Product documentation
Citrix Secure Private Access™ Hybrid Deployment
2507-Current Release 2503 2411 2408 2407 2405 2402
View PDF

Step 3: Configure and analyze

November 26, 2025
Contributed by: 
C

Configuration can now be applied to the on-premises StoreFront and NetScaler components.

Before proceeding, ensure that all prerequisites for both StoreFront and NetScaler are met.

Download and run NetScaler and StoreFront scripts

NetScaler script

Note:

All Secure Private Access configurations on the NetScaler must be performed using the Command Line Interface (CLI).

  1. Click NetScaler to download the setup script. This script is a diagnostic tool designed to configure and analyze your NetScaler Gateway for the Secure Private Access deployment, and collect the required information. For more information, see NetScaler Gateway Analyzer.

    The script file name has the following format:

    gateway_analyzer_<tenant-id>_<timestamp>.tar.gz

  2. Use an SCP client (like scp or WinSCP) to copy the downloaded *.tar.gz file to your NetScaler.

  3. Place the file in the /var/tmp/ directory.

  4. Log in to your NetScaler’s command-line interface (CLI) using SSH (for example with PuTTY) with administrative (nsroot) privileges.

  5. Type “shell” on the CLI prompt to access the NetScaler shell. Navigate to the temporary directory:

cd /var/tmp/

  1. Extract the archive.

    Note:

    Your file name is specific to your download.

    tar -xzf gateway_analyzer_<tenant-id>_<timestamp>.tar.gz

  2. The tar command creates a directory. Use ls to see the new folder’s name, then navigate into it.

  3. Run the analyzer script using python3:

    python3 analyzer.py

  4. When the script prompts for the Shared Secret:

    1. Return to the Secure Private Access setup page in your browser.

    2. Copy the Shared Secret from the Set up NetScaler Gateway section (the one you saved in the earlier step).

    3. Paste the secret into the CLI and press Enter.

    Note:

    The Shared Secret is a password field. Characters are not visible on the screen as you paste or type. This is expected.

  5. After the script is successfully run, it generates an analysis report in the current folder.

  6. Download and save this report using scp/winscp. You need it for the Analyzer in Step 3.

StoreFront script

Note:

This step is optional for CSA-only mode, that is, if CEP configuration is skipped in step 1.

  1. Click StoreFront to download the PowerShell script.

  2. This script is a diagnostic tool designed to:

    1. Analyze your on-premises StoreFront configuration.

    2. Collect the information needed for your deployment.

    Warning:

    Administrator and execution policy required: You must run this PowerShell script with administrator privileges (example, right-click and “Run as Administrator”).

    Additionally, you might need to adjust the PowerShell execution policy to allow the script to run. If necessary, you can do so by running Set-ExecutionPolicy Bypass (or an appropriate policy for your organization) from an elevated PowerShell prompt.

    The script file name has the following format:

    storefront_analyzer_<tenant-id>_<timestamp>.zip.

  3. Copy the downloaded .zip file to your StoreFront server.

  4. On the StoreFront server, extract the contents of the .zip file (for example, to a folder like C:\temp\spa-sf-script).

  5. Open a PowerShell window with Administrator privileges (right-click, “Run as Administrator”).

  6. In the PowerShell window, navigate (using cd) to the directory where you extracted the script.

  7. Execute the script by running the following command:

    .\CollectAnalyzerStorefrontInfo.ps1

Once the script is successfully run, it generates an analysis report. Download and save it for the next step.

Upload reports and analyze configuration

You can now upload the reports generated by the on-premises scripts to validate your configuration.

  1. Click Analyze.

  2. You are prompted to upload your analysis reports. Upload the two files that you generated:

    • The NetScaler analysis report.

    • The StoreFront analysis report.

  3. Once both files are successfully uploaded, click Analyze.

  4. Wait for the analysis to complete. The system displays the Success/Failed results for all checks.

  5. Review the analysis results:

    1. If all analyzer steps have passed: You have successfully validated your configuration and can proceed to the next step.

      Analyzer - pass

    2. If any of the steps failed:

      1. The report suggests remediation steps.

      2. Follow the suggested instructions to fix the error on the failed component (NetScaler or StoreFront).

      3. After fixing the issues, re-run the diagnostic script on that component to generate a new report.

      4. Return to this step and re-upload the new analysis report.

      Analyzer-fails

Complete onboarding and publish applications

Click Next: Publish applications to complete and exit the setup wizard.

This completes your initial hybrid onboarding.

Step 3: Configure and analyze
November 26, 2025
Contributed by: 
C
November 26, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.