Get started

This page walks you through how to get started with onboarding and setting up the Access Control service for the first time. As an admin, you must set up authentication, configure access to SaaS apps, and specify the content access settings in Access Control service. Once the settings are complete, the end users can access the service from the Citrix Workspace app or the workspace URL.

Prerequisites and limitations

  1. You must have a Citrix cloud account. For detailed instructions on how to proceed, see Sign up for Citrix Cloud.

  2. You must have the Access Control service entitlement. On the Citrix Cloud screen, in the Available Sevices section, click Request Trial.

    Request trial

    After you receive the service entitlement, the tile is available in My Services. Click Manage to access the service UI.

    Manage

  3. For your end users to use the workspace and access the apps, they must download and use the Citrix Workspace app or use the workspace URL. You must have a few SaaS apps published to your workspace to test the access control solution. The Workspace app can be downloaded from https://www.citrix.com/downloads. In Find Downloads list, select Citrix Workspace app.

  4. If you have an outbound firewall configured, ensure that access to the following domains is allowed.

  • *.cloud.com
  • *.nssvc.net
  • *.netscalergateway.net

More details are available at Cloud Connector Proxy and Firewall Configuration and Internet Connectivity Requirements.

Limitation: You can add only one Workspace account.

Admin settings

The following diagram shows the high-level steps to get started with Access Control service.

high-level-workflow

  1. Set up end user authentication. You must first configure the user’s workspace with the organization’s preferred identity provider, which could be Citrix identity (a unique identity with Citrix Cloud), Active Directory, Active Directory and token, or Azure Active Directory. For information about the different authentication methods and how to select them, see Workspace configuration and Identity and access management.

  2. Configure end user access to SaaS and virtual apps. For detailed steps to configure and publish SaaS apps, see Support for Software as a Service Apps.

  3. Configure web filtering for internet access from SaaS apps. If you have added a SaaS app from the Citrix Gateway service, to return to the Access Control service, click the hamburger icon on the top left of the navigation pane. In My Services list, select Access Control. Click Configure content access settings.

Configure web filtering for internet access from SaaS apps

You are now ready to configure content access settings for your end users accessing the SaaS apps. For example, a link within a SaaS app could point to a malicious website. With content access settings, an administrator can take a specific website URL or a website category and allow access, block access, or redirect the request to a hosted, secure browser instance, helping to prevent browser-based attacks. For more information about secure browser service, see Secure Browser Standard Service documentation at Secure Browser Standard Service.

Note:

A paid Secured Browser Standard Service customer (organization) gets 5000 hours of use per year by default. For more hours, they need to buy secure browser add-on packs. You can track the usage of Secure Browser Service. For more information, see Monitor usage.

The following illustration explains the end user traffic flow.

End user traffic flow

When a request arrives, the following checks are performed, and corresponding actions are taken:

  1. Does the request match the global allow list?

    1. If it matches, the user can access the requested website.

    2. If it does not match, website lists are checked.

  2. Does the request match the configured website list?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, website categories are checked.

  3. Does the request match the configured website category?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, the default action (ALLOW) is applied. The default action cannot be changed.

Perform the following steps to configure enhanced security settings.

  1. Click Configure Content Access.

    Configure content access

  2. Configure website category filtering and/or website lists.

Configure website category filtering

Website categorization restricts user access to specific website categories. Administrators can select from a preset list or customize the categories depending on the deployment. The preset list enables organizations to filter web traffic by using a commercial categorization database. The auto-updating database classifies billions of websites into different categories, such as social networking, gambling, adult content, new media, and shopping. In addition to categorization, each website has a reputation score kept up-to-date based on the site’s historical risk profile. Presets are classified as strict, moderate, lenient, none, and custom. Administrators can tweak presets to add or remove website categories.

  • Strict preset minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with very low risk. Includes most business travel and social media websites.
  • Moderate preset minimizes the risk while allowing additional categories with low probability of exposure from unsecure or malicious sites. Includes most business travel, leisure, and social media websites.
  • Lenient preset maximizes access while still controlling risk from illegal and malicious websites.
  • None preset allows all categories.
  • Custom allows configuring custom filtering of categories.

Perform the following steps to configure website category filtering.

  1. Enable Filter website categories.

    Enable filter website categories

  2. Click Add in the respective section to block website categories, allow website categories, or redirect the user to a secure browser. For example, to block categories, in the blocked categories section, click Add.

    Add website category

  3. Select the categories to block from the list and click Add.

    Add category to block

  4. To allow categories, in the allowed categories section, click Add. Select the categories to allow from the list and click Add.

    Add category to allow

  5. To redirect users to a secure browser, in the redirected to secure browser categories section, click Add. Select the categories from the list and click Add.

    Add category to redirect to a secure browser

  6. Click Save.

    Save website category settings

Configure website lists filtering

The website list feature enables you to control access to specific websites. You can use wildcards, such as *.example.com/*, to control access to all the domains in that website and all the pages within that domain. Perform the following steps to configure website lists filtering.

  1. Enable Filter website list. Click Add in the respective section to block websites, allow websites, or redirect the user to a secure browser. For example, to block websites, in the blocked categories section, click Add.

    Enable filter website

  2. Enter a website that users cannot access and click Add.

    Add website to block

  3. To allow websites, in the allowed websites section, click Add. Enter the website that users can access and click Add.

    Add website to allow

  4. To redirect users to a secure browser, in the redirected to secure browser websites section, click Add. Enter a website that end users can access only from a Citrix hosted browser and click Add.

    Add website to redirect to a secure browser

  5. Click Save for the changes to take effect.

    Add website filter settings

End user workflow

As an end user, you must do the following:

  1. Download the Citrix Workspace app from https://www.citrix.com/downloads. In Find Downloads list, select Citrix Workspace app.

  2. Log on and search for your SaaS apps. Click the app to launch it.

You can now use the SaaS app from within the Citrix Workspace app or from the Citrix Workspace web portal.

Depending on the admin configured settings, your SaaS apps open by using the browser engine within the Workspace app or you are redirected to a secure browser.

The following diagram shows the high-level flow for the Citrix Workspace app.

End user experience with Citrix Workspace app

The following diagram shows the high-level flow for the Citrix Workspace web portal.

End user experience Citrix Workspace web portal

Operating systems support

Citrix Workspace app is supported on Windows 7, 8, 10, and Mac 10.11 and above.

Browser support

Access workspaces using Internet Explorer 11, or the latest versions of Edge, Chrome, Firefox, or Safari.

Citrix Workspace support

Access workspaces using Citrix Workspace for any of the desktop platforms (Windows, Mac).