Supported features
Important:
Citrix SSO for iOS/Android is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.
The legacy VPN client was built using Apple’s private VPN APIs, which are now deprecated. VPN support in the Citrix Secure Access client for macOS/iOS has been rewritten using Apple’s public Network Extension framework. NetScaler Gateway plug-in and VPN for iOS and macOS are no longer supported. Citrix Secure Access for iOS/macOS is the recommended VPN client.
nFactor authentication support for Android devices will become generally available in one of the upcoming releases.
The Citrix Secure Access clients support NetScaler Gateway and Citrix Secure Private Access deployments.
- Citrix Secure Access client features supported in NetScaler Gateway
- Citrix Secure Access client features supported in Citrix Secure Private Access
Citrix Secure Access client features supported in NetScaler Gateway
The following table lists some of the commonly used features supported for each VPN client in NetScaler Gateway.
Feature | Citrix Secure Access for Windows | Citrix Secure Access for macOS | Citrix Secure Access for iOS | Citrix Secure Access for Linux | Citrix Secure Access for Android |
---|---|---|---|---|---|
Always On (user mode) | Yes (11.1 and later) | No | No | No | Yes (via MDM) |
PAC file | Yes (12.0 and later) | Yes | Yes | No | No |
Client proxy support | Yes | No | No | No | Yes. See note 1 |
Max limit of Intranet Applications | 512 | No limit | No limit | 128 | No limit |
Intranet IP (IIP) address support | Yes | Yes | Yes | Yes | Yes |
Split tunnel ON | Yes | Yes | Yes | Yes | Yes |
Split tunnel reverse | Yes | Yes | Yes | Yes | Yes. See note 5 |
Split DNS REMOTE | Yes | Yes | Yes | Yes | Yes. See note 6 |
Split DNS BOTH | Yes | Yes | Yes | Yes. See note 8 | Yes. See note 6 |
FQDN-based split tunnel | Yes, only ON (13.0 and later) | Yes | Yes | Yes | Yes. See note 5 |
Client idle timeout | Yes | Yes | No | No | No |
Endpoint analysis | Yes | Yes | No | Yes | No |
Device certificate (classic) | Yes | Yes | No | No | No |
nFactor authentication | Yes (12.1 and later) | Yes | Yes | Yes | Yes. See note 3 |
EPA (nFactor) | Yes (12.1 and later) | Yes | No | Yes | No |
Device certificate (nFactor) | Yes (12.1 and later) | Yes | No | No | No |
Push notification | Yes (12.1 and later) | No | Yes | No | Yes |
OTP token autofill support. See note 2 | No | No | Yes | No | Yes |
TLS 1.3 support | Yes | Yes. See note 7 | Yes. See note 7 | Yes | Yes |
DTLS support. See note 5 | Yes (13.0 and later) | Yes | Yes | No | No |
HTTPOnly cookies | Yes | Yes | Yes | Yes | Yes |
Global server load balancing (GSLB) | Yes | Yes | Yes | Yes | Yes |
Local LAN access | Yes | Always enabled | Always enabled | No | No |
Notes:
1. Setting a proxy in the client configuration on the VPN virtual server in the gateway configuration for Android 10 and later is supported. Only basic HTTP proxy configuration with IP address and port is supported.
2. Only QR code-scanned tokens are eligible for auto filling. Auto filling is not supported in the nFactor authentication flow.
3. nFactor authentication support for Android devices is under preview and the feature is disabled by default. Contact NetScaler support for enabling this feature. Customers must provide their NetScaler Gateway’s FQDN to the support team for enabling nFactor authentication for Android devices.
4. For details, see Configure DTLS VPN virtual server using SSL VPN virtual server.
5. FQDN-based split tunnel support and reverse split tunnel for Android devices are under preview and are disabled by default. Contact NetScaler support for enabling this feature. Customers must provide their NetScaler Gateway’s FQDN to the support team for enabling it for Android devices.
6. For “Split DNS BOTH” mode, DNS suffixes must be configured on the gateway and only DNS A record queries ending in those suffixes are sent to the gateway. The rest of the queries are resolved locally. Citrix Secure Access for Android also supports “Split DNS LOCAL” mode.
7. TLS 1.3 is disabled by default in the Citrix Secure Access client for macOS and iOS. If required, contact Citrix Support.
8. The “Split DNS BOTH” mode functions the same as the “Split DNS LOCAL” mode in the Citrix Secure Access client for Linux.
