Systems integrators hoping to integrate Citrix servers and gateways for use with VoIP over a VPN should be aware of this strategy's potential problems. This tip, seen here courtesy of SearchVoIP.com, analyzes some of those weaknesses, including call and performance degradation and how customer hardware and OS limitations may come into play.
My customer is looking to integrate a Citrix P4 server with a Citrix Access Gateway 4.2 for VPN access. I believe the Citrix Access Gateway works with VoIP, although I've heard some reservations about integration. If so, which particular VoIP systems are problematic? What are your thoughts on Mitel?
Networks used for remote access can vary widely in terms of bandwidth and reliable delivery. Because VoIP and other real-time protocols are vulnerable to latency and jitter, poor-quality links can impact user experience and application usability. VoIP users may experience call degradation, voice dropouts, and incomplete or disconnected calls. Remote access VPNs do not necessarily degrade VoIP calls, but encrypting a VoIP call placed over a poor-quality link will make a bad situation that much worse.
Furthermore, application support varies widely across SSL VPN products. In Joel Snyder's December 2005 head-to-head test of 11 SSL VPNs, tested products were only able to pass 40% of VoIP test cases. Some products did not support VoIP, and several required administrative privileges to run client-side programs needed to relay VoIP protocols to SSL VPN gateways.
According to product literature, the Citrix Access Gateway (CAG) SSL VPN product that you are considering does indeed support VoIP tunneling. Several user forum posts describe successful SIP phone usage with commercial Cisco and open source Asterisk VoIP servers. However, the CAG 4.2 Administration Guide states that H.323 protocols are not supported. To achieve better VoIP performance, CAG routes UDP VoIP packets over SSL without requiring acknowledgement, providing UDP-like performance over TCP-based tunnels. A new 4.2 configuration option can also be used to shorten the key used to encrypt VoIP traffic, further reducing latency.
However, it is also critical to consider customer hardware and operating system limitations. IP softphones that run on general-purpose PCs are more easily combined with remote access VPNs. When you install a softphone and a VPN client, VoIP protocols can be forwarded over a secure tunnel to the VPN gateway. But most purpose-built devices, including desktop IP phones, run embedded software only; they usually cannot run third-party Windows or Linux programs. The Citrix Access Gateway does not use a permanently installed VPN client, but it does use a dynamically-invoked Secure Access Client, supplied as a Windows Java or Linux download from the VPN portal. This model seems to fit remote access users that run IP softphones, but not on-premises desktop IP phones that involve neither remote access nor Windows/Linux computers.
I was unable to find any published information regarding CAG / Mitel interoperability, but note that many Mitel products can use proprietary or SIP protocols. I also could not tell whether you plan to use IP softphones or desktop IP phones or both. I recommend that you ask Mitel's technical sales support about the specific network topology and client/server products that you hope to integrate. You may also want to ask for reference customers using any Mitel or third-party VPN with Mitel VoIP products.
About the author
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This tip originally appeared on SearchVoIP.com.
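The tip notes that CAG forwards UDP VoIP packets over SSL without requiring acknowledgement. The following added example (not part of the original tip and not Citrix code) models why that matters on a lossy link by comparing unacknowledged delivery with acknowledged, in-order delivery; the frame interval, link delay, retransmission timeout, jitter-buffer depth and loss pattern are all constructed assumptions.

```python
# Constructed model; every constant below is an assumption, not a CAG setting.
FRAME_MS = 20     # voice frame interval
DELAY_MS = 40     # one-way link delay
RTO_MS = 200      # retransmission timeout of the acknowledged tunnel
PLAYOUT_MS = 60   # receiver jitter-buffer depth


def deliver_unacked(n, lost):
    """Unacknowledged delivery: a lost frame simply never arrives."""
    return {s: s * FRAME_MS + DELAY_MS for s in range(n) if s not in lost}


def deliver_in_order(n, lost):
    """Acknowledged in-order delivery: a lost frame is resent after RTO_MS
    and every later frame waits behind it (head-of-line blocking)."""
    out, released = {}, 0
    for s in range(n):
        arrival = s * FRAME_MS + DELAY_MS + (RTO_MS if s in lost else 0)
        released = max(released, arrival)
        out[s] = released
    return out


def peak_jitter(deliveries):
    """Peak of the RFC 3550 (section 6.4.1) interarrival jitter estimate, ms."""
    jitter, peak, prev = 0.0, 0.0, None
    for s in sorted(deliveries):
        transit = deliveries[s] - s * FRAME_MS
        if prev is not None:
            jitter += (abs(transit - prev) - jitter) / 16
            peak = max(peak, jitter)
        prev = transit
    return peak


def unusable_frames(n, deliveries):
    """Frames that are missing or arrive after their playout deadline."""
    return sum(
        1 for s in range(n)
        if s not in deliveries
        or deliveries[s] > s * FRAME_MS + DELAY_MS + PLAYOUT_MS
    )


def compare(n=50, lost=frozenset({10, 30})):
    """Return (unusable frames, peak jitter) for each delivery mode."""
    a, b = deliver_unacked(n, lost), deliver_in_order(n, lost)
    return {"unacked": (unusable_frames(n, a), peak_jitter(a)),
            "in_order": (unusable_frames(n, b), peak_jitter(b))}
```

With two lost frames out of 50, `compare()` reports 2 unusable frames and no jitter for unacknowledged delivery, against 14 unusable frames and a jitter spike for in-order delivery, because each retransmission stalls the frames queued behind it.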