Migrating from Citrix NetScaler to F5 BIG-IP: History, Migration Strategies, and Feature Mapping.

It’s fascinating to reflect on the last 20+ years of competition between NetScaler and F5’s BIG-IP. Both products helped fuel the initial boom of the Internet by providing first of its kind scaling, high availability, security, and traffic intelligence for the new World Wide Web. In the early 2000s, the Internet was bursting at the seams, but because of F5’s and NetScalers technology, companies were able to scale their applications with little to no changes to their apps. Most folks don’t realize Citrix acquired NetScaler In 2005, which was a great fit at the time – as Citrix needed a proxy they could customize to provide visibility into their VDI solutions. They could continue to recommend F5 (yep at the time F5 was the preferred LB vendor for Citrix), or they could bring the functionality in house and have full control. Buying F5 at the time would have been tough, they had great momentum and no real motivation to be acquired. They also had a head start on NetScaler – F5’s first product shipped in 1997, vs NetScaler in 2000. NetScaler, likely feeling the pressure, was ripe for the picking. So what happened after that acquisition in 2005? Spoiler alert: Nearly 20 years later the answer to that question has never been more consequential for the thousands of orgs still running Netscalers today.

F5 & Citrix History – How did we get here?

How did we get to the point where the majority of Citrix customers are looking to migrate from Citrix NetScaler to F5 BIG-IP?  I believe the crux of NetScalers’ demise, and why F5 has become the clear winner in the ADC space, is focus, innovation, and strategic acquisitions. Remember, F5 started as a load balancing company, focused on application delivery. While that focus has evolved to include more security & AI, application delivery is still the main focus of the company. This focus has allowed F5 to keep innovating, evolving and acquiring companies that support their focused mission around application delivery and security. This was not the case for Citrix, NetScaler was an add-on acquisition and has always competed for attention with their main focus – Virtual Desktop Infrastructure (VDI).

Over the years Citrix has been severely distracted by the competitive pressure they’ve faced with their core VDI business and subsequently put very little focus on evolving NetScaler. Looking at their acquisition history, it tells a clear story where Citrixs’ focus has been. Outside of following acquiring Teros for their WAF in 2005 a few short months after the Netscaler pickup, the acquisition list has had very little to do with advancing NetScaler. Citrix was happy to keep the status quo with NetScaler after adding the WAF, and position it within their VDI architecture to provide high availability for the servers that made up their solutions and extra visibility into those VDI traffic streams. But as cloud apps became more popular, and continue to, there are less apps on premise, making it hard to justify the price tag for Citrix to deliver the handful of apps on premise folks still need to access remotely.  Additionally, there are now a multitude of alternatives for accessing apps on premise or hosted in the cloud, including offerings from heavy hitters like Microsoft, AWS, and Omnissa (what VMware turned into). To put it simply, since Citrix VDI has lost a lot of market share with their core solutions around VDI, there isn’t a good reason to stay on the NetScaler platform.

Interestingly enough, the covid-19 pandemic accelerated Citrix’s decline. One would think everyone in America forced to work from home would be good for Citrix’s remote app solutions, but that wasn’t the case. Overall Citrix didn’t do a good job of seizing the opportunity, and the situation fueled an appetite to try alternatives. During that time Citrix was busy focusing on the Wrike acquisition, what’s Wrike you ask? Wrike is project management software and was Citrix’s last acquisition in 2021 for 2.25 billion dollars – yes 2.25 with a B, before being acquired by private equity in 2022. Citrix’s intent with the acquisition is to bring project management features to the Citrix Workspace offering. I can see the potential with workspace, but I’m having a hard time making the connections between NetScaler and Wrike. It might open the doors to new customers, but I can’t see many benefits past that for Netscaler. Ironically, Wrike was a Vista Equity Partners portfolio company, who with Evergreen Coast Capital acquired Citrix in 2022 for 16.5 billion. What happened next is where things really started to fall apart.

Citrix isn’t really Citrix anymore. After the “take private” closed in late 2022, Vista and Elliott merged Citrix with TIBCO to form Cloud Software Group (CSG), which is a Fort Lauderdale-based holding company now run by ex-Broadcom Software exec Tom Krause. NetScaler is a business unit inside CSG’s Citrix BU — sharing oxygen with TIBCO, Spotfire, Jaspersoft, ShareFile, and a handful of other software assets. If you thought NetScaler had to compete for attention back when Citrix was just doing VDI, imagine how it fares inside a multi-brand PE conglomerate that’s done two rounds of layoffs since formation. The pattern is exactly what you’d expect — and the customer impact has been brutal.

