Secure Private Access onboarding and setup
A streamlined admin experience with a step-by-step process to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP apps is available in the Secure Private Access service. It covers the configuration of Adaptive Authentication, applications (including user subscription), adaptive access policies, and other settings within a single admin console.
The wizard helps admins achieve an error-free configuration, both during onboarding and in recurrent use. A dashboard is also available with full visibility into the overall usage metrics and other key information.
The high-level steps include the following:
- Choose the authentication method for the subscribers to log in to Citrix Workspace.
- Add applications for your users.
- Assign permissions for app access by creating the required access policies.
- Review the app configuration.
Access the Secure Private Access admin-guided workflow wizard
Perform the following steps to access the wizard.
- On the Secure Private Access service tile, click Manage.
- In the Overview page, click Continue.
Step 1: Set up identity and authentication
Select the authentication method for the subscribers to log in to Citrix Workspace. Adaptive Authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. The Adaptive Authentication service is a Citrix-hosted, Citrix-managed, cloud-hosted Citrix ADC that provides advanced authentication capabilities such as the following:
- Multifactor authentication
- Device posture scans
- Conditional authentication
- Adaptive access to Citrix Virtual Apps and Desktops
- To configure Adaptive Authentication, select Configure and use Adaptive Auth (Technical Preview) and then complete the configuration. For details on Adaptive Authentication, see Adaptive Authentication service. After you configure Adaptive Authentication, click Manage to modify the configuration if necessary.
- If you initially selected a different authentication method and want to switch to Adaptive Authentication, click Select and configure and then complete the configuration.
To change the existing authentication method, click Workspace Authentication.
Step 2: Add and manage applications
After you have selected the authentication method, configure the applications. For first-time users, the Applications landing page does not display any applications. You can add SaaS apps, Web apps, and TCP/UDP apps from this page. To add an app, click Add an app.
Once you add an app, it is listed on this page.
Complete the steps shown in the following figure to add an app.
- Add an Enterprise Web app
- Add a SaaS app
- Configure client-server apps
- Launch an app
- Enable read-only access to admins
Step 3: Configure an access policy with multiple rules
You can create multiple access rules and configure different access conditions for different users or user groups within a single policy. These rules can be applied separately to HTTP/HTTPS and to TCP/UDP applications, all within a single policy.
Access policies within Secure Private Access allow you to enable or disable access to the apps based on the context of the user or user’s device. In addition, you can enable restricted access to the apps by adding the following security restrictions:
- Restrict clipboard access
- Restrict printing
- Restrict downloads
- Restrict uploads
- Display watermark
- Restrict key logging
- Restrict screen capture
For more information on these restrictions, see Available access restrictions.
- On the navigation pane, click Access Policies and then click Create policy.
For first-time users, the Access Policies landing page does not display any policies. Once you create a policy, it is listed on this page.
- Enter the policy name and a description of the policy.
- In Applications, select the app or set of apps on which this policy must be enforced.
- Click Create Rule to create rules for the policy.
- Enter the rule name and a brief description of the rule, and then click Next.
- Select the Users condition. The Users condition is mandatory: it must be met before the rule grants users access to the applications. Select one of the following:
- Matches any of – Only the users or groups that match any of the names listed in the field and belong to the selected domain are allowed access.
- Does not match any – All users or groups except those listed in the field and belonging to the selected domain are allowed access.
- (Optional) Click + to add multiple conditions based on the context.
When you add context-based conditions, an AND operation is applied to them: the rule matches only if the Users condition and all of the optional contextual conditions are met. You can apply the following context-based conditions.
- Desktop or Mobile device – Select the device for which you want to enable access to the apps.
- Geo location – Select the condition and the geographic location from where the users are accessing the apps.
- Matches any of: Only users or user groups accessing the apps from any of the geographic locations listed are enabled access to the apps.
- Does not match any: All users or user groups other than those from the listed geographic locations are enabled access.
- Network location – Select the condition and the network through which the users are accessing the apps.
- Matches any of: Only users or user groups accessing the apps from any of the network locations listed are enabled access to the apps.
- Does not match any: All users or user groups other than those from the listed network locations are enabled access.
- Device posture check – Select the conditions that the user device must pass to access the application.
- User risk score – Select the risk score categories based on which the users must be provided access to the application.
- Workspace URL – Admins can specify filters based on the fully qualified domain name of the Workspace.
- Matches any of – Allows access only when the incoming user connection matches any of the configured Workspace URLs.
- Matches all of – Allows access only when the incoming user connection matches all of the configured Workspace URLs.
- Click Next.
- Select the actions that must be applied based on the condition evaluation.
- For HTTP/HTTPS apps, you can select the following:
- Allow access
- Allow access with restrictions
- Deny access
Note:
If you select Allow access with restrictions, you must select the restrictions that you want to enforce on the apps. For details on the restrictions, see Available access restrictions. You can also specify whether you want the app to open in a remote browser or in Citrix Secure Browser.
- For TCP/UDP access, you can select the following:
- Allow access
- Deny access
- Click Next. The Summary page displays the policy details.
- Verify the details and click Finish.
Points to remember after a policy is created
- The rules that you created appear under the Policy rules section of the policy and are enabled by default. You can disable rules if required. However, ensure that at least one rule is enabled for the policy to be active.
- A priority order is assigned to each rule by default. A lower priority number means higher precedence: the rule with the lowest priority number is evaluated first. If rule n does not match the conditions defined, the next rule (n+1) is evaluated, and so on.
Example of rule evaluation by priority order:
Consider that you have created two rules, Rule 1 and Rule 2. If Rule 1 is assigned to user A and Rule 2 is assigned to user B, both rules are evaluated, each for its own user. If both Rule 1 and Rule 2 are assigned to user A, Rule 1 has the higher priority: if the condition in Rule 1 is met, Rule 1 is applied and Rule 2 is skipped. Otherwise, if the condition in Rule 1 is not met, Rule 2 is evaluated and, if it matches, applied to user A.
Note:
If none of the rules match, the app is not enumerated to the user. In other words, the policy fails closed: a user who matches no rule does not see the app at all.
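The rule evaluation described above, as an added example that is not part of the original page or of the Citrix product code: a small Python model in which the Users condition is mandatory, contextual conditions are ANDed with it, rules are tried in ascending priority number, the first matching rule wins, and no match means the app is not enumerated. It also encodes the two validation points from this page (TCP/UDP access offers only Allow and Deny; Allow access with restrictions needs at least one predefined restriction). The class names, operator strings, the layout of the context dictionary, and the sample rules are assumptions made for illustration and do not reflect the service's internal data model.

```python
"""Toy model of Secure Private Access access-policy rule evaluation.
Added example, not Citrix code: it follows the behaviour this page describes
(mandatory Users condition, ANDed context conditions, ascending priority
number, first match wins, no match means the app is not enumerated).
Class names, operator strings and the sample rules are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW = "Allow access"
ALLOW_RESTRICTED = "Allow access with restrictions"
DENY = "Deny access"
# The predefined restrictions listed on this page; admins cannot add others.
AVAILABLE_RESTRICTIONS = frozenset({
    "Restrict clipboard access", "Restrict printing", "Restrict downloads",
    "Restrict uploads", "Display watermark", "Restrict key logging",
    "Restrict screen capture",
})


@dataclass(frozen=True)
class Condition:
    """op is 'matches_any', 'does_not_match_any' or 'matches_all' (Workspace URL)."""
    attribute: str      # "users", "device", "geo", "network", "workspace_url"
    op: str
    values: frozenset

    def evaluate(self, ctx: dict) -> bool:
        actual = ctx.get(self.attribute, set())
        actual = {actual} if isinstance(actual, str) else set(actual)
        if self.op == "matches_any":
            return bool(actual & self.values)
        if self.op == "does_not_match_any":
            return not (actual & self.values)
        if self.op == "matches_all":
            return self.values <= actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Rule:
    name: str
    priority: int                 # lower number is evaluated first
    users: Condition              # the mandatory Users condition
    context: list = field(default_factory=list)   # optional, ANDed together
    action: str = ALLOW
    restrictions: frozenset = frozenset()
    enabled: bool = True

    def matches(self, ctx: dict) -> bool:
        return self.users.evaluate(ctx) and all(c.evaluate(ctx) for c in self.context)


@dataclass(frozen=True)
class Decision:
    enumerated: bool              # False: the app is not shown to the user
    rule: Optional[str] = None
    action: Optional[str] = None
    restrictions: frozenset = frozenset()


def validate_rule(rule: Rule, app_type: str) -> None:
    """Reject combinations the console does not offer (app_type: 'http' or 'tcp_udp')."""
    if rule.users.attribute != "users":
        raise ValueError("the Users condition is mandatory")
    if rule.action == ALLOW_RESTRICTED:
        if app_type == "tcp_udp":
            raise ValueError("TCP/UDP access supports only Allow or Deny")
        if not rule.restrictions:
            raise ValueError("select at least one restriction")
        if not rule.restrictions <= AVAILABLE_RESTRICTIONS:
            raise ValueError("unknown restriction; admins cannot add new ones")


def evaluate_policy(rules: list, ctx: dict) -> Decision:
    """First-match-wins evaluation in priority order. Disabled rules are
    skipped, so a policy whose rules are all disabled enumerates nothing."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule.matches(ctx):
            return Decision(True, rule.name, rule.action, rule.restrictions)
    return Decision(False)


# Constructed sample policy, deliberately listed out of priority order.
SAMPLE_RULES = [
    Rule("Rule 2", 2, Condition("users", "matches_any", frozenset({"userA", "userB"})),
         action=ALLOW_RESTRICTED,
         restrictions=frozenset({"Restrict downloads", "Display watermark"})),
    Rule("Rule 1", 1, Condition("users", "matches_any", frozenset({"userA"})),
         context=[Condition("geo", "matches_any", frozenset({"US"})),
                  Condition("device", "matches_any", frozenset({"desktop"}))]),
    Rule("Rule 3", 3, Condition("users", "does_not_match_any", frozenset({"contractors"})),
         context=[Condition("network", "matches_any", frozenset({"corp-vpn"}))],
         action=DENY),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        validate_rule(r, "http")
    # userA on a US desktop hits Rule 1; from India on mobile Rule 1 fails and Rule 2 applies
    print(evaluate_policy(SAMPLE_RULES, {"users": {"userA"}, "geo": "US", "device": "desktop"}))
    print(evaluate_policy(SAMPLE_RULES, {"users": {"userA"}, "geo": "IN", "device": "mobile"}))
    # userC off the corporate VPN matches no rule, so the app is not enumerated
    print(evaluate_policy(SAMPLE_RULES, {"users": {"userC"}, "network": "home"}))
```

Two things worth noticing when you reason about a real policy this way. First, priority order is the whole story: a broad Allow or Allow-with-restrictions rule with a low priority number shadows any narrower Deny rule behind it, so place the most specific rules (and any deny rules) first. Second, the fail-closed default is what protects you when a rule is accidentally deleted or disabled: the affected users simply stop seeing the app, rather than gaining unrestricted access.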
Available access restrictions options
When you select the action Allow access with restrictions, you must select at least one of the security restrictions. These security restrictions are predefined in the system; admins cannot modify them or add other combinations. For the list of restrictions that can be enabled for an application, see Available access restrictions options.
Step 4: Review summary of each configuration
From the Review page, you can view the complete app configuration and then click Close.
The following figure displays the page after you have completed the 4-step configuration.
Important:
- After you have completed the configuration using the wizard, you can modify the configuration of a section by going directly to that section. You do not have to follow the sequence.
- If you delete all the configured apps or policies, you must add them again. The following screen appears if you have deleted all the policies.