What is Citrix's SSL VPN Strategy?

There has been a lot of talk recently about Citrix’s SSL VPN strategy. In this editorial, I’ll discuss what an SSL VPN is, why it matters to Citrix, and what I think will happen with Citrix in this space. To begin, let’s take a look at the basics.

What is an SSL VPN?

An SSL VPN is a product that allows people to securely connect to internal corporate applications via the public Internet. Broadly speaking, there are two types of SSL VPNs—hardware solutions and software solutions. The hardware versions come in the form of an appliance that you drop into your datacenter. These appliances have internal web servers that users browse to for connection into the environment. By contrast, the software solutions come in the form of a piece of software that you install onto a web server that gives that web server the SSL VPN functionality.

To use a typical SSL VPN, a user connecting via the Internet simply browses to the gateway’s web page. A properly configured gateway redirects any plain-HTTP request to HTTPS on port 443 before it presents the login form, so the user’s credentials (perhaps including a second factor) travel only inside the SSL session; authenticating over plain HTTP and switching to SSL afterwards would send the password across the Internet in the clear. From that point on, everything the user sends and receives is encrypted between their browser and the gateway.

But SSL VPNs provide much more functionality than regular HTTPS web sites.

Once the user authenticates, purely web-based applications can be proxied straight through the browser, and for everything else the gateway typically launches a Java applet or ActiveX control on the client device that tunnels the application’s traffic through the SSL session. In most cases this covers applications that communicate via HTTP, HTTPS, 3270 terminal sessions, SMB file shares, ICA or RDP sessions, or any other port/protocol combination.

When using an SSL VPN, a user has an SSL-encrypted session with the web server / VPN device over the public Internet. The web server / VPN device decrypts the SSL session and passes the data to the appropriate back-end location (via 3270, or HTTP, or SMB, or whatever protocol and port the application uses). Essentially this means that the user can access any internal server or protocol via SSL. The flip side is that the gateway is where the encryption ends: it sees every byte of every session in plaintext and is the trust boundary between the Internet and the internal network. That is why it normally lives in a DMZ, and why the strength of its authentication and of its mapping from users to the back-end resources they may reach matters more than the encryption itself.
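The flow just described, as an added example written for this edit rather than code from the article, from Citrix, or from any SSL VPN vendor. It is a toy gateway in Go: the client verifies the gateway’s certificate and opens a TLS session, authenticates, asks for an application by name, and then speaks that application’s own protocol through the tunnel, while the gateway decrypts, checks the user against its list, maps the application name to an internal host:port it is allowed to reach, and relays plaintext bytes to it. The AUTH/CONNECT line protocol, the host name gateway.example, the user alice, the application name ica-farm, and the upper-casing echo server standing in for a back-end are all constructed for the example; they are not CGP or any product’s wire format.

```go
package main

// Added illustration of the SSL VPN flow described above; no vendor code or wire protocol
// is used. The AUTH/CONNECT lines, "gateway.example", the user and app names are invented.
import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// NewGateway brings up the DMZ appliance: it mints a self-signed certificate (a real one comes
// from a CA), listens with TLS on a loopback port and serves in the background. users maps
// user -> secret; backends maps app name -> internal host:port. It returns the address the
// Internet side connects to and the trust anchor a client needs to verify the gateway.
func NewGateway(users, backends map[string]string) (addr string, pool *x509.CertPool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return "", nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"gateway.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return "", nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return "", nil, err }
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { return "", nil, err }
	pool = x509.NewCertPool()
	pool.AddCert(leaf)
	go serve(ln, func(c net.Conn) { handle(c, users, backends) })
	return ln.Addr().String(), pool, nil
}

// serve accepts connections until the listener closes; the gateway and the back-end share it.
func serve(ln net.Listener, handler func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() { go handler(c) }
}

// handle is one user's session as the gateway sees it: authenticate, resolve the app, relay.
func handle(c net.Conn, users, backends map[string]string) {
	defer c.Close()
	r := bufio.NewReader(c)
	// 1. Authenticate inside the encrypted session; nothing is forwarded before this. An unknown
	//    user looks up as "", and the constant-time compare keeps timing from grading a guess.
	f := readFields(r)
	if len(f) != 3 || f[0] != "AUTH" || subtle.ConstantTimeCompare([]byte(users[f[1]]), []byte(f[2])) != 1 {
		fmt.Fprintln(c, "DENIED bad credentials"); return
	}
	fmt.Fprintln(c, "OK")
	// 2. The user names an application, never a raw host:port; the allow-list maps it.
	f = readFields(r)
	if len(f) != 2 || f[0] != "CONNECT" || backends[f[1]] == "" { fmt.Fprintln(c, "DENIED no such app"); return }
	// 3. Plaintext hop to the internal server: TLS ends here, so the gateway sees every byte of
	//    the session and is itself the trust boundary that has to be hardened and monitored.
	b, err := net.Dial("tcp", backends[f[1]])
	if err != nil { fmt.Fprintln(c, "DENIED backend unavailable"); return }
	defer b.Close()
	fmt.Fprintln(c, "TUNNEL")
	go io.Copy(c, b)
	io.Copy(b, r) // r first drains what it already buffered, then relays until the client hangs up
}

func readFields(r *bufio.Reader) []string { line, _ := r.ReadString('\n'); return strings.Fields(line) }

// StartEchoBackend plays an internal application server that only speaks plaintext TCP; it
// upper-cases each line so a caller can see that bytes really crossed the tunnel.
func StartEchoBackend() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	go serve(ln, func(c net.Conn) {
		defer c.Close()
		for sc := bufio.NewScanner(c); sc.Scan(); { fmt.Fprintln(c, strings.ToUpper(sc.Text())) }
	})
	return ln.Addr().String(), nil
}

// ClientSession plays the user's browser plug-in: verify the gateway's certificate, authenticate,
// ask for an app, then speak that app's own protocol (here one line, echoed back) through the tunnel.
func ClientSession(gwAddr string, pool *x509.CertPool, user, secret, app, payload string) (string, error) {
	conn, err := tls.Dial("tcp", gwAddr, &tls.Config{RootCAs: pool, ServerName: "gateway.example", MinVersion: tls.VersionTLS12})
	if err != nil { return "", err }
	defer conn.Close()
	r := bufio.NewReader(conn)
	for _, step := range [][2]string{{"AUTH " + user + " " + secret, "OK"}, {"CONNECT " + app, "TUNNEL"}} {
		fmt.Fprintln(conn, step[0])
		resp, err := r.ReadString('\n')
		if err != nil { return "", err }
		if resp = strings.TrimSpace(resp); resp != step[1] { return "", fmt.Errorf("gateway refused: %s", resp) }
	}
	fmt.Fprintln(conn, payload) // from here on the bytes belong to the application, not the gateway
	reply, err := r.ReadString('\n')
	return strings.TrimSpace(reply), err
}

func main() {
	backend, err := StartEchoBackend()
	if err != nil { panic(err) }
	gw, pool, err := NewGateway(map[string]string{"alice": "correct-horse"}, map[string]string{"ica-farm": backend})
	if err != nil { panic(err) }
	fmt.Println(ClientSession(gw, pool, "alice", "correct-horse", "ica-farm", "hello from the internet"))
	fmt.Println(ClientSession(gw, pool, "alice", "wrong-secret", "ica-farm", "hello"))
}
```

Run it and the first session comes back with the back-end’s reply while the second is refused before a single byte reaches the back-end. The point to take from the code is where the guarantees live: the encryption protects only the path from the user to the gateway, so the access decision (which user may reach which internal service) is the gateway’s job, and a gateway that forwarded to whatever host:port a client named would turn SSL into an open door into the datacenter.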

SSL VPNs are conceptually similar to traditional IPsec VPNs, although SSL VPNs are typically easier to deploy, available via the web, and do not require complex client installations. The practical difference is that an IPsec VPN generally puts the remote machine onto the internal network, whereas an SSL VPN mediates access application by application at the gateway.

So what does all this have to do with Citrix?

The release of Citrix’s Secure Gateway product a few years ago represented their first step in the SSL VPN direction. Citrix did not claim it was an SSL VPN solution at the time, but in hindsight we can see that it started them down the SSL VPN path.

Citrix Secure Gateway (CSG) allowed multiple users to access internal MetaFrame servers via the ICA protocol wrapped in SSL. Thousands of users could securely access a multitude of back-end MetaFrame Presentation Servers via a single external IP address and port over the public Internet.

In that sense, CSG pretty much fulfilled the definition of an SSL VPN, except that the only protocol it could encrypt was ICA.

More recently, Citrix released version 2 of its Secure Gateway product (rebranded as “MetaFrame Secure Gateway”). Secure Gateway v2 had the added functionality of being able to encrypt (by wrapping in SSL) HTTP, HTTPS, and Exchange RPC data (in addition to ICA data).

(I should point out for the sake of purists that “MetaFrame Secure Gateway v2” is not a stand-alone product per se. The functionality described above is available as part of Citrix’s portal product called “MetaFrame Secure Access Manager,” or “MSAM.” A watered-down version of Secure Gateway v2 that only supports ICA encryption is also included for free with MetaFrame Presentation Server.)

Citrix folks have said again and again that MSAM and/or Secure Gateway is not an SSL VPN and that it's not meant to compete in that space. Most people would agree with this since the Citrix product only supports a few protocols while most of the other products support just about every protocol imaginable.

However, don’t move too fast to believe Citrix when they say their product is not an SSL VPN... Citrix's own website links to a reprint of Gartner's SSL VPN Magic Quadrant for 1H04. (For those of you unfamiliar with this, Gartner's Magic Quadrant is an X-Y axis chart that shows how well different vendors can compete in a certain space and how mature their products are. All vendors strive to get into the "magic" upper right-hand quadrant, indicating that they're a leader in the space with a high ability to execute.)

I’m not sure what’s more interesting about this—the fact that Gartner even chose to include Citrix on the chart or the fact that Citrix linked this SSL VPN document off of their website even while claiming they’re not in that space.

All of this SSL VPN talk leads to the million-dollar question:

Does Citrix want to get into the SSL VPN space?

Absolutely. 100%. Yes. Citrix has claimed that MSAM / Secure Gateway is not a true SSL VPN, but they have never said anything about not wanting to get into that space.

At the Citrix Strategy Day webcast on April 27, 2004, Citrix’s CEO Mark Templeton made a comment about how big the security software market is. Even though he does not want to become a security company, he does want to flesh out the “access” capabilities of the MetaFrame Access Suite. An SSL VPN solution that supported more than MSAM’s handful of protocols would go a long way.

But wait, there’s more. Late last year Citrix tried (unsuccessfully) to buy an SSL VPN company called Neoteris. Citrix offered $250M, but that was $15M short of what a company called NetScreen offered. (In an interesting twist, Juniper Networks ended up buying the combined NetScreen / Neoteris company for $4B.)

Remember from the early part of this article that SSL VPN solutions can be hardware- or software-based. The weird thing about Citrix trying to buy Neoteris is that Neoteris was a hardware-based solution, so I’m not exactly sure what Citrix was thinking there. In my opinion it’s a good thing that Citrix didn’t end up getting Neoteris.

That being said, I think that buying a software-based SSL VPN solution could be a really good fit for Citrix. It certainly would fit nicely into their “Access Infrastructure” messaging and they could combine a newly-purchased SSL VPN solution with MSAM to create a “real” SSL VPN offering. I’m sure they could further integrate such an offering with MetaFrame Presentation Server and Secure Gateway to create a truly compelling product.

So who would be on Citrix’s shopping list? I would think it would be one of the smaller software-only SSL VPN vendors, like NetSilica or Permeo Technologies. The software-only SSL VPN solutions have a harder time selling in the hardware appliance-dominated space, so I would think those types of companies might even be amenable to a Citrix acquisition.

This message was originally posted by an anonymous visitor on July 16, 2004
Brian, your comments about Citrix's SSL VPN strategy are right on. We were having problems deploying nFuse and CSG with MSAM and had to look for an alternative solution because of our strict HIPAA infrastructure requirements. We found out about Netsilica through a local Citrix VAR. We love the product and the fact that we can avoid having to put an IIS nFuse server in the DMZ and have secure clientless browser access to all of our applications running on MetaFrame. What's even nicer about the solution is Netsilica's ability to have all our users single sign-on to our ADS environment. I hope you're right about Citrix buying Netsilica because that would be awesome!
This message was originally posted by an anonymous visitor on July 16, 2004
Citrix did acquire a software product that started the SSL VPN "trend" called Extranet.
This message was originally posted by an anonymous visitor on July 19, 2004
Why can't they just expand on the MSAM Secure Gateway Client to allow it to be used without MSAM?
This message was originally posted by the hairy yak on July 21, 2004
Citrix do need to extend the Advanced Gateway Client for MSAM, but they need to get rid of the administrative install dependency or it breaks the any, any, any mantra. Hence one of the reasons for the slow adoption of MSAM.

What they also need to think about doing is bundling the ICA client and a password manager client with the Gateway client into one package to prevent it getting too complicated.

Citrix need a hardware-based gateway for several reasons:

To get around the prejudice (rightly or wrongly) against Microsoft-based security solutions;
MSAM has too many dependencies and boxes to make it truly appealing to the enterprise customer.

Another alternative would be to get the Common Gateway Protocol (CGP) adopted by the bigger players as a supported standard (Nokia, Cisco, etc...) and then the Citrix product simply works with whatever a customer already has, you don't have to try and sell a new solution to them.

It would still need a client download, but as long as it was more platform independent than ActiveX and didn't need an Admin install it would be a lot more widely adopted.

Just for information, it is also possible to customise MSAM 2.2 to support additional protocols (e.g. to allow Lotus Notes synchronisation) but you can run into support issues from Citrix.

Problem is it all takes time, so we just need to wait and see what happens.
This message was originally posted by an anonymous visitor on October 3, 2004
What about Whale Communications? We use that, it's a very solid product, better than others we've evaluated.
This message was originally posted by Brian Madden on October 19, 2004
Not that it wouldn't be cool, though... :)
Such solutions provided by Citrix are expensive.

One should look for an open source option to secure their Citrix, providing greater security, affordability, and enormous scalability.

Example solutions are the Inventigo SSL Encryptor, which is provided both as an Appliance and also as source code and compiled binaries.

Features in the Inventigo SSL Encryptor are:

SSL Clientless VPN
Active Directory Authentication
Access to any Application via API
Citrix over SSL
VNC over SSL
Remote Desktop over SSL
Secure Folder Access
Source Code must be Available
An Appliance option must be Available
Scalable SSL VPN

Find more about the product at Inventigo Open Source Solutions.
Interesting that you're pimping open source as the best thing since sliced bread and yet I was unable to find source code on your site or on SourceForge. Perhaps you should share download links... Unless of course you're only interested in selling your appliances...

Hi Shawn,

Please return to the site in the next few weeks as we are currently building a customised Knoppix solution to run the Inventigo SSL Encryption solution as we have had numerous requests for a live CD.

Please register on our site, and you will receive a notification of the download URL as soon as the Knoppix version of the Inventigo SSL Encryption Solution is ready.

I apologise for the delay.
We have to use Juniper's SSL VPN with our web Citrix environment. I have found a bunch of examples of the standard Citrix designs (i.e. DMZ with Secure Gateway server). However, as I will be using a SSL VPN/extranet, I need an example that does not use Secure Gateway. (Or do I still need it?) How did others incorporate an extranet box into their Citrix design?
Does it require a router?