F5 on the other hand has stayed focused, evolving BIG-IP far past the original Local Traffic Manager (LTM) module, and has a history of solid acquisitions that advance their platform. Lets take a look ath the F5 acquisitions in a chronological order:

• uRoam, Inc. – July 2003 – SSL VPN / clientless secure remote access software. Became the basis for the FirePass SSL VPN appliance and, ultimately, BIG-IP APM (Access Policy Manager) – one of the first acquisitions to push BIG-IP beyond LTM into a modular platform, and still a core BIG-IP module today.
• MagniFire Websystems, Inc. – May 2004 – Israeli web application firewall vendor (TrafficShield product). Became BIG-IP Application Security Manager (ASM), later rebranded BIG-IP Advanced WAF – the anchor security module on the BIG-IP platform for two decades and the foundation of F5’s modern WAF franchise.
• Swan Labs Corporation – September 2005 (closed Q1 FY2006) – WAN optimization (WANJet appliance) and web application acceleration (WebAccelerator). WebAccelerator was ported onto TMOS as a BIG-IP module; WANJet was eventually shelved. A failed bet against Riverbed in the WAN-opt market.
• Acopia Networks, Inc. – August 2007 (closed September 2007) – Intelligent file virtualization (ARX switches creating a global namespace over heterogeneous NAS). Became F5’s “Data Solutions” / ARX product line. End-of-sale by 2013 – widely regarded as F5’s worst acquisition; the market collapsed as NetApp/EMC absorbed file virtualization natively.
• Crescendo Networks (IP assets only) – August 2011 – Asset purchase out of Crescendo’s Israeli liquidation. L4–7 application delivery IP plus engineering talent that seeded F5’s Tel Aviv R&D office. Effectively a fire-sale acqui-hire.
• Traffix Systems – February 2012 – Israeli 4G/LTE Diameter signaling router and load balancer (Signaling Delivery Controller / Diameter Routing Agent). Became BIG-IP Diameter Traffic Manager – F5’s foothold in the telco/service-provider control plane and the basis for its mobile carrier business.
• LineRate Systems – February 2013 – Boulder, CO software-based L7 proxy/load balancer running on commodity x86 with a Node.js datapath scripting model (a software ADC before software ADCs were a category). Productized as BIG-IP LineRate Proxy; later EOL’d, but the programmability concept presaged the software-ADC direction that NGINX eventually filled properly.
• Versafe Ltd. – September 2013 – Israeli web anti-fraud, anti-phishing, anti-malware platform with browser-side JavaScript injection and a 24/7 SOC. Became F5 WebSafe and MobileSafe. Functionally superseded six years later by Shape Security.
• Defense.Net, Inc. – May 2014 – Cloud-scrubbing DDoS mitigation service founded by Barrett Lyon (the godfather of DDoS mitigation, ex-Prolexic). Became F5 Silverline – F5’s first real managed cloud service. Silverline brand retired December 2022; the capability now lives in F5 Distributed Cloud DDoS.
• Lyatiss / CloudWeaver – 2015 – French “application-defined networking” startup (multi-cloud network automation and visualization). Small tuck-in; primarily a talent/IP grab that fed F5’s automation roadmap. Never became a standalone product. Notably the last meaningful acquisition under John McAdam before the four-year M&A silence preceding NGINX.
• NGINX, Inc. – March 2019 (closed May 8, 2019) – Open-source web server, reverse proxy, and load balancer (with the NGINX Plus commercial product). NGINX was and is the #1 web server and ingress controller for Kubernetes. The pivotal deal: gave F5 software-first developer credibility, Kubernetes ingress, API gateway, and microservices – and became one of the three official F5 product brands (BIG-IP / NGINX / Distributed Cloud). Strained later when original author Igor Sysoev left in January 2022 and the freenginx/Angie forks emerged.
• Shape Security, Inc. – December 2019 (closed January 24, 2020) – AI/ML-based bot mitigation and online fraud prevention; entrenched in top-10 US banks, airlines, and retailers. Largest acquisition in F5’s history at $1B. Shape – now F5 Distributed Cloud Bot Defense – was and continues to be the #1 bot defense mitigation solution for account takeovers, and the deal came with serious AI & ML IP before AI & ML were sexy. Arguably the most strategically successful acquisition F5 has ever made.
• Volterra, Inc. – January 2021 (closed January 22, 2021) – Multi-cloud and edge-native SaaS platform (VoltMesh service mesh + VoltStack distributed Kubernetes) with global anycast PoPs. Volterra was a very strategic addition; it instantly enabled F5 to become a major player in the cloud space and uniquely positioned them to become the “cloud for clouds.” Volterra is now dubbed F5 Distributed Cloud – the foundation of F5’s entire SaaS franchise covering WAAP, API security, multi-cloud networking, and now the AI security stack. Strategically more consequential than Shape, though half the price.
• Threat Stack, Inc. – September 2021 (closed October 5, 2021) – Boston-based cloud workload protection (CWPP) with runtime intrusion detection for Linux and containers. Pieces folded into F5 Distributed Cloud.

