Secure Private Access integration with Director (Preview)
The Secure Private Access integration with Director allows a help desk admin or full admin to monitor and troubleshoot all Secure Private Access sessions in Director. To support this feature, you must use the 2402 or later versions of Director, Secure Private Access, Citrix Workspace app, and VDA.
Available actions include viewing the details of the following:
- Secure Private Access active sessions for a user under the Select a Session popup > Sessions tab > Web SaaS and Client/Server Apps
- Secure Private Access failed or blocked enumerations and failed app launches under the Select a Session popup > Denied Access tab
- Session and application details view for active and failed app launches
- Session and application details view for failed and blocked enumerations
Note:
The Secure Private Access integration with Director is only supported for Director Forms-based authentication and not supported for Integrated Windows Authentication or Smart Card-based authentication.
Prerequisites
- To support this feature, you must use the following:
  - Director 2402 or later version
  - Secure Private Access 2402 or later version
  - Citrix Workspace app 2402 or later version
- Ensure that at least one Citrix Virtual Apps and Desktops site is configured on Director.
- Set up Secure Private Access.
- Make sure that the Director server has network connectivity to the Secure Private Access server.
  Note:
  A trusted certificate must be installed on the Secure Private Access server to successfully establish a connection to Citrix Director.
- Ensure that the Director admin user has the following permissions:
  - Secure Private Access Full Admin or ReadOnly Admin in the Secure Private Access Admin console.
  - Citrix Virtual Apps or Desktops help desk or Full Admin or ReadOnly Admin in the Citrix Studio console.
Configure Director with Secure Private Access
- Open a command prompt as admin on the machine where Director is installed.
- Go to the path of the DirectorConfig tool by running the following command:
  cd c:\inetpub\wwwroot\Director\tools
- Run the following command to configure Secure Private Access:
  DirectorConfig.exe /configspa
- Enter the FQDN of the machine where Secure Private Access is installed along with the port number.
- Make sure that the connection to the Secure Private Access (server or load balancer) is secure and has a trusted certificate applied to it.
Note:
The admins must be added to the Secure Private Access console to view the Secure Private Access session details in Director. For more information, see Manage administrators.
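The connectivity and trusted-certificate requirements above can be checked from the Director server before running DirectorConfig.exe /configspa. The following PowerShell is an added example, not part of the Citrix tooling; the function name Test-SpaEndpoint, the host spa.example.internal, port 443, and the 30-day expiry threshold are placeholders chosen for illustration.

```powershell
# Added example (not Citrix code): pre-flight check run on the Director server.
# Host name and port are placeholders; use the values you will enter at the /configspa prompt.
function Test-SpaEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,   # FQDN of the Secure Private Access server or load balancer
        [Parameter(Mandatory)][int]$Port,          # port entered together with the FQDN
        [int]$WarnDays = 30                        # assumed threshold for an expiry warning
    )
    $report = [ordered]@{
        Target = "${HostName}:$Port"; TcpReachable = $false; CertTrusted = $false
        Subject = $null; Issuer = $null; NotAfter = $null; ExpiresSoon = $null; Detail = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $tls = $null
    try {
        # Step 1: plain TCP reachability from Director to the endpoint.
        $client.Connect($HostName, $Port)
        $report.TcpReachable = $true

        # Step 2: TLS handshake with the default validator. It checks the chain against
        # the Windows trust stores and the certificate name against $HostName, and
        # throws if either check fails.
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $tls.AuthenticateAsClient($HostName)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        $report.CertTrusted = $true
        $report.Subject     = $cert.Subject
        $report.Issuer      = $cert.Issuer
        $report.NotAfter    = $cert.NotAfter
        $report.ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        $report.Detail      = "TLS handshake succeeded ($($tls.SslProtocol))"
    }
    catch {
        # Report which stage failed so network and certificate problems are not confused.
        $stage = if ($report.TcpReachable) { 'TLS/certificate validation' } else { 'TCP connect' }
        $report.Detail = "$stage failed: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $client.Close()
    }
    [pscustomobject]$report
}

# Placeholder values, not taken from the Citrix documentation.
Test-SpaEndpoint -HostName 'spa.example.internal' -Port 443 | Format-List
```

If TcpReachable is True and CertTrusted is False, the problem lies with the certificate (untrusted issuer, name mismatch, or expiry) rather than the network path. The check validates against the trust stores visible to the account that runs it.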
View a Secure Private Access session by user
On the Director dashboard, click Search and enter the user name. The Select a session screen appears.
Full admin:
Help desk admin:
View the Activity Manager for Secure Private Access session
Citrix Director offers the Activity Manager view for Secure Private Access sessions, which gives you an overall view of the session activities. The Activity Manager provides a comprehensive view of all apps and desktops that are successfully opened, failed to open, and the outcome of the policies set in the Secure Private Access app. This feature is available from Citrix Virtual Apps and Desktops version 2407 or later.
Prerequisites:
- Director 2407 or later version
- Secure Private Access 2407 or later version
The Activity Manager is displayed with the Available Apps and Launched Apps details. You can find the following session details:
- Launch time
- Resource name
- Resource type
- Accessed resource
- Status
- Transaction ID
To view the Activity Manager, do the following:
- On the Director dashboard, click Search and enter the user name. The Select a session screen appears.
- Select a session that is opened using the Secure Private Access session. The Activity Manager for the selected session appears.
- Click Available Apps to view apps that are available in the Citrix Workspace app.
  Or,
  Click Launched Apps (sessions) to view the apps that are opened in the Citrix Workspace app.
You can filter the resources with the status of the resource set in the Secure Private Access app:
- Allow - Resources that are allowed for a user to access. This status is set using a policy under the Secure Private Access app. This resource is present for the user in the Citrix Workspace app.
- Deny - Resources that are denied for a user to access. This status is set using a policy under the Secure Private Access app. This resource is present for the user in the Citrix Workspace app.
- Error - Resources that a user is allowed to access under the Secure Private Access app. However, because of some error, the resource isn’t available in the Citrix Workspace app. There are two types of errors: enumeration error and session error.
View available apps
The Web and SaaS apps that are available in the Citrix Workspace app are displayed under the Available Apps section. This section shows the last enumeration attempt of the apps and the status of the enumeration attempt.
You can view the following details:
- Resource name
- Status
- Transaction ID
You can also filter the preceding details with the application status such as Allow, Deny, and Error. You can also sort the details using the up and down arrow.
Note:
TCP/UDP apps aren’t present in the Available Apps section.
View launched apps
The apps that are opened in the Citrix Workspace app are displayed under the Launched Apps (sessions) section. You can view the following details:
- Launch time
- Resource name
- Resource type
- Accessed resource
- Status
- Transaction ID
You can also filter the preceding details with the application status such as Allow, Deny, and Error. You can also sort the details using the up and down arrow.
Session topology view for Secure Private Access apps
You can view the session topology for the apps opened using Secure Private Access. Click the required app from the Activity Manager to view the Session Topology of the selected app.
Web/SaaS apps:
TCP/UDP apps:
Session Topology view provides the flow of the app launch process. The endpoint connects to the Citrix Gateway and Citrix Gateway connects to the Secure Private Access plug-in. Using the information from the Secure Private Access plug-in, the app is launched. This feature is available from Citrix Virtual Apps and Desktops version 2407 or later.
Prerequisites:
- Director 2407 or later version
- Secure Private Access 2407 or later version
- Citrix Secure Access 24.8.1.x or later version
You can view the following:
- Endpoint - Displays the endpoint where the app is opened. The possible options are Citrix Workspace app and Citrix Secure Agent. The device ID is displayed.
- Internal network - Displays the number of enumerated apps and the number of configured policies.
- Policy evaluation - Displays the result of the policy that is set on the Secure Private Access app. The different values are Allowed, Denied, Access allowed with restrictions, and Error. This is applicable only for Web or SaaS apps.
- App launched - Displays the type of apps and the status of app launch. The possible values for app types are Web/SaaS app or TCP/UDP app. Similarly, the possible values for app launch statuses are Allowed, Denied, Access allowed with restrictions, and Error.
You can now view the following extra details in the Session Topology view for Secure Private Access apps. This change applies to both Web and SaaS apps, in addition to TCP/UDP apps.
Endpoint:
Click the link within Endpoint to view the following:
- Endpoint type: This can be either the Secure Access Agent or Citrix Workspace app.
- Access details: View how the endpoint is accessed, whether through StoreFront or Citrix Workspace app.
- Endpoint OS: For example, Windows.
- Location type: Indicates whether the location is internal or external.
Resource Location:
Click the link within Resource Location to view the following:
Note: This is applicable only for Web and SaaS apps.
- Number of enumerated applications: Displays the number of enumerated applications and the store URL.
- Access method: Indicates whether the endpoint is accessed through StoreFront or Citrix Workspace app.
Secure Private Access:
- Configured policies: Displays the number of configured policies.
- FQDN plug-in: Shows the FQDN of the agent that served the request.
Web and SaaS App / Client-Server App (TCP/UDP):
Click the link within Web and SaaS App / Client-Server App to view the following:
- App name: The name of the app.
- Top level URL: For Web or SaaS apps, the URL of the published app is displayed. For TCP/UDP apps, the protocol IP address of the app is displayed.
- App type: Indicates whether the app is a Web or SaaS app, or a TCP/UDP app.
- App publishing type: Indicates whether the app is published externally or internally.
View successfully launched Web apps and SaaS apps
The successfully launched apps are displayed on the Web SaaS and Client/Server Apps section.
Click an app from the Web SaaS and Client/Server Apps section to view the details.
For more information on success codes, see Citrix Director related codes.
View details about the access denied apps
Click Check Access Details on the Select a session screen.
Note:
The Check Access Details button appears when there is no active session.
Or,
Click the Denied Access tab to view the apps for which the access is denied.
The Denied Access tab opens.
The session details such as time, resource, endpoint name, and reason for failure are displayed. For more information on error codes, see Citrix Director related codes.
Currently, the following issues are identified:
- Enumeration denied due to policy conditions
- App launch error
- Enumeration errors
- App launch denied due to policy conditions
Select an app from the Denied Access tab > Resource column to view the details:
The following details are displayed for the successful or failed sessions:
- About the app
- Policy evaluation
- Session details
About the app
The name of the successful, failed, or denied app is displayed. Along with it, the following details of the app for the success or failure are displayed:
Field | Description |
---|---|
Transaction ID | Citrix Transaction ID during the session or enumeration. |
Resource Type | Displays the type of the resource. The possible values are Web, SaaS, TCP/UDP (Server to Client), and TCP/UDP (Client to Server). |
Accessed Resource | The URL of the accessed resource during the session or enumeration. In the case of a TCP or UDP app, it shows whether the type of accessed resource is TCP or UDP. |
Configured policies | The number of policies that are used within a session or enumeration. |
Reason | The analysis of the session or enumeration activity. |
Applied Security Restrictions | Displays the security restrictions that are applied in the Secure Private Access app. |
Policy evaluation
For a successful session, displays that no issues were found during evaluation. For a failed session or enumeration, the following details of the policies evaluated are displayed:
Field | Description |
---|---|
ID | Citrix Transaction ID. |
Policy Name | The name of the policy. If there are multiple policies, the first policy that is matched with the set condition appears. |
Status | The status of the policy. |
Action applied | The action applied on the policy. For example, deny access. |
Policy Condition Evaluation | |
Type | The type of the policy condition. |
Condition Criteria | The condition criteria of the policy applied in the failed session or enumeration. |
Value | The value of the policy. |
Evaluation Status | The evaluation status of the policy. The different values are Allowed, Denied, Access allowed with restrictions, and Error. |
Session details
For a failed session, the reason for session failure is displayed. For a successful session, the following details are displayed:
Field | Description |
---|---|
Session State | Displays the state of the session whether it is active or inactive. |
Start time | Displays the session start time. |
Last active time | Displays the last active time of the successful session. |
Gateway Virtual IP | Displays the virtual IP address of the gateway to which the successful session is connected. |
Contextual Tags | Displays the contextual tags. The contextual tag on the Secure Private Access plug-in is the name of a NetScaler Gateway policy (session, preauthentication, EPA) that is applied to the sessions of the authenticated users. |
Domains visited (Internal) | Displays the internal domains accessed using the successful session. |
Domains visited (External) | Displays the external domains accessed using the successful session. |