Citrix Secure Private Access

Hybrid data path for Secure Private Access service

The hybrid data path for Secure Private Access service leverages both on-premises and cloud infrastructures to provide secure access to applications. Organizations can use the hybrid data path to route all data traffic through an on-premises NetScaler Gateway. This ensures that sensitive data stays within the company’s network. Even though the data traffic is routed through the on-premises NetScaler Gateway, Citrix Cloud can still be used for monitoring and managing the applications and users.

Key advantages of using hybrid data path

The following are some of the key advantages of using the hybrid data path:

  • Extended reach with on-premises gateway:
    • Utilize an on-premises NetScaler Gateway to provide access to on-premises applications in areas where a cloud PoP is distant.
    • Ensure consistent performance by avoiding routing traffic through distant cloud PoPs.
  • Granular security and control:
    • Implement selective routing to direct sensitive applications through secure, on-premises pathways and route less critical applications through the cloud.
    • Enable custom routing for applications to meet data security and compliance requirements based on application data sensitivity.
  • Direct connectivity for enhanced user experience:
    • Establish direct connections between remote users and required applications, bypassing the cloud PoP.

How hybrid data path works

The following figure displays the hybrid data path workflow.

Figure: True hybrid

The following list explains the workflow involved in the hybrid data path:

  1. A user logs in to the Citrix Secure Access client.
  2. After successful authentication, a session is established.
  3. The end user attempts to launch an application.
  4. The access policies associated with the application are evaluated, and the app is launched.

    • If the application is configured to be routed through the Secure Private Access service, the request is sent to the Cloud Connector and then the specific app is launched.
    • If the application is configured to be routed through the on-premises NetScaler Gateway, the request is sent to the on-premises NetScaler Gateway and the specific application is launched.

Supported clients

The hybrid data path is supported by the following Citrix Secure Access clients:

  • Windows - 25.1.1.17 and later
  • macOS - 25.02.1 and later

Supported NetScaler Gateway builds

The hybrid data path is supported from NetScaler Gateway version 14.1 build 43.50.

Set up hybrid data path for Secure Private Access applications

The following high-level steps are involved in setting up the hybrid data path:

  1. Connect to a gateway to establish a connection
  2. Register NetScaler Gateway with Citrix Cloud
  3. Enable routing of data traffic through the on-premises NetScaler Gateway

Connect to a gateway to establish a connection

To establish a connection with the Secure Private Access resources in a specific resource location, you must first connect to a gateway. Citrix Cloud enables you to establish a connection with DaaS and Secure Private Access resources in a specific resource location. The gateway type that you select determines the services you can access. For enhanced flexibility and to optimize resource utilization, you can add both a DaaS gateway and a Secure Private Access gateway within the same resource location.

Figure: Connect to gateway

  • Gateway for DaaS: A Citrix-managed gateway serves as the external access point for virtual applications and desktops hosted within the Citrix DaaS environment. This gateway acts as a secure proxy, mediating and managing the HDX connections between the clients (user devices) and the virtual delivery agents (VDAs) residing in Citrix Cloud.

    You can choose how you want to allow access to virtual apps and desktops based on different business requirements. For details, see Connectivity to resources.

  • Gateway for Secure Private Access: The gateway for Secure Private Access routes all data traffic through an on-premises NetScaler Gateway, so that sensitive data remains within the company’s network perimeter and the organization keeps control over it.

    While the on-premises NetScaler Gateway handles the data traffic, Citrix Cloud can be used for centralized management and monitoring capabilities, allowing administrators to oversee and manage applications and users seamlessly.

Perform the following steps to connect to a gateway:

  1. Sign in to Citrix Cloud.
  2. Select Resource locations > Overview and then click Gateway.
  3. In Choose Gateway type, select Gateway for Secure Private Access.
  4. Register your gateway with Citrix Cloud. For details, see Register your NetScaler Gateway with Citrix Cloud.

Register your NetScaler Gateway with Citrix Cloud

You must first select the gateway for Secure Private Access and then register the on-premises NetScaler Gateway with Citrix Cloud. This registration establishes a secure connection between your on-premises NetScaler Gateway and the Citrix Cloud environment for the Secure Private Access service.

Prerequisites:

Ensure that the following configurations are complete for successful execution of the registration script:

  • A subnet IP (SNIP) must be configured on NetScaler.
  • A DNS name server must be configured, if not already present.
  • An IP address designated for the new VPN virtual server is required.
  • The SSL certificate key name for binding to the new VPN virtual server must be specified. This SSL certificate key name must be added to NetScaler before script execution.

Perform the following steps to register your gateway with Citrix Cloud:

  1. Sign in to Citrix Cloud.
  2. Select Resource locations > Overview and then click Gateway.
  3. In Choose Gateway type, select Gateway for Secure Private Access.

Figure: Register gateway

  1. Enter the FQDN of the gateway to register with Citrix Cloud.
  2. Click Generate metadata. You can also regenerate the metadata by clicking Regenerate metadata.

    • Copy the metadata to the clipboard.
    • Establish a secure shell (SSH) connection to the NetScaler Gateway in the on-premises environment. This connection enables you to run commands and scripts remotely on the NetScaler appliance.
    • After successfully connecting to the NetScaler Gateway, run the following command:

      python3 /var/spa/scripts/spa_registration.py <copied metadata>

    • Replace <copied metadata> with the actual metadata that you copied earlier.

      The script generates an 8-digit registration code. This code is critical for the registration process.

  3. Enter the 8-digit code in the Register with Citrix Cloud section.
  4. Click Validate.

    A warning message appears if the code is invalid. If the validation is successful, the Register button appears.

  5. Click Register.

  6. Return to the script execution window. The script proceeds to the next step and prompts you for the following details to complete the configuration:

    • An IP address designated for the VPN virtual server.
    • The SSL certificate key name to be associated with the VPN virtual server.

You can now configure the routing of applications through the on-premises NetScaler.

Enable routing of data traffic through the on-premises NetScaler Gateway

Perform the following steps to enable routing of data traffic through the on-premises NetScaler Gateway:

  1. Configure the app. For details, see the following topics:

  2. In the App Connectivity section, define the routing preferences for the application domains, specifying whether traffic must be routed externally, or internally through the Citrix Connector Appliance or through the on-premises NetScaler Gateway.

    Figure: Configure routing

  3. In Routing Type, select Internal via NetScaler Gateway. This ensures that data traffic is routed through the on-premises NetScaler Gateway. You can also update the routing type to Internal via NetScaler Gateway for the related domains.

    • Click the edit icon in the Actions column of the Related Domains table.
    • In Routing Type, select Internal via NetScaler Gateway.
    • Click Save.

Modify the routing details from access policies

You can override the routing behavior to vary based on a specific context. These contexts can include factors such as user groups, geographical location, platform, and other relevant criteria. By modifying the routing behavior based on the context, you can provide an optimized user experience.

Perform the following steps to modify the routing of data traffic through the on-premises NetScaler Gateway from the access policy:

  1. Create or edit an access policy. For details, see Create access policies.

    Figure: Configure routing from the policies

  2. On the Step 3: Action page, enable the Routing exceptions toggle. The Routing exceptions toggle allows you to edit the resource locations and routing information for the domains of the applications added in the access policy.
  3. Click the edit icon next to the domain for which you want to modify the routing type.
  4. In Routing type, select Internal via NetScaler Gateway.
  5. Click Save.
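The app-level Routing Type with its related-domain overrides (previous section) and the Routing exceptions in an access policy (this section) together decide which data path a domain's traffic takes. The following Python model is an added illustration, not Citrix product code and not taken from this page: it resolves a domain's route in the order a practitioner should expect (a routing exception in a matching access policy first, then the related-domain override, then the app-level routing type) and reproduces the "no fallback" behaviour from the points to note, where a launch that depends on an unreachable on-premises gateway fails instead of being redirected to the cloud. The class names, the "External" and "Internal via Connector Appliance" labels, the policy context fields (user groups, platform), the first-match policy ordering and the sample domains are assumptions made for this example.

```python
"""Illustrative model of hybrid data path routing decisions (added example, not Citrix code)."""
from dataclasses import dataclass, field

# Routing types from the App Connectivity UI. Only "Internal via NetScaler Gateway"
# appears verbatim in the documentation; the other two labels are assumed here.
EXTERNAL = "External"
INTERNAL_VIA_CONNECTOR = "Internal via Connector Appliance"
INTERNAL_VIA_GATEWAY = "Internal via NetScaler Gateway"

# Where each routing type sends the application data traffic.
DATA_PATH = {
    EXTERNAL: "cloud PoP",
    INTERNAL_VIA_CONNECTOR: "cloud PoP -> Cloud Connector (Secure Private Access service)",
    INTERNAL_VIA_GATEWAY: "on-premises NetScaler Gateway (data stays inside the corporate network)",
}


@dataclass
class Application:
    name: str
    domain: str
    routing_type: str                                  # App Connectivity > Routing Type
    related_domains: dict = field(default_factory=dict)  # related domain -> its own routing type


@dataclass
class AccessPolicy:
    name: str
    apps: set                                          # application names covered by the policy
    user_groups: set                                   # condition: user is in any of these (empty = any)
    platforms: set                                     # condition: client platform (empty = any)
    routing_exceptions: dict = field(default_factory=dict)  # domain -> routing type


@dataclass
class SessionContext:
    user_groups: set
    platform: str
    gateway_reachable: bool = True  # constructed flag standing in for gateway health


def policy_matches(policy, ctx):
    """A policy applies when every non-empty condition matches the session context."""
    if policy.user_groups and not (policy.user_groups & ctx.user_groups):
        return False
    if policy.platforms and ctx.platform not in policy.platforms:
        return False
    return True


def resolve_route(app, domain, policies, ctx):
    """Routing type for `domain` of `app`: policy exception > related-domain override > app default."""
    for policy in policies:  # assumption: the first matching policy with an exception wins
        if app.name in policy.apps and policy_matches(policy, ctx) and domain in policy.routing_exceptions:
            return policy.routing_exceptions[domain]
    return app.related_domains.get(domain, app.routing_type)


def launch(app, domain, policies, ctx):
    """Simulate a launch. No cloud fallback exists when the on-premises gateway is down."""
    route = resolve_route(app, domain, policies, ctx)
    if route == INTERNAL_VIA_GATEWAY and not ctx.gateway_reachable:
        return {"route": route, "path": DATA_PATH[route],
                "status": "failed: on-premises gateway unavailable, no fallback to cloud"}
    return {"route": route, "path": DATA_PATH[route], "status": "launched"}


def sample_config():
    """Constructed sample: an HR app routed via the connector by default, its payroll
    domain pinned to the on-premises gateway, and a policy forcing the main domain
    through the gateway for the finance group on supported client platforms."""
    app = Application(
        name="HR Portal",
        domain="hr.example.internal",
        routing_type=INTERNAL_VIA_CONNECTOR,
        related_domains={"payroll.example.internal": INTERNAL_VIA_GATEWAY},
    )
    policies = [
        AccessPolicy(
            name="Finance via on-prem gateway",
            apps={"HR Portal"},
            user_groups={"finance"},
            platforms={"Windows", "macOS"},
            routing_exceptions={"hr.example.internal": INTERNAL_VIA_GATEWAY},
        ),
    ]
    return app, policies


if __name__ == "__main__":
    app, policies = sample_config()
    for label, ctx in [
        ("employee, gateway up", SessionContext({"employees"}, "Windows")),
        ("finance, gateway up", SessionContext({"finance"}, "macOS")),
        ("finance, gateway down", SessionContext({"finance"}, "macOS", gateway_reachable=False)),
    ]:
        for domain in (app.domain, "payroll.example.internal"):
            print(label, domain, launch(app, domain, policies, ctx))
```

Run it as a script to see each context and domain resolved; the outage case shows why the "no fallback" note matters for availability planning when sensitive domains are pinned to the gateway.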

Points to note

  • Supported NetScaler Gateway deployment types - The hybrid data path is currently supported only for environments with a high availability setup.
  • Fallback mechanism - In the current release, there is no failover or fallback mechanism that automatically redirects traffic to the cloud infrastructure in the event that the on-premises gateway experiences an outage or becomes unavailable.
  • The following features are not supported for hybrid data path in the current release:

    • Application discovery
    • Policy modeling
    • Session policies
    • Observability