A look at Citrix Gateway vs. Citrix Gateway Service
The features and functionality of Citrix Gateway and Citrix Gateway Service products may be confusing. Jo Harder delves into the difference between the two, as well as reasons to choose one over the other.
Simply put, Citrix Gateway is Citrix’s on-premises gateway solution, and Citrix Gateway Service is the cloud version. But deciding which to utilize is not quite that straightforward due to the features and capabilities, as well as the mix-and-match options. Plus, with recent vulnerabilities and patching on everyone’s mind, the decision becomes even more important.
The gateway is a necessary component for secure access when deploying Citrix products, including Citrix Virtual Apps (formerly XenApp), Citrix Virtual Desktops (formerly XenDesktop), Citrix Endpoint Management (formerly XenMobile), Citrix Content Collaboration (formerly ShareFile), and Citrix Workspace (all of the above and more). In addition to providing SSL/TLS encryption, the gateway controls remote access functionality. So, yes, you need it.
Of course, Citrix is strongly encouraging its customers to move to the cloud, and just how much cloud you choose to deploy also has a bearing in your decision.
Defining Citrix’s Gateway products
Let’s first understand what Citrix Gateway and Citrix Gateway Service each imply, and then review key features that would impact your decision.
Citrix Gateway (formerly NetScaler Gateway) is the on-premises solution for accessing Citrix resources. Citrix Gateway is a subset of Citrix Application Delivery Controller (ADC), and because of that, customers can elect to add features that are inherent to other editions, such as Web App Firewall.
Citrix Gateway Service is the cloud version, and a subscription to Citrix Cloud is required. Although the most common deployment includes all available Citrix Cloud components—including the Gateway Service and Workspace (known as StoreFront for on premises)—Citrix offers the ability to mix and match which of these security and presentation components are deployed where.
Deploying Citrix Gateway
As a Citrix architect or engineer, you can deploy your own Citrix Gateway on-premises and then use Citrix Workspace and the core components in Citrix Cloud to address requirements for additional features and functionality not available within Citrix Gateway Service, such as SAML. Of course, an on-premises Citrix Gateway does not necessarily imply a VM or physical appliance deployed onsite; it can just as easily be deployed in a cloud environment, such as Azure or AWS.
However, if you have the need to retain your own on-premises StoreFront servers to support features not yet available within Workspace, such as user interface customizations, then you must similarly deploy your own Citrix Gateway appliances. Likewise, StoreFront servers may be deployed in a cloud service and not necessarily reside physically on premises.
As the feature sets of both Citrix Gateway Service and Workspace continue to become more robust, the technical differences between the on-premises components and the Citrix Cloud components will narrow, thus making Citrix Cloud a more compelling solution.
Business consideration for Citrix Gateway
Of course, the greatest return on investment for Citrix Cloud is to take advantage of all the features available under your subscription. Including the Citrix Gateway Service not only provides a significant cost benefit, but maintenance of Citrix Gateway is also eliminated. That means no patching, no upgrading, no upkeep at all.
And that consequently eases the work effort associated with multi-geo deployments. Citrix Gateway Service’s global presence addresses high availability and business continuity, since customers do not have to host their own Gateways in every geographical region.
As much as I love Citrix ADC, I’m the first to admit that it, including Gateway, is a complex product to administer. Having the right skill set is critical, and individuals who are responsible for occasional administration may overlook configuration steps, patching, or upgrades. Especially in light of the recently announced Citrix ADC vulnerability, it became apparent that many organizations were ill-prepared to address the system modification and update that was required.
In addition to situations where there are technical features that aren’t available within Citrix Gateway Service, there are some enterprises that just can’t take advantage of this service. One use case is where country and/or industry requirements state that all data must remain within its borders, and thus, enterprises not located within the 14 points of presence (PoPs) for Citrix Cloud could not choose Citrix Gateway Service.
In those cases, it’s likely that an on-premises Citrix Gateway would be suitable in conjunction with the other Citrix Cloud components. Technically, only session initiation would pass through another country, but the ongoing user session (i.e., all application data transmissions) would remain in-country because that’s where the Citrix Gateway, Cloud Connectors, and VDAs are housed. Because an on-premises Citrix Gateway is deployed in this example, the ongoing user sessions would indeed pass through the Cloud Connector.
The new rendezvous protocol, which would eliminate passing user sessions through the Cloud Connector, could not be invoked because Citrix Gateway Service is required for that process. As Citrix expands its PoPs throughout the world, this use case will become less of an issue for tightly regulated enterprises.
Which option should I choose?
The minimal distinction in the naming of Citrix Gateway and Citrix Gateway Service can create some confusion, and the correct definition may drive the answer to this question. If you truly don’t have the time or resources to effectively maintain your Citrix Gateway appliances onsite and are considering transitioning to Citrix Cloud, using the embedded Citrix Gateway Service is a fabulously easy option. But if you have technical or business reasons that necessitate keeping your Citrix Gateway onsite, you can still move to Citrix Cloud sans Citrix Gateway.