Barracuda vs NetScaler (Gateway)

On 13 December 2013 by Pete Petersen


On a recent project for a Baton Rouge-based client, one of the requirements was for users to access the XenDesktop 7 farm externally without the need for a VPN (and thus internal) connection. The client already had a couple of Barracuda devices in place, so a quest began to see whether they could replace the NetScaler Gateway (fka Access Gateway) functionality. In the past, the answer was negative, but a lot of time has passed since a good study was done.

It boils down to five events that happen when a user interfaces with a StoreFront-fronted XenDesktop 7 environment:

  1. StoreFront (formerly Web Interface) GUI. This is just standard SSL Web traffic. Any ol’ load balancer can handle this. In a highly available environment, this would be load balanced between two or more StoreFront servers. Both NetScalers and Barracudas can handle this functionality. It should be noted, however, that the NetScaler Gateway appliance does not have load balancing; going with a higher NetScaler edition (Standard, Enterprise, or Platinum) may be needed.
  2. Authentication on behalf of the user. The gateway interfaces with the authentication service in order to verify the identity of the user. This process can also include two-factor authentication.
  3. List available desktops and applications. This is still basically just Web traffic at this point, so port 443 on the front-end. Any load balancer will do.
  4. Deliver the ICA file. This is when the user clicks on their desktop or application in the StoreFront interface. The key thing during this process is the injection of STA information into the ICA file by the gateway. If you’re on the inside of the network connecting directly, your ICA file will contain server addressing information. If you’re external through the gateway, you’ll instead get back STA and connection information. This is the part that the Barracuda does not do.
  5. ICA session through gateway. Traversing the Internet with an SSL connection over port 443, the gateway translates that session display stream to port 1494 for communication with the XenDesktop VDA, whether server or client VDA. This takes some doing, but some have reported success in getting non-Citrix load balancers to perform this task.

Summarizing this in a different way, there are two difficult problems in the process and one impossible one. In the end, we have yet to discover a device that can perform step 4.

ICA Process

In step 4, instead of server info (as you would get internally), you get ticket information that the Gateway still has to handle on the client’s behalf (e.g. Address=;40;STA5A1FB064DB01;F5CFC0750CE0F1AFB5BBD06E883D2B27).
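The difference between the two Address forms can be checked mechanically. The following is an added example, not code from the original post or from Citrix: it parses ICA text and flags any Address that carries direct server addressing instead of a ticket, which is what an externally delivered file should never contain. The field layout (version, STA id, ticket), the section name and the internal host are assumptions made for illustration.

```python
import re

# Assumed field layout, inferred from the page's example value:
# ;<version>;<STA id>;<ticket>
TICKET_RE = re.compile(r"^;(\d+);([^;]+);([^;]+)$")

def parse_ica(text):
    """Parse INI-style ICA text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def classify_address(value):
    """Tell a gateway ticket apart from direct server addressing."""
    match = TICKET_RE.match(value)
    if match:
        return {"kind": "sta_ticket", "version": int(match.group(1)),
                "sta_id": match.group(2), "ticket": match.group(3)}
    if value.startswith(";"):
        return {"kind": "unrecognized_ticket"}
    return {"kind": "direct", "host": value}

def audit_external_ica(text):
    """Return (section, kind, value) for every Address that is not a ticket."""
    findings = []
    for name, keys in parse_ica(text).items():
        if "Address" in keys:
            kind = classify_address(keys["Address"])["kind"]
            if kind != "sta_ticket":
                findings.append((name, kind, keys["Address"]))
    return findings

# Constructed samples: section name and internal host are made up;
# the ticket value is the one quoted on this page.
INTERNAL_ICA = "[Desktop1]\nAddress=10.0.0.15:1494\n"
EXTERNAL_ICA = ("[Desktop1]\n"
                "Address=;40;STA5A1FB064DB01;F5CFC0750CE0F1AFB5BBD06E883D2B27\n")

if __name__ == "__main__":
    print(audit_external_ica(INTERNAL_ICA))
    print(audit_external_ica(EXTERNAL_ICA))
```

An empty result for a file captured from outside the network means every Address was replaced with a ticket; any `direct` finding means internal addressing reached the client.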

Which NetScaler appliance gets recommended in the end will depend on the XenDesktop 7 edition that gets implemented, since a NetScaler Gateway Universal License is included with the Platinum edition.