The future of Access Gateway
5 June was the second Citrix CiTIE 2012 event in the Benelux, I wasn’t able to join the event but I would like to thanks everybody on twitter for the live updates and Wilco van Bragt for the summary of the event.
One of the announcements I noticed was the retirement of the Access Gateway Standard edition.
I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?
Below I have summarized a quick list of features, between the Netscaler CAGEE and CAG Standard in combination with the advanced access control software. Of course Netscaler can do a lot more other things, but we will concentrate on the Access Gateway functionality here.
|Netscaler (CAGEE)||CAG Standard + AAC*|
|Multiple Logon points (Basic + Smart access)||Yes||Yes|
|LDAP \ Radius authentication||Yes||Yes|
|Simultaneous user sessions||5,000 and up**||500|
* Advanced Access Control software
** Depends on the model
As you can see a lot of the same features are present on both products, a big difference is the scalability and concurrent user limits.
But although a lot of the features are the same, they are working in very different ways for example :
They use a different SSL VPN plugin
Imagine the following scenario:
One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.
The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…
They use different types of logon points
Netscaler uses virtual IP’s (VIPs) that can be configured in Basic mode or Smart Access mode (see my previous blog post for more details about this modes), more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.
CAG Standard has one public facing FQDN, logon points are created after this FQDN like https:\\my.cag.com\lp\xenapp, this logon points can be in Basic mode or Smart Access mode, only one Logon Point can be set as the default.
They use different clientless access methods and have a different policy structure
Netscaler is very flexible when it comes to profiles and policies, you can manage policies on almost every level (Global, VIP, Groups\Users) and apply them based on different expression filters, this is why CAGEE really fits like a glove in a lot of different access scenarios. There is no extra software needed to enable advanced functionality like clientless access.
CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a windows server which can be a security concern (not because it’s windows but you would need to update and secure 2 components in this setup)
They are different in architecture and hardware
Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs, this are the Netscaler models available today :
|Physical Appliance (MPX)||Virtual Appliance (Netscaler VPX)|
|MPX 5500||Licensed based on bandwidth (10,200,1000,3000)|
The higher the range the more performance you get, physical appliances can have more concurrent connections because they have SSL offloading capabilities and because there is no Hypervisor layer. Physical appliances in higher ranges also have redundant components, like power supplies.
The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors :
|Physical Appliance (2010)||Virtual Appliance (Access Gateway VPX)|
The hardware of the 2010 appliance is really low level, it’s nothing more than hardware you find in a cheap PC.
I was a little bit ashamed when i opend this appliance on a customer site a while ago because of a bad harddrive, there is no way you can explain the amount of money paid for this appliance.
So Citrix have 2 products that have very similar features, because of the difference in architecture of this products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality for example). This may be one of the core reasons why Citrix will retire one of them.
I think CAGEE (Netscaler) is the best Access Gateway edition there is, it’s far more flexible and fits in a lot more different scenarios and use cases. Access Gateway on Netscaler is also future prove because of :
– Access Gateway is lifting on Netscalers success (build on good hardware and install base)
– All Smart Access functionality is on board of the appliance no need for external software
– Fits in a lot of different scenarios based on the modular design of Netscaler
– Can be used for more functionality then Access Gateway only, Load balancing of services for example
Ok so what will be the future of Access Gateway?
If Citrix will retire CAG Standard + Advanced and Citrix makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done right?
Not really, I think Access Gateway VPX is a good replacement for the Secure Gateway software, a Netscaler can be a bridge to far for some customers. Also if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adapting Netscaler to enable Access Gateway functionality.
The perfect future if you ask me, is that Citrix will strip the Access Gateway VPX to provide standard functionality (providing access to XenApp and XenDesktop) and give it to customers for free as a replacement of the Secure Gateway software.
Then they should retire the Advanced Controller software and ditch the 2010 appliance.
So at the end there will be 2 editions of Access Gateway left :
– Access Gateway VPX for providing basic functionality to access XA/XD
– Netscaler with Access Gateway Platform license for providing basic functionality to access XA/XD, which can be extended with Access Gateway Universal licenses (also included in Cloud Gateway Enterprise) to provide Smart Access functionality.
Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.
3 thoughts on “The future of Access Gateway”
Another big advantage of AGEE for many government and banking customers is Smart card support which you do not list in your features comparison table.
Indeed also a big advantage, i totally forgot to mention the Smart Card support, thanks Neil.
You mentioned it in a oneliner but load balancing is really a great feature of the NetScaler / CagEE. This will makes the whole chain high available. LDAP, XML, RSA, WI, CloudGateway, Sharepoint, Exchange etc. And this even with the VPX.
In my opinion HA should be default, even with smaller companies! Its like a domain controller you can’t live with one anymore!
I totally agree, there will be some work left in developing a attractive licensing model. Or add a stripped down NetScaler with only the basic features (SSL,LB,AG,HA).