Citrix Secure Gateway is EOL…Now What?

Is Citrix Secure Gateway really End of Life?

Not really…it’s tied to the lifecycle of the latest product that it was released with which would be XenApp 6.5 – which is incidentally the last product that it works with. Secure Gateway also does not work with any version of StoreFront, so you’re stuck with Web Interface. What does secure gateway do? It allows for an SSL connection to XenApp and XenDesktop resources to be proxied from the outside world. That’s it – more on that later.

I’ve been on several calls lately talking about upgrades and moving on from Citrix Secure Gateway – upgrading to NetScaler Gateway or even full NetScaler. Why does this keep coming up? I thought we were done with this. I get it – it was a free companion product that worked fairly well for what it was and SMBs used it quite extensively. So now that those same customers are looking to make the move from WI to StoreFront or from XenApp 6.5 to the 7.x line – this is becoming an issue. Let’s talk about why CSG had such wide adoption.

It’s free.

My response to this was that you get what you pay for. Yes it worked, but post 2013 Snowden leaks, cryptography and security have become more important than ever. If you want to argue about security, the fact that CSG is a Windows box in your DMZ will pretty much lose any argument.

So that’s really the only point I can come up with that is valid – if the environment is too small to warrant the need for a paid solution, then how about a full NetScaler Standard VPX express license. Yes that’s right – not only do you get CSG functionality replacement, but you also get all of the NetScaler standard features – albeit limited by 5 Mbps of throughput. But again, it’s free. And it is FAR more secure than the CSG ever was. NetScaler VPX express info is available here.

What’s wrong with Secure Gateway

Or, why you should look forward to upgrading – yes, upgrading – your CSG deployment. OK, so a lot of this is exactly what Dan said in his post here, but I’m going to re-write it…because again, it’s apparently a hot topic (5 years later).

It requires a Windows box in your DMZ

As I alluded to earlier, CSG runs on a Windows system that likely needs to go in your DMZ. Any security conscious person will tell you that this is a bad idea. The NetScaler is a hardened security appliance that meets the requirements to be used in even the most secure federal networks.

High Availability

I commonly see Windows NLB in place to load balance CSG servers – so now not only do you have multiple Windows systems in your DMZ, but Windows NLB is severely limited in functionality. The NetScaler has advanced high availability built in and is also able to intelligently load balance other services – StoreFront, XML servers, for example.

Access Controls

The NetScaler gateway allows customers to intelligently allow access based on numerous factors such as A\V software, domain membership, etc (see http://citrix.opswat.com/ for a full list). To explain that, lets consider the following example chart showing how CSG and NetScaler Gateway would perform with different remote access requests:

Citrix Secure Gateway NetScaler Gateway
Company Laptop Full access granted Full access granted
Company Laptop without A\V Full access granted Custom access to XenApp\XenDesktop: clipboard and printing allowed, but no local drive mappings
Personal Laptop without A\V Full access granted Minimal access to XenApp\XenDesktop; No clipboard, local drive mappings, or printing allowed
Company Laptop requesting VPN N/A Full VPN access granted
Company Laptop without A\V requesting VPN N/A Full VPN access denied; Clientless VPN and XenApp\XenDesktop minimal access granted

As you can see, SmartAccess and SmartControl offer more granular controls over remote access connections – neither of these technologies exist in CSG.

Authentication

All authentication happens at the Web Interface when using CSG – with a NetScaler Gateway, this can be done at the gateway (in the DMZ) before the end user ever gets to the web interface or StoreFront server. And yes, NetScaler Gateway supports two factor authentication (and many other types of authentication – smart card, SAML…)

Where do you go from here

I’m sorry to say that you just might have to purchase something – but realize that it is for the better…more features, better security and more scalability. Here are your options:

  1. NetScaler Standard VPX Express
    1. $0.00
    2. Full NetScaler Standard featureset, including NetScaler Gateway
    3. Limited to 5Mbps throughput

Edit Feb. 15 2019: Citrix ADC Express edition is now the ‘Freemium’ edition; any ADC that does not carry a valid license will drop to this Freemium edition which includes all of the above with the exception of Gateway functionality; so this edition is not an option for those that need Gateway capabilities. This change occurred with build 12.0

  1. NetScaler Gateway Enterprise On-premises VPX
    1. $Very Reasonable (Visit the Citrix Store – they’re cheap (seriously))
    2. NetScaler Gateway functionality only
  2. Full NetScaler Standard\Enterprise\Platinum
    1. $Wide range of cost based on numerous different platforms
    2. Full NetScaler featureset

The best part? If you end up starting with the VPX express, then need to upgrade – it’s just a license file. The underlying code and configuration stay the same. Need to upgrade to a full NetScaler MPX physical appliance? Not a problem.

Questions? Feel free to ask in the comment section.

3 thoughts on “Citrix Secure Gateway is EOL…Now What?”

  1. Why do otherwise bright people still come up with arguments like “it’s bad because you need a windows system in your DMZ” in 2017 (or 2016, or even 2013) is beyond me. In particular when the advise that follows is to replace it with an OS using “a custom kernel based on FreeBSD that runs a set of java software” (and don’t get me started on the fact that there is still no automatic update feature for the whole thing).

    The reality is that Netscaller/AG is forced migration that does not provide any additional features to the CSG+WI but that does cost a lot more money both upfront and recurring.

    Reply
    • Hi Stephane,

      Leaked State-sponsored vulnerabilities against Windows aside…I would argue that there are significant additional features when looking at CAG vs CSG\WI, including EPA, SmartAccess\SmartControl, SSLVPN to name a few. This would likely turn into a conversation about software life cycle, legacy applications, and upgrades\new features. Web Interface is written in j sharp which was retired some time ago, thus the whole platform needed to be rewritten.

      That said the NetScaler Gateway virtual appliance is no where near the cost of a full NetScaler – might be worth taking a look.

      Reply
  2. Like Stephane said, It’s beyond me why Windows is not up to par. There is NO professional (or otherwise) audit that states every public faced protocol and port is secured. There are always bug tp be found. I think it’s easier to update and harden (without issues) a Windows box that a NSG appliance.

    That being said, I only like a Citrix-proxy. Nothing more. Get the heck away with all those bells and whistles I don’t care about. I want all my bandwidth available and no extra features. But oh no, Citrix want more money and decided to kill the best thing in Citrix-world: CSG… Sad days.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.