Citrix Vs VPN/Terminal Services advice

jatkinson

Technical User
Nov 14, 2001
GB
Hi, my firm are looking to implement a remote access solution and, having spoken with several suppliers, we have been left with a Citrix solution vs. Terminal Services via VPN.

I get most of the basics for the solutions but am trying to get an understanding of the differences between the two. I know it would be very difficult to simply ask which is better, but I would appreciate any help in understanding the differences so that I can then form an opinion.

For example, which solution uses what type of security, and what are each solution's weaknesses?

Personally I would prefer to go the Citrix route but feel I'm going to be railroaded into going with VPN/TS.

Any advice please?

PS: initially we are looking to provide access for up to 20 people.
 
jatkinson

Firstly, sorry for the length (and excuse the typos), I hope this doesn't confuse you more than it helps. I also apologise if some of this makes you think "Well, duh....!" but I am trying to cover as many bases as possible.

The first thing to consider is whether you actually want to go to a Citrix implementation or not.
In a nutshell, Citrix is a bolt-on for Terminal Services that dots the i's and crosses the t's, but I would think that for an implementation of your size it may not be required.

Citrix themselves suggest that W2K/W2003 Terminal Services are stable enough for a user base of up to 40 concurrent users; any more than that and IMHO Citrix is a must.

I personally have only used Windows TS for very small numbers of users (5-10 concurrent), so have no real advice on how good it is, or not as the case may be, for your environment.

You also need to consider the applications you will be supplying via Terminal Services.
Are you going to be using off-the-shelf apps like MS Office? Or bespoke applications such as in-house databases, modified CRM or ERP packages such as Maximo or PeopleSoft etc.? If you are providing the latter I would suggest the Citrix route as it is far more stable (again, IMO) than TS alone.

Then consider the security aspect.

I gather from your note that you are being offered a Citrix package that includes NFuse, the ability to browse to a web site and get access to your applications without directly logging into your network via VPN.
The three words to keep at the forefront of your mind here are SECURITY SECURITY SECURITY.
Again, in my opinion you cannot provide an NFuse offering without the infrastructure behind it, i.e. a DMZ, RADIUS, certificate and RSA authentication.
I have seen companies provide NFuse access for their clients and have their Citrix server farm with public IPs using only NT authentication to log onto the network; to me you're just asking to be attacked.
With RSA tokens for your clients you are getting an almost impregnable shield (unless someone leaves their PIN, token, username and password in a neat little package in a taxi somewhere).
With this in mind, it's a wonderful tool, and one that is generally accepted with open arms by remote clients as they have the ability to get to their corporate apps from any computer anywhere in the world with simple internet access, and with the beauty of the ICA client can get excellent response times even with dial-up access.

The VPN route is a slightly different method of delivering those apps. There are tangible benefits to getting this architecture if you don't have it already:
stronger security on your existing WAN connections; being able to filter web traffic into and out of your corporate environment, from being able to force browsing through a proxy server for logging purposes to ensuring none of those damn viruses cause significant damage to your network by filtering packets, but that's a whole different story. In the case you mention it will be the method your clients use to get into the network before running the apps.

There is additional work required on the client for this implementation. Each client will need the VPN client, obviously, and it would need to be configured; it also adds maybe a 15% weight on the links due to the encryption, but as far as security is concerned it cannot be equalled.
I would assume at that point you will provide connectivity to your apps and Bob's your uncle, Fanny's your aunt, they have access to their apps. The added benefit of a VPN connection is the ability to get access to the corporate environment as if they were at their desks (with the added consideration of the link lag, of course), so they will be able to browse the network and perform any other tasks as if they were local.

Another consideration should be offline access. One benefit of providing email access to remote clients over VPN as opposed to purely Citrix is that you can enable offline access for the clients, so they can compose and read synchronised mail which will be delivered/updated the next time they connect with the VPN. I have yet to see a successful Citrix-only solution for offline email access other than configuring both the local client and a separate installation of the app for remote access via VPN.

Both solutions have financial overhead of course, the NFuse, RSA etc. being the heavier as there is more background architecture required to do this right. You could buy a VPN box such as a Cisco PIX and install the VPN client and be off relatively cheaply; this has to be considered, especially for smaller roll-outs.

At this point there are too many intangibles in your question, but I hope some of the points I have made help a little. If you'd care to be more specific about what you hope to offer the clients by way of applications and what your existing architecture is like, I will happily get more specific (and try not to make things more confusing).

