Just a few days ago Citrix announced the NetScaler 10.5, again packed with lots of cool new and useful features, but that’s not all: they also decided it was time to simplify the NetScaler license structure just a tad. And although that sounds wonderful to some, unfortunately, it has a downside as well. I’ll first elaborate a bit more on the licensing structure as we know it today and take it from there.
Other (related) articles from these series include:
- Citrix NetScaler Gateway, the basics!
- Citrix NetScaler… The basics continued, part one. VIP’s, Monitors and other objects!
- Citrix NetScaler… The basics continued, part two. Static routes, SNIP and MIP
- Citrix NetScaler… The basics continued, part three. High Availability!
- Citrix NetScaler… The basics continued. Part four. What about SSL?
- Citrix NetScaler… The basics continued, part five. Global Server Load Balancing!
- Citrix NetScaler… The basics continued, Part six. Content Switching!
- Citrix NetScaler… The basics continued, part seven. Split Tunneling!
NetScaler ADC and Gateway
Most of the confusion starts with the terms Citrix NetScaler and Citrix NetScaler Gateway. Although they sound very similar, and they do overlap, there are some distinct differences depending on the licenses used.
Citrix NetScaler refers to their Application Delivery Controller, or ADC, line of products, while the NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, is primarily used for secure remote access. You basically buy a “normal” NetScaler but with limited functionality due to the NetScaler Gateway License you upload. NetScaler ADCs are capable of doing much more than ‘just’ remote access: they can be used for load balancing and HA, content switching, application offloading, application firewalling, cloud connectivity, hybrid cloud solutions and more.
Physical and virtual
A NetScaler (ADC or Gateway) can either be physical, as in an appliance, or virtual. If you decide to go virtual, be aware that the underlying hypervisor, or virtual machine, that it runs on needs to have sufficient resources to handle your external connections, SSL offload and what not. As far as the physical appliances are concerned, Citrix offers a whole range to choose from. Depending on the physical model you choose, your network throughput will increase (this goes for the virtual platforms as well), as does the amount of RAM and/or dedicated SSL chip capabilities. A NetScaler VPX is a virtual appliance which runs on your hypervisor of choice, a NetScaler MPX is a physical appliance, and last but not least, a NetScaler SDX is a physical appliance which is capable of running multiple VPX appliances, up to 40 in total, depending on your underlying physical resources. It comes with a (branded) XenServer pre-installed. Check out the main Citrix NetScaler products page; it will provide you with an overview of all physical as well as virtual models available.
ADC Edition licenses
No matter which type, or model, of ADC NetScaler you pick, you have three different edition, or version, licenses to choose from (also known as platform licenses), namely: standard, enterprise or platinum. Depending on the edition you purchase, different functionality becomes available after you upload your license file. NetScalers are upgraded using the so-called ‘pay as you grow’ model. For example, you start out with a standard NetScaler license, never mind the physical or virtual underlying platform for now, and after a while it turns out you need certain functionality not available within the standard license portfolio. Then you simply buy an enterprise license providing you with the feature, or features, you need (HA / load balancing between data centers for example), and all you have to do next is upload the license file and you’re done.
They’re basically all the same
This works because all NetScalers, and this goes for all (physical) models, are exactly alike when it comes to the features they can potentially offer. Which features become available all depends on the type of edition (or platform) license you purchase and upload. They’re sometimes also referred to as Retail NetScaler (physical box) Licenses. Yes, VPX licenses are separate, read on.
A whole bunch of licenses
Other NetScaler licenses include: Internal, Partner use, demo, evaluation, express, developer and/or VPX. Licenses are assigned to physical and virtual appliances. NetScaler SDX appliances require licenses for each physical appliance and each virtual instance. Although NetScaler VPX edition licenses are handled and purchased separately, they work in the same way as the ADC MPX and SDX licenses as far as feature enablement goes, the same applies to ‘Burst Packs’ by the way, see below.
Citrix also offers so-called ‘Burst Pack’ licenses; these will temporarily increase the network throughput capabilities of your NetScaler appliance (physical and virtual). This way you can handle sudden, and perhaps unforeseen, traffic spikes without having to heavily invest in new hardware. Make sure you check out the Citrix NetScaler data sheet; it will show you all the different features available per edition. It’s a lot to take in, so take your time, and if you’re not sure about what you’re reading, it’s probably best to contact one of your Citrix sales representatives.
