Original URL: https://www.theregister.co.uk/2010/03/01/citrix_app_firewall_vpx/

Citrix goes virtual with more appliances

Gets physical with web app firewall

By Timothy Prickett Morgan

Posted in The Channel, 1st March 2010 18:31 GMT

The profit margin on a virtual appliance is a lot higher than on a physical one, and when you own your own hypervisor, as Citrix Systems does, then that's two reasons to promote the running of appliance applications inside virtual machines. And so, after some dabbling last year, when it put its NetScaler network acceleration code inside of a Xen VM, Citrix is going all the way with the idea.

At the same time, the company is breaking the key code in what used to be called its WANscaler product (and which was rebranded as Branch Repeater) into separate access gateway and Branch Repeater WAN acceleration modules and selling them separately as virtual appliances running atop XenServer 5.5.

None of this means that Citrix will not sell companies the physical appliances it has been selling for years. If you want to pay the premium or need more bandwidth than the virtual appliances can deliver, then by all means, get physical. And according to Greg Smith, director of the Cloud and Network Products group at Citrix, when it comes to security appliances in particular, some companies still feel more comfortable with a physical appliance. Which is why the NetScaler physical appliances are now being supplemented with five new pieces of gear.

For more than four years, the NetScaler physical appliances, which accelerate applications and provide caching for applications running on the internal network, have included a Web application firewall. This firewall is designed to protect HTML and XML applications from denial of service, SQL injection, and cross-site scripting attacks, and it also secures data and works in conjunction with virtual private networks that give employees remote access to applications. The NetScaler application firewall is the belt that goes along with the network firewall suspenders. And until now, you had to buy a whole NetScaler appliance (at the Platinum Edition level) if you wanted the firewall.

With today's announcement, Citrix is putting out five models of NetScaler physical appliances that just have the application firewall running on them. These boxes are cheaper than the full NetScaler appliances, obviously. The five machines, which are multicore, Intel-based servers, run a hardened version of BSD Unix. Pricing on the NetScaler appliances ranges according to the amount of network bandwidth they can handle.

The MPX 5500 application firewall costs $20,000 and is rated at 500 Mb/sec; the MPX 7500 costs $35,000 and has twice the bandwidth. If you double the bandwidth again to 2 Gb/sec, the MPX 9500 only costs $45,000, and bumping it up to the MPX 10500 and its 3 Gb/sec of bandwidth raises the price to $55,000. The top-end MPX 12500 application firewall is rated at 5 Gb/sec and costs $85,000.

Net-cost software upgrades are available to move from the MPX 7500 to the MPX 9500 and from the MPX 10500 to the MPX 12500. You can also upgrade the software running on the box to get the full NetScaler software stack (acceleration and caching), not just the application firewall. The pricing for that upgrade is basically the net cost between the app firewall and the full NetScaler appliance plus a little premium on top for the hassle.

On the virtual appliance front, Citrix is adding two different products, both of which are derived from the WANscaler product. Branch Repeater VPX encapsulates the WAN caching and acceleration code in a XenServer 5.5 virtual machine and can support 2 Mb/sec, 10 Mb/sec, or 45 Mb/sec of bandwidth depending on the version you buy.

The base Branch Repeater VPX-2 virtual appliance is rated at 2 Mb/sec and costs $4,000. The base Branch Repeater MPX physical appliance is rated at the same throughput and costs $6,000. Basically, you are paying for your own server and saving a little on top. Branch Repeater VPX ships on March 12.

The Access Gateway VPX virtual appliance is just what it says it is, a virtual private network gateway to allow remote offices to get access to applications running back in the data center. The Access Gateway VPX costs $995 and supports 500 concurrent users. The hardware version of the gateway from Citrix rated at the same number of users costs $3,500. Citrix actually started shipping the Access Gateway VPX on February 3, but didn't tell anyone.

The NetScaler VPX virtual appliance that went into beta last May and became generally available in September also runs atop XenServer 5.5; it costs $2,000 for a virtual appliance rated at 10 Mb/sec.

According to Sai Allavarpu, senior director of product marketing at Citrix, companies can put all three virtual appliances on a single server if they want all three functions and push them out into the network as easily as deploying any other server-based workload. With hardware-based appliances, you need to figure out what you need ahead of time, buy the physical appliance, and install it.

When you need more bandwidth or to support more users, you need to do a procurement for new hardware. This takes time, and usually meets with some resistance. What Allavarpu envisions is that companies will deploy physical appliances in their data centers for basic needs and use virtual appliances to augment this capability and to push some of this acceleration and caching function out to the branch offices as well.

All three of the virtual appliances - NetScaler VPX, Branch Repeater VPX, and Access Gateway VPX - come with freebie Express variants that have crimped bandwidth and user support so you can test the code out before shelling out cash. The virtual appliances also support XenServer HA clustering for failover and load balancing. Service providers can get pay-as-you-go utility pricing on the virtual appliances and enterprises can get annual licenses if they don't want to pay for a perpetual license and annual support fees.

Citrix is well aware that XenServer is not the only hypervisor for x64 machines and plans to support Branch Repeater VPX on Microsoft's Hyper-V sometime in the second half of 2010, with an Amazon EC2 image coming out before year's end. VMware's ESX Server hypervisor will be supported at some unnamed later date. Access Gateway VPX will get an Amazon AMI later in 2010, and it will have the same future ESX Server support. No word on Hyper-V for this one. NetScaler VPX is already in tech preview for ESX Server, and it would be surprising if Hyper-V support didn't make it to market ahead of ESX Server. ®