If you are following Citrix’s networking product line, I guess you are already familiar with the fact that Citrix has finally decided to “End of Life” the Access Gateway product line in 2014. While we can debate for hours whether this decision makes sense or not, from a purely field perspective I don’t believe it will be a life changer. The NetScaler product line is absolutely capable of addressing almost all AG use cases. The only exception might be an AG + AAC setup in some measure, but let’s be honest: an AG + AAC setup pushed to its limits is definitely a rare occurrence these days.
The Citrix networking world wouldn’t be as fun as it is if the only problem we had were the AG EoL, though. There is another thing that causes concern. Have you ever asked yourself what will happen to CSG? Every once in a while you hear people saying that CSG is dead, but in spite of that, Citrix delivers a new version with every major product release.
Well it looks like this time it is really over.
Currently, Citrix Secure Gateway is the only component that offers free ICA-Proxy connections using SSL. Secure Gateway 3.3 is supported up to 2016, but Secure Gateway-based configurations will become partially unsupported in 2015 due to the End of Life of Web Interface 5.4. At that time, StoreFront will be the only “web interface” to Citrix environments. StoreFront does not, and will not, support Secure Gateway in any way.
That means that all of you happily running 1000-1500 users over a single CSG + Web Interface will have to get highly creative when explaining to your customers that they will have to migrate to a new platform and start paying for a service they previously had for free.
Is that really a bad thing? The answer to that question is tricky, and I would have to say “yes” and “no”.
You can argue that it is a big deal because CSG is free and easy to set up. It’s been around a long time, and so we’ve come to know it well and depend on it. Of course, you could also argue that it is not such a bad thing because NetScaler is a much better product.
For starters, with NetScaler you get out-of-the-box XML load balancing and health checking for your farms, Web Interface load balancing, seamless failover to a working appliance in HA setups, smart access capabilities if you need them, and so on. The details of these features are worth an article by themselves, but suffice it to say these are important.
Let’s admit it: having three different solutions (AG, CSG, and NetScaler) to wrap ICA sessions into SSL and route them to a single point of access must be overkill from a product support perspective. It’s understandable that something had to change. I guess your next question now would be, “so now what?”
If you are not comfortable running unsupported components in production, I would suggest that the best course of action is to find a replacement for your CSG setup. Do you really need to spend 150k in hardware to do so? The answer is “definitely no.”
This brings us at last to the moment of truth, one of the reasons why I wrote this article in the first place. This is where the fundamental question about the NetScaler VPX product line finally gets asked, and the answers vary depending on who you ask. That question, of course, is:
How many users can I take on a single NetScaler VPX instance?
The official Citrix position on the matter is something like:
“NetScaler VPX performance is dependent upon underlying server infrastructure”.
At the same time, Citrix also states that AG VPX supports 500 concurrent users. I suppose that the “underlying server infrastructure” criterion applies only to the NetScaler VPX product line (or I must have missed something).
On the other hand, the answer to the same question from a skilled sales professional might be:
“You can support 500 users max on a VPX. If you need more than that we have beautiful MPX 7500 that will take you up to 1500 users. For anything above 1500 users you will be invited to check the brand new MPX 11500.”
But I am neither a sales professional nor a Citrix representative. I believe that if you have a large farm environment, the NetScaler VPX will be nothing more than a DEV appliance for you to do your testing and sandbox work on. If you have over 200 users, it’s currently best practice to deploy the physical appliance instead of the VPX.
With some perspective, it appears that the vague answer you can expect from Citrix is, ironically, the most accurate (if you forget the part about the AG VPX limitation, of course). Let’s see why:
Two years ago I was working on a front-end infrastructure redesign for a major corporate investment bank here in France. Without going into details, I needed a solution capable of supporting around 3000 concurrent sessions running heavy trading applications in a multi-screen setup. At the same time, the solution had to load balance all production XML and Web Interface servers.
Faced with the same questions, I decided to try NetScaler VPX myself. The first thing I realized is that the VPX and MPX use exactly the same firmware.
That led me to the bold assumption that a VPX and an MPX should perform similarly on equally performing hardware when it comes to ICA proxy.
My initial bandwidth analysis was more than promising, so I decided to check with the hypervisor guys to see how they felt about my idea to go with VPX. The virtualization architect responsible for the hypervisor stack, probably one of the best engineers I have ever worked with, agreed to try. We provisioned two NetScaler VPX 200 appliances in HA, one in each datacenter, and we were ready to roll.
Some say that one picture is worth a thousand words.
This is what the NetScaler VPX 200 dashboard looks like with around 1900 concurrent sessions.
You can see that this implementation of NetScaler VPX is, not surprisingly, barely using any of the 4 GB of RAM allocated. When running on latest-generation hardware, 400 users will consume just 1% of CPU. Additionally, network throughput in my scenario rarely goes over 30 Mb/s, although this is bound to be different in other use cases.
Personally, I would feel confident scaling this environment up to at least five times these numbers without blinking before considering any architectural change.
So in case you’re looking for an ICA proxy solution based on NetScaler VPX, I would say that the sky is the limit as long as the underlying server infrastructure is OK. And that is the only thing you should have in mind when going VPX for ICA proxy.
On the other hand, it would be a great thing if Citrix could take a clear stand on this subject. I believe the time has really come to stop with arbitrary limitations or senseless expert recommendations and let this product work the way it was designed to.