Deployment Guide: Citrix Secure Private Access On-Premises
Audience
This document is intended for architects, network designers, technical professionals, partners, and consultants interested in implementing the Citrix Secure Private Access On-Premises solution. It is also designed for network administrators, Citrix administrators, managed service providers, or anyone looking to deploy this solution.
Solution Overview
Citrix Secure Private Access On-Premises is a customer-managed Zero Trust Network Access (ZTNA) solution that provides VPN-less access to internal web and SaaS applications on the least-privilege principle, with single sign-on (SSO), multifactor authentication, device posture assessment, application-level security controls and App protection features, along with a seamless end-user experience. The solution uses on-premises StoreFront and Citrix Workspace app to deliver a seamless and secure access experience to web and SaaS apps within Citrix Enterprise Browser. It also uses NetScaler Gateway to enforce authentication and authorization controls.
Citrix Secure Private Access On-Premises solution enhances an organization’s overall security and compliance posture with the ability to easily deliver Zero Trust access to browser-based (internal web apps and SaaS apps) using the StoreFront on-premises portal as a unified access portal to web and SaaS apps, along with virtual apps, and desktops as an integrated part of Citrix Workspace.
Citrix Secure Private Access combines elements of NetScaler Gateway and StoreFront to deliver an integrated experience for end users and administrators.
| Functionality | Service/Component providing the functionality |
|---|---|
| Consistent UI to access apps | StoreFront on-premises/Citrix Workspace app |
| SSO to SaaS and Web apps | NetScaler Gateway |
| Multifactor Authentication (MFA) and device posture (aka End-Point Analysis) | NetScaler Gateway |
| Security controls and App protection controls for web and SaaS apps | Citrix Enterprise Browser |
| Authorization policies | NetScaler Gateway |
| Configuration and Management | Citrix Studio UI, NetScaler UI, ADM |
| Visibility, Monitoring, and Troubleshooting | NetScaler Gateway, ADM, and Citrix Director |
Use Cases
Citrix Secure Private Access (SPA) On-Premises solution with Citrix Virtual Apps and Desktops (CVAD) On-Premises provides a unified and secure end-user experience to both virtualized resources and browser-based apps (web apps and SaaS apps) with consistent security.
SPA On-Premises solution is designed to address the following use cases by using a customer-managed solution.
Use case #1: Secure access for Employees & Contractors to internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using VPN.
Use case #2: Provide comprehensive last mile Zero Trust enforcement with admin configurable browser security controls for internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using VPN.
Use case #3: Accelerate Merger & Acquisitions (M & A) user access across multiple identity providers, ensure consistent security, and provide seamless end-user access across multiple user groups.
Requirements
This article provides step-by-step guidance to deploy Secure Private Access with StoreFront and NetScaler Gateway. Citrix Enterprise Browser (incl. in Citrix Workspace app) is the client software used to securely interact with your SaaS or internal web apps.
Global App Config Service (GACS) is a requirement for browser management of Citrix Enterprise Browser.
This guide assumes the reader has a basic understanding of the following Citrix and NetScaler offerings and general Windows administrative experience:
- Citrix Virtual Apps and Desktops
- StoreFront
- NetScaler Gateway
- Global App Configuration service
Versions:
- Citrix Workspace app
- Citrix Virtual Apps and Desktops – Supported LTSR and current versions
- StoreFront – LTSR 2203 or non-LTSR 2212 and above
- NetScaler Gateway – 12.1 and above
Refer to the following documentation for more details as needed:
- Citrix Virtual Apps and Desktops
- StoreFront
- NetScaler Gateway
- Global App Configuration service (GACS)
Technical Overview
Access to internal web apps is possible from any location with any device at any time through NetScaler Gateway with Citrix Enterprise Browser (incl. in Citrix Workspace app) installed. The same applies to SaaS apps, with the difference that the access can be direct or indirect through NetScaler Gateway.
Citrix Enterprise Browser and Citrix Workspace app talk to NetScaler Gateway using a TLS-encrypted connection. NetScaler Gateway provides zero trust-based access by assessing the user’s device, strong nFactor user authentication, app authorization, and single sign-on (SSO).
Citrix Enterprise Browser uses the Citrix Secure Browse protocol to allow access to internal domain names (for example, https://website.company.local) without needing a public-facing DNS name.
Citrix Secure Private Access with Citrix Enterprise Browser allows the configuration of additional security control for web apps like Watermarking, copy/paste-, up/download-, and print restrictions. These restrictions are configured in a file called “policy.json”.
Configuration process
IMPORTANT
A config tool is available to quickly onboard apps and policies for the apps and also configure NetScaler Gateway and StoreFront settings.
However, note the following before using the tool.
- Read the Publish a web application and Create and publish the policy file sections to ensure that you have the complete understanding of the configuration requirements for the on-premises solution configuration.
- This tool can only be used as a complement to the existing procedures documented in this topic and does not replace the configuration that must be performed manually.
For complete details about the tool, see Configure apps and policies using the Secure Private Access config tool.
Step 1 – Publish a web application
Initial publishing of a new web app uses a Windows PowerShell cmdlet installed with Citrix Virtual Apps and Desktops. As soon as the web app is created, future editing can be done using the Citrix Studio console.
- Open a Windows PowerShell on a machine with the PowerShell SDK installed.
- Run the following command to load the Citrix cmdlets:
Add-PSSnapIn citrix*
- Define the necessary variables for the web app:
Before running the commands, replace the placeholders marked with angle brackets. (< >)
$deliveryGroupName = "<delivery-group-name>"
$appURL = "<URL-of-the-app>"
$appName = "<app-name>"
$appIconFilePath = "<app-Icon>"
$appDescription = "KEYWORDS:SPAENABLED"
Example
$deliveryGroupName = "CVAD-On-Prem"
$appURL = "https://finance.training.local"
$appName = "Finance-Portal"
$appIconFilePath = "C:\temp\Icon\finance.ico"
$appDescription = "KEYWORDS:SPAENABLED"
- Run the following commands to publish the new web app:
$deliveryGroupUid = (Get-BrokerDesktopGroup -Name $deliveryGroupName).Uid
New-BrokerApplication -ApplicationType PublishedContent -CommandLineExecutable $appURL -Name $appName -DesktopGroup $deliveryGroupUid -Description $appDescription
- (Optional) Run the following commands to change the icon on the web app:
$encodedIconData = [convert]::ToBase64String((Get-Content $appIconFilePath -Encoding byte))
# New-BrokerIcon returns the icon it creates; use its Uid directly rather than assuming the last icon in the site is the new one
$icon = New-BrokerIcon -EncodedIconData $encodedIconData
Set-BrokerApplication -Name $appName -IconUid $icon.Uid
- Run the following command to verify the web app:
Get-BrokerApplication -ApplicationType PublishedContent | Format-Table @{Label="Type"; Expression={$_.ApplicationType}},Name,@{Label="URL"; Expression={$_.CommandLineExecutable}},@{Label="Delivery group"; Expression={(Get-BrokerDesktopGroup -Uid $_.AssociatedDesktopGroupUids[0]).Name}},Description
Example output
Type             Name           URL                            Delivery group Description
----             ----           ---                            -------------- -----------
PublishedContent Finance-Portal https://finance.training.local CVAD-On-Prem   KEYWORDS:SPAENABLED
PublishedContent Doctor         https://doctor.training.local  CVAD-On-Prem   KEYWORDS:SPAENABLED
- In Citrix Studio, under the Applications section, you see the new web application.
All future changes are done in the Citrix Studio console.
Note
For more information on how to publish content, click here.
For more information on how to change the default icon, click here.
Step 2 – Create and publish the policy file
The policy file named policy.json defines each published web app’s routing and security controls.
For example, should an Office 365 SaaS app have security controls enabled and routed through your data center, or should the traffic go direct?
Note: If you know the policy file structure and values, continue with Complete policy.json file example.
Policy file structure
The policy file is in JSON format and contains the following sections:
- policies
The policies section defines security controls and traffic routing for all published SaaS/web apps. For non-published websites, a catch-all policy is defined.
Note: If the web app consists of different domain names, you must specify all to apply the security controls correctly.
The following table lists the available access policy options and their values:
| Key name | Policy description | Value |
|---|---|---|
| name | Name of the published SaaS/web app | Using the same name entered while publishing the app is recommended. |
| patterns | Comma-separated list of domain names related to this app. You can also use wildcards. These domain names are used to apply policies on the apps by Citrix Enterprise Browser. | Examples: “.office.com/”, “.office.net/”, “.microsoft.com/”, “.sharepoint.com/” |
| watermark_v1 | Display the watermark on the webpage | enabled or disabled |
| clipboard_v1 | Restrict clipboard on the webpage | enabled or disabled |
| printing_v1 | Restrict printing from the webpage | enabled or disabled |
| download_v1 | Restrict downloads from the webpage | enabled or disabled |
| upload_v1 | Restrict uploads to the webpage | enabled or disabled |
| keylogging_v1 | Enable or disable anti-keylogging for the webpage | enabled or disabled |
| screencapture_v1 | Enable or disable the anti-screen capture feature for the webpage | enabled or disabled |
| proxytraffic_v1 | Determines whether the Citrix Enterprise Browser tunnels the traffic to the webpage via NetScaler Gateway using the secure browse protocol or enables direct access | secureBrowse or direct |
| browser_v1 | This setting only applies when Citrix Enterprise Browser is configured as Work Browser. When set to embeddedBrowser, links related to configured Secure Private Access domains open in Citrix Enterprise Browser | systemBrowser or embeddedBrowser |
Note
The value enabled stands for ALLOW and disabled for BLOCK. Anti-keylogging and anti-screen capturing require the App protection feature that comes with the Citrix Workspace app.
Template
"policies": [{
    "name": "<app name>",
    "patterns": ["<FQDN 1>/*", "<FQDN 2>/*"],
    "policy": {
        "watermark_v1": "disabled",
        "clipboard_v1": "disabled",
        "printing_v1": "disabled",
        "download_v1": "disabled",
        "upload_v1": "disabled",
        "keylogging_v1": "disabled",
        "screencapture_v1": "disabled",
        "proxytraffic_v1": "secureBrowse",
        "browser_v1": "embeddedBrowser"
    }
}, {
    "patterns": ["*/*"],
    "policy": {
        "proxytraffic_v1": "direct"
    }
}]
Note: Do not leave a trailing comma after the last value in an object (for example after "direct"). JSON does not permit it, and Citrix Enterprise Browser rejects the file.
- system
The system section defines the NetScaler Gateway address to which the traffic is routed.
Template
"system": {
    "secureBrowseAddress": "https://<netscalergateway FQDN>"
}
Complete policy.json file example
{
"policies": [{
"name": "Finance-Portal",
"patterns": ["*.finance.training.local/*"],
"policy": {
"watermark_v1": "enabled",
"clipboard_v1": "enabled",
"printing_v1": "disabled",
"download_v1": "disabled",
"upload_v1": "disabled",
"keylogging_v1": "disabled",
"screencapture_v1": "disabled",
"proxytraffic_v1": "secureBrowse",
"browser_v1": "embeddedBrowser"
}
}, {
"name": "Doctor",
"patterns": ["*.doctor.training.local/*"],
"policy": {
"watermark_v1": "disabled",
"clipboard_v1": "disabled",
"printing_v1": "enabled",
"download_v1": "enabled",
"upload_v1": "enabled",
"keylogging_v1": "disabled",
"screencapture_v1": "disabled",
"proxytraffic_v1": "secureBrowse",
"browser_v1": "embeddedBrowser"
}
}, {
"patterns": ["*/*"],
"policy": {
"proxytraffic_v1": "direct"
}
}
],
"system": {
"secureBrowseAddress": "https://citrix.training.com"
}
}
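A check worth running on policy.json before it is copied to the StoreFront servers, as an added example (not Citrix code and not part of this guide): it validates the structure documented above and reports the mistakes that otherwise surface only as an error code in Citrix Enterprise Browser. It assumes the key table above is complete; the sample files are constructed from the guide's two-app example plus deliberately broken variants.

```python
"""Check a Secure Private Access policy.json before copying it to StoreFront.

Added example, not Citrix code. It validates the structure this guide
documents: a "policies" list whose entries carry "patterns" and a "policy"
map of the documented keys, exactly one catch-all "*/*" entry, and a "system"
block whose secureBrowseAddress is an https:// URL.
"""
import json

# Allowed values per key, from the policy file structure table.
ALLOWED = {key: {"enabled", "disabled"} for key in (
    "watermark_v1", "clipboard_v1", "printing_v1", "download_v1",
    "upload_v1", "keylogging_v1", "screencapture_v1")}
ALLOWED["proxytraffic_v1"] = {"secureBrowse", "direct"}
ALLOWED["browser_v1"] = {"systemBrowser", "embeddedBrowser"}
CATCH_ALL = "*/*"


def validate_policy_text(text):
    """Return (errors, warnings). Empty errors means the file is usable."""
    errors, warnings = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma or stray quote ends up here.
        return [f"not valid JSON: {exc}"], warnings

    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, list) or not policies:
        errors.append('"policies" must be a non-empty list')
        policies = []

    catch_alls = 0
    for idx, entry in enumerate(policies):
        if not isinstance(entry, dict):
            errors.append(f"policies[{idx}]: entry is not an object")
            continue
        label = entry.get("name", f"policies[{idx}]")
        patterns = entry.get("patterns")
        if not isinstance(patterns, list) or not patterns or not all(
                isinstance(p, str) and p for p in patterns):
            errors.append(f'{label}: "patterns" must be a non-empty list of strings')
            patterns = []
        is_catch_all = CATCH_ALL in patterns
        catch_alls += is_catch_all
        if not is_catch_all and "name" not in entry:
            errors.append(f'{label}: app policy has no "name"')
        policy = entry.get("policy")
        if not isinstance(policy, dict):
            errors.append(f'{label}: "policy" must be an object')
            continue
        for key, value in policy.items():
            if key not in ALLOWED:
                errors.append(f"{label}: unknown key {key!r}")
            elif value not in ALLOWED[key]:
                errors.append(f"{label}: {key} must be one of "
                              f"{sorted(ALLOWED[key])}, got {value!r}")
        # Traffic that is not tunnelled never reaches NetScaler Gateway, so the
        # authorization policies from Step 4 do not apply to it.
        if not is_catch_all and policy.get("proxytraffic_v1") != "secureBrowse":
            warnings.append(f"{label}: proxytraffic_v1 is not secureBrowse, "
                            "so Gateway authorization does not apply")

    if catch_alls != 1:
        errors.append(f'expected exactly one catch-all "{CATCH_ALL}" policy, found {catch_alls}')

    system = doc.get("system") if isinstance(doc, dict) else None
    address = system.get("secureBrowseAddress") if isinstance(system, dict) else None
    if not isinstance(address, str) or not address.startswith("https://"):
        errors.append('"system.secureBrowseAddress" must be the https:// URL of NetScaler Gateway')
    return errors, warnings


# Constructed sample inputs: the guide's Finance-Portal file, and two broken variants.
GOOD_POLICY = json.dumps({
    "policies": [
        {"name": "Finance-Portal", "patterns": ["*.finance.training.local/*"],
         "policy": {"watermark_v1": "enabled", "clipboard_v1": "enabled",
                    "printing_v1": "disabled", "download_v1": "disabled",
                    "upload_v1": "disabled", "keylogging_v1": "disabled",
                    "screencapture_v1": "disabled",
                    "proxytraffic_v1": "secureBrowse",
                    "browser_v1": "embeddedBrowser"}},
        {"patterns": ["*/*"], "policy": {"proxytraffic_v1": "direct"}},
    ],
    "system": {"secureBrowseAddress": "https://citrix.training.com"},
})
# Trailing comma after "direct", as in a hand-edited template: not valid JSON.
TRAILING_COMMA = '{"policies": [{"patterns": ["*/*"], "policy": {"proxytraffic_v1": "direct",}}]}'
# Parses, but has a capitalised value, no catch-all entry and a plain http Gateway URL.
WRONG_VALUES = json.dumps({
    "policies": [{"name": "Doctor", "patterns": ["*.doctor.training.local/*"],
                  "policy": {"proxytraffic_v1": "Direct"}}],
    "system": {"secureBrowseAddress": "http://citrix.training.com"},
})

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("comma", TRAILING_COMMA), ("values", WRONG_VALUES)):
        errs, warns = validate_policy_text(text)
        print(name, "errors:", errs, "warnings:", warns)
```

Run it against the file on each StoreFront server before testing from a client; a non-empty error list is the condition Citrix Enterprise Browser later reports as a policy file problem, and the warning list shows which apps are routed around NetScaler Gateway and therefore outside its authorization policies.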
Policy file location
The policy.json file must be placed on each StoreFront server at
C:\inetpub\wwwroot\Citrix\<store-name>\Resources\SecureBrowser.
Note: The folder structure “Resources” and “SecureBrowser” must be created first.
Example
In this example, we use the default StoreFront store called “Store”.
mkdir C:\inetpub\wwwroot\Citrix\Store\Resources
mkdir C:\inetpub\wwwroot\Citrix\Store\Resources\SecureBrowser
Place the policy.json file into the “SecureBrowser” directory.
Verify policy file download
- Open an installed web browser on your StoreFront server.
- Navigate to the following address
https://<StoreFront server FQDN>/Citrix/<Store name>/Resources/SecureBrowser/policy.json and download the policy file.
Before running the download, replace the placeholders marked with angle brackets. (< >)
Example: https://xa02.training.local/Citrix/Store/Resources/SecureBrowser/policy.json
- The file should download successfully.
Note
Follow the steps below if an IIS 404.7 error page shows up, indicating Request Filtering is blocking the download.
- Open Internet Information Services (IIS) Manager.
- Navigate to the previously created SecureBrowser folder.
- In the Feature View section, double-click Request Filtering.
- In the Action pane, click Allow File Name Extension.
- Enter “.json” and click OK.
- Test the download again.
For more information on how to configure Request Filtering, click here.
StoreFront store web.config
To make the new policy details available for the Citrix Workspace app and Citrix Enterprise Browser, we must modify the web.config file in the StoreFront store directory.
(For example, C:\inetpub\wwwroot\Citrix\Store\web.config)
- Create a backup of the current web.config file at C:\inetpub\wwwroot\Citrix\<store-name>\
Example: copy C:\inetpub\wwwroot\Citrix\Store\web.config C:\inetpub\wwwroot\Citrix\Store\web.config.orig
- Open Notepad, insert the following code, and save the file as ModifyWebConf.ps1 to edit the web.config file correctly.
function Editwebconf {
    param (
        [parameter(Mandatory = $true)][String]$Global:webconfigfile
    )
    # Read the store's web.config line by line
    $content = Get-Content $Global:webconfigfile
    # Anchor line: the last entry in the <data> element of the existing route
    $oldText = '<add name="endpointCapabilities" value="clientAssistantGetIcaFile" />'
    # Replacement: the anchor line, the closing tags of the existing route, and the complete webSecurePolicy route
    $newText = '<add name="endpointCapabilities" value="clientAssistantGetIcaFile" />
</data>
</route>
<route name="webSecurePolicy" order="22" url="Resources/SecureBrowser/policy.json">
<defaults>
<add param="controller" value="BrowserPolicy" />
<add param="action" value="BrowserResources" />
</defaults>
<data>
<add name="endpointId" value="WebSecurePolicy" />
<add name="endpointCapabilities" value="webSecurePolicy" />
<add name="CommonData" factory="Citrix.DeliveryServices.Configuration.ObjectCollectionFactory, Citrix.DeliveryServices.Configuration, Version=3.23.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856" path="citrix.deliveryservices/dazzleResources" property="commonData" />'
    # Do nothing if the route is already present, so running the script twice does not add it a second time
    if ($content -match 'name="webSecurePolicy"') {
        Write-Host "web.config has already been modified"
        exit
    }
    # Escape the anchor so -match and -replace treat it as literal text rather than as a regular expression
    $pattern = [regex]::Escape($oldText)
    for ($i = 0; $i -lt $content.Count; $i++) {
        if ($content[$i] -match $pattern) {
            $content[$i] = $content[$i] -replace $pattern, $newText
        }
    }
    # Write the modified content back to the file
    Set-Content $Global:webconfigfile $content
    Write-Host "$newText"
}
Editwebconf
Note: The Version in the CommonData factory attribute (3.23.0.0 above) belongs to a particular StoreFront release. Before running the script, compare it with the Version used by the existing CommonData entries in the same web.config and use that value if it differs.
- Open a Windows PowerShell.
- Switch to the directory of ModifyWebConf.ps1.
- Run the following command: .\ModifyWebConf.ps1
- When prompted for Global:webconfigfile:, insert the full path, including the file name, to your web.config file.
Example: C:\inetpub\wwwroot\Citrix\Store\web.config
Output
PS C:\temp> .\ModifyWebConf.ps1
cmdlet Editwebconf at command pipeline position 1
Supply values for the following parameters:
Global:webconfigfile: C:\inetpub\wwwroot\Citrix\Store\web.config
<add name="endpointCapabilities" value="clientAssistantGetIcaFile" />
</data>
</route>
<route name="webSecurePolicy" order="22" url="Resources/SecureBrowser/policy.json">
<defaults>
<add param="controller" value="BrowserPolicy" />
<add param="action" value="BrowserResources" />
</defaults>
<data>
<add name="endpointId" value="WebSecurePolicy" />
<add name="endpointCapabilities" value="webSecurePolicy" />
<add name="CommonData" factory="Citrix.DeliveryServices.Configuration.ObjectCollectionFactory, Citrix.DeliveryServices.Configuration, Version=3.23.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856" path="citrix.deliveryservices/dazzleResources" property="commonData" />
Step 3 – On-Premises NetScaler Gateway configuration
The NetScaler Gateway configuration includes four essential steps:
- Enable clientless access
- Configure web address encoding
- Enable Secure Browse
- Exclude domains from being rewritten in clientless access mode
Note
Clientless access only works when ICA Only is set to false on the NetScaler Gateway virtual server. (Default setting on new deployments)
For clientless access to work with StoreFront, specify a Callback URL within your StoreFront configuration.
Access to published web apps is only possible using the Citrix Workspace app and Citrix Enterprise Browser.
Enable clientless access
Clientless access is required for Citrix Enterprise Browser to connect to web apps.
There are two options to enable clientless access:
Citrix recommends enabling it per session policy to allow better control of clientless access.
Clientless access Globally
Globally enabled clientless access applies to all configured NetScaler Gateway virtual servers.
You can either enable it using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway and then click Global Settings.
- In the Global Settings page, click Change global settings.
- On the Client Experience tab, select On for Clientless Access.
- On the Published Applications tab, select OFF for ICA Proxy, and click OK.
- NetScaler CLI
- Run the following command:
set vpn parameter -clientlessVpnMode On -icaProxy OFF
Clientless access Session policy
Configuring clientless access per session policy allows for narrowing down the setting for users, groups, or Gateway virtual servers. Creating a new session policy/action with the same settings is good for easily switching between icaProxy and clientless access configuration.
You can either enable it using the NetScaler GUI or CLI.
-
NetScaler GUI
- On the Configuration tab, expand Citrix Gateway, expand Policies, and then click Session.
- In the Session page, switch to the Session Profiles tab and open the session profile for the Citrix Workspace app. (for example, AC_OS_192.168.0.100)
- On the Client Experience tab, next to Clientless Access, click Override Global, select On.
- On the Published Applications tab, next to ICA Proxy, click Override Global, select OFF, and click OK.
- NetScaler CLI
- Run the following command:
Before running the command, replace the placeholders marked with angle brackets. (< >)
set vpn sessionAction <session-profile-name> -clientlessVpnMode On -icaProxy OFF
Configure web address encoding
Enabling clientless access allows you to either encode the addresses of internal web apps or leave them as clear text. Set clientless access URL encoding to Clear; on the CLI the same value is called TRANSPARENT.
There are two options to set clientless access URL encoding:
URL encoding Globally
Globally set URL encoding applies to all configured NetScaler Gateway virtual servers.
You can either enable it using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway and then click Global Settings.
- In the Global Settings page, click Change global settings.
- On the Client Experience tab, select Clear for Clientless Access URL Encoding, and click OK.
- NetScaler CLI
- Run the following command:
set vpn parameter -clientlessModeUrlEncoding TRANSPARENT
URL encoding Session policy
Configuring clientless access URL encoding per session policy allows for narrowing down the setting for users, groups, or Gateway virtual servers.
You can either enable it using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway, expand Policies, and then click Session.
- In the Session page, switch to the Session Profiles tab and open the session profile for the Citrix Workspace app. (for example, AC_OS_192.168.0.100)
- On the Client Experience tab, next to Clientless Access URL Encoding, click Override Global, select Clear, and click OK.
- NetScaler CLI
- Run the following command:
Before running the command, replace the placeholders marked with angle brackets. (< >)
set vpn sessionAction <session-profile-name> -clientlessModeUrlEncoding TRANSPARENT
Enable Secure Browse
Citrix Enterprise Browser uses the secure browse mode to access apps without needing a legacy VPN.
There are two options to configure secure browse mode:
Secure Browse Globally
Globally enabled Secure Browse applies to all configured NetScaler Gateway virtual servers.
You can either enable it using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway and then click Global Settings.
- In the Global Settings page, click Change global settings.
- On the Security tab, select ENABLED for Secure Browse, and click OK.
- NetScaler CLI
- Run the following command:
set vpn parameter -secureBrowse ENABLED
Secure Browse Session policy
Configuring Secure Browse per session policy allows for narrowing down the setting for users, groups, or Gateway virtual servers.
You can either enable it using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway, expand Policies, and then click Session.
- In the Session page, switch to the Session Profiles tab and open the session profile for the Citrix Workspace app. (for example, AC_OS_192.168.0.100)
- On the Security tab, next to Secure Browse, click Override Global, select ENABLED, and click OK.
- NetScaler CLI
- Run the following command:
Before running the command, replace the placeholders marked with angle brackets. (< >)
set vpn sessionAction <session-profile-name> -secureBrowse ENABLED
Exclude domains from being rewritten in clientless access mode
After enabling clientless access mode, NetScaler will do server-side rewrites for “/cvpn” requests. Exclude StoreFront server FQDN(s) or StoreFront Load Balancer FQDN and citrix.com.
This configuration is only available in the global NetScaler Gateway settings.
You can either configure the exclusion using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway and then click Global Settings.
- In the Global Settings page, click Configure Domains for Clientless Access.
- Select Exclude Domains, insert the StoreFront server FQDN(s) or the StoreFront Load Balancer FQDN, and click the Plus.
- Repeat step 3 for citrix.com.
- Click OK.
- NetScaler CLI
- Run the following commands:
Before running the commands, replace the placeholders marked with angle brackets. (< >)
bind policy patset ns_cvpn_default_bypass_domains <StoreFront-FQDN>
bind policy patset ns_cvpn_default_bypass_domains citrix.com
Step 4 – Authorizing users to access published web apps
Publishing web apps in CVAD does not allow you to control user access. This has to be done on NetScaler Gateway using Authorization policies. Authorization policies are bound to a user or group.
It is essential to know how the policies are applied:
- User
- Group
User-bound policies always take precedence over group-bound policies. If a website is allowed at the user level and denied at the group level, access is allowed, regardless of whether the group-level policy has a higher priority.
Multiple policies bound to the same user or group are ordered by priority: a lower number is a higher priority and is evaluated first, and the first matching policy decides. Ensure that allow policies have a higher priority (a lower number) than deny policies.
We recommend creating a group per published web application to control access permissions. (Zero trust approach)
Default authorization policies
Two authorization policies should be created by default: one that allows access to the StoreFront server, and one that denies access to everything else, including every published web app that is not explicitly allowed:
- Allow_StoreFront
- Deny_ALL
Web app authorization policies
Now that we have the default authorization policies, the next step is creating authorization policies for each published web app.
- Allow_<app1>
- Allow_<app2>
Creating authorization policies
You can either configure the authorization policies using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway, expand Policies, and click Authorization.
- On the Authorization page, click Add.
- Insert an authorization policy Name, select the Action, select Advanced Policy and create your Expression.
- Click Create.
- NetScaler CLI
- Run the following command:
Before running the command, replace the placeholders marked with angle brackets. (< >)
add authorization policy <policy-name> "HTTP.REQ.HOSTNAME.CONTAINS(\"<StoreFront-FQDN>\")" ALLOW
Example
Default authorization policies:
add authorization policy Allow_StoreFront "HTTP.REQ.HOSTNAME.CONTAINS(\"<StoreFront-FQDN>\")" ALLOW
add authorization policy Deny_ALL true DENY
Web app authorization policies:
add authorization policy Allow_Finance "HTTP.REQ.HOSTNAME.CONTAINS(\"finance.training.local\")" ALLOW
add authorization policy Allow_Doctor "HTTP.REQ.HOSTNAME.CONTAINS(\"doctor.training.local\")" ALLOW
Note: CONTAINS is a substring match, so any hostname that embeds the app's FQDN satisfies the expression. Where an app answers on exactly one FQDN, an exact match such as "HTTP.REQ.HOSTNAME.EQ(\"finance.training.local\")" limits the allow policy to that host.
Binding authorization policies
You can either bind the authorization policies using the NetScaler GUI or CLI.
- NetScaler GUI
- On the Configuration tab, expand Citrix Gateway, expand User Administration, and click AAA Users or AAA Groups.
- In the AAA Groups or AAA Users page, click Add.
- Insert a User or Group Name and click OK.
- In Advanced Settings click Authorization Policies.
- In the Policy Binding page, select a policy to bind, set the Priority, as type select Request, and click Bind.
- Repeat step 5 for each policy to bind.
- Click Done.
- NetScaler CLI
- Run the following commands:
Before running the commands, replace the placeholders marked with angle brackets. (< >)
add aaa group <group-name>
bind aaa group <group-name> -policy <policy-name> -priority <priority> -gotoPriorityExpression END
Example
User - Allow access to a specific published web app:
add aaa user testuser01
bind aaa user testuser01 -policy Allow_Doctor -priority 63000 -gotoPriorityExpression END
Group - Allow access to the published web app, StoreFront, and deny all other requests:
add aaa group Doctor
bind aaa group Doctor -policy Allow_Doctor -priority 10 -gotoPriorityExpression END
bind aaa group Doctor -policy Allow_StoreFront -priority 999 -gotoPriorityExpression END
bind aaa group Doctor -policy Deny_ALL -priority 1000 -gotoPriorityExpression END
add aaa group Finance
bind aaa group Finance -policy Allow_Finance -priority 10 -gotoPriorityExpression END
bind aaa group Finance -policy Allow_StoreFront -priority 999 -gotoPriorityExpression END
bind aaa group Finance -policy Deny_ALL -priority 1000 -gotoPriorityExpression END
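The evaluation order described in Step 4, as an added example that is not part of this guide and is not NetScaler code: a small model of the user and group bindings above that lets you check what a given user gets for a given hostname before the bindings are typed into the appliance. It assumes the StoreFront FQDN xa02.training.local from the earlier example, that groups are evaluated in the order listed, that a request matching no bound policy is denied (NetScaler's default authorization action), and reduces the policy expressions to the hostname operators CONTAINS and EQ; case handling and the rest of the expression language are not modelled.

```python
"""Model of how the authorization bindings from Step 4 resolve a request.

Added example, not NetScaler code. It encodes the ordering this guide states:
bindings on the AAA user are evaluated before bindings on the user's groups,
within one binding point a lower priority number is evaluated first, and with
gotoPriorityExpression END the first matching policy is final. Assumptions not
in the guide: groups are evaluated in the order given, and a request matching
no bound policy is denied (the default authorization action).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    operator: str  # "CONTAINS", "EQ" or "TRUE" (the Deny_ALL expression)
    needle: str
    action: str    # "ALLOW" or "DENY"

    def matches(self, hostname):
        if self.operator == "TRUE":
            return True
        if self.operator == "CONTAINS":   # substring match
            return self.needle in hostname
        if self.operator == "EQ":         # exact match
            return hostname == self.needle
        raise ValueError(f"unsupported operator {self.operator}")


# The guide's example policies (StoreFront FQDN xa02.training.local assumed),
# plus an EQ variant of Allow_Finance to compare the two operators.
POLICIES = {p.name: p for p in (
    Policy("Allow_StoreFront", "CONTAINS", "xa02.training.local", "ALLOW"),
    Policy("Deny_ALL", "TRUE", "", "DENY"),
    Policy("Allow_Finance", "CONTAINS", "finance.training.local", "ALLOW"),
    Policy("Allow_Doctor", "CONTAINS", "doctor.training.local", "ALLOW"),
    Policy("Allow_Finance_EQ", "EQ", "finance.training.local", "ALLOW"),
)}

# Bindings as (policy name, priority), mirroring the bind commands above.
USER_BINDINGS = {"testuser01": [("Allow_Doctor", 63000)]}
GROUP_BINDINGS = {
    "Doctor": [("Allow_Doctor", 10), ("Allow_StoreFront", 999), ("Deny_ALL", 1000)],
    "Finance": [("Allow_Finance", 10), ("Allow_StoreFront", 999), ("Deny_ALL", 1000)],
}
# The same Finance bindings with the exact-match policy swapped in.
STRICT_GROUP_BINDINGS = dict(GROUP_BINDINGS)
STRICT_GROUP_BINDINGS["Finance"] = [
    ("Allow_Finance_EQ", 10), ("Allow_StoreFront", 999), ("Deny_ALL", 1000)]


def authorize(user, groups, hostname, group_bindings=GROUP_BINDINGS):
    """Return (decision, policy name) for a request to hostname."""
    ordered = sorted(USER_BINDINGS.get(user, []), key=lambda b: b[1])
    for group in groups:
        ordered += sorted(group_bindings.get(group, []), key=lambda b: b[1])
    for name, _priority in ordered:
        if POLICIES[name].matches(hostname):
            return POLICIES[name].action, name
    return "DENY", None  # nothing bound matched: default action


if __name__ == "__main__":
    cases = [
        ("bob", ["Finance"], "finance.training.local"),
        ("bob", ["Finance"], "doctor.training.local"),
        ("testuser01", ["Finance"], "doctor.training.local"),  # user binding wins
        ("bob", ["Finance"], "finance.training.local.attacker.example"),
    ]
    for user, groups, host in cases:
        print(user, host, authorize(user, groups, host), "strict:",
              authorize(user, groups, host, STRICT_GROUP_BINDINGS))
```

The last case shows why the substring operator deserves a second look: a hostname that merely embeds finance.training.local satisfies Allow_Finance with CONTAINS, while the EQ variant falls through to Deny_ALL. The testuser01 case shows the user-level binding winning over the group's Deny_ALL even though its priority number is far larger.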
Testing
- Open and log in to the Citrix Workspace app on an internal or external client.
Troubleshooting: If an error message appears after a successful login, refer to NetScaler - No Intranet IP available under Deployment Troubleshooting.
- Launch a web app.
Note: With the example bindings above, a user in the Doctor group can access the Doctor application but is denied access to Finance-Portal.
Troubleshooting: If Citrix Enterprise Browser shows an error code, refer to CEB – PS1001 and CEB – PS1003 under Deployment Troubleshooting.
Visibility, Monitoring, and Troubleshooting
ADM – Gateway Insight
Gateway Insight provides visibility into the failures encountered by all users, regardless of the access mode, at the time of logging on to NetScaler Gateway. View a list of all available users, number of active users, number of active sessions, and bytes and licenses used by all users at any given time. View the end-point analysis (EPA), authentication, single sign-on (SSO), and application launch failures for a user.
For more information, refer to ADM – Gateway Insight documentation.
Citrix Director
Citrix Director’s troubleshooting dashboard provides real-time and historical health monitoring of the Citrix Virtual Apps or Desktops site. This allows seeing failures in real time, providing a better idea of what the end users are experiencing.
For more information, refer to Citrix Virtual Apps and Desktops – Director documentation.
Summary
Citrix Secure Private Access for on-premises allows zero trust-based access to SaaS and internal web apps. This deployment guide covered the specific steps necessary to publish web apps and set security controls. The end result is an integrated solution with true single sign-on for users to access SaaS and internal web apps the same way as virtual apps.
Deployment Troubleshooting
NetScaler - No Intranet IP available
After a successful login to the Citrix Workspace app, the user does not see applications, and the following message is written in ns.log.
default SSLVPN Message 659106 0 : "Failed to process setclient for id <d8>, user <user> due to <failed to get IIP>"
This is a known issue (CTX461242) and can be solved by setting Use Mapped IP to NS and Use Intranet IP to OFF in your session profile for Citrix Workspace app.
NetScaler CLI:
set vpn sessionAction AC_OS_192.168.0.100 -useMIP NS -useIIP OFF
CEB – PS1001
This error code indicates that the Citrix Workspace app cannot fetch the “policy.json” file from StoreFront.
Review the following sections:
- Policy file location
- StoreFront store web.config
- Step 3 - On-Premises NetScaler Gateway configuration
CEB – PS1003
This error code indicates something is wrong with the “policy.json” file.
Review the section Complete policy.json file example.