Last August, Citrix and WatchGuard jointly announced that Citrix had licensed the Citrix Access Gateway technology to WatchGuard and that WatchGuard would start selling an SSL VPN appliance based on Citrix’s technology. A lot of industry sites reported on this news, although they did nothing more than to regurgitate the information that was in the press release.
I’ve spent the past several months investigating the WatchGuard product, and I learned quite a bit about the licensing agreement and the relationship between Citrix and WatchGuard in general. Here’s what I found out:
Background Information about WatchGuard Security Appliances
WatchGuard is a firewall company (or application security company or whatever this is called now). The bottom line is that they make firewalls. Inside most firewalls you’ll find “standard” computer components, and WatchGuard is no different. Their appliances are based on standard Intel x86 architectures and they run a variant of Linux with some off-the-shelf apps and some custom WatchGuard code.
One of the unique things about WatchGuard is that they offer several different models of firewalls with several different options, but most of their equipment (in their “Firebox X Core” series of products) uses the exact same hardware. That means that whether you buy their cheapest firewall or their most expensive one, you get the same physical piece of hardware. This is very cool because you can buy a cheap firewall to start out with and then you can simply upgrade the software to enable new functionality.
For example, here’s a photo (from WatchGuard.com) of the WatchGuard Firebox X Core appliance:
The “base” version of this firewall has three interfaces enabled, 110Mbps of firewall throughput and 30Mbps of VPN throughput. (I think that one costs around $1500.) You can upgrade this same appliance all the way up to supporting over 300Mbps of firewall throughput, 130Mbps of VPN throughput, 6 interfaces, 500k concurrent sessions, 256-bit AES encryption, 1000 branch office tunnels, hot failover, etc, etc. The idea is you buy one appliance and then get the software and licenses you need to do what you want to do.
This is the approach that WatchGuard took when they licensed the Citrix Access Gateway software from Citrix. (WatchGuard calls their version of this product the WatchGuard Firebox SSL VPN.) If you buy one then you get the exact same Firebox X Core hardware appliance that is pictured above.
The WatchGuard SSL VPN appliance runs the same code as the Citrix Access Gateway. Since both pieces of hardware are based on x86 architectures running Linux, it wasn’t very difficult to port it over. (And hey, if hackers can make a CAG run in a VM, then I’m sure that it wasn’t too hard for WatchGuard to make it run on their appliance.)
Even though the Firebox X Core appliance has six network interfaces, the CAG software still only supports two—so those other four are just for decoration. The CAG also has a 40GB hard drive in it, and the same is true for the WatchGuard version—it has a 40GB hard drive filling the slot above the network interfaces.
Using the WatchGuard SSL VPN
Using the WatchGuard SSL VPN is basically identical to using a “true” Citrix Access Gateway. The only difference is that WatchGuard has re-branded the visual elements. For example, the little blue status message that fades in when you connect to the VPN now says “WatchGuard SSL VPN, Powered by Citrix Secure Access.” Other than that, it is 100% identical to a CAG.
If you buy a WatchGuard SSL VPN, then all of your updates and support come from WatchGuard, not Citrix. This means that you’ll probably be a few months behind in terms of software releases. (i.e. WatchGuard is saying Q1 2006 for version 4.2 of the software, while Citrix is saying late December.)
The real limiting factor of the WatchGuard SSL VPN is that it supports a maximum of 205 concurrent VPN sessions and three kiosk sessions, while the Citrix Access Gateway supports 2000 concurrent VPN sessions and probably 20 kiosk sessions. In reality this is more of a result of differences in the hardware platforms. (1.26Ghz processor and 256MB of RAM in the WatchGuard device versus a 2.8Ghz processor and 1GB of RAM in the Citrix device.)
Why did Citrix license the CAG to WatchGuard?
A lot of people have openly wondered why Citrix decided to license their Citrix Access Gateway product to WatchGuard in the first place. The real answer requires a look at some history.
Remember that Citrix did not develop the Citrix Access Gateway themselves. They acquired it when they bought a company called Net6 in November 2004. Prior to being acquired by Citrix, Net6 was in talks of partnering with WatchGuard to produce a WatchGuard-branded SSL VPN. In fact, there were even discussions of WatchGuard investing in Net6. If you talk to WatchGuard people now, they feel like Citrix just swooped in with all their weight and cash and paid a ridiculous amount to buy Net6, but that’s a whole other story.
As 2005 opened, Citrix was the new owner of Net6, and they were driving hard towards the February release of their re-branded Net6 SSL VPN as the Citrix Access Gateway. WatchGuard was still in the picture too, and the three of them sat down to figure out what (if anything) they should do.
The reality is that WatchGuard’s strengths are in the SMB space, and Citrix’s strengths are in the enterprise space. That, combined with the fact that the weaker WatchGuard hardware platform could only support a fraction of the users that a Citrix Access Gateway could, meant that it would truly be a win-win for both companies to move forward with the licensing agreement began by Net6 and WatchGuard. So WatchGuard would get the market for the SMB space (with Citrix getting royalties), and Citrix would get the enterprise markets.
What does this all mean? Should you buy a Citrix Access Gateway or a WatchGuard SSL VPN?
As I mentioned earlier, the software and experience is the same across both platforms, so except for a slight delay in the availability of new features for the WatchGuard platform, it really doesn’t matter which option you choose. If you want more that 205 concurrent users, you’ll have to go with Citrix. Other than that, it’s your call.
The MSRP of a Citrix Access Gateway is $2500, while the MSRP of the WatchGuard Firebox SSL VPN is about $2800. However, the WatchGuard SSL VPN includes five connection licenses, and the Citrix one does not. Buy the time you add the connection licenses to the Citrix appliance the price between the two is about the same.
One of the big advantages that WatchGuard has over Citrix is their support. (This is how WatchGuard became so popular in the SMB space in the first place.) WatchGuard has this service called “LiveSecurity.” The LiveSecurity service costs around $500 per year for the SSL VPN, and it includes unlimited software upgrades AND support. (You have to pay a separate LiveSecurity fee for the user licenses as well.) Contrast that to Citrix who makes you pay a ridiculous amount for support or asks you to go through a partner.
There is one potential cool thing that I didn’t mention yet about this whole WatchGuard SSL VPN thing: If Watchguard uses the same hardware for both their firewalls and their SSL VPN, couldn’t they build a single device that did both? Couldn’t they make the SSL VPN a software “upgrade” for any customer who has a Firebox X Core hardware appliance?
The answer is yes, they could, and yes, they plan to.
However, they “plan to” in the sense that it’s on the roadmap, but this is something that will not be available for the next 12-18 months. The reality is that they’re selling these Firebox SSL VPNs as fast as they can make them, so they’ll probably wait for that to calm down a bit first.