Citrix Secure Gateway…(sigh)

Update 1/17/2014 – Since I see this blog posts getting quite a few hits daily I felt compelled to add this: If you are using Citrix Secure Gateway you should be migrating to NetScaler Gateway, no discussion, there is nothing to consider, do it.

Update 9/16/2015 – Seriously, why are people still googling this and reading this article? Buy a NetScaler, if you are an F5 customer and fighting doing the right thing…slap someone elses badge on it to make you feel better, just do it, this is the easy and best way to support XenApp, XenDesktop, ShareFile, XenMobile….

For the last few weeks it seems that once or twice a week I talk to a customer using Citrix Secure Gateway, to those of you who have seen me grimace in pain when you say this I have decided to write this post to explain why it pains me to hear you say this.

First of all, the Citrix Secure Gateway is an application that you install on Windows 2003/2008+, it runs as a service once installed.  The Citrix Secure Gateway (CSG) proxies connections from the internet to internal Citrix XenApp/XenDesktop.  CSG allows a single https connection to the internet and proxies those sessions internally via ICA (port 1494) or CGP (port 2598) to XenApp/XenDesktop.  This functionality allows users to connect to internal Citrix solutions without requiring a VPN.  CSG requires the Citrix Web Interface to perform user authentication as well as provide the user’s web interface site or services site.  CSG is available as a “free” download from Citrix, which I believe is the primary reason that people start using it.

The alternative to Citrix Secure Gateway (CSG ) is to use either the Citrix Access Gateway or the Netscaler, the latter which includes Access Gateway Enterprise edition functionality.  I personally prefer Netscaler appliances, virtual or physical, to provide remote access to a Citrix environment…and this will be the basis for my comparisons below.  Does the Netscaler cost money?  Yes it does, but it comes with features that are necessary and beneficial to your IT administrators and your users.

  • Certificate chaining – GoDaddy (and many others) intermediate certificates are not present on many client devices, if using the CSG you must manually load these intermediate certificates on client devices or they will fail when trying to verify the SSL certificate.  When using Netscaler you can chain the intermediate certificate to the SSL certificate in just a few clicks, avoiding any need to touch the client endpoints.
  • URL for Web Interface and Receiver (services) – In most environment a combination of web site(s) and services site(s) are deployed for users coming in from both a browser and/or mobile devices like iPads.  In many cases services sites are created with non-standard configuration paths.  When using CSG you have to distribute a long url (ex: https://citrix.company.com/citrix/pnagent/custom1/config.xml) for your Citrix Receiver clients and a different url, usually shorter for accessing the web site.  When using Netscaler we can pass the Receiver client on to a specific services site by reading the http header, therefore users only need to remember a single url for web interface and services site access.  Users enter the url (https://citrix.company.com) and if they’re using a mobile receiver the request automatically goes to the services site, if not it goes to the web site.
  • Windows – CSG requires Windows, so if you want to use CSG you’re going to have Windows, probably in your DMZ, probably more than one for HA.  Netscaler is a hardened security appliance running a proprietary OS (based on FreeBSD).  It is not running a generic FreeBSD kernel and Netscaler is an application on that proprietary OS.  Enough said.
  • High availability – CSG has no built in high availability, you would need 2 CSG’s being load-balanced by either Windows or another device with affinity rules in place.  Netscaler and Access Gateway, both the physical and virtual appliances can function in a high availability pair.  All features on the appliances failover between devices when a failure is detected.  Netscaler can in fact also load balance your critical Citrix infrastructure such as Citrix Web Interface, XML broker(s), and perform health monitoring of those functions to ensure the service is working properly before sending a request there.
  • Advanced Access Controls – Advanced Access Controls allow us to vary the policies being applied to a user based on the results of an endpoint scan.  For example, we can turn off the ability to copy files between remote session and local desktop if the user isn’t accessing the application/desktop from a “company” machine.  These controls allow us to provide dynamic policy.  Take a peek at http://citrix.opswat.com .  Netscaler and Access Gateway have this (there is a slight difference but thats for a separate post)…CSG…no such thing exists.
  • Authentication – CSG does not authenticate users, it relies on the Citrix Web Interface to authenticate users.  It’s important to point out that CSG simply proxies all requests to the Citrix Web Interface server, no filtering, meaning internet badness is going straight to your IIS server running the Web Interface.  If you want to deploy CSG in your DMZ you might be proxying the connection, but it won’t authenticate until it his the Web Interface, which now should definitely be in your DMZ (given it proxies all internet badness).  Netscaler and Access Gateway both have the option of authenticating users on the device prior to sending them to the Citrix Web Interface, or you can authenticate them on the Citrix Web Interface, your choice.  Since many people choose to deploy Netscaler and Access Gateway in the DMZ they also usually choose to authenticate them there prior to sending them to an internal Citrix Web Interface server.
  • Performance – CSG per the Citrix guidance is for <500 concurrent connections, although I would definitely not recommend testing that limit, nor is anyone at Citrix going to encourage it.  Netscaler appliance scale up to literally tens of thousands of connections, these appliances and the Netscaler engine are the basis for the future at Citrix for remote access.
  • Product updates – CSG is up to version 3.2, over the last few years it has received a couple sporadic updates centered mainly around security patches.  I’ve seen a lot of product roadmaps but I’ve never seen this product mentioned once.  This is purely speculation but I don’t think there is much if any future in this product.  Netscaler and Access Gateway product updates are frequent and include not just security updates but also new functionality.  I don’t think I’m giving away anything NDA to say that these products are the future.

