Introduction
Since private equity took over Citrix and undertook a business transformation (to put it in politically correct terms), there have been a lot of changes.
One positive outcome has been the rapid pace of innovation in the Citrix and NetScaler product stacks. In fact, this was likely one of the more unexpected changes considering private equity tech acquisitions are often notorious for axing R&D and focusing purely on milking customers with little additional value offered to them. Over the past couple of years, there have been some genuinely awesome additions to customer licensing entitlements and new features rapidly being added to the products.
We will focus on the Citrix Gateway service for the StoreFront feature today, which became generally available (production-ready) in September 2024. This article takes a more business and architectural view of this feature, while the Citrix articles available on this new capability are a little more engineering and technical focused. This article is intended to contextualize and complement Citrix’s documentation for greater clarity and consideration for useful application in your environment.
Notes: We will use the terms region, Resource Location, and zone interchangeably in this article; they mean similar things. Similarly, the reference to Citrix Gateway implies a NetScaler (briefly known as Citrix ADC), as Citrix Gateway is a feature of NetScaler. Finally, HDX proxy refers to the TLS encryption of Citrix ICA session data encapsulated by Citrix Gateway or Citrix Gateway service. It is the core function of Citrix Gateway — to securely encrypt the Citrix protocol between client (user endpoint) and server (Citrix VDA) as it traverses trusted to untrusted networks.
What Is Any of This?
This is a fair question for many, and for various reasons. Perhaps you are still focused on on-premises (or rather, customer-managed) Citrix Virtual Apps and Desktops deployments and have not paid much attention to Citrix Workspace service and Citrix DaaS from the Citrix Cloud platform. Or, perhaps as with many others, the speed at which Citrix has been releasing features has made it challenging to keep up. So we’ll provide a little more background.
What’s Citrix Cloud?
Citrix Cloud is the Citrix-managed platform of various “cloud” versions of popular Citrix and NetScaler technology components. It provides an alternative to having customers host all management plane and access tier components on their own, either in on-premises datacentres or public clouds. Amongst other benefits, it allows customers to reduce the infrastructure footprint of their deployments, reducing some costs. Citrix Cloud is also home to certain cloud-only features such as the Global App Configuration Service (GACS), Citrix Analytics, and more.
What is Citrix DaaS?
Citrix DaaS (formerly known as Citrix Virtual Apps and Desktops service) is the cloud version of Citrix Virtual Apps and Desktops (CVAD). It depends on Internet connectivity to Citrix Cloud: customers install Cloud Connectors in place of Delivery Controllers within their public cloud or datacentres (referred to as Resource Locations in Citrix Cloud, which operate similarly to zones in CVAD). Customers do not need to deploy Delivery Controllers, SQL, WEM servers, Citrix License servers, Director servers, or Web Studio servers (a new addition). Customers can also opt not to deploy NetScalers for HDX proxy or StoreFront (we’ll get to that as well). Collectively this provides an opportunity to reduce the infrastructure components, with the customer being chiefly responsible for maintaining their Citrix VDA workloads while Citrix maintains the other components, reducing administrative overhead. Administration moves to Citrix Cloud, which, thanks to various IdP integrations, can be protected by conditional access policies to restrict access to the administration control plane.
What is Citrix Workspace + Gateway service?
These two features of Citrix Cloud represent the cloud-hosted access tier capabilities on offer as alternatives to customer-managed equivalents. They give customers the choice of doing away with customer-managed Citrix StoreFront servers and the NetScalers that handle secure HDX proxy (NetScalers handling load balancing and authentication would be retained). Citrix Workspace service is the cloud-hosted equivalent to StoreFront plus its authentication front-end and is similar in functionality and features, with some limitations and differences. Citrix Gateway service is a cloud-hosted secure HDX proxy solution which leverages points of presence (PoPs) made of Citrix-managed NetScaler infrastructure around the globe to securely route Citrix sessions from a customer’s corporate network through to the end-user, who may be either within or outside the corporate network.
There are advantages and disadvantages to each scenario, and customers can mix and match what they use as well, to suit their needs. And that is a key focus of this particular article. Uzair Ali over at Citrix wrote up a design considerations article in early 2023 that contrasts common design decisions for using customer-managed Citrix access tier components vs. cloud-hosted options to better understand trade-offs and benefits. You can read that here should you require more context. The inclusion of this integration brings more feature parity between Citrix Workspace service and Citrix StoreFront.
The Value of Citrix Gateway service + StoreFront
Citrix has already produced various articles delving into this new feature and its use cases, we will attempt to summarize this here from our viewpoint, but encourage you to read the links at the end of this article for the official details.
The ability to mix and match cloud and customer-managed components is useful in designing the right architecture for different Citrix use cases and access scenarios. While many enterprise customers continue to front Citrix DaaS with customer-managed NetScalers and StoreFront servers for various reasons ranging from flexibility, performance, greater security and observability control, to full control over SLAs, there can be cases where further flexibility is required by leveraging features of Citrix Cloud’s access tier.
The value of this new capability is greater choice and architectural flexibility. Citrix Workspace service has long provided customers the ability to define the use of Citrix Gateway service (either automatic PoP selection or a specific PoP) or customer-managed Citrix Gateways (the HDX proxy feature of NetScaler) on a per-Resource Location basis within the Citrix Cloud control plane. This is the equivalent of the Optimal HDX Routing feature in StoreFront, just with two platform options to choose from (cloud-hosted or customer-managed) versus the one (Citrix Gateway) historically found in StoreFront. This new feature brings similar flexibility to customers who primarily use Citrix StoreFront as their core access tier rather than Citrix Workspace service, allowing them to choose Citrix Gateway service or customer-managed Citrix Gateways on a per-zone basis (zone being the term used in StoreFront to represent a Resource Location) in the Remote Access and Citrix Gateway configurations defined within StoreFront’s admin console. We will cover relevant use cases in more detail shortly.
Bringing Citrix Gateway service into the solution allows, amongst other things, latency reduction without the need to deploy more NetScalers. Internet routing is not efficient or optimal for every combination of end-user location and Citrix environment location, so the closer the HDX proxy a user connects to over the Internet, the less latency their session should be subjected to overall, translating into a better digital user experience (DEX). We are in essence trying to “on-ramp” the user into the corporate network faster, instead of relying on the inefficient routing of the Internet in general. It is akin to taking a toll road to get from A to B versus the regular route with more traffic lights (routers), congestion, and in some instances a longer distance to travel across multiple roads (routes) as compared to the toll road.
Can I Displace ALL NetScalers With This New Feature?
The short answer is no. Customers still need to load balance components such as StoreFront and the Cloud Connectors (XML), and NetScaler remains the best platform for the job there. In fact, it remains the best platform for nearly any enterprise-level load balancing job and customers would reap significant cost-saving and performance benefits from displacing load balancing and application delivery controller infrastructure from other vendors. NetScaler is after all, the world’s most battle-tested network appliance of its kind, processing over 75% of the Internet’s daily traffic, most major online retailers, two of the largest public clouds, and the two largest global smartphone networks, among other claims to fame. While heavily found in Citrix deployments, its Citrix integration is but a footnote compared to its overall industry-leading capabilities. You can read more in our NetScaler Myths Debunked article.
In the Citrix Gateway service + StoreFront use case scenarios, you also retain your NetScalers for authentication into the network if you are providing secure access to remote users over the Internet, albeit potentially on much smaller appliances, depending on whether or not you retain any NetScalers for HDX proxy (discussed in the next section).
The new integration provides customers the ability to reduce their customer-managed NetScaler footprint in certain deployment scenarios, reducing administrative burden and improving performance and user experience (latency reduction via optimal paths) for most Citrix use cases.
Will This Work with CVAD?
CVAD is the traditional on-prem or “fully customer-managed” version of Citrix that relies on no cloud components. In its current release and as of November 2024, the answer is no. It only works with Citrix DaaS Sites defined in StoreFront. However, Citrix Product Management has advised us that the ability to use Citrix Gateway service with StoreFront for customer-managed CVAD Sites is forthcoming. So in the hopefully near future we will see this feature available, as StoreFront is often employed in deployments with CVAD-only or hybrid CVAD and DaaS Sites.
Real-World Use Cases
To be clear, this new feature is great, but it is not suitable for every deployment. There are many customers we have worked with recently who might benefit from this new capability, however. We will go through some real-world examples with greater context than Citrix has provided to-date. Note that configuration and lower-level details are not covered here, but Citrix Documentation does a decent job of going deeper in how to get the feature integrated into your environment.
Special thanks to Zeljko Macanovic for the visuals!
Multi-Region Deployments (Hybrid HDX Proxy Model)
We often work with customers with three or more Citrix Resource Locations to optimize application and user experience for different workloads across the globe as well as HA or DR architectures. In a typical multi-region Citrix deployment that uses a customer-managed access tier (Citrix Gateway + StoreFront), the customer typically deploys NetScalers for authentication and HDX proxy in key regions, and NetScalers that handle HDX proxy only in other regions. This is defined through the Optimal HDX Routing configuration within StoreFront, which works for both DaaS and on-prem CVAD Citrix Sites.
In multi-region deployments it is preferable to have Citrix Gateway (thus NetScaler) close to the Citrix VDAs and/or end-users to optimize performance by reducing latency, versus having the user traverse more of the Internet’s routes to the primary Resource Locations hosting NetScalers for HDX proxy.
However, depending on the size of the various Resource Locations, it may be difficult to rationalize the cost and administrative burden of running NetScalers in each geographical area for HDX proxy, especially when they are on the smaller scale in contrast to other Resource Locations. On the flipside, having Citrix session traffic backhaul through the network is also not optimal if both the user and their Citrix VDA happen to be in close proximity to each other but remote from the main datacentres handling HDX proxy.
In this scenario, administrators can use Optimal HDX Routing and a mix of customer-managed Citrix Gateways and Citrix Gateway service to define the desired HDX routing on a per Resource Location (zone) basis within StoreFront. We refer to this as a hybrid HDX model as we are using a mix of customer-managed and cloud-hosted services to provide secure HDX proxy. Higher density regions would leverage the customer-managed NetScalers for HDX proxy, while smaller regions would benefit from Citrix Gateway service routing their connection through a local PoP to them. The user gets the most optimal path for their Citrix session, and the customer did not need to deploy additional NetScalers to manage in the remote Resource Location to achieve this.
Disaster Recovery Deployments (Hybrid HDX Proxy Model)
The hybrid model may also be useful in disaster recovery (DR) designs, to reduce the cost of DR in certain scenarios (provided there are no issues with Citrix Cloud SLAs vs. your required service SLAs). For example, in production perhaps customer-managed NetScalers are used for authentication to StoreFront for external users and for HDX proxy, and are sized accordingly. For DR, customer-managed NetScalers are used for authentication to StoreFront for external users, and Citrix Gateway service is used for HDX proxy. While both Resource Locations have NetScalers, we can potentially deploy fewer NetScalers or smaller NetScaler instances, reducing footprint and cost. Note that depending on the environment size, this may not make much sense. But as we often work with customers with large scale-out multi-tier NetScaler deployments or large numbers of users in general (thousands), the benefits of the hybrid model become more apparent. Scale is the key factor here for suitability.
Hybrid Site Architecture (Hybrid HDX Proxy Model)
In this scenario, the customer uses both Citrix DaaS and customer-managed CVAD Site(s). As at time of writing, Citrix Gateway service cannot be used with CVAD, so we use Optimal HDX Routing in StoreFront to define Citrix Gateway service for Citrix DaaS Resource Locations, and customer-managed Citrix Gateways for customer-managed CVAD Sites. There could be multiple datacentres involved or just one. Depending on broader considerations, this particular use case might be temporary until CVAD Sites are supported with Citrix Gateway service in StoreFront, or may be permanent to address higher security environments where no use of cloud technology in the session flow is permissible.
Single Resource Location (Single HDX Proxy Model)
In contrast to the above scenarios, perhaps we have customers with only a single Resource Location and are serving users across multiple geographical areas. Perhaps the use cases do not warrant a multi-region deployment and DR is not in scope of the solution. In this model, we deploy NetScalers for the Resource Location to handle authentication for external users, and in StoreFront we only define Citrix Gateway service to be used for the Store with Citrix DaaS. We do not configure Optimal HDX Routing in StoreFront as there is no need. With this configuration, users are on-ramped to Citrix Gateway service via the closest PoP to their location, and take the most efficient path to the Citrix VDA. We on-ramp them faster, skipping less efficient paths that add latency (see the toll road example from earlier).
Multi-Region Deployments (Single HDX Proxy Model)
Let’s revisit the multi-region model. From a simplification standpoint, a customer, where considerations allow, may wish to standardize completely on Citrix Gateway service regardless of the number of Resource Locations present, or how disparate end-user density is from one region to the next. A key argument for this scenario would be to both simplify configuration, and keep a consistent, unified telemetry data set for HDX proxy traffic. When we adopt a hybrid model, session telemetry such as ICA RTT latency and other metrics may be inconsistent between the two platforms for the very same end-user and Citrix VDA scenario based on differing architectural factors. Sticking with one platform for HDX proxy keeps things consistent and eliminates the added burden of looking into different consoles for data (NetScaler Console + Director).
This scenario also allows us to reduce the NetScaler footprint as well, as we would only need a couple pairs of NetScalers for authentication in the key regions, allowing us to use much smaller appliance sizes (physical or virtual), translating to lower costs and administrative burden, especially in larger multi-tiered NetScaler deployment scenarios for large scale customers.
Current Limitations and Considerations
Before jumping in, there are a number of things to consider:
- Limitation: No HDX Insight. Citrix Gateway service does not support HDX Insight, so if this is a feature you have been used to for HDX proxy on your NetScalers, you’ll be out of luck. While Citrix Gateway service does have numerous telemetry data points, it isn’t as robust as HDX Insight (provided you had HDX Insight configured and actually used it).
- Limitation: PoP selection. Unlike in Citrix Workspace service, you cannot select specific Citrix Gateway service PoPs to use; the service selects them automatically based on its own determination of the optimal network route for the end-user. However, this feature is in the works, as per Product Management.
- Limitation: DaaS support only. Citrix Gateway service + StoreFront does not support CVAD Sites, only Citrix DaaS. However, this feature is in the works, as per Product Management. If this affects your current deployment, the Hybrid Site Architecture scenario is applicable.
- Limitation: StoreFront version. Citrix Gateway service with StoreFront requires StoreFront 2407 at minimum. This is a Current Release (CR) version of StoreFront and not a Long-term Service Release (LTSR). This means customers should expect to keep current on StoreFront releases until a new LTSR is released, if their standard is to remain on an LTSR track as a general practice. In consultation with Product Management, using the 2407 version of StoreFront will not imperil LTSR supportability, however. So it may very well be worth upgrading for some customers.
- Consideration: Security. Citrix Gateway service is a managed service hosted by Citrix. Customers who require fine-grained observability for their SIEM platforms for user sessions traversing the edge of the network will lose some visibility. Furthermore, Citrix manages the private keys, protocols, and ciphers, the customer does not have any control or say over them. While this isn’t a problem for most, and is the case for most cloud services, it remains a consideration point for some customers or some use cases.
- Consideration: Feature parity. While Product Management has made great strides to make Citrix Gateway service feature parity with Citrix Gateway, there may still be minor capability gaps between the two regarding HDX technology support or TLS cipher or protocol support. You are encouraged to keep up-to-date on any discrepancies in case they affect your use case.
- Consideration: Telemetry differences. If using a hybrid HDX proxy model, be aware that you will need to use different consoles (Director in Citrix Cloud and NetScaler Console) to see different network-level telemetry. Not all telemetry parameters will be the same between the two.
- Consideration: Use case bandwidth. Citrix Gateway service is ideal for many use cases, but it may not be suitable for bandwidth-intensive scenarios such as rich multimedia (without using browser content redirection, client offloading for Teams, Zoom, etc.), HDX 3D Pro and GPU-powered workloads, which can demand over 20 Mbps compared to the typical 100-400 Kbps for most Citrix sessions. While bandwidth efficiency improves with each Citrix release, high-performance workloads might face challenges with Citrix Gateway service. In such cases, customer-managed NetScalers for Citrix Gateway may be a better choice. Ultimately, testing over time is crucial to determine the best solution for your use case.
- Consideration: PoP routing and DNS. Routing decisions in global PoP-based services, like Citrix Gateway service, can be affected by reliance on LDNS (Local DNS) proximity. In simple terms, the service uses the IP address of the client’s DNS resolver (assumed to be “local”) to determine geo-location. However, if a user’s DNS resolver isn’t truly local—e.g., they’re using public DNS services like Google’s 8.8.8.8 or Quad9’s 9.9.9.9, or one configured by a ZTNA client—they might be routed to a suboptimal PoP. While LDNS is only one factor in routing, it’s worth considering if performance issues arise. In such cases, compare the user’s physical location with the PoP they are routed to (viewable in Citrix Cloud). This is a rare issue but can occur occasionally. The EDNS Client Subnet extension (ECS, an EDNS0 option) helps mitigate this by including a truncated prefix of the client’s address in the DNS query the resolver forwards, but it depends on every resolver in the path supporting and forwarding the option.
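As an added illustration (not from the original article, and not Citrix’s routing code), the following Python sketch shows the two steering inputs discussed above: a toy geo-steering function that keys off the recursive resolver’s address (LDNS proximity) or, when the query carries one, off the EDNS Client Subnet option, plus a minimal builder and parser for a DNS query carrying that option as defined in RFC 7871. The PoP names, address ranges, query name and steering rule are constructed assumptions for the demonstration; the real Citrix Gateway service selection logic is not public and is not reproduced here.

```python
import ipaddress
import struct

# Constructed PoP table and toy "geo database": hypothetical PoP names and
# RFC 5737 documentation ranges, not Citrix Gateway service data.
POPS = {"eu-west": "pop-dublin", "us-east": "pop-ashburn", "ap-south": "pop-mumbai"}
GEO = {
    "203.0.113.0/24": "eu-west",   # the user's office network
    "198.51.100.0/24": "us-east",  # where a public resolver egresses
    "192.0.2.0/24": "ap-south",
}

def region_of(ip):
    """Toy lookup: the first prefix containing ip wins (no longest-match)."""
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return None

def choose_pop(resolver_ip, ecs_subnet=None):
    """Steering decision as an authoritative name server would make it: use the
    ECS client subnet when the query carries one, otherwise fall back to the
    address of the recursive resolver (LDNS proximity)."""
    if ecs_subnet is not None:
        key = str(ipaddress.ip_network(ecs_subnet).network_address)
    else:
        key = resolver_ip
    return POPS.get(region_of(key), "pop-default")

def _labels(qname):
    """Encode a dotted name as DNS wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split(".")) + b"\x00"

def build_query_with_ecs(qname, client_ip, source_prefix_len=24, txid=0x1234):
    """Minimal A query (RFC 1035) with an OPT RR carrying an ECS option
    (option code 8, RFC 7871). Only the first source_prefix_len bits of the
    client address are sent; the rest are zeroed, as the RFC requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = _labels(qname) + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix_len + 7) // 8]
    ecs = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes  # scope=0 in queries
    opt_rdata = struct.pack("!HH", 8, len(ecs)) + ecs
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/flags, RDLENGTH
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_rdata)) + opt_rdata
    return header + question + opt_rr

def _skip_name(msg, off):
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes and the name ends
            return off + 2
        off += 1 + length

def parse_ecs(msg):
    """Return the ECS client subnet ("a.b.c.0/24") found in a DNS message, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack_from("!HHIH", msg, off)[3]
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 41:
            continue
        o = 0
        while o + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, o)
            body, o = rdata[o + 4:o + 4 + olen], o + 4 + olen
            if code == 8:
                family, src_len, _scope = struct.unpack_from("!HBB", body, 0)
                nbytes = (src_len + 7) // 8
                full = 4 if family == 1 else 16
                packed = body[4:4 + nbytes] + b"\x00" * (full - nbytes)
                return f"{ipaddress.ip_address(packed)}/{src_len}"
    return None

def demo():
    """Constructed case: user in eu-west, public resolver egressing in us-east."""
    user_ip, public_resolver = "203.0.113.77", "198.51.100.9"
    ldns_only = choose_pop(public_resolver)                    # steered by resolver location
    query = build_query_with_ecs("gateway.example.test", user_ip)
    ecs_aware = choose_pop(public_resolver, parse_ecs(query))  # steered by client subnet
    return ldns_only, ecs_aware

if __name__ == "__main__":
    print("LDNS-only steering -> %s, ECS-aware steering -> %s" % demo())
```

Running it shows the failure mode from the bullet above: with the resolver’s address as the only signal the user lands on the us-east PoP, while the same query carrying a /24 client subnet steers to the eu-west PoP. The option only helps if the recursive resolver the client actually uses adds it and forwards it, which is the infrastructure dependency the article notes; a resolver that strips or never adds ECS leaves the authoritative side with nothing but the resolver address.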
Conclusion
It is our hope this article has improved understanding (and not added more confusion) about this new feature integration for StoreFront, providing cloud functionality benefits to customer-managed StoreFront. For the right use cases, this new capability offers significant benefits and simplification to end-users, administrators, and IT budgets alike. If you have any questions, please drop us a note, we would be happy to assist.
Links
- https://community.citrix.com/tech-zone/build/tech-papers/gateway-service-for-storefront-deployment
- https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-citrix-gateway#add-citrix-gateway-service
- https://www.citrix.com/blogs/2024/09/19/citrix-gateway-service-for-storefront-a-turnkey-hdx-proxy-solution/
- https://docs.citrix.com/en-us/citrix-gateway-service/citrix-gateway-service-cloud-release-notes.html
Michael Shuster
Michael is Ferroque's founder and a noted Citrix authority, overseeing operations and service delivery while keeping a hand in the technical cookie jar. He is a passionate advocate for end-user infrastructure technology, with a rich history designing and engineering solutions on Citrix, NetScaler, VMware, and Microsoft tech stacks.