Today’s post is brought to you by the Post Hoc logical fallacy and ambiguity


Generally speaking, we don't respond to competitive commentary that's purposefully antagonistic. The reasons for that vary from corporate culture to the annoying reality that responding confers upon the claims some measure of veracity that they generally do not deserve.

But even technical agitprop can raise points that need to be addressed with respect to the underlying premises upon which the arguments are made. Of late, certain claims coming from Citrix have brought these premises to the fore, and those premises deserve to be addressed.

Issue: Misleading Communications

Recently there has been information from Citrix making the rounds that states or implies that customers should not deploy any F5 device in a Citrix environment, that Citrix will NOT support any XenApp or XenDesktop deployment where any device is used in a Citrix environment, and that devices that work today will not work in the future. Joint customers and potential customers have shared these statements – along with the accompanying Citrix support article and support policy (CTX131547) – for clarification on the part of F5.

Nothing could be further from the truth.

There are three confusing components to this communication: third-party device use, Citrix not supporting XenApp or XenDesktop with third-party devices in place, and those devices working in the future.

Third Party Device Use 

In their published support policy, Citrix states:

“Citrix Systems recommends that any device (hardware or software-based) that rewrites ICA files not be used in any Citrix XenApp or XenDesktop environment. This technical recommendation applies to any product that is deployed in the XenApp or XenDesktop data path, and includes remote access solutions (e.g., SSL VPN products), WAN optimization products, and load balancing devices.

In-depth technical analysis by Citrix developers and engineers has determined that the introduction of any such device has the potential to impact the security, functionality and/or user experience of XenDesktop and XenApp deployments.”

Interestingly enough, this language appears to contradict their own product's functionality and is certainly confusing to customers. This paragraph states that Citrix does not condone any rewriting of the ICA files by any device, and that “introduction of any such device has the potential to impact the security…”. Yet, in his blog post on August 9th, 2010, John Gudmundson, Citrix's Sr. Product Marketing Manager responsible for NetScaler devices, stated that Citrix introduced new security-related features in NetScaler, including one called ICA Rewrite:

"Some administrators would like to rewrite the ICA file directly via the NetScaler rather than using Citrix SmartAccess. This option allows them to control ICA features from the NetScaler without having to create policies on the Citrix XenApp servers for each application. Such rewrite is supported in NetScaler."

These two communications have left customers confused about ICA rewriting, intermediate devices in their data center, and the impact of both on their support and security, because of the ambiguity inherent in the terms “recommends” and “potential.” After all, any device inserted into the data path that manipulates that data has the “potential” to cause problems downstream. This is a vague and ambiguous statement that leaves the reader with the impression that the mere existence of such a solution in the data path can impact deployments, when the reality is that there are likely contributing factors, such as misconfiguration or incompatible rewrites, that are ultimately the cause of downstream trouble. The conflicting blog statement only compounds the confusion, as it makes no mention of the official support policy and actually appears to suggest this option as not only viable, but supported.

Unfortunately, we have no clear answer to offer on whether these conflicting messages from Citrix mean that NetScaler has no advantage in supporting XenApp and XenDesktop over any other load balancer, or whether they are intentionally using one of their products to lock out competitors in another. We certainly invite Citrix to clarify their intentions with respect to ICA rewriting in the hopes that customers will understand its position and competitors will be better able to serve joint customers.

Citrix's Lack of Support for XenApp and XenDesktop When Used with Other Products

Some customers have shared concerns asking what ramifications there may be to their heterogeneous environment. Specifically they cite the possibility of Citrix refusing them support for their XenApp or XenDesktop deployment because they have chosen to use F5 solutions to rewrite ICA files. This is understandable, but not entirely in line with Citrix’s statements on such architectures:

"Technical customer support issues that arise from the introduction of third-party devices that rewrite ICA files must be principally addressed by that third-party vendor. Citrix Technical Support resources will be assigned only after all devices that rewrite ICA files are removed from the environment, and the technical issue is demonstrated to persist. This is necessary to ensure that Citrix technical support teams can obtain proper troubleshooting information to correctly diagnose issues."

