With Citrix AG and CSG going away, how far can you get with NetScaler VPX? The answer: pretty far!

If you are following Citrix's networking product line I guess that you are already familiar with a fact that Citrix has finally decided to "End of Life" the Access Gateway product line in 2014. While we can debate for hours if this decision makes sense or not, from purely field perspective I don't believe it will be a life changer.

If you are following Citrix’s networking product line I guess that you are already familiar with a fact that Citrix has finally decided to “End of Life” the Access Gateway product line in 2014. While we can debate for hours if this decision makes sense or not, from purely field perspective I don’t believe it will be a life changer. The NetScaler product line is absolutely capable of addressing almost all AG use cases. The only exception might be an AG + AAC setup in some measure, but let’s be honest; AG+ AAC setup pushed to its limits is definitely a rare occurrence these days.

The Citrix networking world wouldn’t be as fun as it is if the only problem we had is an AG EoL, though. There is another thing that causes concern. Have you ever asked yourself a question what will happen with CSG? Every once in a while you hear people saying that CSG is dead, but in spite of that, Citrix delivers a new version with every major product release.

Well it looks like this time it is really over.

Currently, Citrix Secure Gateway is the only component that offers free ICA-Proxy connections using SSL. Secure Gateway 3.3 is supported up to 2016, but Secure Gateway-based configurations will become partially unsupported in 2015 due to the End of Life of Web Interface 5.4. At that time, StoreFront will be the only “web interface” to Citrix environments. StoreFront does not, and will not, support Secure Gateway in any way.

That means that all of you happily running 1000-1500 users over single CSG + Web Interface will have to get highly creative when explaining to your customers that they will have to migrate to a new platform and respectively start paying for a service they previously had for free.

Is that really a bad thing? The answer to that question is tricky, and I would have to say “yes” and “no”.

You can argue that it is a big deal because CSG is free and easy to setup. It’s been around a long time, and so we’ve come to know it well and depend on it. Of course, you could also argue that it is not such a bad thing because NetScaler is a much better product.

For starters with NetScaler you will get out-of-the-box XML load balancing and health checking capability for your farms. Web Interface load balancing, seamless failover to a working appliance in HA setups, smart access capabilities if you need them etc. The details of these features are worth an article by themselves, but suffice it to say these are important.

Let’s admit, having three different solutions (AG, CSG, and NetScaler) to wrap ICA sessions into SSL and route them to a single point of access must be overkill from product support perspective. It’s understandable that something had to change. I guess your next question now would be, “so know what?”

If you are not comfortable running unsupported components in production I would suggest that the best course of action is to try to find a replacement for your CSG setup. Do you really need to spend 150k in hardware to do so? The answer is “definitely no.” 

This brings us at last to the moment of truth, one of the reasons why I wrote this article in the first place. The fundamental question on NetScaler VPX product line is ultimately expressed and answers start varying depending on who you ask. That question, of course, is:

How many users I can take on a single NetScaler VPX instance?

The Official Citrix position on the matter is something like: 

“NetScaler VPX performance is dependent upon underlying server infrastructure”.

At the same time Citrix also states that AG VPX supports 500 concurrent users. I suppose that “Underlying server infrastructure” criterion applies only to NetScaler VPX product line (or I must have missed something).

On the other hand, the answer to the same question from a skilled sales professional might be:

“You can support 500 users max on a VPX. If you need more than that we have beautiful MPX 7500 that will take you up to 1500 users. For anything above 1500 users you will be invited to check the brand new MPX 11500.”

But, I am neither a sales professional nor a Citrix representative. I believe that if you have a large farm environment, the NetScaler VPX will be nothing more than a DEV appliance for you to do your testing and sandbox work on.  If you have over 200 users, it’s currently best practice to deploy the physical appliance instead of the VPX.

