Citrix NetScaler Access Gateway VPX user scalability numbers explained

The Citrix NetScaler Access Gateway VPX  and MPX are great platforms for secure remote access to your company network.

When working with Access Gateway there are two methods of setting up your connection.

  1. An integrated connection to Citrix XenApp and XenDesktop, which we call ICA proxy.
  2. A full SSL VPN connection for access to company servers, which we call SSL-VPN. Both Access methods can be used combined or separate on a Access Gateway node. Both have their own use cases and based on the customer needs you will use either one of them.

Citrix NetScaler Access Gateway is available as a virtual platform (VPX) and as a hardware platform (MPX).

Citrix_Netscaler_MPX_7500_Enterprise_EditionAGVPX

Figure 1. NetScaler Access Gateway MPX

Figure 2. NetScaler Access Gateway VPX

 

A very important question to ask when choosing between a VPX and MPX model is the amount of users you need to facilitate on the Access Gateway solution. The amount of users is divided between the amount of ICA Proxy users and the amount of SSL-VPN users. A single SSL-VPN user load consumes a lot more resources then a single ICA Proxy user and the resource load of a single SSL-VPN session is impossible to predict because it changes all the time.

So what does Citrix have to say about this?

The official Citrix statement is:

sslvpn

 

Figure 3. NetScaler spec sheet (click on picture for full spec sheet)

Although we now know the maximum amount of concurrent SSL-VPN sessions on a VPX this says nothing about ICA Proxy. When speaking to Citrix representatives I hear different numbers, maximum ICA Proxy is 500 sessions and maximum SSL-VPN is 200 sessions.
Their explanation is that the earlier figures are based on 1k  certificates instead of 2k certificates. Because a VPX does not have the physical SSL offload chips a VPX is using CPU resources. This would mean that if we go for 4k certificates we would be screwed even further because the SSL transaction load does not grow linear with the certificate bits size. This is not something to under estimate, the difference in resource consumption between 1 and 2k is 5x, between 2k and 4k this could be as much as 20 times!

Now that we know these numbers we have some guidelines but what about guys like Julien Stanojevic who are reporting an enormous amount of ICA Proxy users as described in his article on brianmadden.com. He reports 1900 concurrent ICA Proxy sessions with a huge amount of space to grow even further, Julien is not telling fairy tales. I know that there are a lot of customers with user amounts just like this even on Windows based Citrix Secure Gateway instances, even Citrix reports over 1.000 concurrent sessions on a P4 system link.

To prove my statements about the amount of concurrent ICA Proxy sessions on a single Access Gateway VPX appliance I started a quest for the magic number. Ok, not really but I did start a small research on how many ICA users would fit on a virtual Citrix NetScaler Access Gateway. You can find the research article here.

The results of the survey are just like I would expect them to be and I will give you a short summary of the results. Please do keep reading after you have seen the results because these are only numbers and they are misleading!

Question 1 What kind of certificate are you using on your CAG VPX

The outcome is exactly what you’d expect, some of you are still doing 1k certificates and most of you are using 2k certificates while no one is using 4k certificates yet. If we would ask you this next year no one should be doing 1k, most of you are doing 2k and some of you are already doing 4k. This is going to be important so remember this!

What is the maximum amount of users on your CAG/NS VPX on one VPX appliance

As Citrix recommends using a VPX up to 500 ICA proxy users it’s expected that most of you are using it in situations up to 500 concurrent users. This is exactly what is shown in the results of the survey.
What the survey clearly shows is that there are more then a handful of customers with well over the maximum amount of users that Citrix states it can handle. Remember the Julien Stanojevic article I mentioned?

So what can we conclude from this? The clear and positive conclusion is, Yes we can do a lot more concurrent ICA-Proxy sessions on a Citrix NetScaler Access Gateway VPX appliance. The negative side to this conclusion is, sorry, unfortunately this will not assure any of us that YOU actually will!

Citrix NetScaler Access Gateway VPX What’s the real deal?

