
unaccelerated data).
Send to Gateway
Normal routing, by which packets that require routing are sent to the default gateway for that interface.
Service classes
Connection categories. The accelerator divides connections into service classes based on the connection's
application. This in turn determines compression type and acceleration policy.
Signalling IP address
A virtual IP address used for secure peering or the CloudBridge Plug-in.
citrix.com 742
Softboost mode
An acceleration mode siimilar to standard TCP, but with additional features such as rate-based sending and advanced
retransmission algorithms.
Speculative retransmissions
Packet retransmissions that are sent before an ordinary network stack would send them, because they might have
been lost and the retransmission overhead is preferable to the delay of waiting for acknowledgement.
SYN packet
The initial (synchronization) packets of a TCP connection.
T
Traffic interface
An interface that carries accelerated data.
Traffic-shaping
Prioritized injection of data packets onto the WAN, or prioritized processing of data packets received from the WAN.
Either way, the data rate is constrained to be no faster than the specified bandwidth limit.
Traffic-shaping engine
The traffic shaper portion of the accelerator
Transparent mode
A mode that allows the CloudBridge appliance to act as an intercepting proxy for CloudBridge Plug-in connections.
Transparent operation
The ability to provide acceleration without reconfiguring any servers, clients, or (usually) routers in the network.
U
Unaccelerated connection
Any TCP connection that does not receive CloudBridge acceleration.
Update bundle
An archive containing all the files for all the VMs in a virtualized system such as the CloudBridge
2000/3000/4000/5000.
V
Video caching
The act of saving a copy of a video data stream for possible future use.
Virtual gateway
Another name for an accelerator, in its role of introducing bandwidth-limited fair queuing to the traffic passing through
it.
Virtual IP
An additional IP address declared on an interface that already has an IP address.
VLAN tagging
The act of assigning a VLAN to an interface or data stream.
VLAN trunking
The use of VLANs, and often multiple VLANs, on the same Ethernet segment.
citrix.com 743
W
WCCP mode
A forwarding mode where the appliance uses the WCCP protocol to communicate with the router.
Back to Top
citrix.com 744
CloudBridge NITRO API
The CloudBridge NITRO API allows you to configure and monitor the appliance programmatically. NITRO provides its
functionality through Representational State Transfer (REST) interfaces. Therefore, NITRO applications can be
developed in any programming language.
To use NITRO, you must have a basic understanding of the CloudBridge appliance and you must make sure that the
client application has the following:
Have a system to generate HTTP or HTTPS requests (payload in JSON format) to the CloudBridge
appliance. You can use any programming language or tool.
1. The client application sends REST request message to the NITRO web service.
2. The web service processes the REST request message.
3. The NITRO web service returns the corresponding REST response message to the client application.
NITRO APIs are synchronous in nature. This means that the client application waits for a response from the NITRO web
service before executing another NITRO API.
citrix.com 745
General API Usage
REST (Representational State Transfer) is an architectural style based on simple HTTP requests and responses
between the client and the server. REST is used to query or change the state of objects on the server side. In REST,
the server side is modelled as a set of entities where each entity is identified by a unique URL.
Note
This section provides a few examples for using the CloudBridge NITRO API. For a detailed description of all the
NITRO resources, see API Reference.
Each resource also has a state on which the following operations can be performed:
Create. Clients can create new server-side resources on a "container" resource. You can think of container
resources as folders, and child resources as files or subfolders. The calling client provides the state for the
resource to be created. The state can be specified in the request by using JSON format. The HTTP method
used for create requests is POST.
Read. Clients can retrieve the state of a resource by specifying its URL with the HTTP GET method. The
response message contains the resource state, expressed in JSON format.
Update. You can update the state of an existing resource by specifying the URL that identifies that object
and its new state in JSON, using the PUT HTTP method.
Delete. You can destroy a resource that exists on the server-side by using the DELETE HTTP method and
the URL identifying the resource to be removed.
In addition to the above four operations, resources can support other operations or actions. These operations use the
HTTP POST method, with the request body (if applicable) in JSON specifying the details of the operation.
Before going into the details of the NITRO operations, you must be aware of the following functionality:
Every NITRO request must be authenticated by providing the credentials in the request header. The
credentials must be provided in base64 encoded format as follows:
https://<cb_ip>/cb/nitro/v1/config/<resource>/<value_of_unique_id>
For resources which have multiple keys as the unique identifier, you can get its details or delete it by
providing the identifiers in the URL as follows:
https://<cb_ip>/cb/nitro/v1/config/<resource>/<unique-id1>=<value>&<unique-id2>=<value>
All NITRO operations are logged in the /var/log/nitro.log file on the CloudBridge appliance.
citrix.com 746
Adding a CloudBridge Resource
The request and response formats to add a single resource. The URL must specify the type of resource to be added.
The request header must provide the base64 encoded username and password.
Note: The examples in this documentation use the "user_account" resource type.
Request:
HTTP Method
POST
URL
https://<cb_ip>/cb/nitro/v1/config/user_account
Request Headers
Request Payload
{
"user_account":
{
"username":"test1",
"privilege":"admin",
"password":"123"
}
}
Response:
{
"user_account":
{
"username":"test1",
"privilege":"admin"
}
}
citrix.com 747
Retrieving CloudBridge Resource Details
Resource details can be obtained as follows:
Note: All examples in this documentation use the "user_account" resource type.
The request and response formats to get the details of a single resource. The URL must specify the type and name of
the resource to be retrieved. The request header must provide the base64 encoded username and password.
Request:
HTTP Method
GET
URL
https://<cb_ip>/cb/nitro/v1/config/user_account/test1
Request Headers
Response:
Content-Type: application/vnd.com.citrix.cloudbridge.user_account+json
Response Payload
{
"user_account":
{
"username":"test1",
"privilege":"admin"
}
}
The request and response formats to get the details of all resources of a specific resource type. The URL must specify
the type of the resource to be retrieved. The request header must provide the base64 encoded username and password.
Request:
HTTP Method
GET
URL
https://<cb_ip>/cb/nitro/v1/config/user_account
Request Headers
Response:
citrix.com 748
HTTP Status Code on Success
200 OK
HTTP Status Code on Failure
4xx <string> or 5xx <string>. The response provides details of the error. See Error Handling.
Response Header
Content-Type: application/vnd.com.citrix.cloudbridge.user_account_list+json
Response Payload
{
"user_account":
[
{
"username":"test1",
"privilege":"admin"
},
{
"username":"test2",
"privilege":"admin"
}
]
}
citrix.com 749
Updating a CloudBridge Resource
The request and response formats to update a single resource. The URL must specify the type and name of the
resource to be modified. The request header must provide the base64 encoded username and password.
Note: The examples in this documentation use the "user_account" resource type.
Request:
HTTP Method
PUT
URL
https://<cb_ip>/cb/nitro/v1/config/user_account/test1
Request Headers
Request Payload
{
"user_account":
{
"privilege":"admin",
"password":"123"
}
}
Response:
{
"user_account":
{
"username":"test1",
"privilege":"admin"
}
}
citrix.com 750
Deleting a CloudBridge Resource
The request and response formats to delete a single resource. The resource to be deleted must be specified in the
URL. The request header must provide the base64 encoded username and password.
Note: The examples in this documentation use the "user_account" resource type.
Request:
HTTP Method
DELETE
URL
https://<cb_ip>/cb/nitro/v1/config/user_account/test1
Request Header
Authorization: Basic <base64 encoded(username:password)>
Response:
citrix.com 751
Usage Scenarios
The above sections explain basic usage of CloudBridge NITRO API. Here, we document some scenarios that you might
come across while using NITRO.
Note
- This section provides a few examples for using the CloudBridge NITRO API. For a detailed description of all the
NITRO resources, see API Reference.
citrix.com 752
Adding SNMP Users
SNMP users must be associated with a SNMP view. Therefore, first check if the required SNMP view is already
available and then add the SNMP user.
Request:
HTTP Method
GET
URL
https://<cb_ip>/cb/nitro/v1/config/snmp_view
Request Headers
Response:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_view_list+json
Response Payload
{
"snmp_view":
[
...
...
]
}
Note: If the required SNMP view is available in the response payload, then skip to step 3. Else, add
the required SNMP as shown in step 2.
2. Add the required SNMP view.
Request:
HTTP Method
POST
URL
https://<cb_ip>/cb/nitro/v1/config/snmp_view
Request Headers
Request Payload
{
"snmp_view":
{
"name":"view1",
"subtree":"1.1",
"include":"true"
}
}
Response:
citrix.com 753
HTTP Status Code on Success
201 Created
HTTP Status Code on Failure
4xx <string> or 5xx <string>. The response provides details of the error. See Error Handling.
Request:
HTTP Method
POST
URL
https://<cb_ip>/cb/nitro/v1/config/snmp_user
Request Headers
Request Payload
{
"snmp_user":
{
"username":"snmp_user1",
"authprotocol":"MD5",
"authpassword":"password",
"viewname":"view1"
}
}
Response:
citrix.com 754
Enabling SNMP on the CloudBridge Appliance
To enable SNMP on the CloudBridge appliance, you must simply set the status of the snmp object to true. Optionally,
you can first check if SNMP is already enabled.
Request:
HTTP Method
GET
URL
https://<cb_ip>/cb/nitro/v1/config/snmp
Request Header
Response:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp+json
Response Payload
{
"snmp":
{
"status":"false"
}
}
Note: The "status=false" value in the response payload indicates that SNMP is not enabled.
2. Enable SNMP.
Request:
HTTP Method
PUT
URL
https://<cb_ip>/cb/nitro/v1/config/snmp
Request Headers
Request Payload
{
"snmp":
{
"status":"true"
}
}
Response:
citrix.com 755
4xx <string> or 5xx <string>. The response provides details of the error. See Error Handling.
citrix.com 756
Creating a Service Class
To add a service class on the CloudBridge appliance, you must use the "service_class" object.
Request:
HTTP Method
POST
URL
https://<cb_ip>/cb/nitro/v1/config/service_class
Request Header
Request Payload
{
"service_class":
{
"classname":"SC1",
"accelerationpolicy":"disk",
"qospolicy":"Very High Priority Traffic",
"enabled":"true",
"filterrules":
[
{
"applications":
[
{
"appname":"UDP"
},
{
"appname":"TCP"
}
]
}
]
}
}
Response:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class+json
Response Payload
{
"service_class":
{
...
...
}
}
2. Modify the newly created service class SC1 by specifying the required changes. This example shows the modification
of accelerationpolicy to memory, qospolicy to Very Low Priority, and add some filter rules.
citrix.com 757
2.
Request:
HTTP Method
PUT
URL
https://<cb_ip>/cb/nitro/v1/config/service_class/SC1
Request Header
Request Payload
{
"service_class":
{
"accelerationpolicy":"memory",
"qospolicy":"Very Low Priority Traffic",
"filterrules":
[
{
"srcipaddresses":
[
{
"srcipaddress":
{
"ipaddressmask":"172.16.1.0/24",
"rangetype":"ipmask"
}
},
{
"srcipaddress":
{
"left":"172.16.1.10",
"right":"172.16.1.20",
"rangetype":"hyphen seperated"
},
"excluded":"true"
}
]
}
]
}
}
Response:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class+json
Response Payload
{
"service_class":
{
...
...
}
}
citrix.com 758
Error Handling
In case of a failed request, NITRO provides the required information through the response.
Header.
HTTP status: <appropriate error status>
Content-Type: application/vnd.com.citrix.cloudbridge.error+json
Payload.
{
"errorcode":<integer>,
"message":<string>,
"severity":"ERROR"
}
Warnings
When an operation takes some time to execute, CloudBridge NITRO provides an interim response that indicates the
process is in operation. This is shown as a warning.
Header.
HTTP status: 202
Content-Type: application/vnd.com.citrix.cloudbridge.warning+json
Payload.
{
"errorcode":<integer>,
"message":"Operation in progress",
"severity":"WARNING"
}
citrix.com 759
API Reference
This documentation provides details of all operations that can be performed on the CloudBridge appliance by using the
REST API.
