Understanding the New Citrix Hardware Naming & Numbering: Access Gateways & NetScaler appliances

Yesterday I promised that I would look into the details of the new Citrix hardware appliances. I wrote in detail about the hardware that runs the Citrix Access Gateway. However, Citrix has plans to change the current model numbers and introduce some new ones, so I thought it would be a good idea to go through all of Citrix’s hardware from top to bottom since this information isn’t clearly available from Citrix.

The Citrix Access Gateway: New Models and Version Numbers

Let’s start with the Citrix Access Gateway (CAG). This is Citrix’s SSL-VPN that they bought from Net6 in 2004. It is also what is needed to use Advanced Access Control, the technology that provides super-cool integration between the VPN gateway and a Presentation Server. (I’ll write more on this next week.)

As I wrote yesterday, when you buy a CAG appliance you get a Supermicro 5013C-M server that runs Linux. The server costs $2500. Connection licenses are available in two flavors:

  • $90 “Standard edition” connection licenses which are no-frills SSL-VPN licenses
  • $150 “Enterprise edition” connection licenses which are SSL-VPN licenses plus all the cool Advanced Access Control stuff.

Moving forward, Citrix is still calling this a “Citrix Access Gateway.” However, they’re tacking on a model number to the appliance. The current Supermicro server-based hardware will be called a “model 2000” appliance and will support up to 2000 concurrent SSL-encrypted ICA sessions. It will still cost $2500.

They are also releasing a more powerful box that will be known as a “model 5000” that will cost $5500 and will support up to 5000 ICA sessions. The model 5000 box is actually based on the NetScaler hardware platform and will look (on the outside anyway) like a NetScaler device, however, this device will run the standard Citrix Access Gateway software.

Speaking of software, Citrix is also slightly modifying the software names. The $90 per connection version will still be called “standard” edition, but the $150 Advanced Access Control-enabled version will be called “advanced” edition instead of “enterprise” edition.

Here’s the important takeaway: You can use either CAG edition (standard or advanced) with either hardware platform (model 2000 or model 5000). So really you need to make two decisions. First decide whether you need Advanced Access Control or not, and then decide whether you want to buy a device that can support a maximum of 2000 or 5000 users. (Hey! The model numbers correspond to the maximum number of ICA sessions they can support. Cool!)

Now here’s where it gets tricky. Remember that in this new naming system, we now have a CAG “standard” edition and a CAG “advanced” edition. So of course Citrix is also offering a CAG “enterprise” edition.

However, the new CAG “enterprise” edition is actually a pure SSL-VPN based on the NetScaler operating system. It has many of the other HTTP application acceleration features of the other NetScaler devices, but it DOES NOT have Advanced Access Control.

This is because the NetScaler appliances have a different software architecture than the old Net6-based devices. The standard and advanced CAGs are applications that run on Linux. The NetScaler appliances are based on the FreeBSD Kernel. They run as a kernel component called the “NetScaler Core Packet Processing Engine”—they’re not just an application that’s dropped on top of an OS.

There’s another bit of background information that’s important here. Long before Citrix bought NetScaler, NetScaler had their own SSL-VPN. It was not a standalone product like Net6’s was. The NetScaler VPN was just one of the many features that was included in the NetScaler application accelerators. This was fine for NetScaler, but it posed a big problem for Citrix.

The problem for Citrix was that the Net6 / Citrix Access Gateway was licensed like a server. You bought the appliance and then paid for connection licenses. On the other hand, NetScaler licensed their SSL-VPN like a piece of networking equipment. (A “true” appliance, if you will!) With NetScaler you bought the hardware, and you could serve as many SSL-VPN connections as you could cram on there.

This was a problem because Citrix charged $90 for their no-frills SSL-VPN, which meant that if you wanted to fill a Supermicro-based CAG to capacity you had to spend $90 x 2000 connections = $180,000, plus $2500 for the hardware, for $182,500 in total. On the other hand, you could buy a NetScaler appliance for $80,000 or so and run way more than 2000 concurrent SSL-VPN tunnels.

So this meant that Citrix had to figure out what to do with the pre-merger NetScaler SSL-VPN module.

The solution? The new Citrix Access Gateway “enterprise” edition that I mentioned previously. The CAG enterprise edition is a NetScaler appliance running the NetScaler FreeBSD-based OS with the NetScaler SSL-VPN plug-in. As I mentioned earlier, it also has some of the other NetScaler application acceleration functions.

This new CAG enterprise edition is available on two hardware platforms: the NetScaler model 7000 for $17,500 and the NetScaler model 9000 for $25,000. (A FIPS-compliant version of the model 9000 is also available for $50,000.)

In some ways the NetScaler version of the SSL-VPN software is better than the Citrix / Net6 version. For instance, the NetScaler version has better auditing and compliance capabilities. However, remember that there is one major feature lacking in the NetScaler version. This NetScaler SSL-VPN / CAG Enterprise Edition does not support Citrix Advanced Access Control. What does this mean? Citrix can’t charge as much for these NetScaler-based SSL-VPN connection licenses. In fact, these enterprise CAG connection licenses cost $90 per connection—the same price as the standard edition that runs on the model 2000 or model 5000 hardware.

