Secure Gateway is a Citrix component that has been used for long, to provide secure remote access to Citrix XenApp / XenDesktop deployments. The Secure Gateway transparently encrypts and authenticates all user connections, to protect against data tampering and theft.

Citrix has another product, that is actively used to secure access to XenApp / XenDesktop deployments – Citrix Access Gateway. Citrix Access Gateway is more than just a secure ICA proxy solution; it is a hardened DMZ appliance, with full SSL VPN capabilities. For some time, Citrix has offered many variants of this product, but has recently entered the path of product consolidation and has announced End of Life for all non-NetScaler based platforms. So going forward, the only Access Gateway is the Access Gateway based on NetScaler platform, which has traditionally been called as Access Gateway Enterprise edition.

So given the two alternatives, for secure remote access to your Citrix deployments, why would you choose one over the other. More interestingly, if you are already a Secure Gateway user, why would you consider a switch to Access Gateway. These are some of the questions, I hope to answer here.

This blog intends to help you figure out:

  1. Why you should migrate from Secure Gateway to Access Gateway, sooner rather than later
  2. Why Access Gateway is evolving into the best Secure Remote Access to any Citrix deployment
  3. How to migrate from Secure Gateway to Access Gateway

Why – Migrate sooner rather than later

  Citrix Secure Gateway Citrix Access Gateway
Cost Free Highly Competitive pricing
DMZ fitness No – Windows Appliance Yes – Hardened DMZ appliance
ICA Proxy Yes Yes
CVPN No Yes
SSL VPN No Yes
EPA No Yes
Smart Access No Yes
MDX Micro VPN No Yes
Upgradeable to NetScaler No Yes
Upgradeable to CloudGateway No Yes
Receiver Integration No Yes
Support for Storefront No Yes
Scalability No Yes

As is evident from the table above, the only inherent advantage of Citrix Secure Gateway is its cost – it’s free! But at that free price point, it essentially does only one thing – it proxies your ICA traffic. Secure Gateway is not designed a hardened DMZ appliance and hence is not best fit for the role.

On the other hand, Citrix Access Gateway has been built ground up as a secure hardened SSL VPN appliance, to be placed in your DMZ, providing adequate protection to your internal network, from the Internet. Access Gateway is based on the proven NetScaler platform, which is a highly scalable, high performance, networking appliance. In addition to ICAProxy, it provides CVPN, SSL VPN and MDX Micro VPN functionalities. It supports many advanced capabilities such as EPA (end point analysis), Smart Access, … As a platform, this ensures that your investments are future proof – easy and straight forward upgrades to NetScaler and CloudGateway.

Access Gateway – Best remote access to Citrix Deployments

Access gateway is a strategic product for any Citrix deployment, and provides seamless access to:

  1. Citrix XenApp – for your virtualized Windows apps, any time, any where
  2. Citrix XenDesktop – for your virtualized Windows Desktops, any time, any where
  3. Citrix CloudGateway – For every web/saas/HTML5/native mobile application, any time, any where
  4. Citrix Sharefile (StorageZones) – For Data, any time, any where
  5. Citrix Receiver – for any device access to all of above

Citrix Access gateway is designed to provide seamless access to any of your Citrix deployments. Citrix strives to deliver the simplest, most intuitive, and best performing experience to all remote Citrix users.

How to migrate from Secure Gateway to Access Gateway

There are multiple ways of replacing your Secure Gateway appliance, by an Access Gateway appliance.

Access Gateway – Secure Gateway mode

Access Gateway can run in a pure Secure Gateway mode, where it sheds all its advanced capabilities and simply proxies ICA traffic, essentially imitating Secure Gateway. In this mode, one disables Authentication at Access Gateway and sets Web Interface as the home page for all incoming users. Authentication and Authorization are handled by Web Interface, in a manner similar to what existing Secure Gateway users are used to.

Secure Gateway mode

Access Gateway – ICAProxy mode

Access Gateway provides an ICAProxy mode, which essentially:

  • Authenticates all incoming users
  • Authorizes the level of access
  • Proxies ICA traffic for all valid users

This is achieved by setting up a vServer in Basic mode, with Authorization policies in place and various session policies to define the level of access. Additionally, Web Interface is set as the home page, with SSO configured, so that all incoming valid users automatically see the list of apps and desktops that they are eligible for.

ICAProxy mode

Access Gateway – SmartAccess mode

Access Gateway is a very powerful appliance with various advanced features. These features are turned on by applying universal licenses to your appliance, and setting up a vServer in SmartAccess mode. This enables the vServer to leverage various functionalities like CVPN, SSL VPN, EPA, Smart Access, … Once again, the vServer is set up to do authentication, authorization, SSO to Web Interface and much more.

SmartAccess mode

 Please refer to my earlier post, for details on Licensing for these deployments, as well as understand ICAProxy and SmartAccess modes.