As my friend in marketing likes to say, licensing is not a feature. More like a necessary evil. But we have made some important changes to the way we license the Access Gateway product that are worth going over. The changes are driven by our desire to simplify Access Gateway, make it behave more like Secure Gateway, and to make licensing less of an ongoing hassle as you expand and evolve your XenApp or XenDesktop environment. Here then is more than you ever wanted to know about what’s changed in the Access Gateway licensing world with version 5.0.

User Licenses are Now Optional

In earlier versions of Access Gateway, the appliance by itself was useless until you added Access Gateway user licenses. Whether the user was opening up a full VPN tunnel, using endpoint analysis, accessing internal web sites and file shares or just using the gateway as a Secure ICA proxy a la Secure Gateway, every remote session consumed a CCU. In version 5, that’s no longer the case – Access Gateway allows unlimited connections to XenApp or XenDesktop without requiring an Access Gateway user license. Besides making deployments easier, this also offers a huge cost advantage over other VPN solutions where a VPN client and a VPN license would be required for each ICA connection. And as you expand your XenApp or XenDesktop deployment, you no longer need to worry about adding corresponding Access Gateway licenses for remote users.

User licenses are only required if you’re using other Access Gateway features like Endpoint Analysis, network-layer tunneling or clientless access to web sites and file shares, collectively referred to as SmartAccess features. These features are now enabled or disabled at the Logon Point level. A Logon Point defines a unique combination of authentication requirements and preferences, and each appliance can now host multiple logon points. Logon points come in two varieties:

  • Basic – used for access to XenApp or XenDesktop only
  • SmartAccess – used for all types of applications, web sites, file shares, network tunneling and endpoint analysis

Only logins to SmartAccess logon points will consume an Access Gateway user license. The user licenses are sold separately and also included as part of XenApp and XenDesktop Platinum editions.

A Platform License is Now Required

Like NetScaler and Branch Repeater, the Access Gateway appliance itself must be licensed in order to function. Once that is done the gateway allows unlimited connections through Basic logon points. The appliance license is called the “Access Gateway Platform License” and is delivered electronically when you order an appliance (whether physical or virtual).

Install Licenses Onboard or Use a Citrix License Server

Platform and user licenses can be loaded directly onto the appliance or you can use a Citrix license server and point the gateway to the license server IP address. When you allocate your licenses at MyCitrix you will be asked to provide a license server host name. If you’re using a license server then enter the case-sensitive license server hostname; if you’re going to install licenses directly onto the appliance then enter the host name of the gateway appliance. The gateway’s host name is configured on the Networking panel and must match the fully-qualified domain name that users connect to. Unlike earlier versions, one Access Gateway cannot act as a license server for other gateways—that task is best served by the Citrix License Server virtual appliance.

License Traffic Always Sourced from the Appliance

If you’re using the optional Access Controller server, note that both platform and user licenses are always consumed by the gateway appliance, not by the Access Controller. This is a change from the way Access Gateway Advanced Edition worked, where license traffic was sourced from the controller. Therefore you may need to have a talk with your firewall administrator about allowing traffic from the gateway in the DMZ to reach your Citrix License Server on the LAN.

Upgrade Eligibility

If you’re an existing Access Gateway customer with a Model 2010 appliance that is covered by warranty and user licenses covered by Subscription Advantage, you’re entitled to upgrade to version 5.0 at no charge. You can re-use your existing AG Standard Edition or AG Universal user licenses as long as they have a Subscription Advantage expiration date that falls on or after September 1, 2010. AG Standard Edition CCUs are no longer sold but will continue to be honored as long as the Subscription Advantage is valid – effectively a free upgrade from Standard Edition to SmartAccess.

But don’t forget about the new platform license requirement. If you upgrade from 4.6 to 5.0 and don’t have a platform license in place, you’ll see warning on the admin console and users won’t be able to log in. If you have an eligible appliance, you can obtain the required platform license using the Upgrade My Products toolbox on MyCitrix.

Try it Free with VPX Express Edition

At, anyone can download Access Gateway VPX Express Edition, our free virtual appliance that lets you try before you buy. The Access Gateway VPX Express license enables full functionality (Basic or SmartAccess logins) for up to 5 concurrent users. To use the Express license, you must place the gateway into Express mode: when you get to the licensing screen on the appliance, click the ‘Configure’ button and you’ll find where you can switch between Retail and Express.

As you can see, there are lots of disruptive changes to Access Gateway licensing in version 5. We’re always reluctant to make licensing changes because they add complexity to the migration process, but the end goal is a simpler, leaner product line with easy-to-understand platform licensing and just one type of user license. The new licensing model allows you to start small with Basic connections at a low price point and expand later into SmartAccess features just by adding a license to your existing deployment. Licensing may be necessary and evil, but we’re aiming for less of the latter.