Is Citrix Secure Gateway really End of Life?
Not really… it’s tied to the lifecycle of the latest product it was released with, which would be XenApp 6.5 – incidentally also the last product it works with. Secure Gateway also does not work with any version of StoreFront, so you’re stuck with Web Interface. What does Secure Gateway do? It allows an SSL connection to XenApp and XenDesktop resources to be proxied from the outside world. That’s it – more on that later.
I’ve been on several calls lately talking about upgrades and moving on from Citrix Secure Gateway – upgrading to NetScaler Gateway or even full NetScaler. Why does this keep coming up? I thought we were done with this. I get it – it was a free companion product that worked fairly well for what it was and SMBs used it quite extensively. So now that those same customers are looking to make the move from WI to StoreFront or from XenApp 6.5 to the 7.x line – this is becoming an issue. Let’s talk about why CSG had such wide adoption.
My response to this was that you get what you pay for. Yes, it worked, but since the 2013 Snowden leaks, cryptography and security have become more important than ever. If you want to argue about security, the fact that CSG is a Windows box in your DMZ will pretty much lose any argument.
So that’s really the only point I can come up with that is valid – if the environment is too small to warrant a paid solution, then how about a full NetScaler Standard VPX Express license? Yes, that’s right – not only do you get a replacement for CSG functionality, but you also get all of the NetScaler Standard features – albeit limited to 5 Mbps of throughput. But again, it’s free. And it is FAR more secure than the CSG ever was. NetScaler VPX Express info is available here.
What’s wrong with Secure Gateway
Or, why you should look forward to upgrading – yes, upgrading – your CSG deployment. OK, so a lot of this is exactly what Dan said in his post here, but I’m going to re-write it…because again, it’s apparently a hot topic (5 years later).
It requires a Windows box in your DMZ
As I alluded to earlier, CSG runs on a Windows system that likely needs to go in your DMZ. Any security-conscious person will tell you that this is a bad idea. The NetScaler is a hardened security appliance that meets the requirements to be used in even the most secure federal networks.
I commonly see Windows NLB in place to load balance CSG servers – so now not only do you have multiple Windows systems in your DMZ, but Windows NLB is severely limited in functionality. The NetScaler has advanced high availability built in and is also able to intelligently load balance other services – StoreFront, XML servers, for example.
The NetScaler Gateway lets customers intelligently grant access based on numerous factors such as A\V software, domain membership, etc. (see http://citrix.opswat.com/ for a full list). To explain that, let’s consider the following example chart showing how CSG and NetScaler Gateway would handle different remote access requests:
| Remote access request | Citrix Secure Gateway | NetScaler Gateway |
|---|---|---|
| Company Laptop | Full access granted | Full access granted |
| Company Laptop without A\V | Full access granted | Custom access to XenApp\XenDesktop: clipboard and printing allowed, but no local drive mappings |
| Personal Laptop without A\V | Full access granted | Minimal access to XenApp\XenDesktop; no clipboard, local drive mappings, or printing allowed |
| Company Laptop requesting VPN | N/A | Full VPN access granted |
| Company Laptop without A\V requesting VPN | N/A | Full VPN access denied; clientless VPN and XenApp\XenDesktop minimal access granted |
All authentication happens at the Web Interface when using CSG – with a NetScaler Gateway, this can be done at the gateway (in the DMZ) before the end user ever gets to the Web Interface or StoreFront server. And yes, NetScaler Gateway supports two-factor authentication (and many other types of authentication – smart card, SAML…).
Where do you go from here
I’m sorry to say that you just might have to purchase something – but realize that it is for the better…more features, better security and more scalability. Here are your options:
- NetScaler Standard VPX Express
  - Full NetScaler Standard featureset, including NetScaler Gateway
  - Limited to 5Mbps throughput

  Edit Feb. 15 2019: Citrix ADC Express edition is now the ‘Freemium’ edition; any ADC that does not carry a valid license will drop to this Freemium edition, which includes all of the above with the exception of Gateway functionality, so this edition is not an option for those that need Gateway capabilities. This change occurred with build 12.0.
- NetScaler Gateway Enterprise On-premises VPX
  - $Very Reasonable (Visit the Citrix Store – they’re cheap (seriously))
  - NetScaler Gateway functionality only
- Full NetScaler Standard\Enterprise\Platinum
  - $Wide range of cost based on numerous different platforms
  - Full NetScaler featureset
The best part? If you end up starting with the VPX express, then need to upgrade – it’s just a license file. The underlying code and configuration stay the same. Need to upgrade to a full NetScaler MPX physical appliance? Not a problem.
Questions? Feel free to ask in the comment section.