With some perspective it appears that the vague answer that you can expect from Citrix is, ironically, the most accurate (if you forget the part on AG VPX limitation of course). Let’s see why:

Two years ago I was working on a frontal infrastructure redesign for a major corporate investment bank here in France. Without entering into details, I needed a solution capable of supporting around 3000 concurrent sessions running heavy trading applications in multi-screen setup. At the same time, the solution should load balance all production XML and Web interface servers.

Being faced with same questions, I decided to try NetScaler VPX myself. The first thing I realized is that the VPX and MPX are using exactly the same firmware.

That led me to a bold assumption that a VPX and MPX should perform similarly on equally performing hardware when it comes to ICA proxy.

My initial bandwidth analysis was more than promising, so I decided to check with the hypervisor guys to see how they felt about my idea to go with VPX. The virtualization architect responsible for the hypervisor stack, probably one of the best engineers I ever worked with, agreed to try. We provisioned two NetScaler VPX 200 appliances in HA, one in each datacenter and we were ready to roll.

Some say that one picture is worth a thousand words.

This is how NetScaler VPX 200 dashboard looks like with around 1900 concurrent sessions.

You can see that this implementation of NetScaler VPX is, not surprisingly, barely using any of 4 GB of RAM allocated. When running on latest generation hardware, 400 users will consume just 1 % of CPU. Additionally, network throughput really in my scenario it rarely goes over 30 Mb/s, although this is bound to be different in other use cases.

Personally, I would feel confident to scale up this environment to at least five times these numbers without a blink before considering any architectural change. 

So in case you’re looking for an ICA proxy solution based on NetScaler VPX, I would say that a sky is the limit as long as underlying server infrastructure is ok. And that is the only thing you should have in mind when going VPX for ICA proxy. 

On the other hand it would be a great thing if Citrix could make a clear stand on this subject. I believe the time has really come to stop with arbitrary limitations or senseless expert recommendations and let this product work the way it has been designed for.

Join the conversation

20 comments

Send me notifications when other members comment.

Please create a username to comment.

Hi,


Good one! Keep in mind that there is also a VPX for only CAGEE! The NetScaler Access Gateway with the same NetScaler firmware underneath. You can't use the Load Balancing feature on that particular device at the moment. This means no LB for WebInterface / Storefront. Also you can't redirect HTTP to HTTPS!


On the CAGEE MPX version there was a feature called Virtual Server and Services. With this feature you could create some kind of Load Balancing. At the moment this isn't available in the NetScaler Access Gateway VPX.


Like you mentioned go for the specific NetScaler VPX 10,200,1000 or 3000


Cheers!


Cancel

Julien,


Very good article. I 100% agree that the power of modern Intel CPUs will allow you to perform the relatively cheap SSL encrypt and decrypt operations at very low CPU cost!


The picture will change slightly though if you start using SSL-VPN and run other applications than ICA proxy.


A few concerns/questions for you:


- How exactly is Secure Gateway "free" when you have to shell out anywhere between 500 and 1500 dollars for a Windows Server license??


- As Anton pointed out, Access Gateway VPX is a VERY attractive entry point into Netscaler VPX. And Access Gateway VPX allows up to 50Mbps! And Access Gateway VPX will very much come at a lower cost than Windows Server with CSG!!


- Do you have any documentation on Web Interface End-of-Life? I have been searching for official public documents from Citrix that clearly state the EOL dates for WI 5.4 (I know that Citrite bloggers have mentioned EOL of WI 5.4 but I can't find anything on the Citrix Support pages)


Cheers,


Christoph


Cancel

@Anton: Absence of load balancing capabilities is the reason I would never go CAGEE VPX. I don’t believe access gateway product line will have a bright future.


Cancel

Hi Christoph,


You are right there are plenty of use cases for SSL offloading but not when it comes to ICA proxing.


As I said I would skip AG product line even in an entry level segment due to the lack of load balancing capabilities. From purely bang for the back perspective Netscaler is a better choice.  As you can imagine I don’t have anything official on WI 5.4


Cancel

You're right!


You and I are aware of this limitation. But most of the new customers don't. They are offered a CAG upgrade, or order a new one and think they ordered a full blown product.  


