Citrix SIA + SD-WAN Integration

Citrix SD-WAN and CSIA integration offers flexibility and choice for a mixed profile of branch users in an enterprise. An organisation typically has a mix of managed and unmanaged devices in a branch where Citrix SD-WAN is deployed. With the integration, the CSIA Cloud Connector enables SD-WAN to securely break out traffic from managed devices to the CSIA cloud using the Internet service (with load balancing). Unmanaged devices, such as BYOD and guest users, are secured using an IPsec tunnel with Citrix SD-WAN and CSIA as the tunnel endpoints.


There are several ways to secure users as they access cloud and SaaS apps. The methods cover use cases where the user sits behind an SD-WAN appliance at the branch, works from home, or is fully mobile.


For a user sitting at a corporate office, SD-WAN automatically creates secure connectivity to the closest CSIA point of presence. Traffic is tunnelled via a GRE or IPsec tunnel. Redundancy is achieved both at the tunnel level and via multiple links to primary and secondary points of presence.


If a user leaves the corporate perimeter, the Cloud Connector installed on the device redirects traffic to the CSIA cloud. The connector also authenticates the user and installs the appropriate certificates for SSL decryption.


Use-cases/Benefits

  • Seamless SIA for managed devices and reliable, secure access to DC workloads via the SD-WAN Virtual Path: On managed devices behind SD-WAN, it is easy to use the Citrix SIA agent for secure internet access. The SD-WAN overlay forwards branch-to-data-centre workload traffic securely and reliably.

  • Reliable IPsec tunnel over SD-WAN's multiple WAN links for local-subnet-based secure internet access of agentless devices: BYOD or personal laptops that are not managed by the enterprise can be secured via the highly reliable IPsec tunnel between Citrix SD-WAN and Citrix SIA. The reliability comes from the tunnel using multiple WAN links.

  • Simple security posture for guest domains in a branch via DNS redirection or IPsec tunnel: Guest domains use a separate tunnel/local subnet with a related security group mapping.


The image below shows a flow diagram for 3 primary use cases:


1) Branch Users

2) Remote Users WITHOUT Workspace Service

3) Remote Users WITH Workspace Service



Citrix SD-WAN and Citrix SIA integration offers flexibility and choice for a mixed profile of branch users in an enterprise. An enterprise typically has a mix of managed and unmanaged devices in a branch where Citrix SD-WAN is deployed. With the integration, the Citrix SIA agent allows traffic from managed devices to break out securely to the Citrix SIA cloud via the SD-WAN using the Internet service (with load balancing). Unmanaged devices, such as BYOD and guest users, are secured using an IPsec tunnel with Citrix SD-WAN and Citrix SIA as the tunnel endpoints.


Together, Citrix SD-WAN and Citrix SIA provide organisations with enterprise-grade performance improvements and security benefits along with a great user experience. Talk to our team to learn more about how Citrix SIA can help meet your organisation's security requirements.