Cloud Gateway a Wrap-Up so far Part 2

Cloud Gateway a Wrap-Up so far Part 2

Table of Contents :

1 : Introduction
2 : Cloud Gateway architecture and components
3 : Cloud Gateway Mobile Experience (MDX) Technology
4 : Access Gateway : ICA Proxy, Clientless VPN and Secure Browse
5 : Native Receiver VS Receiver for Web
6 : ShareFile
7 : Conclusion

1 : Introduction

A few months ago I wrote a wrap-up about Citrix Cloud gateway and the upcoming 2.0 release, it’s one of the posts on my blog that gets the most hits so I thought I should write a follow-up. If you are new to Cloud Gateway you should read my previous wrap-up first to get a better understanding of the architecture. In this post I’m going through the new features of Cloud Gateway 2.0 and things I came across when setting up a demo environment.

2: Cloud Gateway architecture and components

Cloud Gateway consists of the following key components :

Appcontroller for User provisioning and SSO to Web (internal & external), SaaS and Native mobile apps
Citrix Receivers for connecting to Cloud Gateway

Optional components are :

Storefront Services for connecting to XenApp & XenDesktop back-end and providing access through Receiver for Web \ HTML5
Access Gateway Enterprise (Netscaler VPX/MPX) for external access to Cloud Gateway
Merchandising Services for controlled plugin distribution
– Integration with ShareFile infrastructure (Follow-Me-Data)

All optional components are included in the current Cloud Gateway Enterprise edition, except for the ShareFile subscription fee and the Access Gateway Platform license (universal licenses are included).

Citrix made a clever move by making Storefront services an optional component of Cloud Gateway, in this way they can sell Cloud Gateway as a separate stand-alone product, but on the other hand offer tight integration through Storefront for existing Citrix customers. I think the majority will use Cloud Gateway to extend their current Citrix back-end so Storefront will play a key role in most environments. In the use case that Storefront is not used, Citrix Receivers connects straight to Appcontroller or indirect through Access Gateway to Appcontroller.
Because I think a picture speaks 1000 words, I made a basic diagram of the Cloud Gateway components including ShareFile :

3 : Cloud Gateway Mobile Experience (MDX) Technology

Cloud Gateway MDX is the new marketing term for the features of Cloud Gateway, you can compare it with the marketing term HDX which stands for all the user experience optimizations around the ICA protocol. Let’s translate the MDX features into some more technical descriptions :

Feature Description
MDX App vault Sandboxed container controlled by Citrix Receiver which can be   remotely wiped
MDX Web Connect Embedded (mobile) web browser for secure browse connections
MDX Micro VPN Client side rewrite technology through Netscaler (Secure Browse)
MDX Policy Orchestration Management of (native) mobile apps through Appcontroller and   provides smart access like features

This MDX features gives IT control and security over their apps and data, but at the same time gives the users the freedom to control their own mobile device. I think this is best for both worlds and it prevents that users are going to work around the system.

MDX Ready Program
Citrix will initiate a MDX Ready partner program to validate apps for use with MDX, Citrix self will release an MDX native e-mail app which runs inside the App vault container and doesn’t expose itself to other apps on the mobile device improving security.

4: Access Gateway : ICA Proxy ,Clientless VPN and Secure Browse

Ok now things are getting very interesting, lets start with Access Gateway…

Access Gateway support
Cloud Gateway MDX features are only available in conjunction with Access Gateway Enterprise (Netscaler), there is no support for Access Gateway VPX (STD\ADV), in fact Citrix will shortly announce that Access Gateway VPX will go end-of-life. I wrote a blog about the future of Access Gateway a while ago, I wrote down my thoughts about why Citrix would support 2 products with almost identical features and why I think Access Gateway Enterprise (Netscaler) is the better product. At first I thought they should keep Access Gateway VPX as a replacement for Secure Gateway to provide basic connections and provide it for free, but then they would still need to support 2 products. If we look at the VPX appliances, we have a Netscaler VPX and the Access Gateway VPX, if we look at the MPX appliances we have the Netscaler MPX and Access Gateway Enterprise MPX, did you spot the outsider? Yep the big difference is that Access Gateway VPX is a very different product and the rest is Netscaler only licensed differently, if we look closer there is one edition missing :