If I’ve overlooked any other reasons to prefer Netscaler or Access Gateway over the Secure Gateway please let me know, the same goes for if I have written anything that is incorrect.

Thank you to everyone who provided me feedback and/or critiques on this article, I hope that it helps get more people on to Netscaler or Access Gateway appliances as I truly believe it is a better experience for the IT administrator and end users of Citrix solutions.

I’ll be making updates to this post over the next few days i’m sure, I’ll tweet updates when I done.

6 thoughts on “Citrix Secure Gateway…(sigh)

  1. Dan, great article. I think CSG should only be used for PoCs for all of the reasons you mentioned above. By the time the project becomes a pilot you’re doing your organization a disservice to keep using CSG.

    I also like the new look and feel around here. Looking forward to your next article.

  2. Good article, and I can understand the ‘sigh’ (and that makes it really easy to find the page again in Google). But there are a few things I’d like to point out as a long time Citrix reseller to SMB customers.

    CSG has been around a long time, and I’m sure no one at Citrix will say it is a bad product 😉 Ever since the CAG was introduced, the line has been to favor it over CSG, but really both are valid solutions which fit (or don’t) with customer requirements.

    For simple implementations, CSG is a valid choice and it is still maintained and updated (now at v3.3).

    I don’t get your first point about the chained certificates. Having an intermediate certificate at the webserver/csg has been a universal requirement for a couple of years now with the new 2048-bit root CA’s. I’ve not had any client issues with certs from ‘proper’ top-level CA’s (like those mentioned here http://support.microsoft.com/kb/929395). I personally like GeoTrust certs which ‘can be got’ cheaply if you shop around.

    There is an easy solution for your second bullet point as well (in IIS7 and up); it’s called the “URL Rewrite” module (http://www.iis.net/download/urlrewrite). Which is really also how CAG/Netscaler does it.

    For redundancy virtualization can offer a solution.

    The other points I agree with and separate the two solutions thus making each one fit (or not) with customer requirements.

    I’m all for appliances mind you, but I’m also for choosing the solutions that best fits the customers’ requirements (current and planned).

    For a PoC I’d prefer to use the product that (most likely) will be used in the final solutions/production. There are (virtualized) demo and trial units to be used for that.

    Regards,
    George/

    1. CSG is not maintained and updated…yes it has received some security hotfixes but it absolutely is not being developed. All the new products…CloudGateway (StoreFront, AppController) do not integrate with CSG…time to move on. AGEE via the Netscaler line is what I would be implementing.

  3. Great article and I totally agree. Sadly I am one of the people using Secure Gateways currently but this is only because the network team at my company could not get the Access Gateways to work correctly so I had to take over so I could own the product end-to-end.

    I am looking into the Netscaler Access Gateway (VPX) though with Storefront currently…it looks promising and I can pretend it isn’t a network device to still own it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s