Prerequisites
To ensure optimal integration between the Citrix Workspace™ application and Chrome Enterprise Premium, the following prerequisites must be met. Successful completion of these prerequisites results in a more efficient and seamless experience when launching applications from the Citrix Workspace app or the web-based user interface.
NetScaler prerequisites
Chrome Enterprise Premium + Citrix Secure Access deployment
- Ensure that a NetScaler Gateway exists with the required settings for Citrix Desktop as a Service (DaaS). This NetScaler Gateway is used to enumerate Secure Private Access apps and DaaS apps in Citrix Workspace App/Citrix Receiver for Web.
  - To create Gateway using the wizard, see Setting up NetScaler for Citrix Virtual Apps and Desktops.
  - To set up NetScaler Gateway, see How to configure NetScaler.
- Ensure that a new public IP address and the corresponding private IP address exist for the new fully qualified domain name (FQDN). The public IP must be NATed to the private IP. This information is used to configure a new NetScaler Gateway for Secure Private Access apps. This Gateway FQDN is used to access private web apps using a managed Chrome profile. End users can also connect to the gateway using this FQDN from Citrix Secure Access client to access internal apps. This private IP address must be used in the Internal IP address field in the UI. For more information, see Get started with Secure Private Access hybrid deployment.
- Ensure that you have an SSL server certificate for the NetScaler Gateway. The certificate must include the necessary Fully Qualified Domain Names (FQDNs), including the FQDN for the new Secure Private Access NetScaler Gateway. See NetScaler configuration for the relevant configuration details.
- Ensure that an authentication profile is configured on NetScaler. You can use an existing authentication profile and the corresponding authentication virtual server as well. See Configure authentication for details.
Note:
For using NetScaler Gateway as an IdP for Google OIDC, see Open ID Connect profile to use NetScaler Gateway as the IdP.
Citrix Secure Access only deployment
- A new public IP address and the corresponding private IP address must exist for the new fully qualified domain name (FQDN). The public IP must be NATed to the private IP address. This information is used to configure a new NetScaler Gateway for Secure Private Access apps. This gateway FQDN is used to access private web apps using a managed Chrome profile. End users can also connect to the gateway using this FQDN from Citrix Secure Access client to access internal apps. This private IP address must be used in the Internal IP address field in the UI. For more information, see Get started with Secure Private Access hybrid deployment.
- You must have an SSL server certificate for the NetScaler Gateway. The certificate must include the necessary Fully Qualified Domain Names (FQDNs), including the FQDN for the new Secure Private Access NetScaler Gateway. See NetScaler configuration for the relevant configuration details.
- Ensure that an authentication profile is configured on NetScaler. An existing authentication profile and the corresponding authentication virtual server can also be used. See Configure authentication to create a new authentication profile.
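Both deployment types above require the gateway certificate to include every FQDN in use, including the new Secure Private Access gateway FQDN. The following added example (not Citrix code) checks the Subject Alternative Name output of `openssl x509 -noout -ext subjectAltName` against a list of required FQDNs; all host names and the sample output are constructed placeholders.

```python
import re

# Constructed sample of `openssl x509 -in cert.pem -noout -ext subjectAltName`
# output; the names are placeholders, not values from a real deployment.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:gateway.example.com, DNS:*.apps.example.com, IP Address:192.0.2.10
"""

# Assumed FQDNs the certificate has to serve (placeholders): the existing
# DaaS gateway plus candidate names for the new Secure Private Access gateway.
REQUIRED_FQDNS = [
    "gateway.example.com",
    "spa.apps.example.com",
    "spa.gw.apps.example.com",
    "spa-gateway.example.com",
]


def parse_dns_sans(openssl_output):
    """Extract the DNS entries from the subjectAltName text."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def san_covers(san, fqdn):
    """True if one SAN entry covers the FQDN."""
    san, fqdn = san.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not san.startswith("*."):
        return san == fqdn
    # A wildcard stands for exactly one left-most label, so
    # *.apps.example.com does not cover spa.gw.apps.example.com.
    head, _, rest = fqdn.partition(".")
    return bool(head) and rest == san[2:]


def missing_fqdns(openssl_output, required):
    """Return the required FQDNs that no SAN entry covers."""
    sans = parse_dns_sans(openssl_output)
    return [f for f in required if not any(san_covers(s, f) for s in sans)]


if __name__ == "__main__":
    for name in missing_fqdns(SAMPLE_SAN_OUTPUT, REQUIRED_FQDNS):
        print("not covered by certificate:", name)
```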
Cloud Connector prerequisites
- Ensure that the Secure Private Access service is enabled on the Cloud Connector. Reach out to Citrix Support if you need help.
- Ensure that the outbound calls to Connector Common and Secure Private Access FQDNs are allowed from Cloud Connectors on port 443. For more details, see System and Connectivity Requirements for Cloud Connectors.
See Cloud Connector configuration for details.
StoreFront prerequisites
- Ensure that a Store is created on StoreFront with remote access enabled (NetScaler Gateway is configured). See StoreFront documentation.
- Add Secure Private Access as a site in your StoreFront store:
  - Open your store and select Manage Sites.
  - Click Add Site, choose Secure Private Access as the type, and enter the display name and the Secure Private Access load balancer FQDN.
Note:
StoreFront is optional if you are using Secure Private Access only for TCP/UDP (client/server) applications.
See StoreFront Configuration for details.
Secure Private Access prerequisites
- Ensure that a Windows Cloud Connector inbound rule allows port 8443 from the data center network. Citrix Secure Private Access exposes a plain HTTP service at port 8443.
- Ensure that the internal load balancer for Citrix Secure Private Access targets the Cloud Connector backend on port 8443.
- Ensure that an SSL Bridge or SSL Offload is configured on the internal load balancer for Citrix Secure Private Access.
See Secure Private Access service for details.
Google prerequisites
Chrome Enterprise Premium license
Ensure that you have an active Chrome Enterprise Premium license, available through the Citrix Cloud Platform License (CPL) program.
Google Workspace Admin console
- Google customer ID: Obtain your Google Customer ID from the Google Admin console. This ID is required to configure Google services and integrations. Your customer ID can be retrieved through Account > Account Settings in the Google Admin console.
- Create a custom role in the Google Admin console: To onboard customers to Chrome Enterprise Premium (CEP) and enable Google Chrome integration, admins must create a custom role and assign the appropriate privileges in the Google Admin console. For details, see Admin roles and privileges.
- Proxy mode configuration: Set the proxy mode to Allow user to configure proxy. Avoid restrictive options such as No proxy, OS proxy, or Use this proxy only.
Note:
If the Google Admin console is set to use system proxy settings, the managed profile cannot apply the required proxy configuration for Citrix Secure Private Access, and the integration with Chrome Enterprise Premium fails.
- Restrict DevTools extensions: Chrome DevTools for force-installed extensions must be disabled to prevent exposure of sensitive data. This is the default option in the Google Admin console.
- Access restrictions are now configured in Google Admin console for Chrome Enterprise Premium: Access restrictions that were previously configured in the Secure Private Access console only apply to Citrix Enterprise Browser. When Google Chrome is the enterprise browser, access restrictions must be configured as policies and rules in the Google Admin console.
  - Policies are configured in the Google Admin console > Devices > Chrome > Settings. These settings allow you to manage browser settings, such as blocking JavaScript and the allow list of printers.
  - Rules are configured in Google Admin console > Rules. These rules are advanced settings related to DLP, such as adding a watermark, blocking the download of files with social security numbers, and URL filtering.
For details on creating policies and rules in the Google Workspace Admin console, see the following topics:
-
- License: Ensure that you have an active Chrome Enterprise Premium license, available through the Citrix Cloud Platform License (CPL) program.
Google Chrome
Managed Chrome profiles
All end users must access Chrome using a managed profile. Managed profiles ensure that Chrome policies, extensions, and security settings are enforced on user devices.
Synchronize user directory configured in Citrix Workspace with the Google Cloud user directory
You must synchronize the user directory configured in Citrix Workspace or StoreFront with the Google Cloud user directory. Specifically, the following user directories are supported:
- Active Directory
- Microsoft Entra ID (previously known as Azure Active Directory)
Note:
Synchronize the user directory periodically to ensure that application access is appropriately enforced.
Populate Email Address fields (mandatory)
The Google Cloud user directory requires the email address field to be populated. To be synchronized with the Google Cloud user directory, a user or group object in Secure Private Access must have an email address. Otherwise, the synchronization fails.
Ensure that all users that require access to the integrated Chrome Enterprise Premium and Secure Private Access offering, as well as all groups involved in access security policies, have the email address field populated. The email address domain part must be a domain that is configured and verified in your Google Admin console.
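The two requirements above (email address populated, domain verified in the Google Admin console) can be checked before a synchronization run. The following added example (not Citrix or Google code) scans a directory export and lists the users and groups that fail either requirement; the CSV column names, the sample rows and the verified domain are constructed assumptions.

```python
import csv
import io

# Constructed sample export (not real data). The column layout
# (type, name, mail) is an assumption about how the directory was exported.
SAMPLE_EXPORT = """type,name,mail
user,alice,alice@example.com
user,bob,
group,spa-finance,spa-finance@corp.example.net
group,spa-hr,spa-hr@example.com
user,carol,Carol@EXAMPLE.com
user,dave,dave@@example.com
"""

# Assumption: the domains verified in the Google Admin console (placeholder).
VERIFIED_DOMAINS = {"example.com"}


def find_sync_blockers(export_text, verified_domains):
    """Return (name, reason) for each object that fails the email requirements."""
    verified = {d.lower() for d in verified_domains}
    blockers = []
    for row in csv.DictReader(io.StringIO(export_text)):
        mail = (row.get("mail") or "").strip()
        if not mail:
            blockers.append((row["name"], "email address field is empty"))
            continue
        # Split on the last "@"; a second "@" or an empty part is malformed.
        local, sep, domain = mail.rpartition("@")
        if not sep or not local or "@" in local or not domain:
            blockers.append((row["name"], "email address is malformed"))
            continue
        # Domain comparison is case-insensitive.
        if domain.lower() not in verified:
            blockers.append(
                (row["name"], f"domain {domain.lower()} is not verified")
            )
    return blockers


if __name__ == "__main__":
    for name, reason in find_sync_blockers(SAMPLE_EXPORT, VERIFIED_DOMAINS):
        print(f"{name}: {reason}")
```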
Active Directory sync
You must synchronize your AD with the Google Cloud user directory to ensure seamless integration and consistent user management across your enterprise using the Google Cloud Directory Sync.
For details on how to sync your AD with Google Cloud to include custom AD fields under the custom schema “Citrix-schema”, see Connect Google Cloud Identity as an identity provider to Citrix Cloud.
Microsoft Entra ID
You must synchronize your Microsoft Entra ID with the Google Cloud user directory for user and group management across both Google and Microsoft cloud platforms. For details, see Get started with Directory Sync.
For more information, see Google Directory sync.