Access Gateway Enterprise VPX
To replace Access Gateway VPX, there will be a Access Gateway Enterprise VPX edition (Finally!), this is a stripped down Netscaler which only gives you access to Access Gateway features. Citrix will also provide trade-ups and will adjust the pricing accordingly. So at the end we will have the following Access Gateway appliances left :

CAGEE Physical Appliance (MPX) CAGEE Virtual Appliance (VPX)
MPX 5500 Access Gateway Enterprise VPX
MPX 7500/9500
MPX 9700/10500/12500/15500

If you have a Netscaler MPX\VPX appliance you can enable the Access Gateway component and use it besides all other Netscaler functionality.

Access Gateway Policies and Profiles
The power of Access Gateway Enterprise IMHO is its flexible architecture, Access Gateway Enterprise fits like a glove in a lot of different environments and different access scenarios, because of its modular design. Since the Cloud Gateway release there are a lot of Access Gateway policies and profiles needed for different access scenarios and Receiver types, it will take some time to create and configuring them manually. To address this Citrix added a wizard (since version which will create a baseline of policies and profiles for you. After the baseline is set you can still configure and adjust everything  according your needs, so the wizard helps you with the baseline but there will be no compromise on the flexibility afterwards.

ICA Proxy
ICA Proxy will enable you to do SSO pass-through to Webinterface, it doesn’t use Clientless VPN so you can use it on a VIP in basic mode. ICA Proxy provides the same functionality as Secure Gateway, which means basic ICA connections only. It is not documented anywhere but I can confirm that ICA proxy still works with Receiver for Web so if you want to provide basic access to Xenapp or XenDesktop you can use it just like with Webinterface. If you want more Cloud Gateway functionality you need Smart Access functionality like CVPN :

Clientless VPN
Clientless VPN (CVPN) has been around in Access Gateway for a while now, this Server side rewriting technology is great for providing access to OWA and other webapps behind Access Gateway. But the downside of CVPN is that not every webapp supports it, I can remember spending a lot of time in troubleshooting rewrite policies to intranet applications, but if it works it works pretty well and you don’t have to leverage a full VPN tunnel to allow access to webapps securely. CVPN in a Cloud Gateway setup is only used for traffic to Receiver for Web and traffic to Appcontroller, besides that CVPN is turned off so external Web\SaaS apps are not rewritten by Access Gateway but instead opened directly by Receiver (after SSO is done by Appcontroller), for internal webapps there is a new feature in Cloud Gateway :

Secure Browse
Secure Browse is one of the features I’m most excited about, instead of leveraging CVPN or a Full VPN tunnel, the Receiver for IPAD uses a secure channel between Receiver and Access Gateway called Secure Browse (or MDX Micro VPN). Secure Browse provides secure session based access to internal webapps behind Access Gateway. Another cool thing about Secure Browse is that it’s using an embedded webbrowser (MDX Web Connect) to render both internal and external webapps controlled by Appcontroller. Web Connect is totally controlled by Citrix Receiver and doesn’t expose critical data on the mobile device, Secure Browse will support any webapp because there is nothing rewritten by Access Gateway so no more troubleshooting of rewrite policies and broken links.
Secure Browse is currently only available on the Receiver for IPAD, other Receivers will still leverage a full VPN tunnel to provide access to internal webapps, but it’s expected that Citrix will extend Secure Browse to other Receivers as well.
I tested Secure Browse with OWA and SharePoint and it works really well, I can’t wait to see this functionality on other Receivers to.