Since then F5 hasn’t slowed down, they’ve made 8 more strategic acquisitions since 2023, every one of them in-line with my thesis, directly advancing their application delivery & security position:

• Lilac Cloud – CDN, January 2023 – integrated into F5’s Distributed Cloud
• Suborbital – Wasm, July 2023 – integrated into F5’s Distributed Cloud
• Wib Security – API security, February 2024 – extending WAAP story
• Heyhack – Automated pen testing – March 2024)
• LeakSignal – Data in transit governance, March 2025
• Fletch – Agentic AI threat intel, June 2025
• MantisNet – eBPF observability, August 2025) rounded out the security and visibility portfolio.
• CalypsoAI – The big one was in September 2025 for $180M. It became the foundation of F5 AI Guardrails and F5 AI Red Team – F5’s purpose built answer for securing LLM and AI API workloads.

Citrix NetScalers – What’s Going to Happen With The Technology?

Since being acquired by private equity in 2022, it’s been clear the new Citrix is continuing to focus on other parts of the business. In March 2023 Citrix ended the sale of NetScaler perpetual hardware & software licenses, and moved to a subscription only model. They also invented a new acronym in the process – “Notice of Change”, which combines End of Sale & End of Maintenance – this was a major breaking point for a lot of NetScaler customers. While this is nice for Citrix’s recurring revenue, a lot of companies still want to account for technology as CapEx vs OpEx.

And the licensing pain didn’t stop with subscriptions. In March 2024, CSG announced a 100% price increase on CSP monthly licenses, effective September 2024 – customers watched their costs double overnight. Legacy CSP “monthly consumption” licensing reached EOL in December 2024. And the next forcing function is here: on April 15, 2026, file-based licensing reached end of life and the new License Activation Service (LAS) becomes mandatory. Customers on legacy perpetual licenses without active maintenance will effectively become unlicensed when they upgrade.

New licensing limitations aside, and questions if hardware will continue, support has had major issues since the split. I’ve had multiple colleagues in the industry who use NetScalers tell me about the struggles they’ve had dealing with support. Check out this reddit post from a few years ago that highlights their website was down when a critical patch was released. One would hope support situation would improve since then, but it’s been more of the same in 2026 – “Citrix Support is just terrible” and “Downgraded Support, No Escalation Method and Phone Support Gone?”.  But this post on Linkedin takes the cake – this gentleman said their Citrix sales rep told them to get off the Netscaler platform. See this public LinkedIn post from a frustrated NetScaler customer, “Citrix sales said that we should move to F5 for load balancing. They have officially given up” – and that’s not the first time I’ve heard that.

When this all went down a few years ago I speculated Citrix could go the same route with Netscaler as Cisco did with the Content Services Switches & Global Site Selectors CSS/GSS technologies and eventually sunset the solution completely to focus on their core solutions, or maybe sold off for parts by the PE parents. Cut scene to today mid-year 2026 we can see that didn’t quite happen. Instead the brand has been separated from Citrix internally, Netscaler now has their own GM and SVP of Engineering. Whether that’s a precursor to an eventual spinoff or just PE portfolio re-orging is unclear.   

Moving on from Citrix NetScaler

For engineers, managers, and lines of businesses that relied on Citrix NetScaler, there’s a distinct feeling of being left holding the bag. The current situation marks a significant turning point for teams that relied heavily on the product, some folks even shaping much of their careers around it. Because of that, the decision around which technology to migrate your NetScalers not only affects your organization, it affects you personally – this is how some of us put food on the table.

I’m here to tell you don’t worry, there’s a silver lining to all of this! F5, the technology that leads the application delivery space, has done all the right things around acquisitions and innovations.  Managers and lines businesses at companies can rest easy knowing in 2026:

• F5 has no plans of removing perpetual licensing options and gives customers the choice of perpetual, subscriptions, and flexible consumption plans that support hardware, software, and their cloud offerings.
• The company financials are very healthy. F5 has long been profitable – as of March 31st 2026 they held 1.443 billion in cash, and reported revenue of $812 million, up 11% year-over-year, driven by particularly strong product momentum.
• Today F5’s BIG-IP powers the majority of leading companies
• There is parity with feature sets of the NetScalers, and more advanced optimizations will be available to you
• There are tried and true migration strategies to minimize risk
• F5 has a clear roadmap for the future of BIG-IP and their cloud offerings, and is investing heavily in their distributed cloud
• F5 has doubled down on BIG-IP’s and has released a plethora of modern features in their new v21 BIG-IP.
• F5 has released their new hardware platforms, the rSeries and Velos, with the new sSeries right behind it – and they are blazing fast. If you prefer HW, you won’t have to worry about your future with F5 and being prepared for the post quantum world.
• F5 now has F5 AI Guardrails & Red-Teaming – specifically designed to secure LLM and AI API traffic.

