One-click NetScaler Gateway deployment and configuration… it sounds too good to be true for a product as complex as NetScaler. Well, it is true… mostly.
Currently, all Citrix Cloud products provide a degree of bundled NetScaler Gateway Service functionality. Citrix takes complete responsibility and puts a generic configuration in place so that users may access their resources. From there, you have to decide if the bundled functionality satisfies your needs or if you’ll eventually require additional features not currently included.
Before we discuss this functionality, please be aware that Citrix is in the process of renaming many of its products, including those under the NetScaler umbrella. However, it will likely take a long time to discontinue the NetScaler name and replace it with just Citrix, so for now, we’ll continue to call it NetScaler Gateway Service.
Let’s take a closer look at NetScaler Gateway Service. We’ll explain the bundled functionality you get from the Virtual Apps and Desktops version and what additional features will require an upgrade to the premium single sign-on offering.
The good news
As part of the Citrix Cloud bundled functionality for NetScaler Gateway Service, Citrix takes on full administration. We all know NetScaler admins are expensive and hard to find because it is a complex product, probably too complex. By automating the deployment and maintenance of NetScaler Gateway within Citrix Cloud, organizations can worry less about their cloud infrastructure.
Maintenance of NetScaler appliances, even for security updates, is typically a lax area for many organizations. After an on-premises NetScaler Gateway is initially configured and deployed, it is often infrequently upgraded or modified. Further, the default password, nsroot, sometimes never gets changed. With Citrix handling NetScaler maintenance in conjunction with Workspace/XenApp/XenDesktop Service, your cloud environment is more secure and gets updated regularly.
Automation by means of NetScaler Gateway Service also includes the appliance SSL certificate, which may be easily overlooked in an enterprise. If certificate renewal notices are not centralized and the employee who obtained it leaves, this could result in a very bad day for the company when the certificate expires.
And don’t worry about stressing the system, as high availability and scalability are inherent features. It’s similar to going to the store and needing more bags because you bought more stuff—you’re going to leave with as many bags as necessary. NetScaler Gateway Service scales to match the number of subscribed users.
By default, Session Reliability comes enabled, but the administrator can elect to disable it. Only in rare situations would Session Reliability not be enabled for on-premises deployments. As we will discuss below, Enlightened Data Transport (EDT) and perhaps some other features should have a similar checkbox.
Down the road, Citrix plans to offer a premium version of NetScaler Gateway Service (as in, at a cost) that will support SaaS applications and multi-factor authentication (MFA). As can be gleaned from the tech preview, the premium service includes single sign-on (SSO) integration that ultimately allows web apps such as Salesforce to work seamlessly from the user standpoint.
The not-so-good news
Here is where we hit a road bump: Citrix only deploys a generic ICA/HDX proxy configuration in the current Virtual Apps and Desktops version. This means that if your organization requires multiple log-on URLs, SmartAccess, MFA, or other customizations, these can’t be accommodated because, as an administrator, you can’t manage your NetScaler. If you require a customized configuration right now, NetScaler Gateway can be deployed separately to front-end your Citrix Cloud environment; however, this is distinct (i.e., at a cost) from the included NetScaler Gateway Service. In the future, the premium offering may address these requirements.
Along with the generic configuration, a generic feature set is deployed. For example, EDT, which allows ICA/HDX traffic to traverse via UDP rather than TCP, is not employed for user connections. As a result, your user experience may not be fully optimized. (Please note that Citrix has committed to addressing this item.)
Also, NetScaler Gateway Service requires Citrix Cloud-hosted StoreFront. With the exception of those that have customized sites or functionality, this is likely not an issue.
Lastly, regarding network throughput, each user is subject to a 1 GB data transfer cap per month. If your business requires more data, you can purchase an add-on pack of 300 GB data transfer for $144/user/year, which equates to $12/user/month. Should your enterprise need this additional network usage, the 35% add-on to Workspace Service (which is $34.38/user/month with a 3-year subscription) and the 55% add-on to XenApp/XenDesktop Service ($22.50/user/month with a 3-year subscription) could negatively affect your budget.
There is some additional administrative effort involved with SaaS, SSO, and MFA integration as part of the premium NetScaler Gateway Service release. While these features are extremely useful for users and system security, the required administrative effort adds complexity compared with the original concept of a simple one-click NetScaler Gateway deployment. Further, we don’t yet know the cost of this premium service.
So what version should you choose?
Overall, the good news about the NetScaler Gateway Service bundled functionality outweighs the not-so-good news if you’re implementing Citrix Cloud and have generic requirements, as well as minimal data throughput. Allowing Citrix to administer the NetScaler Gateway Service as part of Citrix Cloud subscriptions, in general, is a positive move because in many cases the generic configuration will suffice. In addition, the benefits of having Citrix deploy and maintain NetScaler Gateway can improve the security posture for many organizations.
When available, enabling SaaS, SSO, and MFA as part of the premium NetScaler Gateway Service should gain some traction; however, confusion related to naming and the unknown cost factor are still wild cards.