Blog -‐ Access Gateway Licensing Demystified - Citrix
Blog -‐ Access Gateway Licensing Demystified - Citrix
Blog -‐ Access Gateway Licensing Demystified - Citrix
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Blog</strong> -<strong>‐</strong> <strong>Access</strong> <strong>Gateway</strong> <strong>Licensing</strong> <strong>Demystified</strong><br />
<strong>Access</strong> <strong>Gateway</strong> discussed in this article is the <strong>Access</strong> <strong>Gateway</strong> based on<br />
NetScaler, which is popularly referred to as <strong>Access</strong> <strong>Gateway</strong> Enterprise. <strong>Citrix</strong><br />
has recently announced End of Life for all non-<strong>‐</strong>NetScaler based <strong>Access</strong> <strong>Gateway</strong><br />
platforms, which then makes Enterprise edition, the de-<strong>‐</strong>facto <strong>Access</strong> <strong>Gateway</strong>.<br />
In this article, we will discuss the two license types used on your <strong>Access</strong> <strong>Gateway</strong><br />
appliance, the two kinds of vServers you can set up to leverage these licenses to<br />
provide standard / advanced functionalities, and an example scenario towards<br />
the end, to help illustrate these concepts in a real scenario.<br />
License Types<br />
<strong>Access</strong> <strong>Gateway</strong> is licensed at two levels:<br />
• Platform License<br />
• Universal License<br />
Platform Licenses<br />
Every <strong>Access</strong> <strong>Gateway</strong> (VPX/MPX) comes with a Platform license, which enables<br />
all the basic functionality in <strong>Access</strong> <strong>Gateway</strong>. After purchasing an appliance, this<br />
license is automatically made available in your My<strong>Citrix</strong> account, and can be<br />
easily downloaded and installed on your appliance.<br />
Platform licenses can be used to provide seamless access to:<br />
• ICAProxy access to XenApp / XenDesktop, using Web Interface<br />
• ICAProxy access to XenApp / XenDesktop, using Storefront<br />
(Cloud<strong>Gateway</strong> Express)<br />
Universal Licenses<br />
Universal Licenses are used to enable additional/advanced functionality on<br />
access gateway appliances. These are add-<strong>‐</strong>on licenses and work along with the<br />
Platform licenses to provide seamless access to your <strong>Citrix</strong> deployments.<br />
Universal licenses are purchased separately from the appliance, and can be<br />
installed in the same manner as the platform license.<br />
Universal licenses can be used to turn on the following advanced functionalities:<br />
• End Point Analysis<br />
• Smart <strong>Access</strong> to XenApp/XenDesktop<br />
• CVPN – Clientless access to internal web resources<br />
• Full Tunnel (SSL VPN)<br />
• MDX Micro VPN<br />
Universal Licenses are required to support the following <strong>Citrix</strong> deployments:<br />
• ICAProxy access to XenApp / XenDesktop with Smart <strong>Access</strong> (both Web<br />
Interface and Storefront)<br />
• Cloud<strong>Gateway</strong> Enterprise Mobility (AppController)<br />
• Cloud<strong>Gateway</strong> Enterprise (AppController + Storefront)
Virtual Servers<br />
On <strong>Access</strong> <strong>Gateway</strong>, one needs to set up vServers (virtual servers) to act as logon<br />
points for all incoming remote connections. Such vServers can be set up in two<br />
modes:<br />
• Basic Mode<br />
• Smart <strong>Access</strong> Mode<br />
Basic Mode vServer<br />
A basic mode vServer is a server that consumes platform licenses and hence can<br />
be used to provide ICAProxy access to your XenApp / XenDesktop deployments,<br />
both via Web Interface and Storefront. A basic mode vServer essentially works<br />
out of the box, without the need to purchase any additional licenses. Once the<br />
platform licenses are consumed, this vServer can start consuming Universal<br />
licenses, if available. This leads to increased concurrent user support, which can<br />
go beyond the default that the appliance ships with.<br />
Smart <strong>Access</strong> mode vServer<br />
A smart access mode vServer essentially consumes Universal licenses and can be<br />
used to provide access to any <strong>Citrix</strong> deployment. Including XenApp / XenDesktop<br />
/ Cloud<strong>Gateway</strong>. Hence one can set up such a vServer only if additional Universal<br />
licenses are purchased, or are received as a bundles offering with Cloud<strong>Gateway</strong><br />
Enterprise / Xen Desktop platinum offerings. Note that a Smart <strong>Access</strong> vServer<br />
can only consume Universal licenses and will start dropping connections, once<br />
all universal licenses are consumed.<br />
Both these vServers can be set up using the new Simplified wizard that has been<br />
built into the latest <strong>Access</strong> <strong>Gateway</strong> offerings. This new wizard dramatically<br />