5: Receiver for Web VS Native Receiver

In my previous wrap-up I talked about the difference between Receiver for Web and Webinterface, it’s clear that there are still features missing in Receiver for Web in comparison to Webinterface, but Citrix is closing this gap in upcoming releases of Storefront, in version 1.2 for example they already made some enhancements by separating Desktops from Apps and allowing user initiated desktop restarts. In this wrap-up I made a list of different functionality I noticed when using the Receiver for Web and the Native Receiver, please note that this list can quickly become out dated when updates of the Receivers are released.

Receiver for Web Native Receiver
User initiated Desktop restarts Yes No
Desktop viewer used Only for XenDesktop Also for XenApp published desktops
ShareFile integration Through web SSO Embedded in Receiver
Location aware with Web Beacons No* Yes
SSO through Appcontroller Yes Yes
Initiate full VPN by clicking app No Yes
Separated views for Apps and Desktops Yes No
Auto Subscribed applications Yes Yes
Auto launch applications Yes** No
Sticky (mandatory) applications Yes*** No

* When connecting with Receiver for Web through Access Gateway, the connection is always established through Access Gateway. In Webinterface it was possible to configure the connection method based on the IP range, Web beacons makes the decision based on internal and external URLs but this only works for the Native Receiver.

** Auto launch is default enabled in Receiver for Web when there is only 1 published desktop, if you have more desktops published you can manually edit the Default.htm.script.min.js file to define which one should be auto launched, expected is that auto launch will be enabled through a keyword  just like with auto subscribed applications

*** Sticky applications removes the delete cross when you hover over the app icon, to enable this you need to manually edit the Default.htm.script.min.js file, expected is that sticky apps will also be enabled through a keyword in the app description

So it’s clear that there are some functional differences between this Receivers, which one you should use depends on the functionality you want and the access scenario you need to provide.
For example : If you want ShareFile integration besides published apps go for the Native Receiver, if you want to provide a (kiosk) access model for published desktops go for Receiver for Web.

6: ShareFile

ShareFile is another element of Cloud Gateway i’m very excited about, if you integrate ShareFile into your Cloud Gateway setup, you can give your users a true follow-me-data experience on every device without compromising on security. IT can remotely wipe data from lost or stolen devices and data is stored in an encrypted format to further improve security. Data is also available offline with ShareFile sync. Besides follow-me-data ShareFile enables users to share (large) files with colleagues, but also with external contacts, you can trace who downloads files or control the amount of downloads. Besides that file versioning, drive mappings and Outlook integration are all features that are available with ShareFile. Some elements are comparable with other follow-me-data solutions like RES Hyper-Drive, which is also a nice on-premise follow-me-data concept from RES Software, because ShareFile is now part of Citrix there is a tight integration with Cloud Gateway and the Receivers.

ShareFile and Appcontroller
You can establish a SAML trust between Appcontroller and ShareFile to provide account provisioning, in this way your AD users are automatically created inside ShareFile, I noticed in my demo environment that  this process sometimes take a while, so before you start troubleshooting wait a bit. Also be sure to create a role for ShareFile users inside Appcontroller, because if you select All Users, every AD account will be created in ShareFile consuming all your licenses (learned this the hard way). What’s very cool is that you can configure ShareFile to only allow authentication through Appcontroller and SSO, in this way users cannot connect to ShareFile directly further improving security. If SSO to ShareFile isn’t working please check the time settings on Appcontroller, if it’s a few minutes of SSO doesn’t work correctly, it took me some time to figure that out.

ShareFile Storage Zones
With ShareFile storage zones you can control where data is stored, a Storage Zone can also be On-Premise, more awesomeness will come in feature releases of Storage Zones when we can connect ShareFile to existing CIFS shares and SharePoint environments, imagine the possibilities!