Many regards,


Nostferatu

"Yesterday is History,
Tomorrow A Mystery,
Today is a gift,
That's why they call it the Present"
 
Hi there

Thanks for your reply, this is great information. Thanks for your time on this.

We are looking at basically a 3-tier solution.
1. To provide remote access to our Practice Management System (Client/Server based but proven to run over thin-client), Outlook and Word.
2. For remote administration from the IT dept. This is where we feel a VPN solution is viable.
3. To provide access to email and diaries for users who are on the move

We have pretty much discounted VPN solutions on their own (except for IT admin use) due to the amount of work involved in securing and maintaining the remote side, the restrictions imposed by bandwidth bottlenecks (a lot of our prospective remote users live in non-ADSL-enabled areas) and the obvious fear of effectively inviting a 'foreign' PC onto our LAN.

I think Citrix looks appealing because of the scalability factor. We are looking to the future and, knowing the constraints of physical space within our office, it isn't beyond the realms of possibility that we'd need to move to either a greenfield site, set up a 2nd office or negate the need for expansion by allowing home workers. This is where we're guessing the 'strengths' of Citrix lie. The VPN/TS solution only got thrown into the mix at the last minute, and what is confusing me is why use 2 solutions, i.e. a VPN secure tunnel to access a thin-client solution such as Terminal Services, if Citrix provides a complete secure solution, or am I getting this wrong? It also seems to me that Terminal Services isn't as scalable, not only with respect to remote access but also to thin-client internal solutions and/or remote sites?

Cheers and thanks again

 
JAtkinson,

Looking at this as a two-part answer and separating the main tasks you're trying to achieve, I would suggest (that's suggest, mind) the following.

You're going to need to provide a remote access system of some description, regardless of the platform you're going to use to deliver your apps, so do not discount VPN for this just yet. I am not sure how many locations you have, but introducing VPN can have dramatic cost reductions on site-to-site links, negating the need for X.25 or leased-line connections, so this could hit two birds with one stone... so regardless of Citrix or Terminal Server, do not discount a VPN solution just yet.

Taking the remote access to one side, the choice you're making is between VPN or NFuse, two very different technologies providing similar functionality in this deliverable.

VPN:

Pluses
1: Gives you total exposure to the network and services available on the network (not just published applications) through a secure tunnel established between client and VPN server.
2: Allows fully controlled access to resources.
3: Gives the opportunity to introduce tighter security on a LAN to the WAN (most have fully configurable firewalls).
4: Allows for synchronisation of mail services (quite a big plus) for remote email clients.

Caveats
1: Slight weight on the connection; can cause more tangible problems with low-bandwidth connections.
2: Requires client installation and configuration.
3: Some VPN solutions can be flaky; some clients will encounter issues with the virtual adapters binding with NICs (something I have seen a lot of with a multitude of various VPN solutions).
4: Does not immediately solve application delivery to the client; will still require a "thin" way of delivering bandwidth-hungry apps to remote users.

NFuse:

Pluses
1: Allows connection to controlled published applications simply through a web browser.
2: Ability to dynamically assign the aforementioned apps (they will refresh in the web page as soon as the user is given permission to access those apps).
3: Connectivity to the application is dependent only on connectivity to the internet, regardless of bandwidth type. The only other requirement is a system with either the ICA client or a Java-capable browser.
4: A secondary or tertiary security solution gives even tighter control of access (i.e. an RSA and/or RADIUS solution; I personally suggest both).
5: Continuation of point 3: access to apps is independent of location; an application delivered to a user at an internet cafe in Tunisia will have almost the same visible application behaviour as for a user at Heathrow International Airport.

Caveats
1: Potentially a much more expensive implementation.
2: No "offline" capability at all.
3: HAS to be implemented correctly. I have ended up picking up the pieces of one too many poorly set up Citrix solutions; CFOs and CEOs get irritated quickly by unstable technology. If it's not going to be done right, don't do it at all, as it will be top of the sh*t list quick.
4: Printing, a long-term bugbear under Citrix, but (costly) solutions alleviate that problem somewhat and it has improved dramatically in MetaFrame XP.
5: Several new technologies required to be learnt by IT staff (Citrix, RADIUS, RSA), which therefore add to administrative cost, although overall admin is reduced as central administration makes a vast difference.