A breakdown
To keep it simple, think of it like this, when purchasing a NetScaler you follow these steps:
1. First you decide which physical or virtual model to go with, think about the amount of network throughput you may need, SSL offloading capabilities, that sort of thing.
2. Depending on specific features or functions you would like to use, you choose your edition (platform) license.
3. Finally you may want to purchase a maintenance contract with Citrix, they come in gold, silver or bronze, representing 1, 2 or 3 years of support. Contact your Citrix representative for more information.
The NetScaler Gateway before version 10.5
Formerly known as the Citrix Access Gateway, or CAG, and primarily used for secure remote access (SSL Proxy). You basically buy a “normal” NetScaler but with limited functionality due to the Access Gateway platform (edition) license you upload, so it’s slightly different from the other ADC licenses mentioned earlier. This ‘platform’ license enables secure access only to the XenApp hosted applications or XenDesktop hosted desktops. It also increases the Independent Computing Architecture (ICA) connections up to 10.000 which by default is 0; this applies to the other NetScaler editions, or platforms, as well. Just to be clear, these 10.000 ICA connection licenses are, or were, part of the Access Gateway Platform license by default and didn’t cost anything extra, let’s just call them administrative overhead.
Next to the Access Gateway edition, or platform license, you might also need an Access Gateway universal license. This license enables the Access Gateway Enterprise Edition appliance to support a specific number of concurrent users to make use of some specific Access Gateway features like full SSL VPNs, Smart Access Endpoint Analysis, clientless access to Web sites or Micro VPNs in the case of Citrix XenMobile for example. Do note that these licenses also apply to the ADC NetScaler family highlighted earlier and that they are optional, you don’t necessarily need them. The NetScaler Gateway is available as a virtual appliance as well as physical, and upgrading, if it’s more than standard Gateway functionality that you need, also works by uploading a standard, enterprise or platinum (ADC) license file. So you see, there’s a lot of overlap between the two platforms; it basically all comes down to the license you purchase and upload, with the NetScaler Gateway license being the most “basic” one.
Note: The ADC NetScalers, and this goes for all editions, offer gateway functionality by default. It’s just that, if secure remote access is all you’re looking for, there’s no need to buy an ADC NetScaler license since they’re more expensive.
What’s new with NetScaler 10.5
Of course the NetScaler 10.5 offers a lot of new functionality and features, sure, but that’s not all, they’ve also slightly changed the NetScaler Gateway licensing model. To start, you’ll still need the universal license to use and control features like full SSL VPNs, Smart Access or Micro VPNs as mentioned earlier, no changes there, but… You will no longer need to buy an Access Gateway platform license, or perhaps better said, you can’t. What does this mean?
No more Access Gateway platform license
The ICA Proxy, or Access Gateway platform, license is now built in by default and instead of increasing the number of ICA users up to 10.000, it’s now set to unlimited. The Proxy functionality (for unlimited users) is now included in all platforms / editions by default: NSGW, Std, Entp and Plat. So with the exception of Universal licenses, if it’s Smart Access or Micro VPNs that you might need for example, you will no longer need to buy any additional licenses. Let me give you an example:
Before: If you had a NetScaler Std, Entp or Platinum license / appliance and you also wanted to do ICA proxy, then you needed to buy an additional Access gateway Platform license (to increase ICA users to 10.000), and perhaps an additional universal license (optional).
New situation: If you have a NetScaler Std, Entp or platinum license / appliance and you also want to do ICA proxy, well, you’re good to go! You won’t need any more additional Access Gateway platform licenses, it’s all built in. Again, the Universal license is still optional depending on your needs.
If ICA proxy is all you need you can simply buy a NetScaler Gateway edition license, yes they’re still there, either in the form of VPX or MPX, and that’s it. By default it will be configured to accept an unlimited number of ICA users.
Just one more thing, as mentioned, the number of allowed ICA users is now set to unlimited by default, and this goes for all platforms, editions, licenses or whatever you would like to call them ;-) However, that doesn’t mean that the underlying (virtual) hardware can handle an unlimited amount of ICA connections as well. For example, if we take the virtual NetScaler platform, the VPX, it can handle up to 1500 concurrent ICA connections, if you need more then you’ll have to upgrade and purchase a physical MPX appliance, which, depending on the model, can handle anything ranging from 10.000 to 35.000 concurrent ICA connections at a time. You will find the exact numbers in the NetScaler Datasheet.
