NetScaler Gateway redefined remote access for Mobility! In conjunction with Citrix XenMobile offering, NetScaler Gateway came up with the idea of MicroVPNs – VPN tunnels, which are application specific, rather than device wide.

The idea resonated with the masses, and I heard so many ‘Wowws’ in my conversations with many of our customers. Idea is simple – BYOD means end users using a device that IT does not own / manage / control. That means that the end user is free to install on his device, whatever he/she fancies. Sometimes, this installation could also lead to malware / malignant apps running on these end points. Now imagine what happens in a traditional VPN approach. The end user connects the VPN to his enterprise network, in order to say, access his email or access some document. The VPN tunnel that’s established, is device wide – once connected, any application can traverse this tunnel, and get access to corporate resources. This list of apps also includes the malware!

With MicroVPNs, the game changes radically. The logic / intelligence of how to establish a VPN tunnel, is no longer device wide. This intelligence is directly embedded into applications. Which Applications? The applications, which Administrator trusts, and wants to provide access to. Hence there is no device wide VPN that malware can traverse and cause damage to your corporate network / data. It is only the trusted applications, as deployed by the IT admin, that know how to traverse back into the enterprise – No one else!

But this concept of MicroVPN, has left some of us confused. I often get asked – “So does it mean that my device will now make multiple tunnels, and hence have an impact on the performance as well as battery life of my end point”?


Micro VPNs are no different in terms of end point performance / battery consumption than any traditional VPN. It is exactly the same. To understand this better, it is important to understand how NetScaler treats a normal SSL VPN session – this is the device wide VPN we were referring to earlier – NetScaler also offers this mode in the traditional desktop world, where it makes sense.

In a normal SSL VPN session, NetScaler does the following:

  • Authenticates the user
  • On successful authentication, presents to him a ‘Token’, that represents his successful session establishment.
  • From this point, any request that comes in from the end point, has to carry this ‘Token’, as a proof of it’s successful authentication.
  • Different applications automatically create different TCP sessions with the NetScaler, and use the ‘Token’ to get in.

So note that, while different applications do create multiple TCP sessions with the NetScaler, they all use the same ‘Token’, as a session identifier, and hence create and access a single logical VPN session on the NetScaler. Sometimes we refer to this as a single ‘Logical’ VPN Tunnel.

So what happens with MicroVPNs? The exact same thing! Different applications, use a ‘Token’, as a session identifier to get pass NetScaler, into the corporate network. There are still multiple TCP sessions, but the same ‘Logical’ VPN tunnel. The difference comes in the control that is established around applications, in order to ensure that only trusted applications have a mechanism in place to reach NetScaler, with this ‘Token’.

Myth Busted!