Brian Madden's Blog

Do you need Citrix or is Terminal Server enough?

Written on Sep 20 2005 42,843 views, 63 comments


by Brian Madden

Is Citrix Presentation Server “worth” the extra $300-400 on top of Terminal Server? What about one of the server-based computing products from one of the other companies that costs less? (Jetro Platforms, 2X, Sun/New Moon/Tarantella/ProPalms, etc.) This question is as old as Terminal Server itself.

I’ve done point-by-point technical comparisons of the products in the past, but those reviews were more tactical than strategic. They don’t really help you understand when you should use a third-party product.

Let’s start this conversation by clearing up two myths / misconceptions about this whole “Citrix versus Terminal Server” thing.

Misconception #1: ICA is better than RDP. This is false. They are the same. Years ago, Citrix’s ICA protocol was much better than Microsoft’s RDP protocol. However, with RDP 5.2 (the version of RDP that comes with Windows Server 2003), the protocols are basically the same. They both support 24-bit color and huge resolutions. They both support port mapping, printer mapping, shadowing, audio, and encryption. In terms of performance, they both perform about the same. For every “study” that anecdotally shows that one protocol is lighter or performs better than the other, I can create the opposite results in my lab. (It’s all how you tweak and tune everything for whoever is sponsoring the research.) This is not to suggest that Citrix (or other third-party vendors) don’t expand on ICA or RDP in cool ways. The key point though is that the ICA and RDP protocols themselves are for all intents and purposes the same. (This is also true of client devices. There are plenty of open source RDP clients that let you connect from UNIX, Linux, etc.)

Misconception #2: If you have 50 (or 75, or 100, or whatever) number of users or less, you can use pure Terminal Server. With more users you need Citrix. This is false. There are plenty of pure Terminal Server environments with thousands of users and no Citrix. The opposite is also true. There are hundreds of customers with 15, 25, or 50 users who use (and need) Citrix. (In fact, Citrix has an SMB edition of their product called “Access Essentials” that’s specifically designed for this.) My point here is that whether you do or do not need Citrix has absolutely nothing to do with the number of users you have.

So if you can’t make the decision as to whether or not you need Citrix based on the number of users in your company, then how can you decide? I’ve been a consultant my entire career, so I take a very consultative approach to this whole decision. Do you need Citrix? It depends on whether Citrix has features that you need. As obvious as it sounds, the only way you can know for sure is to figure out your needs and see if you can solve them with Terminal Server alone. If not, then look at which third party product can solve those needs for you.

Without going off onto a tangent about project needs analysis, let’s take a look at the pure Terminal Server capabilities built into Windows Server 2003. Even though the RDP protocol offers the same functionality as ICA, there are a few key limitations of Terminal Server today:

  • No published applications
  • No seamless windows
  • No SSL gateway or proxy
  • No web interface
  • No application-level load balancing

Let’s take a quick look at why each of these is a limitation.

No published applications
When using pure Terminal Server, a user must connect to a server and then run an application. Even though the application that is run can be specified as part of an RDP connection file, the file must first point the user to a specific server.

No seamless windows
Pure Terminal Server environments work great for connecting clients to full remote desktops, but when clients only need to connect to specific applications, the user is forced to experience a clunky, non-resizable window.

No SSL gateway or proxy
It is possible to fully encrypt an RDP connection with Service Pack 1 for Windows Server 2003. However, this encryption is done on a server-by-server basis. Therefore if you have ten Terminal Servers then you’ll need ten holes in your firewall for client connections.

No web interface
While it’s true that there is a Terminal Server client that can be launched via a web browser, Terminal Server does not include a full and automatic web interface like Citrix.

No application-level load balancing
The out-of-the-box load balancing capabilities of Windows Server 2003 only support load-balancing calculations based on network load. Citrix and the other third-party add-on tools can load balance servers based on several more appropriate characteristics, such as user load or CPU utilization. (As a quick aside, this is an area where Citrix lacks too. While better than Microsoft, Citrix only lets you load balance your servers based on 11 pre-selected performance counters while the other third-party products let you load-balance your servers based on any performance counter.)

Almost all of the third-party server-based computing vendors offer all five of these core capabilities in their products. It’s also widely assumed that Microsoft will be building most of this functionality into the next major release of Windows.

The title of this editorial suggests that it focuses on Citrix and Microsoft. To that end, there are two other features of Citrix that are worth mentioning that none of the other products really do. Citrix calls these capabilities SmartAccess and Workspace Control.

Citrix Smart Access

“Smart Access” is the stupid marketing name given to a set of really cool technologies that allow an administrator to specify how users can access their applications from various locations. In the old days you could build Citrix policies that enabled or disabled certain features of the ICA protocol based on where a user was connecting from. (Connect from your office and you can do everything; connect from outside the firewall and clipboard integration and client drive mapping are disabled, etc.)

Citrix’s Smart Access technologies take this a step further and let you apply Citrix policies to an ICA session based on certain characteristics of the client device (beyond the simple IP address). Does the client device have current antivirus software installed? Give them full access to their local drives from within their session. If not, the user still could get access to their applications—they just wouldn’t be able to access their client device’s drives. You can apply these policies based on a myriad of client characteristics. Is the client device in the corporate domain? Did the user two-factor authenticate? Is certain software installed on the client? etc.

Without wanting to sound like a blatant marketing pitch for Citrix, it’s important to know that from an objective standpoint, Citrix Smart Access technologies are very cool and a set of technologies that are only offered by Citrix. (Sure there are competing products from Cisco, WholeSecurity, and (soon) Microsoft, but these technologies do not tie into Presentation Server in the way that Citrix’s Smart Access does.) If you need these capabilities today, then you have to buy Citrix regardless of the size of your user base.

With all the upside of Smart Access, there are a few negative points. The first is that in order to use these Smart Access technologies, users must access your Citrix Presentation Servers via one of Citrix’s 1U hardware appliances called the “Citrix Access Gateway” (or CAG). Even though Citrix tries to spin it as something else, the CAG is basically an SSL VPN appliance that’s very tightly integrated into Citrix Presentation Server. The $2500 price tag notwithstanding (double that if you want failover by buying two), selling the Citrix Access Gateway internally at a company that already has a VPN strategy can be tough. I can’t tell you how many times the “Citrix team” at a large company goes to the “Network Team” and tells them that they want to implement some CAGs. “You wanna buy a what? Who is Citrus?” (What ends up happening is that the Citrix team buys the CAGs anyway, and they just put them in their rack with the new Citrix servers and don’t ever mention that they’re SSL VPNs.)

The other downside is the fact that in order to use the Smart Access technologies, you’ll need to plunk down another $150 per concurrent user (in addition to the $300-400 that you’re already paying for Presentation Server itself).

Citrix Workspace Control

The other significant capability that Citrix brings to the table that no one else does right now is Workspace Control—the marketing name applied to a set of technologies that allow a user to log in to different client devices and pull (or “flow”) all of their applications to the new device. (It’s like a one-button logon and logoff of all their applications from all remote servers.) Workspace Control is one of those technologies that isn’t very sexy from a marketing standpoint but that quietly makes server-based computing just “work” and feel natural. A user logging on from a different location will have all of their applications reconnected for them without having to re-authenticate or manually “click click click” on all of their icons to fire up the applications.

Citrix’s SmoothRoaming (no space between those words) technologies also contribute to this Workspace Control fluidity in that applications can be reconnected from client devices with different characteristics (resolution, color depth, etc.) and the remote application sessions are automatically reconfigured to fit on the new client. This capability also fully integrates with the Citrix policies and Smart Access technologies as described previously, with specific client device characteristics affecting session capabilities even when reconnecting to existing sessions from different client devices.
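The posture-based policy described under Smart Access, and its re-evaluation when a session is reconnected from a different device as described above, sketched as an added Python example (not Citrix's implementation and not code from this article). The attribute names, capability labels, sample device reports and the clipboard rule are assumptions made for illustration; only the antivirus rule for client drives comes from the text.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Posture:
    """Facts about the connecting device (attribute names are assumptions)."""
    inside_firewall: bool = False
    antivirus_current: bool = False
    domain_member: bool = False
    two_factor: bool = False

    @classmethod
    def from_report(cls, report: dict) -> "Posture":
        # Fail closed: a fact counts only when reported as the literal True.
        # Missing keys and values such as "yes" or 1 are treated as False.
        return cls(**{f.name: report.get(f.name) is True for f in fields(cls)})


def evaluate(p: Posture) -> frozenset:
    """Map device posture to session capabilities (labels are hypothetical)."""
    caps = {"apps"}                      # applications stay reachable
    if p.antivirus_current:
        caps.add("client_drives")        # the article's antivirus rule
    if p.inside_firewall or (p.domain_member and p.two_factor):
        caps.add("clipboard")            # assumed rule, for illustration
    return frozenset(caps)


class Session:
    """A server-side session that outlives any single client connection."""

    def __init__(self, user: str):
        self.user = user
        self.caps = frozenset()
        self.mapped_drives = []

    def connect(self, report: dict, drives: list) -> frozenset:
        # Runs on first connect and on every reconnect: capabilities follow
        # the device in front of the user now, not the one that started the
        # session, so mappings granted earlier are dropped when not allowed.
        self.caps = evaluate(Posture.from_report(report))
        self.mapped_drives = list(drives) if "client_drives" in self.caps else []
        return self.caps


# Constructed sample reports from three client devices.
OFFICE_PC = {"inside_firewall": True, "antivirus_current": True,
             "domain_member": True, "two_factor": False}
KIOSK = {"antivirus_current": "yes"}     # non-boolean claim is not trusted
HOME_LAPTOP = {"antivirus_current": True, "two_factor": True}

if __name__ == "__main__":
    s = Session("alice")
    for name, report in [("office", OFFICE_PC), ("kiosk", KIOSK),
                         ("home", HOME_LAPTOP)]:
        print(name, sorted(s.connect(report, ["C:"])), s.mapped_drives)
```

The same session moves from the office PC to a kiosk and then to a home laptop; the kiosk reconnect loses the drive mapping the office connection had, which is the behaviour a cached, create-time policy decision would get wrong.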

Conclusion

So really I’ve boiled down Citrix’s 60-page PDF marketing document about why you should use Citrix into seven key capabilities that Citrix adds to Terminal Server:

  • Application Publishing
  • Seamless Windows
  • Intelligent Load Balancing
  • SSL Gateway / Proxy
  • Intelligent Web Interface
  • Smart Access
  • Workspace Control

What does this mean moving forward? This topic probably deserves its own article, but here’s the 30-second version:

Many, many other vendors offer products that are much cheaper than Citrix that offer the first five capabilities on the list. (In fact, it seems as if Microsoft will even build application publishing, seamless windows, an SSL gateway, and a cool web interface into some future version of Windows.)

The real value for Citrix is in the last two capabilities (Smart Access and Workspace Control). If you’re not starting to make use of these technologies in your company then you’re not getting the full value out of Citrix, and you can probably get away with one of the other third party server-based computing products. If you’re only connecting users to server desktops (instead of seamlessly published applications) from inside the firewall then you probably don’t need any third party product at all.

Note about the future

Here’s a little teaser about the future: Looking at the value that Citrix provides today and comparing it to what the other third party vendors offer (and what Microsoft will offer), it’s obvious that the Smart Access and Workspace Control capabilities will be where Citrix focuses their future efforts. When thinking this way, it’s easy to see why Citrix made the NetScaler acquisition earlier this year. Three years from now when the five core capabilities are built into the platform, Citrix will provide value with intelligence about how users are connecting and how they flow their applications from one client to another.



Comments

Guest wrote Good job Brian
on 09-20-2005 10:24 AM
I couldn't agree more on your comment about "it doesn't matter how many users you have" and taking the decision on a case-by-case basis. I used to manage a 20 user WTS environment and have since moved on to manage a 300 user Citrix environment. I can say I definitely save time with Citrix admin tools. I haven't fully implemented Metaframe 4.0 yet but I'm hoping to decommission a couple of our servers once we upgrade. We stress tested our Siebel CRM app and it looks like we can get about 40% more users on the box with 4.0. A year ago we looked at using WTS without Citrix but WTS Session Directory requires Advanced Server so while Citrix turned out to be expensive, it actually wasn't that big of a difference since we would have spent about $40k more on the Advanced Server licenses. This paid for the Citrix licenses almost by itself. It will be interesting to see if four-processor systems come down in price, because that might have made the decision in favor of WTS. After all, if you're paying for Advanced Server you might as well use four-processor systems, right?
Guest wrote Good Analysis
on 09-20-2005 11:12 AM
I agree with Brian. Ctx or WTS is a case by case analysis that should include money, applications, needs of the client, and even type of users.

I don't remember the name of the study, but a 4 processor server doesn't escalate as well as a 2 processor.
Stefan Vermeulen wrote re: good job
on 09-20-2005 12:09 PM
If I am not mistaken, only 1 server needs to be the WTS session directory server, requiring the enterprise version, and the rest can stay standard edition.
Can anybody confirm?
Brian Madden wrote Re: good job
on 09-20-2005 12:40 PM
Yes, I can confirm this.
Guest wrote Re: Re: good job
on 09-20-2005 12:46 PM
Actually, the exact opposite is true according to Microsoft. The Session Directory service can run on Standard Windows Server, but to participate in the Session Directory the WTS server itself must run Enterprise (Server 2003) or Advanced (2000 Server).

http://www.microsoft.com/windowsserver2003/evaluation/features/featuresorterresults.aspx?Technology=Terminal+Services

Terminal Server Session Directory

Note: The Session Directory Service runs on all editions of Windows Server 2003. To participate in a Session Directory, however, a server must run Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, including the 64- bit editions of the Windows Server 2003 family.
Guest wrote Features
on 09-20-2005 12:47 PM
So what happened to the rest of the Citrix Features?
CPU/Memory Management?
Resource Manager
Installation Manager?
Network Monitoring Snap-ins?
EMF and Location based printing?
Refined Administration?
CSG?
Guest wrote bandwidth requirement RDP vs. ICA
on 09-20-2005 1:14 PM
So Brian you say that ICA and RDP will consume the same amount of bandwidth? From my experience ICA is more suitable for environments with external locations where bandwidth is as rare as water in the desert.

We have for instance many customers that can only be connected to the "headquarter" by ISDN. So let's say we want to connect 10 users at maximum over this line. The line is traced dynamically with BoD so that we have up to 128KBit/s for all users.
Since printing is a major topic in almost all environments, with ICA we're able to reserve some bandwidth for printing and for the work with the apps. With RDP I have no chance to enable any policies. So when a 3mb print job is created with RDP it will consume nearly all of the bandwidth and soon we got some users that are crying because they can't work.

But I'd really like to know how I can improve the performance of RDP. So if you have any resources please let me know...
Guest wrote Re: re: good job
on 09-20-2005 2:05 PM
No, all the servers must have the Enterprise Version of Windows. The TSSession Dir can run on Windows Server 2003 standard !!!!
Alex Yushchenko wrote Re: Re: good job
on 09-20-2005 2:18 PM
Confirm. Only 1 Enterprise needed. The participating parties can be standard versions.
Guest wrote Re: Re: Re: good job
on 09-20-2005 2:55 PM
Read the link above from the Microsoft site. As much as I like you guys :-) you and Brian are both wrong in this case. All servers participating in the session directory need to be the enterprise or datacenter edition. The session directory service itself can run on standard, but not the servers running apps.
Ron Jomes wrote Great Article Brian
on 09-20-2005 5:44 PM
Thanks for the article Brian. I've been asking the same questions lately. Can you do us a favor and evaluate Provision-IT from www.provisionnetworks.com ??? They claim to offer seamless windows, secure access and much more. I have no idea what it costs but it sure looks like a viable alternative to Citrix which would be a gift from above if indeed it is all it is cracked up to be according to their website. Let us know.
Kata Tank wrote Don't forget the future...
on 09-21-2005 5:43 AM
Agree with Brian's analysis...

One other point to consider when choosing TS / CTX or others is the ability to support you in the future. You will not build such infrastructure only for 2 months. The solution you choose will have to be alive in the next 3 years, will need to be able to support you efficiently and to deliver new feature/functionality/new version according to business needs and new operating system / application.
That's where the number of players usually is reduced to only Microsoft or Citrix.

Please, I don't say that you can not choose other solution, but there is a huge part of risk (my opinion)....
Guest wrote TS Slow in IE
on 09-21-2005 7:26 AM
I have found that Citrix's screen refresh, particularly when showing IE pages and Flash, is almost a must-have for clients that used web based apps or need web browsing as part of their work.

Brian - Has Microsoft addressed this in the latest RDP Client?
Guest wrote Re: bandwidth requirement RDP vs. ICA
on 09-21-2005 9:11 AM
You are right, they are different. That's why Brian said "the protocols are _basically_ the same".
For sure they are not identical, and ICA has some features that might be key to the decision on which product to use, like it is for you.

That's exactly the case-to-case look.
Guest wrote Re: Great Article Brian
on 09-22-2005 12:34 AM
I've used ProvisionIT. It really rocks!! A few limitations but for a 1.0 product it is really good stuff!!!! The seamless windows works great but at higher resolutions. The app publishing is easy to use. The end-user management around the product is something I wish Citrix had. All in all, I give Provision a B+ and their next release should be an A!

Guest wrote Re: TS Slow in IE
on 09-27-2005 5:12 PM
I've seen some talk with an MS dev for Terminal Server and he said that it's not going to be better in future versions. I think it's difficult for them to compress Flash well. Maybe use some Flash blocker?

Metal
Kata Tank wrote Re: Re: TS Slow in IE
on 09-28-2005 7:57 AM
That's what Citrix called "SpeedScreen Browser Acceleration", part of the SpeedScreen functionality set... It decreases the quality of images to save bandwidth, saves them into the client cache out of the "normal screen refresh" mechanism, only draws the HTML page (not the pictural one) and does the same with Flash (decrease quality but not visibility)... Cool stuff but only for IE (not Firefox)...
Lee Buskey wrote Don't forget about the client piece..
on 09-28-2005 11:36 PM
I personally do believe that Citrix is destined to lose a good portion of the conventional Presentation Server market to MS in the upcoming years. Right now, a key thing to also consider when looking between Citrix and plain RDP is the availability of clients for non MS client platforms. This becomes particularly important if you are in an organization that works along the lines of katatank's excellent point in a previous comment, and discourages the use of open source solutions like Rdesktop and instead looks for commercial, well managed and supported solutions. Your options get real simple in that sort of environment.
Guest wrote Re: Features
on 10-09-2005 11:44 PM
Don't forget Citrix has a much wider range of clients available whereas MS stick to MS only platforms. (Yes, I know you can get a *nix RDP client too but Citrix have Mac ones, Symbian ones, etc etc)