Access Gateway discussed in this blog is the Access Gateway based on NetScaler, which is popularly referred to as Access Gateway Enterprise. Citrix has recently announced End of Life for all non-NetScaler based Access Gateway platforms, which then makes Enterprise edition, the de-facto Access Gateway.
In this blog, we will discuss the two license types used on your Access Gateway appliance, the two kinds of vServers you can set up to leverage these licenses to provide standard / advanced functionalities, and an example scenario towards the end, to help illustrate these concepts in a real scenario.
Access Gateway is licensed at two levels:
- Platform License
- Universal License
Every Access Gateway (VPX/MPX) comes with a Platform license, which enables all the basic functionality in Access Gateway. After purchasing an appliance, this license is automatically made available in your MyCitrix account, and can be easily downloaded and installed on your appliance.
Platform licenses can be used to provide seamless access to:
- ICAProxy access to XenApp / XenDesktop, using Web Interface
- ICAProxy access to XenApp / XenDesktop, using Storefront (CloudGateway Express)
Universal Licenses are used to enable additional/advanced functionality on access gateway appliances. These are add-on licenses and work along with the Platform licenses to provide seamless access to your Citrix deployments. Universal licenses are purchased separately from the appliance, and can be installed in the same manner as the platform license.
Universal licenses can be used to turn on the following advanced functionalities:
- End Point Analysis
- Smart Access to XenApp/XenDesktop
- CVPN – Clientless access to internal web resources
- Full Tunnel (SSL VPN)
- MDX Micro VPN
Universal Licenses are required to support the following Citrix deployments:
- ICAProxy access to XenApp / XenDesktop with Smart Access (both Web Interface and Storefront)
- CloudGateway Enterprise Mobility (AppController)
- CloudGateway Enterprise (AppController + Storefront)
On Access Gateway, one needs to set up vServers (virtual servers) to act as logon points for all incoming remote connections. Such vServers can be set up in two modes:
- Basic Mode
- Smart Access Mode
Basic Mode vServer
A basic mode vServer is a server that consumes platform licenses and hence can be used to provide ICAProxy access to your XenApp / XenDesktop deployments, both via Web Interface and Storefront. A basic mode vServer essentially works out of the box, without the need to purchase any additional licenses. Once the platform licenses are consumed, this vServer can start consuming Universal licenses, if available. This leads to increased concurrent user support, which can go beyond the default that the appliance ships with.
Smart Access mode vServer
A smart access mode vServer essentially consumes Universal licenses and can be used to provide access to any Citrix deployment. Including XenApp / XenDesktop / CloudGateway. Hence one can set up such a vServer only if additional Universal licenses are purchased, or are received as a bundles offering with CloudGateway Enterprise / XenApp Platinum / XenDesktop Platinum offerings. Note that a Smart Access vServer can only consume Universal licenses and will start dropping connections, once all universal licenses are consumed.
Both these vServers can be set up using the new Simplified wizard that has been built into the latest Access Gateway offerings. This new wizard dramatically simplifies setting up of such vServers and automates the process of integrating this into your existing Citrix infrastructure. This wizard auto sets up all the required policies on Access Gateway to provide authentication and integrate with other Citrix products. More details on these policies can be found on my earlier blog available at – /blogs/2012/08/06/whats-new-with-citrix-access-gateway-10-0-69-6/
Lets take an example scenario of how a Citrix deployment would look like and how Access Gateway can be best used in such a scenario, to provide seamless access to apps and desktops.
Lets take a customer who needs to provide:
- 3000 users with access to their essential applications
- 1000 users with access to a full blown desktop
- 1000 users who need access to their web/saas/native mobile apps on the move
In order to support the above scenario, lets say the customer procures:
- 3000 XenApp Enterprise licenses
- 1000 XenDesktop Platinum licenses
- 1000 CloudGateway Enterprise licenses
With the above, the customer would have received the following Access Gateway Universal licenses (CCUs):
- 0 AG CCUs
- 1000 AG CCUs
- 1000 AG CCUs
Given the above scenario and licenses, the customer would have to do the following Access Gateway purchases & configurations to provide any time, any where, secure and seamless remote access to their Citrix infrastructure:
- Procure two AG MPX platforms set up in HA, which will be able to support the required number of users – 5000.
- Download the platform licenses for both. Download the 2000 AG CCUs, which came with the XD Platinum and CG Enterprise purchases. Install these licenses on the MPX appliances.
- Configure a vServer in Basic mode, to provide access to the 3000 users who need access to their basic apps. Use the simplified wizard to do so, which will set up all the policies so that users get redirected to their virtual apps, as soon as they log in.
- Configure a 2nd vServer in Smart Access mode. This will be used to provide access to 1000 XD users and 1000 CG users. Use the Simplified wizard again, to set this up, which should set up all the relevant policies for both.
- Note that since the 2nd vServer is a Smart Access vServer, it is possible to set up EPA (End Point Analysis) policies on this to granularly control the level of access based on the end point health. Essentially, since the users on this vServer get access to a full blown desktop, the admin may want to be more careful and calculated on the conditions when a user should be allowed access to the desktop. This is done by setting up EPA policies to ensure that the endpoint is in compliance with all the required company policies, such as a working firewall, latest security updates, no malware detected, … Only when the required compliance is met, the users get access to their desktop. Even better, based on the results of the detailed scans that run on the end point, Access Gateway can pass this information to XD, which can then enable / disable certain functionalities within those desktops, to really control the extent of access.
- Also note that, if you choose to set up EPA policies on the 2nd vServer above, you may have to set up a 3rd vServer, in Smart Access mode, to provide access to the CloudGateway users. This is because the mobile Citrix receivers (iOS / Android) today, do not have EPA support and hence will not be allowed access through s vServer set up with EPA. They will then have to talk to this 3rd vServer, configured to provide them with access to their web/saas/native mobile apps access.
UPDATE: To cover details on how AG Licensing works in HA (High Availability) configurations, I have written a follow-up post here – Access Gateway Licensing Demystified Part 2 (HA)