Configure Citrix Secure Private Access

  1. You must have a Citrix Cloud account. For detailed instructions on how to proceed, see Sign up for Citrix Cloud.

  2. You must have the Citrix Secure Private Access service entitlement. On the Citrix Cloud screen, in the Available Sevices section, click Request Trial.

    Request trial

    After you receive the service entitlement, the tile is available in My Services. Click Manage to access the service UI.

    Manage

  3. For your end users to use the workspace and access the apps, they must download and use the Citrix Workspace app or use the workspace URL. You must have a few SaaS apps published to your workspace to test the Citrix Secure Private Access solution. The Workspace app can be downloaded from https://www.citrix.com/downloads. In Find Downloads list, select Citrix Workspace app.

  4. If you have an outbound firewall configured, ensure that access to the following domains is allowed.

  • *.cloud.com
  • *.nssvc.net
  • *.netscalergateway.net

More details are available at Cloud Connector Proxy and Firewall Configuration and Internet Connectivity Requirements.

Limitation: You can add only one Workspace account.

Admin settings

The following diagram shows the high-level steps to get started with Citrix Secure Private Access service.

High-level-workflow

  1. Set up end user authentication. You must first configure the user’s workspace with the organization’s preferred identity provider, which can be Citrix identity (a unique identity with Citrix Cloud), Active Directory, Active Directory and token, or Azure Active Directory. For information about the different authentication methods and how to select them, see Workspace configuration and Identity and access management.

  2. Configure end user access to SaaS and virtual apps. For detailed steps to configure and publish SaaS apps, see Support for Software as a Service Apps.

  3. Configure web filtering for internet access from SaaS apps. If you have added a SaaS app from the Citrix Gateway service, to return to the Citrix Secure Private Access service, click the hamburger icon on the top left of the navigation pane. In My Services list, select Access Control. Click Configure content access settings.

Configure web filtering for internet access from SaaS apps

You are now ready to configure content access settings for your end users accessing the SaaS apps. For example, a link within a SaaS app can point to a malicious website. With content access settings, an administrator can take a specific website URL or a website category and allow access, block access, or redirect the request to a hosted, secure browser instance, helping to prevent browser-based attacks. For more information about the Remote Browser Isolation service, see Secure Browser Standard Service documentation at Secure Browser Standard Service.

Note:

A paid Secured Browser Standard Service customer (organization) gets 5,000 hours of use per year by default. For more hours, they need to buy secure browser add-on packs. You can track the usage of the Remote Browser Isolation service. For more information, see Monitor usage.

The following illustration explains the end user traffic flow.

End user traffic flow

When a request arrives, the following checks are performed, and corresponding actions are taken:

  1. Does the request match the global allow list?

    1. If it matches, the user can access the requested website.

    2. If it does not match, website lists are checked.

  2. Does the request match the configured website list?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, website categories are checked.

  3. Does the request match the configured website category?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, the default action (ALLOW) is applied. The default action cannot be changed.

Perform the following steps to configure enhanced security settings.

  1. Click Configure Content Access.

    Configure content access

  2. Configure website category filtering or website lists or both.

Configure website category filtering

Website categorization restricts user access to specific website categories. Administrators can select from a preset list or customize the categories depending on the deployment. The preset list enables organizations to filter web traffic by using a commercial categorization database. The auto-updating database classifies billions of websites into different categories, such as social networking, gambling, adult content, new media, and shopping. In addition to categorization, each website has a reputation score kept up-to-date based on the site’s historical risk profile. Presets are classified as strict, moderate, lenient, none, and custom. Administrators can tweak presets to add or remove website categories.

  • Strict preset minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with low risk. Includes most business travel and social media websites.
  • Moderate preset minimizes the risk while allowing more categories with low probability of exposure from unsecure or malicious sites. Includes most business travel, leisure, and social media websites.
  • Lenient preset maximizes access while still controlling risk from illegal and malicious websites.
  • None preset allows all categories.
  • Custom allows configuring custom filtering of categories.

Perform the following steps to configure website category filtering.

  1. Enable Filter website categories.

    Enable filter website categories

  2. Click Add in the respective section to block website categories, allow website categories, or redirect the user to a secure browser. For example, to block categories, in the blocked categories section, click Add.

    Add website category

  3. Select the categories to block from the list and click Add.

    Add category to block

  4. To allow categories, in the allowed categories section, click Add. Select the categories to allow from the list and click Add.

    Add category to allow

  5. To redirect users to a secure browser, in the redirected to secure browser categories section, click Add. Select the categories from the list and click Add.

    Add category to redirect to a secure browser

  6. Click Save.

    Save website category settings

Configure website lists filtering

The website list feature enables you to control access to specific websites. You can use wildcards, such as *.example.com/*, to control access to all the domains in that website and all the pages within that domain. Perform the following steps to configure website lists filtering.

  1. Enable Filter website list. Click Add in the respective section to block websites, allow websites, or redirect the user to a secure browser. For example, to block websites, in the blocked categories section, click Add.

    Enable filter website

  2. Enter a website that users cannot access and click Add.

    Add website to block

  3. To allow websites, in the allowed websites section, click Add. Enter the website that users can access and click Add.

    Add website to allow

  4. To redirect users to a secure browser, in the redirected to secure browser websites section, click Add. Enter a website that end users can access only from a Citrix hosted browser and click Add.

    Add website to redirect to a secure browser

  5. Click Save for the changes to take effect.

    Add website filter settings

Configure Citrix Secure Private Access