The future of Access Gateway

科技动态 2012-06-13

The future of Access Gateway

5 June was the second Citrix CiTIE 2012 event in the Benelux, I wasn’t able to join the event but I would like to thanks everybody on twitter for the live updates and Wilco van Bragt for the
summary of the event

One of the announcements I noticed was the retirement of the Access Gateway Standard edition.

I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?

Below I have summarized a quick list of features, between the Netscaler CAGEE and CAG Standard in combination with the advanced access control software. Of course Netscaler can do a lot more other things, but we will concentrate on the Access Gateway functionality here.

Netscaler (CAGEE) CAG Standard + AAC
ICA Proxy Yes Yes
Multiple Logon points (Basic + Smart access) Yes Yes
Clientless Access Yes Yes
Endpoint Analysis Yes Yes
High Availability Yes Yes
LDAP Radius authentication Yes Yes
Simultaneous user sessions 5,000 and up** 500

* Advanced Access Control software

** Depends on the model

As you can see a lot of the same features are present on both products, a big difference is the scalability and concurrent user limits.

But although a lot of the features are the same, they are working in very different ways for example :

They use a different SSL VPN plugin

Imagine the following scenario:

One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.

The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…

They use different types of logon points

Netscaler uses virtual IP’s (VIPs) that can be configured in Basic mode or Smart Access mode (see my
blog post for more details about this modes), more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.

CAG Standard has one public facing FQDN, logon points are created after this FQDN like https:\my.cag.comlpxenapp, this logon points can be in Basic mode or Smart Access mode, only one Logon Point can be set as the default.

They use different clientless access methods and have a different policy structure

Netscaler is very flexible when it comes to profiles and policies, you can manage policies on almost every level (Global, VIP, GroupsUsers) and apply them based on different expression filters, this is why CAGEE really fits like a glove in a lot of different access scenarios. There is no extra software needed to enable advanced functionality like clientless access.

CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a windows server which can be a security concern (not because it’s windows but you would need to update and secure 2 components in this setup)

They are different in architecture and hardware

Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs, this are the Netscaler models available today :

Physical Appliance (MPX) Virtual Appliance (Netscaler VPX)
MPX 5500 Licensed based on bandwidth (10,200,1000,3000)
MPX 7500/9500
MPX 9700/10500/12500/15500

The higher the range the more performance you get, physical appliances can have more concurrent connections because they have SSL offloading capabilities and because there is no Hypervisor layer. Physical appliances in higher ranges also have redundant components, like power supplies.

The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors :

Physical Appliance (2010) Virtual Appliance (Access Gateway VPX)

The hardware of the 2010 appliance is really low level, it’s nothing more than hardware you find in a cheap PC.

I was a little bit ashamed when i opend this appliance on a customer site a while ago because of a bad harddrive, there is no way you can explain the amount of money paid for this appliance.

Conclusion :

So Citrix have 2 products that have very similar features, because of the difference in architecture of this products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality for example). This may be one of the core reasons why Citrix will retire one of them.

I think CAGEE (Netscaler) is the best Access Gateway edition there is, it’s far more flexible and fits in a lot more different scenarios and use cases. Access Gateway on Netscaler is also future prove because of :

- Access Gateway is lifting on Netscalers success (build on good hardware and install base)

- All Smart Access functionality is on board of the appliance no need for external software

- Fits in a lot of different scenarios based on the modular design of Netscaler

- Can be used for more functionality then Access Gateway only, Load balancing of services for example

Ok so what will be the future of Access Gateway?

If Citrix will retire CAG Standard + Advanced and Citrix makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done right?

Not really, I think Access Gateway VPX is a good replacement for the Secure Gateway software, a Netscaler can be a bridge to far for some customers. Also if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adapting Netscaler to enable Access Gateway functionality.

The perfect future if you ask me, is that Citrix will strip the Access Gateway VPX to provide standard functionality (providing access to XenApp and XenDesktop) and give it to customers for free as a replacement of the Secure Gateway software.

Then they should retire the Advanced Controller software and ditch the 2010 appliance.

So at the end there will be 2 editions of Access Gateway left :

- Access Gateway VPX for providing basic functionality to access XA/XD

- Netscaler with Access Gateway
Platform license
for providing basic functionality to access XA/XD, which can be extended with Access Gateway
Universal licenses
(also included in Cloud Gateway Enterprise) to provide Smart Access functionality.

Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.

责编内容by:Bram Wolfs blog (源链)。感谢您的支持!


微服务设计模式之 API 网关 API 网关是目前非常成熟的一种微服务与外界通讯方式的一种选型,当前你的架构是从单体架构 Monolithic 迁移过来的时候,你会发现新的服务无法很好...
(插播)Proxmox VE安装RouterOS CHR版本 一.介绍 RouterOS,大名鼎鼎的软路由系统,简称ROS,我是一直知道但是没咋着用。最近某P总给我介绍了这货的一个特殊版本,CHR版,全称Clo...
API网关性能比较:NGINX vs. ZUUL vs. Spring Cloud Gateway ... 前几天拜读了 OpsGenie 公司(一家致力于 Dev & Ops 的公司)的资深工程师 Turgay Çelik 博士写的一篇文章(链...
‘Peak faith’ in the cloud only 12-18 months away w... "Digital transformation" to collapse into "digital disillusion...
API Gateway as a Node and Moving Beyond Backend an... The more I study where the API management, gateway, and proxy layer is headed, t...