Citrix Secure Private Access™ Hybrid Deployment

Post-onboarding tasks

November 25, 2025

Contributed by:

Configure applications

Your next immediate task is to publish your first application. It is recommended that you test your setup by publishing at least one internal web application or one TCP/UDP application. Follow the detailed instructions in the Apps Configuration and Management.

Configure access policies

In the Secure Private Access admin console, navigate to Policies > Access Policies.
Create an access policy for your application, making sure to define the User conditions.
See the Access policies configuration and management for complete details.

Synchronize the configuration

After saving the changes (new applications or policies), the Secure Private Access component inside your on-premises Cloud Connectors must synchronize this new configuration from Citrix Cloud.

This process typically takes up to 10 minutes to complete.

How to verify: It is recommended to check if the new configuration has been applied by using the Policy Modeling tool (under Policies > Policy Modeling) to see if your new policies are active.

Access your applications (end users)

This section captures information about how end users access published applications on their devices.

Supported Devices:

Web/SaaS applications (via Google Chrome managed profile) are accessible from any desktop OS.

On Linux, iOS, and Android devices, Web/SaaS applications are accessible via the Citrix Secure Access client.
TCP/UDP applications (via the Citrix Secure Access client) are supported on Windows, macOS, Linux, iOS, and Android.

Accessing Web and SaaS applications

There are three primary ways for users to access their web applications on desktop devices. All these methods will automatically launch the app in the Google Chrome managed profile.

Method A: Using Chrome browser with managed profile (recommended)

This is the most seamless experience for the user.

Launch the Google Chrome browser.
If this is your first time, add a new browser profile using the corporate email address that is configured on the access policy. This creates a managed profile.
In the managed profile, navigate to your NetScaler Gateway URL (the one configured for StoreFront in Step 2).
Log in to your store.
Click a Web or SaaS application icon to launch it.

The app launches in a new tab in the managed profile.

Method B: Using a non-managed web browser

Note:

This method requires a supported version of the Citrix Workspace app to be installed on the desktop device.

Launch any browser of your preference (for example, non-managed Chrome, Edge, Firefox).
Navigate to your NetScaler Gateway URL (the one configured for StoreFront in Step 2).
Log in to your store.
Click a Web or SaaS application icon to launch it.
The browser displays a dialogue prompting you to open the Citrix Workspace App.
Click Continue or Open.
Citrix Workspace app takes over and launches the application in the Google Chrome managed profile. If a profile is not already created, a setup screen with your email address pre-populated appears for you to complete the profile.

Method C: Using Citrix Workspace app

Launch the Citrix Workspace App on your device.
If not already configured, add your store using the NetScaler Gateway URL (the one configured for StoreFront in Step 2).
Log in to your store.
You can see your list of enumerated applications.
Click a Web or SaaS application icon to launch it. The application automatically opens in the managed Google Chrome profile.

Accessing TCP/UDP (client/server) applications

Accessing TCP/UDP applications requires the Citrix Secure Access client.

You must install Citrix Secure Access with the supported version on the endpoint device.

Connect the Secure Access Client

Launch the Citrix Secure Access client.
When prompted for a URL, enter the Secure Private Access Gateway URL (the FQDN configured in Step 2).
Complete the login and authentication prompts.
The client connects and then runs securely in the background.

Launch your published applications

You can now use your native client software directly if allowed by Secure Private Access policies. For example:

Open Microsoft Remote Desktop and connect to the internal host name of your RDP server.
Open an SSH client and connect to the internal IP of your Linux server.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Post-onboarding tasks

November 25, 2025

Contributed by:

November 25, 2025

Contributed by:

Post-onboarding tasks

Configure applications

Configure access policies

Synchronize the configuration

Access your applications (end users)

Accessing Web and SaaS applications

Method A: Using Chrome browser with managed profile (recommended)

Method B: Using a non-managed web browser

Method C: Using Citrix Workspace app

Accessing TCP/UDP (client/server) applications

Connect the Secure Access Client

Launch your published applications

In this article