System requirements and prerequisites
Ensure that your product meets the minimal version requirements.
| Product | Minimum version |
|---|---|
| Citrix Workspace app
|
Windows – 2403 and later |
| macOS – 2402 and later | |
| StoreFront | 2402, 2407 and later |
| NetScaler
|
13.1, 14.1, and later. It is recommended to use the latest builds of the NetScaler Gateway version 13.1 or 14.1 for optimized performance. |
|
Note:
|
|
| Citrix Secure Access client
|
Windows client - 24.6.1.17 and later |
| macOS client - 24.06.2 and later | |
| For details, see Citrix Secure Access client. | |
| Also, see Features and platforms supported by Citrix Secure Access client. | |
| Citrix Cloud Connector | See Cloud Connector for hybrid deployment. |
| Communication ports | Ensure that you have opened the required ports for the Secure Private Access provider. For details, see Communication ports. |
Prerequisites
-
For the Secure Private Access admin console access, ensure that the following requirements are met:
- Citrix Cloud account. For details, see Create a Citrix Cloud account.
- Secure Private Access service entitlement.
-
Ensure to get the Secure Private Access service in Cloud Connector enabled.
Once the Cloud Connector is updated, the Secure Private Access service is disabled. To enable the feature, customers must contact Citrix Support. Once enabled, the service status changes to Running and the Secure Private Access service automatically starts on the connector machine.
-
For creating or updating an existing NetScaler Gateway, ensure that you have the following details:
- StoreFront store URLs to enter during the setup.
- Store on StoreFront must have been configured and the Store service URL must be available. The format of the Store service URL is
https://store.domain.com/Citrix/StoreSecureAccess. - NetScaler Gateway virtual IP address, FQDN, and NetScaler Gateway callback URL (optional) that are required for versions 13.0, 13.1.48.47 and later, 14.1.4.42 and later.
- IP address and FQDN of the Secure Private Access provider host machine (or a load balancer if the Secure Private Access provider is deployed as a cluster).
- Authentication profile name and authentication virtual server name configured on NetScaler.
- SSL server certificate configured on NetScaler.
- Domain name.
- Certificate configurations are complete. Admins must ensure that the certificate configurations are complete and the certificates are trusted. The Secure Private Access provider configures a self-signed certificate if no certificate is found in the machine.
Communication ports
The following table lists the communication ports that are used by the Secure Private Access provider.
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| NetScaler Gateway
|
Secure Private Access provider | HTTPS | 443 | Application authorization validation |
| StoreFront | HTTPS | 443 | Authentication and Application enumeration | |
| Web applications | HTTPS | 443 | NetScaler Gateway communication to configured Secure Private Access applications (Ports can differ based on the application requirements) | |
| StoreFront | Cloud Connector | TCP | 8443 | Unless the customer is using custom ports |
| Secure Private Access provider | Cloud Connector | TCP | 8443 | Unless the customer is using custom ports |
| Cloud Connector | Internet | TCP | 443 | See Connectivity requirements |
| User device | NetScaler Gateway | HTTPS | 443 | Communication between the end-user device and NetScaler Gateway |
Features and platforms supported by Citrix Secure Access client
Unsupported features: The following features are not supported by the Citrix Secure Access client in the hybrid deployment.
- Always On before Windows Logon (machine tunnel)
- DNS-TCP
- Intranet IP
- Server initiated connections
Unsupported platforms: The following platforms are not supported by the Citrix Secure Access client in the hybrid deployment.
- Linux
- iOS
- Android