Citrix Licensing changes for NetScaler

This year has been interesting with many vendors changing their licensing and Cloud Software Group has definitely stirred the pot on their own behalf.

From where we’re standing, this also presents a great opportunity to get a lot more out of your investment.

Overview

So, what actually happened was that recently Cloud Software Group (or Citrix as you might know them better) changed their licensing quite drastically. The key takeaway for customer is that previously CSG had a ton of different SKUs (Stock Keeping Units), which meant that you’d had several product offerings and different feature levels for each one of these.

At leasth here in Finland there’s a lot of customers that have/had Citrix Virtual Apps Advanced and NetScaler Advanced editions, which effectively meant that they weren’t able to access some of the great features in the Premium editions.

This has now changed for many customers already and will change for others in near future as well. Most customers will need to pick from one of the following options:

  • Citrix Platform License (“CPL”)
  • Citrix Universal Hybrid Multi-Cloud (“UHMC”)
  • Citrix for Private Cloud
  • NetScaler Fixed Capacity

We’ll discuss about the first two in this post from NetScaler perspective and will post a separate article about the DaaS / Virtual Apps and Desktops. For more information, check Citrix Feature Matrix & What’s new with Citrix Licensing.

NetScaler licensing change

Key takeaways

Whether you ended up in Platform or the UHMC it’s good to be aware that your NetScaler licensing has changed.

We’ll break these down below with some examples:

  • (Almost) unlimited capacity (instances & throughput)
  • L4-7 traffic management
  • Application acceleration
  • Application and API security
  • Access control
  • Application Insights and Observability

(Almost) unlimited capacity

Previously a customer needed to carefully consider how to get most out of their investment. This often led to:

  • All eggs in one basket (consolidating all things NetScaler to a single HA pair)
  • Not using NetScaler for something even if needed
  • Lack of test environments

Bear in mind that with the UHMC license you’re entitled to 999 software instances* and 1000Gbps of total capacity.

So, you could theoretically spin up 2500 HA pairs with 200Mbps throughput (1,000,000 Mbps / 200Mbps / 2 per HA pair = 2500) with Premium features regardless of what you had before.

* you’ll get 999, but can request for more if needed

Photo by <a href="https://unsplash.com/@californong?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Nong</a> on <a href="https://unsplash.com/photos/white-and-brown-elephant-figurine-3XisDwg6jAE?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Unsplash</a>

Platform license takes this even further as there are no limits.

Also, the new physical appliances are now zero-capacity boxes that you just drop the license in and run and to my understanding they got a lot cheaper (the number of models went down). So whether you’re running VPXs on your hypervisor, on the NetScaler SDX platform or you want to have the dedicated hardware MPXs, use bare-metal BLX or even the Container appliances (CPX), you’re all covered.

Below you can read some of the features you could benefit from.

NetScaler Gateway

You’ve heard it, I’ve heard it… “VPN is dead”, but for some reason we’re deploying more NetScaler Gateway-based VPNs than ever. Here are a couple of highlights why:

Great with authentication – NetScaler integrates with pretty much everything. The most popular thing seems to be Entra ID that was either impossible or at least challenging to achieve with other vendors (based on the projects we received). Read more…

Always on VPN – Even that Zero-trust is thriving, there’s still a demand for reaching to endpoints and having them always connected for management purposes. We’re still getting rid of the last Direct Access installations (the old DA, I mean). Read more…

Cost savings – Now that the licensing allows you to run NetScaler, spinning up a new HA pair only costs for the compute part. You might end up running two separate vendors, one for “NetScaler stuff” like HDX/ICA Proxy and one for the SSL VPN, but you could now replace the other vendor with NetScaler VPN. This is especially interesting if you’re in the “crossroads” where your current VPN is running out of support or license term.

But if you’re over VPN, there’s also Secure Private Access, for Platform customers. The Citrix ZTNA solution is also made available, both as a Cloud Service as well as an on-premises solution. This solution is a “VPN killer” and gives much more granular control on the user access in comparison to the traditional VPN.