Conclusion
Some of you might have visited this post before; if so, you’ve probably noticed that I changed / updated the part with regards to the Access Gateway Platform license. It turned out that the information I picked up earlier (which, back then, was shared under NDA) wasn’t written in stone, so to speak, and as such slightly changed afterwards. I didn’t mean to cause any confusion, so if I did, my apologies! At least now you know what’s new! Citrix took a step in the right direction, simplifying the licensing structure slightly without forcing the consumer to spend more money than needed!
Reference materials used: Citrix.com
17 responses to “Citrix NetScaler (10.5) licensing. What’s new with Access Gateway!”
Good Blog post, but I have one question: Could you refer to an official Citrix paper or website that shows that there is no more separate Netscaler Gateway license and that you always need to buy at least a Netscaler Standard license to get the remote access functions?
Thanks
Hi Raphael,
No, unfortunately I can’t, wish I could. I got this information a few weeks back while it was still under NDA, at least I thought it was, that’s why I haven’t said anything about it earlier.
So I guess there are two options, one, I’m wrong, but if so, that’s only because I’ve been misinformed, and believe me, they knew what they were talking about :-) or secondly, I’m right and Citrix still needs to get their documentation and licensing information updated, which is often the case when they release a new product. So I wouldn’t be surprised if it takes another week or so, maybe even longer, before this goes ‘public’ so to speak.
Another option could be that, back then, I misinterpreted, if so, my apologies, but I’m pretty sure that, that didn’t happen.
So if you do come across some official documentation, please feel free to share!
Thanks Raphael!
Regards,
Bas.
Thank you for the quick reply. I will try to find some more information on it and let you know.
I was just wondering because within the Download section on the Citrix Website you can also download a Netscaler Gateway VPX 10.5
Yes I know and I can understand your confusion. I updated the article slightly, just near the end, did you read it already?
But look at it this way, if I am wrong, at least the prices won’t go up! ;-)
Nice write up Bas. Don’t know who provided the ‘NDA’ info you refer to but your local NetScaler rep is only a phone call away and knows the ins and outs :)
Hi Antal, thanks! It was during the CiTIE last month where they shared this information, they also explicitly mentioned it was still under NDA until the official NetScaler 10.5 release. The only thing that made me question my article was that Citrix hasn’t changed their E-Docs section on this. But it looks like it’s still valid, I talked to some other folks as well. If I have any questions I will definitely let you know! Thanks again and enjoy the game :-)
Hey Bas, there has been some misunderstanding after CiTie. One thing that disappeared for sure is the additional license file (platform license) you needed to import to get the number of ICA users to 10.000. This is now unlimited on all platforms / license models, thus not needing a separate license file. The numbers in the datasheet represent the validated numbers that (virtual) hardware can handle. AFAIK the NetScaler Gateway is still for sale, also for 10.5. With a way improved GUI! :-)
Thanks Matthijs,
I got it sorted. They were only referring to the Access Gateway back then (and I thought you were too). I guess I’ll wait and let Citrix do the official announcement before writing some more about it!
Regards,
Bas.
And why does the new XenDesktop and XenApp wizard verify that the AAA feature is enabled?
Forget my previous comment, you are referring to this: http://discussions.citrix.com/topic/353404-netscaler-gateway-105-the-following-licenses-are-not-available-aaa/ right?
[…] important info: As of NetScaler 10.5 you no longer need a platform license for Citrix ICA access, because unlimited access up to 10.000 connections is already automatically included. This simplifies the licensing topic immensely, since until now you always needed a hardware/VPX license and additionally a platform license: https://www.basvankaam.com/2014/07/01/citrix-netscaler-10-5-licensing/ […]
Hello
So netscaler sdx acts like a hypervisor where we can have multiple netscaler vpx?
Yes you could say that, it has a special (branded) edition of XenServer installed on it that takes care of the Hypervisor part. As of NetScaler 10.5 the maximum number of potential virtual SDX appliances has been doubled up to 80!
Great Article !! Cleared up many things !!
Thanks!
Loved this one ! thanks buddy :-)
You’re welcome, glad it helped!