There is a lot of (mis)information out there about the Citrix Access Gateway (Citrix’s SSL VPN appliance) with regards to how it works and whether you can make your own in VMware. In this article I plan to clear up all the uncertainty with real information and real facts, both from the technology and legal standpoints.
The Citrix Access Gateway “Appliance”
Citrix calls their Citrix Access Gateway (CAG) an appliance. The term “appliance” has many uses in the IT world, but the essence of the term is that an appliance is an IT device that you turn on and it just works. Period.
When people think of an IT appliance, they mostly think of things like routers or firewalls or wireless access points. They don’t think of Pentium-based Windows or Linux servers. Of course a router and a Windows Pentium server have many things in common. They both have CPU, memory, and an OS stored on some kind of media. The main difference is that an appliance usually has a custom or real-time OS that is stored in NVRAM as opposed to something like Windows stored on a hard drive.
The CAG is an appliance in practice. What that means is that it is used like an “appliance,” although some might argue that calling it an “appliance” is a stretch. Consider these facts:
- Fact: The Citrix Access Gateway hardware is a standard off-the-shelf server made by Supermicro that can be bought anywhere. (It’s a Supermicro SuperServer 5013C-M.)
- Fact: This particular Supermicro server configuration includes an Intel P4 processor, 1GB of memory, a 40GB hard drive, a CD-ROM drive, and a floppy drive.
- Fact: The operating system that powers the Citrix Access Gateway is a hardened version of Linux. (Hey, doesn’t the GPL specify that Citrix needs to give away their source code with this? ..That’s an article for another day.)
My point is that the Citrix Access Gateway is not an “appliance” in the truest sense of the word. It’s just an Intel server running Linux that’s supposed to be treated like an appliance. Fair enough.
The 227% Citrix “Tax”
The Supermicro 5013C-M chassis can be bought online for about $600. Throw in another $500 or so for the memory, hard drive, and CPU, and you’re looking at about $1100 in hardware. Citrix charges $2500 for this $1100 device (except they also throw in a custom plastic bezel that snaps on the front that says “Citrix”).
So is it fair for Citrix to take an $1100 device and mark it up over 200%? That depends on your perspective. On one hand, Citrix has put considerable time and effort into the software that runs on this device. So in essence the $2500 Access Gateway can be viewed as a pass-through cost of $1100 for hardware plus $1400 for the CAG server software.
The problem with that line of thinking is that it doesn’t really jive with the licensing policies in the rest of the Access Suite. (The CAG is part of the Citrix Access Suite.) In the rest of the Citrix Access Suite, the licensing is such that you pay for each concurrent user, and then you are allowed to build as many servers as you want to support your users. From a licensing standpoint, there’s nothing wrong with buying 10 user connection licenses and then building 20 servers. As long as you don’t have more than 10 concurrent users across all 20 of your servers, you’re legal.
The CAG’s user-based licensing is no different. That $2500 for the CAG is for the hardware only—that $2500 does not include any connection licenses. In other words, for $2500 you buy a Taiwanese paperweight. If you want to actually use the thing then you need to buy connection licenses which start at $90 per user.
So in that sense, the CAG is no different than the other members of the Citrix Access Suite, and Citrix makes their licensing money off of your connection licenses, just like the other products in the suite.
So can I just build my own CAG on my own hardware?
What makes this more interesting is that the CAG “appliance” ships with a CD-ROM that, when booted, will wipe out and image whatever device it’s inserted into. Also, when you download updates to the CAG from Citrix, you can actually download ISO images that you are instructed to burn onto a CD-ROM. The upgrade process is to insert the CD-ROM into your CAG “appliance” and then to restart it. The CD-ROM re-images the appliance with the new CAG image.
This leads to an interesting question. Is it okay to buy a Supermicro SuperServer 5013C-M, a P4 processor, a 40GB hard drive, and a gig of RAM and make your own CAG while saving about $1400 in hardware costs?
From a legal standpoint, the answer is “No.” The license agreement that is included with the Citrix Access Gateway software clearly states that you can only use the server software on a device with a CPU that you bought from Citrix.
From a technical standpoint, however, there is nothing stopping you from doing this.
Before I go on, I understand that a lot of people at Citrix will be upset to read this. It is in Citrix’s interest (for valid reasons that I will get to in a moment) for the community to view the CAG as a real appliance and not as a Supermicro 5013C-M running Linux. However, Citrix not admitting this does not make it less true, and it does not stop the rumors from half-informed people that are easily uncovered via basic Google searches. So I view my purpose to get ALL the REAL information out there—technical possibilities, legal ramifications, and why you wouldn’t want to do this on your own.
Also, while I’m off on this tangent, in case anyone is wondering whether I “hacked” or “reverse engineered” my CAG to figure out that it was a Supermicro 5013C-M, the answer is “no.” I just turned it over and read the sticker from Supermicro that had the specific make, model, and serial number.
When will Citrix start enforcing the use of their own hardware?
Some people have suggested that Citrix might start building a custom BIOS or some other mechanism into these servers to ensure that the CAG software is only installed onto a server that was purchased from Citrix. The problem with this is that there are thousands of these CAGs in the field now that do not have custom BIOSes, so if Citrix started making a protected version of their CAG server software then they would have to do field replacements of all the current devices.
A more likely outcome is that Citrix will release a new CAG that’s based on NetScaler hardware (more of a “real” appliance) that will be a different platform, and the current CAG will be end-of-lifed. I think they’re planning on calling this a NetScaler 2000 series, although I need to do more research to work out all of these details.
The bigger question is why does Citrix care about whether you use their server or a generic server (besides the fact that they are undoubtedly making several hundred dollars in profit for each CAG device they sell)? The main reason has to do with support. Can you imagine the nightmare it would be for Citrix support if they publicly endorsed, encouraged, or even acknowledged that you could install a CAG onto non-supported hardware? They would have to ask people on the phone about the type of device they’re using, and the callers would probably lie anyway.
What about installing the CAG into a VMware session?
The last “fact” that I want to discuss has to do with running the CAG in a VMware session. Again, let’s be perfectly clear about two facts here:
- Fact: It is possible to run a CAG in a VMware session.
- Fact: Citrix is doing this internally for testing and training purposes.
Should you do it? No. Why not? Because it violates the license agreement as it’s currently written.
Since the Supermicro 5013C-M server is just a pretty generic Intel server, it is possible to build a VM with similar specs to the CAG and then to “boot” the CAG installation CD-ROM to install the CAG into that VM. (Just configure the appropriate NICs in the VMX file and you're all set.)
Remember though that doing this is a direct violation of the Citrix license agreement. But again I wanted to be clear here that this technically works since it’s easy to find descriptions of this via Google, and unfortunately those descriptions don’t include the full legal and technical conversation presented here.
The other important fact about running a CAG server in a VM is that performance would be terrible. Without getting into all the details, the short explanation is it has to do with the fact that the virtualization layer has to translate TCP/IP calls between the various virtualized and physical processor ring layers on the host, and this gets expensive in terms of performance. (This performance problem goes away in the new Vanderpool Xeon CPUs, but those are so expensive that you might as well just buy a CAG.)