Configuration
Statistics
Error Messages
citrix.com 760
Configuration
List of the resources that can be configured:
Name Description
AAA server configuration. This NITRO resource is applicable for CloudBridge 400, 800, 1000,
aaa_server
2000, 2000WS, 3000, 4000, and 5000 platforms only.
additional_features Additional features for network and advance optimization
alert_options Alert Options
alert_retention Alert retention time
application Application classifier definition
boost_setting Configure boosting as Hardboost or Softboost as well as WAN bandwidth receive limit
callhome Call Home
cifs_features CIFS Protocol Optimization enabled or disabled
datetime_params Date, Time and TimeZone Configuration.
delegate_users Delegate Users and domain name
Configuration of Groups. This NITRO resource is applicable for CloudBridge 400, 800, 1000,
groups
2000, 2000WS, 3000, 4000, and 5000 platforms only.
http_params HTTP Configuration.
License Information. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88,
license_info
VPX, 400, 800, 1000, 2000, 2000WS and 3000 platforms only.
Cloud Bridge Features of different licenses. This NITRO resource is applicable for
licensing_features CloudBridge SM83, SM85, SM88, VPX, 400, 800, 1000, 2000, 2000WS and 3000 platforms
only.
link_definition Links configured and their property
Local licenses configuration. This NITRO resource is applicable for CloudBridge SM83,
local_licenses
SM85, SM88, VPX, 400, 800, 1000, 2000, 2000WS and 3000 platforms only.
log_params Configuration of Logging parameters
log_stats Log Statistics
ntp_server NTP Server
plugin_acc_rules Configuration of plugin acceleration rules.
plugin_config Configuration of Redirector IP/port etc to establish signalling channel.
plugin_diag Configuration of FTP server/path for uploading plugin diagnostics.
qos_policies Traffic shaping policies
Configuration of RADIUS server. This NITRO resource is applicable for CloudBridge SM83,
radius_params
SM85, SM88 and VPX platforms only.
Configuration of RADIUS server. This NITRO resource is applicable for CloudBridge 400,
radius_servers
800, 1000, 2000, 2000WS, 3000, 4000, and 5000 platforms only.
service_class Configuration for service classes.
session_params Configuration of session parameters.
snmp Configure SNMP status.
snmp_manager SNMP Manager Configuration
snmp_trap_dest
snmp_user SNMP Users
snmp_view View Names
ssh Configure SSH status.
ssl_ca SSL CA store list.
ssl_cert_keys SSL Certificate-Key pair.
ssl_partner Configuration for setting up secure partner
citrix.com 761
ssl_profile SSL profiles list.
ssl_store Configuration of SSL Store
syslog_server Syslog Server
system_info System Information
Configuration of TACACS server. This NITRO resource is applicable for CloudBridge SM83,
tacacs_params
SM85, SM88 and VPX platforms only.
Configuration of TACACS server. This NITRO resource is applicable for CloudBridge 400,
tacacs_servers
800, 1000, 2000, 2000WS, 3000, 4000, and 5000 platforms only.
traffic_features Features related to network traffic
tune_setting Get and Set for parameters on tuning page
user_account User Accounts
videocaching_prepopulation Configure Video Caching Prepopulation.
video_caching_config Get and Set video caching global parameters and clear video cache
video_sources Get, Set, Add and Delete video sources for video caching
windows_domain Join Leave or Get status of windows domain
citrix.com 762
aaa_server
AAA server configuration. This NITRO resource is applicable for CloudBridge 400, 800, 1000, 2000, 2000WS, 3000,
4000, and 5000 platforms only.
Properties
Data Read-
Name Description
Type Only?
servername <String> No Name of AAA server. This server should be already configured
using radius_servers/tacacs_servers.
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get AAA server configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/aaa_server/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.aaa_server+json
{"aaa_server":{
"servertype": <string_value>,
"fallbacklocalauthentication": <string_value>,
"servername": <string_value>
}}
MODIFY
citrix.com 763
Use this operation to modify AAA server configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/aaa_server
Request Headers:
{"aaa_server":{
"servertype": <string_value>,
"fallbacklocalauthentication": <string_value>,
"servername": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.aaa_server+json
{"aaa_server":{
"servertype": <string_value>,
"fallbacklocalauthentication": <string_value>,
"servername": <string_value>
}}
citrix.com 764
additional_features
Additional features for network and advance optimization
Properties
Data Read-
Name Description
Type Only?
message <String> Yes
Read only message depending upon feature state
Value of feature
featurestate <Boolean> No
Possible values = [true, false]
Operations
GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET (ALL)
Use this operation to get additional features
URL: https://<cb_ip_address>/cb/nitro/v1/config/additional_features
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
additional_features_list+json
{"additional_features": [{
"message": <string_value>,
citrix.com 765
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}, ...]}
GET
Use this operation to get additional features
URL: https://<cb_ip_address>/cb/nitro/v1/config/additional_features/<featurename>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.additional_features+json
{"additional_features":{
"message": <string_value>,
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
MODIFY
Use this operation to set additional features
URL: https://<cb_ip_address>/cb/nitro/v1/config/additional_features/<featurename>
Request Headers:
{"additional_features":{
"featurestate": <boolean_value>,
"featurename": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.additional_features+json
{"additional_features":{
"message": <string_value>,
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
citrix.com 766
citrix.com 767
alert_options
Alert Options
Properties
Name Data Type Read-Only? Description
alertcondition <String> Yes
Condition on which the alert is generated.
Alert level
alertlevel <String> No
Possible values = [disable, log, alert]
Alert ID.
alertid <Integer> No
Minimum value = 0
Minimum configurable alert level supported for the specific alert ID.
minimumalertlevel <String> Yes
Possible values = [disable, log, alert]
Operations
GET | MODIFY | RESET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get alert options
URL: https://<cb_ip_address>/cb/nitro/v1/config/alert_options/
Request Headers:
Response Headers:
citrix.com 768
Content-Type: application/vnd.com.citrix.cloudbridge.alert_options+json
{"alert_options":{
"alertcondition": <string_value>,
"alertname": <string_value>,
"thresholdvalue": <integer_value>,
"alertlevel": <string_value>,
"alertid": <integer_value>,
"description": <string_value>,
"helptext": <string_value>,
"minimumalertlevel": <string_value>
}}
MODIFY
Use this operation to modify alert options
URL: https://<cb_ip_address>/cb/nitro/v1/config/alert_options
Request Headers:
{"alert_options":{
"thresholdvalue": <integer_value>,
"alertlevel": <string_value>,
"alertid": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.alert_options+json
{"alert_options":{
"alertcondition": <string_value>,
"alertname": <string_value>,
"thresholdvalue": <integer_value>,
"alertlevel": <string_value>,
"alertid": <integer_value>,
"description": <string_value>,
"helptext": <string_value>,
"minimumalertlevel": <string_value>
}}
RESET
Use this operation to reset alert options
URL: https://<cb_ip_address>/cb/nitro/v1/config/alert_options?action=reset
Request Headers:
citrix.com 769
Content-Type: application/vnd.com.citrix.cloudbridge.alert_options+json
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.alert_options+json
citrix.com 770
alert_retention
Alert retention time
Properties
Name Data Type Read-Only? Description
alertretentiontime <Integer> No
Alert retention time
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Get Alert retention time.
URL: https://<cb_ip_address>/cb/nitro/v1/config/alert_retention/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.alert_retention+json
{"alert_retention":{
"alertretentiontime": <integer_value>
}}
MODIFY
Set Alert retention time.
URL: https://<cb_ip_address>/cb/nitro/v1/config/alert_retention
Request Headers:
{"alert_retention":{
citrix.com 771
"alertretentiontime": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.alert_retention+json
{"alert_retention":{
"alertretentiontime": <integer_value>
}}
citrix.com 772
application
Application classifier definition
Properties
Data Read-
Name Description
Type Only?
description <String> No
Description of application.
name <String> No
Name of application.
classifierparamvalue <String> No Value of the classifier parameter.Required for all paramtypes but
Dynamic TCP
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add an Application
URL: https://<cb_ip_address>/cb/nitro/v1/config/application
Request Headers:
citrix.com 773
Content-Type: application/vnd.com.citrix.cloudbridge.application+json
{"application":{
"classifiertype": <string_value>,
"description": <string_value>,
"name": <string_value>,
"classifierparamvalue": <string_value>,
"appgroup": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.application+json
{"application":{
"classifiertype": <string_value>,
"description": <string_value>,
"name": <string_value>,
"classifierparamvalue": <string_value>,
"classifierparamname": <string_value>,
"appgroup": <string_value>,
}}
DELETE
Use this operation to delete an Application
URL: https://<cb_ip_address>/cb/nitro/v1/config/application/<name>
Request Headers:
GET (ALL)
Use this operation to get Applications.
URL: https://<cb_ip_address>/cb/nitro/v1/config/application
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.application_list+json
{"application": [{
"classifiertype": <string_value>,
"description": <string_value>,
citrix.com 774
"name": <string_value>,
"classifierparamvalue": <string_value>,
"classifierparamname": <string_value>,
"appgroup": <string_value>,
}, ...]}
GET
Use this operation to get Applications.
URL: https://<cb_ip_address>/cb/nitro/v1/config/application/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.application+json
{"application":{
"classifiertype": <string_value>,
"description": <string_value>,
"name": <string_value>,
"classifierparamvalue": <string_value>,
"classifierparamname": <string_value>,
"appgroup": <string_value>,
}}
MODIFY
Use this operation to modify an Application
URL: https://<cb_ip_address>/cb/nitro/v1/config/application/<name>
Request Headers:
{"application":{
"classifiertype": <string_value>,
"description": <string_value>,
"name": <string_value>,
"classifierparamvalue": <string_value>,
"appgroup": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.application+json
citrix.com 775
{"application":{
"classifiertype": <string_value>,
"description": <string_value>,
"name": <string_value>,
"classifierparamvalue": <string_value>,
"classifierparamname": <string_value>,
"appgroup": <string_value>,
}}
citrix.com 776
boost_setting
Configure boosting as Hardboost or Softboost as well as WAN bandwidth receive limit
Properties
Name Data Type Read-Only? Description
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get boost mode and bandwidth receive limit
URL: https://<cb_ip_address>/cb/nitro/v1/config/boost_setting/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.boost_setting+json
{"boost_setting":{
"boostmode": <string_value>,
"bandwidhtreceivelimit": <integer_value>
}}
MODIFY
Use this operation to modify boost mode and bandwidth receive limit
URL: https://<cb_ip_address>/cb/nitro/v1/config/boost_setting
citrix.com 777
Request Headers:
{"boost_setting":{
"boostmode": <string_value>,
"bandwidhtreceivelimit": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.boost_setting+json
{"boost_setting":{
"boostmode": <string_value>,
"bandwidhtreceivelimit": <integer_value>
}}
citrix.com 778
callhome
Call Home
Properties
Name Data Type Read-Only? Description
contact <String> No
Contact
proxyip <String> No
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Get Call Home Config
URL: https://<cb_ip_address>/cb/nitro/v1/config/callhome/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.callhome+json
{"callhome":{
"proxy": <boolean_value>,
"enable": <boolean_value>,
"proxyport": <integer_value>,
"contact": <string_value>,
citrix.com 779
"proxyip": <string_value>
}}
MODIFY
Use this operation to modify Call Home Configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/callhome
Request Headers:
{"callhome":{
"proxy": <boolean_value>,
"enable": <boolean_value>,
"proxyport": <integer_value>,
"contact": <string_value>,
"proxyip": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.callhome+json
{"callhome":{
"proxy": <boolean_value>,
"enable": <boolean_value>,
"proxyport": <integer_value>,
"contact": <string_value>,
"proxyip": <string_value>
}}
citrix.com 780
cifs_features
CIFS Protocol Optimization enabled or disabled
Properties
Name Data Type Read-Only? Description
message <String> Yes
Read only message depending upon feature state
Value of feature
featurestate <String> No
Possible values = [All, SMB1Only, SMB2Only, Disabled]
Name of feature
featurename <String> No
Possible values = [CIFSProtocolOptimization]
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get CIFS optimization state
URL: https://<cb_ip_address>/cb/nitro/v1/config/cifs_features/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.cifs_features+json
{"cifs_features":{
"message": <string_value>,
"featurestate": <string_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
MODIFY
citrix.com 781
Use this operation to set CIFS optimization state
URL: https://<cb_ip_address>/cb/nitro/v1/config/cifs_features
Request Headers:
{"cifs_features":{
"featurestate": <string_value>,
"featurename": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.cifs_features+json
{"cifs_features":{
"message": <string_value>,
"featurestate": <string_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
citrix.com 782
datetime_params
Date, Time and TimeZone Configuration.
