Configure TCP/UDP apps
Prerequisites:
- Secure Private Access setup is complete.
- Client versions meet the following requirements:
- Windows - 24.6.1.17 and later
- macOS - 24.06.2 and later
Perform the following steps to configure TCP/UDP apps from the admin console:
- In the admin console, click Applications and then click Add an app.
- Select the location Inside my corporate network.
- Enter the following details:
- App type – Select TCP/UDP for initiating connections with the back-end servers residing in the data center.
Note:
The TCP/UDP option appears grayed out if the SPAOP-3315-EnableZTNAApplications feature flag is disabled. You must manually update the database to enable this feature flag.
- App name – Name of the application.
- App description – Description of the app you are adding. This field is optional.
- Destinations – IP addresses or FQDNs of the back-end machines residing in the data center. One or more destinations can be specified in the following forms:
- IPv4 address
- IPv4 address range – Example: 10.68.90.10-10.68.90.99
- CIDR – Example: 10.106.90.0/24
- FQDN of the machines or domain name – Single or wildcard domain. Example: ex.destination.domain.com, *.domain.com
Note:
- End users can access the apps using FQDN even if the admin has configured the apps using the IP address. This is possible because the Citrix Secure Access client can resolve an FQDN to the real IP address.
The following examples show various destinations and how end users access apps configured with them:
- 10.10.10.1-10.10.10.100: The end user is expected to access the app only through IP addresses in this range.
- 10.10.10.0/24: The end user is expected to access the app only through IP addresses in this CIDR block.
- 10.10.10.101: The end user is expected to access the app only through 10.10.10.101.
- *.info.citrix.com: The end user is expected to access subdomains of info.citrix.com and also info.citrix.com (the parent domain). For example, info.citrix.com, sub1.info.citrix.com, level1.sub1.info.citrix.com. Note: The wildcard must always be the starting character of the domain, and only one *. is allowed.
- info.citrix.com: The end user is expected to access info.citrix.com only and no subdomains. For example, sub1.info.citrix.com is not accessible.
Note: The destination IP address must be unique across resource locations. If a conflicting configuration exists, a warning symbol is displayed against the specific IP address in the Application Domain table (Settings > Application Domain).
- Port – The destination port on which the app is running. Admins can configure multiple ports or port ranges per destination.
The following examples show ports that can be configured for a destination:
- *: By default, the port field is set to "*" (any port). Port numbers from 1 to 65535 are supported for the destination.
- 1300-2400: Port numbers from 1300 to 2400 are supported for the destination.
- 38389: Only port 38389 is supported for the destination.
- 22,345,5678: Ports 22, 345, and 5678 are supported for the destination.
- 1300-2400,42000-43000,22,443: The port ranges 1300 to 2400 and 42000 to 43000, and the ports 22 and 443, are supported for the destination.
Note: The wildcard port (*) cannot co-exist with port numbers or ranges.
- Protocol – TCP/UDP
- App Connectivity – Define how traffic to your applications must be routed.
Internal: DNS resolution is done by a remote DNS server. By default, all traffic to a domain marked as Internal is intercepted and tunneled through NetScaler Gateway. For example, if the connectivity for example.net is set as Internal, all of its related domains/subdomains (for example, code.example.net, test.example.net, 123.example.net) are intercepted and tunneled through NetScaler Gateway.
External: DNS resolution is done by a local DNS server. When a related domain/subdomain is marked as External, traffic to that domain is not intercepted or tunneled through NetScaler Gateway. For example, if connectivity to code.example.net is set as External, traffic to that domain is routed directly over the internet, while traffic to the other subdomains (for example, test.example.net and 123.example.net) is still tunneled through NetScaler Gateway.
- Click Add to add additional destinations or servers.
- Click Save. The app is added to the App Configuration page. After you have configured the application, you can edit or delete it from the Applications page. To do so, click the ellipsis button in line with the app and select one of the following actions:
- Edit Application
- Delete
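As an added example (not Citrix code and not taken from this page), the following Python models the destination and port rules from the two example lists above, so that an admin can check whether a planned TCP/UDP app definition is acceptable and which host:port pairs it would cover. The app definition is constructed for illustration, the matching semantics are inferred from the page's examples (a leading single "*." covers the parent domain and subdomains of any depth; a plain FQDN matches exactly; "*" cannot be combined with other ports), and no DNS is performed, unlike the Citrix Secure Access client, which also resolves FQDNs to the configured IP addresses.

```python
import ipaddress
import re

# Constructed app definition in the shape this page describes (hypothetical
# values, not exported from any admin console).
APP = {
    "name": "example-tcp-udp-app",
    "destinations": ["10.10.10.1-10.10.10.100", "10.10.10.0/24", "10.10.10.101",
                     "*.info.citrix.com", "info.citrix.com"],
    "ports": "1300-2400, 42000-43000,22,443",
}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_destination(dest):
    """Classify a destination as (kind, value); kind is ip, range, cidr, wildcard
    or fqdn. Raises ValueError for a wildcard that is not a single leading '*.'
    (the page's rule), a reversed IP range, or anything else unparseable."""
    dest = dest.strip().lower()
    if re.fullmatch(rf"{_IPV4}-{_IPV4}", dest):
        lo, hi = (ipaddress.IPv4Address(p) for p in dest.split("-"))
        if lo > hi:
            raise ValueError(f"range start is after range end: {dest}")
        return ("range", (lo, hi))
    if re.fullmatch(rf"{_IPV4}/\d{{1,2}}", dest):
        return ("cidr", ipaddress.IPv4Network(dest, strict=False))  # host bits masked
    if re.fullmatch(_IPV4, dest):
        return ("ip", ipaddress.IPv4Address(dest))
    if dest.count("*") > 1 or ("*" in dest and not dest.startswith("*.")):
        raise ValueError(f"wildcard must be a single leading '*.': {dest}")
    name = dest[2:] if dest.startswith("*.") else dest
    if not _FQDN_RE.match(name):
        raise ValueError(f"not an IP, range, CIDR or FQDN: {dest}")
    return ("wildcard" if name != dest else "fqdn", name)


def parse_ports(spec):
    """Return None for '*' (any port 1-65535) or a sorted list of (low, high).
    The wildcard cannot co-exist with port numbers or ranges."""
    items = [p.strip() for p in spec.split(",") if p.strip()]
    if not items:
        raise ValueError("empty port specification")
    if "*" in items:
        if len(items) > 1:
            raise ValueError("wildcard port (*) cannot co-exist with port numbers or ranges")
        return None
    ranges = []
    for item in items:
        lo, sep, hi = item.replace("\u2013", "-").partition("-")  # en dash or hyphen
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"not a port or port range: {item}")
        lo, hi = int(lo), (int(hi) if sep else int(lo))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range 1-65535: {item}")
        ranges.append((lo, hi))
    return sorted(ranges)


def host_matches(parsed, host):
    """True if host (IPv4 literal or hostname) falls under one parsed destination.
    No DNS is done here; the Citrix Secure Access client additionally resolves
    FQDNs, so an app configured by IP may still be reached by name."""
    kind, value = parsed
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        addr = None
    if kind == "ip":
        return addr == value
    if kind == "range":
        return addr is not None and value[0] <= addr <= value[1]
    if kind == "cidr":
        return addr is not None and addr in value
    if kind == "fqdn":
        return addr is None and host == value
    # wildcard: the parent domain plus subdomains of any depth, matched on a label
    # boundary so that evilinfo.citrix.com does not satisfy *.info.citrix.com
    return addr is None and (host == value or host.endswith("." + value))


def app_covers(app, host, port):
    """True if the app definition covers a connection to host:port."""
    ranges = parse_ports(app["ports"])
    port_ok = (1 <= port <= 65535) if ranges is None else any(lo <= port <= hi for lo, hi in ranges)
    return port_ok and any(host_matches(parse_destination(d), host) for d in app["destinations"])


def validate_app(app):
    """Return a list of problems with an app definition (empty means acceptable)."""
    problems = []
    checks = [(d, parse_destination) for d in app["destinations"]] + [(app["ports"], parse_ports)]
    for spec, parser in checks:
        try:
            parser(spec)
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```

Run validate_app on a definition before entering it in the console to catch a reversed range, a misplaced wildcard, or a "*" mixed with explicit ports; then use app_covers to confirm that the hosts and ports users will actually connect to fall inside what the app allows and, just as importantly, that look-alike names such as evilinfo.citrix.com do not.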
Configure access policies for TCP/UDP apps
To enable access to the apps for the users, admins are required to create access policies. For details, see Configure access policies.