The honest and simple answer to the question how many concurrent ICA-Proxy sessions can we facilitate on a single VPX appliance is that no one is able to tell you, not even Citrix!

Let me explain this statement because it might be that time where you start thinking that we as the so called “experts” and even Citrix don’t know what we are talking about, right? I will try to explain this a bit further.

The problem with a virtual appliance is that we have zero control over the platform we will be hosting the virtual appliance on. This could be any of three big hypervisors on any of the supported hardware platforms by these hypervisors. Even if we would know this and everything works well simple changes like updating network firmware or drivers can cause issues. Just read this article by Trond Eirik Haavarstein, you will be amazed what can happen when a simple driver is not playing well combined with the running firmware.

Another problem is that the performance of a virtual appliance is highly dependent on CPU performance because of SSL transaction and virtual networking. If your hypervisor is over committed this may influence overall performance a lot. I will dig deeper on the why and how in my article “How to maximize your virtual Citrix NetScaler Access Gateway performance”.

So although there are situations in which you can facilitate more then the amount of users Citrix specifies I’ll bet you that there are just as many situations where even those numbers are way to positive. The problem with this is that Citrix needs to say something and who’s blaming them for choosing a fairly safe amount of users. Doing so we should be assured that when we follow the numbers Citrix gives us we should be safe, although a highly over committed platform will surely show you performance issues!

The final advice is “pilot pilot pilot and check scalability and performance counters!”.

If you still have questions please let me know in a comment and I will try to get them answered.

This article wouldn’t be possible without the help of the community. Special thanks to Kees Baggerman, Esther Barthel, Henny Louwers and two Citrix employees for their useful insights and reviews of this article!

Tagged , , , . Bookmark the permalink.

About Barry Schiffer

Barry is an IT Architect with 15 years of IT experience. He has gained both a broad and deep knowledge in the sphere of IT. Throughout the years, Barry has developed into a specialist in the field of Microsoft Windows, Server Based Computing, desktop and server virtualisation.Barry is co-founder and member of the Board of the Dutch Citrix User Group.Barry is awarded with the Citrix Technology Professional award in 2015 and received the RES Software Valued Professional award in 2012.

10 Responses to Citrix NetScaler Access Gateway VPX user scalability numbers explained

  1. Judy Ulm says:

    Please clarify the difference between the ICA Proxy and full SSL VPN….

    • This actually is quite easy. A ICA Proxy session is a limited connection to the DC just for launching a Citrix XenApp or XenDesktop session. A full SSL VPN connection obviously is a full connection to the DC, so you are for example able to connect a locally installed version of MS Outlook to the company exchange server.

  2. Mike says:

    Does this 500 concurrent user session guideline hold true on the NS VPX-10 as well. Seems you would hit 10mbps limit first or is that throughput limit not applied to ica proxy?

  3. Stuart Griffiths says:

    ‘…gateway vpx because that’s unlimited bandwidth…’
    I thought the NetScaler Gateway VPX was limited to 50mbps and NetScaler Gateway MPX 500mbps
    (see http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-gateway-secure-remote-access-from-anywhere-on-any-device.pdf)

  4. jiamei says:

    while many of the technical posts such as Stanojevic indicate more than 500 user icaproxy connections are possible the answer from Citrix in their latest datasheet is 500. I suspect when one calls Citrix support for assistance and they see more than 500 users connecting they will recommend a hardware appliance and stop further support. Designing and implementing a production system that is not supported by the vendor may be a big mistake. A Citrix engineer I spoke with last week reinforced this for me. Citrix has modified their datasheet of netscaler specs to say SSL/icaproxy for max connections

  5. Hi Barry,
    Say, If i have 50 Concurrent Citrix XenApp 7.5 Advance Edtn, and i want to use Citrix NetScaler Gateway Enterprise VPX for my secure connection, in matter or license…. what do i need? do still need additional concurrent license like the previous Citrix Access Gateway ? Plz Advice

Leave a Reply