Configure rules for unsanctioned websites


The Website filtering feature is renamed to Unsanctioned Websites.

Applications, Intranet or Internet, that are not configured within Secure Private Access are regarded as ‘Unsanctioned Websites’. By default, Secure Private Access denies access to all intranet web applications if there are no applications and access policies configured for those applications.

For all other internet URLs or SaaS applications that do not have an app configured, admins can use the Settings > Unsanctioned Websites tab from the admin console to allow or deny access via Citrix Enterprise Browser. Access can also be redirected to a remote browser isolated environment to prevent browser-based attacks. You can use wildcards, such as *, to control access to all the domains in that website and all the pages within that domain. By default, settings are configured to allow access to all internet URLs or SaaS apps via Citrix Enterprise Browser.

The following illustration explains the end user traffic flow.

End user traffic flow

When a request arrives, the following checks are performed, and corresponding actions are taken:

  1. Does the request match the global allow list?

    1. If it matches, the user can access the requested website.

    2. If it does not match, website lists are checked.

  2. Does the request match the configured website list?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, the default action (ALLOW) is applied. The default action cannot be changed.

To configure rules for unsanctioned websites

  1. In the Secure Private Access console, click Settings > Unsanctioned Websites.

    Web filtering


    • The web filtering feature is enabled by default and access to all unsanctioned internet URLs is allowed.
    • You can change the settings to Block all users from accessing unsanctioned websites to block access to any internet URL via Citrix Enterprise Browser for all users.

    Configure rules

    You can also change settings for specific URLs by adding them to blocked websites, allowed websites, or redirected to Remote Browser Isolation list.

    For example, if you have blocked access to all unsanctioned URLs by default and want to allow access to only a few specific internet URLs, then you can do so by performing the following steps:

    1. Click the Allowed Websites tab, and then click Allow a Website.
    2. Add the website address that must be allowed access. You can either manually add the website address or drag and drop a CSV file containing the website address.
    3. Click Add a URL and then click Save.

      The URL is added to the list of allowed websites.


  • You can enable the web filtering feature and still pass all traffic through the Citrix Enterprise Browser to your existing firewalls, content filtering or SIEM tools. Traffic for unsanctioned URLs is not sent to Secure Private Access service.
  • A paid Secure Browser Standard service customer (organization) gets 5,000 hours of use per year by default. For more hours, they must buy the secure browser add-on packs. You can track the usage of the Remote Browser Isolation service. For more information, see Manage and monitor remote isolated browsers.
  • For information about the Remote Browser Isolation service, see Remote Browser Isolation.
Configure rules for unsanctioned websites