Nobody gonna spend money on a real NetScaler VPX for only the use of Remote Access! They will order a NetScaler Access Gateway VPX because it's cheap :-(


That's a pitty!


Cancel

This is a great article, thank you for writing it!


There is not enough of this type of real world information available in regards to ICA Proxy on the NetScaler VPX.  Citrix has to stick to the company line, but they are severely under-selling this product.


Cancel

@Anton  CAGEE doesn't redirect HTTP to HTTPS, it does using the following


Putty onto the server


add lb vserver HTTP_redirect_for_AGEE HTTP 10.0.0.19 80 -redirectURL https://citrix.company.com


Also, can't see CAGEE going end of life, lots of smaller companies don't need Netscaler functionality, they simply want to get remote access to their Citrix servers, previously CSG was enough, why do they now all of a sudden need more?


Netscaler CAGEE is the best option for that.  


Cancel

@Mark


That's my point exactly:


Because Load Balancing is not licensed in the NetScaler Access Gateway VPX (CAGEE VPX). You can't use this feature.


In case of a NetScaler VPX then you can use a LB vserver for redirection; Or better make a responder action!


Cheers!


Cancel

I guess we'll have to wait and see. It might happen sooner than you think.


Enough?  Or we just didn't have anything better than a CSG? Anyway, I’ve already said what I think on AG vs NS...


Cancel

@Anton:  try it, whilst it states that it isn't licensed it redirects http to https for the CAGEE.  


Cancel

jsut to add that the 500 user limit mentioned in the article actually refers to the VPN users and not ICA proxy.


I have had confirmation back from Citrix that ICA proxy connections are only limited by the hardware resources.


With the modern processing power of servers this should scale to levels almost identically to a physical NetsSaler.


Cancel

Access Gateway VPX is much simpler and much cheaper, as compared to a full blown NetScaler VPX. No doubt that its worth investing in an NS VPX, for what it beings on the table. But, if you are just looking for plain ICAProxy to your XA/XD farm, or you are just looking for the new world of MDX for CloudGateway, Access Gateway makes it straightforward to setup, without having to get confused with all other NS features.


And whenever you decide, its time you leverage some of the awesome functionality that comes with NS, there is an upgrade path. Citrix offers an upgrade SKU from AG VPX to NS VPX 200.


Cancel

Note that testing @ Citrix is real world testing, where multiple connections with varying data trends, are pumped per session, and what you see in the DataSheets are the concurrent sessions supported per appliance. Also note that post the concurrent session limit, Access Gateway will not drop packets, but the latency of the over all session will increase. We cap the limits to what we consider as good end user experience.


Cancel

Do refer to my blog for Secure Gateway to Access Gateway migration here - blogs.citrix.com/.../secure-gateway-to-access-gateway-migration


Cancel

www.citrix.com/.../xendesktop.html


shows Web Interface EOL date as 14-JUN-2015.


Cancel

You say: "Of course, you could also argue that it is not such a bad thing because NetScaler is a much better product."


But for customers between 20 and 300 users it really isn't a 'much better product'. Yeah for Citrix.


I LOVE the CSG, because it's a replacement for VPN, but the Netscaler is there to replace VPN, which I really don't want. And then I've got a overprices CSG? No thanks!


But my choice has been taken... :'( Bad decision for small to medium businesses...


Cancel

@erottier It is a better product independently of the size of your business. Netscaler is not a VPN replacement nor is CSG. I believe you missed completely the point of my post.


Cancel

How were 1900 sessions acheived on a PVX 200? Is there not a connection limit lock by the license purchased?


Cancel

Be aware of this issue with poodle and TLS 1.2;


discussions.citrix.com/.../356789-csg-and-cve-2014-3566-poodle


Cancel

Hi Julien,


Did you use a stress testing tool? Or did you use real world users to generate the load?


Cheers,


Chris


Cancel

-ADS BY GOOGLE

SearchVirtualDesktop

SearchEnterpriseDesktop

SearchServerVirtualization

SearchVMware

Close