Citrix licensed the CAG to WatchGuard. What does this really mean?

Last August, Citrix and WatchGuard jointly announced that Citrix had licensed the Citrix Access Gateway technology to WatchGuard and that WatchGuard would start selling an SSL VPN appliance based on Citrix’s technology. A lot of industry sites reported on this news, although they did nothing more than to regurgitate the information that was in the press release.

I’ve spent the past several months investigating the WatchGuard product, and I learned quite a bit about the licensing agreement and the relationship between Citrix and WatchGuard in general. Here’s what I found out:

Background Information about WatchGuard Security Appliances

WatchGuard is a firewall company (or application security company or whatever this is called now). The bottom line is that they make firewalls. Inside most firewalls you’ll find “standard” computer components, and WatchGuard is no different. Their appliances are based on standard Intel x86 architectures and they run a variant of Linux with some off-the-shelf apps and some custom WatchGuard code.

One of the unique things about WatchGuard is that they offer several different models of firewalls with several different options, but most of their equipment (in their “Firebox X Core” series of products) uses the exact same hardware. That means that whether you buy their cheapest firewall or their most expensive one, you get the same physical piece of hardware. This is very cool because you can buy a cheap firewall to start out with and then you can simply upgrade the software to enable new functionality.

For example, here’s a photo of the WatchGuard Firebox X Core appliance:

The “base” version of this firewall has three interfaces enabled, 110Mbps of firewall throughput and 30Mbps of VPN throughput. (I think that one costs around $1500.) You can upgrade this same appliance all the way up to supporting over 300Mbps of firewall throughput, 130Mbps of VPN throughput, 6 interfaces, 500k concurrent sessions, 256-bit AES encryption, 1000 branch office tunnels, hot failover, etc, etc. The idea is you buy one appliance and then get the software and licenses you need to do what you want to do.

This is the approach that WatchGuard took when they licensed the Citrix Access Gateway software from Citrix. (WatchGuard calls their version of this product the WatchGuard Firebox SSL VPN.) If you buy one then you get the exact same Firebox X Core hardware appliance that is pictured above.

The WatchGuard SSL VPN appliance runs the same code as the Citrix Access Gateway. Since both pieces of hardware are based on x86 architectures running Linux, it wasn’t very difficult to port it over. (And hey, if hackers can make a CAG run in a VM, then I’m sure that it wasn’t too hard for WatchGuard to make it run on their appliance.)

Even though the Firebox X Core appliance has six network interfaces, the CAG software still only supports two—so those other four are just for decoration. The CAG also has a 40GB hard drive in it, and the same is true for the WatchGuard version—it has a 40GB hard drive filling the slot above the network interfaces.

Using the WatchGuard SSL VPN

Using the WatchGuard SSL VPN is basically identical to using a “true” Citrix Access Gateway. The only difference is that WatchGuard has re-branded the visual elements. For example, the little blue status message that fades in when you connect to the VPN now says “WatchGuard SSL VPN, Powered by Citrix Secure Access.” Other than that, it is 100% identical to a CAG.

If you buy a WatchGuard SSL VPN, then all of your updates and support come from WatchGuard, not Citrix. This means that you’ll probably be a few months behind in terms of software releases. (For example, WatchGuard is saying Q1 2006 for version 4.2 of the software, while Citrix is saying late December.)

The real limiting factor of the WatchGuard SSL VPN is that it supports a maximum of 205 concurrent VPN sessions and three kiosk sessions, while the Citrix Access Gateway supports 2000 concurrent VPN sessions and probably 20 kiosk sessions. In reality this limit is a result of the difference in hardware platforms rather than of the software. (The WatchGuard device has a 1.26GHz processor and 256MB of RAM, versus a 2.8GHz processor and 1GB of RAM in the Citrix device.)

Why did Citrix license the CAG to WatchGuard?

A lot of people have openly wondered why Citrix decided to license their Citrix Access Gateway product to WatchGuard in the first place. The real answer requires a look at some history.

Remember that Citrix did not develop the Citrix Access Gateway themselves. They acquired it when they bought a company called Net6 in November 2004. Prior to being acquired by Citrix, Net6 was in talks to partner with WatchGuard to produce a WatchGuard-branded SSL VPN. In fact, there were even discussions of WatchGuard investing in Net6. If you talk to WatchGuard people now, they feel like Citrix just swooped in with all their weight and cash and paid a ridiculous amount to buy Net6, but that’s a whole other story.

As 2005 opened, Citrix was the new owner of Net6, and they were driving hard towards the February release of their re-branded Net6 SSL VPN as the Citrix Access Gateway. WatchGuard was still in the picture too, and the three of them sat down to figure out what (if anything) they should do.

The reality is that WatchGuard’s strengths are in the SMB space, and Citrix’s strengths are in the enterprise space. That, combined with the fact that the weaker WatchGuard hardware platform could only support a fraction of the users that a Citrix Access Gateway could, meant that it would truly be a win-win for both companies to move forward with the licensing agreement begun by Net6 and WatchGuard. So WatchGuard would get the SMB market (with Citrix getting royalties), and Citrix would get the enterprise market.

What does this all mean? Should you buy a Citrix Access Gateway or a WatchGuard SSL VPN?

As I mentioned earlier, the software and the user experience are the same across both platforms, so except for a slight delay in the availability of new features on the WatchGuard platform, it really doesn’t matter which option you choose. If you want more than 205 concurrent users, you’ll have to go with Citrix. Other than that, it’s your call.

