Update 1/17/2014 – Since I see this blog post getting quite a few hits daily I felt compelled to add this: If you are using Citrix Secure Gateway you should be migrating to NetScaler Gateway, no discussion, there is nothing to consider, do it.
Update 9/16/2015 – Seriously, why are people still googling this and reading this article? Buy a NetScaler, and if you are an F5 customer fighting doing the right thing…slap someone else's badge on it to make you feel better, just do it. This is the easy and best way to support XenApp, XenDesktop, ShareFile, XenMobile….
For the last few weeks it seems that once or twice a week I talk to a customer using Citrix Secure Gateway. To those of you who have seen me grimace in pain when you say this, I have decided to write this post to explain why it pains me to hear you say it.
First of all, the Citrix Secure Gateway (CSG) is an application that you install on Windows 2003/2008+; once installed it runs as a service. CSG proxies connections from the internet to internal Citrix XenApp/XenDesktop servers: it exposes a single HTTPS listener (TCP 443) to the internet and proxies each session internally over ICA (port 1494) or CGP (port 2598) to XenApp/XenDesktop. This lets users reach internal Citrix resources without a VPN. CSG does not authenticate users itself; it requires the Citrix Web Interface to perform user authentication and to serve the user's web site or services site. CSG is available as a "free" download from Citrix, which I believe is the primary reason that people start using it.
The alternative to CSG is to use either the Citrix Access Gateway or the NetScaler, the latter of which includes Access Gateway Enterprise edition functionality. I personally prefer NetScaler appliances, virtual or physical, to provide remote access to a Citrix environment, and this is the basis for the comparisons below. Does the NetScaler cost money? Yes it does, but it comes with features that are necessary and beneficial to your IT administrators and your users.
- Certificate chaining – The intermediate certificates of GoDaddy (and many other CAs) are not present in the trust store of many client devices, so the server has to present them. With CSG you must manually install those intermediate certificates on every client device, or the client cannot build the chain to a trusted root and rejects the SSL certificate. On a NetScaler you link the intermediate certificate to the server certificate in a few clicks; the appliance then presents the full chain (server certificate plus intermediates, never the root) and no endpoint needs to be touched.
- URL for Web Interface and Receiver (services) – In most environments a combination of web site(s) and services site(s) are deployed for users coming in from a browser and/or from mobile devices like iPads, and in many cases the services sites are created with non-standard configuration paths. With CSG you have to distribute a long URL (ex: https://citrix.company.com/citrix/pnagent/custom1/config.xml) for your Citrix Receiver clients and a different, usually shorter, URL for the web site. With a NetScaler we can hand a Receiver client to a specific services site by inspecting the request's HTTP headers (typically the User-Agent), so users only need to remember a single URL. Users enter https://citrix.company.com; if the request comes from a mobile Receiver it is automatically sent to the services site, otherwise it goes to the web site.
- Windows – CSG requires Windows, so if you want to use CSG you're going to have Windows servers, probably in your DMZ, and probably more than one for HA. A NetScaler is a hardened security appliance running a proprietary OS (based on FreeBSD); it is not a generic FreeBSD kernel with NetScaler installed as an application on top. An appliance still needs patching like anything else, but the exposed surface is purpose-built rather than a general-purpose Windows server. Enough said.
- High availability – CSG has no built-in high availability; you would need two CSGs load-balanced by either Windows or another device, with affinity rules in place. The NetScaler and Access Gateway appliances, physical and virtual, can run as a high-availability pair, and every feature on the appliance fails over between the two devices when a failure is detected. A NetScaler can also load balance your critical Citrix infrastructure, such as the Citrix Web Interface and XML broker(s), with health monitoring of those services so that a request is only sent to a server that is actually working.
- Advanced Access Controls – Advanced Access Controls let us vary the policies applied to a user based on the results of an endpoint scan. For example, we can turn off the ability to copy files between the remote session and the local desktop if the user isn't accessing the application/desktop from a "company" machine. These controls give us dynamic policy. Take a peek at http://citrix.opswat.com . NetScaler and Access Gateway have this (there is a slight difference, but that's for a separate post)…CSG…no such thing exists.
- Authentication – CSG does not authenticate users; it relies on the Citrix Web Interface to do so. It's important to point out that CSG simply proxies all requests to the Citrix Web Interface server with no filtering, meaning internet badness goes straight to your IIS server running the Web Interface. If you deploy CSG in your DMZ you are proxying the connection, but nothing authenticates until the request hits the Web Interface, which therefore also belongs in the DMZ rather than on the internal network (given that it receives all of that unfiltered internet traffic). NetScaler and Access Gateway both give you the option of authenticating users on the appliance before sending them to the Citrix Web Interface, or of authenticating them on the Web Interface; your choice. Since many people deploy the NetScaler or Access Gateway in the DMZ, they usually also choose to authenticate there, before anything reaches an internal Citrix Web Interface server.
- Performance – Per Citrix guidance CSG is for fewer than 500 concurrent connections, and I would definitely not recommend testing that limit, nor is anyone at Citrix going to encourage it. NetScaler appliances scale to literally tens of thousands of connections, and these appliances and the NetScaler engine are the basis of Citrix's future for remote access.
- Product updates – CSG is up to version 3.2; over the last few years it has received a couple of sporadic updates, centered mainly around security patches. I've seen a lot of product roadmaps and I've never seen this product mentioned once. This is purely speculation, but I don't think there is much, if any, future in this product. NetScaler and Access Gateway updates are frequent and include not just security fixes but also new functionality. I don't think I'm giving away anything under NDA by saying that these products are the future.
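To make the "single URL" point concrete, here is an added example (mine, not Citrix's and not NetScaler configuration) of the header-based dispatch described in the Web Interface/Receiver item above: one public hostname, with Receiver clients steered to a services site on a non-standard path and browsers steered to the web site. The site paths and the User-Agent substrings are assumptions chosen to match the post's example; check your own access logs for the clients you actually see. On a real NetScaler this is done with a responder or rewrite policy whose expression inspects `HTTP.REQ.HEADER("User-Agent")`.

```python
"""Single public URL for both browser and Receiver clients, dispatched by User-Agent.

Illustrative Python, not NetScaler configuration. Site paths and User-Agent markers
are assumptions chosen to match the post's example environment.
"""
from dataclasses import dataclass
from typing import Mapping

# Assumed back-end layout (hypothetical paths):
WEB_SITE_PATH = "/Citrix/XenApp/"                             # browser users
DEFAULT_PNAGENT_CONFIG = "/Citrix/PNAgent/config.xml"         # what a Receiver asks for by default
SERVICES_SITE_CONFIG = "/Citrix/PNAgent/custom1/config.xml"   # the non-standard services site

# Substrings that identify Receiver/PNAgent clients (assumed; verify against your logs).
RECEIVER_UA_MARKERS = ("citrixreceiver", "citrix receiver", "pnagent")


@dataclass(frozen=True)
class Route:
    site: str          # "services" or "web"
    backend_path: str  # path (plus query string) forwarded to the Web Interface server
    reason: str


def is_receiver(headers: Mapping[str, str]) -> bool:
    """True if the User-Agent header (name and value matched case-insensitively) looks like a Receiver."""
    ua = ""
    for name, value in headers.items():
        if name.lower() == "user-agent":
            ua = value.lower()
            break
    return any(marker in ua for marker in RECEIVER_UA_MARKERS)


def dispatch(request_path: str, headers: Mapping[str, str]) -> Route:
    """Map one public URL onto the right Web Interface site.

    Receiver clients get the services site; everything else gets the web site.
    Only the bare host and the default PNAgent path are rewritten; explicit paths
    are passed through unchanged so deep links and already-correct clients keep working.
    """
    path_only, _, query = request_path.partition("?")
    suffix = f"?{query}" if query else ""

    if is_receiver(headers):
        if path_only in ("", "/") or path_only.lower() == DEFAULT_PNAGENT_CONFIG.lower():
            return Route("services", SERVICES_SITE_CONFIG + suffix,
                         "Receiver user-agent: default path rewritten to services site")
        return Route("services", request_path, "Receiver user-agent: explicit path kept")

    if path_only in ("", "/"):
        return Route("web", WEB_SITE_PATH + suffix, "browser: root sent to web site")
    return Route("web", request_path, "browser: explicit path kept")


if __name__ == "__main__":
    for path, ua in (("/", "Mozilla/5.0"), ("/", "Citrix Receiver (iPad)"),
                     ("/Citrix/PNAgent/config.xml", "CitrixReceiver/3.4")):
        print(path, ua, "->", dispatch(path, {"User-Agent": ua}))
```

Rewriting the path on the appliance rather than issuing a redirect matters for the services site: not every Receiver build follows an HTTP redirect for its config.xml, whereas a browser would happily follow one.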
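The high-availability item above mentions health monitoring of the XML broker so that a dead broker never receives a request. The following added example (mine, not NetScaler's monitor code; the appliance ships a built-in monitor of this kind) shows what such a probe does: it POSTs a minimal NFuse `RequestCapabilities` document to the broker and only reports the server healthy if a well-formed `ResponseCapabilities` comes back. The request shape, the `/scripts/wpnbr.dll` path and the sample replies are assumptions/constructed data, not captures from a real broker.

```python
"""Health probe for a Citrix XML broker, in the style of a load balancer monitor.

Illustrative Python, not NetScaler code. The NFuse request shape, the /scripts/wpnbr.dll
path and the sample replies below are assumptions / constructed data.
"""
import http.client
import xml.etree.ElementTree as ET

# Minimal NFuse "RequestCapabilities" document (assumed). The broker answers with the
# capabilities it supports, which is enough to prove the XML service is answering.
NFUSE_REQUEST = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">\n'
    '<NFuseProtocol version="5.0"><RequestCapabilities/></NFuseProtocol>'
)


def parse_capabilities(body: bytes) -> dict:
    """Decide from the broker's reply whether it should receive traffic.

    Anything that is not a clean NFuse capability list (HTML error page, garbage,
    an NFuse ErrorId) marks the server DOWN; a monitor must fail closed.
    """
    try:
        root = ET.fromstring(body)          # small reply from our own broker; no external DTD is fetched
    except ET.ParseError as exc:
        return {"healthy": False, "error": f"unparseable reply: {exc}"}
    if root.tag != "NFuseProtocol":
        return {"healthy": False, "error": f"unexpected root element {root.tag!r}"}
    err = root.find(".//ErrorId")
    if err is not None:
        return {"healthy": False, "error": (err.text or "").strip() or "unnamed error"}
    caps = [(c.text or "").strip() for c in root.findall("./ResponseCapabilities/CapabilityId")]
    if not caps:
        return {"healthy": False, "error": "no ResponseCapabilities in reply"}
    return {"healthy": True, "capabilities": caps}


def probe_xml_broker(host: str, port: int = 80, path: str = "/scripts/wpnbr.dll",
                     timeout: float = 5.0) -> dict:
    """POST the probe to one broker and classify the answer. Network errors count as DOWN."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", path, body=NFUSE_REQUEST.encode("latin-1"),
                     headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return {"healthy": False, "error": f"connection failed: {exc}"}
    if resp.status != 200:
        return {"healthy": False, "error": f"HTTP {resp.status}"}
    return parse_capabilities(body)


# Constructed sample replies for an offline check (not captured from a real broker).
SAMPLE_OK = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">
<NFuseProtocol version="5.0">
  <ResponseCapabilities>
    <CapabilityId>separate-credentials-request</CapabilityId>
    <CapabilityId>multi-image-icons</CapabilityId>
  </ResponseCapabilities>
</NFuseProtocol>"""

SAMPLE_ERR = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<NFuseProtocol version="5.0">
  <ResponseCapabilities>
    <ErrorId>unspecified</ErrorId>
  </ResponseCapabilities>
</NFuseProtocol>"""


if __name__ == "__main__":
    print("sample ok :", parse_capabilities(SAMPLE_OK))
    print("sample err:", parse_capabilities(SAMPLE_ERR))
    # Against a real broker (hypothetical host) you would call:
    # print(probe_xml_broker("xmlbroker1.internal.company.com"))
```

The point a TCP-port or plain HTTP monitor misses is the middle case: IIS answering 200 with an error page while the Citrix XML service behind it is broken. Checking the protocol-level reply is what lets the load balancer pull that broker out of rotation before a user lands on it.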
If I've overlooked any other reasons to prefer NetScaler or Access Gateway over the Secure Gateway, please let me know; the same goes for anything I have written that is incorrect.
Thank you to everyone who provided me with feedback and/or critiques on this article. I hope that it helps get more people onto NetScaler or Access Gateway appliances, as I truly believe it is a better experience for the IT administrators and end users of Citrix solutions.
I'll be making updates to this post over the next few days, I'm sure; I'll tweet updates when I'm done.