Load balancer and TLS for Secure Private Access
We recommend that you configure load balancers for the Secure Private Access service. Citrix Secure Private Access uses HTTP on port 8443 on the Cloud Connector. This setup is suitable when a load balancer is configured with full SSL offload and a TLS/SSL certificate. Alternatively, you can configure a load balancer with SSL bridge to forward encrypted traffic to the Secure Private Access service.
Load balancer with SSL bridge
To configure a NetScaler load balancer with SSL bridge, see Configure SSL bridging.
Note:
In this case, you must enable TLS for the Secure Private Access service on the Cloud Connector, because the load balancer forwards the encrypted traffic without terminating it.
Load balancer with SSL offload
To configure a NetScaler load balancer with SSL offload, see Configure SSL offloading.
The virtual server intercepts and decrypts the incoming SSL traffic and forwards it to the bound service. To enable SSL offloading, you must import a valid certificate and key and bind the pair to the virtual server.
Note:
In an SSL offload configuration, the traffic between the load balancer and the Secure Private Access service is unencrypted HTTP.
Enable TLS for Secure Private Access
Perform the following steps to configure the Citrix Secure Private Access service over TLS:
- Install the TLS certificate in the Cloud Connector local machine personal certificate store.
- Grant the Network Service account permission to access the installed certificate. You can do this by using the Microsoft Management Console (MMC):
  - Open the Microsoft Management Console.
  - Add the Certificates snap-in for the local computer account, follow the wizard, and click OK.
  - In the Microsoft Management Console, go to Console Root -> Certificates -> Personal -> Certificates.
  - Right-click the certificate that you want to configure for Secure Private Access.
  - Click All Tasks -> Manage Private Keys.
  - In the Permissions window, click Add and then search for the Network Service account.
  - Choose the permission Read only.
  - Click OK.
- Copy the thumbprint from Certificate Details.
- After copying the thumbprint, perform the following steps to enable TLS:
  - Navigate to the Citrix Secure Private Access installation folder (default path: C:\Program Files\Citrix\AccessSecurityService).
  - Run .\Citrix.AccessSecurityService.exe /CERTIFICATE_THUMBPRINT <ThumbprintValue>
  - Restart the Citrix Secure Private Access service.
- After the command runs successfully, the Secure Private Access service must be running as a TLS service. To confirm, enter the following URL in the browser:
  https://<Cloud connector address>:<port>/secureAccess/health
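The same procedure scripted in PowerShell, as an added example that is not Citrix's own tooling: it locates the certificate by thumbprint, grants NETWORK SERVICE read access to its private key (what the Manage Private Keys steps do in MMC), registers the thumbprint with the command from the steps above, restarts the service and checks the health endpoint. It assumes an RSA certificate already in LocalMachine\My, the default installation folder, and that the service can be matched on a display name containing "Secure Private Access"; the connector address and port are placeholders you supply.

```powershell
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $ConnectorAddress,   # placeholder, e.g. the connector FQDN
    [Parameter(Mandatory)] [int]    $Port,               # placeholder, the TLS port you exposed
    [string] $InstallDir = 'C:\Program Files\Citrix\AccessSecurityService'
)

# Thumbprints copied from MMC often carry spaces or a hidden leading character; normalise.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Find the certificate in the local machine personal store and confirm it has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; TLS cannot be enabled" }

# 2. Grant NETWORK SERVICE read access to the private key file (assumes an RSA key).
#    CNG keys are stored under ...\Crypto\Keys, legacy CAPI keys under ...\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')   # Read only, as the procedure specifies
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Register the thumbprint with the service (command from the procedure) and restart it.
#    The Windows service name is not given in the documentation; matching on display name is an assumption.
& (Join-Path $InstallDir 'Citrix.AccessSecurityService.exe') /CERTIFICATE_THUMBPRINT $Thumbprint
if ($LASTEXITCODE -ne 0) { throw "Thumbprint registration failed with exit code $LASTEXITCODE" }
Get-Service -DisplayName '*Secure Private Access*' | Restart-Service

# 4. Confirm the service now answers over TLS on the health endpoint from the procedure.
$resp = Invoke-WebRequest -Uri "https://${ConnectorAddress}:${Port}/secureAccess/health" -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Health check returned HTTP $($resp.StatusCode)" }
"Secure Private Access is serving TLS; health endpoint returned HTTP $($resp.StatusCode)"
```

Run it from an elevated PowerShell session on the Cloud Connector; if the health check fails with a certificate error, the certificate's subject or SAN does not match the address you used, which also breaks the load balancer's SSL bridge configuration.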