Citrix Releases its first Hardware Device


Citrix officially entered the hardware market on Tuesday by releasing the 1U "Citrix Access Gateway" appliance. This box is basically a re-branded Net6 box. (Citrix acquired Net6 in November 2004 for about USD $50M.) I haven't seen any actual photos of one of these things yet, but here's a computer rendering from Citrix's promo literature:

The Citrix Access Gateway is basically a hardware SSL-VPN (even though Citrix claims it's not) that supports any protocol or application (unlike Citrix's current software-based Secure Gateway product which only supports the ICA and HTTP protocols).

The Citrix Access Gateway will be licensed like other Citrix products, based on concurrent user connections. However, since there’s a hardware component involved, customers will have to pay for that as a separate line item.

The hardware itself is USD $2500, and then you pay for each concurrent connection at $100 on top of that. Concurrent connections can be spread across multiple appliances. This means that you could, for example, spend $5k for two gateway appliances and then buy 100 connection licenses. Your connection licenses could be used on either appliance.

The $100 connection licenses include a year of Subscription Advantage. Additional years are $13 per user. In this case, Subscription Advantage only covers software updates to the gateway itself. Future new gateway products will require an upgrade license (which is a bit different than the way that Subscription Advantage works with Citrix software).

Entering the hardware market means that Citrix will have to deal with warranties and repairs. Citrix is treating these devices as appliances, and they’re not user-serviceable. They come with a one-year warranty, and additional warranty time can be purchased.

“Power Up” Promotion

To celebrate the launch of the Access Gateway, Citrix has a pretty cool promotion where they’re giving away free Access Gateway connection licenses to people who already have MSAM licenses. (Well, if anyone out there actually has MSAM licenses. :-)  ) The basic deal is that if you pay the $2500 for the hardware, Citrix will give you as many connection licenses for the gateway as you have for MSAM.

So, is anyone out there using these gateways yet? I’d actually like to get my hands on one. I think it would be pretty cool although I’m not sure how much it has to do with server-based computing or how tightly (if at all) it integrates with Presentation Server. It will also be interesting to see how this plays out versus Citrix Secure Gateway. We'll have to figure out when you would use one or the other.

Join the conversation


Hi there. Based over in the UK we already have several of the appliances and they are really good. Anyway enough of the sales pitch, you mention about how it fits in with Presentation Server and I think it's better to ask how Presentation Server fits in with it.

Obviously MPS 4 (from the Tech Preview) is due to give improvements to Smart Access building on what is in MPS 3.0; however it's the wider access strategy that underpins the Appliance and the fact that it will address several key problems with MSAM and MPS (to a lesser extent) proposition.

1. The channel struggles to position and sell the Access Strategy in general and MSAM specifically.
2. MSAM struggles to compete as a solution against other SSL VPN appliances because it has a more complicated infrastructure and is Windows based which is a big turn-off for a lot of security people. In addition to the inherent protocol limitations it faces due to its architecture.

The appliance allows channel partners to start making a product sales pitch which suits a lot of them as solution selling usually has a long sales cycle and requires higher calibre sales people so it helps Citrix to start shipping more of its Access Strategy to customers through the channel.

The Appliance is Linux based so it boxes off the security issue of Microsoft in the DMZ in a number of organisations.

Finally being an appliance it is easier to implement than MSAM and does a lot more out of the box, in terms of supporting all protocols as well as VOIP something that MSAM 2.2 can't match.

In terms of Presentation Server it is clear that MSAM and the Access piece is becoming key to the strategy for Citrix, Presentation Server is still valid for delivery of applications (both legacy and heavy client-server) but it won't last forever and given the time taken to get Presentation Server mainstream it's just as well Citrix started 18 months ago with an Access Strategy!

What do you mean 'given the time taken to get presentation server mainstream'? Metaframe has been mainstream for years.

Sorry personal opinion of mine. I only count post FR1 which is only just over 3 years when it started to become enterprise ready and get adopted more widely.