These are just a few pointers, by no means an exhaustive list (sorry, I have just resigned from my current post and have been tasked with getting a huge amount complete before the new IT manager takes his place on the steel throne), so I don't have time to go into huge detail (anyone else wanna add comments.... please :)

Regarding the IT administration, I can STRONGLY recommend installing "Dameware" onto the Citrix boxes as a published app for your IT admins and helpdesk, especially in a multi-LAN environment; we have found it has increased our helpdesk productivity by ridiculous extremes even when it was a localised application. Almost every tool an IT geek would need to administer a client's machine is at your fingertips without any need to pre-install a client: you can take direct desktop control, edit the registry, run a remote DOS session, check the open files/sessions/logons of any client machine available to you, plus lots more. So long as your remote clients are not being NATed off your network and are available to you when they connect, you will even be able to remote to them (just remember link speed in this case WILL be a concern).

Overall there seem to be two "do we, don't we's". Do we implement a VPN for client access or not? Do we implement Citrix or Terminal Services?

In an ideal open-cheque environment I would suggest VPN should be installed as a backup for client access even if you don't actively enable it; it will add security on your WAN and LAN as a device if nothing else. And if you're looking at scalability then Citrix is the only way to go, as you'll end up being bitten on the butt if your Terminal Services implementation is a success and the user base increases significantly.

Of course you could implement VPN and then connect to your Citrix applications from a local client that attaches to the farm once authenticated on the network; you would also be able to use synchronised mail and still benefit from the thinness of a terminal session... But then you need to ensure you have a watertight anti-virus solution too...

I'm rambling :)

If you find this useful and want more, please let me know; I'll happily answer in as much detail as required any questions my humble experience can bring, to the best of my ability. Sorry for any delay in responses for the aforementioned reasons, it's a madhouse in here!!!

Many regards,


Nostferatu

"Yesterday is History,
Tomorrow A Mystery,
Today is a gift,
That's why they call it the Present"
 
Hi

Thanks again for your time, especially in your current situation. I've found your posts extremely helpful and they have gone a long way to help me understand our position that much better.

We currently only have one site, so I'm thinking overall, and without going into the nitty gritty, that a VPN solution combined with Citrix is the way forward in terms of allowing scalability and also options in terms of solutions, i.e. VPN on its own for remote admin, or VPN tunnel then Citrix, or Citrix on its own, etc.

Cheers and good luck in your new post.

 
Very, very useful information, Nostferatu - this would make a good FAQ, if re-stylised!

I hope you don't mind me picking you up on the (minor) point that printing under Microsoft Terminal Services is the real bugbear. Yes, I know Citrix developed TS in the first place, but, unlike Microsoft, they have been actively developing the ICA printing virtual channel and, as you point out, more recently the Universal Printer Driver.

To an end user of course, this is moot, as all they see is what they use. To technical people, however, I think this difference is important as it is one of the ways in which MetaFrame improves upon vanilla Terminal Services.


I would add that running a pilot with "trusted" users would be a good way to introduce this service: get problems ironed out quickly before the general user populace find them, and you can keep this project low on the list that Nostferatu mentioned...

Hope this helps

 
Hiya CitrixEngineer,

Heh, I don't mind you picking up on my error. I know the problem is TS, but because I have very rarely implemented a purely TS solution, whenever I am considering thin solutions I (wrongly) automatically associate everything as "Citrix". But yes, of course you're absolutely correct.

Thank you for your positive comments, I have valued your opinions for a long time on this forum, so an accolade from you is one I welcome very much, cheers !

Jatkinson,

I believe you have come to the right decision, simply for pure scalability and the benefits you will see and, more importantly, that your clients will see. One of the great beauties of a thin solution implemented right is that everyone wins; clients cannot help but notice some of the cool features that are brought to the table and the ease and speed with which they are delivered.

Very best of luck to you and your company, I'm glad my meanderings have been useful.

Best wishes,

Nostferatu

"Yesterday is History,
Tomorrow A Mystery,
Today is a gift,
That's why they call it the Present"
 
Also remember a VPN is a very high threat to your network. I have encountered cases where VPN clients have actually introduced a virus into the network, like Welchia.
 
I wasn't aware that Citrix required TS CALs to run, which has put a serious hole in part of my argument!

Damn
 
Nostferatu, what are your findings and take on a Microsoft Windows 2003 Routing and Remote Access VPN solution across an ISA back-end web-connected server?
 