Properties
Data Read-
Name Description
Type Only?
timezone parameter
citrix.com 783
Antarctica/McMurdo, Antarctica/Palmer, Antarctica/Rothera, Antarctica/Syowa,
Antarctica/Troll, Antarctica/Vostok, Arctic/Longyearbyen, Asia/Aden, Asia/Almaty,
Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat,
Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut,
Asia/Bishkek, Asia/Brunei, Asia/Choibalsan, Asia/Chita, Asia/Colombo,
Asia/Damascus, Asia/Dhaka, Asia/Dili, Asia/Dubai, Asia/Dushanbe, Asia/Gaza,
Asia/Hebron, Asia/Ho_Chi_Minh, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk,
Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka,
Asia/Karachi, Asia/Kathmandu, Asia/Khandyga, Asia/Kolkata, Asia/Krasnoyarsk,
Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macau, Asia/Magadan,
Asia/Makassar, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novokuznetsk,
Asia/Novosibirsk, Asia/Omsk, Asia/Oral, Asia/Phnom_Penh, Asia/Pontianak,
Asia/Pyongyang, Asia/Qatar, Asia/Qyzylorda, Asia/Rangoon, Asia/Riyadh,
Asia/Sakhalin, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore,
Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Thimphu, Asia/Tokyo,
Asia/Ulaanbaatar, Asia/Urumqi, Asia/Ust-Nera, Asia/Vientiane, Asia/Vladivostok,
Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Atlantic/Azores,
Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faroe,
Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena,
Atlantic/Stanley, Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill,
Australia/Currie, Australia/Darwin, Australia/Eucla, Australia/Hobart,
Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/Perth,
Australia/Sydney, Europe/Amsterdam, Europe/Andorra, Europe/Athens,
Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels,
Europe/Bucharest, Europe/Budapest, Europe/Busingen, Europe/Chisinau,
Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Guernsey,
Europe/Helsinki, Europe/Isle_of_Man, Europe/Istanbul, Europe/Jersey,
Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana,
Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta,
Europe/Mariehamn, Europe/Minsk, Europe/Monaco, Europe/Moscow,
Europe/Oslo, Europe/Paris, Europe/Podgorica, Europe/Prague, Europe/Riga,
Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo,
Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm,
Europe/Tallinn, Europe/Tirane, Europe/Uzhgorod, Europe/Vaduz,
Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Volgograd,
Europe/Warsaw, Europe/Zagreb, Europe/Zaporozhye, Europe/Zurich,
Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos,
Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives,
Indian/Mauritius, Indian/Mayotte, Indian/Reunion, Pacific/Apia, Pacific/Auckland,
Pacific/Chatham, Pacific/Chuuk, Pacific/Easter, Pacific/Efate, Pacific/Enderbury,
Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier,
Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston,
Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro,
Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk,
Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn,
Pacific/Pohnpei, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan,
Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Wake, Pacific/Wallis,
UTC]
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get Date and Time details
citrix.com 784
HTTP Method: GET
URL: https://<cb_ip_address>/cb/nitro/v1/config/datetime_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.datetime_params+json
{"datetime_params":{
"timezone": <string_value>,
"datetime": <string_value>
}}
MODIFY
Use this operation to modify Date and Time configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/datetime_params
Request Headers:
{"datetime_params":{
"timezone": <string_value>,
"datetime": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.datetime_params+json
{"datetime_params":{
"timezone": <string_value>,
"datetime": <string_value>
}}
citrix.com 785
delegate_users
Delegate Users and domain name
Properties
Name Data Type Read-Only? Description
Password
delegateuserpassword <String> No
Minimum length = 7
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a user to the list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/delegate_users
Request Headers:
{"delegate_users":{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.delegate_users+json
citrix.com 786
{"delegate_users":{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>,
"userstatus": <string_value>
}}
DELETE
Use this operation to delete a user from list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/delegate_users/delegateusername=<STRING>,domainname=
<STRING>
Request Headers:
GET (ALL)
Use this operation to get list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/delegate_users
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.delegate_users_list+json
{"delegate_users": [{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>,
"userstatus": <string_value>
}, ...]}
GET
Use this operation to get list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/delegate_users/delegateusername=<STRING>,domainname=
<STRING>
Request Headers:
Response Headers:
citrix.com 787
Content-Type: application/vnd.com.citrix.cloudbridge.delegate_users+json
{"delegate_users":{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>,
"userstatus": <string_value>
}}
MODIFY
Use this operation to update a user from list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/delegate_users/<delegateusername>
Request Headers:
{"delegate_users":{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.delegate_users+json
{"delegate_users":{
"delegateusername": <string_value>,
"domainname": <string_value>,
"delegateuserpassword": <string_value>,
"userstatus": <string_value>
}}
citrix.com 788
groups
Configuration of Groups. This NITRO resource is applicable for CloudBridge 400, 800, 1000, 2000, 2000WS, 3000,
4000, and 5000 platforms only.
Properties
Name Data Type Read-Only? Description
users <[String,...]> No
Users belong to the group.
name <String> No
Group Name.
sessiontimeout <String> No
Session timeout for the Group.
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a group
URL: https://<cb_ip_address>/cb/nitro/v1/config/groups
Request Headers:
{"groups":{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
citrix.com 789
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.groups+json
{"groups":{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
}}
DELETE
Use this operation to delete a group
URL: https://<cb_ip_address>/cb/nitro/v1/config/groups/<name>
Request Headers:
GET (ALL)
Use this operation to get group details
URL: https://<cb_ip_address>/cb/nitro/v1/config/groups
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.groups_list+json
{"groups": [{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
}, ...]}
GET
Use this operation to get group details
citrix.com 790
HTTP Method: GET
URL: https://<cb_ip_address>/cb/nitro/v1/config/groups/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.groups+json
{"groups":{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
}}
MODIFY
Use this operation to modify group
URL: https://<cb_ip_address>/cb/nitro/v1/config/groups/<name>
Request Headers:
{"groups":{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.groups+json
{"groups":{
"enablesessiontimeout": <string_value>,
"users": <string_value>,
"sessiontimeoutunit": <string_value>,
"name": <string_value>,
"permission": <string_value>,
"sessiontimeout": <string_value>
}}
citrix.com 791
http_params
HTTP Configuration.
Properties
Data Read-
Name Description
Type Only?
SSL Certificate.
sslcertificate <String> No
Valid char set = ^(-{1,}BEGIN CERTIFICATE-{1,}).+(-{1,}END
CERTIFICATE-{1,}\r{0,1}\n{0,1})$
HTTP port.
httpport <Integer> No
Minimum value = 1
HTTPS port.
httpsport <Integer> No
Minimum value = 1
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get HTTP configuration details
citrix.com 792
URL: https://<cb_ip_address>/cb/nitro/v1/config/http_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.http_params+json
{"http_params":{
"sslprivatekey": <string_value>,
"webaccessprotocol": <string_value>,
"status": <boolean_value>,
"sslcertificate": <string_value>,
"httpport": <integer_value>,
"httpforwarding": <boolean_value>,
"httpsport": <integer_value>
}}
MODIFY
Use this operation to modify HTTP configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/http_params
Request Headers:
{"http_params":{
"sslprivatekey": <string_value>,
"webaccessprotocol": <string_value>,
"status": <boolean_value>,
"sslcertificate": <string_value>,
"httpport": <integer_value>,
"httpforwarding": <boolean_value>,
"httpsport": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.http_params+json
{"http_params":{
"sslprivatekey": <string_value>,
"webaccessprotocol": <string_value>,
"status": <boolean_value>,
"sslcertificate": <string_value>,
"httpport": <integer_value>,
"httpforwarding": <boolean_value>,
"httpsport": <integer_value>
}}
citrix.com 793
license_info
License Information. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88, VPX, 400, 800, 1000,
2000, 2000WS and 3000 platforms only.
Properties
Data Read-
Name Description
Type Only?
Base Model.
Possible values = [100, 200, 300, 5M, 10M, 20M, 45M, 100M,
basemodel <String> No
8510, 8520, 8530, 8540, 8310, 8320, 8810, 8820, V1, V2, V10,
V20, V45, V50, VEXP, V100, V200, V13500, 2000-010, 2000-020,
2000-050, 3000-050, 3000-100, 3000-155, 400-002, 400-006, 800-
002, 800-006, 800-010, 1000-006, 1000-010, 1000-020]
Server Location.
serverlocation <String> No
Possible values = [remote, local]
License server port number. This value should be present when the
server location is remote.
serverport <Integer> No
Minimum value = 1
is licensed or not
islicensed <Boolean> Yes
Possible values = [true, false]
Product Name.
productname <String> No
Possible values = [CBR, CWSDE, CWS, CCB]
serveraddress <String> No
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
citrix.com 794
GET
Use this operation to get license server configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/license_info/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.license_info+json
{"license_info":{
"requestcryptolicense": <boolean_value>,
"basemodel": <string_value>,
"hostid": <string_value>,
"basemodelstatus": <string_value>,
"serverlocation": <string_value>,
"serverstatus": <string_value>,
"serverport": <integer_value>,
"islicensed": <boolean_value>,
"productname": <string_value>,
"serveraddress": <string_value>
}}
MODIFY
Use this operation to modify license server configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/license_info
Request Headers:
{"license_info":{
"requestcryptolicense": <boolean_value>,
"basemodel": <string_value>,
"serverlocation": <string_value>,
"serverport": <integer_value>,
"productname": <string_value>,
"serveraddress": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.license_info+json
{"license_info":{
"requestcryptolicense": <boolean_value>,
citrix.com 795
"basemodel": <string_value>,
"hostid": <string_value>,
"basemodelstatus": <string_value>,
"serverlocation": <string_value>,
"serverstatus": <string_value>,
"serverport": <integer_value>,
"islicensed": <boolean_value>,
"productname": <string_value>,
"serveraddress": <string_value>
}}
citrix.com 796
licensing_features
Cloud Bridge Features of different licenses. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88,
VPX, 400, 800, 1000, 2000, 2000WS and 3000 platforms only.
Properties
Name Data Type Read-Only? Description
details <String> Yes
Description of license
Operations
GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get list of licenses with features
URL: https://<cb_ip_address>/cb/nitro/v1/config/licensing_features/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.licensing_features+json
{"licensing_features":{
citrix.com 797
"details": <string_value>,
"graceperiodexpired": <boolean_value>,
"upgradedate": <string_value>,
"usagedate": <string_value>,
"name": <string_value>,
"settings": <string_value>,
"graceenddate": <string_value>,
"licensetype": <string_value>
}}
citrix.com 798
link_definition
Links configured and their property
Properties
Data Read-
Name Description
Type Only?
interfaces.interfacename <String> No
interface to be used for this rule
List of source ethernet addresses to be included or
<[Object,...]
filterrules.srcethernetaddresses No excludedin filter rules. Note: Not supported on CB
>
4000 and CB 5000 platform
citrix.com 799
Possible values = [true, false]
srcethernetaddresses.
<String> No
srcetheraddress
<[Object,...] list of source IPs to be included or excluded in filter
filterrules.srcipaddresses No
> rules
citrix.com 800
order <Integer> No Precedance order of link
Minimum value = 1
linkid <Integer> Yes Link Id unique for every link and mapped with
name
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to create a link
URL: https://<cb_ip_address>/cb/nitro/v1/config/link_definition
Request Headers:
citrix.com 801
Content-Type: application/vnd.com.citrix.cloudbridge.link_definition+json
{"link_definition":{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...]