7: Conclusion

Congratulations! you made it to the conclusion section 😉 sorry it was a bit of lengthy post but that’s because Cloud Gateway and surrounding technologies are a big deal and there is so much to cover. Cloud Gateway lets you aggregate and secure Cloud services and On-premise services into one logical logon point with the same look and feel on every device. Integration plays the key role in Cloud Gateway. I’m very excited about Cloud Gateway 2.0 and the upcoming features, on one hand its giving IT the flexibility and control over data, apps and security they need and on the other hand gives the user freedom to choose whichever device they like to use, I really think this concept is the future and I think it will change the traditional desktop as we know it today.

If you want to be notified when Part 3 or another blogpost comes out, subscribe to my blog site or follow me on Twitter : @bramwolfs

Please note that the information in this blog is provided as is without warranty of any kind, it is a mix of own research and information provided by Citrix. Some information is based on speculations and predictions.

The future of Access Gateway

The future of Access Gateway

5 June was the second Citrix CiTIE 2012 event in the Benelux, I wasn’t able to join the event but I would like to thanks everybody on twitter for the live updates and Wilco van Bragt for the summary of the event.

One of the announcements I noticed was the retirement of the Access Gateway Standard edition.
I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?
Below I have summarized a quick list of features, between the Netscaler CAGEE and CAG Standard in combination with the advanced access control software. Of course Netscaler can do a lot more other things, but we will concentrate on the Access Gateway functionality here.

Netscaler (CAGEE) CAG Standard + AAC*
ICA Proxy Yes Yes
Multiple Logon points (Basic + Smart access) Yes Yes
Clientless Access Yes Yes
Endpoint Analysis Yes Yes
High Availability Yes Yes
LDAP \ Radius authentication Yes Yes
Simultaneous user sessions 5,000 and up** 500

* Advanced Access Control software
** Depends on the model

As you can see a lot of the same features are present on both products, a big difference is the scalability and concurrent user limits.
But although a lot of the features are the same, they are working in very different ways for example :

They use a different SSL VPN plugin
Imagine the following scenario:
One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.
The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…

They use different types of logon points
Netscaler uses virtual IP’s (VIPs) that can be configured in Basic mode or Smart Access mode (see my previous blog post for more details about this modes), more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.

CAG Standard has one public facing FQDN, logon points are created after this FQDN like https:\\\lp\xenapp, this logon points can be in Basic mode or Smart Access mode, only one Logon Point can be set as the default.

They use different clientless access methods and have a different policy structure
Netscaler is very flexible when it comes to profiles and policies, you can manage policies on almost every level (Global, VIP, Groups\Users) and apply them based on different expression filters, this is why CAGEE really fits like a glove in a lot of different access scenarios.  There is no extra software needed to enable advanced functionality like clientless access.

CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a windows server which can be a security concern (not because it’s windows but you would need to update and secure 2 components in this setup)

They are different in architecture and hardware
Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs, this are the Netscaler models available today :

Physical Appliance (MPX) Virtual Appliance (Netscaler VPX)
MPX 5500 Licensed based on bandwidth (10,200,1000,3000)
MPX 7500/9500
MPX 9700/10500/12500/15500

The higher the range the more performance you get, physical appliances can have more concurrent connections because they have SSL offloading capabilities and because there is no Hypervisor layer. Physical appliances in higher ranges also have redundant components, like power supplies.

The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors :

Physical Appliance (2010) Virtual Appliance (Access Gateway VPX)

The hardware of the 2010 appliance is really low level, it’s nothing more than hardware you find in a cheap PC.
I was a little bit ashamed when i opend this appliance on a customer site a while ago because of a bad harddrive, there is no way you can explain the amount of money paid for this appliance.

Conclusion : 
So Citrix have 2 products that have very similar features, because of the difference in architecture of this products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality for example). This may be one of the core reasons why Citrix will retire one of them.
I think CAGEE (Netscaler) is the best Access Gateway edition there is, it’s far more flexible and fits in a lot more different scenarios and use cases.  Access Gateway on Netscaler is also future prove because of :

– Access Gateway is lifting on Netscalers success (build on good hardware and install base)
– All Smart Access functionality is on board of the appliance no need for external software
– Fits in a lot of different scenarios based on the modular design of Netscaler
– Can be used for more functionality then Access Gateway only, Load balancing of services for example

Ok so what will be the future of Access Gateway?
If Citrix will retire CAG Standard + Advanced and Citrix makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done right?