If you’re an engineer, you should be excited! Not only for the reasons above, but because:

• Your past knowledge will not be lost! While the terminology can be different from NetScaler to BIG-IP a lot of the core concepts stay the same, and your foundational networking knowledge will still apply. 
• F5 BIG-IP LTM has a ton more features and ways to solve common application delivery problems – more tools in your toolbelt!
• F5 LTM is just the base module! Did you know F5 has the #1 Web Application Firewall? This is a perfect entry into getting serious about boning up on HTTP & API security – extending your skill set more into the security space.
• It doesn’t stop there, additional modules include – DNS for Intelligent name resolution, APM (somebody in marketing recently renamed APM to “zero trust”” to augment and enforce authentication any which way you can dream up, and AFM – a full-fledged firewall w/added DoS capabilities. All those modules are part of the Good (LTM), Better(LTM + DNS & AFM) , and Best(Better + APM  & AWAF) bundles.  There’s actually even more modules and add-ons, like the Shape technology that is now integrated bot defense, SSLO for SSL/TLS intelligent air gaps, and CGNAT that most of the ISP’s and big carriers use. And that list is not even an exhaustive list!
• The door is now open to NGINX!  NGINX works in concert with F5 BIG-IP and is the #1 Ingress Controller for Kubernetes (K8)s – you know your butt needs to get up to speed on K8s 😉  F5 has also unified all the NGINX platforms into NGINX One – unifying mgmt planes across the nginx estates.
• F5 Engineers are some of the most sought-after engineers – you’re not going to have any issues finding work once you progress your skill set.
• F5 is an awesome company, with a great culture that is constantly innovating and staying ahead of technology. The community is strong – head over to DevCentral to start interacting with your new peers.

Migration Strategies

The April 2026 Netscaler LAS deadline has pushed folks to migrate off the Netscaler platform faster than they would have liked. Being forced into a migration conversation by a hard licensing date rather than your timeline can be frustrating, but fear not and read on ;).

Planning a migration for critical network infrastructure can be intimidating, but it doesn’t have to be. One of the best things I’ve ever heard is “We don’t plan to fail, we fail to plan” – there are no truer words when it comes to migrating your Netscaler load balancers – or any technology for that matter. With a proper plan in place, you can reduce risk, ensure success, all while raising stakeholders’ confidence in you and your new solution. There are pros and cons to all strategies, and what’s going to be best for you and your org depends on so many factors it’s impossible to give you static advice. With that in mind, I’ll cover two of the most common migration strategies and highlight pros and cons for each:

Forklift Migration

In this strategy you cutover all of your traffic in one night and preserve all layer 3 IP addressing. On the surface forklift migrations can seem very risky, but when planned out well, are actually quite risk averse and can save you a ton of time.  Here’s a quick list of some of the most common and critical pros & cons:

Pros:

• Re-using all layer 3 addressing & keeping layer 2 as similar as possible avoids issues with firewalls, and issues with hard coded IPs for server-to-server communication – Yes, I know you told them to use the hostnames, they still didn’t listen to you :-).
• Since the cutover is typically completed in one night, it drastically cuts down on the time of completion.
• You can further ensure your success by testing the layer 2 & 3 configurations you’re going to use in a separate change window before the cut with temporary addressing – proving out layer 2 and layer 3 works so you’re not chasing it the night of the big migration.
• The back out strategy is clean and fast. Facing an issue once cut-over? Shut down the new devices, bring the old ones back up, encourage the surrounding devices to associate the old macs with the IPs and you’re back in business.

Cons:

• By re-using all the layer 3 IP addresses you lose out on some of the opportunities to clean things up in firewalls, and the opportunity to rearchitect some aspects of the environment.
• Since the cut-over is in one night you don’t get the chance to slowly build up confidence in the new environment. Even a single hiccup with the cutover can result in a cut-back, which will lower confidence in the organization around the solution, putting the pressure on you for round 2.
• If you don’t have your act together around testing, and it takes a long time, it could be challenging to complete the cut in one window.

Piecemeal Migration Strategy

In this strategy you stage the new devices with new addressing, typically in the same vlans/subnets, but not always, app teams test with host files, and cut over an app at a time or batches of apps. While this is often the preference of the risk adverse, it could present more risk, as more is changing, and it’s a much slower process. List of some of the most common and critical pros & cons:

Pros:

• By using all new IPs you get to clean up firewall rules, documentation, and have an opportunity to revisit the l2 & l3 architecture in general.
• Allows ample time for testing via host files. This forces you and your co-workers to clean up hard-coded server to server communication by enforcing the use of DNS. This can be very important in identifying weak spots for high availability – for example, unless you’re using anycast, it’s very hard to provide high availability with one IP ;-).
• You can spend more time improving each application and really diving deep into optimizations the F5 BIG-IP can offer.
• Cutovers & cutbacks are simple DNS changes
• Every successful application / batch cutover raises the confidence for stakeholders and app owners – making it easier / faster as you get further along.