}, ...],
"order": <integer_value>,
"name": <string_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"linktype": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.link_definition+json
{"link_definition":{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
"wccpservicegroups": [{
citrix.com 802
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
}, ...],
"order": <integer_value>,
"name": <string_value>,
"linkid": <integer_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"propertyflags": <string_value>,
"modified": <boolean_value>,
"linktype": <string_value>
}}
DELETE
Use this operation to delete a link
URL: https://<cb_ip_address>/cb/nitro/v1/config/link_definition/<name>
Request Headers:
GET (ALL)
Use this operation to get list of delegate users
citrix.com 803
HTTP Method: GET
URL: https://<cb_ip_address>/cb/nitro/v1/config/link_definition
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.link_definition_list+json
{"link_definition": [{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
citrix.com 804
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
}, ...],
"order": <integer_value>,
"name": <string_value>,
"linkid": <integer_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"propertyflags": <string_value>,
"modified": <boolean_value>,
"linktype": <string_value>
}, ...]}
GET
Use this operation to get list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/link_definition/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.link_definition+json
{"link_definition":{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
citrix.com 805
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
citrix.com 806
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
}, ...],
"order": <integer_value>,
"name": <string_value>,
"linkid": <integer_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"propertyflags": <string_value>,
"modified": <boolean_value>,
"linktype": <string_value>
}}
MODIFY
Use this operation to update a user from list of delegate users
URL: https://<cb_ip_address>/cb/nitro/v1/config/link_definition/<name>
Request Headers:
{"link_definition":{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
citrix.com 807
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...]
}, ...],
"order": <integer_value>,
"name": <string_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"linktype": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.link_definition+json
{"link_definition":{
"enabled": <boolean_value>,
"filterrules": [{
"enabled": <boolean_value>,
"wccpservicegroups": [{
"excluded": <boolean_value>,
"groupid": <integer_value>
}, ...],
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"interfaces": [{
"excluded": <boolean_value>,
"interfacename": <string_value>
}, ...],
"srcethernetaddresses": [{
"excluded": <boolean_value>,
"srcetheraddress": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
citrix.com 808
}, ...],
"dstethernetaddresses": [{
"excluded": <boolean_value>,
"dstetheraddress": <string_value>
}, ...],
}, ...],
"order": <integer_value>,
"name": <string_value>,
"linkid": <integer_value>,
"maxbandwidthout": <long_value>,
"maxbandwidthin": <long_value>,
"propertyflags": <string_value>,
"modified": <boolean_value>,
"linktype": <string_value>
}}
citrix.com 809
local_licenses
Local licenses configuration. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88, VPX, 400, 800,
1000, 2000, 2000WS and 3000 platforms only.
Properties
Data Read-
Name Description
Type Only?
Content of license file. The content of license file must be converted to string
programatically loading into string data type and then pass to JSON payload.
content <String> No Directly copy paste from license file to JSON objent may not work. Response of
get operation will also be in same format. Refer following C++ implementation for
example: std::ifstream t(licenseFilePath); std::stringstream buffer; buffer << t.
rdbuf(); std::string str = buffer.str(); This str can now be sent as value of content.
name <String> No
Name of license
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add and install a license
URL: https://<cb_ip_address>/cb/nitro/v1/config/local_licenses
Request Headers:
{"local_licenses":{
"content": <string_value>,
"name": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.local_licenses+json
{"local_licenses":{
"content": <string_value>,
"name": <string_value>
}}
citrix.com 810
DELETE
Use this operation to delete a license
URL: https://<cb_ip_address>/cb/nitro/v1/config/local_licenses/<name>
Request Headers:
GET (ALL)
Use this operation to get all licenses intalled
URL: https://<cb_ip_address>/cb/nitro/v1/config/local_licenses
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.local_licenses_list+json
{"local_licenses": [{
"content": <string_value>,
"name": <string_value>
}, ...]}
GET
Use this operation to get all licenses intalled
URL: https://<cb_ip_address>/cb/nitro/v1/config/local_licenses/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.local_licenses+json
{"local_licenses":{
"content": <string_value>,
"name": <string_value>
}}
citrix.com 811
log_params
Configuration of Logging parameters
Properties
Name Data Type Read-Only? Description
Operations
GET | MODIFY
citrix.com 812
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get log settings
URL: https://<cb_ip_address>/cb/nitro/v1/config/log_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.log_params+json
{"log_params":{
"alertrecords": <boolean_value>,
"flowrecords": <boolean_value>,
"adapterrecords": <boolean_value>,
"maxsize": <integer_value>,
"cifssmbrecords": <boolean_value>,
"connectionrecords": <boolean_value>,
"opencloserecords": <boolean_value>,
"maxexportcount": <integer_value>,
"httprecords": <boolean_value>,
"systemrecords": <boolean_value>,
"textrecords": <boolean_value>
}}
MODIFY
Use this operation to modify log settings
URL: https://<cb_ip_address>/cb/nitro/v1/config/log_params
Request Headers:
{"log_params":{
"alertrecords": <boolean_value>,
"flowrecords": <boolean_value>,
"adapterrecords": <boolean_value>,
"maxsize": <integer_value>,
"cifssmbrecords": <boolean_value>,
"connectionrecords": <boolean_value>,
"opencloserecords": <boolean_value>,
"maxexportcount": <integer_value>,
"httprecords": <boolean_value>,
"systemrecords": <boolean_value>,
citrix.com 813
"textrecords": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.log_params+json
{"log_params":{
"alertrecords": <boolean_value>,
"flowrecords": <boolean_value>,
"adapterrecords": <boolean_value>,
"maxsize": <integer_value>,
"cifssmbrecords": <boolean_value>,
"connectionrecords": <boolean_value>,
"opencloserecords": <boolean_value>,
"maxexportcount": <integer_value>,
"httprecords": <boolean_value>,
"systemrecords": <boolean_value>,
"textrecords": <boolean_value>
}}
citrix.com 814
log_stats
Log Statistics
Properties
Name Data Type Read-Only? Description
firstdate <String> No
Start Date and time from which logs are available.
currentlogsize <Integer> No
Current Log Size in MB
firstnumber <Integer> No
First available log record number.
maxlogsize <Integer> No
Configured max log size in MB.
lastdate <String> No
Date and time till which logs are available.
lastnumber <Integer> No
Last available log record number.
Operations
GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get log statistics
URL: https://<cb_ip_address>/cb/nitro/v1/config/log_stats/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.log_stats+json
{"log_stats":{
"firstdate": <string_value>,
"currentlogsize": <integer_value>,
"firstnumber": <integer_value>,
"maxlogsize": <integer_value>,
"lastdate": <string_value>,
"lastnumber": <integer_value>
}}
citrix.com 815
ntp_server
NTP Server
Properties
Name Data Type Read-Only? Description
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a NTP server
URL: https://<cb_ip_address>/cb/nitro/v1/config/ntp_server
Request Headers:
{"ntp_server":{
"ntpserver": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ntp_server+json
{"ntp_server":{
"ntpserver": <string_value>
}}
DELETE
Use this operation to delete a NTP server
URL: https://<cb_ip_address>/cb/nitro/v1/config/ntp_server/<ntpserver>
citrix.com 816
Request Headers:
GET (ALL)
Use this operation to get NTP servers.
URL: https://<cb_ip_address>/cb/nitro/v1/config/ntp_server
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ntp_server_list+json
{"ntp_server": [{
"ntpserver": <string_value>
}, ...]}
GET
Use this operation to get NTP servers.
URL: https://<cb_ip_address>/cb/nitro/v1/config/ntp_server/<ntpserver>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ntp_server+json
{"ntp_server":{
"ntpserver": <string_value>
}}
citrix.com 817
plugin_acc_rules
Configuration of plugin acceleration rules.
Properties
Data Read-
Name Description
Type Only?
Rule type to define if the rule is used to enable acceleration or exclude traffic
ruletype <String> No
Possible values = [accelerate, exclude]
Order specifies the priority in which the rules are applied. Lower the order,
higher the priority. If order is not provided in ADD or the order is bigger than
order <Integer> No order of the lowest rule, order is automatically truncated to be that of one more
than the existing maximum.
Minimum value = 1
portrange <String> No Comma seprated port ranges for which the rule is defined.Eg. 3000,4000-
5000,6000. For all ports use: all/All
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add plugin acceleration rule
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_acc_rules
Request Headers:
{"plugin_acc_rules":{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}}
citrix.com 818
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_acc_rules+json
{"plugin_acc_rules":{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}}
DELETE
Use this operation to remove plugin acceleration rule
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_acc_rules/ruletype=<STRING>,destsubnet=<IPADDRESS>
Request Headers:
GET (ALL)
Use this operation to get plugin acceleration rules
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_acc_rules
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_acc_rules_list+json
{"plugin_acc_rules": [{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}, ...]}
GET
Use this operation to get plugin acceleration rules
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_acc_rules/ruletype=<STRING>,destsubnet=<IPADDRESS>
Request Headers:
citrix.com 819
Authorization: Basic <base64 encoded(username:password)>
Accept: application/vnd.com.citrix.cloudbridge.plugin_acc_rules+json
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_acc_rules+json
{"plugin_acc_rules":{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}}
MODIFY
Use this operation to modify plugin acceleration rule
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_acc_rules/<ruletype>
Request Headers:
{"plugin_acc_rules":{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_acc_rules+json
{"plugin_acc_rules":{
"ruletype": <string_value>,
"order": <integer_value>,
"destsubnet": <string_value>,
"portrange": <string_value>
}}
citrix.com 820
plugin_config
Configuration of Redirector IP/port etc to establish signalling channel.
Properties
Data Read-
Name Description
Type Only?
Maximum value = 50
Signaling IP prefix
redirectoripprefix <Integer> No
Minimum value = 1
Maximum value = 31
redirectorip <String> No
<[Object,...]
filteringlist No Filtering list to allow/disallow traffic from configured subnets
>
Plugin enabled
redirectorenabled <Boolean> No
Possible values = [true, false]
Operations
citrix.com 821
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_config/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_config+json
{"plugin_config":{
"landetectrttthreshold": <integer_value>,
"redirectoripprefix": <integer_value>,
"redirectorip": <string_value>,
"filteringlist": [{
"subnet": <string_value>,
"allow": <boolean_value>
}, ...],
"redirectorstatus": <string_value>,
"lanwandetectenabled": <boolean_value>,
"connectionmode": <string_value>,
"filteringenabled": <boolean_value>,
"redirectorport": <integer_value>,
"redirectorenabled": <boolean_value>
}}
MODIFY
Use this operation to modify plugin diagnostic configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_config
Request Headers:
{"plugin_config":{
"landetectrttthreshold": <integer_value>,
"redirectoripprefix": <integer_value>,
"redirectorip": <string_value>,
"filteringlist": [{
"subnet": <string_value>,
citrix.com 822
"allow": <boolean_value>
}, ...],
"lanwandetectenabled": <boolean_value>,
"connectionmode": <string_value>,
"filteringenabled": <boolean_value>,
"redirectorport": <integer_value>,
"redirectorenabled": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_config+json
{"plugin_config":{
"landetectrttthreshold": <integer_value>,
"redirectoripprefix": <integer_value>,
"redirectorip": <string_value>,
"filteringlist": [{
"subnet": <string_value>,
"allow": <boolean_value>
}, ...],
"redirectorstatus": <string_value>,
"lanwandetectenabled": <boolean_value>,
"connectionmode": <string_value>,
"filteringenabled": <boolean_value>,
"redirectorport": <integer_value>,
"redirectorenabled": <boolean_value>
}}
citrix.com 823
plugin_diag
Configuration of FTP server/path for uploading plugin diagnostics.
