Deployment Guide: Secure Private Access On-Premises v2311+

Audience

This document is intended for architects, network designers, technical professionals, partners, and consultants interested in implementing the Citrix Secure Private Access On-Premises solution. It is also designed for network administrators, Citrix administrators, managed service providers, or anyone looking to deploy this solution.

Solution Overview

Citrix Secure Private Access On-Premises is a customer-managed Zero Trust Network Access (ZTNA) solution that provides VPN-less access to internal web and SaaS applications following the least-privilege principle, with single sign-on (SSO), multifactor authentication, device posture assessment, application-level security controls, and app protection features, along with a seamless end-user experience. The solution uses on-premises StoreFront and Citrix Workspace app to enable a seamless and secure access experience to web and SaaS apps within Citrix Enterprise Browser. It also uses NetScaler Gateway to enforce authentication and authorization controls.

Citrix Secure Private Access On-Premises solution enhances an organization’s overall security and compliance posture by easily delivering Zero Trust access to browser-based (internal web apps and SaaS apps) apps using the StoreFront on-premises portal as a unified access portal to web and SaaS apps, along with virtual apps and desktops, as an integrated part of Citrix Workspace.

Citrix Secure Private Access combines elements of NetScaler Gateway and StoreFront to deliver an integrated experience for end users and administrators.

Functionality                                                                | Service/Component providing the functionality
Consistent UI to access apps                                                 | StoreFront on-premises / Citrix Workspace app
SSO to SaaS and Web apps                                                     | NetScaler Gateway
Multifactor Authentication (MFA) and device posture (aka End-Point Analysis) | NetScaler Gateway
Security controls and App protection controls for web and SaaS apps         | Citrix Enterprise Browser
Authorization policies                                                       | Secure Private Access
Configuration and Management                                                 | Citrix Secure Private Access UI, NetScaler UI
Visibility, Monitoring, and Troubleshooting                                  | Citrix Secure Private Access UI and Citrix Director

Use Cases

Citrix Secure Private Access (SPA) On-Premises solution with Citrix Virtual Apps and Desktops On-Premises provides a unified and secure end-user experience to virtualized and browser-based apps (web apps and SaaS apps) with consistent security.

SPA On-Premises solution is designed to address the following use cases via a customer-managed solution.

Use case #1: Secure access for Employees and Contractors to internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using a VPN.

Use case #2: Provide comprehensive last-mile Zero Trust enforcement with admin-configurable browser security controls for internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using VPN.

Use case #3: Accelerate mergers and acquisitions (M&A) user access across multiple identity providers, ensure consistent security, and provide seamless end-user access across multiple user groups.

System Requirements

This article guides you through deploying Secure Private Access with StoreFront and NetScaler Gateway. Citrix Enterprise Browser (included in Citrix Workspace app) is the client software used to interact with your SaaS or internal web apps securely.
Global App Config Service (GACS) is a requirement for browser management of Citrix Enterprise Browser.

Note: This article does not include guidance on deploying Citrix Virtual Apps and Desktops.

This guide assumes that the reader has a basic understanding of the following Citrix and NetScaler offerings and general Windows administrative experience:

  • Citrix Workspace app
  • StoreFront
  • NetScaler Gateway
  • Global App Configuration service
  • Windows Server
  • SQL Express or Server

Product communication matrix Secure Private Access for on-premises (Secure Private Access plug-in)

Versions:

  • Citrix Workspace app
  • Citrix Virtual Apps and Desktops – Supported LTSR and current versions
  • StoreFront – LTSR 2203 or CR 2212 and above
  • NetScaler Gateway – 13.0 and above
    We recommend using the latest build of NetScaler 13.1 or 14.1 for optimized performance.
  • Windows Server – 2019 and above (.NET 6.x and above runtime must be supported)
  • SQL Express or Server – 2019 and above
Note: Citrix Secure Private Access On-Premises is not supported on Citrix Workspace app for iOS and Android.

Refer to the following documentation for more details as needed:

Technical Overview

Access to internal web apps is possible from any location with any device at any time through NetScaler Gateway with Citrix Enterprise Browser (incl. in Citrix Workspace app) installed. The same applies to SaaS apps, with the difference that the access can be direct or indirect through NetScaler Gateway.

secure-private-access-on-premises-v2311_conceptual-architecture.png

 

Citrix Enterprise Browser and Citrix Workspace app connect to NetScaler Gateway using a TLS-encrypted connection. NetScaler Gateway provides zero trust-based access by assessing the user’s device, strong nFactor user authentication, app authorization, and single sign-on (SSO).
StoreFront enumerates virtual and non-virtual apps through Citrix Desktop Delivery Controller and Secure Private Access (SPA) plug-in.
Citrix Enterprise Browser tunnels internal traffic (for example, https://website.company.local) to NetScaler Gateway to allow access without needing a public-facing DNS entry. SaaS application access can be direct or, for special use cases, indirect through NetScaler Gateway. Citrix Secure Private Access with Citrix Enterprise Browser allows the configuration of additional security controls for web and SaaS apps such as watermarking and copy/paste, upload/download, and print restrictions. These restrictions are dynamically applied on a per-app basis.

Scenarios

Citrix Secure Private Access On-Premises can be deployed in any environment with one or more StoreFront servers and NetScaler Gateways. This section describes a few different scenarios that have been successfully implemented and validated.

  • Scenario 1 – Single server deployment
    Scenario 1 is for testing purposes only and should not be used in production environments because it lacks redundancy.
  • Scenario 2 – Scalable deployment
    Scenario 2 is designed for performance and redundancy. This is a recommended production deployment.
  • Scenario 3 – Geo deployment (Coming Soon)
    Scenario 3 is for large enterprises with geographical data center redundancy.

Scenario 1 - Simple deployment

Scenario 1 is a straightforward deployment that uses the least infrastructure resources. Because it lacks redundancy, this scenario is not recommended for use in production.

Note: We assume that a working Citrix Virtual Apps and Desktops infrastructure is installed and a NetScaler is deployed in a DMZ.

On-premises infrastructure environment

  • Active Directory
  • NetScaler VPX/MPX (Gateway)
  • Combined StoreFront and SPA plug-in server
  • Webserver containing websites
  • Webserver certificate

secure-private-access-on-premises-v2311_scenario1-Architectural.png

Note: This is a simplified architectural overview of scenario 1. For more detailed communication information, please see Secure Private Access for on-premises (Secure Private Access plug-in).

Installation (Scenario 1)

StoreFront

1. Install a web server certificate on the StoreFront and Secure Private Access machine.

2. Download the Citrix Virtual Apps and Desktops ISO file from Citrix Download Center.

3. Run the ISO installer AutoSelect.exe.

4. Select Start from Virtual Apps and Desktops.

secure-private-access-on-premises-v2311_ISO-installer_1.png

5. Because we want a combined StoreFront and SPA plug-in server, we first install Citrix StoreFront.

secure-private-access-on-premises-v2311_ISO-installer_2.png

6. In the Citrix StoreFront installer, accept the license agreement and click Next.

secure-private-access-on-premises-v2311_StoreFront_1.png

7. In the Review prerequisites page, click Next.

secure-private-access-on-premises-v2311_StoreFront_2.png

8. In the Ready to Install page, click Install.

secure-private-access-on-premises-v2311_StoreFront_3.png

9. When the installation is successfully finished, click Finish.

secure-private-access-on-premises-v2311_StoreFront_4.png

10. Click Yes in the reboot dialog to restart the server.

secure-private-access-on-premises-v2311_StoreFront_5.png

Secure Private Access

1. After the reboot, run the ISO installer again.

2. Now that Citrix StoreFront is installed let’s continue installing Secure Private Access.

secure-private-access-on-premises-v2311_ISO-installer_3.png

3. Accept the license agreement in the Secure Private Access installer and click Next.

secure-private-access-on-premises-v2311_SPA_s1_i1.png

4. On the Core Components page, click Next.

secure-private-access-on-premises-v2311_SPA_s1_i2.png

5. On the Additional Components page, select Use SQL Express on the same machine and click Next.

secure-private-access-on-premises-v2311_SPA_s1_i3.png

Note: In a production environment, it is recommended to use a dedicated database server.

6. On the Firewall page, click Next to create local Windows Firewall rules automatically.

secure-private-access-on-premises-v2311_SPA_s1_i4.png

7. On the Summary page, review your installation settings and click Install.

secure-private-access-on-premises-v2311_SPA_s1_i5.png

8. On the Finish Installation page, click Finish.

secure-private-access-on-premises-v2311_SPA_s1_i6.png

Note: The SPA admin console opens automatically in a browser window. Before we start configuring SPA, we need to configure a StoreFront store.

Configuration (Scenario 1)

StoreFront

1. Open the Internet Information Service (IIS) Manager console and verify that the correct web server certificate is assigned.

2. Open the Citrix StoreFront console and create a new deployment.

3. Enter the base URL and click Next.

Note: In a production environment, multiple StoreFront servers are load-balanced for redundancy and scalability. Therefore the base URL will be the FQDN of the load balancer virtual server IP.

4. On the getting started page, click Next.

5. On the store name and access page, enter a store name, for example, Store, and click Next.

6. On the Delivery Controllers page, enter your Citrix Delivery Controller and click Next.

7. On the Remote Access page, enable Remote Access, select No VPN tunnel, add your NetScaler Gateway appliance, and click Next.

8. On the Configure Authentication Methods page, verify that the User name and password and Pass-through from Citrix Gateway are correct, and click Next.

9. On the XenApp Services URL page, click Create.

10. Verify that the store was successfully created on the Summary page and click Finish.

Secure Private Access – Initial configuration wizard

Note: Please create a StoreFront store before running the Secure Private Access initial configuration wizard! It is recommended that you configure Kerberos authentication for the browser that you use for the Secure Private Access admin console. This is because Secure Private Access uses Integrated Windows Authentication (IWA) for its admin authentication. If Kerberos authentication isn’t set, you’re prompted by the browser to enter your credentials when accessing the Secure Private Access admin console. Please refer to our SSO to admin console documentation.

1. From the Start menu, open Citrix Secure Private Access.

2. Click Continue to start the initial configuration wizard on the SPA admin console page.

secure-private-access-on-premises-v2311_SPA_s1_c1.png

3. On the Step 1 page, select Create a new Secure Private Access site and click Next.

secure-private-access-on-premises-v2311_SPA_s1_c2.png

4. On the Step 2 page, enter your SQL server host and Site name and click Test connection.
The resulting database name is a combination of "CitrixAccessSecurity" and the site name.

secure-private-access-on-premises-v2311_SPA_s1_c3.png

5. Select the type of deployment, Automatically or Manually. In this scenario, select Automatically and click Next.

secure-private-access-on-premises-v2311_SPA_s1_c4.png

Note: For more information on a manual database setup, follow the instructions documented at Step 2: Configure databases - Manual configuration.

6. On the Step 3 page, enter the Secure Private Access address, StoreFront Store URL, Public NetScaler Gateway address, the NetScaler Gateway virtual IP address, and callback URL.
When all URLs are successfully verified, click Next.

secure-private-access-on-premises-v2311_SPA_s1_c5.png

7. On the Step 4 page, click Save to start the configuration process.

secure-private-access-on-premises-v2311_SPA_s1_c6.png

Note: Because the SPA plug-in is installed on the StoreFront machine, we do not need to run the StoreFront script manually on the StoreFront server. This is automatically done by the setup routine.

8. After the configuration process is completed, click Close.

secure-private-access-on-premises-v2311_SPA_s1_c7.png

Secure Private Access – App creation

1. In the menu on the left, click Applications.

secure-private-access-on-premises-v2311_SPA_s1_c8.png

2. On the right side, click Add an app

secure-private-access-on-premises-v2311_SPA_s1_c9.png

3. In the Add an app dialog, add the required fields marked with a red star and click Save.

secure-private-access-on-premises-v2311_SPA_s1_c10.png

Note: For details on application parameters, see Configure applications.

4. In the menu on the left, click Access Policies.

secure-private-access-on-premises-v2311_SPA_s1_c11.png

5. On the right side, click Create policy

secure-private-access-on-premises-v2311_SPA_s1_c12.png

6. In the Create policy dialog, add the required fields marked with a red star and click Save.

secure-private-access-on-premises-v2311_SPA_s1_c13.png

Note: For details on application access policies, see Configure access policies for the applications.

NetScaler Gateway

1. Open a new browser tab and navigate to https://www.citrix.com/downloads/citrix-secure-private-access/Shell-Script/Shell-Script-for-Gateway-Configuration.html.

2. When prompted, log on with your Citrix Cloud account.

3. Download the Shell Script for Gateway Configuration file archive and extract it to your local computer.

Note: To create a new NetScaler Gateway configuration, use ns_gateway_secure_access.sh. To update an existing NetScaler Gateway configuration, use ns_gateway_secure_access_update.sh.

4. In this scenario, we have a working NetScaler Gateway configuration and must update it for Secure Private Access on-premises.
Use a tool of your choice to upload the script ns_gateway_secure_access_update.sh to the NetScaler /var/tmp folder.

5. Connect to the NetScaler CLI using an SSH client and log on.

6. Enter shell, press the return key, and change the directory to /var/tmp.

7. Make the script executable using the command:

chmod +x /var/tmp/ns_gateway_secure_access_update.sh

secure-private-access-on-premises-v2311_NSC_s1_1.png

8. Run the script /var/tmp/ns_gateway_secure_access_update.sh.

Note: If you see the error -bash: ./ns_gateway_secure_access_update.sh: /bin/sh^M: bad interpreter: No such file or directory, the script has Windows (CRLF) line endings. Convert it to Unix line endings with the command tr -d '\r' < /var/tmp/ns_gateway_secure_access_update.sh > /var/tmp/ns_gateway_secure_access_update_unix.sh, make the converted script executable with chmod +x /var/tmp/ns_gateway_secure_access_update_unix.sh, then run the converted script and enter the required parameters.

secure-private-access-on-premises-v2311_NSC_s1_2.png

Support for smart access tag

Starting with the following versions, NetScaler Gateway sends the smart access tags automatically. This enhancement removes the required gateway callback from SPA plug-in to NetScaler Gateway.

  • 13.1 - 48.47 and later
  • 14.1 - 4.42 and later

The above script automatically enables the enhancement flags ns_vpn_enable_spa_onprem and ns_vpn_disable_spa_onprem.

To make the changes persistent, run the following commands in the NetScaler shell:

root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem">> /nsconfig/rc.netscaler
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode">> /nsconfig/rc.netscaler

For more details, look at Support for smart access tags
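The echo >> commands above append a line every time they are run, so repeating the persistence step leaves duplicate entries in /nsconfig/rc.netscaler. The following POSIX shell functions are an added example, not from the Citrix guide: ensure_line appends only when an identical line is absent, and persist_spa_flags applies it to the two nsapimgr calls above. The function names are this example's own; the demo writes to a temporary file, and on the appliance you would pass /nsconfig/rc.netscaler instead.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: make the rc.netscaler persistence
# step idempotent. Function names are this example's own.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already there. Prints "added" or "present"; the file is created if missing.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -q -x -F "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# persist_spa_flags RCFILE: record the two nsapimgr calls from the guide in
# RCFILE (on the appliance: /nsconfig/rc.netscaler) exactly once each.
persist_spa_flags() {
    ensure_line "$1" 'nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem'
    ensure_line "$1" 'nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode'
}

# Demo against a temporary file: the second run reports "present" twice and
# the file still holds exactly two lines.
demo=$(mktemp)
persist_spa_flags "$demo"
persist_spa_flags "$demo"
cat "$demo"
rm -f "$demo"
```

The whole-line fixed-string match (grep -x -F) is deliberate: a substring match would treat the two different nsapimgr calls as the same entry, and a regex match would trip over the dots in the script name.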

1. A new NetScaler command script (the default is /var/tmp/ns_gateway_secure_access) is generated.

secure-private-access-on-premises-v2311_NSC_s1_3.png

2. Switch back to the NetScaler CLI using the command exit.

3. Before executing the new NetScaler command script, let us verify the current NetScaler Gateway configuration and update it for Secure Private Access on-premises.

4. On the Gateway virtual server, verify the following:

  • ICA Only is set to false (OFF)
  • TCP Profile is set to nstcp_default_XA_XD_profile
  • Deployment Type is set to ICA_STOREFRONT

secure-private-access-on-premises-v2311_NSC_s1_4.png

5. On the Gateway session action for the Workspace app, verify the following:

  • transparentInterception is set to OFF
  • SSO is set to ON
  • ssoCredential is set to PRIMARY
  • useMIP is set to NS
  • useIIP is set to OFF
  • icaProxy is set to OFF
  • wihome is set to "https://xa04-spa.training.local/Citrix/StoreWeb" - replace with the real store URL
  • ClientChoices is set to OFF
  • ntDomain is set to "training.local" - used for SSO
  • defaultAuthorizationAction is set to ALLOW
  • authorizationGroup is set to SecureAccessGroup (Make sure that this group is created in NetScaler, not Active Directory. It is used to bind Secure Private Access specific authorization policies.)
  • clientlessVpnMode is set to ON
  • clientlessModeUrlEncoding is set to TRANSPARENT
  • SecureBrowse is set to ENABLED
  • storefronturl is set to "https://xa04-spa.training.local" - replace with the StoreFront FQDN
  • sfGatewayAuthType is set to domain

Note: For details on session action parameters, see the Command line reference for vpn-sessionAction.

Based on the above example, the default session action before adding SPA looks like:

add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain

Let’s create the authorization group and a new session action and modify it for Secure Private Access on-premises:

add aaa group SecureAccessGroup
add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain

Switch the session policy for the Workspace app to the new session action:

set vpn sessionPolicy PL_OS_172.16.1.106 -action AC_OS_172.16.1.106_SPAOP
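The session action parameter list above is easy to check by eye on one gateway but error-prone across several. The following POSIX shell helper is an added example, not code from the Citrix guide or from any Citrix tool: it pulls parameter values out of an add vpn sessionAction line (as copied from ns.conf or show ns runningConfig) and compares the SPA-relevant ones with the values required above. The function names and the SPA_REQUIRED table are this example's own; the two sample session actions are the before and after lines shown above.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: verify that a NetScaler
# "add vpn sessionAction" line carries the parameter values that Secure
# Private Access on-premises requires. Function names and the required-value
# list are this example's own.

# ns_param LINE NAME: print the value that follows "-NAME" in a NetScaler
# config line (surrounding quotes removed); print nothing if it is absent.
ns_param() {
    printf '%s\n' "$1" | awk -v p="-$2" '{
        for (i = 1; i < NF; i++)
            if ($i == p) { v = $(i + 1); gsub(/"/, "", v); print v; exit }
    }'
}

# Parameter values the guide lists for the SPA session action. Site-specific
# values (wihome, ntDomain, storefronturl) are only checked for presence.
SPA_REQUIRED='
transparentInterception=OFF
SSO=ON
ssoCredential=PRIMARY
useMIP=NS
useIIP=OFF
icaProxy=OFF
ClientChoices=OFF
defaultAuthorizationAction=ALLOW
authorizationGroup=SecureAccessGroup
clientlessVpnMode=ON
clientlessModeUrlEncoding=TRANSPARENT
SecureBrowse=ENABLED
sfGatewayAuthType=domain
'
SPA_SITE_SPECIFIC='wihome ntDomain storefronturl'

# check_spa_session_action LINE: print one line per problem and return 1 if
# any were found; return 0 silently when the session action is SPA-ready.
check_spa_session_action() {
    rc=0
    for pair in $SPA_REQUIRED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(ns_param "$1" "$name")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$name" "$want" "${got:-(unset)}"
            rc=1
        fi
    done
    for name in $SPA_SITE_SPECIFIC; do
        if [ -z "$(ns_param "$1" "$name")" ]; then
            printf 'MISSING %s: site-specific value must be set\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# count_spa_problems LINE: number of problems reported (0 = SPA-ready).
count_spa_problems() {
    check_spa_session_action "$1" | wc -l | tr -d ' '
}

# The two session actions shown in the guide, used here as sample input.
OLD_ACTION='add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain'
NEW_ACTION='add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain'

echo "Before SPA changes:"
if check_spa_session_action "$OLD_ACTION"; then echo "-> SPA-ready"; else echo "-> not SPA-ready"; fi
echo "After SPA changes:"
if check_spa_session_action "$NEW_ACTION"; then echo "-> SPA-ready"; else echo "-> not SPA-ready"; fi
```

Against the two lines from this guide the checker reports seven problems for the original session action (useMIP, useIIP, authorizationGroup, clientlessModeUrlEncoding and SecureBrowse unset; icaProxy and clientlessVpnMode with the wrong value) and none for the SPA version. Site-specific values are only tested for presence because their correct content differs per deployment.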

1. Run the new NetScaler command script with the batch command:

batch -fileName /var/tmp/ns_gateway_secure_access_update -outfile /var/tmp/ns_gateway_secure_access_update_output.log -ntimes 1

2. Verify in the log file that there are no errors. For example:

shell cat /var/tmp/ns_gateway_secure_access_update_output.log

Note: In this scenario, one error is shown in the log file because StoreFront and the SPA plug-in are installed on the same machine: ERROR: Specified pattern or range is already bound to dataset/patset
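The two notes in this procedure describe failure modes worth scripting: a script uploaded with Windows line endings, and a batch log that must be read for errors while one entry is known to be benign. The functions below are an added example, not from the Citrix guide: has_crlf and to_unix_script handle the line-ending case, and check_batch_log lists every ERROR line that is not on a known-benign list. The function names and the sample log (constructed, not real NetScaler output) are this example's own.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: helpers for two failure modes in
# the NetScaler script steps: an uploaded script with Windows (CRLF) line
# endings, and ERROR lines in the batch output log. Function names are this
# example's own.

# has_crlf FILE: succeed if FILE contains carriage returns.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# to_unix_script IN OUT: write IN to OUT with carriage returns removed and
# mark OUT executable, leaving the uploaded original untouched.
to_unix_script() {
    tr -d '\r' < "$1" > "$2" && chmod +x "$2"
}

# ERROR text the guide says is expected when StoreFront and the SPA plug-in
# share one machine. Add further known-benign messages one per line.
BENIGN_ERRORS='Specified pattern or range is already bound to dataset/patset'

# unexpected_errors LOG: print ERROR lines (with line numbers) that are not
# in BENIGN_ERRORS. Prints nothing for a clean log.
unexpected_errors() {
    grep -n 'ERROR' "$1" | grep -v -F "$BENIGN_ERRORS" || true
}

# check_batch_log LOG: return 0 when no unexpected errors remain; otherwise
# print them and return 1.
check_batch_log() {
    out=$(unexpected_errors "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# write_sample_log PATH: constructed sample batch output (not a real NetScaler
# log) containing one benign and one unexpected error.
write_sample_log() {
    cat > "$1" <<'EOF'
 Done
ERROR: Specified pattern or range is already bound to dataset/patset
 Done
ERROR: Invalid argument [constructed sample error]
 Done
EOF
}

# Demo: the benign entry is filtered out, the constructed one is reported.
sample=$(mktemp)
write_sample_log "$sample"
if check_batch_log "$sample"; then
    echo "batch log clean"
else
    echo "batch log needs attention"
fi
rm -f "$sample"
```

Keeping the benign list explicit is the point: a plain grep for ERROR either fails every run on a combined StoreFront/SPA machine or trains the operator to ignore the log, whereas the filter leaves only entries that still need a decision.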

3. On the StoreFront and SPA plug-in machine, open Citrix Secure Private Access from the Start menu.

4. On the SPA admin console page, click Mark as done in the Configure Gateway section.

secure-private-access-on-premises-v2311_SPA_s1_c14.png

Scenario 2 – Scalable deployment

In Scenario 2, the NetScaler Gateway, StoreFront, SPA plug-in, and SQL server are deployed in Microsoft Azure, whereas all other services are deployed on-premises.

Note: NetScaler Gateway, StoreFront, SPA plug-in, and SQL server can also be deployed in the local data center. This scenario only showcases that deployment in a public cloud is possible too. We assume that a working Citrix Virtual Apps and Desktops infrastructure is installed and a NetScaler is deployed in Azure.

Cloud Infrastructure environment

  • Azure Load Balancer for NetScaler with static public IP
  • 2x NetScaler VPX (Gateway) on Azure
  • 2x StoreFront server
  • 2x SPA plug-in server
  • 1x Database server
  • 2x Active Directory server
  • Webserver containing websites
  • Webserver certificates

secure-private-access-on-premises-v2311_scenario2-Architectural.png

Note: This is a simplified architectural overview of scenario 2. For more detailed communication information, see Secure Private Access for on-premises (Secure Private Access plug-in).

Installation (Scenario 2)

StoreFront

1. On the StoreFront machine, install a web server certificate containing the load balancing FQDN and StoreFront server FQDNs.
For more information about certificates, have a look at StoreFront certificate requirements.

2. Download the Citrix Virtual Apps and Desktops ISO file from Citrix Download Center.

3. Run the ISO installer AutoSelect.exe.

4. Select Start from Virtual Apps and Desktops.

secure-private-access-on-premises-v2311_ISO-installer_1.png

5. Because we want to have a combined StoreFront and SPA plug-in server, we first install Citrix StoreFront.

secure-private-access-on-premises-v2311_ISO-installer_2.png

6. In the Citrix StoreFront installer, accept the license agreement and click Next.

secure-private-access-on-premises-v2311_StoreFront_1.png

7. In the Review prerequisites page, click Next.

secure-private-access-on-premises-v2311_StoreFront_2.png

8. In the Ready to install page, click Install.

secure-private-access-on-premises-v2311_StoreFront_3.png

9. When the installation is successfully finished, click Finish.

secure-private-access-on-premises-v2311_StoreFront_4.png

10. Click Yes in the reboot dialog to restart the server.

secure-private-access-on-premises-v2311_StoreFront_5.png

11. For redundancy, install a second StoreFront server following the same steps.

Secure Private Access

1. On the Secure Private Access machine, install a web server certificate matching the load balancer FQDN name.
The same certificate must be installed on the other SPA plug-in nodes.
If the load balancing protocol used is SSL, the same certificate must be used on the load balancer.

2. Mount the downloaded Citrix Virtual Apps and Desktops ISO file and run the installer AutoSelect.exe.

3. Select Start from Virtual Apps and Desktops.

4. Click Secure Private Access to start the installation.

secure-private-access-on-premises-v2311_ISO-installer_3.png

5. Accept the license agreement in the Secure Private Access installer and click Next.

secure-private-access-on-premises-v2311_SPA_s2_i1.png

6. On the Core Components page, click Next.

secure-private-access-on-premises-v2311_SPA_s2_i2.png

7. On the Additional Components page, deselect Use SQL Express on the same machine and click Next.

secure-private-access-on-premises-v2311_SPA_s2_i3.png

Note: A dedicated database server is recommended for production deployment.

8. On the Firewall page, click Next to automatically create local Windows Firewall rules.

secure-private-access-on-premises-v2311_SPA_s2_i4.png

9. On the Summary page, review your installation settings and click Install.

secure-private-access-on-premises-v2311_SPA_s2_i5.png

10. On the Finish Installation page, click Finish.

secure-private-access-on-premises-v2311_SPA_s2_i6.png

11. For redundancy, install a second SPA plug-in server following the same steps.

Note: The SPA admin console opens automatically in a browser window. Before we start configuring SPA, we need to configure a StoreFront store.

Configuration (Scenario 2)

StoreFront

1. Open the Internet Information Service (IIS) Manager console and verify that the correct web server certificate is assigned.

2. Open the Citrix StoreFront console and create a new deployment.

3. Enter the base URL using the load balancer FQDN and click Next.
For example, https://stf-lb.training.local/.

Note: The load balancing configuration is done later.

4. On the getting started page, click Next.

5. On the store name and access page, enter a store name, for example, StoreLB, and click Next.

6. On the Delivery Controllers page, enter your Citrix Delivery Controller and click Next.

7. On the Remote Access page, enable Remote Access, select No VPN tunnel, add your NetScaler Gateway appliance, and click Next.

8. On the Configure Authentication Methods page, verify that User name and password and Pass-through from Citrix Gateway are correct, and click Next.

9. On the XenApp Services URL page, click Create.

10. On the Summary page, verify that the store was successfully created and click Finish.

11. Open Windows PowerShell to update the StoreFront monitoring service URL and run the following commands:

$ServiceUrl = "https://localhost:443/StorefrontMonitor"
Set-STFServiceMonitor -ServiceUrl $ServiceUrl
Get-STFServiceMonitor

Default StoreFront monitoring service URL

If you want to revert the service URL change, run the above commands again with a changed $ServiceUrl = "http://localhost:8000/StorefrontMonitor".

1. Verify that the Receiver for Web Sites loopback communication is set to On.

Get-STFWebReceiverService -VirtualPath "/Citrix/StoreLBWeb" | Get-STFWebReceiverCommunication | Format-Table Loopback

Loopback
--------
On

2. Join the second StoreFront server in the server group.
Please follow the documented instructions for Join an existing server group.

Secure Private Access – Initial configuration wizard

Note: Please create a StoreFront store before running the Secure Private Access initial configuration wizard!

Information

It is recommended that you configure Kerberos authentication for the browser that you use for the Secure Private Access admin console. This is because Secure Private Access uses Integrated Windows Authentication (IWA) for its admin authentication.
If Kerberos authentication isn’t set, you’re prompted by the browser to enter your credentials when accessing the Secure Private Access admin console. Refer to our SSO to admin console documentation.

1. From the Start menu, open Citrix Secure Private Access.

Important

Within the web browser, verify the web server certificate that protects the SPA admin console. The certificate must be uploaded before the Secure Private Access installation.

2. On the SPA admin console page, click Continue to start the initial configuration wizard.

secure-private-access-on-premises-v2311_SPA_s2_c1.png

3. On the Step 1 page, select Create a new Secure Private Access site and click Next.

secure-private-access-on-premises-v2311_SPA_s2_c2.png

4. On the Step 2 page, enter your SQL server host and Site name and click Test connection.
The resulting database name is a combination of "CitrixAccessSecurity" and the site name.

secure-private-access-on-premises-v2311_SPA_s2_c3.png

5. Select the type of deployment, Automatically or Manually. In this scenario, select Manually and click Download script.

secure-private-access-on-premises-v2311_SPA_s2_c4.png

Note: The displayed error is expected because the database does not exist.

Secure Private Access – manual database setup

1. Open the SQL Server Management Studio and connect to the database engine using a database administrator account.

2. In the SQL Server Management Studio, click File, select Open and select File.

3. In the Open File dialog, search for the downloaded SQL script and click Open.

4. Verify the script content and click Execute. The script creates the database and a login for the Windows server training\xa05-spa.

5. Switch back to the SPA admin console and click Test connection.
The connection is now successful and the server has write permissions to the database.

6. Click Next.

secure-private-access-on-premises-v2311_SPA_s2_c5.png

7. On the Step 3 page, enter the Secure Private Access address, StoreFront Store URL, Public NetScaler Gateway address, the NetScaler Gateway virtual IP address, and callback URL.
When all URLs are successfully verified, click Next.

secure-private-access-on-premises-v2311_SPA_s2_c6.png

8. On the Step 4 page, click Save to start the configuration process.

secure-private-access-on-premises-v2311_SPA_s2_c7.png

Note: Because StoreFront is installed on a different server, the SPA plug-in PowerShell script must manually be executed on the StoreFront server. The StoreFront server group replication mechanism propagates the changes to all members.

9. After the configuration process is completed, click Close.

secure-private-access-on-premises-v2311_SPA_s2_c8.png

10. Join the second SPA plug-in server to the cluster.
In another browser, open the second SPA plug-in admin console and click Continue.

secure-private-access-on-premises-v2311_SPA_s2_c9.png

11. On the Step 1 page, select Join an existing Secure Private Access site and click Next.

secure-private-access-on-premises-v2311_SPA_s2_c10.png

12. On the Step 2 page, enter your SQL server host and Site name, click Test connection, select Manually and click Download script.

secure-private-access-on-premises-v2311_SPA_s2_c11.png

Secure Private Access – manual database setup

1. Open the SQL Server Management Studio and connect to the database engine using a database administrator account.

2. In the SQL Server Management Studio, click File, select Open and select File.

3. In the Open File dialog, search for the downloaded SQL script and click Open.

4. Verify the script content and click Execute. The script verifies that the database exists and creates the login for the Windows server training\xa04-spa.

5. Switch back to the SPA admin console. The server now has write permissions to the database. Click Next.

secure-private-access-on-premises-v2311_SPA_s2_c12.png

6. On the Step 4 page, click Save to start the configuration process.

secure-private-access-on-premises-v2311_SPA_s2_c13.png

7. After the configuration process is completed, click Close.

secure-private-access-on-premises-v2311_SPA_s2_c14.png

8. The SPA plug-in cluster can be managed from any node.

Secure Private Access – App creation

1. In the menu on the left, click Applications.

secure-private-access-on-premises-v2311_SPA_s2_c15.png

2. On the right side, click Add an app

secure-private-access-on-premises-v2311_SPA_s2_c16.png

3. In the Add an app dialog, add the required fields marked with a red star and click Save.

secure-private-access-on-premises-v2311_SPA_s2_c17.png

Note: For details on application parameters, see Configure applications.

4. In the menu on the left, click Access Policies.

secure-private-access-on-premises-v2311_SPA_s2_c18.png

5. On the right side, click Create policy

secure-private-access-on-premises-v2311_SPA_s2_c19.png

6. In the Create policy dialog, add the required fields marked with a red star and click Save.

secure-private-access-on-premises-v2311_SPA_s2_c20.png

Note: For details on application access policies, see Configure access policies for the applications.

Secure Private Access – StoreFront configuration

1. On the Secure Private Access server, open the Start menu and open Citrix Secure Private Access.

2. In the menu on the left, click Settings.

3. Select the Integrations tab.

4. In the StoreFront Store URL section, click Download script.

[Screenshot: secure-private-access-on-premises-v2311_SPA_s2_c21.png]

5. Copy the downloaded file StoreFrontScripts.zip to a StoreFront server and extract the files to any folder.

6. Open a 64-bit PowerShell window with administrator privileges and run the PowerShell script ConfigureStorefront.ps1.
The script modifies the StoreFront store (in this scenario, StoreLB) to support Secure Private Access applications.

NetScaler StoreFront and SPA Plugin Load Balancing

Note: The example below does not use SSL default profiles. If your NetScaler configuration does, add the cipher group directly to the SSL profile and skip the virtual server cipher binding shown here.

The following servers are used:

  • xa04-stf.training.local
  • xa05-stf.training.local
  • xa04-spa.training.local
  • xa05-spa.training.local

IP addresses

  • 172.16.1.107 (StoreFront load balancing VIP)
  • 172.16.1.108 (SPA plug-in load balancing VIP)

Certificates

  • dh5-2048.key (Diffie-Hellman key, group 5, 2048 bit)
  • stf-lb.training.local
  • spa-lb.training.local

Make sure to create the Diffie-Hellman key and replace the server names, IP addresses, and certificates before running the commands in NetScaler CLI.

  1. Connect to NetScaler CLI using an SSH client and run the following commands:
    ## SSL Profile ##
    ## Do not forget to replace the Diffie-Hellman key name ##
    add ssl profile SECURE_ssl_profile_frontend -dhCount 1000 -dh ENABLED -dhFile "/nsconfig/ssl/dh5-2048.key" -eRSA ENABLED -eRSACount 1000 -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED

    ## Monitors ##
    add lb monitor mon-StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -secure YES -storefrontcheckbackendservices YES
    add lb monitor mon-SPA-Plugin HTTP -respCode 200 -httpRequest "GET /secureAccess/health" -LRTM DISABLED -secure YES
    add lb monitor mon-SPA-Admin-console HTTP -respCode 200 -httpRequest "GET /accessSecurity/health" -LRTM DISABLED -secure YES

    ## Server ##
    ## Do not forget to replace server names ##
    add server xa04-stf.training.local xa04-stf.training.local
    add server xa05-stf.training.local xa05-stf.training.local
    add server xa04-spa.training.local xa04-spa.training.local
    add server xa05-spa.training.local xa05-spa.training.local

    ## Services ##
    ## Do not forget to replace service names ##
    add service xa04-stf.training.local_443 xa04-stf.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
    bind service xa04-stf.training.local_443 -monitorName mon-StoreFront

    add service xa05-stf.training.local_443 xa05-stf.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    bind service xa05-stf.training.local_443 -monitorName mon-StoreFront

    add service xa04-spa.training.local_443 xa04-spa.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
    bind service xa04-spa.training.local_443 -monitorName mon-SPA-Plugin

    add service xa05-spa.training.local_443 xa05-spa.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    bind service xa05-spa.training.local_443 -monitorName mon-SPA-Plugin

    add service xa04-spa.training.local_4443 xa04-spa.training.local SSL 4443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
    bind service xa04-spa.training.local_4443 -monitorName mon-SPA-Admin-console

    add service xa05-spa.training.local_4443 xa05-spa.training.local SSL 4443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    bind service xa05-spa.training.local_4443 -monitorName mon-SPA-Admin-console

    ## LB vServer ##
    ## Do not forget to replace vServer names and IP addresses ##
    add lb vserver lbvs-stf-lb.training.local_443 SSL 172.16.1.107 443 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -cookieName STFPersistence -cltTimeout 180
    add lb vserver lbvs-spa-lb.training.local_443 SSL 172.16.1.108 443 -persistenceType NONE -cltTimeout 180
    add lb vserver lbvs-spa-lb.training.local_4443 SSL 172.16.1.108 4443 -persistenceType NONE -cltTimeout 180

    ## Do not forget to replace vServer names and service bindings ##
    bind lb vserver lbvs-stf-lb.training.local_443 xa04-stf.training.local_443
    bind lb vserver lbvs-stf-lb.training.local_443 xa05-stf.training.local_443
    bind lb vserver lbvs-spa-lb.training.local_443 xa04-spa.training.local_443
    bind lb vserver lbvs-spa-lb.training.local_443 xa05-spa.training.local_443
    bind lb vserver lbvs-spa-lb.training.local_4443 xa04-spa.training.local_4443
    bind lb vserver lbvs-spa-lb.training.local_4443 xa05-spa.training.local_4443

    ## Do not forget to replace vServer names ##
    set ssl vserver lbvs-stf-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
    set ssl vserver lbvs-spa-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
    set ssl vserver lbvs-spa-lb.training.local_4443 -sslProfile SECURE_ssl_profile_frontend

    ## Do not forget to replace vServer names ##
    bind ssl vserver lbvs-stf-lb.training.local_443 -cipherName SECURE
    bind ssl vserver lbvs-spa-lb.training.local_443 -cipherName SECURE
    bind ssl vserver lbvs-spa-lb.training.local_4443 -cipherName SECURE

    ## Do not forget to replace vServer names and certificates ##
    bind ssl vserver lbvs-stf-lb.training.local_443 -certkeyName stf-lb.training.local
    bind ssl vserver lbvs-spa-lb.training.local_443 -certkeyName spa-lb.training.local
    bind ssl vserver lbvs-spa-lb.training.local_4443 -certkeyName spa-lb.training.local


NetScaler Gateway

Note: To create a new NetScaler Gateway configuration, use ns_gateway_secure_access.sh. To update an existing NetScaler Gateway configuration, use ns_gateway_secure_access_update.sh.

1. Open a new browser tab and navigate to https://www.citrix.com/downloads/citrix-secure-private-access/Shell-Script/Shell-Script-for-Gateway-Configuration.html.

2. When prompted, log on with your Citrix Cloud account.

3. Download the Shell Script for Gateway Configuration file archive and extract it to your local computer.

4. In this scenario, we have a working NetScaler Gateway configuration and must update it for Secure Private Access on-premises.

5. Use a tool of your choice to upload the script ns_gateway_secure_access_update.sh to the NetScaler /var/tmp folder.

6. Connect to the NetScaler CLI using an SSH client and log on.

7. Enter shell, press the return key, and change the directory to /var/tmp.

8. Change the file permissions using the command
chmod +x /var/tmp/ns_gateway_secure_access_update.sh to make the script executable.

[Screenshot: secure-private-access-on-premises-v2311_NSC_s2_1.png]

9. Run the script /var/tmp/ns_gateway_secure_access_update.sh.

Note: If you see the error -bash: ./ns_gateway_secure_access_update.sh: /bin/sh^M: bad interpreter: No such file or directory, the script has Windows line endings. Run the command tr -d '\r' < /var/tmp/ns_gateway_secure_access_update.sh > /var/tmp/ns_gateway_secure_access_update_unix.sh to convert them to Unix line endings. Change the file permissions using the command chmod +x /var/tmp/ns_gateway_secure_access_update_unix.sh to make the converted script executable. Run the converted script and enter the required parameters.

[Screenshot: secure-private-access-on-premises-v2311_NSC_s2_2.png]


Support for smart access tag

Starting with the following versions, NetScaler Gateway sends the smart access tags automatically. This enhancement removes the required gateway callback from SPA plug-in to NetScaler Gateway.

  • 13.1 - 48.47 and later
  • 14.1 - 4.42 and later

The above script automatically enables the enhancement flags ns_vpn_enable_spa_onprem and ns_vpn_disable_spa_onprem.

To make the changes persistent, run the following commands in the NetScaler shell.
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem">> /nsconfig/rc.netscaler
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode">> /nsconfig/rc.netscaler

For more details, see Support for smart access tags.

1. A new NetScaler command script (the default is /var/tmp/ns_gateway_secure_access) is generated.

[Screenshot: secure-private-access-on-premises-v2311_NSC_s2_3.png]

2. Switch back to the NetScaler CLI using the command exit.

3. Before executing the new NetScaler command script, let us verify the current NetScaler Gateway configuration and update it for Secure Private Access on-premises.

4. On the Gateway virtual server, verify the following:

  • ICA only is set to false (OFF)
  • TCP Profile is set to nstcp_default_XA_XD_profile
  • Deployment Type is set to ICA_STOREFRONT

[Screenshot: secure-private-access-on-premises-v2311_NSC_s2_4.png]

On the Gateway session action for the Workspace app, verify the following:

  • transparentInterception is set to OFF
  • SSO is set to ON
  • ssoCredential is set to PRIMARY
  • useMIP is set to NS
  • useIIP is set to OFF
  • icaProxy is set to OFF
  • wihome is set to "https://stf-lb.training.local/Citrix/StoreLBWeb" - replace with the real store URL
  • ClientChoices is set to OFF
  • ntDomain is set to "training.local" - used for SSO
  • defaultAuthorizationAction is set to ALLOW
  • authorizationGroup is set to SecureAccessGroup (Make sure that this group is created in NetScaler, not Active Directory. It is used to bind the Secure Private Access specific authorization policies)
  • clientlessVpnMode is set to ON
  • clientlessModeUrlEncoding is set to TRANSPARENT
  • SecureBrowse is set to ENABLED
  • storefronturl is set to "https://stf-lb.training.local" - replace with the StoreFront FQDN
  • sfGatewayAuthType is set to domain
Note: For details on session action parameters, see the Command line reference for vpn-sessionAction.

Based on the above example, the default session action before adding SPA looks like:
add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain

Let’s create the authorization group and a new session action and modify it for Secure Private Access on-premises:
add aaa group SecureAccessGroup
add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain

Switch the session policy for the Workspace app to the new session action:
set vpn sessionPolicy PL_OS_172.16.1.106 -action AC_OS_172.16.1.106_SPAOP
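Updating an existing session action by hand makes it easy to miss one checklist item, and a single wrong parameter (for example icaProxy left ON) breaks the SPA flow silently. The following Python script is an added example, not part of the Citrix guide, that parses an add vpn sessionAction line as it appears in the NetScaler running configuration and reports every parameter that is missing or differs from the SPA on-premises values listed above; the checklist dictionary and the sample session action are taken from this guide, the script itself is illustrative.

```python
import shlex

# Session action settings required for SPA on-premises, as listed in the checklist above.
SPA_REQUIRED = {
    "transparentInterception": "OFF", "SSO": "ON", "ssoCredential": "PRIMARY",
    "useMIP": "NS", "useIIP": "OFF", "icaProxy": "OFF", "ClientChoices": "OFF",
    "defaultAuthorizationAction": "ALLOW", "authorizationGroup": "SecureAccessGroup",
    "clientlessVpnMode": "ON", "clientlessModeUrlEncoding": "TRANSPARENT",
    "SecureBrowse": "ENABLED", "sfGatewayAuthType": "domain",
}
# Parameters that must be set, but whose value is specific to the deployment.
SPA_REQUIRED_PRESENT = ("wihome", "ntDomain", "storefronturl")

# The pre-SPA session action from this guide, used as sample input.
BEFORE = ('add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW '
          '-SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" '
          '-ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF '
          '-storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain')

def parse_session_action(cmd):
    """Split 'add vpn sessionAction <name> -key value ...' into (name, {key: value})."""
    tokens = shlex.split(cmd)
    if tokens[:3] != ["add", "vpn", "sessionAction"]:
        raise ValueError("not an 'add vpn sessionAction' command")
    name, params, i = tokens[3], {}, 4
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        # The CLI accepts parameter names case-insensitively, so normalise the key.
        key = tokens[i][1:].lower()
        # A flag followed directly by another flag (or by nothing) carries no value.
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        params[key] = tokens[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return name, params

def audit_session_action(cmd):
    """Return one finding per checklist item the action misses; [] means it complies."""
    name, params = parse_session_action(cmd)
    findings = []
    for key, want in SPA_REQUIRED.items():
        have = params.get(key.lower())
        if have is None:
            findings.append(f"{name}: -{key} missing (want {want})")
        elif have.lower() != want.lower():
            findings.append(f"{name}: -{key} is {have}, want {want}")
    for key in SPA_REQUIRED_PRESENT:
        if key.lower() not in params:
            findings.append(f"{name}: -{key} missing")
    return findings
```

Running audit_session_action(BEFORE) lists the seven deviations of the original action; running it against the AC_OS_172.16.1.106_SPAOP action above returns an empty list.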

5. Run the new NetScaler command script with the batch command. For example:
batch -fileName /var/tmp/ns_gateway_secure_access_update -outfile /var/tmp/ns_gateway_secure_access_update_output.log -ntimes 1

6. Verify in the log file that there are no errors. For example:
shell cat /var/tmp/ns_gateway_secure_access_update_output.log

Note: In this scenario, one error is shown in the log file because StoreFront and the SPA plug-in are installed on the same machine: ERROR: Specified pattern or range is already bound to dataset/patset

7. On the StoreFront and SPA plug-in machine, open Citrix Secure Private Access from the Start menu.

8. On the SPA admin console page, click Mark as done in the Configure Gateway section.

[Screenshot: secure-private-access-on-premises-v2311_SPA_s2_c22.png]

Scenario 3 – Geo deployment (Coming Soon)

Testing any scenario

1. Open the Citrix Workspace app and create a new account.
In our scenarios, the URL https://citrix.training.com was used.

[Screenshot: secure-private-access-on-premises-v2311_test_1.png]

2. Log on to NetScaler Gateway.

[Screenshot: secure-private-access-on-premises-v2311_test_2.png]

3. Secure Private Access apps along with Citrix Virtual Apps and Desktops are displayed.
In this scenario, no CVAD app is marked as a favorite. Thus, they are only displayed under APPS.

[Screenshot: secure-private-access-on-premises-v2311_test_3.png]

4. Launch the web app Extranet.

[Screenshot: secure-private-access-on-premises-v2311_test_4.png]

Note: All security controls are enabled on this application:
  • Restrict clipboard access
  • Restrict printing
  • Restrict downloads
  • Restrict uploads
  • Display Watermark
  • Restrict key logging
  • Restrict screen capture

The above screenshot shows "Display Watermark".
The screenshot below shows "Restrict screen capture".

[Screenshot: secure-private-access-on-premises-v2311_test_5.png]

Summary

Citrix Secure Private Access for on-premises allows zero trust-based access to SaaS and internal web apps. This deployment guide covered publishing web apps and setting security controls. The result is an integrated solution with single sign-on that lets users access SaaS and internal web apps in the same way as virtual apps.

