System requirements and prerequisites
Software version requirements
The following software versions are required for the Secure Private Access hybrid configuration:
-
NetScaler: 14.1–56.109
Reach out to your account specialist to get this NetScaler build.
- StoreFront: 2507 LTSR CU1 or 2511 CR and later
- Cloud Connector: 6.141.0 / 4.420.200 and later
The following minimum software versions are required on the end user devices:
-
For web/SaaS applications:
- Google Chrome: 142
- Citrix Workspace app for Windows: 2507.1 LTSR or 2508
- Citrix Workspace app for Mac: 2508.10
-
For TCP/UDP applications:
- Citrix Secure Access for Windows: 25.5.1.15
- Citrix Secure Access for Mac: 25.11.1.1
-
For endpoint analysis (EPA):
- EPA client for Windows: 25.10.1.7
- EPA client for Mac: 25.10.3
Firewall requirements
The following firewall requirements assume that the standard HTTPS port 443 is used for StoreFront servers and the StoreFront load balancer. If a non-standard port is used, adjust the port settings accordingly.
| Source | Source IP | Destination | Protocol | Port | Description |
|---|---|---|---|---|---|
| Internet | Any | NetScaler Gateway | TCP | 443 | - |
| StoreFront servers | StoreFront server machine IP address | Secure Private Access load balancer | TCP | 443 | - |
| Cloud Connector | Cloud Connector machine IP address | Active Directory | TCP | 389 or 636 | - |
If same NetScaler contains gateway and load balancers for StoreFront and Secure Private Access configurations:
| Source | Source IP | Destination | Protocol | Port | Description |
|---|---|---|---|---|---|
| NetScaler | NetScaler Subnet IP (SNIP) address | StoreFront servers | TCP | 443 | - |
| NetScaler | NetScaler Subnet IP (SNIP) address | Cloud Connector | TCP | 8443 | Assuming the default port is used for Secure Private Access |
| NetScaler | NetScaler Subnet IP (SNIP) address | NetScaler outbound proxy | TCP | Depends on the outbound proxy port | - |
| NetScaler | NetScaler Subnet IP (SNIP) address | Backend applications (Web app or client/server apps) | Depends on the back-end application protocol | Depends on the back-end application port | - |
If different NetScalers are used for gateway and load balancers for StoreFront and Secure Private Access configurations:
| Source | Source IP | Destination | Protocol | Port | Description |
|---|---|---|---|---|---|
| NetScaler Gateway | NetScaler Subnet IP (SNIP) address | StoreFront Load balancer | TCP | 443 | - |
| StoreFront load balancer | StoreFront load balancer IP address | StoreFront servers | TCP | 443 | - |
| NetScaler Gateway | NetScaler Subnet IP (SNIP) address | Secure Private Access load balancer | TCP | 443 | - |
| Secure Private Access load balancer | Secure Private Access load balancer IP | Cloud Connectors | TCP | 8443 | Assuming the default port is used for Secure Private Access |
| NetScaler Gateway | NetScaler Subnet IP (SNIP) address | NetScaler outbound proxy | TCP | Depends on the outbound proxy port | - |
| NetScaler Gateway | NetScaler Subnet IP (SNIP) address | Backend applications (Web app or client/server apps) | Depends on the backend application protocol | Depends on the back-end application port | - |