To summarize:

  • CAG Standard, $90 per connection, runs on model 2000 or 5000
  • CAG Advanced, $150 per connection, adds Advanced Access Control, runs on model 2000 or 5000
  • CAG Enterprise, $90 per connection, no Advanced Access Control but adds auditing and application acceleration, runs on model 7000 or 9000

What about the other Citrix hardware?

I’m not really going to go into the details of Citrix’s other hardware products since they’re kind of outside the scope of what we write about on this site, however, I’ll quickly mention them for completeness.

The NetScaler model 7000 and 9000 devices can also be used for NetScaler’s Application Accelerator and Application Switch products. (In fact they also have model 10000 and model 12000 hardware platforms for really serious throughput.) This part of their product line has the same type of flexibility as the Access Gateways. Citrix has three versions of their application acceleration products (called Application Accelerator, Application Switch Standard Edition and Application Switch Enterprise Edition), each with several options, that can be run on the various hardware platforms (model 7000 and higher).

And don’t forget that Citrix also has a series of Application Firewalls that they got when they bought Teros a few months ago. (What’s an application firewall? It’s a box that examines traffic to make sure that no script insertions or credit card numbers are passing through it.) Right now these are their own product line, although they complement the NetScaler stuff very well and I assume that they’ll be rolled into that product line very soon.

The Future

I think it’s safe to assume that Citrix will be consolidating their technologies and platforms as they move forward. One of the weird things right now is that the company is organized into several “divisions,” including a “Gateways Division” and an “Application Networking Division.” Of course the legacy Net6 / CAG falls in the former and the NetScaler stuff falls in the latter division, so it will be interesting to see how Citrix combines these two business groups. But I would imagine that eventually they’ll have one stack of technology that’s used on all of their appliances, and you’ll basically be able to pick and choose the modules and hardware capacities that you need to accomplish your task.

I also assume that as applications evolve, their appliances will evolve to manage, accelerate, and protect the new protocols and technologies. A great example of this is Longhorn terminal services. If WinFX primitives can be sent across the network as part of the RDP or ICA protocol, I would think that the NetScaler technology could be extended so that it can cache, multiplex, compress, and secure this content in the same way it does all this for HTTP traffic today.

Join the conversation



Thanks for the summary Brian! It seems I never have enough time to get to the big picture until you publish an article like this.
Great stuff!

Hi Brian,
I agree with Michel, another very good summary that puts it in perspective without having to wade through Citrix's version of events.
BTW, I was chatting about AG Capacity with others and this has come to light?
...organized a conference call with the CAG team in San Jose earlier
this week to confirm our sizing methodology. The one new bit of news was
that they are recommending using 1000 as the metric for ICA connections and
500 (or less) for full VPN. Using 2000 as the metric for ICA connections is
one of those theoretical maximums.
As well as this, if you are running AAC and want to use things like Outlook synchronisation you could quite possibly be needing 3 - 4 connections just for this in addition to the ICA. So what with this and the issue where it "sort of has failover, but not true Load Balancing" we can start to understand that Citrix want to build on the Marketing and make sure that they can deliver the hardware that does what it says?

Unless things are changing, NetScaler also requires client licenses for the VPN as well. License packs are available up to 5,000 users (but the system can handle many, many more concurrent users than that). List price for a 2500 user pack is somewhere in the ballpark of $85k, separate of hardware cost.
Thank you for effectively summarizing the Secure Access products from Citrix. The pricing is still murky as the NetScaler folks still charge an SSL-VPN charge which does not seem to align with what you stated in your article! Could you confirm that it is $90/concurrent user? Thanks for another great article!!!
I think it's important to note that whilst the 2000 and 5000 series CAG devices may offer a theoretical maximum of 2000 and 5000 simultaneous VPN connections in the real world it is important to test this in your own environment. Different applications incur different load on the device which could reduce concurrency. Additionally, some applications may use multiple VPN tunnels simultaneously.
As usual for any of this stuff, test, test, test and when you think you're sure, do it once more just for peace of mind.
I think what you actually mean is 2000 TCP sessions, not tunnels or users. That makes a big difference when you are talking about the actual number of connected users. Also NetScaler always charged a fee for SSL VPN tunnels based on concurrency, not the network equipment model you spoke of.

The problem with using a Netscaler device as a CAG is that it wasn't really designed to be a CAG appliance (like the CAG2000)...Therefore, features like changing the CAG Web page display and redirection of port 80 to 443 no longer work. Any changes you make to these, will disappear after a reboot of the appliance!! So, clients are presented with a Webpage that says things like Password1 and Password2 (if you had RSA integration!) This is so confusing for them. But there doesn't seem to be a way of changing it :(

Has anyone had any experience with this?