Properties
Data Read-
Name Description
Type Only?
diagftpserver <String> No
IP address of FTP Server
diagftpuser <String> No
FTP username.
diagftppassword <String> No
FTP password.
diagemail <String> No
Email account to send plugin diagnostic notification
diagautoupload <String> No
Automatically upload diagnostic reports
Allow pop ups on the plugin to prompt user for uploading diagnostic
diagpopups <Boolean> No report.
diagftpdirectory <String> No
Path on the FTP server to upload files
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_diag/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_diag+json
citrix.com 824
Response Payload: JSON
{"plugin_diag":{
"diagftpserver": <string_value>,
"diagftpuser": <string_value>,
"diagftppassword": <string_value>,
"diagftpport": <integer_value>,
"diagemail": <string_value>,
"diagautoupload": <string_value>,
"diagpopups": <boolean_value>,
"diagftpdirectory": <string_value>
}}
MODIFY
Use this operation to modify plugin diagnostic configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/plugin_diag
Request Headers:
{"plugin_diag":{
"diagftpserver": <string_value>,
"diagftpuser": <string_value>,
"diagftppassword": <string_value>,
"diagftpport": <integer_value>,
"diagemail": <string_value>,
"diagautoupload": <string_value>,
"diagpopups": <boolean_value>,
"diagftpdirectory": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.plugin_diag+json
{"plugin_diag":{
"diagftpserver": <string_value>,
"diagftpuser": <string_value>,
"diagftppassword": <string_value>,
"diagftpport": <integer_value>,
"diagemail": <string_value>,
"diagautoupload": <string_value>,
"diagpopups": <boolean_value>,
"diagftpdirectory": <string_value>
}}
citrix.com 825
qos_policies
Traffic shaping policies
Properties
Data Read-
Name Description
Type Only?
citrix.com 826
Possible values = [true, false]
citrix.com 827
icapriorities.interactive <Integer> No Minimum value = 1
policyid <Integer> Yes Policy ID unique for every policy and mapped
with name
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to create a policy
URL: https://<cb_ip_address>/cb/nitro/v1/config/qos_policies
Request Headers:
{"qos_policies":{
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
citrix.com 828
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
}
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.qos_policies+json
{"qos_policies":{
"priorityenabled": <boolean_value>,
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"modified": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
},
"propertyflags": <string_value>,
"policyid": <integer_value>
}}
DELETE
Use this operation to delete a policy by policy name
URL: https://<cb_ip_address>/cb/nitro/v1/config/qos_policies/<name>
citrix.com 829
Request Headers:
GET (ALL)
Use this operation to get list of traffic shaping policies
URL: https://<cb_ip_address>/cb/nitro/v1/config/qos_policies
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.qos_policies_list+json
{"qos_policies": [{
"priorityenabled": <boolean_value>,
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"modified": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
},
"propertyflags": <string_value>,
"policyid": <integer_value>
}, ...]}
citrix.com 830
GET
Use this operation to get list of traffic shaping policies
URL: https://<cb_ip_address>/cb/nitro/v1/config/qos_policies/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.qos_policies+json
{"qos_policies":{
"priorityenabled": <boolean_value>,
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"modified": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
},
"propertyflags": <string_value>,
"policyid": <integer_value>
}}
MODIFY
citrix.com 831
Use this operation to modify a policy
URL: https://<cb_ip_address>/cb/nitro/v1/config/qos_policies/<name>
Request Headers:
{"qos_policies":{
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
}
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.qos_policies+json
{"qos_policies":{
"priorityenabled": <boolean_value>,
"limitbandwidth": <boolean_value>,
"enabled": <boolean_value>,
"bandwidthlimittype": <string_value>,
"maxbandwidthoutpercent": <integer_value>,
"optimizeforvoice": <boolean_value>,
"icapriorityenabled": <boolean_value>,
"modified": <boolean_value>,
"maxbandwidthinabsolute": <integer_value>,
"icadiffservenabled": <boolean_value>,
"diffservenabled": <boolean_value>,
"maxbandwidthoutabsolute": <integer_value>,
"priority": <integer_value>,
"name": <string_value>,
"diffserv": <string_value>,
"maxbandwidthinpercent": <integer_value>,
"icadiffservices": {
citrix.com 832
"multistreaminteractive": <string_value>,
"multistreamrealtime": <string_value>,
"multistreambackground": <string_value>,
"singlestreamallpriorities": <string_value>,
"multistreambulktransfer": <string_value>
},
"icapriorities": {
"interactive": <integer_value>,
"realtime": <integer_value>,
"bulktransfer": <integer_value>,
"background": <integer_value>
},
"propertyflags": <string_value>,
"policyid": <integer_value>
}}
citrix.com 833
radius_params
Configuration of RADIUS server. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88 and VPX
platforms only.
Properties
Name Data Type Read-Only? Description
sharedsecretkey <String> No
RADIUS server's shared secret key.
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get RADIUS configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_params+json
{"radius_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"serverip": <string_value>,
"serverport": <integer_value>
}}
citrix.com 834
MODIFY
Use this operation to modify RADIUS configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_params
Request Headers:
{"radius_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"serverip": <string_value>,
"serverport": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_params+json
{"radius_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"serverip": <string_value>,
"serverport": <integer_value>
}}
citrix.com 835
radius_servers
Configuration of RADIUS server. This NITRO resource is applicable for CloudBridge 400, 800, 1000, 2000, 2000WS,
3000, 4000, and 5000 platforms only.
Properties
Data Read-
Name Description
Type Only?
port <String> No
RADIUS server port
nasid <String> No
NAS ID.
ipaddress <String> No
RADIUS server IP address.
groupsprefix <String> No Prefix string that precedes group names within a RADIUS
attribute for RADIUS group extraction.
ipvendorid <String> No The vendor ID of the attribute in the RADIUS response which
denotes the intranet IP.
groupseparator <String> No Group separator string that delimits group names within a
RADIUS attribute for RADIUS group extraction.
vendorid <String> No
Vendor ID for RADIUS group extraction.
name <String> No
Name of RADIUS server.
attributetype <String> No
Attribute type for RADIUS group extraction.
defaultauthenticationgroup <String> No This is the default group that is chosen when the authentication
succeeds in addition to extracted groups.
authtimeout <String> No The maximum number of seconds the system will wait for a
response from the RADIUS server.
key <String> No
Key of radius server.
citrix.com 836
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a RADIUS server
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_servers
Request Headers:
{"radius_servers":{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_servers+json
{"radius_servers":{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
citrix.com 837
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}}
DELETE
Use this operation to delete a RADIUS server
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_servers/<name>
Request Headers:
GET (ALL)
Use this operation to get RADIUS configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_servers
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_servers_list+json
{"radius_servers": [{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}, ...]}
citrix.com 838
GET
Use this operation to get RADIUS configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_servers/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_servers+json
{"radius_servers":{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}}
MODIFY
Use this operation to modify RADIUS configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/radius_servers/<name>
Request Headers:
{"radius_servers":{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
citrix.com 839
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.radius_servers+json
{"radius_servers":{
"port": <string_value>,
"ipattributetype": <string_value>,
"nasid": <string_value>,
"passencoding": <string_value>,
"pwdvendorid": <string_value>,
"accounting": <string_value>,
"ipaddress": <string_value>,
"groupsprefix": <string_value>,
"ipvendorid": <string_value>,
"groupseparator": <string_value>,
"vendorid": <string_value>,
"name": <string_value>,
"enablenasip": <string_value>,
"attributetype": <string_value>,
"defaultauthenticationgroup": <string_value>,
"pwdattributetype": <string_value>,
"authtimeout": <string_value>,
"key": <string_value>
}}
citrix.com 840
service_class
Configuration for service classes.
Properties
Data Read-
Name Description
Type Only?
qospolicy <String> No QoS policy applied for this service class. This field
applies only when QOS policy applied not per link.
<[Object,...]
filterrules No Filter rules defining the service class
>
<[String,...]
filterrules.sslprofiles No SSL profile attached with rule to enable SSL
>
optomization
<[Object,...]
filterrules.applications No Applications defining the rule.
>
applications.appname <String> No
app to be used for this rule
<[Object,...]
filterrules.srcipaddresses No Source IP address range defining the rule
>
citrix.com 841
srcipaddresses.excluded <Boolean> No If true, use the rule component as an exclude entity
order <Integer> Yes Precedence order of the service class. Higher the
order, more the precedence
classname <String> No
Service class name.
<[Object,...]
qoslinkpolicies No Per link QOS policy for the service class.
>
citrix.com 842
qoslinkpolicies.linkname <String> No Use ipaddressmask paramter to define ip or ip/mask
type range or use left/right parameters to define hyphen
seperated range
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/service_class
Request Headers:
{"service_class":{
"enabled": <boolean_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
citrix.com 843
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"sslenabled": <boolean_value>
}, ...],
"accelerationpolicy": <string_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...]
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class+json
{"service_class":{
"enabled": <boolean_value>,
"index": <integer_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
}, ...],
citrix.com 844
"accelerationpolicy": <string_value>,
"order": <integer_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...],
"modified": <boolean_value>,
"classid": <integer_value>,
"propertyflags": <string_value>
}}
DELETE
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/service_class/<classname>
Request Headers:
GET (ALL)
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/service_class
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class_list+json
{"service_class": [{
"enabled": <boolean_value>,
"index": <integer_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
citrix.com 845
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
}, ...],
"accelerationpolicy": <string_value>,
"order": <integer_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...],
"modified": <boolean_value>,
"classid": <integer_value>,
"propertyflags": <string_value>
}, ...]}
citrix.com 846
GET
Use this operation to get plugin diagnostic configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/service_class/<classname>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class+json
{"service_class":{
"enabled": <boolean_value>,
"index": <integer_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
citrix.com 847
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
}, ...],
"accelerationpolicy": <string_value>,
"order": <integer_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...],
"modified": <boolean_value>,
"classid": <integer_value>,
"propertyflags": <string_value>
}}
MODIFY
Use this operation to modify plugin diagnostic configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/service_class/<classname>
Request Headers:
{"service_class":{
"enabled": <boolean_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
citrix.com 848
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
}
}, ...],
"sslenabled": <boolean_value>
}, ...],
"accelerationpolicy": <string_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...]
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.service_class+json
{"service_class":{
"enabled": <boolean_value>,
"index": <integer_value>,
"qospolicy": <string_value>,
"filterrules": [{
"directiontype": <string_value>,
"vlans": [{
"vlanid": <integer_value>,
"excluded": <boolean_value>
}, ...],
"diffservices": [{
"excluded": <boolean_value>,
"bitsvalue": <string_value>
}, ...],
"sslprofiles": <string_value>,
"applications": [{
"excluded": <boolean_value>,
"appname": <string_value>
}, ...],
"srcipaddresses": [{
"excluded": <boolean_value>,
"srcipaddress": {
"rangetype": <string_value>,
citrix.com 849
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"dstipaddresses": [{
"excluded": <boolean_value>,
"dstipaddress": {
"rangetype": <string_value>,
"ipaddressmask": <string_value>,
"left": <string_value>,
"ipaddress": <string_value>,
"right": <string_value>
},
}, ...],
"sslenabled": <boolean_value>
}, ...],
"accelerationpolicy": <string_value>,
"order": <integer_value>,
"classname": <string_value>,
"qoslinkpolicies": [{
"qospolicyname": <string_value>,
"linkname": <string_value>
}, ...],
"modified": <boolean_value>,
"classid": <integer_value>,
"propertyflags": <string_value>
}}
citrix.com 850
session_params
Configuration of session parameters.
Properties
Data Read-
Name Description
Type Only?
guibanner <String> No
GUI banner text.
Minimum value = 0
Minimum value = 0
clibanner <String> No
CLI banner text.
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get session parameter details
citrix.com 851
URL: https://<cb_ip_address>/cb/nitro/v1/config/session_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.session_params+json
{"session_params":{
"guibanner": <string_value>,
"guibannerenable": <boolean_value>,
"clisessiontimeout": <integer_value>,
"loginfailurelimit": <integer_value>,
"guisessiontimeout": <integer_value>,
"maxuserfailures": <integer_value>,
"clibanner": <string_value>,
"clibannerenable": <boolean_value>,
"lockouttime": <integer_value>
}}
MODIFY
Use this operation to modify session parameter configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/session_params
Request Headers:
{"session_params":{
"guibanner": <string_value>,
"guibannerenable": <boolean_value>,
"clisessiontimeout": <integer_value>,
"loginfailurelimit": <integer_value>,
"guisessiontimeout": <integer_value>,
"maxuserfailures": <integer_value>,
"clibanner": <string_value>,
"clibannerenable": <boolean_value>,
"lockouttime": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.session_params+json
{"session_params":{
"guibanner": <string_value>,
"guibannerenable": <boolean_value>,
"clisessiontimeout": <integer_value>,
"loginfailurelimit": <integer_value>,
"guisessiontimeout": <integer_value>,
citrix.com 852
"maxuserfailures": <integer_value>,
"clibanner": <string_value>,
"clibannerenable": <boolean_value>,
"lockouttime": <integer_value>
}}
citrix.com 853
snmp
Configure SNMP status.
