Secure Private Access for on-premises

As Citrix StoreFront and NetScaler Gateway customers, you can now access the Web and SaaS apps seamlessly along with Citrix Virtual Apps and virtual desktops using the Citrix Secure Private Access solution for on-premises deployments. The solution enables you to adopt the Zero Trust Network Access (ZTNA) solution in a phased manner. You can also route and control data traffic through your own WAN or private links or both, and also retain part of your deployments on-premises.

In addition, the Secure Private Access solution for on-premises provides the following benefits:

  • No changes required to the existing architecture or deployments to use this solution.
  • Enables single sign-on to the apps and reduces the dependency on the traditional VPNs.
  • Enables use of Citrix Enterprise Browser that provides enhanced security controls for applications.
  • Enables contextual security controls based on the context (user group, device, network location).

System requirements

Ensure that your product meets the minimal version requirements.

  • Citrix Workspace app
    • Windows – 2308 and later
    • macOS – 2308 and later
  • StoreFront – LTSR 2203 or CR 2212 and later
  • NetScaler – 13.0, 13.1, 14.1, and later


For creating or updating an existing NetScaler Gateway, ensure that you have the following details:

  • NetScaler Gateway IP address and FQDN
  • IP address and FQDN of the SPA plug-in host machine (or load balancer if Secure Private Access plug-in is deployed as a cluster)
  • Base URL of the StoreFront server or server group. If creating a new gateway, the store on StoreFront must have been configured and the Store service URL must be available. The format of Store service URL is
  • Authentication profile name configured on NetScaler
  • SSL server certificate configured on NetScaler
  • Domain name


Secure Private Access for on-premises