Seamless access to local LAN resources (printers, file servers)
When employees are connected through Secure Private Access from their home or remote locations using Citrix Secure Access clients, they might lose the ability to access local network resources if the private IP address range conflicts with published corporate apps. Secure Private Access supports seamless access to local LAN resources while maintaining a secure connection to corporate resources.
For example, if a home printer is configured with IP address 192.0.2.0 and corporate applications are configured with the private IP address 192.0.2.0/30 range, then when a user tries to access the printer, the printer traffic is tunneled through SPA as well which results in an error. By enabling local LAN access, the user can access printers through local LAN without disconnecting the Citrix Secure Access client.
Note:
- Admins can enable the local LAN access feature in session policies for all users or a set of users. For details, see Configure direct routing within the corporate network using session policies.
- If users enable the local LAN access feature when logging in to the Citrix Secure Access client, they can access local LAN resources like home printers, network-attached storage (NAS) devices while connected to Secure Private Access. This helps the user perform basic local tasks with minimal disruption.
Important considerations
-
Enabling local LAN access for all users: Session policies are evaluated in the order of priority. If local LAN access is required for all users, then the Local LAN Access option must be explicitly enabled within each active session policy. When a user matches a session policy, evaluation stops at the first applicable policy. If that policy does not allow Local LAN access, then the user is not evaluated against other subsequent policies, even if those policies have the Local LAN Access option enabled.
-
Differences in handling printer traffic by the Citrix Secure Access client for Windows and macOS: Citrix Secure Access for Windows prioritizes local LAN access. That is, if a printer’s IP address conflicts with that of a corporate application, the Citrix Secure Access client for Windows might send the application traffic locally instead of sending it through Secure Private Access. In contrast, the Citrix Secure Access client for macOS can send the printer traffic to the local LAN while simultaneously tunneling application traffic over Secure Private Access.
-
Periodic update: Because the local LAN access feature is session-specific, any configuration changes to the local LAN setting on the Windows filter (WFP) takes effect upon login and is maintained until logout. Periodic update is not supported.
Enable the local LAN access feature
Secure Private Access admin console:
- Navigate to Policies > Session Policies and click Create Session Policy.
- Create a session policy. For details, see Configure direct routing within the corporate network using session policies.
- Ensure that you select the Local LAN access option.
Citrix Secure Access client:
- In the Citrix Secure Access client window, select Allow Local LAN Access.
- Click Connect.
