Direct access to Enterprise web apps

Enterprise web applications like SharePoint, JIRA, Confluence, and others which are hosted by the customer either on-premises or on public clouds, can now be accessed directly from a client browser. End users no longer need to initiate access to their enterprise web apps from the Citrix Workspace experience. This feature also enables end users access to the web apps by clicking links from their emails, collaboration tools, or browser bookmarks. Thus provisioning a true zero footprint solution to the customers.

How it works

  • Add a new DNS record or modify an existing DNS record for the configured Enterprise web apps.

  • IT administrator would add a new public DNS record or modify an existing public DNS record for the configured enterprise web app FQDN to redirect the user to the Citrix Secure Private Access service.

  • When the end-user initiates access to the configured enterprise web app, the app traffic is steered to the Citrix Secure Private Access service, which then will proxy the access to the app.

  • Once the request lands on the Citrix Secure Private Access service, it checks for user authentication and application authorization, including contextual access policies checks.

  • Upon successful validation, the Citrix Secure Private Access service communicates with Citrix Cloud Gateway Connectors or Connector Appliances, deployed at the customer’s environment (either in on-premises or cloud) to enable access to the configured enterprise web app.

Configure Citrix Secure Private Access for direct access to Enterprise web apps

Prerequisites

Before you begin, you need the following for the application to be configured.

  • Application FQDN
  • SSL certificate – Public certificate for the app to be configured
  • Resource location – Install Citrix Cloud Gateway Connectors or Connector Appliances
  • Access to the public DNS record to update it with the canonical name (CNAME) provided by Citrix during the app configuration.

Procedure to configure direct access to Enterprise web apps:

Important:

For a complete end-to-end configuration of an app, see Admin guided workflow for easy onboarding and set up.

  1. On the Secure Private Access home page, click Continue.

    Note:

    The Continue button appears only for the first time that you use the wizard. In the subsequent usages, you can directly navigate to the Applications page and, then click Add an app.

  2. Set up identity and authentication. For details, see Admin guided workflow for easy onboarding and set up.

  3. Proceed to add an app. For details, see Add and manage applications.

  4. Select the app that you want to add and click Skip.

  5. In Where is the application location?, select the location.

  6. Enter the following details in the App Details section and click Next.

    • App type – Select the app type (HTTP or HTTPS).

    • App name – Name of the application.

    • App description - A brief description of the app. This description that you enter here is displayed to your users in the workspace.

    • App icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

      If you do not want to display the app icon, select Do not display application icon to users.

  7. Select Direct Access to enable users access the app directly from a client browser. Enter the following details.

    • URL – URL for the back-end application. The URL must be in HTTPS format and a corresponding DNS entry must be added by the admin.
    • SSL certificate – Select an existing SSL certificate from the drop-down menu or add a new SSL certificate by clicking Add New SSL Certificate.

      Points to note:

      • Only a public or a trusted CA certificate is supported. Self-signed certificates are not supported.
      • Full chain of certificate must be uploaded.
    • Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain. You can bind an SSL certificate to each related domain, this is optional.

    • CName record – Auto generated by Secure Private Access. This is the value that must be entered in the DNS to enable direct access to the application.

    Agentless access

  8. Click Next.

  9. In the Single sign on section, select your preferred single sign-on type to be used for your application and click Next.

    SPA single sign-on

  10. In the App Connectivity section, you can either select an existing resource location or create one and deploy a new Gateway connector or a Connector Appliance. To choose an existing resource location, click one of the resource locations from the list of resource locations, for example My Resource Location, and click Next. For details, see Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same.

    SPA application connectivity

  11. In the App Subscribers section, assign users or groups to the app.

    SPA application subscribers

    • In Choose a domain, select the domain applicable to the app, and then in Choose a group or user, select the group or user to whom you are subscribing this app. You can differentiate between a user and a group based on the appearance of the alphabets U or G that against the name.

    • Click Save. The subscriber details are loaded automatically.

    You can unsubscribe a subscribed user or a group by clicking the delete icon next to Status.

  12. Click Finish. The app is added to the Applications page. You can delete, manage subscribers, or edit an app from the Applications page after you have configured the application. To do so, click the ellipsis button on an app and select the actions accordingly.

    • Manage Subscribers
    • Edit Application
    • Delete

With this configuration in place, the end users can access the configured web app directly using their client browser.

Direct access to Enterprise web apps