Citrix Secure Private Access

Applications import tool - Preview

The Secure Private Access admin console includes a file import tool that allows administrators to bulk import multiple applications into the system using a CSV file or the nsconfig file. This tool is especially useful for organizations shifting from a traditional VPN to a more advanced solution like Secure Private Access. For example, organizations can use this tool to migrate applications that were delivered over a VPN to Secure Private Access and shift to a ZTNA-based architecture. Bulk upload of apps enables the organizations to eliminate the need for manual configuration.

  • CSV file: You must ensure that all relevant application details are included within the CSV. These details include the application name, routing type, resource location, and any other necessary configuration parameters.
  • nsconfig file: The nsconfig file can be directly imported into the Secure Private Access admin console. This import automatically generates applications associated with the different virtual server types and the VPN URL. The following commands are used for creating the applications.

    • VPN intranet application - add vpn intranetApplication
    • Load balancing virtual server - add lb vserver
    • Content switching virtual server - add cs vserver
    • VPN URL - add vpn url

      All other commands in the nsconfig file are ignored.

      The following information is extracted from the commands for creating the applications.

      • Application name
      • URL/destinations
      • Related domains
      • Port
      • Protocol

How the import works

Here are the high-level steps that an admin must perform when using the CSV-based applications import tool:

  1. Prepare the CSV file/validate the nsconfig file:
    • If using the CSV file - Populate the application details in the CSV file.
    • If using the nsconfig file - Ensure that the nsconfig file is valid.
  2. Import the CSV file: Import the completed CSV file into the Secure Private Access console.
  3. Review the app details: Review and validate the imported application data.
  4. Update the routing and resource location: Review and update the routing type and resource location details, if required. Ensure that at least one connector is up in the specified resource location.
  5. View the applications in the Applications page: View the imported applications in the Applications page. Check if all the applications that you selected for import are imported successfully.

This structured process ensures a thorough migration and proper configuration of applications for secure and seamless access within the Secure Private Access environment.

Mapping of command parameters in nsconfig file to application details

The following sections provide information about the mapping of command parameters in the nsconfig file to application details and also some points to note related to the commands.

VPN intranet applications

Example command:

add vpn intranetApplication IT_test.com ANY "*.test.com" -destPort 1-65535 -interception TRANSPARENT

Extracted application:

The following table captures the application details extracted from the command.

| Details required for application creation | Mapping of command parameters to application details | Description |
|---|---|---|
| Application name | IT_test.com | Name of the intranet application. |
| URL/destinations | "*.test.com" | Destination IP address, IP range, or host name of the intranet. |
| Related domains | Not applicable | Not applicable |
| Port | 1–65535 | Destination port number for the intranet application. |
| Protocol | ANY | The protocol used by the intranet application. It can be TCP, UDP, or ANY. |

Note:

  • If the protocol is ANY, the import process creates two separate applications, one with the protocol set to TCP and another with the protocol set to UDP.
  • If the VPN application command explicitly states the protocol as either TCP or UDP, only one application is created using the specified protocol.

Load balancing virtual server applications

Example command:

add lb vserver vs-STOREFRONT SSL 192.0.2.143 443 -persistenceType SOURCEIP -timeout 480 -state DISABLED -cltTimeout 180

Extracted application:

The following table captures the application details extracted from the command.

| Details required for application creation | Mapping of command parameters to application details | Description |
|---|---|---|
| Application name | vs-STOREFRONT | Name of the load balancing virtual server. |
| URL/destinations | https://192.0.2.143 | IPv4 or IPv6 address to assign to the virtual server. |
| Related domains | 192.0.2.143 | IP address |
| Port | 443 | The port number for the virtual server. |
| Protocol | HTTPS | The protocol used by the virtual server. The protocol in the example is SSL and port 443, which is used for HTTPS. |

Note:

  • Redirect URL: If the add lb vserver command includes either the ‘-httpsRedirectUrl’ or ‘-redirectUrl’ argument, the application’s URL is set to the specified redirect URL instead of the load balancing virtual server’s IP address.

    For example, consider the command add lb vserver "vs - secured.test.net - REDIRECT" HTTP 192.0.2.51 80 -persistenceType NONE -redirectURL <"https://secured.test.net"> -cltTimeout 180

    After the migration, the URL becomes https://secured.test.net instead of https://192.0.2.51

  • Non-existent virtual server with redirect URL: If the load balancing virtual server IP address is 0.0.0.0 and the ‘add’ command includes a redirect URL argument, the application is created using that redirect URL.

    For example, consider the command add lb vserver "vs - secured.test.net - REDIRECT" HTTP 0.0.0.0 -persistenceType NONE -redirectURL <"https://secured.test.net"> -cltTimeout 180

    After the migration, the URL becomes https://secured.test.net.
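
The notes for VPN intranet applications and load balancing virtual servers can be checked against your own nsconfig before upload. The following Python sketch is an added example, not Citrix code: `preview`, `flag_value`, and the `broad` review flag are hypothetical names, and only the SSL and HTTP service types shown on this page are handled.

```python
import shlex

LB_SCHEME = {"SSL": "https", "HTTP": "http"}  # only the service types shown on this page

SAMPLE = '''add vpn intranetApplication IT_test.com ANY "*.test.com" -destPort 1-65535 -interception TRANSPARENT
add lb vserver vs-STOREFRONT SSL 192.0.2.143 443 -persistenceType SOURCEIP -timeout 480 -state DISABLED -cltTimeout 180
add lb vserver "vs - secured.test.net - REDIRECT" HTTP 0.0.0.0 -persistenceType NONE -redirectURL <"https://secured.test.net"> -cltTimeout 180
set ns hostName demo-adc
'''  # commands from this page plus one constructed line that must be ignored

def flag_value(tokens, *names):
    """Value after the first matching -flag (case-insensitive), or None."""
    wanted = {n.lower() for n in names}
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in wanted:
            return tokens[i + 1].strip("<>")
    return None

def preview(nsconfig_text):
    """Applications the documented rules derive from nsconfig text."""
    apps = []
    for line in nsconfig_text.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "vpn", "intranetApplication"]:
            name, proto, dest = t[3:6]
            port = flag_value(t, "-destPort")
            # ANY yields two applications, one TCP and one UDP
            for p in (("TCP", "UDP") if proto.upper() == "ANY" else (proto.upper(),)):
                apps.append({"name": name, "dest": dest, "port": port, "protocol": p,
                             # review heuristic (assumption, not an import rule)
                             "broad": dest.startswith("*") and port == "1-65535"})
        elif t[:3] == ["add", "lb", "vserver"] and t[4].upper() in LB_SCHEME:
            name, svc, ip = t[3:6]
            port = t[6] if len(t) > 6 and t[6].isdigit() else None
            scheme = LB_SCHEME[svc.upper()]
            # a redirect URL replaces the virtual server IP as the application URL
            url = flag_value(t, "-redirectURL", "-httpsRedirectUrl") or f"{scheme}://{ip}"
            # port and protocol are reported as written in the command
            apps.append({"name": name, "dest": url, "port": port,
                         "protocol": scheme.upper(), "broad": False})
    return apps
```

Entries with `broad` set carry a wildcard destination over the full port range, so they are the ones to narrow during the Review Applications step.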

Content switching virtual server applications

Example commands:

  • add cs vserver Test-CS-HTTPS SSL 192.0.2.150 443 -cltTimeout 180 -persistenceType NONE
  • add cs policy Test-Lab-Policy -rule "HTTP.REQ.HOSTNAME.eq(\"test.co.il\") || HTTP.REQ.HOSTNAME.eq(\"test\")" -action Test-Lab-Action
  • bind cs vserver Test-CS-HTTPS -policyName Test-Lab-Policy -priority 100

Extracted application:

The following table captures the application details extracted from the command.

| Details required for application creation | Mapping of command parameters to application details | Description |
|---|---|---|
| Application name | Test-CS-HTTPS | Name of the content switching virtual server. |
| URL/destinations | https://test.co.il | First occurrence of HTTP.REQ.HOSTNAME.eq in the rule. |
| Related domains | *.test.co.il, *.test | All occurrences of HTTP.REQ.HOSTNAME.eq in the rule. |
| Port | 443 | The port number in the add cs vserver command. |
| Protocol | HTTPS | The protocol in the add cs vserver command. |

Note:

  • No content switching policy: If the content switching virtual server does not have a content switching policy associated with it, then the import does not create the application.
  • Content switching virtual server app creation: All content switching policies that contain an HTTP.REQ.HOSTNAME rule and are bound to a single content switching virtual server form one application.
  • Rules priority and related domains: If both .EQ/.eq/.EQUALS_ANY and .CONTAINS/.CONTAINS_ANY rules are present, the .EQ/.eq/.EQUALS_ANY rule takes precedence. The application is created with the .EQ/.eq/.EQUALS_ANY URL, and the .CONTAINS/.CONTAINS_ANY URLs are added as related domains.
  • Multiple .EQ/.eq/.EQUALS_ANY rules: If multiple .EQ/.eq/.EQUALS_ANY rules are present, the application is created using the first parsed .EQ/.eq/.EQUALS_ANY URL. All other URLs are added as related domains.
  • Only .CONTAINS/.CONTAINS_ANY rules: If the command includes only .CONTAINS/.CONTAINS_ANY rules, the application is created with the first occurrence of the rule.
  • Port and protocol: The port and protocol are extracted from the add cs vserver command.
  • Bind command: The relationship between the add cs policy and add cs vserver commands is determined by the bind cs vserver command.
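
The policy-to-virtual-server join and the rule precedence described in these notes, as an added Python sketch (not Citrix code). The function name `cs_apps` is hypothetical, the `_ANY` operator variants are left out, and the wildcard form used for .CONTAINS hosts is an assumption.

```python
import re
import shlex

# .EQ and .CONTAINS only (case-insensitive); the _ANY variants are not handled here
HOST_RULE = re.compile(r'HTTP\.REQ\.HOSTNAME\.(EQ|CONTAINS)\("([^"]+)"\)', re.I)

SAMPLE = r'''add cs vserver Test-CS-HTTPS SSL 192.0.2.150 443 -cltTimeout 180 -persistenceType NONE
add cs policy Test-Lab-Policy -rule "HTTP.REQ.HOSTNAME.eq(\"test.co.il\") || HTTP.REQ.HOSTNAME.eq(\"test\")" -action Test-Lab-Action
bind cs vserver Test-CS-HTTPS -policyName Test-Lab-Policy -priority 100
add cs vserver Unbound-CS SSL 192.0.2.151 443
'''  # first three lines are this page's example; the last line is constructed

def cs_apps(text):
    """One application per content switching vserver that has a bound HOSTNAME policy."""
    vservers, policies, binds = {}, {}, {}
    for line in text.splitlines():
        t = shlex.split(line)  # also unescapes the \" inside the -rule argument
        if t[:3] == ["add", "cs", "vserver"]:
            vservers[t[3]] = (t[4].upper(), t[6])  # service type, port
        elif t[:3] == ["add", "cs", "policy"] and "-rule" in t:
            policies[t[3]] = HOST_RULE.findall(t[t.index("-rule") + 1])
        elif t[:3] == ["bind", "cs", "vserver"] and "-policyName" in t:
            binds.setdefault(t[3], []).append(t[t.index("-policyName") + 1])
    apps = []
    for name, (svc, port) in vservers.items():
        hits = [h for pol in binds.get(name, []) for h in policies.get(pol, [])]
        exact = [host for op, host in hits if op.upper() == "EQ"]
        fuzzy = [host for op, host in hits if op.upper() == "CONTAINS"]
        if not (exact or fuzzy):
            continue  # no bound HOSTNAME policy: the import creates no application
        scheme = "https" if svc == "SSL" else "http"
        # .EQ hosts win over .CONTAINS hosts; the first one becomes the URL
        apps.append({"name": name, "url": f"{scheme}://{(exact or fuzzy)[0]}",
                     "related": [f"*.{h}" for h in exact + fuzzy],
                     "port": port, "protocol": scheme.upper()})
    return apps
```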

VPN URL applications

Example command:

add vpn url XenApp XenApp "https://test.eportal.com/Citrix/Eportal-CitrixWeb/" -clientlessAccess ON -applicationtype CVPN

Extracted application:

The following table captures the application details extracted from the command.

| Details required for application creation | Mapping of command parameters to application details | Description |
|---|---|---|
| Application name | XenApp | Name of the bookmark link. |
| URL/destinations | https://test.eportal.com/Citrix/Eportal-CitrixWeb/ | Web address for the bookmark link. |
| Related domains | *.test.eportal.com | Extracted from the bookmark link. |
| Port | 443 | Default port for the protocol mentioned in the web address. |
| Protocol | HTTPS | Protocol mentioned in the web address. |

Preparing the CSV file

Download the CSV file from the Secure Private Access console and add the application details.

  1. Navigate to Applications > App Configuration.
  2. Click Import Applications.
  3. In Learn how to import using:, click the CSV icon.

    The Import using CSV page appears.

  4. Download the CSV file (CSV template) and populate the app details. The page also displays sample information on the app data that must be entered.

    Click Download examples to view a sample CSV file with the data.

Note the following points when preparing the CSV file:

  • The App Location must be one of the following values:

    • Inside Corporate Network
    • Outside Corporate Network
  • The App Type can be one of the following values:

    • SaaS
    • HTTP/HTTPS
    • TCP/UDP
  • The Routing Type must be one of the following values based on the app type.

    • Internal – Bypass Proxy - The domain traffic is routed through Citrix Cloud Connector, bypassing the customer’s web proxy configured on the Connector Appliance.
    • Internal via Connector - The apps can be external but the traffic must flow through the Connector Appliance to the outside network.
    • External – The traffic flows directly to the internet.
  • Mandatory fields:

    • SaaS and HTTP/HTTPS - App Name, App Location, App Type, URL, Related Domains, Routing Type, and Resource Location.
    • TCP/UDP - App Name, App Location, App Type, Destination/Port/Protocol, Routing Type, and Resource Location.
    • The destination, port, and protocol must be formatted as:
      • Destination:Port:Protocol. Example: 192.0.2.254:5050:PROTOCOL_TCP.
      • If there are multiple destinations, ports, and protocols, separate them with commas.

        Example: 192.0.2.254:5050:PROTOCOL_TCP,2.2.2.2:1-65535:PROTOCOL_UDP.

      • The destination can be an IP address, IP address range, CIDR, host name, domain, or FQDN.
      • The port can be a single port (example 5050) or a port range (example 1–65335).
      • The protocol must be specified in the format PROTOCOL_TCP or PROTOCOL_UDP.
  • Optional fields: Description, Category.

Important:

  • The column names are case sensitive and must not be modified/edited.
  • The columns must not be interchanged or deleted.
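
A pre-upload check for the rules listed above, as an added Python example (not part of the Citrix tooling). The header spellings in `SAMPLE`, `COMMON`, `WEB_ONLY`, and `TCP_ONLY` are assumptions; take the real ones from the downloaded CSV template. The function names are hypothetical.

```python
import csv
import io
import re

PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # ASCII hyphen only; a pasted en dash fails
ALLOWED = {  # values from this page; the header spellings are assumptions
    "App Location": {"Inside Corporate Network", "Outside Corporate Network"},
    "App Type": {"SaaS", "HTTP/HTTPS", "TCP/UDP"},
}
COMMON = ["App Name", "App Location", "App Type", "Routing Type", "Resource Location"]
WEB_ONLY, TCP_ONLY = ["URL", "Related Domains"], ["Destination/Port/Protocol"]

SAMPLE = """App Name,App Location,App Type,URL,Related Domains,Destination/Port/Protocol,Routing Type,Resource Location
db,Inside Corporate Network,TCP/UDP,,,"192.0.2.254:5050:PROTOCOL_TCP,2.2.2.2:1-65535:PROTOCOL_UDP",Internal via Connector,RL1
ssh,Inside Corporate Network,TCP/UDP,,,192.0.2.10:1–65535:TCP,Internal via Connector,RL1
wiki,DMZ,HTTP/HTTPS,https://wiki.test.com,,,Internal via Connector,RL1
"""  # constructed rows: one valid, two with deliberate mistakes

def check_entry(entry):
    """Problems in one Destination:Port:Protocol entry."""
    parts = entry.strip().rsplit(":", 2)  # split from the right: destinations may contain colons
    if len(parts) != 3 or not parts[0]:
        return [f"{entry!r}: expected Destination:Port:Protocol"]
    _, port, proto = parts
    problems = []
    m = PORT_RE.match(port)
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
    if not 1 <= lo <= hi <= 65535:
        problems.append(f"{entry!r}: bad port or range {port!r}")
    if proto not in ("PROTOCOL_TCP", "PROTOCOL_UDP"):
        problems.append(f"{entry!r}: protocol must be PROTOCOL_TCP or PROTOCOL_UDP")
    return problems

def check_csv(text):
    """Return {file line number: [problems]} for rows that break the rules above."""
    report = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        problems = [f"{col}: {row.get(col)!r} is not an allowed value"
                    for col, ok in ALLOWED.items() if row.get(col) not in ok]
        tcp = row.get("App Type") == "TCP/UDP"
        for col in COMMON + (TCP_ONLY if tcp else WEB_ONLY):
            if not (row.get(col) or "").strip():
                problems.append(f"{col}: mandatory field is empty")
        if tcp:
            for entry in (row.get("Destination/Port/Protocol") or "").split(","):
                problems += check_entry(entry)
        if problems:
            report[n] = problems
    return report
```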

Steps to migrate applications using the CSV-based tool

You can import applications while setting up Secure Private Access or after the setup is complete.

  1. On the Secure Private Access service tile, click Manage.
  2. In the Overview page, click Continue.
  3. Set up identity and authentication for the users to log in to Citrix Workspace. For details, see Setup identity and authentication.
  4. In Step2: Applications page, click Import application.

    Alternatively, if your Secure Private Access is already set up, click Import the application from the Applications page (Secure Private Access > Applications).

  5. Upload the CSV file. You can either drag the CSV file here or browse to select it.
  6. Click Next: Review Applications.

    Note:

    • For import using a CSV file, the Next: Review Applications button is enabled only if the file contains no errors.
    • When importing a nsconfig file, the Next: Review Applications button is disabled if the nsconfig file does not contain the commands required for application creation.
    • If you upload the same CSV/nsconfig file with additional applications, only the diff is imported.
  7. Select the applications that you want to import.

    If an application with the same domain or wildcard domain already exists, that application is disabled for import. You cannot select those applications.

  8. Click Next: Review Connectivity.
  9. The Next: Review Connectivity button is enabled only if at least one application is selected.
  10. Review and update the connectivity settings. Make necessary changes to routing type and resource locations, if required.

    Note:

    • If the specified resource location does not exist, the first resource location available in the list of resource locations associated with the customer is selected by default. If the Connector Appliance in the specified resource location is not up, the application creation fails.
  11. Click Next: Import.

    The Summary page displays the imported application details. These applications are also added to the list of applications in the Applications page.

  12. Click Go to Applications to view the imported applications in the Applications page.

Failures to import or create applications when using the CSV file

The following issues can cause import or application creation failures when using the CSV file:

  • Modifications or changes to the column names or their casing.
  • Deletion or swapping of the columns in the CSV file.
  • Missing mandatory application fields in the CSV file.
  • An empty CSV file or a CSV file that contains only column names is imported. For an empty file, an error message appears. If the file contains only column names, the Next button remains disabled.
  • No Connector Appliance is available in the resource location specified in the CSV file.