The MSRP of a Citrix Access Gateway is $2500, while the MSRP of the WatchGuard Firebox SSL VPN is about $2800. However, the WatchGuard SSL VPN includes five connection licenses, and the Citrix one does not. By the time you add the connection licenses to the Citrix appliance, the price of the two is about the same.

One of the big advantages that WatchGuard has over Citrix is their support. (This is how WatchGuard became so popular in the SMB space in the first place.) WatchGuard has a service called “LiveSecurity.” The LiveSecurity service costs around $500 per year for the SSL VPN, and it includes unlimited software upgrades AND support. (You have to pay a separate LiveSecurity fee for the user licenses as well.) Contrast that with Citrix, which makes you pay a ridiculous amount for support or sends you through a partner.

The Future

There is one potentially cool thing that I didn’t mention yet about this whole WatchGuard SSL VPN deal: if WatchGuard uses the same hardware for both their firewalls and their SSL VPN, couldn’t they build a single device that did both? Couldn’t they make the SSL VPN a software “upgrade” for any customer who has a Firebox X Core hardware appliance?

The answer is yes, they could, and yes, they plan to.

However, they “plan to” in the sense that it’s on the roadmap, but this is something that will not be available for the next 12-18 months. The reality is that they’re selling these Firebox SSL VPNs as fast as they can make them, so they’ll probably wait for that to calm down a bit first.

This is an interesting relationship between companies. Thanks for sorting out this information, Brian.

(And hey, if hackers can make a CAG run in a VM, then I’m sure that it wasn’t too hard for WatchGuard to make it run on their appliance.)

No need to be a hacker to run the CAG in a VM; just create the proper hardware (VM) specs to have it run.

See a post by one of my dear and valued VMware colleagues, petje @

subsequently, rad
Now, everybody, including me, is wondering Why didn't I think of that?
So, what CAN'T you virtualize?

The Citrix Access Gateway will support Advanced Access Controls (i.e. SmartAccess).
This functionality will not be available on the WatchGuard VPN.


Hopefully, you won't have to reboot the Watchguard anytime you make a change to the thing!!
I agree that the biggest flaw in watchguard is the reboot required for CETAIN changes only. Would it ever be possible if Citrix would partner with Cisco and make a CAG that would run on PIX or a Cisco VPN concentrator? That would be awesome for me at least. I am sure that there is a lot of coding changes involved but think about the benefits of both!!
I have two Firebox X500s running Fireware Pro. You do not have to reboot them to make a config change. (Like Cisco, the OS and config are stored in two different areas of flash memory.)
Rebooting for config changes only applied to the older WFS OS, but that's not really current anymore.
And just to add another note... Although I am a major proponent of the Juniper NetScreen firewalls, I will say that the WatchGuard probably has the most bang for the buck. Who else offers a decent firewall appliance that includes HTTP/SMTP/other proxying AND HTTP URL filtering (similar to WebSense) built in? Not to mention that the management applications they include are better than most...
What is the command for rebooting a NetScreen 25 via the CLI?
Have you ever tried to use WatchGuard support lines or web support online?
I have been using WG products for years but am very disappointed with their recent support model changes.
You get routed to India 24/7, and the response time sucks... I have not yet had any problem
resolved by their helpline since the changes. You have better luck looking into the users’ forum.
I have 2 WatchGuard 700's and one Netscreen 25. While I think the NetScreen is a fine appliance I have found the WatchGuard to be much more user friendly and easier to admin.
The WatchGuard SSL VPN appliance has now been upgraded to run the more recent 4.2 Secure Access Gateway software, but notably, the ICA client has been withdrawn from the WatchGuard SSL appliance in this release. Having initially concluded that this would have been due to political reasons, when we queried it, we were informed that the ICA client in kiosk mode had a critical security hole, which it seems Citrix has not yet patched.
Therefore, if you are worried about maximum security, and don’t need the higher number of users the real Citrix Access Gateway supports, then you may actually be better off with the WatchGuard unit.
I'm sorry to hear that people also posting in this forum have had trouble with Watchguard - we have always found it to be superb (though we at Onega are WG partners so I'm sure we're somewhat biased).
The Juniper NetScreens are definitely nice, but much too far into the enterprise space... (Although they claim to have an SMB device, I found that the pricing is definitely NOT SMB friendly.)
Now check out SonicWALL and their appliances... SMB friendly in pricing, and their SSL VPN is not too shabby. They need to work out a few bugs, but it is definitely worth checking out, especially since access licenses are based on hardware, not users:
one price, and as many users can connect as the hardware can support. That being said, I wish they’d crank up the hardware a little.
Tried to order a WatchGuard SSL Core appliance today and found that they are no longer selling them. They will continue to support the appliances until 2010.

The only thing WatchGuard is good for is wringing every dime out of you. Don’t let your registrations expire. There is fee upon fee if they do. I have several Core 750s, and I could have bought new units for what it has cost me over the last month to get them back online. If you don’t buy their update when they say to buy it, they penalize you with a reinstatement fee along with the renewal. If I could find a sucker to buy them I would dump them in a heartbeat. If you’re considering WatchGuard, I encourage you to look elsewhere! WatchGuard... may your stock and corporate value turn to pennies, you slugs!