Yesterday I promised that I would look into the details of the new Citrix hardware appliances. I wrote in detail about the hardware that runs the Citrix Access Gateway. However, Citrix has plans to change the current model numbers and introduce some new ones, so I thought it would be a good idea to go through all of Citrix’s hardware from top to bottom since this information isn’t clearly available from Citrix.
The Citrix Access Gateway: New Models and Version Numbers
Let’s start with the Citrix Access Gateway (CAG). This is Citrix’s SSL-VPN that they bought from Net6 in 2004. It is also what is needed to use Advanced Access Control, the technology that provides super-cool integration between the VPN gateway and a Presentation Server. (I’ll write more on this next week.)
As I wrote yesterday, when you buy a CAG appliance you get a Supermicro 5013C-M server that runs Linux. The server cost $2500. Connection licenses are available in two flavors:
- $90 “Standard edition” connection licenses which are no-frills SSL-VPN licenses
- $150 “Enterprise edition” connection licenses which are SSL-VPN licenses plus all the cool Advanced Access Control stuff.
Moving forward, Citrix is still calling this a “Citrix Access Gateway.” However, they’re tacking on a model number to the appliance. The current Supermicro server-based hardware will be called a “model 2000” appliance and will support up to 2000 concurrent SSL-encrypted ICA sessions. It will still cost $2500.
They are also releasing a more powerful box that will be known as a “model 5000” that will cost $5500 and will support up to 5000 ICA sessions. The model 5000 box is actually based on the NetScaler hardware platform and will look (on the outside anyway) like a NetScaler device, however, this device will run the standard Citrix Access Gateway software.
Speaking of software, Citrix is also slightly modifying the software names. The $90 per connection version will still be called “standard” edition, but the $150 Advanced Access Control-enabled version will be called “advanced” edition instead of “enterprise” edition.
Here’s the important takeaway: You can use either CAG edition (standard or advanced) with either hardware platform (model 2000 or model 5000). So really you need to make two decisions. First decide whether you need Advanced Access Control or not, and then decide whether you want to buy a device that can support a maximum of 2000 or 5000 users. (Hey! The model numbers correspond to the maximum number of ICA sessions they can support. Cool!)
Now here’s where it gets tricky. Remember that in this new naming system, we now have a CAG “standard” edition and a CAG “advanced” edition. So of course Citrix is also offering a CAG “enterprise” edition.
However, the new CAG “enterprise” edition is actually a pure SSL-VPN based on the NetScaler operating system. It has many of the other HTTP application acceleration features of the other NetScaler devices, but it DOES NOT have Advanced Access Control.
This is because the NetScaler appliances have a different software architecture than the old Net6-based devices. The standard and advanced CAGs are applications that run on Linux. The NetScaler appliances are built on the FreeBSD kernel, and the NetScaler software itself runs as a kernel component called the “NetScaler Core Packet Processing Engine”; it is not just an application dropped on top of an OS, which is why the Linux-based Advanced Access Control code can’t simply be moved over to it.
There’s another bit of background information that’s important here. Long before Citrix bought NetScaler, NetScaler had their own SSL-VPN. It was not a standalone product like Net6’s was. The NetScaler VPN was just one of the many features that was included in the NetScaler application accelerators. This was fine for NetScaler, but it posed a big problem for Citrix.
The problem for Citrix was that the Net6 / Citrix Access Gateway was licensed like a server. You bought the appliance and then paid for connection licenses. On the other hand, NetScaler licensed their SSL-VPN like a piece of networking equipment. (A “true” appliance, if you will!) With NetScaler you bought the hardware, and you could serve as many SSL-VPN connections as you could cram on there.
This was a problem because Citrix charged $90 per connection for its no-frills SSL-VPN, so filling a Supermicro-based CAG to capacity cost $90 x 2000 connections = $180,000 in connection licenses plus $2,500 for the hardware, $182,500 in total. Meanwhile you could buy a NetScaler appliance for $80,000 or so and run far more than 2000 concurrent SSL VPN tunnels on it with no per-connection licenses at all.
So this meant that Citrix had to figure out what to do with the pre-merger NetScaler SSL-VPN module.
The solution? The new Citrix Access Gateway “enterprise” edition that I mentioned previously. The CAG enterprise edition is a NetScaler appliance running the NetScaler FreeBSD-based OS with the NetScaler SSL-VPN plug-in. As I mentioned earlier, it also has some of the other NetScaler application acceleration functions.
This new CAG enterprise edition is available on two hardware platforms: the NetScaler model 7000 for $17,500 and the NetScaler model 9000 for $25,000. (A FIPS-compliant version of the model 9000 is also available for $50,000.)
In some ways the NetScaler version of the SSL-VPN software is better than the Citrix / Net6 version. For instance, the NetScaler version has better auditing and compliance capabilities. However, remember that there is one major feature lacking in the NetScaler version. This NetScaler SSL-VPN / CAG Enterprise Edition does not support Citrix Advanced Access Control. What does this mean? Citrix can’t charge as much for these NetScaler-based SSL-VPN connection licenses. In fact, these enterprise CAG connection licenses cost $90 per connection—the same price as the standard edition that runs on the model 2000 or model 5000 hardware.
- CAG Standard, $90 per connection, runs on model 2000 or 5000
- CAG Advanced, $150 per connection, adds Advanced Access Control, runs on model 2000 or 5000
- CAG Enterprise, $90 per connection, no Advanced Access Control but adds auditing and application acceleration, runs on model 7000 or 9000
What about the other Citrix hardware?
I’m not really going to go into the details of Citrix’s other hardware products since they’re kind of outside the scope of what we write about on this site, however, I’ll quickly mention them for completeness.
The NetScaler model 7000 and 9000 devices can also be used for NetScaler’s Application Accelerator and Application Switch products. (In fact they also have model 10000 and model 12000 hardware platforms for really serious throughput.) This part of the product line has the same kind of flexibility as the Access Gateways: Citrix has three versions of its application acceleration products (Application Accelerator, Application Switch Standard Edition and Application Switch Enterprise Edition), each with several options, and any of them can run on the model 7000 and higher hardware platforms.
And don’t forget that Citrix also has a series of application firewalls that it got when it bought Teros a few months ago. (What’s an application firewall? It’s a box that inspects web traffic at the HTTP layer, blocking things like script insertion in incoming requests and stopping credit card numbers from leaking out in responses.) Right now these are their own product line, although they complement the NetScaler stuff very well, and I assume they’ll be rolled into that product line very soon.
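To make the parenthetical concrete, here is a toy version of the two checks an application firewall performs: scanning a request for script insertion and scanning a response for card numbers. This is an added example written for this page, not Teros or NetScaler code, and it is deliberately crude compared with a real product (a handful of regexes plus a Luhn check). The sample request and response lines are constructed for the example.

```python
"""Toy application-firewall checks (added example, not vendor code).

Request side: look for HTML/JavaScript insertion after percent-decoding.
Response side: find 13-19 digit runs, keep only Luhn-valid ones, mask them.
"""
import re
from urllib.parse import unquote_plus

# Crude markers of script insertion in a request. A real product has far
# more rules plus normalization for case, encodings and whitespace tricks.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I),
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# starting and ending on a digit so separators are not swallowed.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_script_insertions(text: str) -> list[str]:
    """Return the patterns that match, after undoing %xx encoding (a common evasion)."""
    decoded = unquote_plus(text)
    return [p.pattern for p in SCRIPT_PATTERNS if p.search(decoded)]


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, as plain digit strings."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_request(request_line: str) -> tuple[bool, list[str]]:
    """(allowed, reasons): block the request if any script pattern matches."""
    hits = find_script_insertions(request_line)
    return (len(hits) == 0, hits)


def inspect_response(body: str) -> tuple[str, int]:
    """Mask Luhn-valid card numbers in an outbound body, keeping the last four.

    Returns (rewritten_body, number_of_masked_cards).
    """
    count = 0

    def mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave it alone
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_CANDIDATE.sub(mask, body), count


# Constructed sample traffic for the example (not captured from a real system).
SAMPLE_REQUEST = "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0"
SAMPLE_RESPONSE = (
    "Order 8423 for card 4111 1111 1111 1111 shipped; ref 1234 5678 9012 3456"
)

if __name__ == "__main__":
    allowed, reasons = inspect_request(SAMPLE_REQUEST)
    print("request allowed:", allowed, "reasons:", reasons)
    body, masked = inspect_response(SAMPLE_RESPONSE)
    print("masked", masked, "card(s):", body)
```

Note what the Luhn check buys you: the 16-digit "ref" number in the sample response is left untouched because it fails mod-10, while the 4111... test card is masked. Decoding the request before matching matters just as much, since `%3Cscript%3E` would sail past a regex run on the raw bytes.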
I think it’s safe to assume that Citrix will be consolidating their technologies and platforms as they move forward. One of the weird things right now is that the company is organized into several “divisions,” including a “Gateways Division” and an “Application Networking Division.” Of course the legacy Net6 / CAG falls in the former and the NetScaler stuff falls in the latter division, so it will be interesting to see how Citrix combines these two business groups. But I would imagine that eventually they’ll have one stack of technology that’s used on all of their appliances, and you’ll basically be able to pick and choose the modules and hardware capacities that you need to accomplish your task.
I also assume that as applications evolve, their appliances will evolve to manage, accelerate, and protect the new protocols and technologies. A great example of this is Longhorn terminal services. If WinFX primitives can be sent across the network as part of the RDP or ICA protocol, I would think that the NetScaler technology could be extended so that it can cache, multiplex, compress, and secure this content in the same way it does all this for HTTP traffic today.