Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same
The application domains feature of the Citrix Secure Private Access service enables customers to make routing decisions that allow related domains of applications to be routed externally or internally through Citrix Gateway connectors.
Consider that the customer has configured the same related domains within both a SaaS app and an internal web app.
For example, if Okta is the SAML IdP for both Salesforce (SaaS app) and Jira (internal web app), then the admin might configure *.okta.com as a related domain in both apps’ configuration. This leads to a conflict and the end user experiences inconsistent behavior. In this scenario, the admin can define rules to route these applications either externally or internally through the Citrix Gateway Connectors, as per the requirement.
The Application Domains feature also enables admins to configure the Citrix Gateway connectors to bypass the customer’s web proxy servers to reach the internal web servers. These bypass policies were previously configured manually by running NSCLI commands on the Citrix Gateway connector.
How the route table works
The admins can define the route type for the apps as External, Internal, or External via Gateway Connector depending on how they want to define the traffic flow.
- External – The traffic flows directly to the internet.
- Internal – The traffic flows via the Gateway Connector.
  - For a web app, the traffic flows within the data center.
  - For a SaaS app, the traffic is routed outside the network through the Citrix Gateway Connector.
- Internal – bypass proxy - The domain traffic is routed through Citrix Cloud Gateway Connectors, bypassing the customer’s web proxy configured on the Gateway Connector.
- External via Gateway Connector - The apps are external but the traffic must flow through the Citrix Gateway Connector to the outside network.
- Route entries do not impact the enhanced security policies that are configured on the apps.
- If admins do not intend to use an entry in the route table or if the corresponding apps are not working as intended, admins can simply disable the entry instead of deleting it.
- All Citrix Gateway Connectors for a particular customer, irrespective of the app type, get the SSO settings. Previously, the SSO setting for a particular app was tied to a resource location.
Main route table
The main route table is accessible from the Secure Private Access tile.
- Log on to your Citrix Cloud account.
- On the Secure Private Access tile, click Manage.
- In the navigation pane, click Settings. The Application Domains page appears.
The main route table displays the following columns.
- FQDN/IP: FQDN or the IP address for which the type of traffic routing is to be configured.
- Type: App type. Internal, External, or External via Gateway Connector as selected when adding the app. If there are conflicts, an alert icon is displayed for the respective row in the table. To resolve the conflict, admins must click the triangular icon and change the app type from the main table.
- Resource location: Resource location for routing of type Internal. If a resource location is not allocated, a triangular icon appears in the Resource location column for the respective app. When you hover over the icon, the following message is displayed:
  Missing resource location. Ensure that a resource location is associated with this FQDN.
- Status: The toggle switch in the Status column can be used to disable the route for a route entry without deleting the app. When the toggle switch is turned OFF, the route entry does not take effect. Also, if FQDNs of exact match exist, admins can select the route to be enabled or disabled.
- Comments: Displays comments, if any.
- Actions: The edit icon is used to add a resource location or change the type of route entry. The delete icon is used to delete the route.
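An offline audit that mirrors the two warnings described above (the conflict alert and the missing resource location message), as an added example that is not Citrix code. The row dictionaries, field names, and sample values are constructed assumptions, not a Citrix export format or API.

```python
from collections import defaultdict

# Constructed sample rows. Field names are assumptions made for this example.
ROUTES = [
    {"app": "Salesforce", "fqdn": "*.okta.com", "type": "External",
     "resource_location": None, "enabled": True},
    {"app": "Jira", "fqdn": "*.Okta.com.", "type": "Internal",
     "resource_location": "DC-East", "enabled": True},
    {"app": "Jira", "fqdn": "jira.corp.example", "type": "Internal",
     "resource_location": None, "enabled": True},
    {"app": "Legacy", "fqdn": "*.okta.com", "type": "External via Gateway Connector",
     "resource_location": None, "enabled": False},
]


def normalize(fqdn):
    """Compare FQDNs case-insensitively and without a trailing dot."""
    return fqdn.strip().rstrip(".").lower()


def audit_routes(routes):
    """Return (kind, fqdn, apps) findings for enabled route entries.

    kind is 'missing_resource_location' for an Internal entry without a
    resource location, or 'conflict' when the same FQDN is enabled with
    more than one route type.
    """
    findings = []
    by_fqdn = defaultdict(list)
    for row in routes:
        if not row.get("enabled", True):
            continue  # a disabled entry does not take effect, so skip it
        fqdn = normalize(row["fqdn"])
        by_fqdn[fqdn].append(row)
        if row["type"] == "Internal" and not row.get("resource_location"):
            findings.append(("missing_resource_location", fqdn, [row["app"]]))
    for fqdn, rows in sorted(by_fqdn.items()):
        if len({r["type"] for r in rows}) > 1:
            findings.append(("conflict", fqdn, sorted(r["app"] for r in rows)))
    return findings


if __name__ == "__main__":
    for kind, fqdn, apps in audit_routes(ROUTES):
        print(f"{kind}: {fqdn} ({', '.join(apps)})")
```

Disabling one of the two conflicting *.okta.com rows, rather than deleting it, clears the conflict finding in this model, matching the Status toggle behaviour described above.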
Add an FQDN to the Application Domains table
Admins can add an FQDN into the Application Domains table and choose the appropriate routing type for it.
- Click Add on the Application Domains page.
- Enter the FQDN name and select the appropriate routing type for the FQDN.
Mini route table
A mini version of the Application Domains table is available to make the routing decisions during app configuration. The mini route table is available in the App Connectivity section in the Citrix Gateway Service user interface.
To add routes to the mini route table
The steps to add an app in the Citrix Gateway Service UI remain the same as described in the topics Support for software as service apps and Support for Enterprise web apps except for the following two changes:
- Complete the following steps:
  - Choose a template.
  - Enter app details.
  - Choose enhanced security details, as applicable.
  - Select the single sign-on method, as applicable.
- Click App Connectivity. A mini version of the Application Domains table is available to make the routing decisions during app configuration.
- Domains: The Domains column displays one or more rows for a particular app. The first row displays the actual app URL that the admin has entered while adding the app details. The other rows are all related domains that are entered while adding the app details. If the app URL and the related domains are the same, they are displayed in one row. One row displays the SAML assertion URL, if SAML SSO is selected.
- Type: Select one of the following options.
  - External – The traffic flows directly to the internet.
  - Internal – The traffic flows via the Gateway Connector and the app is treated as a web app.
    - For a web app, the traffic flows within the data center.
    - For a SaaS app, the traffic is routed outside the network through the Citrix Gateway Connector.
  - Internal – bypass proxy - Domain traffic is routed through Citrix Cloud Gateway Connectors, bypassing the customer’s web proxy configured on the Gateway Connector.
  - External via Gateway Connector – The apps are external but the traffic must flow via the Citrix Gateway Connector to the outside network.
- Resource Location: Autopopulated when you select the type Internal for an app. Change it if a different resource location is desired.
- Gateway Connector Status: Autopopulated, along with resource location, when you select the type Internal for an app.
You can also add a Gateway Connector in a new resource location using the “Install Gateway Connector” link and get the activation code for registration. For details, see Ways to install Citrix Gateway Connector.