Cons:

• Changing IPs creates a lot of work around firewall rules and possibly routing changes. You’ll need to work hard to ensure you identify all the rules that need to be duplicated and deprecated, while ensuring l3 is going to function as expected.
• Because you’ve allowed each line of business to cutover their apps one at a time or in batches it can quickly turn into death by committee, crippling progress. This happens especially when your early cut-overs are unsuccessful, then everyone gets gun-shy.
• How do you think you’re going find out about those hard coded IPs?? Lol unfortunately for you, it’s typically going to be the hard way! i.e. during the cutover. These types of issues can encourage cutbacks if you’re not given ample time to track down the offending services – make a plan on how you’re going to track them down like sniffing for traffic at the old devices VIPs that were cut over.
• Your efforts to optimize applications if not tested thoroughly could cause problems in production, force cutbacks, and lower confidence in your efforts
• While it offers the opportunity for testing, it’s hard to test the server to server communication traffic, so if there’s a lot of that type of traffic, true testing might have to wait until the prod cutover.

Oh boy can this drag on! Coordinating testing between many groups for a large number of apps can take a lot of work and ultimately time. If you’re not going to be changing a lot in terms of optimizations or architecture, this might be a lot of unneeded busy work that accomplishes the exact opposite of what it was meant to.

How do the Citrix NetScaler and F5 BIG-IP license bundles compare to each other in 2026?

NetScalers’ perpetual and a la carte licensing is gone, instead NetScaler has consolidated into three subscription packages, their current bundles are listed publicly at netscaler.com/pricing:

• Citrix Universal Hybrid Multi-Cloud License (CUHML). Unlimited NetScaler instances across MPX/SDX/VPX/BLX/CPX, 1,000 Gbps aggregate throughput, Premium grade WAF, Bot, API, IP Reputation, and SSL forward proxy bundled in. NetScaler Console included.
• Citrix Platform License (CPL). Superset of CUHML with unlimited throughput. Also bundles Citrix DaaS and CVAD for shops keeping Citrix VDI around.
• NetScaler Fixed-Capacity Subscription. The only true standalone NetScaler option. The catalog is now narrow, just three SKUs: VPX1000 Advanced (1 Gbps), VPX5000 Premium (5 Gbps), and VPX5000 Premium FIPS.

Here’s where it can get confusing. The historic Standard / Advanced / Premium edition tiers still exist under the hood, but 2 of the 3 are effectively dead. Standard has been End of Sale for new purchases since March 22, 2023, existing customers can renew but you can’t buy it out of the gate. Advanced is still around but only in narrow Fixed-Capacity configurations like the VPX1000 (1 Gbps) SKU. Premium is the de facto default. It’s what comes with CUHML and CPL bundles by default, and it’s what most Fixed-Capacity SKUs ship as. If you’re buying NetScaler today, you’re almost certainly buying Premium.
Premium is where the extended features live, including Web App Firewall, Bot Management, API Security, IP Reputation, Integrated Caching (AppCache), and SSL Forward Proxy. Unlike F5, NetScaler doesn’t sell those as standalone add-on SKUs. You’re getting them by buying into one of the bundles or a Premium Fixed-Capacity SKU, or you’re not getting them at all.

To that end, Perpetual licensing is gone – and folks are not happy. Hardware perpetual ended March 2023, VPX perpetual ended March 2025, and on April 15, 2026 the file-based licensing system itself is shut off in favor of the new cloud-tethered License Activation Service (LAS). Translation: The clock is ticking if you’re holding a legacy perpetual license without active maintenance.

While F5 has Extended License Agreement offerings, and subscription options, F5 BIG-IP is still marketed as a suite of modules and can be purchased as perpetual bundles and a la carte – with Local Traffic Manager (LTM) as the base. The Good / Better / Best bundle structure hasn’t changed. Good is LTM. Better is LTM + DNS + AFM. Best is Better + APM + AWAF. Add-ons include SSL Orchestrator, integrated Bot Defense, CGNAT, and others, all of which you can buy à la carte without committing to a Citrix-wide platform subscription. You can read more about the modules and bundles in our article Understanding F5 BIG-IP.

F5 still offers perpetual, subscription, and flexible consumption across the board. What’s expanded around BIG-IP is the rest of the F5 portfolio. F5 Distributed Cloud is the SaaS delivered side for multi cloud networking, WAAP, API security, bot defense, and the AI Guardrails and AI Red Team work that came out of the CalypsoAI acquisition. NGINX One (GA September 2024) unifies NGINX Plus, NGINX OSS, NGINX Gateway Fabric, Unit, and the Kubernetes Ingress Controller under a single enterprise license with a SaaS console.

