Citrix Secure Private Access

Secure Private Access 2402 compatibility with legacy versions

February 21, 2024

Contributed by:

C C

Secure Private Access 2402 is incompatible with the legacy versions (2308 and earlier). NetScaler Gateway must be configured using the new script as described earlier in Configure NetScaler Gateway. No configuration is required in the Citrix Virtual Apps and Desktops delivery controller for Secure Private Access legacy versions.

The best way to migrate from legacy versions (2308 and earlier) to 2402 is to clean up the following:

Citrix Virtual Apps and Desktops Delivery controller from Web/SaaS apps
Update Citrix StoreFront to default configuration or create a new store on StoreFront
NetScaler Gateway

Citrix Virtual Apps and Desktops Delivery Controller cleanup

The Secure Private Access applications created on Citrix Virtual Apps and Desktops Delivery Controller can be removed manually or using the PowerShell script.

Manual:

Open Citrix Studio or Citrix WebStudio.
Click Applications.
Select the app, right click, and then select Delete.

Using a script:

Fetch the current Secure Private Access apps by running the following command:

Get-BrokerApplication -Description "KEYWORDS:SPAENABLED"

For details, see Remove-BrokerApplication.
After verifying the apps, run the following command to remove them:

Get-BrokerApplication -Description "KEYWORDS:SPAENABLED" | Remove-BrokerApplication

Citrix StoreFront cleanup

You can either create a new StoreFront store or clean up the existing store.

Create a new StoreFront store: You must create a new StoreFront store for Secure Private Access 2402 as the existing StoreFront stores created for legacy versions aren’t compatible with 2402. This is the recommended option to avoid configuration-related issues.
Clean up existing StoreFront store: The existing store on StoreFront can be cleaned manually or using the script. However, the best option for migrating Secure Private Access on-premises to 2402 is to create a new Store on StoreFront.

Manual:

Find and remove policy.json (e.g C:\inetpub\wwwroot\Citrix\Store\Resources\SecureBrowser\policy.json).
Find and remove folders SecureBrowser (for example C:\inetpub\wwwroot\Citrix\Store\Resources\SecureBrowser) and Resources (for example C:\inetpub\wwwroot\Citrix\Store\Resources).
Remove the “route” node from web.config (you can find it in C:\inetpub\wwwroot\Citrix\Store) with the name “webSecurePolicy” routing to the URL “Resources\SecureBrowser\policy.json”.
Restart the Default Web Site on Internet Information Service (IIS) Manager console to apply changes.

Using a script:

Download the script from https://www.citrix.com/downloads/citrix-secure-private-access/.
Upload the script to a StoreFront machine.
Run the script as administrator on PowerShell.
Enter the Store name.

The Script removes the C:\inetpub\wwwroot\Citrix\Store\Resources folder, subfolder and files, and updates the web.config file.
Restart the Default Web Site on Internet Information Service (IIS) Manager console to apply changes.

NetScaler Gateway cleanup

NetScaler Gateway virtual server

The NetScaler Gateway virtual server created for legacy versions can be reused for Secure Private Access 2402.

To update an existing NetScaler Gateway, see Update an existing NetScaler Gateway.
To configure a new NetScaler Gateway, see Configure NetScaler Gateway.

Session policies and actions

Session policies and actions created for legacy versions can be reused by Secure Private Access 2402.

To update an existing NetScaler Gateway session policies/actions, see NetScaler Gateway session actions.
To configure a new NetScaler Gateway, see Configure NetScaler Gateway

The script also creates fully configured session policies/actions.

Authorization policies

Authorization policies created on NetScaler Gateway for legacy versions can interfere with Secure Private Access 2402 policies and break the flow.

You can do the following to clean up the authorization policies.

Manually unbind the authorization policies from authentication and authorization groups that are used as default groups on NetScaler Gateway. In this case, the policies can be reused.
Remove the authorization policies.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Secure Private Access 2402 compatibility with legacy versions

February 21, 2024

Contributed by:

C C

February 21, 2024

Contributed by:

C C

Secure Private Access 2402 compatibility with legacy versions

Citrix Virtual Apps and Desktops Delivery Controller cleanup

Citrix StoreFront cleanup

NetScaler Gateway cleanup

NetScaler Gateway virtual server

Session policies and actions

Authorization policies

In this article