Route tables to resolve conflicts resulting from same related domains

The application domains feature of the Citrix Secure Private Access service enables customers to make routing decisions that allow related domains of applications to be routed externally or internally through Connector Appliances.

Consider that the customer has configured the same related domains within both a SaaS app and an internal web app. For example, if Okta is the SAML IdP for both Salesforce (SaaS app) and Jira (internal web app), then the admin might configure *.okta.com as a related domain in both apps’ configuration. This leads to a conflict and the end user experiences inconsistent behavior. In this scenario, the admin can define rules to route these applications either externally or internally through the Connector Appliances, as per the requirement.

How the route table works

The admins can define the following route types for the apps depending on how they want to define the traffic flow.

  • Internal – Bypass Proxy - The domain traffic is routed through Citrix Cloud Connector, bypassing the customer’s web proxy configured on the Connector Appliance.
  • Internal via Connector - The apps are external but the traffic must flow through the Connector Appliance to the outside network.
  • External – The traffic flows directly to the internet.

Note:

  • Route entries do not impact the security policies that are configured on the apps.
  • If admins do not intend to use an entry in the route table or if the corresponding apps are not working as intended, admins can simply disable the entry instead of deleting it.
  • All Connector Appliances for a particular customer, irrespective of the app type, get the SSO settings. Previously, the SSO setting for a particular app was tied to a resource location.

Main route table

The main routing table in the Secure Private Access console (Settings > Application Domains) is a view-only dashboard that gives you all details about the configured domains in all the applications. This can be used to see the following information for any domain:

  • FQDN/IP: FQDN or the IP address for which the type of traffic routing is desired to be configured.
  • Type: App type. Internal, Internal – Bypass Proxy, or External as selected when adding the app.

    Important:

    If there are conflicts, then an alert icon is displayed for the respective row in the table. To resolve the conflict, admins must click the triangular icon and change the app type from the main table.

  • Resource location: Resource location for routing of type Internal. If a resource location is not allocated, a triangular icon appears in the Resource location column for the respective app. When you hover over the icon, the following message is displayed.

    Missing resource location. Ensure that a resource location is associated with this FQDN.

  • Status: The toggle switch in the Status column can be used to disable the route for a route entry without deleting the app. When the toggle switch is turned OFF, the route entry does not take effect. If exact-match FQDNs exist, admins can select which route to enable or disable.
  • Comments: Displays comments, if any.
  • Actions: The edit icon is used to add a resource location or change the type of route entry. The delete icon is used to delete the route.
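The conflict and the alerts described above can be modelled in a few lines. The following is an added example, not Citrix code and not a call into any Citrix API: it merges the domains of several apps into one route table keyed by FQDN, flags rows where apps disagree on the route type (the alert icon) and Internal rows with no resource location, lets the admin resolve a conflict by picking one type, and honours the Status toggle. The app names, domains and resource location are constructed sample values; wildcard matching with `fnmatch` and exact-over-wildcard precedence in `lookup` are assumptions the page does not state.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

# Route types as named on the page.
INTERNAL = "Internal"
INTERNAL_BYPASS_PROXY = "Internal - Bypass Proxy"
EXTERNAL = "External"

MISSING_RL = ("Missing resource location. Ensure that a resource "
              "location is associated with this FQDN.")


@dataclass
class AppConfig:
    """One configured app: the app URL is the first row of the mini table,
    the related domains are the remaining rows."""
    name: str
    app_url: str
    related_domains: List[str]
    route_type: str
    resource_location: Optional[str] = None

    def domains(self) -> List[str]:
        # An app URL that equals a related domain is shown as a single row.
        seen: Set[str] = set()
        out: List[str] = []
        for d in [self.app_url, *self.related_domains]:
            d = d.lower()
            if d not in seen:
                seen.add(d)
                out.append(d)
        return out


@dataclass
class RouteEntry:
    """One row of the main route table."""
    fqdn: str
    requested_types: Set[str] = field(default_factory=set)  # one per app declaring it
    apps: List[str] = field(default_factory=list)
    resource_location: Optional[str] = None
    enabled: bool = True  # the Status toggle; OFF means the route does not take effect

    @property
    def route_type(self) -> Optional[str]:
        """The single effective type, or None while apps still disagree."""
        if len(self.requested_types) == 1:
            return next(iter(self.requested_types))
        return None

    def alerts(self) -> List[str]:
        """Alert icons the main table would show on this row."""
        out: List[str] = []
        if len(self.requested_types) > 1:
            out.append("Conflict: " + ", ".join(sorted(self.requested_types)))
        if self.route_type == INTERNAL and not self.resource_location:
            out.append(MISSING_RL)
        return out


def build_route_table(apps: List[AppConfig]) -> Dict[str, RouteEntry]:
    """Merge every app's domains into one main route table keyed by FQDN."""
    table: Dict[str, RouteEntry] = {}
    for app in apps:
        for fqdn in app.domains():
            entry = table.setdefault(fqdn, RouteEntry(fqdn))
            entry.requested_types.add(app.route_type)
            entry.apps.append(app.name)
            if entry.resource_location is None and app.resource_location:
                entry.resource_location = app.resource_location
    return table


def resolve_conflict(table: Dict[str, RouteEntry], fqdn: str, route_type: str,
                     resource_location: Optional[str] = None) -> RouteEntry:
    """Admin action from the main table: pick one type for a conflicting row."""
    entry = table[fqdn]
    entry.requested_types = {route_type}
    if resource_location:
        entry.resource_location = resource_location
    return entry


def lookup(table: Dict[str, RouteEntry], host: str) -> Optional[str]:
    """Effective route type for a host, or None if no usable row matches.
    Assumption (not stated on the page): an exact-match row wins over a
    wildcard row, and rows that are disabled or still carry an alert are skipped."""
    host = host.lower()
    usable = [e for e in table.values() if e.enabled and not e.alerts()]
    for e in usable:
        if e.fqdn == host:
            return e.route_type
    for e in usable:
        if e.fqdn.startswith("*.") and fnmatchcase(host, e.fqdn):
            return e.route_type
    return None


if __name__ == "__main__":
    # Constructed sample: both apps declare *.okta.com with different types.
    apps = [
        AppConfig("Salesforce", "login.salesforce.com", ["*.okta.com"], EXTERNAL),
        AppConfig("Jira", "jira.corp.example", ["*.okta.com"], INTERNAL, "RL-HQ"),
    ]
    table = build_route_table(apps)
    for row in table.values():
        print(row.fqdn, row.route_type, row.resource_location, row.alerts())
    resolve_conflict(table, "*.okta.com", INTERNAL)
    print("acme.okta.com ->", lookup(table, "acme.okta.com"))
```

Running the script shows the `*.okta.com` row with a conflict alert and no effective type until the admin resolves it; after `resolve_conflict` the row inherits the resource location Jira supplied and `lookup` returns Internal for any Okta host, while flipping `enabled` to False makes the row stop taking effect without deleting it.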

Mini route table

A mini version of the Application Domains table is available to make the routing decisions during app configuration. The mini route table is available in the App Connectivity section of the Citrix Secure Private Access service user interface.

To add routes to the mini route table

The steps to add an app in the Citrix Secure Private Access service remain the same as described in the topics Support for software as a service apps and Support for Enterprise web apps, except for the following two changes:

  1. Complete the following steps:
    • Choose a template.
    • Enter app details.
    • Choose enhanced security details, as applicable.
    • Select the single sign-on method, as applicable.
  2. Click App Connectivity. A mini version of the Application Domains table is available to make the routing decisions during app configuration.

    • Domains: The Domains column displays one or more rows for a particular app. The first row displays the actual app URL that the admin has entered while adding the app details. The other rows are all related domains that are entered while adding the app details. If the app URL and the related domains are the same, they are displayed in one row.

    One row displays the SAML assertion URL, if SAML SSO is selected.

    • Type: Select one of the following options.
      • Internal – Bypass Proxy - The domain traffic is routed through Citrix Cloud Connector, bypassing the customer’s web proxy configured on the Connector Appliance.
      • Internal via Connector - The apps are external but the traffic must flow through the Connector Appliance to the outside network.
      • External – The traffic flows directly to the internet.
    • Resource Location: Autopopulated when you select the type Internal for an app. Change it if a different resource location is desired.
    • Connector Appliance Status: Autopopulated, along with resource location, when you select the type Internal for an app.