Citrix Secure Private Access

Context-based app routing and resource locations selection

September 20, 2024

Contributed by:

When an app is configured, the app URL is assigned to one routing type and for each URL routed internally, a resource location is selected. Admins do not have an option to edit the domain routing type or the resource location once an application is published. There might be scenarios where for a set of users;

An internal app URL must be routed externally to prevent traffic from being routed to the Secure Private Access service.
There is a need to change the resource locations to route requests to the optimal data center to improve performance.

The dynamic domain routing configuration (Routing exceptions) in the access policy allows admins to edit the internal routing type per URL based on the user context. Administrators can modify the resource locations so that the user requests are routed to the optimal data center, ensuring that user requests are handled efficiently and performance is optimized.

The following examples demonstrate the dynamic domain routing configuration use cases.

Use case: Context-based routing

Scenario:

Group A Users: Employees of company ABC who access the Outlook app and Microsoft Teams app via Secure Private Access which is routed internally.
Group B Users: Employees of a third-party company working with ABC. They access certain applications (excluding Outlook) via Secure Private Access. They also have their own Outlook application accessed over the internet and do not want to route their Outlook traffic via Secure Private Access.

Problem:

Group B users log in to the Secure Access Agent to access ABC apps.
Their requests to access Outlook via their native browser are routed through Secure Private Access, resulting in access denial.
The destination domain for the Outlook application is the same for both Group A and Group B users.
The access policy allows access only for Group A users, causing access denial for Group B users when they try to launch Microsoft Teams or Outlook.
Group B users cannot access their company Outlook because of this routing issue.

Solution:

The ABC company admin can make the following configuration changes to resolve this issue:

Define a new access policy specifically for Group B users accessing the Office 365 app.
In the access policy, enable the dynamic domain routing configuration (Routing exceptions).

The admin can view the list of all URLs and related domains of all internal apps associated with the access policy.
For all Office365 app URLs, configure the routing to happen externally.

This ensures that Group B users’ requests to access their Outlook application are routed over the internet, bypassing Secure Private Access.

By implementing these changes, Group B users can access their company Outlook application over the internet without being routed through Secure Private Access, while still maintaining access to other ABC applications as needed.

Use Case: User context-based resource location selection

Scenarios:

Company XYZ: It has two sets of users located in the US East Coast and the US West Coast.
Data centers: Two data centers, one on the East Coast and one on the West Coast, both hosting the same Jira application.
Objective: The admin wants to route the access requests of end users to the selected resource locations based on user context (geo location, network location, user name, and user group) to ensure optimal performance and routing.

Solution:

Edit the access policy associated with the Jira application to accommodate the new routing requirements.
Within the access policy, enable the dynamic domain routing configuration (Routing exceptions).
Modify the resource locations per user context.

The admin can ensure that user requests are routed to the optimal data center based on their context, thereby improving performance and managing routing effectively for all users in the company.

Steps to change the routing type or resource location

Create or edit an access policy. For details, see Create access policies.
In Step 3: Action page, enable the contextual routing domain configuration by sliding the Routing exceptions toggle switch.

The Routing exceptions toggle allows you to edit the resource locations and routing information for domains configured within the application.
- When the toggle is ON: A list of all the apps’ URLs and related domains that are routed internally is displayed in a tabular format. You can click the edit icon next to a domain to modify its resource location and routing type. This routing exception is applicable to all users in the access policy only.
- When the toggle is OFF: Existing routing exceptions for the domains are removed and are not applicable. End users are routed based on the global configuration set during the application setup only. This routing exception is applicable to all users in the access policy only.
Note:

The FQDN/ID column in the table only lists the FQDNs and host names and not the IP addresses of the applications.
Click the edit icon next to the domain for which you want to modify the routing type.
In Edit domain details, select the routing type:
- Internal: The traffic flows via the Connector Appliance.
  - For a web app, the traffic flows within the data center.
  - For a SaaS app, the traffic is routed outside the network through the Connector Appliance.
- Internal – Bypass Proxy: The domain traffic is routed through Citrix Cloud Connector appliances, bypassing the customer’s web proxy configured on the Connector Appliance.
- External: The traffic flows directly to the internet.
Modify the resource location, if necessary. This option is applicable only for the internally routed domains.
Click Save.

Note:

You can only change the routing and resource location, but cannot add or delete routing domain in the routing table.

If you delete a domain that has contextual routing enabled from the main routing table, the domain is not deleted from the Routing exceptions table within the access policy. This means that the contextual routing configuration for that domain remains intact in the access policy.

If you delete an app that has contextual routing enabled, then the domain is deleted from the Routing exceptions table within the access policy. This means that all contextual routing configurations associated with that app are removed from the access policy.

The selected related domain overwrites the default setting when the condition meets for the users that are part of this access policy. Otherwise the default routing is applied.

If the routing is not modified or if the Routing exceptions feature is not enabled, the routing happens based on the default settings in the main routing table (Settings > Application domain).

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Context-based app routing and resource locations selection

September 20, 2024

Contributed by:

September 20, 2024

Contributed by:

Context-based app routing and resource locations selection

Use case: Context-based routing

Use Case: User context-based resource location selection

Steps to change the routing type or resource location

In this article