Configure rules for unsanctioned websites


  • Category-based web filtering will be deprecated by 31-Dec-2022. For details, see Feature deprecations.

  • The Website filtering feature is renamed to Unsanctioned Websites.

Unsanctioned websites are the apps that are not configured within the Secure Private Access configuration but can be accessed from the Citrix Enterprise Browser. You can configure rules for these unsanctioned websites. For example, a link within a SaaS app can point to a malicious website. With these rules, an administrator can take a specific website URL or a website category and allow access, block access, or redirect the request to a hosted, secure browser instance, helping to prevent browser-based attacks. You can use wildcards, such as, to control access to all the domains in that website and all the pages within that domain.

The following illustration explains the end user traffic flow.

End user traffic flow

When a request arrives, the following checks are performed, and corresponding actions are taken:

  1. Does the request match the global allow list?

    1. If it matches, the user can access the requested website.

    2. If it does not match, website lists are checked.

  2. Does the request match the configured website list?

    1. If it matches, the following sequence determines the action.

      1. Block

      2. Redirect

      3. Allow

    2. If it does not match, website categories are checked.

  3. If it does not match, the default action (ALLOW) is applied. The default action cannot be changed.

To configure rules for unsactioned websites

  1. In the Secure Private Access home page, click Settings in the navigation pane.

  2. Click Unsanctioned Websites and then click Edit.

  3. Enable Filter website list. Click Add in the respective section to block websites, allow websites, or redirect the user to a secure browser. For example, to block websites, in the blocked categories section, click Add.

    Enable filter website

    • Enter a website that users cannot access and click Add.

    • To allow websites, in the allowed websites section, click Add. Enter the website that users can access and click Add.

    • To redirect users to a secure browser, in the redirected to secure browser websites section, click Add. Enter a website that end users can access only from a Citrix hosted browser and click Add.

  4. Click Save for the changes to take effect.


  • The filter website lists feature redirects all Citrix Enterprise Browser traffic through Secure Private Access service, bypassing any existing firewalls and content filtering. If you want the existing firewalls or content filtering or both to be applied to the Citrix Enterprise Browser traffic, you must disable the Filter Website lists option. The Filter Website list option is enabled by default.

  • A paid Secure Browser Standard service customer (organization) gets 5,000 hours of use per year by default. For more hours, they must buy the secure browser add-on packs. You can track the usage of the Remote Browser Isolation service. For more information, see Monitor usage. For more information about the Remote Browser Isolation service, see Secure Browser Standard service.

Configure rules for unsanctioned websites