System requirements
Ensure that each product meets the minimum version requirements listed below.
Product | Minimum version |
---|---|
Citrix Workspace app | Windows – 2403 and later; macOS – 2402 and later |
StoreFront | LTSR 2203 or CR 2212 and later |
NetScaler | 13.1, 14.1, and later. It is recommended to use the latest builds of the NetScaler Gateway version 13.1 or 14.1 for optimized performance. For TCP/UDP apps – 14.1–25.56 and later |
NetScaler FIPS | 13.1-37.219 and later FIPS builds |
Citrix Secure Access client | Windows client – 24.6.1.17 and later; macOS client – 24.06.2 and later |
Director | 2402 or later |
Operating system for Secure Private Access plug-in server | Windows Server 2019 and later |
Communication ports: Ensure that you have opened the required ports for the Secure Private Access plug-in. For details, see Communication ports.
Note:
- Secure Private Access for on-premises is not supported on Citrix Workspace app for iOS and Android.
- The Citrix Secure Access client for Linux, iOS, and Android does not support Secure Private Access on-premises TCP/UDP apps.
Prerequisites
Before creating a NetScaler Gateway or updating an existing one, ensure that you have the following details:
- A Windows server machine with IIS running, configured with an SSL/TLS certificate, on which the Secure Private Access plug-in will be installed.
- StoreFront store URLs to enter during the setup.
- Store on StoreFront must have been configured and the Store service URL must be available. The format of the Store service URL is https://store.domain.com/Citrix/StoreSecureAccess.
- NetScaler Gateway IP address, FQDN, and NetScaler Gateway Callback URL.
- IP address and FQDN of the Secure Private Access plug-in host machine (or a load balancer if the Secure Private Access plug-in is deployed as a cluster).
- Authentication profile name configured on NetScaler.
- SSL server certificate configured on NetScaler.
- Domain name.
- Certificate configurations are complete. The Secure Private Access installer configures a self-signed certificate if no certificate is found on the machine, but this does not always work, so admins must verify the certificate configuration themselves.
Note:
The Runtime service (secureAccess application in the IIS default website) requires anonymous authentication to be enabled as it does not support Windows authentication. These settings are set by the Secure Private Access installer by default and must not be changed manually.
Admin account requirements
The following administrator accounts are required while setting up Secure Private Access.
- Install Secure Private Access: You must be logged in with a local machine administrator account.
- Set Up Secure Private Access: You must sign in to the Secure Private Access admin console with a domain user account that is also a local machine administrator on the machine where Secure Private Access is installed.
- Manage Secure Private Access: You must sign into the Secure Private Access admin console with a Secure Private Access administrator account.
Communication ports
The following table lists the communication ports that are used by the Secure Private Access plug-in.
Source | Destination | Type | Port | Details |
---|---|---|---|---|
Admin Workstation | Secure Private Access plug-in | HTTPS | 4443 | Secure Private Access plug-in – Admin console |
Secure Private Access plug-in | NTP Service | TCP, UDP | 123 | Time synchronization |
Secure Private Access plug-in | DNS Service | TCP, UDP | 53 | DNS lookup |
Secure Private Access plug-in | Active Directory | TCP, UDP | 88 | Kerberos |
Secure Private Access plug-in | Director | HTTP, HTTPS | 80, 443 | Communication to Director for performance management and enhanced troubleshooting |
Secure Private Access plug-in | License server | TCP | 8083 | Communication to license server for collecting and processing licensing data |
Secure Private Access plug-in | Active Directory | TCP | 389 | LDAP over plaintext (LDAP) |
Secure Private Access plug-in | Active Directory | TCP | 636 | LDAP over SSL (LDAPS) |
Secure Private Access plug-in | Microsoft SQL Server | TCP | 1433 | Secure Private Access plug-in – Database communication |
Secure Private Access plug-in | StoreFront | HTTPS | 443 | Authentication validation |
Secure Private Access plug-in | NetScaler Gateway | HTTPS | 443 | NetScaler Gateway Callback |
StoreFront | NTP Service | TCP, UDP | 123 | Time synchronization |
StoreFront | DNS Service | TCP, UDP | 53 | DNS lookup |
StoreFront | Active Directory | TCP, UDP | 88 | Kerberos |
StoreFront | Active Directory | TCP | 389 | LDAP over plaintext (LDAP) |
StoreFront | Active Directory | TCP | 636 | LDAP over SSL (LDAPS) |
StoreFront | Active Directory | TCP, UDP | 464 | Native Windows authentication protocol to allow users to change expired passwords |
StoreFront | Secure Private Access plug-in | HTTPS | 443 | Authentication and application enumeration |
StoreFront | NetScaler Gateway | HTTPS | 443 | NetScaler Gateway Callback |
NetScaler Gateway | Secure Private Access plug-in | HTTPS | 443 | Application authorization validation |
NetScaler Gateway | StoreFront | HTTPS | 443 | Authentication and application enumeration |
NetScaler Gateway | Web applications | HTTP, HTTPS | 80, 443 | NetScaler Gateway communication to configured Secure Private Access applications (ports can differ based on the application requirements) |
User Device | NetScaler Gateway | HTTPS | 443 | Communication between end-user device and NetScaler Gateway |
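The following PowerShell preflight check is an added example, not Citrix's own tooling: run on the Secure Private Access plug-in host, it confirms that the secureAccess application under the IIS Default Web Site has anonymous authentication enabled (as the note under Prerequisites requires) and that the TCP destinations from the plug-in rows of the table above are reachable. The host names (example.com) are placeholders you replace with your environment's values; the IIS path 'Default Web Site/secureAccess' is taken from the note above.

```powershell
# Added example: readiness check for the Secure Private Access plug-in host.
# Requires the IIS WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

# IIS application named in the Prerequisites note (secureAccess under the default website)
$spaApp = 'Default Web Site/secureAccess'

function Test-SpaIisAuth {
    # The Runtime service needs anonymous authentication; Windows authentication is unsupported.
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $spaApp `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $spaApp `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
    [pscustomobject]@{
        Application      = $spaApp
        AnonymousEnabled = [bool]$anon.Value
        WindowsEnabled   = [bool]$win.Value
        Ok               = [bool]$anon.Value   # anonymous auth must stay enabled
    }
}

# Placeholder host names (assumptions); TCP ports taken from the plug-in source rows above.
# UDP-only checks (NTP, DNS, Kerberos over UDP) are not covered by Test-NetConnection.
$targets = @(
    @{ Name = 'Active Directory';  Host = 'dc01.example.com';       Ports = 88, 389, 636 }
    @{ Name = 'Microsoft SQL';     Host = 'sql01.example.com';      Ports = 1433 }
    @{ Name = 'StoreFront';        Host = 'storefront.example.com'; Ports = 443 }
    @{ Name = 'NetScaler Gateway'; Host = 'gateway.example.com';    Ports = 443 }
    @{ Name = 'License server';    Host = 'license.example.com';    Ports = 8083 }
    @{ Name = 'Director';          Host = 'director.example.com';   Ports = 80, 443 }
)

function Test-SpaOutboundPorts {
    foreach ($t in $targets) {
        foreach ($p in $t.Ports) {
            $r = Test-NetConnection -ComputerName $t.Host -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Destination = $t.Name; Host = $t.Host; Port = $p; Open = $r.TcpTestSucceeded
            }
        }
    }
}

Test-SpaIisAuth | Format-List
# Any row with Open = False points at a firewall or routing gap to fix before Setup.
Test-SpaOutboundPorts | Format-Table -AutoSize
```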