Last week, Citrix posted the version 8.0 firmware for Access Gateway Enterprise Edition, referred to internally as Project Timpanogos. You can find it by logging onto citrix.com and looking in the Downloads > Product Software section. Access Gateway Enterprise Edition is the SSL VPN edition which runs on the NetScaler platform, sharing the same hardware and OS technology on which the Citrix NetScaler Application Switch is based. You’ll need a NetScaler appliance to run the firmware.
This is not the first release of the Enterprise Edition gateway, but it’s the first release to include the same ICA proxy capabilities as the Standard and Advanced editions of Access Gateway. This allows remote users to traverse the DMZ and access applications hosted on Citrix Presentation Servers without requiring any sort of VPN client. Citrix has been selling the Access Gateway Standard and Advanced Editions for the past couple of years as a replacement for the Windows-based Secure Gateway component, allowing you to get those Windows servers out of your DMZ and replace them with hardened security appliances. Now Enterprise Edition is also on the table as an option to consider for Secure Gateway replacement.
If you’re looking to replace your Secure Gateway servers with an Access Gateway appliance, the most important difference Enterprise Edition 8.0 brings to the table is scalability. The Standard Edition Model 2000 appliance (or “Baby CAG” as some have called it) can host a maximum of 2000 concurrent ICA sessions, and that is when it does nothing but ICA. For Enterprise Edition, there are three appliance models to choose from, supporting up to 10,000 sessions per appliance:
- Model 7000 – 2,500 concurrent sessions
- Model 9000 – 5,000 concurrent sessions
- Model 10000 – 10,000 concurrent sessions
I won’t bore you with a full feature list but there are a few interesting things that stick out in terms of features only available on the Enterprise Edition:
- Client Certificate Authentication – Users can establish a VPN connection by presenting a smart card or soft certificate in lieu of a username and password.
- Multiple virtual servers – You can host as many “virtual” SSL VPNs as you want on a single physical appliance. Each SSL VPN virtual server can have its own IP address, its own certificate and its own set of policies.
- VPN traffic compression – Leveraging the NetScaler compression technology, you can have all user traffic within the VPN tunnel compressed to reduce bandwidth.
- Built-in high availability – You can deploy two appliances in an active/passive pair and all VPN session information is shared between the two. If the primary gateway fails, the secondary gateway takes over without requiring users to log back in.
Like the Advanced Edition, you also get “SmartAccess for Presentation Server” – that is, you can filter published applications and CPS policies in response to endpoint analysis. For example, hide some sensitive app icons and turn off client drive mapping when the user is connecting from an unmanaged endpoint. I posted an article on this concept a while back.
Unlike the Advanced Edition, which consists of an appliance plus one or more Windows servers, the Enterprise Edition is a standalone box – there’s no AAC server farm to install and configure.
Sadly though, the Enterprise Edition still has some things it won’t do, things which we offer today in the Advanced Edition. The Advanced Edition is nowhere near as scalable as the Enterprise Edition, but it’s still the only edition right now that can do these things:
- Clientless access to internal web sites (web proxy) – the Enterprise Edition requires a VPN client to reach web servers on the LAN.
- File Type Association – the ability to declare in a policy that certain documents must only be accessed via Presentation Server, not downloaded to the user’s device. (Though I suppose you could arrange your authorization policies to make this the case in Enterprise Edition, by denying direct access to the web servers or file servers.)
- HTML Preview – This is really a Windows function and I’m not sure it could be done effectively without requiring a Windows server.
So don’t assume that Enterprise Edition will be able to do absolutely everything that the Standard and Advanced editions can do at this point. Depending on what your needs are, the Advanced Edition might be a better fit, especially if you don’t need to support more than about 500 concurrent users. But if you really want high user density and connectivity to Presentation Server applications without tons of Windows servers in your DMZ, it’s time to take a look at Access Gateway Enterprise Edition. And you can rest assured that Citrix is working to close that feature gap as quickly as possible.
So is it a NetScaler?
In talking to people about this release, there seems to be a lot of confusion out there about how the Access Gateway Enterprise Edition lines up with Citrix NetScaler. Let me see if I can explain it:
- Access Gateway Enterprise Edition is sold as a standalone SSL VPN product. It shares the same core OS (derived from FreeBSD) and the same hardware platforms as the Citrix NetScaler, which is sold as a load balancer and application switch. But when you buy an Access Gateway, you cannot use it as a load balancer too.
- However – Access Gateway licenses can be added to a Citrix NetScaler load balancer, resulting in a single appliance that is both a load balancer and an SSL VPN. You can only add AG user licenses to the Enterprise or Platinum editions of the Citrix NetScaler.
Clear as mud?