The mystery of the Citrix Interceptor BHO

When there is a new fix or update released for a product I work with frequently, I always like to read the release notes to see what has been fixed or what kind of new features have been added. This helps in estimating what kind of impact the fix/update will have when installing it in an environment. It frustrates me when new functionality is added that is not listed in the release notes, and even more so when a production environment suffers because of it.
This is exactly the case with the Internet Explorer Add-On from Citrix called the Citrix Interceptor BHO. (BHO = Browser Helper Object)

This Citrix Interceptor BHO is automatically added through one of the following ways:

CtxVDAIEInterceptorBHO Class installed through Hotfix 025 for XenApp 6.5

CtxIEInterceptorBHO Class installed through Citrix Receiver 3.2

When one of the above is installed, you will likely see popups when opening Internet Explorer asking to allow this BHO and its components to load outside of Internet Explorer protected mode.
If you are lucky you spot this popup when going through a test procedure, but if Internet Explorer was not on your test list you will get a lot of calls to the support desk from frustrated users.
Imagine that your users (or worse, some management staff) ask you what this Internet Explorer Add-on is about and you cannot really give a good answer; will they take you seriously about the things you are installing in a production environment? I think this is really bad…

Neither the release notes of Citrix Receiver 3.2 nor those of XenApp 6.5 Hotfix 025 give any details about this BHO; it looks like it is kept top secret. The only information from Citrix I could find is the following:

“In recent releases of Citrix Receiver for Windows, Citrix has implemented a new Browser Helper Object (BHO) – CtxIEInterceptorBHO (IEInterceptor.dll). This BHO does not currently provide any additional functionality for the majority of customers running XenApp or XenDesktop and is actively used only by certain XenApp Cloud Service Provider customers.”

Ok, so it is not used by the majority of customers running XenApp or XenDesktop, only by certain XenApp Cloud Service Providers… Why is it (already) added to a public release of Receiver and a public release of a XenApp hotfix with so little information provided?

I think only Citrix can answer this question. My guess is that the BHO adds functionality for some reverse seamless/content redirection functionality from project Dorado and that Citrix will keep this secret till the functionality is officially announced (maybe with the release of XenApp 6.5 Rollup Pack 1).

Since there is so little information about this BHO, I have chosen to disable this add-on entirely till there is more information about it from Citrix. The BHO add-on can easily be disabled through a group policy; see this CTX KB for more details on how to do this.
This way it is easy to enable the add-on again when Citrix comes with more information about the BHO and you decide you want to use it.
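Before and after rolling out such a policy, it helps to know on which machines the interceptor is actually registered and whether the policy has taken effect. The following PowerShell script is an added example, not part of the original post and not a Citrix tool: it inventories the Browser Helper Objects registered on the local machine, resolves each CLSID to its friendly name and DLL, flags entries served by IEInterceptor.dll (the file named in the Citrix statement quoted above), and reports the Add-on List policy state for each. The BHO registration key is the standard one; the policy key location and its 0/1/2 value meanings are assumptions noted in the comments.

```powershell
# Added example, not from the original post or from Citrix: inventory Internet
# Explorer Browser Helper Objects and flag the Citrix interceptor by DLL name.
# Run in an elevated PowerShell on the client or XenApp server being checked.

# Standard BHO registration keys (the Wow6432Node path holds 32-bit BHOs on 64-bit Windows).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Where a CLSID is resolved to its friendly name and InprocServer32 DLL.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# Assumption: the Internet Explorer "Add-on List" Group Policy stores one REG_SZ
# value per CLSID under this key, with data 0 = disabled, 1 = enabled,
# 2 = user may enable/disable. Adjust if your environment differs.
$addonPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    if (Test-Path -Path $Path) {
        (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
    }
}

function Get-InstalledBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            $name = $null; $dll = $null
            foreach ($root in $clsidRoots) {
                $clsidPath = Join-Path -Path $root -ChildPath $clsid
                if (Test-Path -Path $clsidPath) {
                    $name = Get-DefaultValue $clsidPath
                    $dll  = Get-DefaultValue (Join-Path -Path $clsidPath -ChildPath 'InprocServer32')
                    break
                }
            }
            # Look up the policy value named after this CLSID, if the policy key exists.
            $policy = $null
            if (Test-Path -Path $addonPolicyKey) {
                $policy = (Get-ItemProperty -Path $addonPolicyKey -ErrorAction SilentlyContinue).$clsid
            }
            $policyState = switch ("$policy") {
                '0'     { 'Disabled' }
                '1'     { 'Enabled' }
                '2'     { 'UserChoice' }
                default { 'NotManaged' }
            }
            [pscustomobject]@{
                CLSID               = $clsid
                Name                = $name
                Dll                 = $dll
                PolicyState         = $policyState
                IsCitrixInterceptor = [bool]($dll -match 'IEInterceptor\.dll$')
            }
        }
    }
}

# Show the inventory with interceptor entries first. An interceptor row that is
# still "NotManaged" after the GPO was deployed means the policy has not applied.
Get-InstalledBho | Sort-Object -Property IsCitrixInterceptor -Descending | Format-Table -AutoSize
```

Because the script reads only HKLM, it can be pushed out through your usual inventory tooling and the output compared across machines; a BHO that is registered but has no policy entry is still loaded by Internet Explorer, which is exactly the state the group policy is meant to remove.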

In a previous blog I wrote a workaround to get rid of the annoying popup in IE and enable the BHO and its components for everybody, but for now I would advise to disable the Citrix BHO entirely till Citrix comes with more information about it.
If someone has additional information about the interceptor BHO please let me know.

Please note that the information in this blog is provided as is without warranty of any kind.

The future of Access Gateway

5 June was the second Citrix CiTIE 2012 event in the Benelux. I wasn’t able to join the event, but I would like to thank everybody on twitter for the live updates and Wilco van Bragt for the summary of the event.

One of the announcements I noticed was the retirement of the Access Gateway Standard edition.
I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?
Below I have summarized a quick list of features of the Netscaler CAGEE and of CAG Standard in combination with the Advanced Access Control software. Of course Netscaler can do a lot of other things, but we will concentrate on the Access Gateway functionality here.

Feature                                       Netscaler (CAGEE)   CAG Standard + AAC*
ICA Proxy                                     Yes                 Yes
SSL VPN                                       Yes                 Yes
Multiple Logon points (Basic + Smart access)  Yes                 Yes
Clientless Access                             Yes                 Yes
Endpoint Analysis                             Yes                 Yes
High Availability                             Yes                 Yes
LDAP / Radius authentication                  Yes                 Yes
Simultaneous user sessions                    5,000 and up**      500

* Advanced Access Control software
** Depends on the model

As you can see, a lot of the same features are present on both products; a big difference is the scalability and the concurrent user limits.
But although a lot of the features are the same, they work in very different ways, for example:

They use a different SSL VPN plugin
Imagine the following scenario:
One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.
The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…

They use different types of logon points
Netscaler uses virtual IPs (VIPs) that can be configured in Basic mode or Smart Access mode (see my previous blog post for more details about these modes); more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.

CAG Standard has one public facing FQDN; logon points are created after this FQDN, like https:\\my.cag.com\lp\xenapp. These logon points can be in Basic mode or Smart Access mode, and only one Logon Point can be set as the default.

They use different clientless access methods and have a different policy structure
Netscaler is very flexible when it comes to profiles and policies: you can manage policies on almost every level (Global, VIP, Groups/Users) and apply them based on different expression filters, which is why CAGEE really fits like a glove in a lot of different access scenarios. There is no extra software needed to enable advanced functionality like clientless access.

CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc.) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a Windows server, which can be a security concern (not because it’s Windows, but because you would need to update and secure 2 components in this setup).

They are different in architecture and hardware
Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs; these are the Netscaler models available today:

Physical Appliance (MPX)          Virtual Appliance (Netscaler VPX)
MPX 5500                          Licensed based on bandwidth (10, 200, 1000, 3000)
MPX 7500/9500
MPX 9700/10500/12500/15500

The higher the range, the more performance you get. Physical appliances can handle more concurrent connections because they have SSL offloading capabilities and because there is no hypervisor layer. Physical appliances in the higher ranges also have redundant components, like power supplies.

The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors:

Physical Appliance (2010)         Virtual Appliance (Access Gateway VPX)

The hardware of the 2010 appliance is really low-end; it’s nothing more than hardware you find in a cheap PC.
I was a little bit ashamed when I opened this appliance at a customer site a while ago because of a bad hard drive; there is no way you can explain the amount of money paid for this appliance.

Conclusion:
So Citrix has 2 products that have very similar features. Because of the difference in architecture of these products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality, for example). This may be one of the core reasons why Citrix will retire one of them.
I think CAGEE (Netscaler) is the best Access Gateway edition there is; it’s far more flexible and fits in a lot more different scenarios and use cases. Access Gateway on Netscaler is also future proof because:

– Access Gateway rides on Netscaler’s success (built on good hardware and a large install base)
– All Smart Access functionality is on board the appliance; no need for external software
– Fits in a lot of different scenarios thanks to the modular design of Netscaler
– Can be used for more than Access Gateway functionality only, load balancing of services for example

Ok, so what will be the future of Access Gateway?
If Citrix retires CAG Standard + Advanced and makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done, right?

Not really. I think Access Gateway VPX is a good replacement for the Secure Gateway software, as a Netscaler can be a bridge too far for some customers. Also, if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adopting Netscaler to enable Access Gateway functionality.

The perfect future, if you ask me, is that Citrix strips the Access Gateway VPX down to standard functionality (providing access to XenApp and XenDesktop) and gives it to customers for free as a replacement for the Secure Gateway software.
Then they should retire the Advanced Controller software and ditch the 2010 appliance.
So in the end there will be 2 editions of Access Gateway left:

– Access Gateway VPX for providing basic functionality to access XA/XD
– Netscaler with Access Gateway Platform license for providing basic functionality to access XA/XD, which can be extended with Access Gateway Universal licenses (also included in Cloud Gateway Enterprise) to provide Smart Access functionality.

Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.