Secure Private Access 2311 compatibility with legacy versions

Secure Private Access 2311 is incompatible with the legacy versions. NetScaler Gateway must be configured using the new script as described earlier in Configure NetScaler Gateway. No configuration is required in the Citrix Virtual Apps and Desktops delivery controller for Secure Private Access legacy versions.

The best way to migrate from legacy versions to 2311 is to clean up the following:

  • Citrix Virtual Apps and Desktops Delivery controller from Web/SaaS apps
  • Update Citrix StoreFront to default configuration or create a new store on StoreFront
  • NetScaler Gateway

Citrix Virtual Apps and Desktops Delivery Controller cleanup

The Secure Private Access applications created on Citrix Virtual Apps and Desktops Delivery Controller can be removed manually or using the PowerShell script.

Manual:

  1. Open Citrix Studio or Citrix WebStudio.
  2. Click Applications.
  3. Select the app, right click, and then select Delete.

Using a script:

  1. Fetch the current Secure Private Access apps by running the following command:

    Get-BrokerApplication -Description "KEYWORDS:SPAENABLED"

    For details, see Remove-BrokerApplication.

  2. After verifying the apps, run the following command to remove them:

    Get-BrokerApplication -Description "KEYWORDS:SPAENABLED" | Remove-BrokerApplication

Citrix StoreFront cleanup

You can either create a new StoreFront store or clean up the existing store.

  • Create a new StoreFront store: You must create a new StoreFront store for Secure Private Access 2311 as the existing StoreFront stores created for legacy versions aren’t compatible with 2311. This is the recommended option to avoid configuration related issues.
  • Clean up existing StoreFront store: The existing store on StoreFront can be cleaned manually or using the script. However, the best option for migrating Secure Private Access on-premises to 2311 is to create a new Store on StoreFront.

Manual:

  1. Find and remove policy.json (e.g C:\inetpub\wwwroot\Citrix\Store\Resources\SecureBrowser\policy.json).
  2. Find and remove folders SecureBrowser (for example C:\inetpub\wwwroot\Citrix\Store\Resources\SecureBrowser) and Resources (for example C:\inetpub\wwwroot\Citrix\Store\Resources).
  3. Remove the “route” node from web.config (you can find it in C:\inetpub\wwwroot\Citrix\Store) with the name “webSecurePolicy” routing to the URL “Resources\SecureBrowser\policy.json”.
  4. Restart the Default Web Site on Internet Information Service (IIS) Manager console to apply changes.

Using a script:

  1. Download the script from https://www.citrix.com/downloads/citrix-secure-private-access/.
  2. Upload the script to a StoreFront machine.
  3. Run the script as administrator on PowerShell.
  4. Enter the Store name.

    The Script removes the C:\inetpub\wwwroot\Citrix\Store\Resources folder, subfolder and files, and updates the web.config file.

  5. Restart the Default Web Site on Internet Information Service (IIS) Manager console to apply changes.

NetScaler Gateway cleanup

NetScaler Gateway virtual server

The NetScaler Gateway virtual server created for legacy versions can be reused for Secure Private Access 2311.

Session policies and actions

Session policies and actions created for legacy versions can be reused by Secure Private Access 2311.

The script also creates fully configured session policies/actions.

Authorization policies

Authorization policies created on NetScaler Gateway for legacy versions can interfere with Secure Private Access 2311 policies and break the flow.

You can do the following to clean up the authorization policies.

  • Manually unbind the authorization policies from authentication and authorization groups that are used as default groups on NetScaler Gateway. In this case, the policies can be reused.
  • Remove the authorization policies.
Secure Private Access 2311 compatibility with legacy versions