There has been a lot of talk recently about Citrix’s SSL VPN strategy. In this editorial, I’ll discuss what an SSL VPN is, why it matters to Citrix, and what I think will happen with Citrix in this space. To begin, let’s take a look at the basics.
What is an SSL VPN?
An SSL VPN is a product that allows people to securely connect to internal corporate applications via the public Internet. Broadly speaking, there are two types of SSL VPNs—hardware solutions and software solutions. The hardware versions come in the form of an appliance that you drop into your datacenter. These appliances have internal web servers that users browse to for connection into the environment. By contrast, the software solutions come in the form of a piece of software that you install onto a web server that gives that web server the SSL VPN functionality.
To use a typical SSL VPN, a user connecting via the Internet simply browses to a regular web page via HTTP. Upon authenticating to that page (maybe with two-factor authentication), their browser session becomes encrypted with SSL and they begin communicating with the web server via HTTPS over port 443.
But SSL VPNs provide much more functionality than regular HTTPS web sites.
Once the user authenticates, a Java applet or ActiveX control is typically launched on their client device. SSL VPNs allow users to securely access internal applications. In most cases these can be applications that communicate via HTTP, HTTPS, 3270 sessions, SMB file shares, ICA or RDP sessions, or any other port/protocol combination.
When using an SSL VPN, a user has an SSL-encrypted session with the web server / VPN device over the public Internet. The web server / VPN device decrypts the SSL session and passes the data to the appropriate back-end location (via 3270, or HTTP, or SMB, or whatever protocol and port the application uses). Essentially this means that the user can access any internal server or protocol via SSL.
SSL VPNs are conceptually similar to traditional IPSec VPNs, although the SSL VPNs are typically easier to deploy, available via the web, and do not require complex client installations.
So what does all this have to do with Citrix?
The release of Citrix’s Secure Gateway product a few years ago represented their first step in the SSL VPN direction. Citrix did not claim it was an SSL VPN solution at the time, but in hindsight we can see that it started them down the SSL VPN path.
Citrix Secure Gateway (CSG) allowed multiple users to access internal MetaFrame servers via an ICA protocol wrapped in SSL. Thousands of users could securely access a multitude of back-end MetaFrame Presentation Servers via a single external IP address and port over the public Internet.
In that sense, CSG pretty much fulfilled the definition of an SSL VPN, except that the only protocol it could encrypt was ICA.
More recently, Citrix released version 2 of its Secure Gateway product (rebranded as “MetaFrame Secure Gateway”). Secure Gateway v2 had the added functionality of being able to encrypt (by wrapping in SSL) HTTP, HTTPS, and Exchange RPC data (in addition to ICA data).
(I should point out for the sake of purists that “MetaFrame Secure Gateway v2” is not a stand-alone product per se. The functionality described above is available as part of Citrix’s portal product called “MetaFrame Secure Access Manager,” or “MSAM.” A watered-down version of Secure Gateway v2 that only supports ICA encryption is also included for free with MetaFrame Presentation Server.)
Citrix folks have said again and again that MSAM and/or Secure Gateway is not an SSL VPN and that it's not meant to compete in that space. Most people would agree with this since the Citrix product only supports a few protocols while most of the other products support just about every protocol imaginable.
However, don’t move too fast to believe Citrix when they say their product is not an SSL VPN... Citrix's own website links to this reprint of Gartner's SSL VPN Magic Quadrant for 1H04. (For those of you unfamiliar with this, Gartner's Magic Quadrant is an X-Y axis chart that shows how well different vendors can compete in a certain space and how mature their products are. All vendors strive to get into the "magic" upper right-hand quadrant, indicating that they're a leader in the space with a high ability to execute.)
I’m not sure what’s more interesting about this—the fact that Gartner even chose to include Citrix on the chart or the fact that Citrix linked this SSL VPN document off of their website even while claiming they’re not in that space.
All of this SSL VPN talk leads to the million-dollar question:
Does Citrix want to get into the SSL VPN space?
Absolutely. 100%. Yes. Citrix has claimed that MSAM / Secure Gateway is not a true SSL VPN, but they have never said anything about not wanting to get into that space.
At the Citrix Strategy Day webcast on April 27, 2004, Citrix’s CEO Mark Templeton made a comment about how big the security software market is. Even though he does not want to become a security company, he does want to flesh out the “access” capabilities of the MetaFrame Access Suite. An SSL VPN solution that supported more than MSAM’s handful of protocols would go a long way.
But wait, there’s more. Late last year Citrix tried (unsuccessfully) to buy an SSL VPN company called Neoteris. Citrix offered $250M, but that was $15M short of what a company called NetScreen offered. (In an interesting twist, Juniper Networks ended up buying the combined NetScreen / Neoteris company for $4B.)
Remember from the early part of this article that SSL VPN solutions can be hardware- or software-based. The weird thing about Citrix trying to buy Neoteris is that Neoteris was a hardware-based solution, so I’m not exactly sure what Citrix was thinking there. In my opinion it’s a good thing that Citrix didn’t end up getting Neoteris.
That being said, I think that buying a software-based SSL VPN solution could be a really good fit for Citrix. It certainly would fit nicely into their “Access Infrastructure” messaging and they could combine a newly-purchased SSL VPN solution with MSAM to create a “real” SSL VPN offering. I’m sure they could further integrate such an offering with MetaFrame Presentation Server and Secure Gateway to create a truly compelling product.
So who would be on Citrix’s shopping list? I would think it would be one of the smaller software-only SSL VPN vendors, like NetSilica or Permeo Technologies. The software-only SSL VPN solutions have a harder time selling in the hardware appliance-dominated space, so I would think those types of companies might even be amenable to a Citrix acquisition.