Properties
Name Data Type Read-Only? Description
SNMP status.
status <Boolean> No
Possible values = [true, false]
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get SNMP status
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp+json
{"snmp":{
"status": <boolean_value>
}}
MODIFY
Use this operation to modify SNMP status
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp
Request Headers:
citrix.com 854
{"snmp":{
"status": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp+json
{"snmp":{
"status": <boolean_value>
}}
citrix.com 855
snmp_manager
SNMP Manager Configuration
Properties
Name Data Type Read-Only? Description
Community
community <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SNMP Management Community Entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_manager
Request Headers:
{"snmp_manager":{
"community": <string_value>,
"snmpmanager": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_manager+json
{"snmp_manager":{
"community": <string_value>,
"snmpmanager": <string_value>
}}
DELETE
citrix.com 856
Use this operation to delete a SNMP Management Community Entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_manager/community=<STRINGX>,snmpmanager=
<IPADDRESS>
Request Headers:
GET (ALL)
Use this operation to get SNMP Management Communities
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_manager
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_manager_list+json
{"snmp_manager": [{
"community": <string_value>,
"snmpmanager": <string_value>
}, ...]}
GET
Use this operation to get SNMP Management Communities
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_manager/community=<STRINGX>,snmpmanager=
<IPADDRESS>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_manager+json
{"snmp_manager":{
"community": <string_value>,
"snmpmanager": <string_value>
}}
citrix.com 857
snmp_trap_dest
Properties
Name Data Type Read-Only? Description
Authentication Protocol
authprotocol <String> No
Possible values = [SHA1, MD5]
User Name
username <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
Authentication Password
Minimum length = 8
authpassword <String> No
Maximum length = 31
Privacy Protocol
privacyprotocol <String> No
Possible values = [AES, DES]
Trap Community
community <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
Privacy Password
Minimum length = 8
privacypassword <String> No
Maximum length = 31
Snmp Version
snmpversion <String> No
Possible values = [v1, v2c, v3]
Trap Type
traptype <String> No
Possible values = [trap, inform]
Operations
ADD | DELETE | GET (ALL) | GET
citrix.com 858
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SNMP Trap Destination
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_trap_dest
Request Headers:
{"snmp_trap_dest":{
"authprotocol": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"trapdestip": <string_value>,
"trapdestport": <integer_value>,
"privacyprotocol": <string_value>,
"community": <string_value>,
"privacypassword": <string_value>,
"trapdestname": <string_value>,
"snmpversion": <string_value>,
"traptype": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_trap_dest+json
{"snmp_trap_dest":{
"authprotocol": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"trapdestip": <string_value>,
"trapdestport": <integer_value>,
"privacyprotocol": <string_value>,
"community": <string_value>,
"privacypassword": <string_value>,
"trapdestname": <string_value>,
"snmpversion": <string_value>,
"traptype": <string_value>
}}
DELETE
Use this operation to delete a SNMP Trap Destination
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_trap_dest/<trapdestname>
Request Headers:
citrix.com 859
Authorization: Basic <base64 encoded(username:password)>
GET (ALL)
Use this operation to get SNMP Trap Destinations
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_trap_dest
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_trap_dest_list+json
{"snmp_trap_dest": [{
"authprotocol": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"trapdestip": <string_value>,
"trapdestport": <integer_value>,
"privacyprotocol": <string_value>,
"community": <string_value>,
"privacypassword": <string_value>,
"trapdestname": <string_value>,
"snmpversion": <string_value>,
"traptype": <string_value>
}, ...]}
GET
Use this operation to get SNMP Trap Destinations
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_trap_dest/<trapdestname>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_trap_dest+json
{"snmp_trap_dest":{
"authprotocol": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"trapdestip": <string_value>,
"trapdestport": <integer_value>,
"privacyprotocol": <string_value>,
citrix.com 860
"community": <string_value>,
"privacypassword": <string_value>,
"trapdestname": <string_value>,
"snmpversion": <string_value>,
"traptype": <string_value>
}}
citrix.com 861
snmp_user
SNMP Users
Properties
Name Data Type Read-Only? Description
Authentication Protocol
authprotocol <String> No
Possible values = [SHA1, MD5]
View
viewname <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
User Name
username <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
Authentication Password
Minimum length = 8
authpassword <String> No
Maximum length = 31
Privacy Protocol
privacyprotocol <String> No
Possible values = [AES, DES]
Privacy Password
Minimum length = 8
privacypassword <String> No
Maximum length = 31
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SNMP user entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_user
Request Headers:
citrix.com 862
Authorization: Basic <base64 encoded(username:password)>
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_user+json
{"snmp_user":{
"authprotocol": <string_value>,
"viewname": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"privacyprotocol": <string_value>,
"privacypassword": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_user+json
{"snmp_user":{
"authprotocol": <string_value>,
"viewname": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"privacyprotocol": <string_value>,
"privacypassword": <string_value>
}}
DELETE
Use this operation to delete a SNMP user entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_user/<username>
Request Headers:
GET (ALL)
Use this operation to get SNMP user entries
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_user
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_user_list+json
{"snmp_user": [{
citrix.com 863
"authprotocol": <string_value>,
"viewname": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"privacyprotocol": <string_value>,
"privacypassword": <string_value>
}, ...]}
GET
Use this operation to get SNMP user entries
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_user/<username>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_user+json
{"snmp_user":{
"authprotocol": <string_value>,
"viewname": <string_value>,
"username": <string_value>,
"authpassword": <string_value>,
"privacyprotocol": <string_value>,
"privacypassword": <string_value>
}}
citrix.com 864
snmp_view
View Names
Properties
Name Data Type Read-Only? Description
View Name
name <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
View Type
include <Boolean> No
Possible values = [true, false]
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SNMP View entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_view
Request Headers:
{"snmp_view":{
"subtree": <string_value>,
"name": <string_value>,
"include": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_view+json
citrix.com 865
{"snmp_view":{
"subtree": <string_value>,
"name": <string_value>,
"include": <boolean_value>
}}
DELETE
Use this operation to delete a SNMP View entry
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_view/subtree=<STRING>,name=<STRING>
Request Headers:
GET (ALL)
Use this operation to get SNMP View entries
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_view
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_view_list+json
{"snmp_view": [{
"subtree": <string_value>,
"name": <string_value>,
"include": <boolean_value>
}, ...]}
GET
Use this operation to get SNMP View entries
URL: https://<cb_ip_address>/cb/nitro/v1/config/snmp_view/subtree=<STRING>,name=<STRING>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.snmp_view+json
citrix.com 866
{"snmp_view":{
"subtree": <string_value>,
"name": <string_value>,
"include": <boolean_value>
}}
citrix.com 867
ssh
Configure SSH status.
Properties
Name Data Type Read-Only? Description
Enable/Disable SSH.
enable <Boolean> No
Possible values = [true, false]
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get SSH status
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssh/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssh+json
{"ssh":{
"status": <boolean_value>,
"enable": <boolean_value>
}}
MODIFY
Use this operation to modify SSH status
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssh
Request Headers:
citrix.com 868
Authorization: Basic <base64 encoded(username:password)>
Content-Type: application/vnd.com.citrix.cloudbridge.ssh+json
{"ssh":{
"enable": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssh+json
{"ssh":{
"status": <boolean_value>,
"enable": <boolean_value>
}}
citrix.com 869
ssl_ca
SSL CA store list.
Properties
Data Read-
Name Description
Type Only?
certpem <String> No Cert input in pem format. This is write only parameter. To fetch
certicate pem text or other details, see certinfo parameter.
name <String> No
CA Store Name
<[Object,...] Certificate pem text and expiry info for each certificate in the input
certinfo Yes
> bundle
certinfo.
<String> Yes
certexpirydate Certificate expiry date.
certinfo.certpem <String> No
Certificate Pem.
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SSL CA store
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_ca
Request Headers:
{"ssl_ca":{
"certpem": <string_value>,
"name": <string_value>
}}
citrix.com 870
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_ca+json
{"ssl_ca":{
"certificatedetails": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
DELETE
Use this operation to remove a SSL CA store
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_ca/<name>
Request Headers:
GET (ALL)
Use this operation to get SSL CA store configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_ca
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_ca_list+json
{"ssl_ca": [{
"certificatedetails": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}, ...]}
citrix.com 871
GET
Use this operation to get SSL CA store configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_ca/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_ca+json
{"ssl_ca":{
"certificatedetails": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
MODIFY
Use this operation to modify a SSL CA store
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_ca/<name>
Request Headers:
{"ssl_ca":{
"certpem": <string_value>,
"name": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_ca+json
{"ssl_ca":{
"certificatedetails": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
citrix.com 872
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
citrix.com 873
ssl_cert_keys
SSL Certificate-Key pair.
Properties
Data Read-
Name Description
Type Only?
<[String,...]
certificatedetails Yes Certificate details text providing Version,Serial Number,
>
Signature Algorithm,Issuer etc
certpem <String> No Cert input in pem format. This is write only parameter. To fetch
certicate pem text or other details, see certinfo parameter.
name <String> No
Certificate Name
certinfo.certpem <String> No
Certificate Pem.
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SSL Certificate-Key pair
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_cert_keys
citrix.com 874
Request Headers:
{"ssl_cert_keys":{
"modifyaction": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"keypem": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_cert_keys+json
{"ssl_cert_keys":{
"certificatedetails": <string_value>,
"modifyaction": <string_value>,
"certpem": <string_value>,
"keytype": <string_value>,
"name": <string_value>,
"keypem": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
DELETE
Use this operation to remove a SSL Certificate-Key pair
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_cert_keys/<name>
Request Headers:
GET (ALL)
Use this operation to get SSL Certificate-Key pair configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_cert_keys
Request Headers:
Response Headers:
citrix.com 875
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_cert_keys_list+json
{"ssl_cert_keys": [{
"certificatedetails": <string_value>,
"modifyaction": <string_value>,
"certpem": <string_value>,
"keytype": <string_value>,
"name": <string_value>,
"keypem": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}, ...]}
GET
Use this operation to get SSL Certificate-Key pair configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_cert_keys/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_cert_keys+json
{"ssl_cert_keys":{
"certificatedetails": <string_value>,
"modifyaction": <string_value>,
"certpem": <string_value>,
"keytype": <string_value>,
"name": <string_value>,
"keypem": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
MODIFY
Use this operation to modify a SSL Certificate-Key pair
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_cert_keys/<name>
Request Headers:
citrix.com 876
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_cert_keys+json
{"ssl_cert_keys":{
"modifyaction": <string_value>,
"certpem": <string_value>,
"name": <string_value>,
"keypem": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_cert_keys+json
{"ssl_cert_keys":{
"certificatedetails": <string_value>,
"modifyaction": <string_value>,
"certpem": <string_value>,
"keytype": <string_value>,
"name": <string_value>,
"keypem": <string_value>,
"certinfo": [{
"certexpirydate": <string_value>,
"certpem": <string_value>,
"certexpired": <boolean_value>
}, ...],
"certcount": <integer_value>
}}
citrix.com 877
ssl_partner
Configuration for setting up secure partner
Properties
Data Read-
Name Description
Type Only?
ciphers <String> No
Configured cipher specification
<[String,...]
listenonchoices Yes
> IP subnet vailable to chose listening IP from.
certkeyname <String> No
Certificate/Key pair to be use for secure tunneling.
castorename <String> No
Ca store used for authenticating negotiation with secure peer
citrix.com 878
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get SSL CA store configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_partner/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_partner+json
{"ssl_partner":{
"valid": <boolean_value>,
"discoveredpeers": <string_value>,
"defaultport": <integer_value>,
"availablecipherlist": <string_value>,
"ciphers": <string_value>,
"listenonchoices": <string_value>,
"autodiscovery": <boolean_value>,
"securepeerenabled": <boolean_value>,
"certkeyname": <string_value>,
"certverifyaction": <string_value>,
"connectto": <string_value>,
"publish": <string_value>,
"publishenabled": <boolean_value>,
"certverifycommonnames": <string_value>,
"listenon": <string_value>,
"castorename": <string_value>,
"cipherlist": <string_value>
}}
MODIFY
Use this operation to modify a SSL CA store
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_partner
Request Headers:
citrix.com 879
Request Payload: JSON
{"ssl_partner":{
"ciphers": <string_value>,
"autodiscovery": <boolean_value>,
"securepeerenabled": <boolean_value>,
"certkeyname": <string_value>,
"certverifyaction": <string_value>,
"connectto": <string_value>,
"publish": <string_value>,
"publishenabled": <boolean_value>,
"certverifycommonnames": <string_value>,
"listenon": <string_value>,
"castorename": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_partner+json
{"ssl_partner":{
"valid": <boolean_value>,
"discoveredpeers": <string_value>,
"defaultport": <integer_value>,
"availablecipherlist": <string_value>,
"ciphers": <string_value>,
"listenonchoices": <string_value>,
"autodiscovery": <boolean_value>,
"securepeerenabled": <boolean_value>,
"certkeyname": <string_value>,
"certverifyaction": <string_value>,
"connectto": <string_value>,
"publish": <string_value>,
"publishenabled": <boolean_value>,
"certverifycommonnames": <string_value>,
"listenon": <string_value>,
"castorename": <string_value>,
"cipherlist": <string_value>
}}
citrix.com 880
ssl_profile
SSL profiles list.