The difference between F5 & NetScaler licensing is pretty clear –  NetScaler bet on fewer, fatter SKUs and forced cloud activation. F5 kept modularity and gave customers the choice of how to consume. I know why NetScaler did it, everyone loves subcriptions, Wall Street  has been punch drunk on SaaS and subs for years – but not all customers want that or are even allowed to spend opex budget vs capex.

Citrix NetScaler to F5 BIG-IP LTM Comparable Object & Feature Matrix

While there are differences in the concepts and terminology between F5 BIG-IP and the Citrix Netscaler, there are plenty of similarities. Below you’ll find an object naming matrix between the NetScaler vs BIG-IP LTM.

Citrix NetScaler Term	F5 BIG-IP LTM Equivalent – If not LTM, the relevant BIG-IP module is noted.
Subnet IP (SNIP)	Self-IP
SNIP + USNIP enabled	Floating Self-IP (confusing I know – as USNIPs are also used for SNATs, but cover the same functionality as a Floating Self-IP – think in the context of “what do I point my apps to that require me to preserve the source IP? You would point them to the SNIP of choice” ).
USIP	Default behavior for an VIP on an F5, ie no SNAT
USNIP	SNAT
Virtual Server (VS) aka Virtual IP (VIP)	Virtual Server (VS) aka Virtual IP (VIP)
Service Group	Pool
Services	Pool Members
Content Switching	Local Traffic Policies
Application Firewall	Advanced Web Application Firewall WAF module (legacy name ASM)
Responder Policy	Local Traffic Policies and/or iRules
Rewrite Policy	Local Traffic Policies and/or iRules
AppFlow	sFlow, IPFIX On-Box Analytics AVR Module – Included with LTM module by default
NetScaler Application Delivery Management (ADM) and Netscaler Management Analytics System (MAS)	NGINX One console, F5 Distributed Cloud console, BIG-IQ (where applicable), or Cloud.Red from WTIT.
GSLB (Global Server Load Balancing)	DNS module (renamed from GTM – Global Traffic Manager) – Much more robust offering vs legacy Netscaler GSLB
AAA for traffic management	Access Policy Manager (APM) module
IP Reputation	IP Intelligence
SSL Forward Proxy	Forwarding Virtual Server, but can do much more with SSL Orchestrator module for chaining together SSL/TLS decryption with a decision flow
Bot Management	Integrated Bot Defense
AppCache	Used to be Web Accelerator module (WAM), but now F5 includes all the the WAM module features within the LTM module and can be called within a VIP via http profiles like HTTP Caching and HTTP Compression

Citrix NetScaler to F5 BIG-IP LTM SSL / TLS Management

Often folks will have some serious concerns around how SSL management changes and for good reason – It’s something that’s caused sleepless nights for many of us over the years.  The good news is that not much changes conceptually between the platforms and you’ll get an added layer of flexibility & features. F5 uses SSL profiles to bind SSL to VIP’s rather than directly binding the certificates themselves.  Some might say this is just additional complexity, however, if used appropriately SSL profiles allow you to standardize SSL configurations through parent profiles, apply the same cert to multiple use-cases in a scalable fashion, and allows for you to marry the SSL Cipher configuration with the certificate rather than the VIP.  When using profiles appropriately, SSL management becomes easier, as you have far fewer places to update configuration when certificates are renewed/replaced. Additionally, you can enforce SSL ciphers either through parent/child relationships or as part of being married to a specific SSL certificate.

F5 & Citrix VDI Integrations

If you are going to keep Citrix VDI around, but put your NetScalers to sleep, there are a number of integrations F5 offers, and some things it can replace. First and foremost, F5 is not a competitor with the actual VDI technology Citrix offers, it’s the infrastructure pieces that they are competitors to. Below is a list of integrations as well as solutions BIG-IP can replace – like the ability to replace Citrix storefront & Citrix Access Gateways with the F5 BIG-IP APM aka Zero Trust module. Note: Without the NetScalers, you will indeed lose is some increased visibility into VDI user sessions and application usage. That might be a show stopper for you, but it’s more likely you are not using those features.

Citrix StoreFront Integrations & Replacement:

• NetScaler Gateway integrates with StoreFront to manage access to apps and desktops delivered by Citrix Virtual Apps and Desktops​
• F5 Solution: F5 BIG-IP APM can serve as a replacement to the Citrix Access Gateways (CAG), and can host applications on the APM webtop. With the CAGs replaced you have the choice to display the Citrix Storefront native interface, or utilize the APM webtop to obfuscate the Storefront interface. The advantage of doing that allows you to have the same look and feel for storefront and non storefront applications. For example if you could have a resource on your F5 APM webtop for a Citrix VDI resource, VMware horizon resource, 3rd party web application, and RDP resources etc. Check out the deployment guide for the most commonly configured deployments.

