Blog -‐ Access Gateway Licensing Demystified - Citrix

Blog -‐ Access Gateway Licensing Demystified 

Access Gateway discussed in this article is the Access Gateway based on 

NetScaler, which is popularly referred to as Access Gateway Enterprise. Citrix 

has recently announced End of Life for all non-‐NetScaler based Access Gateway 

platforms, which then makes Enterprise edition, the de-‐facto Access Gateway. 

In this article, we will discuss the two license types used on your Access Gateway 

appliance, the two kinds of vServers you can set up to leverage these licenses to 

provide standard / advanced functionalities, and an example scenario towards 

the end, to help illustrate these concepts in a real scenario. 

License Types 

Access Gateway is licensed at two levels: 

• Platform License 

• Universal License 

Platform Licenses 

Every Access Gateway (VPX/MPX) comes with a Platform license, which enables 

all the basic functionality in Access Gateway. After purchasing an appliance, this 

license is automatically made available in your MyCitrix account, and can be 

easily downloaded and installed on your appliance. 

Platform licenses can be used to provide seamless access to: 

• ICAProxy access to XenApp / XenDesktop, using Web Interface 

• ICAProxy access to XenApp / XenDesktop, using Storefront 

(CloudGateway Express) 

Universal Licenses 

Universal Licenses are used to enable additional/advanced functionality on 

access gateway appliances. These are add-‐on licenses and work along with the 

Platform licenses to provide seamless access to your Citrix deployments. 

Universal licenses are purchased separately from the appliance, and can be 

installed in the same manner as the platform license. 

Universal licenses can be used to turn on the following advanced functionalities: 

• End Point Analysis 

• Smart Access to XenApp/XenDesktop 

• CVPN – Clientless access to internal web resources 

• Full Tunnel (SSL VPN) 

• MDX Micro VPN 

Universal Licenses are required to support the following Citrix deployments: 

• ICAProxy access to XenApp / XenDesktop with Smart Access (both Web 

Interface and Storefront) 

• CloudGateway Enterprise Mobility (AppController) 

• CloudGateway Enterprise (AppController + Storefront)

Virtual Servers 

On Access Gateway, one needs to set up vServers (virtual servers) to act as logon 

points for all incoming remote connections. Such vServers can be set up in two 

modes: 

• Basic Mode 

• Smart Access Mode 

Basic Mode vServer 

A basic mode vServer is a server that consumes platform licenses and hence can 

be used to provide ICAProxy access to your XenApp / XenDesktop deployments, 

both via Web Interface and Storefront. A basic mode vServer essentially works 

out of the box, without the need to purchase any additional licenses. Once the 

platform licenses are consumed, this vServer can start consuming Universal 

licenses, if available. This leads to increased concurrent user support, which can 

go beyond the default that the appliance ships with. 

Smart Access mode vServer 

A smart access mode vServer essentially consumes Universal licenses and can be 

used to provide access to any Citrix deployment. Including XenApp / XenDesktop 

/ CloudGateway. Hence one can set up such a vServer only if additional Universal 

licenses are purchased, or are received as a bundles offering with CloudGateway 

Enterprise / Xen Desktop platinum offerings. Note that a Smart Access vServer 

can only consume Universal licenses and will start dropping connections, once 

all universal licenses are consumed. 

Both these vServers can be set up using the new Simplified wizard that has been 

built into the latest Access Gateway offerings. This new wizard dramatically 

simplifies setting up of such vServers and automates the process of integrating 

this into your existing Citrix infrastructure. This wizard auto sets up all the 

required policies on Access Gateway to provide authentication and integrate 

with other Citrix products. More details on these policies can be found on my 

earlier blog available at -‐ http://blogs.citrix.com/2012/08/06/whats-‐new-‐with-‐ 

citrix-‐access-‐gateway-‐10-‐0-‐69-‐6/ 

Scenario 

Lets take an example scenario of how a Citrix deployment would look like and 

how Access Gateway can be best used in such a scenario, to provide seamless 

access to apps and desktops. 

Lets take a customer who needs to provide: 

1. 3000 users with access to their essential applications 

2. 1000 users with access to a full blown desktop 

3. 1000 users who need access to their web/saas/native mobile apps on the 

move 

In order to support the above scenario, lets say the customer procures: 

1. 3000 XenApp Enterprise licenses 

2. 1000 XenDesktop Platinum licenses 

3. 1000 CloudGateway Enterprise licenses

With the above, the customer would have received the following Access Gateway 

Universal licenses (CCUs): 

1. 0 AG CCUs 

2. 1000 AG CCUs 

3. 1000 AG CCUs 

Given the above scenario and licenses, the customer would have to do the 

following Access Gateway purchases & configurations to provide any time, any 

where, secure and seamless remote access to their Citrix infrastructure: 

• Procure two AG MPX platforms set up in HA, which will be able to support 

the required number of users – 5000. 

• Download the platform licenses for both. Download the 2000 AG CCUs, 

which came with the XD Platinum and CG Enterprise purchases. Install 

these licenses on the MPX appliances. 

• Configure a vServer in Basic mode, to provide access to the 3000 users 

who need access to their basic apps. Use the simplified wizard to do so, 

which will set up all the policies so that users get redirected to their 

virtual apps, as soon as they log in. 

• Configure a 2nd vServer in Smart Access mode. This will be used to 

provide access to 1000 XD users and 1000 CG users. Use the Simplified 

wizard again, to set this up, which should set up all the relevant policies 

for both. 

• Note that since the 2 nd vServer is a Smart Access vServer, it is possible to 

set up EPA (End Point Analysis) policies on this to granularly control the 

level of access based on the end point health. Essentially, since the users 

on this vServer get access to a full blown desktop, the admin may want to 

be more careful and calculated on the conditions when a user should be 

allowed access to the desktop. This is done by setting up EPA policies to 

ensure that the endpoint is in compliance with all the required company 

policies, such as a working firewall, latest security updates, no malware 

detected, … Only when the required compliance is met, the users get 

access to their desktop. Even better, based on the results of the detailed 

scans that run on the end point, Access Gateway can pass this information 

to XD, which can then enable / disable certain functionalities within those 

desktops, to really control the extent of access. 

• Also note that, if you choose to set up EPA policies on the 2 nd vServer 

above, you may have to set up a 3 rd vServer, in Smart Access mode, to 

provide access to the CloudGateway users. This is because the mobile 

Citrix receivers (iOS / Android) today, do not have EPA support and hence 

will not be allowed access through s vServer set up with EPA. They will 

then have to talk to this 3 rd vServer, configured to provide them with 

access to their web/saas/native mobile apps access. 

The illustration below depicts this graphically:

3000#XA#users# 

1000#XD#users# 

1000#CG#users# 

PlaAorm# 

License# 

PlaAorm# 

License# 

AG#Basic# 

mode#vServer# 

AG#SmartAccess# 

mode#vServer# 

Universal# 

License# 

Citrix#XenApp# 

Citrix#XenDesktop# 

Citrix# 

CloudGateway# 

Enterprise#

Blog -‐ Access Gateway Licensing Demystified - Citrix

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?