Properties
Data Read-
Name Description
Type Only?
virtualhostname <String> No Virtual host name of server for which the SSL profile is
being configured
clientsideciphers <String> No
Chosen ciphers for client side
serversideciphers <String> No
Chosen ciphers for server side
name <String> No
CA Store Name
citrix.com 881
certchainstorename <String> No
CA store to be used to validate client side negotiation
<[String,...]
certverifycommonnames No
> List of black/white listed server CN
serversideauthkeycertname <String> No
Key/Cert to be used for server side authentication
Enable/Disable profile
profileenabled <Boolean> No
Possible values = [true, false]
caverifystorename <String> No
CA store to be used to validate server side negotiation
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a SSL profile
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_profile
citrix.com 882
Request Headers:
{"ssl_profile":{
"clientsideprotoversion": <string_value>,
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_profile+json
{"ssl_profile":{
"clientsideprotoversion": <string_value>,
"profileinuse": <boolean_value>,
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"availablecipherlist": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serviceclasses": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"clientsidecipherlist": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"serversidecipherlist": <string_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}}
citrix.com 883
DELETE
Use this operation to remove a SSL profile
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_profile/<name>
Request Headers:
GET (ALL)
Use this operation to get SSL profile configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_profile
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_profile_list+json
{"ssl_profile": [{
"clientsideprotoversion": <string_value>,
"profileinuse": <boolean_value>,
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"availablecipherlist": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serviceclasses": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"clientsidecipherlist": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"serversidecipherlist": <string_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}, ...]}
citrix.com 884
GET
Use this operation to get SSL profile configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_profile/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_profile+json
{"ssl_profile":{
"clientsideprotoversion": <string_value>,
"profileinuse": <boolean_value>,
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"availablecipherlist": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serviceclasses": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"clientsidecipherlist": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"serversidecipherlist": <string_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}}
MODIFY
Use this operation to modify a SSL profile
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_profile/<name>
Request Headers:
{"ssl_profile":{
"clientsideprotoversion": <string_value>,
citrix.com 885
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_profile+json
{"ssl_profile":{
"clientsideprotoversion": <string_value>,
"profileinuse": <boolean_value>,
"serversideauthrequired": <boolean_value>,
"clientsiderenegotiation": <string_value>,
"availablecipherlist": <string_value>,
"virtualhostname": <string_value>,
"keycertname": <string_value>,
"clientsideciphers": <string_value>,
"disablesessionreuse": <boolean_value>,
"proxytype": <string_value>,
"serviceclasses": <string_value>,
"serversideciphers": <string_value>,
"name": <string_value>,
"clientsidecipherlist": <string_value>,
"serversiderenegotiation": <string_value>,
"certchainstorename": <string_value>,
"certverifycommonnames": <string_value>,
"transparentkeyname": <string_value>,
"serversideauthkeycertname": <string_value>,
"buildcertchain": <boolean_value>,
"serversideauthbuildcertchain": <boolean_value>,
"serversidecipherlist": <string_value>,
"profileenabled": <boolean_value>,
"caverifystorename": <string_value>,
"serversideprotoversion": <string_value>,
"certverifyaction": <string_value>,
"parsesubjectalternativenames": <boolean_value>
}}
citrix.com 886
ssl_store
Configuration of SSL Store
Properties
Data Read-
Name Description
Type Only?
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get SSL store state/password and disk encryption
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_store/
Request Headers:
Response Headers:
citrix.com 887
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_store+json
{"ssl_store":{
"passwordconfigured": <boolean_value>,
"storepassword": <string_value>,
"passwordenabled": <boolean_value>,
"diskencryption": <boolean_value>,
"storeopened": <boolean_value>
}}
MODIFY
Use this operation to modify SSL store state/password and disk encryption
URL: https://<cb_ip_address>/cb/nitro/v1/config/ssl_store
Request Headers:
{"ssl_store":{
"storepassword": <string_value>,
"passwordenabled": <boolean_value>,
"diskencryption": <boolean_value>,
"storeopened": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.ssl_store+json
{"ssl_store":{
"passwordconfigured": <boolean_value>,
"storepassword": <string_value>,
"passwordenabled": <boolean_value>,
"diskencryption": <boolean_value>,
"storeopened": <boolean_value>
}}
citrix.com 888
syslog_server
Syslog Server
Properties
Name Data Type Read-Only? Description
Operations
ADD | DELETE | GET (ALL) | GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a syslog server
URL: https://<cb_ip_address>/cb/nitro/v1/config/syslog_server
Request Headers:
{"syslog_server":{
"port": <integer_value>,
"serverip": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.syslog_server+json
{"syslog_server":{
"port": <integer_value>,
"serverip": <string_value>
}}
DELETE
citrix.com 889
Use this operation to delete a syslog server
URL: https://<cb_ip_address>/cb/nitro/v1/config/syslog_server/port=<INT>,serverip=<IPADDRESS>
Request Headers:
GET (ALL)
Use this operation to get syslog servers.
URL: https://<cb_ip_address>/cb/nitro/v1/config/syslog_server
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.syslog_server_list+json
{"syslog_server": [{
"port": <integer_value>,
"serverip": <string_value>
}, ...]}
GET
Use this operation to get syslog servers.
URL: https://<cb_ip_address>/cb/nitro/v1/config/syslog_server/port=<INT>,serverip=<IPADDRESS>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.syslog_server+json
{"syslog_server":{
"port": <integer_value>,
"serverip": <string_value>
}}
citrix.com 890
system_info
System Information
Properties
Name Data Type Read-Only? Description
platform <String> No
Platform
swreleasedate <String> No
Software Release Date
hostname <String> No
Hostname of CB system
serial_number <String> No
Serial Number of CB system
Operations
GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Get System Information.
URL: https://<cb_ip_address>/cb/nitro/v1/config/system_info/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.system_info+json
{"system_info":{
"platform": <string_value>,
"swreleasedate": <string_value>,
"hostname": <string_value>,
"serial_number": <string_value>
}}
citrix.com 891
tacacs_params
Configuration of TACACS server. This NITRO resource is applicable for CloudBridge SM83, SM85, SM88 and VPX
platforms only.
Properties
Name Data Type Read-Only? Description
sharedsecretkey <String> No
TACACS server's shared secret key.
Use Encryption.
useencryption <Boolean> No
Possible values = [true, false]
serverip <String> No
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get TACACS configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_params/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_params+json
{"tacacs_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"useencryption": <boolean_value>,
citrix.com 892
"serverip": <string_value>,
"serverport": <integer_value>
}}
MODIFY
Use this operation to modify TACACS configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_params
Request Headers:
{"tacacs_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"useencryption": <boolean_value>,
"serverip": <string_value>,
"serverport": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_params+json
{"tacacs_params":{
"sharedsecretkey": <string_value>,
"status": <boolean_value>,
"useencryption": <boolean_value>,
"serverip": <string_value>,
"serverport": <integer_value>
}}
citrix.com 893
tacacs_servers
Configuration of TACACS server. This NITRO resource is applicable for CloudBridge 400, 800, 1000, 2000, 2000WS,
3000, 4000, and 5000 platforms only.
Properties
Data Read-
Name Description
Type Only?
port <String> No
TACACS server port
tacacskey <String> No
TACACS server's shared secret key.
name <String> No
Name of TACACS server.
authtimeout <String> No The maximum number of seconds the system will wait for a response from
the TACACS server.
ip <String> No
TACACS server IP address.
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a TACACS server
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_servers
Request Headers:
{"tacacs_servers":{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}}
citrix.com 894
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_servers+json
{"tacacs_servers":{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}}
DELETE
Use this operation to delete a TACACS server
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_servers/<name>
Request Headers:
GET (ALL)
Use this operation to get TACACS configuration details
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_servers
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_servers_list+json
{"tacacs_servers": [{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}, ...]}
GET
Use this operation to get TACACS configuration details
citrix.com 895
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_servers/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_servers+json
{"tacacs_servers":{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}}
MODIFY
Use this operation to modify TACACS configuration
URL: https://<cb_ip_address>/cb/nitro/v1/config/tacacs_servers/<name>
Request Headers:
{"tacacs_servers":{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tacacs_servers+json
{"tacacs_servers":{
"port": <string_value>,
"tacacskey": <string_value>,
"name": <string_value>,
"accounting": <string_value>,
"authtimeout": <string_value>,
"ip": <string_value>
}}
citrix.com 896
traffic_features
Features related to network traffic
Properties
Data Read-
Name Description
Type Only?
message <String> Yes
Read only message depending upon feature state
Value of feature
featurestate <Boolean> No
Possible values = [true, false]
Operations
GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET (ALL)
Use this operation to get traffic features
URL: https://<cb_ip_address>/cb/nitro/v1/config/traffic_features
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.traffic_features_list+json
{"traffic_features": [{
"message": <string_value>,
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}, ...]}
citrix.com 897
GET
Use this operation to get traffic features
URL: https://<cb_ip_address>/cb/nitro/v1/config/traffic_features/<featurename>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.traffic_features+json
{"traffic_features":{
"message": <string_value>,
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
MODIFY
Use this operation to set traffic features
URL: https://<cb_ip_address>/cb/nitro/v1/config/traffic_features/<featurename>
Request Headers:
{"traffic_features":{
"featurestate": <boolean_value>,
"featurename": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.traffic_features+json
{"traffic_features":{
"message": <string_value>,
"featurestate": <boolean_value>,
"featurename": <string_value>,
"uiname": <string_value>
}}
citrix.com 898
tune_setting
Get and Set for parameters on tuning page
Properties
Data Read-
Name Description
Type Only?
Maximum value = 27
Maximum value = 20
citrix.com 899
timeoutenabled <Boolean> No Timeout Enabled flag
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get tuning parameters
URL: https://<cb_ip_address>/cb/nitro/v1/config/tune_setting/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tune_setting+json
{"tune_setting":{
"virtualinlinemode": <string_value>,
"ftpcontrolports": <integer_value>,
"privilegedportslowest": <integer_value>,
"tcpmaximummss": <integer_value>,
"tcpdefaultmss": <integer_value>,
"idletimeout": <double_value>,
"wanscalelimit": <integer_value>,
"lanscalelimit": <integer_value>,
"timeoutenabled": <boolean_value>,
citrix.com 900
"privilegedportshighest": <integer_value>,
"fwdloopprevent": <boolean_value>,
"rshellports": <integer_value>,
"daisychain": <boolean_value>
}}
MODIFY
Use this operation to set tuning parameters
URL: https://<cb_ip_address>/cb/nitro/v1/config/tune_setting
Request Headers:
{"tune_setting":{
"virtualinlinemode": <string_value>,
"ftpcontrolports": <integer_value>,
"privilegedportslowest": <integer_value>,
"tcpmaximummss": <integer_value>,
"tcpdefaultmss": <integer_value>,
"idletimeout": <double_value>,
"wanscalelimit": <integer_value>,
"lanscalelimit": <integer_value>,
"timeoutenabled": <boolean_value>,
"privilegedportshighest": <integer_value>,
"fwdloopprevent": <boolean_value>,
"rshellports": <integer_value>,
"daisychain": <boolean_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.tune_setting+json
{"tune_setting":{
"virtualinlinemode": <string_value>,
"ftpcontrolports": <integer_value>,
"privilegedportslowest": <integer_value>,
"tcpmaximummss": <integer_value>,
"tcpdefaultmss": <integer_value>,
"idletimeout": <double_value>,
"wanscalelimit": <integer_value>,
"lanscalelimit": <integer_value>,
"timeoutenabled": <boolean_value>,
"privilegedportshighest": <integer_value>,
"fwdloopprevent": <boolean_value>,
"rshellports": <integer_value>,
"daisychain": <boolean_value>
}}
citrix.com 901
user_account
User Accounts
Properties
Data Read-
Name Description
Type Only?