Citrix Endpoint Management (EOL Announced):

• Deployment with NetScaler Gateway allows for load balancing and ActiveSync Filtering for Citrix Endpoint Management.
• It also facilitates access from mobile devices using Citrix Mobile Productivity Apps and configures domain and security token authentication​.
• F5 Solution: F5 BIG-IP APM has numerous integrations for dealing with End Point management (Most commonly deployed MDM solutions) as well as has its own endpoint inspection solution powered by OpSwat.  This provides flexibility to use existing enterprise MDM for posture assessment of internal assets as well as the ability to run posture assessment on devices not under management such as BYOD or Business Partners.  Read the article here

Microsoft Intune Integration:

• NetScaler Gateway integrates with Microsoft Intune for Mobile Device Management (MDM), allowing for network access control checks and the setup of micro-VPNs with Microsoft Endpoint Manager.
• This integration includes configuring NetScaler Gateway Virtual Server for Microsoft ADAL Token Authentication and extended support for Azure AD Graph​
• F5 Solution: Microsoft Intune is one of the major MDM solutions that F5 BIG-IP APM supports integration with. Read the Article here

Citrix VDI Alternatives

If you’re not planning to keep any of Citrix’s VDI solutions around, here’s the list of alternatives we’ve seen work well in customer environments, with and without F5. The market has consolidated meaningfully since 2023, so what was a five-item list is now nine entries plus a few honorable mentions. Each option has different strengths, and the best choice depends on your existing infrastructure, integration requirements, and budget constraints. Evaluate each on the usual criteria: ease of management, scalability, user experience, integration capabilities, and total cost of ownership.

For context, Gartner’s August 2025 Magic Quadrant for DaaS names Microsoft, AWS, Citrix, and Omnissa as Leaders, with Parallels, XTIUM, and Dizzion as Visionaries. The market is projected to grow from $4.3B in 2025 to $6.0B by 2029, and net new desktop virtualization deployments are now almost exclusively DaaS, not traditional on-prem VDI.

Omnissa Horizon (formerly VMware Horizon)

• Overview: What used to be VMware Horizon was sold to KKR in July 2024 for roughly $4B and is now its own standalone company called Omnissa, led by CEO Shankar Iyer. The product is officially Omnissa Horizon as of the 8 2412 release. Omnissa reports $1.5B ARR and 26,000 customers.
• Key Features: Mature VDI platform with Blast Extreme protocol, App Volumes, Workspace ONE integration, and GA support for Nutanix AHV as of Horizon 8.2512.
• Strengths: Best-in-class enterprise VDI maturity, and Nutanix AHV support is the big one, it lets you avoid the vSphere requirement and the Broadcom subscription pricing that comes with it. If you’re fleeing one PE-driven licensing mess (Citrix), recommending a product that drags you into another (Broadcom) doesn’t make sense without that escape hatch.

Microsoft Azure Virtual Desktop (AVD)

• Overview: Microsoft’s flagship DaaS platform on Azure with consumption based pricing. The only platform on the market with Windows 10/11 multi-session.
• Key Features: Multi-session Windows 10/11, deepest M365 integration of any DaaS, FSLogix profile management, granular scaling controls.
• Strengths: If you’re already standardized on Azure and Entra ID and have the internal ops chops to manage VMs, FSLogix, and scaling rules, this is where most Microsoft-first enterprises are landing. The DaaSLikeAPro 2024-2025 industry survey ranked it the leading DaaS choice in the market. Trade off: it’s more configurable than Windows 365, which means more rope to hang yourself with.

Microsoft Windows 365 Cloud PC

• Overview: Microsoft’s turnkey, fully vendor managed cloud PC offering. Fixed per user pricing, persistent desktops, no scaling rules to babysit.
• Key Features: Per user per month subscriptions ($28 to $315 depending on spec), full integration with Intune, M365, and Entra, plus the new Windows 365 Reserve preview that lets users spin up temporary cloud PCs for up to 10 days per year.
• Strengths: For SMB and Microsoft-first organizations that don’t want to babysit Azure infrastructure, this is the path of least resistance. Trade off: no multi-session, limited customization, and the cost adds up at scale compared to AVD.

Amazon WorkSpaces (family)

• Overview: AWS’s managed virtual desktop service, now a product family rather than a single SKU. Includes WorkSpaces Personal (persistent), WorkSpaces Pools (non-persistent), WorkSpaces Core (third-party broker integration), and WorkSpaces applications (the rebranded AppStream 2.0).
• Key Features: Hourly metering, fully managed by AWS, browser accessible, Windows Server 2025 bundle support added March 2026. Named a Leader in the 2025 Gartner MQ for the second year in a row.
• Strengths: The simplest hyperscaler-native DaaS if your shop is already on AWS. Pay as you go pricing works well for variable workforces. Trade off: no multi-session Windows (you have to use Server bundles), feature pace has been slower than Microsoft’s, and latency complaints are real if your users are far from an AWS region.

