Citrix Secure Private Access™ Hybrid Deployment

Load balancer and TLS for Secure Private Access

September 6, 2025

Contributed by:

We recommend that you configure load balancers for the Secure Private Access service. Citrix Secure Private Access uses HTTP on port 8443 on the Cloud Connector. This setup is suitable when a load balancer is configured with full SSL offload and a TLS/SSL certificate. Alternatively, you can configure a load balancer with SSL bridge to forward encrypted traffic to the Secure Private Access service.

Load balancer with SSL bridge

To configure NetScaler load balancer with SSL bridge, see Configure SSL bridging.

Note:

In this case it is required to enable TLS for Secure Private Access service on Cloud Connector.

Load balancer with SSL offload

To configure NetScaler load balancer with SSL offload, see Configure SSL offloading.

The virtual server intercepts and decrypts the incoming SSL traffic and forwards it to the bound service. To enable SSL offloading, you must import a valid certificate and key and bind the pair to the virtual server.

Note:

In an SSL offload configuration, the traffic between the load balancer and the Secure Private Access service is unencrypted HTTP.

Enable TLS for Secure Private Access

Perform the following steps to configure Citrix Secure Private Access™ service over TLS:

Install the TLS certificate in the Cloud Connector local machine personal certificate store.
Grant Network Service account permission to access the installed certificate. You can do this by using the Microsoft Management Console (MMC).
1. Open the Microsoft Management Console.
2. Add certificate snap-in for local computer account, follow the wizard, and click OK.
3. In the Microsoft Management Console, go to Console Root -> Certificates -> Personal -> Certificates.
4. Right-click the certificate that is required to configure for Secure Private Access.
5. Click All Tasks -> Manage Private Keys.
6. In the Permissions window, click Add and then search for the Network Service account.
7. Choose the permission Read only.
8. Click OK.
9. Copy the thumbprint from Certificate Details.
After copying the thumbprint, perform the following steps to enable TLS.
1. Navigate to the Citrix Secure Private Access installation folder (default path - C:\Program Files\Citrix\AccessSecurityService).
2. Run .\Citrix.AccessSecurityService.exe /CERTIFICATE_THUMBPRINT <ThumbprintValue>.
3. Restart the Citrix Secure Private Access service.
4. After the command is run successfully, the Secure Private Access service must be running as a TLS service. To confirm, enter the following URL in the browser:
https://<Cloud connector address>:<port>/secureAccess/health

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Load balancer and TLS for Secure Private Access

September 6, 2025

Contributed by:

September 6, 2025

Contributed by:

Load balancer and TLS for Secure Private Access

Load balancer with SSL bridge

Load balancer with SSL offload

Enable TLS for Secure Private Access

In this article