Citrix NetScaler Gateway What’s the real amount of ICA proxy users you can handle?

The results of this article can be found in the following articles

Citrix NetScaler platform sizing guides

How to maximize your virtual Citrix NetScaler Access Gateway performance

Citrix NetScaler Access Gateway VPX user scalability numbers explained

During the years Citrix is working on moving customers from the Citrix Secure Gateway to Citrix NetScaler Gateway platform. Last year Citrix announced that they will move to one Gateway platform based on the Citrix NetScaler platform. Up to now they had several code bases for similar functionality.

NetScaler Access Gateway

NetScaler Access Gateway retro

Let me start by mentioning that I think it’s a great step to get customers of the Secure Gateway platform. Citrix NetScaler Gateway is more secure and offers more functionality. The latest step to move to one base platform for Access Gateway is understandable because it saves a lot of time in development and support for Citrix. It also makes a consultants life easier because we had a hard time explaining the differences.

There is one thing that puzzles me! The physical layer on which we run virtual appliances offers us far more performance than a couple of years ago while Citrix lowers the amount of concurrent users on a VPX appliance in every next step. When discussing this with Citrix employees they say this is caused by heavier SSL transactions due to 2K and nowadays 4K certificates.

I get that but the amount of users we can handle on a VPX shouldn’t be a hard number because it completely depends on how many and what kind of CPU resources we are using.

By speaking with community friends like Andrew Morgan, Kees Baggerman and Shawn Bass I know for sure that there are a lot of customers working with numbers far above the Citrix magic spot.

Citrix NetScaler Gateway Research

To start my research I would like to know how many users you are handling concurrently on a single Access Gateway VPX. The number where users will notice even the slightest degree of performance degradation. I trust on all of you to help me out and provide me with real every day numbers.

[poll id=”2″]

[poll id=”3″]

Please feel free to leave as much information as possible in a comment. I will try to bundle it all in a NetScaler Gateway research results post. Keep you posted and might even  work on another poll if I need more information. Thanks so much for helping out!


Tagged , , . Bookmark the permalink.

About Barry Schiffer

Barry is an IT Architect with 15 years of IT experience. He has gained both a broad and deep knowledge in the sphere of IT. Throughout the years, Barry has developed into a specialist in the field of Microsoft Windows, Server Based Computing, desktop and server virtualisation.Barry is co-founder and member of the Board of the Dutch Citrix User Group.Barry is awarded with the Citrix Technology Professional award in 2015 and received the RES Software Valued Professional award in 2012.

7 Responses to Citrix NetScaler Gateway What’s the real amount of ICA proxy users you can handle?

  1. Prashant Batra says:

    Scalability numbers are always tricky! There is always a balance between quoting too much and too less. At Citrix, we try and quote these numbers, from a real world perspective. Our traffic profile does not use a single data connection, but simulates multiple connections per user session, with each connection representing varying content streams.

    • Hi Prashant, thanks for your comment.

    • Martijn Hoogenbosch says:

      Okay, fair enough, but what are the numbers? What is Citrix’s advice?!

      Is it still ~ 500 CCU?! Or even lower?

      • Hi Martijn, I have spoken to Prashant and other NetScaler/CAG gurus. My follow up will hopefully answer all of your questions.

        • Martijn Hoogenbosch says:

          Any ETA for the followup? Because i’m always struggeling with these numbers (don’t want to be pushy, but nevertheless).

          If you check the ‘official’ Citrix guidelines it says 300 CCU for SSL VPN. Now I don’t know if the load on ICAPROXY is the same as SSL VPN, I can imagine it being lower.

  2. infraVirt says:

    It would be nice to see some load stats to go with the numbers above to see if the appliance has in fact reached capacity or whether folks are simply staying within the supported numbers. As for processing encryption/decryption, if we’re talking virtual appliances, adding more cores and/or RAM resources would have to make a difference would it not?

Leave a Reply