System requirements
Ensure that your product meets the minimal version requirements.
- Citrix Workspace app
- Windows – 2309 and later
- macOS – 2309 and later
- Operating system for Secure Private Access plug-in server - Windows Server 2019 and later.
- StoreFront – LTSR 2203 or CR 2212 and later.
- NetScaler – 13.0, 13.1, 14.1, and later. It is recommended to use the latest builds of the NetScaler Gateway version 13.1 or 14.1 for optimized performance.
- Director 2402 or later.
- NetScaler FIPS - 13.1-37.219 and later FIPS builds.
- Communication ports: Ensure that you have opened the required ports for the Secure Private Access plug-in. For details, see Communication ports.
Note:
The Secure Private Access for on-premises is not supported on Citrix Workspace app for iOS and Android.
Prerequisites
For creating or updating an existing NetScaler Gateway, ensure that you have the following details:
- A Windows server machine with IIS running, configured with a SSL/TLS certificate, on which the Secure Private Access plug-in will be installed.
- StoreFront store URLs to enter during the setup.
- Store on StoreFront must have been configured and the Store service URL must be available. The format of the Store service URL is
https://store.domain.com/Citrix/StoreSecureAccess
. - NetScaler Gateway IP address, FQDN, and NetScaler Gateway Callback URL.
- IP address and FQDN of the Secure Private Access plug-in host machine (or a load balancer if the Secure Private Access plug-in is deployed as a cluster).
- Authentication profile name configured on NetScaler.
- SSL server certificate configured on NetScaler.
- Domain name.
- Certificate configurations are complete. Admins must ensure that the certificate configurations are complete. The Secure Private Access installer configures a self-signed certificate if no certificate is found in the machine. However, this might not always work.
-
Databases: The following is the list of supported Microsoft SQL server versions for the site configuration, configuration logging, and monitoring databases:
- SQL Server 2022, Express, Standard, and Enterprise Editions.
- SQL Server 2019, Express, Standard, and Enterprise Editions.
- SQL Server 2017, Express, Standard, and Enterprise Editions.
For new installations: By default, SQL Server Express 2017 with Cumulative Update 16 is installed when installing the Controller, if an existing supported SQL Server installation is not detected.
For upgrades, any existing SQL Server Express version is not upgraded.
The following database high availability solutions are supported (except for SQL Server Express, which supports only standalone mode):
- SQL Server Always On Failover Cluster Instances
- SQL Server AlwaysOn Availability Groups (including Basic Availability Groups)
- SQL Server Database Mirroring
Windows authentication is required for connections between the Controller and the SQL Server site database.
For more information about the databases, see Databases.
Note:
The Runtime service (secureAccess application in the IIS default website) requires anonymous authentication to be enabled as it does not support Windows authentication. These settings are set by the Secure Private Access installer by default and must not be changed manually.
Admin account requirements
The following administrator accounts are required while setting up Secure Private Access.
- Install Secure Private Access: You must be logged in with a local machine administrator account.
- Set Up Secure Private Access: You must sign into the Secure Private Access admin console with a domain user which is also a local machine administrator for the machine where Secure Private Access is installed.
- Manage Secure Private Access: You must sign into the Secure Private Access admin console with a Secure Private Access administrator account.
Communication ports
The following table lists the communication ports that are used by the Secure Private Access plug-in.
Source | Destination | Type | Port | Details |
---|---|---|---|---|
Admin Workstation | Secure Private Access plug-in | HTTPS | 4443 | Secure Private Access plug-in - Admin console |
Secure Private Access plug-in | NTP Service | TCP, UDP | 123 | Time synchronization |
DNS Service | TCP, UDP | 53 | DNS lookup | |
Active Directory | TCP, UDP | 88 | Kerberos | |
Director | HTTP, HTTPS | 80, 443 | Communication to Director for performance management and enhanced troubleshooting | |
License server | TCP | 8083 | Communication to license server for collecting and processing licensing data | |
TCP | 389 | LDAP over Plaintext (LDAP) | ||
TCP | 636 | LDAP over SSL (LDAPS) | ||
Microsoft SQL Server | TCP | 1433 | Secure Private Access plug-in - Database communication | |
StoreFront | HTTPS | 443 | Authentication validation | |
NetScaler Gateway | HTTPS | 443 | NetScaler Gateway Callback | |
StoreFront | NTP Service | TCP, UDP | 123 | Time synchronization |
DNS Service | TCP, UDP | 53 | DNS lookup | |
Active Directory | TCP, UDP | 88 | Kerberos | |
TCP | 389 | LDAP over Plaintext (LDAP) | ||
TCP | 636 | LDAP over SSL (LDAPS) | ||
TCP, UDP | 464 | Native Windows authentication protocol to allow users to change expired passwords | ||
Secure Private Access plug-in | HTTPS | 443 | Authentication and application enumeration | |
NetScaler Gateway | HTTPS | 443 | NetScaler Gateway Callback | |
NetScaler Gateway | Secure Private Access plug-in | HTTPS | 443 | Application authorization validation |
StoreFront | HTTPS | 443 | Authentication and Application enumeration | |
Web applications | HTTP, HTTPS | 80, 443 | NetScaler Gateway communication to configured Secure Private Access applications (Ports can differ based on the application requirements) | |
User Device | NetScaler Gateway | HTTPS | 443 | Communication between end-user device and NetScaler Gateway |