This language implies that in case of any third-party devices providing load-balancing or remote access into a XenApp/XenDesktop environment, any issues related to the traffic that passes through those devices must be first addressed by that vendor; Citrix Technical Support resources will only be assigned to the customer if the issue is demonstrated to persist while bypassing those devices. This is a Post Hoc fallacy that assumes because two things occur in a certain order – the introduction of third-party devices and then a technical customer support issue – that the former caused the latter. While it is certainly the case that in some situations this will be true, it is not universally the case.

Still, this is not unexpected, as Citrix cannot possess the necessary expertise in the F5 BIG-IP’s unique advanced functionality. In contrast, F5 encourages its customers to leverage F5’s support organization, which maintains an ISO 9001 certification for quality, to troubleshoot remote access issues into their XenApp/XenDesktop environment. F5 possesses the necessary expertise in many customer applications from many different vendors, such as Microsoft, Oracle, IBM, VMware, Citrix, and many more, and F5 Support regularly takes support calls when access issues to their applications from these and many other vendors arise. F5 Solution SOL13336 fully explains F5's position on supporting customers that use F5 products in front of their Citrix XenApp and XenDesktop environments and outlines all the F5 information and support resources for Citrix integration that joint F5/Citrix customers can utilize. This statement is also of interest to customers interested in using their NetScaler to support applications other than Citrix, as it suggests their potential support response with any heterogeneous environments.

In the event that F5 encounters an issue that requires cooperation from Citrix, it can leverage its membership in the Technical Support Alliance Network (TSANET), which provides bilateral support in the event it is necessary between vendor support organizations. Since both F5 and Citrix are members of the TSANET, both have committed to leveraging each other's support departments to cooperate to resolve interoperability issues for their joint customers. F5 is not sure why Citrix does not seem to live up to these commitments to an organization in which it maintains a premium membership. Please feel free to visit for more information about TSANET and how it should facilitate cooperation between various vendors, including F5 and Citrix.

The Citrix support article does not state they will take the same stance if the device in front of a XenApp or XenDesktop environment is not rewriting ICA files, although that is often implied in communications to potential customers. For example, F5 can load balance Citrix Web Interface servers and XML broker servers, which does not involve any ICA rewrite at all. But does this mean that Citrix expects to troubleshoot those environments without referring customers to F5? What about the use case where F5 is completely replacing Web Interface by publishing Citrix resources on its own by gathering the necessary information from the XML broker? Of course, you, as a customer, are going to call F5 to troubleshoot issues first, as F5 is the first point of entry in the environment and has the responsibility for routing connections to the proper servers and also providing proper ICA files to the clients.

F5 and Future Citrix Support

Citrix's official stance on ICA development continues:

“Citrix is not responsible for any future technical support issues that result from any changes or modifications made to ICA file structures" and “reserves the right to make changes to ICA file structures, syntax, file signing capabilities and validation methods. Citrix does not provide formal notice or technical information to any third-party IT vendor regarding such changes for the purposes of preserving interoperability."

While Citrix continues to develop and enhance the ICA protocol and associated configurations, they have not abandoned older software and client versions, which would ultimately force customers into a mass migration. Citrix’s strategy remains to retain support for legacy clients and authentication methods for existing clients until customers have time to complete migration to newer technology, as evidenced with the introduction of its next-generation Web Interface solution – CloudGateway Express - which brings with it new authentication services and methods.

Despite Citrix’s policy of non-notice regarding such changes, F5 remains committed to ICA and its long history of support for Citrix core virtualization solutions. Most recently, F5 demonstrated this commitment with support for the most recent ICA protocol enhancement, Multi-Stream ICA. Multi-Stream ICA functionality was released by Citrix in August of 2011 as part of the XenApp 6.5 and XenDesktop 5.5 release, which F5 began supporting in its BIG-IP Access Policy Manager (APM) in November 2011 – about the same time support for the new functionality was offered by Citrix in NetScaler Access Gateway Enterprise Edition.

F5 has been providing load balancing and remote access services to Citrix and its customers for over a decade. In fact, Citrix was an F5 customer prior to its acquisition of NetScaler in 2005. F5 has been providing successful remote access into Citrix Presentation Server/XenApp/XenDesktop environments for many customers since 2003 with FirePass SSL VPN and in more recent years with BIG-IP APM and Edge Gateway.

Throughout those years, Citrix has made many changes to XenApp and XenDesktop, as well as ICA protocol enhancements, and F5 has a proven track record of supporting those new features and enhancements to our customers' satisfaction.