Parallels Remote Application Server (RAS)

• Overview: A comprehensive VDI and app virtualization platform from Parallels, part of Alludo (the 2022 rebrand of Corel). RAS 21.0 shipped in November 2025 with expanded AVD integration, a Cloud Cost Insight dashboard, and Windows Server 2025 Hyper-V support. Visionary in the 2025 Gartner MQ.
• Key Features: Multi cloud and hybrid deployments, built in load balancing, broad protocol and hypervisor support, transparent per user licensing.
• Strengths: This is the cleanest “Citrix replacement” if you want centralized app and desktop delivery across on-prem, Azure, and AWS without committing to Citrix or locking into one hyperscaler. Particularly strong fit for midmarket and enterprise IT teams looking to cut TCO.

Dizzion Frame (formerly Nutanix Frame)

• Overview: Quick correction from the previous version of this article: Frame is no longer a Nutanix product. Nutanix sold Frame to Dizzion (an LLR Partners portfolio company) in May 2023 for $12M, and it’s been operated as part of Dizzion ever since. Nutanix’s current EUC direction is an Omnissa Horizon partnership, not its own DaaS.
• Key Features: Multi cloud delivery across AWS, Azure, GCP, IBM Cloud, and Nutanix, browser based access, broad identity provider integration.
• Strengths: Best fit for compliance heavy mid-enterprise customers (PCI, HIPAA, SOC, GDPR) who want fully vendor managed DaaS without standing up the infrastructure themselves. Dizzion is a Visionary in the 2025 Gartner MQ.

HP Anyware (formerly Teradici)

• Overview: HP Inc. acquired Teradici, the originator of the PCoIP protocol, back in 2021. The Teradici CAS to HP Anyware rebrand is now complete (the dl.teradici.com domain retires October 2025).
• Key Features: PCoIP based remote workstation software with color accurate, lossless remoting. Broad host and client OS support, deploys anywhere from physical workstation to cloud.
• Strengths: The dominant pick for GPU heavy workloads. VFX, CAD, EDA, M&E, AI workstations, financial trading floors, anywhere color fidelity and low latency on 4K matter, PCoIP outperforms ICA, Blast, and RDP. Caveat: HP Anyware isn’t a full DaaS broker on its own, you’ll need to combine it with a management or broker layer.

Workspot

• Overview: Independent cloud native DaaS SaaS, CEO Brad Tompkins. Multi region fabric spanning Azure, AWS, and GCP. Marquee customer Siemens Energy. Niche Player in the 2025 Gartner MQ.
• Key Features: Single console managing cloud PCs across all three major hyperscalers, partner integrations with IGEL for endpoint management.
• Strengths: Best fit for global enterprises that need a single pane of glass across multiple clouds and want to avoid lock-in to any one hyperscaler.

Kasm Workspaces

• Overview: Independent, container based VDI and browser isolation on Kubernetes. Released v1.18 in November 2025, signed an F5 BIG-IP partnership in December 2025, Nutanix-Ready validated.
• Key Features: Containerized streaming of browsers, Linux desktops, and Windows applications. Deploys on Docker or Kubernetes. Strong fit with modern DevOps tooling.
• Strengths: Best fit for DevOps mature orgs, secure browsing use cases, OSINT, government and intel, and education labs. The closest thing to a “modern” alternative on this list and the fastest growing credible upstart in the space. The F5 partnership is particularly relevant if you’re already standardizing on F5 for application delivery and security.

Honorable mentions:

• Microsoft RDS: Still has a role for fully disconnected or third-party cloud deployments, but Microsoft is clearly winding it down. RDS-on-Azure via SPLA ended September 30, 2025, the standalone Remote Desktop client (MSI) reaches end of support March 27, 2026, and M365 Apps support on RDS is committed only through the mainstream support window of each Windows Server release (roughly 2029 for Server vNext). Treat this as legacy, not strategic.
• XTIUM and Anunta: Both are managed DaaS providers, layered on top of Citrix, Microsoft AVD, or Omnissa. Worth a look if you’d rather offload the operational burden to someone else. XTIUM (formed March 2025 from the ATSG and Evolve IP merger) is a Visionary in the 2025 MQ. Anunta is a Niche Player, headquartered in India, particularly strong in APAC and Middle East.
• IGEL OS: Not a VDI broker, but worth mentioning because it converts old hardware into managed thin clients for any of the platforms above (Citrix, AVD, Windows 365, Omnissa Horizon, WorkSpaces). The new “IGEL for Windows” app unifies AVD, Windows 365, and published app access.

Where are you in your Journey? Ready to talk?

​Whether you’ve made up your mind and are navigating away from NetScaler or still deciding, WorldTech IT can help you make the decision that is best for you, and your organization. We’ll give you honest technical answers, and help you work through architecture approaches that are specific to your environment. Contact us today to schedule a call with one of our experts, or ask any questions you have below! 🙂