Citrix Secure Private Access

Support for client-server apps

Secure Private Access service enables you to access client-server applications that are present in your on-premises environment either using a native browser or a native client application via the Citrix Secure Access client running on your machine. For details, see the following sections:

Prerequisites

  • Citrix Secure Access client - For details, see Citrix Secure Access client.
  • Connector Appliance – Citrix recommends installing two Connector Appliances in a high availability set-up in your resource location. The connector can be installed either on-premises, in the data center hypervisor, or in public cloud. For more information on Connector Appliance and its installation, see Connector Appliance for Cloud Services. You must use a Connector Appliance for client-server apps. The Connector Appliance must have a DNS server configuration for DNS resolution.

Configure Secure Private Access for client-server apps

Important:

For a complete end-to-end configuration of an app, see Admin-guided workflow for easy onboarding and set up.

  1. On the Citrix Secure Private Access tile, click Manage.
  2. Click Continue and then click Add an app.

    Note:

    The Continue button appears only for the first time that you use the wizard. In the subsequent usages, you can directly navigate to the Applications page and then click Add an app.

    App is a logical grouping of destinations. We can create an app for multiple destinations – Each destination means different servers in the back end. For example, one app can have one SSH, one RDP, one Database server, and one Web server. You don’t have to create one app per destination, but one app can have many destinations.

  3. In the Choose a template section, click Skip to configure the TCP/UDP app manually.
  4. In the App Details section, select Inside my corporate network, enter the following details, and click Next.

    TCP app details

    • App type – Select TCP/UDP.
    • App name– Name of the application.
    • App icon– An app icon is displayed. This field is optional.
    • App description – Description of the app you are adding. This field is optional.
    • Destinations – IP Addresses or FQDNs of the back-end machines residing in the resource location. One or more destinations can be specified as follows.
      • IP address v4
      • IP address Range – Example: 10.68.90.10-10.68.90.99
      • CIDR – Example: 10.106.90.0/24
      • FQDN of the machines or Domain name – Single or wildcard domain. Example: ex.destination.domain.com, *.domain.com

        Important:

        End users can access the apps using FQDN even if the admin has configured the apps using the IP address. This is possible because the Citrix Secure Access client can resolve an FQDN to the real IP address. The following table provides examples of various destinations and how to access the apps with these destinations:

        Destination input How to access the app
        10.10.10.1-10.10.10.100 End user is expected to access the app only through IP addresses in this range.
        10.10.10.0/24 End user is expected to access the app only through IP addresses configured in the IP CIDR.
        10.10.10.101 End user is expected to access the app only through 10.10.10.101
        *.info.citrix.com End user is expected to access subdomains of info.citrix.com and also info.citrix.com (the parent domain). For example, info.citrix.com, sub1.info.citrix.com, level1.sub1.info.citrix.com Note: The wildcard must always be the starting character of the domain and only one *. is allowed.
        info.citrix.com End user is expected to access info.citrix.com only and no subdomains. For example, sub1.info.citrix.com is not accessible.
    • Port – The port on which the app is running. Admins can configure multiple ports or port ranges per destination.

      The following table provides examples of ports that can be configured for a destination.

      Port input Description
      * By default, the port field is set to “*” (any port). The port numbers from 1 to 65535 are supported for the destination.
      1300–2400 The port numbers from 1300 to 2400 are supported for the destination.
      38389 Only the port number 38389 is supported for the destination.
      22,345,5678 The ports 22, 345, 5678 are supported for the destination.
      1300–2400, 42000-43000,22,443 The port number range from 1300 to 2400, 42000–43000, and ports 22 and 443 are supported for the destination.

      Note:

      Wildcard port (*) cannot co-exist with port numbers or ranges.

    • Protocol – TCP/UDP
  5. In the App Connectivity section, a mini version of the Application Domains table is available to make the routing decisions. For each destination, you can choose a different or same resource location. Destinations configured in the previous step are populated under the DESTINATION column. Destinations added here are also added to the main Application Domains table. The Application Domains table is the source of truth for making the routing decision to direct connection establishment and traffic to the correct resource location. For more information on the Application Domains table and possible IP conflict scenarios, see Troubleshoot application domains IP address conflict.
  6. For the following fields, select an input from the drop-down menu and click Next.

    • TYPE: Select one of the following traffic routing types:

      • Internal via Connector: DNS resolution is done via the remote DNS server through the Secure Private Access service. Therefore, traffic for the domain is intercepted and tunneled by the Secure Private Access service.
      • External: DNS resolution is done via the local DNS server. As a result, the traffic is not intercepted and tunneled by the Secure Private Access service.

        To enable client interception exclusion, you must set the routing type to External.

      You can view the routing type in the Settings > Application Domain page. The Secure Access client logs file displays the list of domains excluded from tunnel establishment.

    • RESOURCE LOCATION: – For Internal routing, you must connect to a resource location with at least one Connector Appliance installed.

      Note:

      -You can modify the routing type based on the user context. For details, see Context-based app routing and resource locations selection.

      • Connector Appliance installation is supported from the App Connectivity section. You can also install it under the Resource Locations section in the Citrix Cloud portal. For more information on creating a Resource Location, see Setup resource locations.

    App connectivity

  7. Click Finish. The app is added to the Applications page. You can edit or delete an app from the Applications page after you have configured the application. To do so, click the ellipsis button on an app and select the actions accordingly.

