Secure Private Access for on-premises

Citrix customers can now access Web and SaaS apps seamlessly alongside Citrix Virtual Apps and Desktops by using the Citrix Secure Private Access solution for on-premises deployments. The solution lets you adopt Zero Trust Network Access (ZTNA) in a phased manner. You can route and control data traffic through your own WAN, private links, or both, and retain all components that are deployed on-premises.

In addition, the Secure Private Access solution for on-premises provides the following benefits:

  • No changes are required to the existing architecture or deployments to use this solution.
  • Enables single sign-on to the apps and reduces dependency on traditional VPNs.
  • Enables use of Citrix Enterprise Browser, which provides enhanced security controls for applications.
  • Enables security controls based on context (user group, device, network location).

System requirements

Ensure that your product meets the minimum version requirements.

  • Citrix Workspace app
    • Windows – 2309 and later
    • macOS – 2309 and later
  • Operating system for Secure Private Access plug-in server – Windows Server 2019 and later
  • StoreFront – LTSR 2203 or CR 2212 and later
  • NetScaler – 13.0, 13.1, 14.1, and later. It is recommended to use the latest builds of NetScaler Gateway version 13.1 or 14.1 for optimized performance.

Note:

Secure Private Access for on-premises is not supported on Citrix Workspace app for iOS and Android.

Prerequisites

To create a NetScaler Gateway or update an existing one, ensure that you have the following details:

  • A Windows server machine with IIS running, configured with an SSL/TLS certificate, on which the Secure Private Access plug-in will be installed.
  • StoreFront store URLs to enter during the setup.
  • A store must be configured on StoreFront and the Store service URL must be available. The format of the Store service URL is https://store.domain.com/Citrix/StoreSecureAccess.
  • NetScaler Gateway IP address, FQDN, and NetScaler Gateway Callback URL.
  • IP address and FQDN of the Secure Private Access plug-in host machine (or a load balancer if the Secure Private Access plug-in is deployed as a cluster).
  • Authentication profile name configured on NetScaler.
  • SSL server certificate configured on NetScaler.
  • Domain name
  • Certificate configurations are complete. Admins must ensure this before running the installer. The Secure Private Access installer configures a self-signed certificate if no certificate is found on the machine. However, this might not always work.

Admin account requirements

The following administrator accounts are required while setting up Secure Private Access.

  • Install Secure Private Access: You must be logged in with a local machine administrator account.
  • Set Up Secure Private Access: You must sign in to the Secure Private Access admin console as a domain user who is also a local machine administrator on the machine where Secure Private Access is installed.
  • Manage Secure Private Access after setup: You must sign in to the Secure Private Access admin console with a Secure Private Access administrator account.
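
The host-side prerequisites above (Windows Server 2019 or later, IIS running with an SSL/TLS certificate, a local administrator account) can be checked before running the installer. The following script is an added example and not part of the Citrix product or documentation; the function name Test-SpaPluginHost is hypothetical, and it assumes Windows PowerShell 5.1 with the IIS WebAdministration module in an elevated session.

```powershell
# Added example: preflight for the Secure Private Access plug-in host.
# Test-SpaPluginHost is a hypothetical name; run elevated on that server.
function Test-SpaPluginHost {
    [CmdletBinding()]
    param()

    function New-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
    }

    # Windows Server 2019 reports build 17763; ProductType 1 is a workstation OS.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    New-Result 'Windows Server 2019 or later' `
        ($os.ProductType -ne 1 -and [int]$os.BuildNumber -ge 17763) $os.Caption

    # Installation requires a local machine administrator account.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Result 'Local administrator' $isAdmin $principal.Identity.Name

    # IIS must be running (W3SVC is the World Wide Web Publishing Service).
    $iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    New-Result 'IIS running' ($null -ne $iis -and $iis.Status -eq 'Running') "W3SVC: $($iis.Status)"
    if (-not $iis) { return }

    # Each HTTPS binding should carry a currently valid certificate with a private key.
    Import-Module WebAdministration -ErrorAction Stop
    $bindings = @(Get-WebBinding -Protocol https)
    New-Result 'HTTPS binding present' ($bindings.Count -gt 0) "$($bindings.Count) binding(s)"

    foreach ($b in $bindings) {
        $name = "Certificate on $($b.bindingInformation)"
        if (-not $b.certificateHash) {
            New-Result $name $false 'No certificate hash on binding'
            continue
        }
        $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $cert) {
            New-Result $name $false "Thumbprint $($b.certificateHash) not in store"
            continue
        }
        $now = Get-Date
        $valid = $cert.HasPrivateKey -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
        # Subject equal to Issuer is a heuristic for self-signed; flagged here by assumption,
        # since the installer's self-signed fallback might not always work.
        $selfSigned = $cert.Subject -eq $cert.Issuer
        New-Result $name ($valid -and -not $selfSigned) `
            "expires $($cert.NotAfter.ToString('yyyy-MM-dd')); self-signed: $selfSigned"
    }
}
Test-SpaPluginHost | Format-Table -AutoSize
```

Any row with Pass set to False points at a prerequisite to fix before installation; the NetScaler and StoreFront items in the list are not covered by this host-local check.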
