Citrix Secure private access - SPA Onprem

[Shahzad Siddique 2]

Hi Folks,

Evaluating Citrix SPA Onprem for publishing intranet Web Url, followed below link

 

https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/secure-private-access-on-premises.html#configuration-process

 

Setup Details:

 

Citrix CVAD 2203 -Cu2

Netscaler - 13.1 build 45

Workspace App: 2303 (Embedded enterprise browser)

 

Configuration Steps followed for building SPA Onprem 

 

1. Created Blank Delivery Group and published Content and associated to blank DeliveryGroup

Add-PsSnapin Citrix*

new-BrokerDesktopGroup -Name "SPA-DG" -DesktopKind 1

$deliveryGroupName = "SPA-DG"
$appURL = "https://dc01.xen.lab/certsrv/"
$appName = "Cert-Portal"
$appIconFilePath = "C:\g2m.ico"
$appDescription = "KEYWORDS:SPAENABLED"
$deliveryGroupUid = (Get-BrokerDesktopGroup -DesktopGroupName $deliveryGroupName).Uid

New-BrokerApplication -ApplicationType PublishedContent -CommandLineExecutable $appURL -Name $appName -DesktopGroup $deliveryGroupUid -Description $appDescription
 Get-BrokerApplication -ApplicationType PublishedContent | Format-Table @{Label="Type"; Expression={$_.ApplicationType}},Name,@{Label="URL"; Expression={$_.CommandLineExecutable}},@{Label="Delivery group"; Expression={(Get-BrokerDesktopGroup -Uid $_.AssociatedDesktopGroupUids[0]).Name}},Description

 

2.  Created Policy.json file on Storefront under below path

mkdir C:\inetpub\wwwroot\Citrix\spa\Resources
mkdir C:\inetpub\wwwroot\Citrix\spa\Resources\SecureBrowser

 

Copied policy.json file to Secure browser directory

 

3. Run PowerShell script with the code mentioned in Above link to change web.config

 

4. Configure Onprem Netscaler gateway for enabling CLientAccess,Web address encoding, enabling secure browse, excluding SF & Citrix FQDNs from clientless access mode (globally)

 

add vpn sessionAction SPA-act -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://ddc01.xen.lab/Citrix/spaWeb" -ClientChoices OFF -ntDomain xen.lab -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://ddc01.xen.lab"

 

add vpn sessionPolicy SPA_SessionPol "aaa.USER.IS_MEMBER_OF(\"rabale-group\")" SPA-act

bind policy patset ns_cvpn_default_bypass_domains citrix.com -index 4
bind policy patset ns_cvpn_default_bypass_domains ddc01.xen.lab -index 5

 

5. Created Authorization policy and bind Web resources to AAA group

add aaa group rabale-group

add authorization policy Allow_StoreFront "HTTP.REQ.HOSTNAME.CONTAINS(\"ddc01.xen.lab\")" ALLOW
add authorization policy Deny_ALL true DENY
add authorization policy Allow_Cert-Portal "HTTP.REQ.HOSTNAME.CONTAINS(\"dc01.xen.lab\")" ALLOW

bind aaa group rabale-group -policy Allow_Cert-Portal -priority 100 -gotoPriorityExpression END
bind aaa group rabale-group -policy Allow_StoreFront -priority 110 -gotoPriorityExpression END
bind aaa group rabale-group -policy Deny_ALL -priority 120 -gotoPriorityExpression END

 

Problem Statement >

Testing SPA resources using WorkspaceApp 2303 version from end-user system. Only able to get see CVAD resources. Published Web content is not visible to users.

 

Thanks in Advance

 

Shahzad Siddique

 

nsrunning (4).conf

 

 

SPA-Onprem Steps.txt

[Jeff Riechers]

Are you seeing the resources in Studio, or from the Web Interface?

 

It sounds like your Storefront might be filtering out those published resources.

[Shahzad Siddique 2]

Hi Jeff,

   There is a catch, we also need to create a broker access rule, post that I can able to see Weblinks published content.

 

Create Broker Accessrule for above delivery group to define user assignment

 

Get-BrokerDesktopGroup |fl name, Uid

 

New-BrokerAccessPolicyRule -Name "SPA-DG_Direct" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections NotViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

 

New-BrokerAccessPolicyRule -Name "SPA-DG_AG" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections ViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

 

 

[Geungha Choi]

On 6/12/2023 at 8:42 PM, Shahzad Siddique 2 said:

Hi Jeff,

   There is a catch, we also need to create a broker access rule, post that I can able to see Weblinks published content.

 

Create Broker Accessrule for above delivery group to define user assignment

 

Get-BrokerDesktopGroup |fl name, Uid

 

New-BrokerAccessPolicyRule -Name "SPA-DG_Direct" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections NotViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

 

New-BrokerAccessPolicyRule -Name "SPA-DG_AG" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections ViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

 

 

Hi Shahzad Siddique,

 

Thank you for your method. 

[quadra_karthikeyankvbmail.com]

Hi guys,

 

Our security team have found the ASP. Net version bug in Citrix SPA cloud.

 

am repotted this to Citrix technical support engineer, after that I have receive the RFE ID from Citrix support team for this Vulnerability.

 

I didn't have any idea, how to check this vulnerability has fix?

 

For More Info: https://security.snyk.io/package/npm/moment