    • Edit Application
    • Delete

Note:

  • To grant access to the apps for the users, admins are required to create access policies. In access policies, admins add app subscribers and configure security controls. For details, see Create access policies.
  • To configure the authentication methods required for the users, see Setup identity and authentication.

  • To obtain the Workspace URL to be shared with the users, from the Citrix Cloud menu, click Workspace Configuration, and select the Access tab.

Identity access management

Admin Configuration – Citrix Secure Access client-based access to HTTP/HTTPS apps

Note:

To access existing or new HTTP/HTTPS apps using the Citrix Secure Access client, you must install at least one (recommended two for high-availability) Connector Appliance in your resource location. The connector appliance can be installed on-premises, in the data center hypervisor, or in the public cloud. For details of Connector Appliance and its installation, see Connector Appliance for Cloud Services.

Prerequisites

  • Access to Citrix Secure Private Access in Citrix Cloud.

Points to note

  • Internal web apps enforced with enhanced security controls cannot be accessed through the Citrix Secure Access client.
  • If you try to access an HTTP(S) application which has enhanced security controls enabled, then the following pop-up message is displayed. Additional security controls are enabled for <”app name”(FQDN) > app. Please access it from Citrix Workspace.

    Error message

  • If you want to enable SSO experience, access the web apps using Citrix Workspace app or web portal.

The steps to configure HTTP(S) apps remain the same as existing functionality explained under Support for Enterprise web apps.

Adaptive access to TCP/UDP and HTTP(S) apps

Adaptive access provides the ability for admins to govern access to business-critical apps based on multiple contextual factors like device posture check, user geo-location, user role, and the Citrix Analytics service provided risk score.

Note:

  • You can deny access to TCP/UDP applications, admins create policies based on the users, user groups, the devices from which the users access the applications, and the location (country) from where an application is accessed. Access to applications is allowed by default.

  • The user subscription made for an app is applicable for all the TCP/UDP app destinations configured for the ZTNA application.

To create an adaptive access policy

Admins can use the admin-guided workflow wizard to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP/UDP apps in the Secure Private Access service.

Note:

Login and logout script configuration registries

The Citrix Secure Access client accesses the login and logout script configuration from the following registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service.

Registry: HKEY_LOCAL_MACHINE>SOFTWARE>Citrix>Secure Access Client

  • Login script path: SecureAccessLogInScript type REG_SZ
  • Logout script path: SecureAccessLogOutScript type REG_SZ

Troubleshoot application domains IP address conflict

Destinations added while creating an app are added to a main routing table. The routing table is the source of truth for making the routing decision to direct connection establishment and traffic to the correct resource location.

  • The destination IP address must be unique across resource locations.
  • Citrix recommends that you avoid overlap of the IP addresses or domains in the routing table. In case you encounter an overlap, you must resolve it.

Following are the types of conflict scenarios. Complete Overlap is the only error scenario that restricts admin configuration until the conflict is resolved.

Conflict Scenarios Existing application domain entry New entry from app addition Behavior
Subset Overlap 10.10.10.0-10.10.10.255 RL1 10.10.10.50-10.10.10.60 RL1 Allow; Warning info - Subset overlap of IP domain with existing entries
Subset Overlap 10.10.10.0-10.10.10.255 RL1 10.10.10.50-10.10.10.60 RL2 Allow; Warning info - Subset overlap of IP domain with existing entrieS
Partial Overlap 10.10.10.0-10.10.10.100 RL1 10.10.10.50-10.10.10.200 RL1 Allow; Warning info - Partial overlap of IP domain with existing entries
Partial Overlap 10.10.10.0-10.10.10.100 RL1 10.10.10.50-10.10.10.200 RL2 Allow; Warning info - Partial overlap of IP domain with existing entries
Complete Overlap 10.10.10.0/24 RL1 10.10.10.0-10.10.10.255 RL1 Error; <Completely overlapping IP domain's value> IP domain completely overlaps with existing entries.Change the existing routing IP Entry or configure a different destination
Complete Overlap 10.10.10.0/24 RL1 10.10.10.0-10.10.10.255 RL2 Error; <Completely overlapping IP domain's value> IP domain completely overlaps with existing entries. Change the existing routing IP Entry or configure a different destination
Exact Match 20.20.20.0/29 RL1 20.20.20.0/29 Allow; Domains already exist in the domain routing table. Changes made updates the domain routing table

Note:

  • If the destinations added results in a complete overlap, an error is displayed while configuring the app in the App Details section. The admin must resolve this error by modifying the destinations in the App Connectivity section.

    If there are no errors in the App Details section, the admin can proceed to save the app details. However, in the App Connectivity section, if the destinations have a subset and partial overlap with each other or existing entries in the main routing table, a warning message is displayed. In this case, the admin can choose to either resolve the error or continue with the configuration.

  • Citrix recommends keeping a clean Application Domain table. It is easier to configure new routing entries if the IP address domains are broken into appropriate chunks without overlaps.

Points to note

  • Access to an existing web app for which enhanced security is enabled is denied via the Secure Access client. An error message suggesting to log in using Citrix Workspace app is displayed.
  • Policy configurations for web app based on user risk score, device posture check and so on via Citrix Workspace app are applicable while accessing the app via the Secure Access client.
  • The policy bound to an application is applicable for all the destinations in the application.