User Name
username <String> No
Valid char set = ^[-_.@0-9a-zA-Z]+
Password
password <String> No
Minimum length = 1
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
citrix.com 902
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a user account
URL: https://<cb_ip_address>/cb/nitro/v1/config/user_account
Request Headers:
{"user_account":{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.user_account+json
{"user_account":{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}}
DELETE
Use this operation to delete a user account
URL: https://<cb_ip_address>/cb/nitro/v1/config/user_account/<username>
Request Headers:
GET (ALL)
citrix.com 903
Use this operation to get user account details
URL: https://<cb_ip_address>/cb/nitro/v1/config/user_account
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.user_account_list+json
{"user_account": [{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}, ...]}
GET
Use this operation to get user account details
URL: https://<cb_ip_address>/cb/nitro/v1/config/user_account/<username>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.user_account+json
{"user_account":{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}}
MODIFY
Use this operation to modify user account
citrix.com 904
URL: https://<cb_ip_address>/cb/nitro/v1/config/user_account/<username>
Request Headers:
{"user_account":{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.user_account+json
{"user_account":{
"enablesessiontimeout": <boolean_value>,
"username": <string_value>,
"sessiontimeoutunit": <string_value>,
"privilege": <string_value>,
"externalauthentication": <boolean_value>,
"password": <string_value>,
"groups": <string_value>,
"sessiontimeout": <string_value>
}}
citrix.com 905
videocaching_prepopulation
Configure Video Caching Prepopulation.
Properties
Data Read-
Name Description
Type Only?
urlinfo <String> No
URL information.
username <String> No
Username to access the specified URL. This is an optional parameter.
Start downloading and caching videos from the URL to the appliance
schedule <String> No immediately, or download them at a scheduled time.
Indicates whether the video has been fetched from the specified URL.
fetchedonce <Boolean> Yes
Possible values = [true, false]
Date and time at which to stop downloading and caching the videos
scheduleendtime <String> No from the URL. ( format dd/mm/yyyy[Thh[:mm[:ss]]]
Date and time at which start to download videos from the URL. (
schedulestarttime <String> No format dd/mm/yyyy[Thh[:mm[:ss]]]
name <String> No
Name of the prepopulation entry.
Date and time indicating when the video will be fetched again from the
nextscheduletime <String> Yes specified URL. ( format dd/mm/yyyy[Thh[:mm[:ss]]]
interface <String> No
The accelerated bridge port to download videos from the URL.
password <String> No
Password to access the specified URL. This is an optional parameter.
Date and time of video last fetch from the specified URL. ( format
lastfetchedtime <String> Yes dd/mm/yyyy[Thh[:mm[:ss]]]
citrix.com 906
url <String> No
URL of a specific video, or of a video folder on which directory
indexing is enabled, or of a video server to cache videos in advance.
Must be a complete URL, such as http://example.com/.
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY | STARTNOW | STATUSREFRESH
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add Video Caching Prepopulation entry.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation
Request Headers:
{"videocaching_prepopulation":{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"url": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation+json
{"videocaching_prepopulation":{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"fetchedonce": <boolean_value>,
"status": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"nextscheduletime": <string_value>,
citrix.com 907
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"lastfetchedtime": <string_value>,
"url": <string_value>
}}
DELETE
Use this operation to delete Video Caching Prepopulation entry.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation/<name>
Request Headers:
GET (ALL)
Use this operation to add Video Caching Prepopulation entries.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation_list+json
{"videocaching_prepopulation": [{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"fetchedonce": <boolean_value>,
"status": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"nextscheduletime": <string_value>,
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"lastfetchedtime": <string_value>,
"url": <string_value>
}, ...]}
GET
Use this operation to add Video Caching Prepopulation entries.
citrix.com 908
HTTP Method: GET
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation+json
{"videocaching_prepopulation":{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"fetchedonce": <boolean_value>,
"status": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"nextscheduletime": <string_value>,
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"lastfetchedtime": <string_value>,
"url": <string_value>
}}
MODIFY
Use this operation to modify Video Caching Prepopulation entry.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation/<name>
Request Headers:
{"videocaching_prepopulation":{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"url": <string_value>
}}
Response Headers:
citrix.com 909
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation+json
{"videocaching_prepopulation":{
"urlinfo": <string_value>,
"username": <string_value>,
"schedule": <string_value>,
"fetchedonce": <boolean_value>,
"status": <string_value>,
"scheduleendtime": <string_value>,
"schedulestarttime": <string_value>,
"name": <string_value>,
"enable": <boolean_value>,
"nextscheduletime": <string_value>,
"repeat": <string_value>,
"interface": <string_value>,
"password": <string_value>,
"lastfetchedtime": <string_value>,
"url": <string_value>
}}
STARTNOW
Use this operation to start download for the specific Video Caching Prepopulation entry.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation?action=startnow
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation+json
STATUSREFRESH
Use this operation to refresh status of a Video Caching Prepopulation entry.
URL: https://<cb_ip_address>/cb/nitro/v1/config/videocaching_prepopulation?action=statusrefresh
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.
videocaching_prepopulation+json
citrix.com 910
Response Payload: JSON
citrix.com 911
video_caching_config
Get and Set video caching global parameters and clear video cache
Properties
Data Read-
Name Description
Type Only?
maxobjectsize <Integer> No Maximum video object or file size in Megabytes. Allowed sizes are 100,
200, 300 MB
Operations
GET | MODIFY | RESET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get video caching global parameters
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_caching_config/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_caching_config+json
{"video_caching_config":{
"maxobjectsize": <integer_value>
}}
MODIFY
Use this operation to modify video caching global parameters
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_caching_config
Request Headers:
citrix.com 912
Request Payload: JSON
{"video_caching_config":{
"maxobjectsize": <integer_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_caching_config+json
{"video_caching_config":{
"maxobjectsize": <integer_value>
}}
RESET
Use this operation to reset or clear video cache
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_caching_config?action=reset
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_caching_config+json
citrix.com 913
video_sources
Get, Set, Add and Delete video sources for video caching
Properties
Name Data Type Read-Only? Description
name <String> No
Domain name or IP of video source
Operations
ADD | DELETE | GET (ALL) | GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
ADD
Use this operation to add a video source
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_sources
Request Headers:
{"video_sources":{
"cachestatus": <string_value>,
"name": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_sources+json
{"video_sources":{
"cachestatus": <string_value>,
"name": <string_value>
}}
DELETE
Use this operation to delete a video source
citrix.com 914
HTTP Method: DELETE
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_sources/<name>
Request Headers:
GET (ALL)
Use this operation to get one or all video sources configured
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_sources
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_sources_list+json
{"video_sources": [{
"cachestatus": <string_value>,
"name": <string_value>
}, ...]}
GET
Use this operation to get one or all video sources configured
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_sources/<name>
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_sources+json
{"video_sources":{
"cachestatus": <string_value>,
"name": <string_value>
}}
MODIFY
Use this operation to modify a video source
citrix.com 915
HTTP Method: PUT
URL: https://<cb_ip_address>/cb/nitro/v1/config/video_sources/<name>
Request Headers:
{"video_sources":{
"cachestatus": <string_value>,
"name": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.video_sources+json
{"video_sources":{
"cachestatus": <string_value>,
"name": <string_value>
}}
citrix.com 916
windows_domain
Join Leave or Get status of windows domain
Properties
Data Read-
Name Description
Type Only?
Password
domainuserpassword <String> No
Minimum length = 1
Operations
GET | MODIFY
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get status of registered windows domain
URL: https://<cb_ip_address>/cb/nitro/v1/config/windows_domain/
Request Headers:
citrix.com 917
Accept: application/vnd.com.citrix.cloudbridge.windows_domain+json
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.windows_domain+json
{"windows_domain":{
"domainname": <string_value>,
"registereddomain": <string_value>,
"registeredstatuserrormsg": <string_value>,
"domainaction": <string_value>,
"registeredstatus": <string_value>,
"domainuserpassword": <string_value>,
"domainuser": <string_value>,
"leaveorjoin": <string_value>
}}
MODIFY
Use this operation to trigger leave or join windows domain action
URL: https://<cb_ip_address>/cb/nitro/v1/config/windows_domain
Request Headers:
{"windows_domain":{
"domainname": <string_value>,
"domainaction": <string_value>,
"domainuserpassword": <string_value>,
"domainuser": <string_value>,
"leaveorjoin": <string_value>
}}
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.windows_domain+json
{"windows_domain":{
"domainname": <string_value>,
"registereddomain": <string_value>,
"registeredstatuserrormsg": <string_value>,
"domainaction": <string_value>,
"registeredstatus": <string_value>,
"domainuserpassword": <string_value>,
"domainuser": <string_value>,
"leaveorjoin": <string_value>
}}
citrix.com 918
Statistics
List of the resources for which you can get statistical information:
accel_connections
unaccel_connections
citrix.com 919
accel_connections
Accelerated Connections
Properties
Data Read-
Name Description
Type Only?
duration <Integer> Yes
Duration of connection in seconds
State of connection
state <String> Yes
Possible values = [Open, Opening, Closed, Closing]
Operations
GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get connection running
citrix.com 920
URL: https://<cb_ip_address>/cb/nitro/v1/stat/accel_connections/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.accel_connections+json
{"accel_connections":{
"duration": <integer_value>,
"idletime": <integer_value>,
"serviceclass": <string_value>,
"initiator": <string_value>,
"bytestransferred": <string_value>,
"iscompressed": <boolean_value>,
"state": <string_value>,
"issslproxy": <boolean_value>,
"compressionalgorithm": <string_value>,
"compressionratio": <double_value>,
"responder": <string_value>,
"partnerunit": <string_value>
}}
citrix.com 921
unaccel_connections
Unaccelerated Connections
Properties
Name Data Type Read-Only? Description
duration <Double> Yes
Duration of connection in seconds
State of connection
state <String> Yes
Possible values = [Open, Opening, Closed, Closing]
Operations
GET
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
GET
Use this operation to get connection running
URL: https://<cb_ip_address>/cb/nitro/v1/stat/unaccel_connections/
Request Headers:
Response Headers:
Content-Type: application/vnd.com.citrix.cloudbridge.unaccel_connections+json
{"unaccel_connections":{
"duration": <double_value>,
"idletime": <double_value>,
"passthroughreason": <string_value>,
"initiator": <string_value>,
citrix.com 922
"bytestransferred": <string_value>,
"state": <string_value>,
"responder": <string_value>
}}
citrix.com 923
Error Messages
Error Code Error Code Error Message
DONE 0 Done
ERR_BULK_OPERATION 30000 Bulk operation failed
ERR_FROM_ORBITAL 1005 Error message from orbital
ERR_INTERNAL 1200 Internal server error
ERR_INVALID_METHOD 1100 Invalid HTTP method
ERR_INVALID_OPERATION 1002 Invalid operation
ERR_INVALID_PARAM 1003 Invalid Parameter
ERR_INVALID_PAYLOAD 1001 Invalid payload
ERR_INVALID_RESOURCE 1000 Invalid Resource
ERR_MANDATORY_PARAM_MISSING 1004 Mandatory parameter missing
ERR_UNDEFINED -1 Dynamic error
WARN_FROM_ORBITAL 100 Warning from orbital
citrix.com 924
1999-2016 Citrix Systems, Inc. All Rights Reserved.
citrix.com 925