L4-7 traffic management

SSL Forward Proxy – This feature was available only for Premium customers previously. We’ve run in to this use-case more than once, where the customer has some “factory floor” endpoints that aren’t allowed to access the internet. However, with services evolving, the demand to have a limited internet connectivity from these endpoints is needed. The endpoints might need to access Microsoft Online Services (Outlook, Teams, etc…) or Microsoft Azure Monitor Agent (AMA) needs network connectivity to work properly. The proxy is feature-packed, but just being able to whitelist allowed URLs might be a game-changer for many environments. Read more…

GSLB – Global Server Load Balancing is something you could use to publish your resources from different sites. Setting up a backup site to a public cloud could get a lot cheaper when you can just spin up workstations using DaaS / Virtual Apps and Desktops and use GSLB to route your users there during blackout in the main datacenter. You can use this technology for many other use-cases as well, but redundancy and offering services around the globe are the most obvious use-cases Read more…

Application acceleration

SSL Offloading – With NetScaler you’re able to offload the SSL transactions from the server and also harden the TLS/SSL posture on protocol level with a wide support for modern protocols and ciphers. We’ve discussed this topic in an earlier post extensively. Read more…

Application and API security

Application Firewall is included with the Premium license of NetScaler and has been bolted in to the core components of NetScaler’s latest builds. The same technology can be used to protect web sites as well as APIs. The Application Firewall comes with positive and negative security model allowing you protect your environments for known and unknown threats. Bear in mind that Application Firewall is not the simpliest one to deploy, but protecting from web threats is no walk in the park with any technology. Read more…

Bot Management is also one of the Premium features. This feature introduces a lot of features that come in handy especially when protecting web sites and APIs. You can and should combine this with IP Reputation feature (below). Read more…

IP Reputation continues the series of Premium features. This feature is super-easy to implement and greatly improves the security posture in any environment. NetScaler uses the Webroot reputation database, which is updated every 5 minutes, keeping you safe from a great deal of threats. Read more…

Access control

SmartControl is a Premium feature on NetScaler that helps you to enable different restrictions on virtual channels passed through the NetScaler Gateway based on the policy engine results. Read more…

SmartAccess policies takes this up a notch and allows controlling the Citrix policies based on the Citrix Gateway information allowing even more granular control on what users are able to do within published apps and desktops.

Application Insights and Observability

As the NetScaler Console (on-prem or cloud) is required for the new licenses, it can be used for other things as well.

Historical data on both HDX and web sessions can help you greatly in diagnosing problems the users are experiencing. One of the drivers for many customers to upgrade their NetScalers to Premium licensing has been to enable this feature, as the Advanced license only allows real-time data.

Integrations with other monitoring tools like uberAgent allow you to get the whole picture of your application delivery environment status, bearing in mind that the more advanced tools are included only with the Platform license.

Key takeaways

Replacing other solutions with NetScaler – As you’ll have (almost) unlimited NetScaler capacity at your disposal, consider the following:

  • Current appliance distribution, separate test environment, segmenting network (separate boxes per role and/or internal vs. external)
  • Existing VPN, load balancing, WAF, Forward Proxy, etc… solutions you could replace with NetScaler

Protect your environment with NetScaler – Web servers in DMZ?

  • Start raising the bar just by using NetScaler as a reverse proxy in front your web front ends, fix the posture (see Security basics, part 1 – Why?) or implement Geoblocking and/or Reputation (see Security basics, part 3 – Where?)
  • Enable strong authentication for free just using Citrix OTP, or integrate NetScaler with your modern authentication capable IdPs (such as Entra ID, Okta, Google). See NetScaler Identity handling capabilities
  • Get a better grip of what’s going on in your environment. Instead of integrating monitoring with all the different web server technologies, use NetScaler instead and integrate it with your favorite monitoring tool (see https://blog.comping.fi/?p=112)

Followup

We’re here to help you

Photo by <a href="https://unsplash.com/@tirconnaill?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Jude Mack</a> on <a href="https://unsplash.com/photos/a-life-preserver-on-a-boat-in-the-water-E1jSTmYKatg?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Unsplash</a>

We sure hope you learned something new here or got reminded of something you already knew but forgot about.

There’s a lot of links here to help you to dig deeper, but if you want to explore these things further and need a buddy to work with, drop us an email at sales@comping.fi.