High-performance and secure application delivery with SD-WAN · what problems has microsoft seen with...

Post on 21-May-2020


1 © 2018 Citrix | Confidential

MAY 24, 2019

© 2016 Citrix | Confidential

High-Performance and Secure Application Delivery with SD-WAN: Intelligent Solution for O365, SaaS and Apps from Your Own Data Center

Hans-Jörg Friedrich

Strategic Partner Manager Networking

Hans-jorg.Friedrich@citrix.com

Central Europe


Agenda

Why is there a need for SD-WAN

What is SD-WAN and what do I get

O365 as Use Case

SD-WAN and Office 365

ITM for Office 365

Summary

Application explosion

In 2019, more than 80% of new applications will be distributed via the cloud

(IDC for AT&T)

Over 80% of employees use unapproved SaaS applications at work

(2018 McAfee)

Over 70% of bandwidth used by non-business-critical applications

(2018 Orange)

79% of organizations suffer application performance problems

(2018 BT)

Cloud: Loss of control?

The WAN is impacted by change

Disruptions Impacting the Enterprise WAN

Explosion of bandwidth intensive applications

Dependence on always on connectivity

Growth in digital voice and video communications

Move of applications to cloud and SaaS

Security concerns at every level

Cost cutting and leaner IT staffs

Increase in virtualized applications and desktops


…Wasn’t Designed for Internet Traffic Demands

Data Center

MPLS

Branch

Up to 50%: Internet traffic on some enterprises’ MPLS networks

State of the WAN Report, Ashton Metzler & Associates, 2017

Citrix SD-WAN for HMC

[Diagram labels: Branch, Clinic or Store; Internet access; SWG; SaaS Applications; Cloud (AWS, Azure); DC; Citrix SaaS Gateways (2Q18)]

SD-WAN: Intelligent Path Control

[Diagram: two NetScaler SD-WAN appliances connected over MPLS, Internet and LTE paths, with latency, loss, jitter and congestion measured on each path in each direction]

Logical tunnel created by encapsulating in UDP

• The quality of every potential path is assessed with every packet, in each direction
• QoS per application; min/max bandwidth and prioritization
• Link aggregation/utilization
• Security pattern user/app/location/device
• WAN Optimization
• Centralized Management
• Z-Touch Deployment

Latency, loss, jitter, congestion and availability are monitored for each path and in each direction. Real traffic is used for the measurement, not probe data.

Application-aware firewall with Centralized and Integrated Configuration

You can restrict which zones this application's traffic can come from and go to

Control whether to allow, reject, or drop this traffic

Apply policies to groups of applications, individual applications, or subsets of traffic within an application

9 © 2017 Citrix

Citrix SD-WAN – What do I get?

Unified Policies & Management

Application Optimized Connectivity

1. Dynamic Path Control: MPLS, Internet, LTE, Satellite
2. Overlay Routing: Full Routing Capabilities
3. User Centric: dependent on User/App/Location/Device, Security Certificate Details
4. WAN Opt.: Flow Control, De-Duplication and Acceleration
5. Centralized Management: On Prem or Cloud Based

Citrix-Microsoft Partnership

From Desktop to Multi-Cloud Evolution

• 1989: Virtual Desktop for Windows
• July 2018: SD-WAN for Azure Virtual WAN
• Sept 2018: ADC for Azure DNS
• Nov 2018: SD-WAN for Office 365

Why Citrix SD-WAN for Office 365?

Accelerate Office 365 deployments through API integration for automation

Routing of Internet traffic based on business policies

Lower latency for improved branch office user experience

Faster Migration to Office 365

Improved User Experience

Boost Workforce Productivity

© 2019 Citrix | Summit 2019 | Confidential – Content in this presentation is under NDA

Office 365—Traditional Enterprise Approach

• All traffic is sent to the data center
• Expensive
• Slow
• All traffic has to be fully inspected for security
• Poor use of resources
• Per Microsoft, latency must be <30 ms to O365 front door

[Diagram labels: Branch, Data Center, MPLS, ISP]

What problems has Microsoft seen with Office 365?

Slide from Ignite 2018 conference (BRK3000)

“Existing internet connectivity to Office 365 will not be ‘good enough’ for most Office 365 usage scenarios”

Gartner

Network Design Best Practices for Office 365, August 2018

Microsoft Global Network

aka.ms/pnc

Office 365 Use Cases

• Exchange Online

• Teams/Skype for Business

• SharePoint Online & OneDrive for Business

Per Microsoft, users should be <30 ms from the Office 365 front door

[Diagram labels: Branch, MPLS, Data Center, Front-door (three)]

Backhauling through the data center?

User complaints or performance issues?

Skype for Business / Teams

Exchange Online

SharePoint Online & OneDrive for Business

Office 365 IP & URL Categories

Optimize (Required) (~8 URLs)

• Good connectivity is required for Office 365
• Microsoft hosted IPs and URLs
• Expect slow rate of change
• Should not SSL break & inspect the traffic to these endpoints
• Recommend for local egress from the user’s location
• Represents over 75% of Office 365 bandwidth

Allow (Required) (~100 URLs)

• Send directly where possible and recommend not to SSL break & inspect
• Some endpoints will have URLs only
• Some network latency is not expected to cause major performance issues

Default (Optional) (Remaining URLs)

• Direct network traffic similar to web browsing
• Some endpoints clearly marked optional, lost functionality is described
• May not be in Microsoft datacenters
• Most endpoints will have URLs only
• Standard Internet latency is okay

Microsoft’s Office 365 Connectivity Principles

https://docs.microsoft.com/en-us/office365/enterprise/office-365-network-connectivity-principles

The New Approach: Identify Office 365 traffic using Microsoft APIs

[Diagram labels: Branch, SD-WAN, {api}, ISP, Microsoft global network, Front-door, SD-WAN, Data center; low priority / non/untrusted-O365 traffic]

• Optimal routing and traffic management
• Local breakout direct to O365 front door
• ID and categorize traffic – optimize, allow or default
• Reduced load on corporate resources
• Security devices
• Network
• Higher productivity
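Added example, not part of the original deck and not Citrix or Microsoft code: the "ID and categorize traffic" step in Python, mapping a destination to Optimize, Allow or Default and from there to an egress path and TLS-inspection setting as the Office 365 IP & URL Categories slide describes. The records are constructed placeholders shaped like the output of Microsoft's endpoint web service; `POLICY`, `classify`, `decide` and the egress labels are hypothetical names, and sending unmatched traffic through the data center with inspection is an assumption.

```python
import ipaddress

# Constructed records shaped like Microsoft's Office 365 endpoint web
# service output (category, urls, ips). Hostnames and prefixes are
# placeholders, not real Office 365 endpoints.
SAMPLE_ENDPOINTS = [
    {"category": "Optimize", "urls": ["mail.o365.example"],
     "ips": ["192.0.2.0/25", "2001:db8:1::/48"]},
    {"category": "Allow", "urls": ["*.collab.o365.example"],
     "ips": ["192.0.2.0/24"]},
    {"category": "Default", "urls": ["*.cdn.vendor.example"]},
]

# Optimize/Allow handling follows the slides. Treating Default and
# unmatched traffic as ordinary inspected web traffic is an assumption.
POLICY = {
    "Optimize": {"egress": "local-breakout", "tls_inspect": False},
    "Allow": {"egress": "local-breakout", "tls_inspect": False},
    "Default": {"egress": "web-path", "tls_inspect": True},
    None: {"egress": "backhaul-dc", "tls_inspect": True},
}
RANK = {"Optimize": 0, "Allow": 1, "Default": 2}

def host_matches(host, pattern):
    """Exact match, or leading '*.' suffix match; other wildcards fail closed."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return len(host) > len(pattern) - 1 and host.endswith(pattern[1:])
    return host == pattern

def classify(dest):
    """Return the highest-priority category for an IP or hostname, else None."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname
    hits = []
    for rec in SAMPLE_ENDPOINTS:
        if addr is not None:
            matched = any(addr in ipaddress.ip_network(n) for n in rec.get("ips", []))
        else:
            matched = any(host_matches(dest, p) for p in rec.get("urls", []))
        if matched:
            hits.append(rec["category"])
    return min(hits, key=RANK.__getitem__) if hits else None

def decide(dest):
    """Map a destination to its egress path and TLS-inspection setting."""
    return POLICY[classify(dest)]
```

Hostname wildcards are honoured only as a leading `*.` label anchored at the end of the name, so a look-alike such as `collab.o365.example.attacker.test` is not exempted from inspection.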

Resolve DNS locally on SD-WAN

[Diagram labels: Branch, DNS (Quad 9), SD-WAN, {api}, ISP, Microsoft global network, Front-door, SD-WAN, Data center; low priority / non/untrusted-O365 traffic]

Policy integration with Azure Virtual WAN

Office 365 Policy Integration with Azure Virtual WAN

[Diagram labels: Branch, Citrix SD-WAN, ISP, Internet, Virtual WAN, {api}, Azure Resource Manager, Microsoft global network, Front-door]

• Enable fetching of Office 365 policy settings in Azure Virtual WAN (via Azure Resource Center)

• Enable Office 365 detection and firewall rules to be added automatically

• SD-WAN then splits O365 traffic locally at branch for direct connectivity to the nearest Office 365 front door

Read more: https://bit.ly/2puHp2a

Simplified O365 Policy Configuration

Policy import from Azure

Azure as an On-ramp to Office 365

[Diagram labels: Citrix SD-WAN, SD-WAN VPX, Azure Network]

• In some cases, if the latency penalty is small, it may be desirable to use Azure as an on-ramp to Office

• Why?

– In some areas of the world, latency on Internet connections varies wildly (50-200 ms), far beyond typical “jitter”

– Some jurisdictions unpredictably restrict O365 traffic

• SD-WAN VPX in Azure provides additional functionality not possible with an asymmetric solution, esp. handling of link degradation (“brown-outs”) by leveraging two ISPs

• When? Use this approach if there is an Azure data center near the closest O365 front door to the branch office, when always-on connectivity to O365 is a requirement

Roadmap: Intelligent Traffic Management for O365

Path selection using Citrix ITM

CY’19

[Diagram labels: Branch, Citrix SD-WAN, Internet (DIA/DSL/Cable), ISP1, ISP2, MPLS, Citrix SD-WAN, Microsoft global network, Front-door; latency labels 60 ms and 45 ms]

© Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.

Overall Improvement in Office 365 Experience

Faster opening Word documents in Office Online

Faster opening PowerPoint documents in Office Online

Faster upload speeds

Faster download speeds

Better call quality