Not really,  I think Access Gateway VPX is a good replacement for the Secure Gateway software, a Netscaler can be a bridge to far for some customers. Also if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adapting Netscaler to enable Access Gateway functionality.

The perfect future if you ask me, is that Citrix will strip the Access Gateway VPX to provide standard functionality (providing access to XenApp and XenDesktop) and give it to customers for free as a replacement of the Secure Gateway software.
Then they should retire the Advanced Controller software and ditch the 2010 appliance.
So at the end there will be 2 editions of Access Gateway left :

– Access Gateway VPX for providing basic functionality to access XA/XD
– Netscaler with Access Gateway Platform license for providing basic functionality to access XA/XD, which can be extended with Access Gateway Universal licenses (also included in Cloud Gateway Enterprise) to provide Smart Access functionality.

Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.

Citrix Cloud Gateway, a wrap-up so far

Citrix Cloud Gateway, a wrap-up so far

Table of contents :

1 : Introduction
2 : Cloud Gateway Editions
3 : Storefront services
4 : Access Gateway services
5 : Cloud Gateway Enterprise and the Access Gateway Universal License
6 : Cloud Gateway Express and the Platform License
7 : Webinterface V.S. Receiver for Web
8 : Conclusion

1 : Introduction

In this blog post I wanted to talk about Citrix Cloud Gateway, as you may already know, Cloud Gateway will replace Citrix Webinterface and Webinterface will go end of live in 2015. Webinterface has grown into a key component in almost every Citrix environment, and it is a so called “proven technology” product. Webinterface is great in providing access to XenApp and XenDesktop environments in many different ways and  different scenarios, but that is also its limitation, there is no possibility to integrate it with Cloud services like follow-me-data or SaaS applications. This is why Citrix made a new product from scratch, called Cloud Gateway. This blog post is a wrap-up so far about Cloud Gateway, because Citrix is working hard on the product things in this blog post may be very soon changed or outdated.

2 : Cloud Gateway Editions

There are currently 2 editions of Cloud Gateway :

Cloud Gateway Enterprise

Cloud Gateway Enterprise is the paid version and provides the following features :

– Access to XenApp and XenDesktop (through Storefront)
– ShareFile integration (new in version 2.0)
– Single Sign On (SSO) and account provisioning for Web and SaaS applications through AppController
– Mobile (native) app management + remote wipe (new in version 2.0)
– Access Gateway Universal License included

Cloud Gateway Express

Cloud Gateway Express is free for XenApp and XenDesktop customers and provides access to XenApp and XenDesktop and Merchandising services only.This version will be the direct replacement of Webinterface.
With Merchandising services you can manage the complete Citrix Receiver (and other plugins) life cycle.

3 : Storefront Services

As you can see in the above pictures Storefront is one of the key components in Cloud Gateway, it’s the broker for all the services behind it and provides a SSO experience for the users.
Storefront provides access to XenApp and XenDesktop in the following 3 ways :

1 : Access through the Native Receiver (Self Service plugin)
2:  Access through StoreWeb (Receiver for Web)
3:  Access through Legacy mode (PNAgent)

The native receiver can be configured with a provisioning file (.cr file which is XML based) downloaded from the Receiver for Web or distributed by Email or something like that.
To make the internal access to Storefront more clear I made the following drawing :

Every login point is used by different type of client devices, some Receivers (older Thinclients, Android devices and Iphones) still uses the legacy mode (PNAgent). But newer Receivers will talk to Storefront directly and not using Legacy mode anymore.

