So last week I got the privilege of going to UK Citrix HQ Chalfont House for a partner deep dive on cloud gateway2. As well as this I got to meet the Architects behind cloud gateway and receiver, which was something that doesn’t normally occur at these events. Unfortunately some of the conversations at this event were under NDA so I can’t mention any upcoming features or possible theories/thoughts we had during this session.
In this Part 1 of my cloud gateway blog I will be going over what cloud gateway is, how it works theoretically and why you should be looking at getting this implemented. Part 2 will be a dive into configuration of cloud gateway, HA config and integration with the awesome Citrix Netscaler.
The first question that most people I speak to is what is cloud gateway, so that would be a good place to start.
Cloud Gateway comes in 2 flavours; Cloud Gateway Express and Cloud Gateway Enterprise. Express is a free install of just one component of the Cloud Gateway product set. As of 17-12-2014 Web interface will be end of maintenance and as of 14-06-2015 it will be end of life. Over the next few months you will notice Web Interface slowly move out of the base component pack for Xenapp and Xendesktop, and be replaced with the storefront part of cloud gateway (cloud gateway express). There are a couple of aspects that slow down this phase out, one being smart card integration currently not being supported with the Cloud Gateway product suite.
As we are all probably aware Cloud Gateway 1.0 wasn’t fantastic, so Citrix have now redesigned and come up with something that actually gets us part of the way there. So what is new in Cloud Gateway 2:
- Re-designed web admin console
- Initial configuration workflow updated
- New AppController direct connections (you don’t necessarily need storefront)
- Access Gateway Enterprise integration
- ShareFile integration
- Mobile App Management (MAM) integration
- Mobile application preparation tool
- Secure Browse feature for Mobile connections via Access Gateway Enterprise
As an FYI the secure browse feature is currently only supported on iOS devices running receiver 3.1 and Android 5.6.
Why Cloud Gateway? – Well apart from Web Interface going EOM/EOL, it offers any device access using web browser, receiver client, single pane of glass look and feel as well as the opportunity to deliver data, mobile apps, SaaS apps, web apps and windows apps through the new app controller module. This new module also allows you to create policies per application…. Which gives you more control over your users experience.
As mentioned earlier there are 2 flavours of Cloud Gateway of which I will outline each one and its differences next:
- Cloud Gateway Express
- Cloud Gateway Enterprise
1 – Cloud Gateway Express
ITS FREE!! For all Xenapp/Xendesktop licensed customers. CG Express is the direct replacement or soon to be replacement of Web Interface. It is based around a windows server running IIS, as like Web Interface… but on top of this it requires a SQL database.
In most small environments you can get away with using a SQL express database, but for growth and resilience you want to look at installing it in “multi device mode” which separates out the SQL install and allows you to have more than 1 Storefront server. Making Storefront resilient will be covered in Part 2 but in essence you will be using Netscaler Load Balancing with source IP persistency!
What does CG Express give me…. Well it provides you with follow me apps/desktop from Xenapp and/or Xendesktop deployments, integration with Netscaler AGEE and a user self-service & SSO. With CG Express you also get the ability to run it alongside your current Web Interface install.
How does CG Express look from an architectural point of view? In essence it is just the right hand side of the diagram below, as for a full deployment you would really want Access Gateway(netscaler code) running in your DMZ to allow external connection.
PNagent used to store password on the local device.. But using the new Wallet credential with storefront you store the key on client device which then forms part of the process to access your credentials within the wallet on the SF server/DB. Overall this is better security architecture as no passwords are stored locally.
2 – Cloud Gateway Enterprise
As you would of guessed Cloud Gateway Enterprise comes at a cost. This cost at the moment is not in any of your current license models… it is a separate license for Appcontroller, which is the work horse for Cloud Gateway Enterprise. On top of this as you will be using the smart access feature of the AGEE (Netscaler code) you will need Universal Client Access License from Citrix. This enabled you to use the smart access features like EPA, SSL VPN, CVPN.
What does CG Enterprise give me…. Well it provides you with the features from CG Express as well as the functionality to publish, maintain and administer SaaS apps, Web apps, Sharefile, Mobile apps. When running Cloud Gateway 2 Enterprise you can either front it with Storefront and provision XA/XD, Mobile, SaaS apps etc together but if you don’t run XA or XD at the moment you can just run with the appcontroller part connecting to the Access Gateway and rule out the storefront server. This way you can still do SaaS, Mobile apps, sharefile integration without the need to deploy a XA/XD environment.
AppController comes as a virtual appliance and doesn’t require any database servers etc to function. Configuration of this will be covered in part 2.
How does CG Enterprise look from an architectural point of view?
The integration of the appcontroller allows you to also run a workflow for self-sign up of applications. The workflow for this on appcontroller can initiate an email to an authorisor to accept or deny the request. At the moment this is the only method of workflow.
As well as the above you can integrate appcontroller with “some” products/sites and it can auto provision you an account with that product. For example: if you configure the SAML connection for sharefile you can get it to auto provision a sharefile account within your sharefile enterprise environment.
AppController is primarily run on a role based configuration. By this I mean that you can create roles for each business area and link this to an AD group. Once a user is a member of this group they then can self-subscribe to the apps within their catalogue of apps that have been identified for the workgroup.
As mentioned earlier MAM is now a part of CG Enterprise, a part of this is the App wrapping and containerization:
- Full support for both personal and corporate use (BYOD)
- Corporate apps
- No risk of data loss
- Governance built in
- Policies can be updated on all apps with no requirements to change source code
- No requirement for developers to change the way they develop apps or learn mobile app
Within Cloud Gateway 2 Enterprise a new app wrap tool is available to generate the relevant file format for custom built android or iOS based applications This is a .cma file(citrix mobile application).. The wrapping tool only works on a MAC!… it also allows android apps to be packaged but also must be run on a MAC.
The wrapping tool works by opening up the native app code , adds few lines of code for citrix files and then recertifies the app and generates into the .cma file. This then can be imported into appcontroller and pushed out to your end users. As it is deployed by appcontroller it can be managed and controlled by appcontroller policies. In house developed apps as far as I am aware dont have to be signed and approved by apple before use as it should fall under the Apple Enterprise license, which should be part of your apple developer license kit for Business deployments.
Support for native iOS, android, Micro VPN, citrix developed apps but controlled by receiver not natively on the app.
Delivered apps by app controller are in a separate silo so personal and corporate is separate on device. This then allows you to wipe the corporate data but not impact the personal data.
Using the policies within appcontroller you can force users to login once every hour or each time it is brought to view.. This allows you to force levels of security to BYOD devices whilst not hindering the user on the personal use of the device.
Another great new feature for CG Enterprise is the Secure Access/Micro VPN feature that forms part of the Access Gateway integration. What this does is run a clientless vpn from your receiver client on iOS or android device. This is only supported on the versions mentioned earlier in this article and must you must be running AGEE version 10.
Citrix recommend that you only use 1 store, as you can filter application access from AD groups or Smart access scans on your AGEE. There is no need for an internal and external store being separate as out of the box storefront factors this in. It recognises the internal or external access via the beacons feature.
Next week I will release Part 2 of this blog which will go into detail about what needs configuring to get these features working within an internal and external network. As well as show how you make this solution fault tolerant with regards to HA.
Feedback is much appreciated on any of my posts 🙂