Why Government Agencies Are Urgently Replacing Citrix VPN
For over a decade, Citrix NetScaler (formerly Citrix Gateway/Access Gateway) served as the default remote access platform for government agencies. It delivered VPN tunnels, ICA proxies, RDP gateways, and SSL VPN concentrators – all from a single appliance. It was familiar. It was certified. It worked.
And then came CitrixBleed.
In October 2023, CVE-2023-4966 – a buffer overflow vulnerability in NetScaler ADC and NetScaler Gateway – enabled attackers to steal session tokens from internet-facing NetScaler devices and hijack authenticated sessions, bypassing MFA entirely. The vulnerability affected every NetScaler configured as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server – exactly the configurations every government agency runs. The exploitation was widespread. The breaches were severe. The recovery took months.
In June 2025, it happened again. CVE-2025-5777 – immediately labeled “CitrixBleed 2” – was disclosed as a nearly identical out-of-bounds read flaw with CVSS score 9.3. By July 10, 2025, CISA added it to the Known Exploited Vulnerabilities catalog, officially confirming active exploitation. Imperva reported 11.5 million exploitation attempts. Attackers leaked authentication tokens from memory, hijacked sessions, and bypassed MFA – again.
For government IT directors, the message is no longer ambiguous. The CitrixBleed pattern is not a one-time event. It is a structural vulnerability of the VPN architecture itself – internet-facing appliances that must accept inbound connections to authenticate users, combined with session tokens that, once stolen, grant the same access as a legitimate login.
This guide provides government IT directors with a practical migration path from Citrix VPN to a government Zero Trust architecture – specifically, replacing Citrix NetScaler VPN deployments with Zero Trust Application Access that eliminates inbound ports, enforces per-session verification, and meets federal Zero Trust mandates.
Why the Citrix VPN Architecture Cannot Be Patched Into Zero Trust
Citrix patches address specific CVEs. They do not address the architectural reality that creates the CVEs in the first place.
The Citrix NetScaler VPN architecture requires:
Inbound port 443 exposed to the internet. Every remote user must reach the NetScaler appliance. That means the appliance must accept inbound connections from any IP on the internet. Every inbound port is a scannable, exploitable attack surface. No patch changes this fact.
Authentication at the network layer. Users authenticate to the VPN concentrator, which then grants network-level access. Once authenticated, users are “on the network” – with whatever network reachability the VPN configuration provides. Lateral movement becomes possible.
Session tokens with broad authority. A single authenticated session provides access to multiple backend resources. When CitrixBleed leaked session tokens, each token represented not a single application session but full VPN access for the user’s session duration.
One appliance, one failure domain. The NetScaler appliance handles authentication, session termination, ICA proxying, RDP proxying, and SSL termination. A vulnerability in any of these functions compromises all of them simultaneously.
The mandates are explicit. Executive Order 14028 (May 2021) required federal civilian agencies to move to Zero Trust Architecture. OMB Memorandum M-22-09 set specific goals by end of FY2024 – phishing-resistant MFA, encrypted DNS, network segmentation, application-level access. The complete federal Zero Trust implementation roadmap provides the full context for these mandates.
Citrix VPN architecture does not align with any of these requirements. It is a perimeter security model retained in a Zero Trust mandate environment – a structural mismatch that patches cannot resolve.
What Zero Trust Application Access Provides Instead
Zero Trust Application Access replaces the Citrix VPN model with an architecture that inverts the trust assumptions:
Zero inbound ports. Instead of the NetScaler appliance accepting inbound connections on port 443, an Access Controller inside the protected network initiates outbound connections to an Access Gateway in the DMZ or cloud. No ports are opened inbound. The internal network is architecturally invisible from the internet.
Application-level access, not network-level. Users authenticate and receive access to a specific application – not to a network segment. An authorized user who connects to a specific RDP target cannot reach other systems on the network. Lateral movement is eliminated by design.
Per-session verification. Every session requires MFA. Every session is evaluated against current device posture, user role, and access policy. A valid credential from two minutes ago does not automatically grant access now – the session is verified fresh.
Integrated session recording. Every RDP, SSH, and HTTPS session is recorded – video, keystrokes, file transfers. No separate PAM product required. The audit trail is built into the access path.
No VPN client on endpoints. Clientless access through a standard browser, or lightweight native clients for specific use cases. No software to deploy, patch, or manage at scale on government endpoints.
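The difference between network-level and application-level access, and the per-session verification rule above, as an added example in Python. This is illustrative code written for this page, not TerraZone truePass or Citrix code; the application catalogue, the backend addresses, the 60-second MFA freshness window and the VPN-routed range are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical application catalogue: app name -> (allowed roles, backend host).
# Names and addresses are constructed for this example.
APP_CATALOGUE = {
    "hr-portal":     ({"hr"},       ip_address("10.10.1.20")),
    "finance-erp":   ({"finance"},  ip_address("10.10.2.30")),
    "jump-host-rdp": ({"sysadmin"}, ip_address("10.10.9.5")),
}

# Assumed freshness window: MFA must have been completed for *this* session,
# so a factor verified two minutes ago does not carry over.
MFA_FRESHNESS = timedelta(seconds=60)

# Network-level model: one VPN login grants reachability to a whole routed range.
VPN_REACHABLE_NETWORK = ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    target_app: str
    mfa_verified_at: Optional[datetime]  # when the user last completed MFA
    device_compliant: bool               # posture result reported for this session
    requested_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    reachable_hosts: frozenset  # the only hosts this session may talk to


def evaluate_session(req: AccessRequest) -> Decision:
    """Application-level, per-session decision: every check runs on every session."""
    policy = APP_CATALOGUE.get(req.target_app)
    if policy is None:
        return Decision(False, "unknown application", frozenset())
    allowed_roles, backend = policy

    if req.mfa_verified_at is None:
        return Decision(False, "mfa required", frozenset())
    if req.requested_at - req.mfa_verified_at > MFA_FRESHNESS:
        return Decision(False, "mfa too old for this session", frozenset())
    if not req.device_compliant:
        return Decision(False, "device posture failed", frozenset())
    if not (req.roles & allowed_roles):
        return Decision(False, f"role not authorised for {req.target_app}", frozenset())
    # Grant is scoped to one backend, never to a network segment.
    return Decision(True, "allowed", frozenset({backend}))


def vpn_session_reachable(host: str) -> bool:
    """Network-level model (the VPN pattern): after one login, any host in the
    VPN-routed range is reachable, so lateral movement is possible."""
    return ip_address(host) in VPN_REACHABLE_NETWORK


def zero_trust_reachable(req: AccessRequest, host: str) -> bool:
    """Application-level model: only the target application's backend is
    reachable, and only when this session's checks all passed."""
    return ip_address(host) in evaluate_session(req).reachable_hosts


if __name__ == "__main__":
    now = datetime(2025, 7, 10, 12, 0, tzinfo=timezone.utc)
    alice = AccessRequest("alice", frozenset({"hr"}), "hr-portal",
                          now - timedelta(seconds=10), True, now)
    print(evaluate_session(alice))
    # The finance backend: reachable after a VPN login, not under Zero Trust.
    print(vpn_session_reachable("10.10.2.30"), zero_trust_reachable(alice, "10.10.2.30"))
```

The contrast to take from the two reachability functions: with the VPN model the decision is made once at login and the grant is a network range; with the application model the decision is re-made for each session and the grant is a single backend.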
TerraZone’s truePass platform provides this architecture through patented Reverse Access technology, delivering Zero Trust Access that meets federal Zero Trust mandates without the architectural vulnerabilities of traditional VPN appliances.
The Citrix-to-Zero-Trust Component Mapping
Government agencies running Citrix NetScaler typically operate multiple Citrix components simultaneously. Understanding what each component does – and what replaces it – is the foundation of a successful migration.
| Citrix Component | What It Does | Zero Trust Replacement | What You Gain |
|---|---|---|---|
| NetScaler Gateway (VPN virtual server) | SSL VPN for remote employees accessing agency network | Access Gateway + Access Controller with per-session policy | Zero inbound ports, application-level access, per-session MFA |
| NetScaler ICA Proxy | Proxies Citrix ICA sessions to internal Virtual Apps/Desktops | Browser-based application access with native RDP/HTTPS | No ICA-specific protocol exposure, works with any IdP |
| NetScaler CVPN (Clientless VPN) | Clientless browser-based VPN access to internal web apps | Native clientless ZTNA through Access Gateway | Same user experience, no VPN virtual server exposed to internet |
| NetScaler RDP Proxy | RDP gateway for remote desktop access to internal servers | Integrated RDP with session recording and per-session MFA | Video + keystroke recording, no separate PAM product needed |
| NetScaler AAA Virtual Server | Authentication, authorization, auditing for NetScaler | Native integration with agency IdP (Entra ID, Okta, PingFederate) | Eliminates dedicated authentication virtual server as attack surface |
| NetScaler ADC (load balancing) | Load balancing for backend applications | Retained separately – ADC function is not a security gateway | Load balancing stays where it belongs; security moves to Zero Trust |
The critical observation: most NetScaler deployments mix security functions (Gateway, ICA Proxy, RDP Proxy, AAA) with infrastructure functions (ADC load balancing). The migration replaces the security functions. The ADC load balancing function can remain, deployed behind the Zero Trust layer.
Migration Phases: A Practical 16-Week Plan
Replacing Citrix VPN with Zero Trust Application Access is not a single-weekend cutover. It is a phased migration that keeps the agency operational throughout. The following four-phase plan is structured for a typical government agency with 500–2,000 remote users, on-premises applications, and mixed remote access scenarios.
Phase 1: Discovery and Parallel Deployment (Weeks 1–4)
The first phase documents the existing Citrix deployment and stands up the Zero Trust platform in parallel – without disrupting any current user access.
What gets inventoried:
- All NetScaler virtual servers (Gateway, ICA Proxy, RDP Proxy, AAA, Load Balancing)
- All user groups, access policies, and authentication flows
- All backend applications reached through NetScaler
- All MFA integrations (RSA SecurID, Duo, PIV/CAC, etc.)
- Session recording requirements (PAM, compliance)
What gets deployed:
- Access Gateway in the DMZ (no inbound ports on the protected network)
- Access Controller inside the protected network (initiates outbound connections only)
- Integration with agency Active Directory / LDAP / IdP
- Integration with PIV/CAC infrastructure for smartcard authentication
The output of Phase 1 is a fully functional Zero Trust platform running alongside Citrix NetScaler – both operational, no users migrated yet.
Phase 2: Migrate High-Risk User Populations First (Weeks 5–8)
Not all user populations carry equal risk. The migration sequence prioritizes the populations where Citrix VPN exposure creates the highest risk:
Priority 1 – External vendors and contractors. These accounts are the most frequently compromised (Claroty data: 82% of OT intrusions originated from internet-facing remote access). Migrate vendor access first. Each vendor receives a named account, a time-bounded session, MFA per session, and full session recording.
Priority 2 – Privileged administrators. IT administrators, database administrators, and system engineers accessing production systems. Every session recorded. Every access request verified against current policy.
Priority 3 – Remote employees accessing sensitive systems. Finance, HR, legal – users who handle classified or controlled unclassified information.
For each population, Citrix access is retained as fallback for 2 weeks after Zero Trust access is validated. Then Citrix access for that population is revoked.
Phase 3: Migrate General Workforce (Weeks 9–12)
With high-risk populations migrated and validated, the general remote workforce follows. This phase addresses the largest user count – typically 70–85% of all remote users.
The critical success factor is user experience. If the Zero Trust platform is slower, more complex, or less reliable than the Citrix VPN, adoption will stall. The Zero Trust platform should be measurably better:
- Faster connection – no VPN tunnel establishment, direct application access
- No client installation – browser-based access for most applications
- Session continuity – no VPN reconnection when network changes
- Transparent MFA – integrated with existing PIV/CAC or authenticator apps
During Phase 3, Citrix NetScaler remains operational but is no longer the primary access path. User authentication attempts to NetScaler should be monitored – any legitimate attempts indicate migration gaps that need addressing.
Phase 4: Decommission Citrix NetScaler (Weeks 13–16)
The final phase removes the Citrix attack surface entirely. This is not “turn it off” – it is a controlled decommission with evidence preservation.
Week 13: Freeze all new NetScaler configurations. Any new access needs go through Zero Trust platform only.
Week 14: Block inbound internet access to NetScaler virtual servers (Gateway, ICA Proxy, RDP Proxy, AAA). Retain administrative access from agency network only. Monitor for authentication attempts from internet – these represent either attacks or users who have not yet migrated.
Week 15: Export all NetScaler logs, policies, configurations, and session records for compliance retention. Document the decommission in the System Security Plan.
Week 16: Power off NetScaler appliances. Remove from DMZ. Update network diagrams, firewall rules, and change management records.
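The monitoring called for in Phase 3 and in Week 14 (authentication attempts still reaching NetScaler, which are either unmigrated users or probing) as an added Python example. This is illustrative code for this page, not a TerraZone or Citrix tool; the log lines are constructed, generic syslog-style events and are not the real NetScaler log format, and the internal address ranges are assumed RFC 1918 space.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed, generic syslog-style gateway authentication events (NOT the real
# NetScaler format). Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-07-14T03:12:44Z gw1 auth user=jsmith src=203.0.113.45 result=SUCCESS
2025-07-14T03:13:01Z gw1 auth user=admin src=198.51.100.7 result=FAILURE
2025-07-14T03:13:02Z gw1 auth user=root src=198.51.100.7 result=FAILURE
2025-07-14T03:13:03Z gw1 auth user=test src=198.51.100.7 result=FAILURE
2025-07-14T09:02:10Z gw1 auth user=mlee src=10.20.5.17 result=SUCCESS
2025-07-14T09:05:33Z gw1 session user=mlee src=10.20.5.17 event=logout
"""

# Assumed agency-internal ranges: administrative access from here is expected
# during Week 14, when internet access to the virtual servers is blocked.
INTERNAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_auth_events(text):
    """Return only the authentication events; other line types are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_internal(src, internal_networks=INTERNAL_NETWORKS):
    addr = ip_address(src)
    return any(addr in net for net in internal_networks)


def triage(text, internal_networks=INTERNAL_NETWORKS):
    """Split gateway auth attempts into the three buckets Phase 4 cares about:
    - internal_admin: expected administrative use from the agency network
    - migration_gaps: successful internet logins, i.e. users not yet migrated
    - probing_sources: failed internet attempts, counted per source address
    """
    gaps = defaultdict(set)
    probing = Counter()
    internal_admin = 0
    for ev in parse_auth_events(text):
        if is_internal(ev["src"], internal_networks):
            internal_admin += 1
        elif ev["result"] == "SUCCESS":
            gaps[ev["user"]].add(ev["src"])
        else:
            probing[ev["src"]] += 1
    return {
        "internal_admin": internal_admin,
        "migration_gaps": {user: sorted(srcs) for user, srcs in gaps.items()},
        "probing_sources": probing,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user, sources in report["migration_gaps"].items():
        print(f"not yet migrated: {user} from {', '.join(sources)}")
    for src, count in report["probing_sources"].most_common():
        print(f"failed internet attempts: {src} x{count}")
    print(f"internal administrative logins: {report['internal_admin']}")
```

Each name in migration_gaps is a work item for the migration team (the user still has a working NetScaler path), while the probing_sources counts are what remains once inbound access is blocked and are the justification for the Week 16 power-off.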
The SANS ICS/OT 2025 survey found that 40% of OT security incidents caused operational disruption. The migration sequence above ensures that the replacement happens without creating new disruption – each phase has rollback capability, each population has parallel access during validation, and the Citrix decommission happens only after the Zero Trust platform has demonstrated full coverage.
For agencies following this pattern as part of a broader strategy, a complete cross-network consolidation approach extends the same principles to file sharing, vendor access, and inter-network data transfer – eliminating not just the VPN but the entire multi-vendor boundary security stack.
Compliance Mapping: Citrix VPN vs. Zero Trust Against Federal Mandates
Government IT directors cannot evaluate this transition on security merits alone. Federal mandates impose specific requirements, and the platform selection must map directly to them.
| Federal Requirement | Citrix NetScaler VPN | Zero Trust Application Access |
|---|---|---|
| EO 14028 – Zero Trust Architecture | Does not align – perimeter-based model | Directly aligned – never-trust-always-verify |
| OMB M-22-09 – Phishing-resistant MFA | Configurable but applied at VPN login only | Applied per-session, integrated with PIV/CAC |
| OMB M-22-09 – Network Segmentation | Network-level access enables lateral movement | Application-level access eliminates lateral movement |
| OMB M-22-09 – Device Posture | Limited device posture checks at VPN login | Continuous device posture verification per session |
| CISA ZTMM – Identity Pillar | Scores at Traditional maturity | Scores at Advanced/Optimal maturity |
| CISA ZTMM – Network Pillar | Scores at Traditional – macro segmentation only | Scores at Advanced – per-application microsegmentation |
| FedRAMP – Boundary Protection | Accepts inbound connections (SC-7) | Zero inbound ports – exceeds SC-7 requirements |
| FISMA – Access Control (AC-17 Remote Access) | Meets baseline with VPN + MFA | Exceeds baseline with per-session verification |
| NIST SP 800-207 | Does not align – network location as trust | Directly aligned – identity-based trust decisions |
| DISA STIG – NetScaler Gateway | Requires extensive hardening, frequent CVE response | N/A – no NetScaler Gateway to harden |
The compliance evidence is not abstract. Auditors performing ATO reviews examine architecture diagrams, configuration baselines, and session logs. Zero Trust Application Access produces evidence that directly answers ZTMM maturity questions. Citrix VPN architecture requires compensating controls and documented exceptions to meet the same requirements.
Common Migration Objections and How to Address Them
Government IT directors planning Citrix-to-Zero-Trust migrations encounter predictable objections. Each has a direct response.
Objection 1: “We just upgraded our NetScaler licenses for three more years”
The licenses are a sunk cost. The question is not whether the licenses are paid for – the question is whether continuing to operate the NetScaler infrastructure creates more risk than the savings justify. CVE-2023-4966 and CVE-2025-5777 demonstrated that NetScaler is a repeat target for critical vulnerabilities. The cost of a single CitrixBleed-class breach – incident response, forensic investigation, notification, remediation – typically exceeds the value of remaining license terms.
Objection 2: “Our users are trained on Citrix Workspace, they’ll resist change”
User experience is the right concern. The answer is to demonstrate that the Zero Trust platform provides a better experience – faster connections, no client installation, session continuity across network changes. Run a pilot with power users from IT and a skeptical business unit. Let them compare. Document the results.
A side-by-side breakdown of ZTNA vs. VPN provides the user-experience comparison points that power users typically notice first – session establishment time, MFA integration, and reconnection behavior across network transitions.
Objection 3: “We need Citrix for ICA-specific features (HDX optimization, printer redirection, USB redirection)”
Some use cases genuinely require Citrix’s ICA-level features – typically CAD/CAM workstations, medical imaging, or specialized graphics. For these specific workloads, retain Citrix Workspace – but move the access boundary. Users reach Citrix Workspace through the Zero Trust platform, not through an internet-facing NetScaler Gateway. The NetScaler Gateway attack surface is eliminated; Citrix Workspace functionality is preserved.
Objection 4: “We need to maintain Citrix for legacy applications that can’t be migrated”
Legacy applications that cannot run through modern access protocols are accommodated through the Zero Trust platform’s protocol support – RDP, SSH, HTTP/HTTPS, and TCP-based applications. The access method changes (Zero Trust instead of VPN) but the backend application is untouched. If a genuinely unsupportable protocol exists, it typically runs through a dedicated application gateway behind the Zero Trust layer – not through a user-facing VPN.
Objection 5: “Our compliance requirements specifically mention VPN”
This objection is usually based on outdated compliance documents. Review the actual mandate text. EO 14028, OMB M-22-09, and NIST SP 800-207 all require Zero Trust Architecture – not VPN. If an agency-specific policy mentions VPN, that policy should be updated to align with federal Zero Trust mandates. The compliance direction moves away from VPN, not toward it.
How TerraZone’s truePass Platform Addresses Government Requirements
TerraZone’s truePass platform was designed specifically for environments where traditional VPN architectures cannot meet security and compliance requirements – classified networks, OT/SCADA infrastructure, data sovereignty constraints, and federal Zero Trust mandates.
Core capabilities relevant to Citrix VPN replacement:
Patented Reverse Access architecture. The Access Controller inside the protected network initiates outbound connections to the Access Gateway. No inbound ports are opened. The CitrixBleed attack vector – exploiting an internet-facing VPN appliance to leak session memory – is architecturally eliminated because there is no internet-facing appliance to exploit.
Native PIV/CAC integration. Federal employees authenticate with their PIV cards. DoD personnel use CAC tokens. truePass integrates with the PIV/CAC certificate chain natively – not through a third-party authentication broker.
Integrated session recording. Every RDP, SSH, and HTTPS session is recorded. The recording is part of the access path – not a separate PAM product. For government agencies that currently run NetScaler plus a separate session recording product, the consolidation eliminates a second vendor relationship.
On-premises deployment. All data stays within agency-controlled infrastructure. No traffic traverses commercial cloud infrastructure. This is critical for classified systems, ITAR-regulated data, and agencies with data sovereignty constraints.
truePass Gravity for OT/SCADA connectivity. Agencies with operational technology – water utilities, power systems, transportation infrastructure, border security OT – can extend the same Zero Trust architecture to OT environments. truePass Gravity provides the same zero-inbound-port architecture with OT-specific capabilities including SMB Proxy with CDR scanning for firmware updates and configuration files.
FedRAMP and DISA STIG alignment. truePass architecture directly addresses FedRAMP boundary protection controls and DoD STIG requirements. The compliance package is built into the platform, not assembled from multiple products.
Frequently Asked Questions
How long does replacing Citrix VPN with Zero Trust actually take?
A standard migration following the four-phase plan completes in 16 weeks for a government agency with 500–2,000 remote users. Larger agencies or more complex environments (multiple NetScaler clusters, extensive ICA customization, multiple AAA policies) may extend to 20–24 weeks. The critical path is not technical deployment – it is user migration and validation.
Do we have to replace Citrix Workspace too?
No. Citrix Workspace delivers virtual apps and desktops. It is the virtualization layer. The Zero Trust platform replaces the access gateway layer (NetScaler Gateway, ICA Proxy, RDP Proxy). Users continue using Citrix Workspace – they just reach it through Zero Trust Application Access instead of through an internet-facing NetScaler.
What about Citrix Cloud deployments?
Citrix Cloud changes the ownership model but not the architectural issue. Citrix-managed cloud services still route traffic through Citrix infrastructure, and Citrix-managed ADC/Gateway is subject to the same CVE patterns as customer-managed. Government agencies evaluating Citrix Cloud face additional data sovereignty questions – where is the Citrix infrastructure physically located, and what foreign government access might exist under CLOUD Act or equivalent foreign legislation. For classified or regulated workloads, on-premises Zero Trust deployment remains the appropriate architecture.
How do we handle PIV/CAC authentication during migration?
Zero Trust platforms designed for government environments integrate with PIV/CAC infrastructure natively – the user experience is identical to or better than NetScaler’s PIV/CAC handling. During parallel operation (Phases 1–3), users can authenticate with PIV/CAC to either platform. After migration, PIV/CAC authentication flows through the Zero Trust platform only.
What happens to our NetScaler ADC load balancers?
NetScaler ADC load balancing functionality is separate from NetScaler Gateway security functionality. The load balancing function can remain operational, deployed behind the Zero Trust layer. Users reach the load-balanced application through the Zero Trust platform; the load balancer distributes traffic across backend servers as before. The security boundary moves to Zero Trust; the load balancing function is preserved.
Will our ATO need to be re-approved?
Yes – but the re-approval is typically faster than the original ATO. Replacing a perimeter VPN architecture with a Zero Trust architecture directly aligns with the ZTMM maturity levels that ATOs increasingly require. The Authorizing Official is reviewing a system that moves toward compliance, not away from it. Documentation packages from Zero Trust vendors typically include pre-built ATO templates that accelerate the process.
Can we migrate incrementally instead of all at once?
Yes – and incremental migration is the recommended approach. The four-phase plan is specifically designed for incremental migration. Parallel operation throughout Phases 1–3 ensures that any issue with the Zero Trust platform does not disrupt user access, because Citrix remains available as fallback until each population is validated on the new platform.
Conclusion
For government IT directors, the decision to replace Citrix VPN with a government Zero Trust architecture is not about whether Citrix NetScaler appliances are patched. It is about whether the architectural model – internet-facing appliances accepting inbound connections, network-level access after VPN authentication, session tokens with broad authority – is appropriate for an agency operating under federal Zero Trust mandates and facing adversaries who have repeatedly demonstrated the ability to exploit that model.
CitrixBleed in 2023 and CitrixBleed 2 in 2025 were not isolated incidents. They were demonstrations that the VPN architecture itself is the vulnerability – not any specific patch level. The federal mandate environment – EO 14028, OMB M-22-09, CISA ZTMM, NIST SP 800-207 – is explicit about the required direction. Zero Trust. Not VPN.
The migration path is practical and proven. Four phases. Sixteen weeks. Parallel operation throughout. High-risk populations first, general workforce second, controlled Citrix decommission last. The replacement platform provides zero inbound ports, application-level access, per-session verification, integrated session recording, and native PIV/CAC – exactly the capability set that federal Zero Trust mandates require.
The question for government IT directors is no longer whether to replace Citrix VPN with Zero Trust Application Access. The question is which quarter this migration begins.