Citrix Secure Access client features supported in Citrix Secure Private Access
Feature | Citrix Secure Private Access - on-premises (Windows) | Citrix Secure Private Access - on-premises (macOS) | Citrix Secure Private Access - on-premises (Linux) | Citrix Secure Private Access service (Windows) | Citrix Secure Private Access service (macOS) | Citrix Secure Private Access service (iOS) | Citrix Secure Private Access service (Linux) | Citrix Secure Private Access hybrid (Windows) | Citrix Secure Private Access hybrid (macOS) | Citrix Secure Private Access hybrid (iOS) | Citrix Secure Private Access hybrid (Linux) |
---|---|---|---|---|---|---|---|---|---|---|---|
Always On (machine + user tunnel) | Yes | No | No | Yes | No | No | No | Yes. See note 1 | No | No | No |
Always On (only user tunnel) | Yes | No | No | Yes | No | No | No | Yes | No | No | No |
Always On service (only machine tunnel) | Yes | No | No | Yes | No | No | No | Yes. See note 1 | No | No | No |
Client idle timeout | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes |
SSO to Citrix Workspace™ app | No | No | No | Yes | Yes | No | No | No | No | No | No |
Datagram Transport Layer Security (DTLS) | Yes | Yes | No | No | No | No | No | Yes | Yes | Yes | No |
EPA v2 or Device Posture service | Yes | Yes. See note 4 | Yes | Yes | Yes. See note 4 | No | Yes | Yes. See note 3 | Yes. See notes 3 and 4 | No | Yes. See note 3 |
Exclude domain DNS | Yes | Yes | No | Yes | Yes | Yes | No | Yes. See note 7 | Yes. See note 7 | Yes. See note 7 | No |
Forced timeout | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Global Server Load Balancing (GSLB) | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes | Yes |
HttpOnly cookie | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes | Yes |
Intranet IP address and Server Initiated Connection (SIC) | Yes | Yes | Yes | Yes. See note 5 | Yes. See note 5 | Yes. See note 5 | Yes. See note 5 | Yes | Yes | Yes | Yes |
Local LAN access | Yes | Yes | No | No | No | No | No | Yes | Yes | Yes | No |
nFactor authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Device certificate authentication | Yes | Yes | No | Yes. See note 2 | Yes. See note 2 | No | No | Yes | Yes | No | No |
Session timeout | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Smart spoofed IP address | Yes | No | No | Yes | No | No | No | Yes | No | No | No |
Split tunnel OFF | No | No | No | No | No | No | No | No | No | No | No |
Split tunnel ON (hostname-based) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Split tunnel ON (IP address based) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Split tunnel REVERSE (hostname-based) | No | No | No | No | No | No | No | No | No | No | No |
Split tunnel REVERSE (IP address based) | No | No | No | No | No | No | No | No | No | No | No |
Spoofed IP address support for both UDP and TCP DNS | Yes | Yes. See note 8 | Yes | Yes | Yes. See note 8 | Yes. See note 8 | Yes | Yes | Yes. See note 8 | Yes. See note 8 | Yes |
SSO using PRT token | Yes | No | No | Yes | No | No | No | Yes | No | No | No |
SSO using Windows Hello | Yes | No | No | Yes | No | No | No | Yes | No | No | No |
TCP split DNS support | Yes | No | Yes | Yes | No | No | Yes | Yes | No | No | Yes |
Transport Layer Security (TLS) 1.3 | Yes | Yes. See note 6 | Yes | Yes | Yes. See note 6 | Yes. See note 6 | Yes | Yes | Yes. See note 6 | Yes. See note 6 | Yes |
Plug-in upgrade through Gateway Appliance Configuration Service (GACS) | No | No | No | No | No | No | No | No | No | No | No |
Observability | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes |
Notes:
1. Hybrid deployments of Citrix Secure Private Access version 2502 and later support the Always On (machine and user tunnel) and Always On service (only machine tunnel) modes.
2. In the Citrix Secure Private Access service, device certificate authentication is not supported using third-party issued certificates.
3. Hybrid deployments of Citrix Secure Private Access version 2502 and later support the Device Posture service.
4. The Device Posture service for macOS requires a standalone EPA client.
5. UDP is not supported in the Citrix Secure Private Access service, so VoIP, SCCM, and GPO push from the server do not work in the Citrix Secure Private Access service.
6. For the macOS and iOS platforms, TLS 1.3 is behind a feature flag and is disabled by default. Contact Citrix Support to enable this feature.
7. Hybrid deployments of Citrix Secure Private Access version 2502 and later support the exclude domain DNS feature.
8. The spoofed IP address support for TCP DNS in Citrix Secure Private Access for macOS/iOS is behind a feature flag. Contact Citrix Support to enable this feature.