simplifies setting up of such vServers and automates the process of integrating<br />
this into your existing <strong>Citrix</strong> infrastructure. This wizard auto sets up all the<br />
required policies on <strong>Access</strong> <strong>Gateway</strong> to provide authentication and integrate<br />
with other <strong>Citrix</strong> products. More details on these policies can be found on my<br />
earlier blog available at -<strong>‐</strong> http://blogs.citrix.com/2012/08/06/whats-<strong>‐</strong>new-<strong>‐</strong>with-<strong>‐</strong><br />
citrix-<strong>‐</strong>access-<strong>‐</strong>gateway-<strong>‐</strong>10-<strong>‐</strong>0-<strong>‐</strong>69-<strong>‐</strong>6/<br />
Scenario<br />
Lets take an example scenario of how a <strong>Citrix</strong> deployment would look like and<br />
how <strong>Access</strong> <strong>Gateway</strong> can be best used in such a scenario, to provide seamless<br />
access to apps and desktops.<br />
Lets take a customer who needs to provide:<br />
1. 3000 users with access to their essential applications<br />
2. 1000 users with access to a full blown desktop<br />
3. 1000 users who need access to their web/saas/native mobile apps on the<br />
move<br />
In order to support the above scenario, lets say the customer procures:<br />
1. 3000 XenApp Enterprise licenses<br />
2. 1000 XenDesktop Platinum licenses<br />
3. 1000 Cloud<strong>Gateway</strong> Enterprise licenses
With the above, the customer would have received the following <strong>Access</strong> <strong>Gateway</strong><br />
Universal licenses (CCUs):<br />
1. 0 AG CCUs<br />
2. 1000 AG CCUs<br />
3. 1000 AG CCUs<br />
Given the above scenario and licenses, the customer would have to do the<br />
following <strong>Access</strong> <strong>Gateway</strong> purchases & configurations to provide any time, any<br />
where, secure and seamless remote access to their <strong>Citrix</strong> infrastructure:<br />
• Procure two AG MPX platforms set up in HA, which will be able to support<br />
the required number of users – 5000.<br />
• Download the platform licenses for both. Download the 2000 AG CCUs,<br />
which came with the XD Platinum and CG Enterprise purchases. Install<br />
these licenses on the MPX appliances.<br />
• Configure a vServer in Basic mode, to provide access to the 3000 users<br />
who need access to their basic apps. Use the simplified wizard to do so,<br />
which will set up all the policies so that users get redirected to their<br />
virtual apps, as soon as they log in.<br />
• Configure a 2nd vServer in Smart <strong>Access</strong> mode. This will be used to<br />
provide access to 1000 XD users and 1000 CG users. Use the Simplified<br />
wizard again, to set this up, which should set up all the relevant policies<br />
for both.<br />
• Note that since the 2 nd vServer is a Smart <strong>Access</strong> vServer, it is possible to<br />
set up EPA (End Point Analysis) policies on this to granularly control the<br />
level of access based on the end point health. Essentially, since the users<br />
on this vServer get access to a full blown desktop, the admin may want to<br />
be more careful and calculated on the conditions when a user should be<br />
allowed access to the desktop. This is done by setting up EPA policies to<br />
ensure that the endpoint is in compliance with all the required company<br />
policies, such as a working firewall, latest security updates, no malware<br />
detected, … Only when the required compliance is met, the users get<br />
access to their desktop. Even better, based on the results of the detailed<br />
scans that run on the end point, <strong>Access</strong> <strong>Gateway</strong> can pass this information<br />
to XD, which can then enable / disable certain functionalities within those<br />
desktops, to really control the extent of access.<br />
• Also note that, if you choose to set up EPA policies on the 2 nd vServer<br />
above, you may have to set up a 3 rd vServer, in Smart <strong>Access</strong> mode, to<br />
provide access to the Cloud<strong>Gateway</strong> users. This is because the mobile<br />
<strong>Citrix</strong> receivers (iOS / Android) today, do not have EPA support and hence<br />
will not be allowed access through s vServer set up with EPA. They will<br />
then have to talk to this 3 rd vServer, configured to provide them with<br />
access to their web/saas/native mobile apps access.<br />
The illustration below depicts this graphically:
3000#XA#users#<br />
1000#XD#users#<br />
1000#CG#users#<br />
PlaAorm#<br />
License#<br />
PlaAorm#<br />
License#<br />
AG#Basic#<br />
mode#vServer#<br />
AG#Smart<strong>Access</strong>#<br />
mode#vServer#<br />
Universal#<br />
License#<br />
<strong>Citrix</strong>#XenApp#<br />
<strong>Citrix</strong>#XenDesktop#<br />
<strong>Citrix</strong>#<br />
Cloud<strong>Gateway</strong>#<br />
Enterprise#