4 : Access Gateway Services

Another key component in Cloud Gateway is the Access Gateway, there are 2 types of Access Gateways that can be used with Cloud Gateway:

1: Access Gateway VPX (with or without advanced controller software)
2: Access Gateway Enterprise (Netscaler VPX\MPX)

Whether you go for Cloud Gateway Express or Enterprise you need to buy a Access Gateway Platform license for one of this Access Gateways. The platform license will give you unlimited access to XenApp and XenDesktop, this is called ICA proxy. With ICA proxy you are allowed to land on the Webinterface and launch a XenApp and/or a XenDesktop session but you cannot use any advanced features of the Access Gateway (for example Clientless Access, VPN plugin, EPA scans, etc), if you want to use this features you need to purchase a Access Gateway Universal License per concurrent user (included with Cloud Gateway Enterprise license).
In Access Gateway you can choose between the following logon point\virtual server modes :

1: Basic Mode (ICA Proxy only) (Platform license needed)
2: Smart Access Mode (Advanced Features) (Platform license + Universal License needed)

To make this more clear I made a drawing how the access to storefront looks like with the Access Gateway Enterprise edition :

As you can see the Netscaler will check, if it is correctly configured, the type of Receiver based on expression filters and HTTP headers. Netscaler will then contact Storefront the right way depending on the Receiver type. With Access Gateway VPX you cannot configure this expression filters, Access Gateway VPX works with Receiver for Web, but I have not yet seen this working with the native receiver from the outside.
My guess is that Citrix will enable this in a feature release of Access Gateway VPX.

5: Cloud Gateway Enterprise and the Access Gateway Universal License

If you purchase Cloud Gateway Enterprise you are also entitled to use the Access Gateway Universal License, i think this is a logical step because Cloud Gateway Enterprise leverages the clientless access and VPN features of the Access Gateway, for example Appcontroller can be configured with keywords to start the VPN plugin and for access to Storefront clientless access is used.

6: Cloud Gateway Express and the Platform License (ICA Proxy)

As you may have noticed you need clientless access when you want to use the Native Receiver through Access Gateway, though it works on a VIP in basic mode the documentation says that you need a VIP in Smart Access mode to make this work. I can imagine that Citrix is going to allow one of the following when using Cloud Gateway Express with the platform license only :

1: Only allow landing on the Receiver for Website (same as ICA proxy using Webinterface)
2: Allow access for all type of Receivers, but only for use with XenApp and XenDesktop

Option 2 is most preferred imho! 😉

6 : Webinterface V.S. Receiver for Web

First : Webinterface cannot be directly compared to Storefront, because Storefront enables a lot more other features then Webinterface (SSO to other services, Application subscription, more advanced HA, etc.) But if we compare Webinterface with the Receiver for Website, it is safe to say that Webinterface has still a lot more features. Thomas Koetzing made a list of missing features here, but I am certain that Citrix is working hard on this feature list, remember that they are only at version 1.1 so there is a lot more to come.

The total redesign has also some very positive points, for example a big plus of Storefront is that it includes a new user authentication method which directly queries Active Directory rather than the existing double-hop Web Interface process where user credentials are sent from the Web Interface server to the XML broker who then negotiates authentication with the Domain Controller.

7: Conclusion

I think Cloud Gateway and Storefront have a lot of potential, it gives the user a true single logon experience with all of the applications and data they need in one place on almost every device. Integration is the key here as more and more companies are starting to use Cloud services,  Cloud Gateway aggregates and secures this services into one logical logon point with the same look and feel on every device.

On the down side, Storefront is still missing a lot of features compared to Webinterface, if you already installed Storefront and walked through the console you were probably done in 30 seconds 😉 not much to customize there. This is why Storefront is not yet a tight fit in scenarios with special needs and requirements. I hope Citrix will make it as flexible and customizable as Webinterface is today in feature releases!

If you want to know more about Fine-tuning Adaptive Display, please read my previous blog post and follow me on twitter or subscribe on this blogsite if you want to be notified when a new blog post is available! thanks!

Please note that the information in this blog is provided as is without warranty of any kind, it is a mix of own research and information provided by Citrix.