Presentation Server may have been mainstream for a few years now but let's not forget the beginning when all that organisations used the software for was mainly tactical deployments. It is only recently (recently being relative in terms of Citrix's SBC products) that we now see the truly enterprise deployments. Citrix had to help define and create the SBC market and business case, now they will need to do the same again in the Access space.

Only the naive will believe that this can happen overnight, Citrix can produce results quicker now due to its size and resources but even still you are not going to see comprehensive adoption of Citrix's Access technologies until the access market in general matures...

Yeah, I think he means that Presentation Server took a while to become mainstream. (He is saying that it's mainstream now.)

So, following that same logic, Citrix is planning that access infrastructure will also take a while to become mainstream, which is why they started 18 months ago.

The device is quite slick. I'll have one in the next week or two and will post how it goes. The things I have worked with so far on the device are very promising.

Enterprise ready and mainstream are two different things though, at least IMHO. I work/live in a not so large market (it's no New York) but almost every company over the past 7 - 10 years had an implementation of Winframe or Metaframe 1.x at some point. You also have to keep in mind of what was considered Enterprise all those years ago; Mainframe/Unix was enterprise not Windows or Novell.

Saw it in action at Solutions Summit and can't wait to get it over here in the UK. (when they sort out the distribution)

I think we'll see lots of integration with Web Interface/Secure Gateway and the next release of MSAM. The fact that Citrix are exhibiting at the RSA security conference really highlights their intent to muscle in on the security market.

Been using the CAG for a couple of days now, anyone used to CSG only access will love the extra functionality offered by a network layer VPN and those users used to IPSEC VPNs will love the simplicity offered to the user by the CAG. The split DNS capabilities are very useful and really do allow the user to have a fairly seamless experience when accessing their corporate resources from an external location.

Compared to the Advanced Gateway Client, the CAG performs a lot better. Having run some tests comparing Outlook synchronisations over the two technologies, the CAG provides a connection that performs a lot better and is a lot more stable.

There are a couple of gripes (no proxy autodetection for the client requiring users to know proxy configuration information if residing behind a proxy) that are not major but I expect will be addressed in subsequent versions. The admin interface is also fairly clunky. The interface itself is not necessarily bad but the fact that it is run by using a VNC connection to the CAG itself means that performance can be slow. I would prefer to see the admin consoles web based (as indeed the previous NET6 boxes had). I expect that Citrix will look into integrating administration of the CAG into the Access Suite Console (although administrating DMZ based boxes from the internal network may present some security implications).

All in all a great product!

We took delivery of a couple last week, haven't had long to take a look but looks ok. Been using Array Networks SP SSL VPN for a while, compared to the CAG the array is more polished. Wasn't too impressed with the documentation on the CAG, about 2 pages! And it's currently not supported in the UK. All in all looks a decent product for the low cost. How many have set it up so that the kiosk has access to Citrix apps, I haven't had time to do this yet. Is it easy?

SPAN suite of products software from vfortress does the job of the citrix appliance ssl vpn and gives the same effect

If it's that good I wonder why Citrix didn't buy them? Is it a traditional SSL VPN or does it work in the same (superior) way that the CAG does? Also I didn't see VoIP support mentioned on the website.

From their web site

"The vFortress Security platform is a clientless, SSL VPN solution that offers secure access to a wide range of centralized application resources, from client/server applications to web-based intranets--all from a web-browser."

As a clientless solution then it will rely upon port forwarding technology. This in itself is no bad thing but does have limitations such as the ability to only work with certain applications. Compared to CAG, these are two different products with two different feature sets. The CAG offers the functionality of IPSEC with the flexibility offered by using SSL as a transport.

It is pointless getting into a feature by feature comparison of these products as they are both fundamentally different in their approach and functionality offered to the user.

The key words to this statement..."vFortress Security platform is a clientless, SSL VPN solution that offers secure access to a wide range of centralized application resources". The CAG offers secure access to any and all centralized application resources.