Configuring SD-WAN management access in a secure manner.
https://docs.netscaler.com/en-us/citrix-sd-wan
Citrix SD-WAN editions are typically deployed in an enterprise private network. We recommend that you
deploy the Citrix SD-WAN solution wherein the management IPs are accessible only from a trusted
network and the management interface is secured with the required authentication policies.
Best practices:
As a guideline to secure your Citrix SD-WAN deployment, configure the management IP addresses of
your Citrix SD-WAN appliances to be accessible only from a trusted network.
We recommend that you place the management IP addresses in an isolated network, preferably in a
separate VLAN. This limits the number of users or devices that can access the management IP address.
These are some guidelines on making the deployment secure for SE/PE Edition:
Below are some guidelines on making the deployment secure for WANOP Edition:
Keep the Management IPs (NSIP and the management service IP) on an isolated management network
In general, we always recommend keeping the management IPs on an isolated network, preferably on a separate VLAN. This limits the number of users or devices that can access the IP address.
Enhance security by generating an SSH key pair and using it for authentication
Using SSH keys means that an attacker cannot get to the front door without a cryptographically sound login. This prevents malicious users from connecting to the NetScaler SD-WAN. For more on configuring SSH keys, refer to CTX109011 - How to Secure SSH Access to the NetScaler Appliance with Public Key Authentication.
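As an added example (not taken from the Citrix documentation), the following Python audit combines the two recommendations above: it checks OpenSSH-style authorized_keys entries for weak key types and for a from= restriction that stays inside the management network. The subnet 10.20.30.0/24, the 3072-bit RSA minimum and the sample keys are assumptions constructed for illustration, and whether a given appliance honors from= options should be confirmed against its own documentation.

```python
import base64, ipaddress, re, struct

MGMT_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed management VLAN subnet
MIN_RSA_BITS = 3072                                # assumed local policy value

def _fields(blob):
    """Split an SSH wire-format public key blob into length-prefixed fields."""
    out = []
    while blob:
        (n,) = struct.unpack(">I", blob[:4])
        out.append(blob[4:4 + n])
        blob = blob[4 + n:]
    return out

def audit_entry(line):
    """Return findings for one authorized_keys line (empty list = acceptable)."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(parts):
        return ["unparseable entry"]
    findings, ktype = [], parts[idx]
    fields = _fields(base64.b64decode(parts[idx + 1]))
    if ktype == "ssh-dss":
        findings.append("DSA key")
    elif ktype == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is only {bits} bits")
    m = re.search(r'from="([^"]*)"', " ".join(parts[:idx]))
    if not m:
        findings.append("no from= source restriction")
    else:
        for pat in m.group(1).split(","):
            try:
                ok = ipaddress.ip_network(pat, strict=False).subnet_of(MGMT_NET)
            except (ValueError, TypeError):
                ok = False  # hostnames, wildcards, negations: review by hand
            if not ok:
                findings.append(f"from= pattern {pat} is not inside {MGMT_NET}")
    return findings

# Constructed sample entries (dummy key material, not real keys).
def _blob(*f):
    return base64.b64encode(b"".join(struct.pack(">I", len(x)) + x for x in f)).decode()
def _mpint(n):
    return n.to_bytes(n.bit_length() // 8 + 1, "big")
WEAK_RSA = "ssh-rsa " + _blob(b"ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)) + " old-admin"
GOOD = 'from="10.20.30.0/28" ssh-ed25519 ' + _blob(b"ssh-ed25519", bytes(32)) + " ops"
WIDE = 'from="192.168.0.0/16" ssh-ed25519 ' + _blob(b"ssh-ed25519", bytes(32)) + " ops2"
```

Calling audit_entry on each line of an exported authorized_keys file gives a per-key list of findings; an empty list means the entry meets both checks.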
Use Transport Layer Security when Accessing Administrator Interface: