Audience
This document is intended for architects, network designers, technical professionals, partners, and consultants interested in implementing the Citrix Secure Private Access On-Premises solution. It is also designed for network administrators, Citrix administrators, managed service providers, or anyone looking to deploy this solution.
Solution Overview
Citrix Secure Private Access On-Premises is a customer-managed Zero Trust Network Access (ZTNA) solution that provides VPN-less access to internal web and SaaS applications following the least-privilege principle, with single sign-on (SSO), multifactor authentication, device posture assessment, application-level security controls and app protection features, along with a seamless end-user experience. The solution uses StoreFront on-premises and Citrix Workspace app to enable a seamless and secure access experience to web and SaaS apps within Citrix Enterprise Browser. It also uses NetScaler Gateway to enforce authentication and authorization controls.
Citrix Secure Private Access On-Premises enhances an organization’s overall security and compliance posture by delivering Zero Trust access to browser-based apps (internal web apps and SaaS apps) through the StoreFront on-premises portal, a unified access portal for web and SaaS apps alongside virtual apps and desktops, as an integrated part of Citrix Workspace.
Citrix Secure Private Access combines NetScaler Gateway and StoreFront elements to deliver an integrated experience for end users and administrators.
Functionality | Service/Component providing the functionality
Consistent UI to access apps | StoreFront on-premises/Citrix Workspace app
SSO to SaaS and Web apps | NetScaler Gateway
Multifactor Authentication (MFA) and device posture (aka End-Point Analysis) | NetScaler Gateway
Security controls and App protection controls for web and SaaS apps | Citrix Enterprise Browser
Authorization policies | Secure Private Access
Configuration and Management | Citrix Secure Private Access UI, NetScaler UI
Visibility, Monitoring, and Troubleshooting | Citrix Secure Private Access UI and Citrix Director
Use Cases
Citrix Secure Private Access (SPA) On-Premises solution with Citrix Virtual Apps and Desktops On-Premises provides a unified and secure end-user experience to virtualized and browser-based apps (web apps and SaaS apps) with consistent security.
SPA On-Premises solution is designed to address the following use cases via a customer-managed solution.
Use case #1: Secure access for Employees and Contractors to internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using a VPN.
Use case #2: Provide comprehensive last-mile Zero Trust enforcement with admin-configurable browser security controls for internal web and SaaS apps from managed or unmanaged devices without publishing a browser or using a VPN.
Use case #3: Accelerate Mergers and Acquisitions (M&A) user access across multiple identity providers, ensure consistent security, and provide seamless end-user access across multiple user groups.
System Requirements
This article guides you through deploying Secure Private Access with StoreFront and NetScaler Gateway. Citrix Enterprise Browser (included in the Citrix Workspace app) is the client software used to interact securely with your SaaS or internal web apps.
Global App Config Service (GACS) is a requirement for browser management of Citrix Enterprise Browser.
Note:
This article does not include guidance on deploying Citrix Virtual Apps and Desktops.
This guide assumes that the reader has a basic understanding of the following Citrix and NetScaler offerings and general Windows administrative experience:
- Citrix Workspace app
- Citrix Secure Access client
- StoreFront
- NetScaler Gateway
- Global App Configuration service
- Windows Server
- SQL Express or Server
Product communication matrix Secure Private Access for on-premises (Secure Private Access plug-in)
Versions:
- Citrix Secure Access client (support for TCP/UDP apps)
  - Windows – 24.6.1.17 and later
  - macOS – 24.06.2 and later
- StoreFront – LTSR 2203 or CR 2212 and later
- Director 2402 or later
- NetScaler Gateway – 13.0 and above
  We recommend using the latest build of NetScaler 13.1 or 14.1 for optimized performance.
  - NetScaler Gateway – 14.1–25.56 and later is required for TCP/UDP app support
- Windows Server – 2019 and above (.NET 6.x and above runtime must be supported)
- SQL Express or Server – 2019 and above
Note:
Citrix Secure Private Access On-Premises is not supported on Citrix Workspace app for iOS and Android.
Refer to the following documentation for more details as needed:
- Citrix Workspace app
- StoreFront
- NetScaler Gateway
- Global App Configuration service (GACS)
Technical Overview
Access to internal web apps is possible from any location, on any device, at any time through NetScaler Gateway with Citrix Enterprise Browser (included in Citrix Workspace app) installed. The same applies to SaaS apps, with the difference that the access can be direct or indirect through NetScaler Gateway.
Citrix Enterprise Browser and Citrix Workspace app connect to NetScaler Gateway using a TLS-encrypted connection. NetScaler Gateway provides zero trust-based access by assessing the user’s device, strong nFactor user authentication, app authorization, and single sign-on (SSO).
StoreFront enumerates virtual and non-virtual apps through the Citrix Desktop Delivery Controller and the Secure Private Access (SPA) plug-in. Citrix Enterprise Browser tunnels internal traffic (for example, https://website.company.local) to NetScaler Gateway to allow access without needing a public-facing DNS entry. SaaS application access can be direct or, for special use cases, indirect through NetScaler Gateway. Citrix Secure Private Access with Citrix Enterprise Browser allows the configuration of additional security controls for web and SaaS apps such as watermarking and copy/paste, upload/download, and print restrictions. These restrictions are dynamically applied on a per-app basis.
Scenarios
Citrix Secure Private Access On-Premises can be deployed in any environment with one or more StoreFront servers and NetScaler Gateways. This section describes a few different scenarios that have been successfully implemented and validated.
- Scenario 1 – Single server deployment
  Scenario 1 is for testing purposes only and should not be considered for production environments because it lacks redundancy.
- Scenario 2 – Scalable deployment
  Scenario 2 is designed for performance and redundancy. This is a recommended production deployment.
- Scenario 3 – Geo deployment (Coming Soon)
  Scenario 3 is for large enterprises with geographical data center redundancy.
Scenario 1 - Simple deployment
Scenario 1 is a straightforward deployment that uses the least infrastructure resources. Because it lacks redundancy, this scenario is not recommended for use in production.
Note:
We assume that a working Citrix Virtual Apps and Desktops infrastructure is installed and a NetScaler is deployed in a DMZ.
On-premises infrastructure environment
- Active Directory
- NetScaler VPX/MPX (Gateway)
- Combined StoreFront and SPA plug-in server
- Webserver containing websites
- Webserver certificate
Note:
This is a simplified architectural overview of scenario 1. For more detailed information on communication, please see Secure Private Access for on-premises (Secure Private Access plug-in).
Installation (Scenario 1)
StoreFront
1. Install a web server certificate on the StoreFront and Secure Private Access machine.
2. Download the Citrix Virtual Apps and Desktops ISO file from Citrix Download Center.
3. Run the ISO installer AutoSelect.exe.
4. Select Start from Virtual Apps and Desktops.
5. Because we want a combined StoreFront and SPA plug-in server, we first install Citrix StoreFront.
6. In the Citrix StoreFront installer, accept the license agreement and click Next.
7. In the Review prerequisites page, click Next.
8. In the Ready to Install page, click Install.
9. When the installation is successfully finished, click Finish.
10. Click Yes in the reboot dialog to restart the server.
Secure Private Access
1. After the reboot, run the ISO installer again.
2. Now that Citrix StoreFront is installed, let’s continue by installing Secure Private Access.
3. Accept the license agreement in the Secure Private Access installer and click Next.
4. On the Core Components page, click Next.
5. On the Additional Components page, select Use SQL Express on the same machine and click Next.
Note:
In a production environment, it is recommended to use a dedicated database server.
6. On the Firewall page, click Next to create local Windows Firewall rules automatically.
7. On the Summary page, review your installation settings and click Install.
8. On the Finish Installation page, click Finish.
Note:
The SPA admin console opens automatically in a browser window. Before we start configuring SPA, we need to configure a StoreFront store.
Configuration (Scenario 1)
StoreFront
1. Open the Internet Information Services (IIS) Manager console and verify that the correct web server certificate is assigned.
2. Open the Citrix StoreFront console and create a new deployment.
3. Enter the base URL and click Next.
Note:
Multiple StoreFront servers are load-balanced in a production environment for redundancy and scalability. Therefore, the base URL will be the FQDN of the load balancer virtual server IP.
4. On the getting started page, click Next.
5. On the store name and access page, enter a store name, for example, Store, and click Next.
6. On the Delivery Controllers page, enter your Citrix Delivery Controller and click Next.
7. On the Remote Access page, enable Remote Access, select No VPN tunnel, add your NetScaler Gateway appliance, and click Next.
8. On the Configure Authentication Methods page, verify that the User name and password and Pass-through from Citrix Gateway are correct, and click Next.
9. On the XenApp Services URL page, click Create.
10. Verify that the store was successfully created on the Summary page and click Finish.
Secure Private Access – Initial configuration wizard
Note:
Please create a StoreFront store before running the Secure Private Access initial configuration wizard! Configuring Kerberos authentication for the browser you use for the Secure Private Access admin console is recommended. Secure Private Access uses Integrated Windows Authentication (IWA) for admin authentication. If Kerberos authentication isn’t set, the browser will prompt you to enter your credentials when accessing the Secure Private Access admin console. Please refer to our SSO to admin console documentation.
1. From the Start menu, open Citrix Secure Private Access.
2. Click Continue to start the initial configuration wizard on the SPA admin console page.
3. On the Step 1 page, select Create a new Secure Private Access site and click Next.
4. On the Step 2 page, enter your SQL server host and Site name and click Test connection.
The resulting database name is a combination of "CitrixAccessSecurity".
5. Select the type of deployment, Automatically or Manually. In this scenario, select Automatically and click Next.
Note:
For more information on a manual database setup, follow the instructions documented at Step 2: Configure databases - Manual configuration.
6. On the Step 3 page, enter the Secure Private Access address, StoreFront Store URL, Public NetScaler Gateway address, the NetScaler Gateway virtual IP address, and callback URL.
When all URLs are successfully verified, click Next.
7. On the Step 4 page, click Save to start the configuration process.
Note:
Because the SPA plug-in is installed on the StoreFront machine, we do not need to run the StoreFront script manually on the StoreFront server. The setup routine automatically does this.
8. After the configuration process is completed, click Close.
Secure Private Access – App creation
1. In the menu on the left, click Applications.
2. On the right side, click Add an app.
3. In the Add an app dialog, add the required fields marked with a red star and click Save.
Note:
For details on application parameters, see Configure applications.
4. In the menu on the left, click Access Policies.
5. On the right side, click Create policy.
6. In the Create policy dialog, add the required fields marked with a red star and click Save.
Note:
For details on application access policies, see Configure access policies for the applications.
NetScaler Gateway
The NetScaler Gateway scripts used with Citrix Secure Private Access are reviewed and updated frequently. For the latest scripts and processes to create or update the NetScaler Gateway configuration, please follow the instructions on the NetScaler gateway configuration for Web/SaaS applications product documentation site.
Support for smart access tag
NetScaler Gateway sends the smart access tags automatically starting with the following versions. This enhancement removes the required gateway callback from the SPA plug-in and adds it to NetScaler Gateway.
- 13.1 - 48.47 and later
- 14.1 - 4.42 and later
The NetScaler Gateway script from the product documentation site automatically enables the enhancement flags ns_vpn_enable_spa_onprem and ns_vpn_disable_spa_onprem.
To make the changes persistent, run the following commands in the NetScaler shell.
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem">> /nsconfig/rc.netscaler
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode">> /nsconfig/rc.netscaler
1. A new NetScaler command script (the default is /var/tmp/ns_gateway_secure_access) is generated.
2. Switch back to the NetScaler CLI using the command exit.
3. Before executing the new NetScaler command script, let us verify the current NetScaler Gateway configuration and update it for Secure Private Access on-premises.
4. On the Gateway virtual server, verify the following:
   - ICA only is set to false (OFF)
   - TCP Profile is set to nstcp_default_XA_XD_profile
   - Deployment Type is set to ICA_STOREFRONT
5. On the Gateway session action for the Workspace app, verify the following:
   - transparentInterception is set to OFF
   - SSO is set to ON
   - ssoCredential is set to PRIMARY
   - useMIP is set to NS
   - useIIP is set to OFF
   - icaProxy is set to OFF
   - wihome is set to "https://xa04-spa.training.local/Citrix/StoreWeb" (replace with the real store URL)
   - ClientChoices is set to OFF
   - ntDomain is set to "training.local" (used for SSO)
   - defaultAuthorizationAction is set to ALLOW
   - authorizationGroup is set to SecureAccessGroup (make sure that this group is created in NetScaler, not in Active Directory; it is used to bind the Secure Private Access specific authorization policies)
   - clientlessVpnMode is set to ON
   - clientlessModeUrlEncoding is set to TRANSPARENT
   - SecureBrowse is set to ENABLED
   - Storefronturl is set to "https://xa04-spa.training.local" (replace with the StoreFront FQDN)
   - sfGatewayAuthType is set to domain
Note:
For details on session action parameters, see the Command line reference for vpn-sessionAction.
Based on the above example, the default session action before adding SPA looks like:
add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain
Let’s create the authorization group and a new session action and modify it for Secure Private Access on-premises:
add aaa group SecureAccessGroup
add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain
Switch the session policy for the Workspace app to the new session action:
set vpn sessionPolicy PL_OS_172.16.1.106 -action AC_OS_172.16.1.106_SPAOP
1. Run the new NetScaler commands script with the batch command.
batch -fileName /var/tmp/ns_gateway_secure_access_update -outfile /var/tmp/ns_gateway_secure_access_update_output.log -ntimes 1
2. Verify in the log file that there is no error. For example:
shell cat /var/tmp/ns_gateway_secure_access_update_output.log
Note:
In this scenario, one error is shown in the log file because StoreFront and the SPA plug-in are installed on the same machine: ERROR: Specified pattern or range is already bound to dataset/patset
3. On the StoreFront and SPA plug-in machine, open Citrix Secure Private Access from the Start menu.
4. On the SPA admin console page, click Mark as done in the Configure Gateway section.
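The session action checklist above is easy to get wrong by hand, so here is a configuration check written for this guide as an added example (not Citrix or NetScaler code). It parses an `add vpn sessionAction` command as it appears in ns.conf or in the commands above, reports every parameter that deviates from the Secure Private Access on-premises values, and uses the two session actions from this page as input; it also generalizes to scanning a whole ns.conf text, so the same check applies to the identical verification step in Scenario 2.

```python
"""Check NetScaler 'add vpn sessionAction' commands against the Secure Private Access
on-premises settings documented on this page. Added example for this guide, not
Citrix or NetScaler code; the checklist below is the page's own list of values."""
import shlex

# Session action parameters and the values this guide requires for SPA on-premises.
EXPECTED = {
    "transparentInterception": "OFF",
    "SSO": "ON",
    "ssoCredential": "PRIMARY",
    "useMIP": "NS",
    "useIIP": "OFF",
    "icaProxy": "OFF",
    "ClientChoices": "OFF",
    "defaultAuthorizationAction": "ALLOW",
    "clientlessVpnMode": "ON",
    "clientlessModeUrlEncoding": "TRANSPARENT",
    "SecureBrowse": "ENABLED",
    "sfGatewayAuthType": "domain",
}
# Site-specific parameters: only their presence is checked, not their value.
REQUIRED_PRESENT = ("authorizationGroup", "wihome", "ntDomain", "storefronturl")

# The two session actions from this page: the default one before SPA and the SPA one.
BEFORE_SPA = (
    'add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF '
    '-defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON '
    '-wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF '
    '-ntDomain training.local -clientlessVpnMode OFF '
    '-storefronturl "https://xa04-spa.training.local" -sfGatewayAuthType domain'
)
AFTER_SPA = (
    'add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF '
    '-defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON '
    '-ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF '
    '-wihome "https://xa04-spa.training.local/Citrix/StoreWeb" -ClientChoices OFF '
    '-ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT '
    '-SecureBrowse ENABLED -storefronturl "https://xa04-spa.training.local" '
    '-sfGatewayAuthType domain'
)


def parse_session_action(command):
    """Split 'add vpn sessionAction NAME -param value ...' into (name, {param: value}).
    Keys are lower-cased because the NetScaler CLI accepts parameter names in any case;
    a parameter given without a value (none in this checklist) is stored as ""."""
    tokens = shlex.split(command)
    if [t.lower() for t in tokens[:3]] != ["add", "vpn", "sessionaction"] or len(tokens) < 4:
        raise ValueError("not an 'add vpn sessionAction' command")
    name, params, i = tokens[3], {}, 4
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        key = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            params[key] = tokens[i + 1]
            i += 2
        else:
            params[key] = ""
            i += 1
    return name, params


def check_session_action(command):
    """Return the list of deviations from the checklist; an empty list means compliant."""
    _, params = parse_session_action(command)
    deviations = []
    for key, want in EXPECTED.items():
        got = params.get(key.lower())
        if got is None:
            deviations.append(f"{key}: missing (expected {want})")
        elif got.upper() != want.upper():
            deviations.append(f"{key}: {got} (expected {want})")
    for key in REQUIRED_PRESENT:
        if not params.get(key.lower()):
            deviations.append(f"{key}: missing (site-specific value required)")
    return deviations


def check_ns_conf(text):
    """Run the check over every session action in ns.conf-style text: {name: deviations}."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("add vpn sessionaction "):
            name, _ = parse_session_action(line)
            results[name] = check_session_action(line)
    return results


if __name__ == "__main__":
    # Scan both page examples as if they were two lines of ns.conf.
    for name, deviations in check_ns_conf(BEFORE_SPA + "\n" + AFTER_SPA).items():
        print(name, "OK" if not deviations else "")
        for deviation in deviations:
            print("   ", deviation)
```

Run it against `show ns runningConfig | grep "add vpn sessionAction"` output before and after the Gateway update; the pre-SPA action reports seven deviations, the SPA action none.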
Scenario 2 – Scalable deployment
In Scenario 2, the NetScaler Gateway, StoreFront, SPA plug-in, and SQL server are deployed in Microsoft Azure, whereas all other services are deployed on-premises.
Note:
NetScaler Gateway, StoreFront, SPA plug-in, and SQL server can also be deployed in the local data center. This scenario is only meant to show that deploying in a public cloud is possible too. We assume that a working Citrix Virtual Apps and Desktops infrastructure is installed and a NetScaler is deployed in Azure.
Cloud Infrastructure environment
- Azure Load Balancer for NetScaler with static public IP
- 2x NetScaler VPX (Gateway) on Azure
- 2x StoreFront server
- 2x SPA plug-in server
- 1x Database server
- 2x Active Directory server
- Webserver containing websites
- Webserver certificates
Note:
This is a simplified architectural overview of scenario 2. For more detailed communication information, see Secure Private Access for on-premises (Secure Private Access plug-in).
Installation (Scenario 2)
StoreFront
1. On the StoreFront machine, install a web server certificate containing the load balancing FQDN and StoreFront server FQDNs.
For more information about certificates, have a look at StoreFront certificate requirements.
2. Download the Citrix Virtual Apps and Desktops ISO file from Citrix Download Center.
3. Run the ISO installer AutoSelect.exe.
4. Select Start from Virtual Apps and Desktops.
5. Because we want to have separate StoreFront and SPA plug-in servers, we first install Citrix StoreFront.
6. In the Citrix StoreFront installer, accept the license agreement and click Next.
7. In the Review prerequisites page, click Next.
8. In the Ready to install page, click Install.
9. When the installation is successfully finished, click Finish.
10. Click Yes in the reboot dialog to restart the server.
11. For redundancy, install a second StoreFront server following the same steps.
Secure Private Access
1. Install a web server certificate matching the load balancer FQDN name on the Secure Private Access machine. The same certificate must be installed on the other SPA plug-in nodes.
If the load balancing protocol used is SSL, the same certificate must be used on the load balancer.
2. Mount the downloaded Citrix Virtual Apps and Desktops ISO file and run the installer AutoSelect.exe.
3. Select Start from Virtual Apps and Desktops.
4. Click Secure Private Access to start the installation.
5. Accept the license agreement in the Secure Private Access installer and click Next.
6. On the Core Components page, click Next.
7. On the Additional Components page, deselect Use SQL Express on the same machine and click Next.
Note:
A dedicated database server is recommended for production deployment.
8. On the Firewall page, click Next to automatically create local Windows Firewall rules.
9. On the Summary page, review your installation settings and click Install.
10. On the Finish Installation page, click Finish.
11. For redundancy, install a second SPA plug-in server following the same steps.
Note:
The SPA admin console opens automatically in a browser window. Before we start configuring SPA, we need to configure a StoreFront store.
Configuration (Scenario 2)
StoreFront
1. Open the Internet Information Services (IIS) Manager console and verify that the correct web server certificate is assigned.
2. Open the Citrix StoreFront console and create a new deployment.
3. Enter the base URL using the load balancer FQDN and click Next.
For example, https://stf-lb.training.local/.
Note:
The load balancing configuration is completed later.
4. On the getting started page, click Next.
5. On the store name and access page, enter a store name, for example, StoreLB, and click Next.
6. On the Delivery Controllers page, enter your Citrix Delivery Controller and click Next.
7. On the Remote Access page, enable Remote Access, select No VPN tunnel, add your NetScaler Gateway appliance, and Next.
8. On the Configure Authentication Methods page, verify that User name and password and Pass-through from Citrix Gateway are correct, and click Next.
9. On the XenApp Services URL page, click Create.
10. On the Summary page, verify that the store was successfully created and click Finish.
11. Open Windows PowerShell to update the StoreFront monitoring service URL and run the following commands:
$ServiceUrl = "https://localhost:443/StorefrontMonitor"
Set-STFServiceMonitor -ServiceUrl $ServiceUrl
Get-STFServiceMonitor
Default StoreFront monitoring service URL
If you want to revert the service URL change, run the above commands again with a changed $ServiceUrl = "http://localhost:8000/StorefrontMonitor".
12. Verify that the Receiver for Web Sites loopback communication is set to On.
Get-STFWebReceiverService -VirtualPath "/Citrix/StoreLBWeb" | Get-STFWebReceiverCommunication | Format-Table Loopback
Loopback
--------
On
13. Join the second StoreFront server in the server group.
Please follow the documented instructions for Join an existing server group.
Secure Private Access – Initial configuration wizard
Important:
Please create a StoreFront store before running the Secure Private Access initial configuration wizard.
Information
It is recommended that you configure Kerberos authentication for the browser you use for the Secure Private Access admin console. Secure Private Access uses Integrated Windows Authentication (IWA) for its admin authentication.
If Kerberos authentication isn’t set, the browser prompts you to enter your credentials when accessing the Secure Private Access admin console. For more information, refer to our SSO to admin console documentation.
1. From the Start menu, open Citrix Secure Private Access.
Important:
Verify the web server certificate protecting the SPA admin console within the web browser. The certificate must be uploaded before the Secure Private Access installation.
2. Click Continue to start the initial configuration wizard on the SPA admin console page.
3. On the Step 1 page, select Create a new Secure Private Access site and click Next.
4. On the Step 2 page, enter your SQL server host and Site name and click Test connection.
The resulting database name is a combination of "CitrixAccessSecurity".
5. Select the type of deployment, Automatically or Manually. In this scenario, select Manually and click Download script.
Note:
The displayed error is expected because the database does not exist.
Secure Private Access – manual database setup
1. Open the SQL Server Management Studio and connect to the database engine using a database administrator account.
2. In the SQL Server Management Studio, click File, select Open and select File.
3. In the Open File dialog, search for the downloaded SQL script and click Open.
4. Verify the script content and click Execute. The script creates the database and a login for the Windows server training\xa05-spa.
5. Switch back to the SPA admin console and click Test connection.
The connection is now successful and the server has write permissions to the database.
6. Click Next.
7. On the Step 3 page, enter the Secure Private Access address, StoreFront Store URL, Public NetScaler Gateway address, the NetScaler Gateway virtual IP address, and callback URL.
When all URLs are successfully verified, click Next.
8. On the Step 4 page, click Save to start the configuration process.
Note:
Because StoreFront is installed on a different server, the SPA plug-in PowerShell script must be run manually on the StoreFront server. The StoreFront server group replication mechanism propagates the changes to all members.
9. After the configuration process is completed, click Close.
10. Join the second SPA plug-in server to the cluster. Open another browser and open the second SPA plug-in admin console and click Continue.
11. On the Step 1 page, select Join an existing Secure Private Access site and click Next.
12. On the Step 2 page, enter your SQL server host and Site name, click Test connection, select Manually and click Download script.
Secure Private Access – manual database setup
1. Open the SQL Server Management Studio and connect to the database engine using a database administrator account.
2. In the SQL Server Management Studio, click File, select Open and select File.
3. In the Open File dialog, search for the downloaded SQL script and click Open.
4. Verify the script content and click Execute. The script verifies that the database exists and creates the login for the Windows server training\xa04-spa.
5. Switch back to the SPA admin console and click Next.
6. The server now has write permissions to the database. Click Next.
7. On the Step 4 page, click Save to start the configuration process.
8. After the configuration process is completed, click Close.
9. The SPA plug-in cluster can be managed from any node.
Secure Private Access – App creation
1. In the menu on the left, click Applications.
2. On the right side, click Add an app
3. In the Add an app dialog, add the required fields marked with a red star and click Save.
Note:
For details on application parameters, see Configure applications.
4. In the menu on the left, click Access Policies.
5. On the right side, click Create policy
6. In the Create policy dialog, add the required fields marked with a red star and click Save.
Note:
For details on application access policies, see Configure access policies for the applications.
Secure Private Access – StoreFront configuration
1. On the Secure Private Access server, open the Start menu and open Citrix Secure Private Access.
2. In the menu on the left, click Settings.
3. Select the Integrations tab.
4. In the StoreFront Store URL section, click Download script.
5. Copy the downloaded file StoreFrontScripts.zip to a StoreFront server and extract the files to any folder.
6. Open a 64-bit Windows PowerShell window with administrator privileges and run the PowerShell script ConfigureStorefront.ps1.
The script modifies the StoreFront store (in this scenario, StoreLB) to support Secure Private Access applications.
NetScaler StoreFront and SPA Plugin Load Balancing
Note:
The example below does not enable SSL Default Profiles. If your NetScaler configuration does, add the cipher directly to the SSL profile and ignore the virtual server cipher configuration.
The following servers are used:
- xa04-stf.training.local
- xa05-stf.training.local
- xa04-spa.training.local
- xa05-spa.training.local
IP addresses
- 172.16.1.107 (StoreFront load balancing VIP)
- 172.16.1.108 (SPA plug-in load balancing VIP)
Certificates
- dh5-2048.key (Diffie-Hellman key, group 5, 2048 bit)
- stf-lb.training.local
- spa-lb.training.local
Create the Diffie-Hellman key and replace the server names, IP addresses, and certificates before running the commands in NetScaler CLI.
- Connect to NetScaler CLI using an SSH client and run the following commands:
## SSL Profile ##
## Do not forget to replace the Diffie-Hellman key name ##
add ssl profile SECURE_ssl_profile_frontend -dhCount 1000 -dh ENABLED -dhFile "/nsconfig/ssl/dh5-2048.key" -eRSA ENABLED -eRSACount 1000 -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED
## Monitors ##
add lb monitor mon-StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -secure YES -storefrontcheckbackendservices YES
add lb monitor mon-SPA-Plugin HTTP -respCode 200 -httpRequest "GET /secureAccess/health" -LRTM DISABLED -secure YES
add lb monitor mon-SPA-Admin-console HTTP -respCode 200 -httpRequest "GET /accessSecurity/health" -LRTM DISABLED -secure YES
## Server ##
## Do not forget to replace server names ##
add server xa04-stf.training.local xa04-stf.training.local
add server xa05-stf.training.local xa05-stf.training.local
add server xa04-spa.training.local xa04-spa.training.local
add server xa05-spa.training.local xa05-spa.training.local
## Services ##
## Do not forget to replace service names ##
add service xa04-stf.training.local_443 xa04-stf.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
bind service xa04-stf.training.local_443 -monitorName mon-StoreFront
add service xa05-stf.training.local_443 xa05-stf.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service xa05-stf.training.local_443 -monitorName mon-StoreFront
add service xa04-spa.training.local_443 xa04-spa.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
bind service xa04-spa.training.local_443 -monitorName mon-SPA-Plugin
add service xa05-spa.training.local_443 xa05-spa.training.local SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service xa05-spa.training.local_443 -monitorName mon-SPA-Plugin
add service xa04-spa.training.local_4443 xa04-spa.training.local SSL 4443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -state DISABLED
bind service xa04-spa.training.local_4443 -monitorName mon-SPA-Admin-console
add service xa05-spa.training.local_4443 xa05-spa.training.local SSL 4443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service xa05-spa.training.local_4443 -monitorName mon-SPA-Admin-console
## LB vServer ##
## Do not forget to replace vServer names and IP addresses ##
add lb vserver lbvs-stf-lb.training.local_443 SSL 172.16.1.107 443 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -cookieName STFPersistence -cltTimeout 180
add lb vserver lbvs-spa-lb.training.local_443 SSL 172.16.1.108 443 -persistenceType NONE -cltTimeout 180
add lb vserver lbvs-spa-lb.training.local_4443 SSL 172.16.1.108 4443 -persistenceType NONE -cltTimeout 180
## Do not forget to replace vServer names and service bindings ##
bind lb vserver lbvs-stf-lb.training.local_443 xa04-stf.training.local_443
bind lb vserver lbvs-stf-lb.training.local_443 xa05-stf.training.local_443
bind lb vserver lbvs-spa-lb.training.local_443 xa04-spa.training.local_443
bind lb vserver lbvs-spa-lb.training.local_443 xa05-spa.training.local_443
bind lb vserver lbvs-spa-lb.training.local_4443 xa04-spa.training.local_4443
bind lb vserver lbvs-spa-lb.training.local_4443 xa05-spa.training.local_4443
## Do not forget to replace vServer names ##
set ssl vserver lbvs-stf-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
set ssl vserver lbvs-spa-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
set ssl vserver lbvs-spa-lb.training.local_4443 -sslProfile SECURE_ssl_profile_frontend
## Do not forget to replace vServer names ##
bind ssl vserver lbvs-stf-lb.training.local_443 -cipherName SECURE
bind ssl vserver lbvs-spa-lb.training.local_443 -cipherName SECURE
bind ssl vserver lbvs-spa-lb.training.local_4443 -cipherName SECURE
## Do not forget to replace vServer names and certificates ##
bind ssl vserver lbvs-stf-lb.training.local_443 -certkeyName stf-lb.training.local
bind ssl vserver lbvs-spa-lb.training.local_443 -certkeyName spa-lb.training.local
bind ssl vserver lbvs-spa-lb.training.local_4443 -certkeyName spa-lb.training.local
NetScaler Gateway
The NetScaler Gateway scripts used with Citrix Secure Private Access are reviewed and updated frequently. For the latest scripts and processes to create or update the NetScaler Gateway configuration, please follow the instructions on the NetScaler gateway configuration for Web/SaaS applications product documentation site.
Support for smart access tag
NetScaler Gateway sends the smart access tags automatically, starting with the following versions. This enhancement removes the required gateway callback from the SPA plug-in and adds it to NetScaler Gateway.
- 13.1 - 48.47 and later
- 14.1 - 4.42 and later
The above script automatically enables the enhancement flags ns_vpn_enable_spa_onprem and ns_vpn_disable_spa_onprem.
To make the changes persistent, run the following commands in the NetScaler shell.
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem">> /nsconfig/rc.netscaler
root@xa04-adc01# echo "nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode">> /nsconfig/rc.netscaler
For more details, see Support for smart access tags.
1. A new NetScaler command script (the default is /var/tmp/ns_gateway_secure_access) is generated.
2. Switch back to the NetScaler CLI using the command exit.
3. Before executing the new NetScaler command script, let us verify the current NetScaler Gateway configuration and update it for Secure Private Access on-premises.
4. On the Gateway virtual server, verify the following:
- ICA only is set to false (OFF)
- TCP Profile is set to nstcp_default_XA_XD_profile
- Deployment Type is set to ICA_STOREFRONT
On the Gateway session action for the Workspace app, verify the following:
- transparentInterception is set to OFF
- SSO is set to ON
- ssoCredential is set to PRIMARY
- useMIP is set to NS
- useIIP is set to OFF
- icaProxy is set to OFF
- wihome is set to "https://stf-lb.training.local/Citrix/StoreLBWeb" - replace with the real store URL
- ClientChoices is set to OFF
- ntDomain is set to "training.local" - used for SSO
- defaultAuthorizationAction is set to ALLOW
- authorizationGroup is set to SecureAccessGroup (Make sure that this group is created in NetScaler, not in Active Directory. It is used to bind Secure Private Access specific authorization policies)
- clientlessVpnMode is set to ON
- clientlessModeUrlEncoding is set to TRANSPARENT
- SecureBrowse is set to ENABLED
- storefronturl is set to "https://stf-lb.training.local" - replace with the StoreFront FQDN
- sfGatewayAuthType is set to domain
Note:
For details on session action parameters, see the Command line reference for vpn-sessionAction.
Based on the above example, the default session action before adding SPA looks like:
add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain
Let’s create the authorization group and a new session action and modify it for Secure Private Access on-premises:
add aaa group SecureAccessGroup
add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain
Switch the session policy for the Workspace app to the new session action:
set vpn sessionPolicy PL_OS_172.16.1.106 -action AC_OS_172.16.1.106_SPAOP
5. Run the new NetScaler command script with the batch command.
For example:
batch -fileName /var/tmp/ns_gateway_secure_access_update -outfile /var/tmp/ns_gateway_secure_access_update_output.log -ntimes 1
6. Verify that the log file contains no errors. For example:
shell cat /var/tmp/ns_gateway_secure_access_update_output.log
Note:
In this scenario, one error is shown in the log file because StoreFront and the SPA plug-in are installed on the same machine:
ERROR: Specified pattern or range is already bound to dataset/patset
7. On the StoreFront and SPA plug-in machine, open Citrix Secure Private Access from the Start menu.
8. On the SPA admin console page, click Mark as done in the Configure Gateway section.
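Before marking the gateway configuration as done, it is worth checking two things mechanically rather than by eye: that every SSL load-balancing vserver from the LB section above has the hardened SSL profile, the SECURE cipher group and a certificate bound, and that the Workspace app session action carries every parameter value listed in step 4. The script below is an added example written for this guide and is not part of the guide, of Citrix Secure Private Access or of NetScaler; it parses a constructed excerpt of NetScaler CLI configuration (the vservers and both session actions shown above, plus an assumed, deliberately misconfigured vserver named lbvs-weak.example_443) and reports deviations. It understands only the four command types used here and assumes the same profile and cipher names as the page.

```python
import shlex
from collections import defaultdict

# Constructed NetScaler config excerpt in the style of this guide: two LB vservers
# and both session actions from the guide, plus a constructed vserver
# "lbvs-weak.example_443" that lacks the hardened profile and a certificate.
SAMPLE_CONFIG = """
add lb vserver lbvs-stf-lb.training.local_443 SSL 172.16.1.107 443 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -cookieName STFPersistence -cltTimeout 180
add lb vserver lbvs-spa-lb.training.local_443 SSL 172.16.1.108 443 -persistenceType NONE -cltTimeout 180
add lb vserver lbvs-weak.example_443 SSL 172.16.1.109 443 -persistenceType NONE -cltTimeout 180
set ssl vserver lbvs-stf-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
set ssl vserver lbvs-spa-lb.training.local_443 -sslProfile SECURE_ssl_profile_frontend
bind ssl vserver lbvs-stf-lb.training.local_443 -cipherName SECURE
bind ssl vserver lbvs-spa-lb.training.local_443 -cipherName SECURE
bind ssl vserver lbvs-weak.example_443 -cipherName DEFAULT
bind ssl vserver lbvs-stf-lb.training.local_443 -certkeyName stf-lb.training.local
bind ssl vserver lbvs-spa-lb.training.local_443 -certkeyName spa-lb.training.local
add vpn sessionAction AC_OS_172.16.1.106 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode OFF -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain
add vpn sessionAction AC_OS_172.16.1.106_SPAOP -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://stf-lb.training.local/Citrix/StoreLBWeb" -ClientChoices OFF -ntDomain training.local -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://stf-lb.training.local" -sfGatewayAuthType domain
"""

EXPECTED_SSL_PROFILE = "SECURE_ssl_profile_frontend"
EXPECTED_CIPHER_GROUP = "SECURE"
# Session action values required by step 4; None means site-specific, but must be present.
REQUIRED_SESSION = {
    "transparentinterception": "OFF", "sso": "ON", "ssocredential": "PRIMARY", "usemip": "NS",
    "useiip": "OFF", "icaproxy": "OFF", "wihome": None, "clientchoices": "OFF", "ntdomain": None,
    "defaultauthorizationaction": "ALLOW", "authorizationgroup": "SecureAccessGroup",
    "clientlessvpnmode": "ON", "clientlessmodeurlencoding": "TRANSPARENT",
    "securebrowse": "ENABLED", "storefronturl": None, "sfgatewayauthtype": "domain",
}


def split_command(line):
    """Split one CLI line into (positional tokens, {option: value}); option keys are lowercased."""
    tokens, positional, options, i = shlex.split(line), [], {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            options[tokens[i][1:].lower()] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            positional.append(tokens[i])
            i += 1
    return positional, options


def parse_config(text):
    """Collect TLS facts per LB vserver and the parameters of each vpn sessionAction."""
    vservers = defaultdict(lambda: {"protocol": None, "sslprofile": None, "ciphers": [], "certkeys": []})
    actions = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("#"):
            continue
        pos, opts = split_command(line)
        if len(pos) < 4:
            continue
        head, name = pos[:3], pos[3]
        if head == ["add", "lb", "vserver"]:
            vservers[name]["protocol"] = pos[4]
        elif head == ["set", "ssl", "vserver"] and "sslprofile" in opts:
            vservers[name]["sslprofile"] = opts["sslprofile"]
        elif head == ["bind", "ssl", "vserver"]:
            if "ciphername" in opts:
                vservers[name]["ciphers"].append(opts["ciphername"])
            if "certkeyname" in opts:
                vservers[name]["certkeys"].append(opts["certkeyname"])
        elif head == ["add", "vpn", "sessionAction"]:
            actions[name] = opts
    return vservers, actions


def audit_tls(vservers):
    """Return {vserver: [finding, ...]} for every SSL vserver missing part of the hardening."""
    findings = {}
    for name, f in vservers.items():
        if f["protocol"] != "SSL":
            continue
        problems = []
        if f["sslprofile"] != EXPECTED_SSL_PROFILE:
            problems.append(f"sslProfile is {f['sslprofile']}, expected {EXPECTED_SSL_PROFILE}")
        if EXPECTED_CIPHER_GROUP not in f["ciphers"]:
            problems.append(f"cipher group {EXPECTED_CIPHER_GROUP} not bound, bound: {f['ciphers']}")
        if not f["certkeys"]:
            problems.append("no certkey bound")
        if problems:
            findings[name] = problems
    return findings


def check_session_action(params):
    """Return {param: (expected, actual)} deviations from REQUIRED_SESSION; {} if compliant."""
    deviations = {}
    for key, expected in REQUIRED_SESSION.items():
        actual = params.get(key)
        if actual is None:
            deviations[key] = (expected or "<site-specific value>", "<missing>")
        # AAA group names are distinct objects, so compare them exactly; enum values are case-insensitive.
        elif expected is not None and (actual != expected if key == "authorizationgroup"
                                       else actual.upper() != expected.upper()):
            deviations[key] = (expected, actual)
    return deviations


if __name__ == "__main__":
    vservers, actions = parse_config(SAMPLE_CONFIG)
    for name, problems in audit_tls(vservers).items():
        print(f"[TLS] {name}: " + "; ".join(problems))
    for name, params in actions.items():
        dev = check_session_action(params)
        print(f"[SESSION] {name}: " + ("OK" if not dev else str(dev)))
```

Run against the constructed excerpt, the script flags only lbvs-weak.example_443 for TLS (missing profile, DEFAULT instead of SECURE ciphers, no certificate) and reports the pre-SPA session action AC_OS_172.16.1.106 as missing useMIP, useIIP, authorizationGroup, clientlessModeUrlEncoding and SecureBrowse and having icaProxy ON and clientlessVpnMode OFF, while AC_OS_172.16.1.106_SPAOP passes. To check a live appliance, feed it the text of the saved configuration (/nsconfig/ns.conf) instead of SAMPLE_CONFIG; any command types it does not recognise are ignored.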
Testing any scenario
1. Open the Citrix Workspace app and create a new account.
In our scenarios, the URL https://citrix.training.com was used.
2. Log on to NetScaler Gateway.
3. Secure Private Access apps along with Citrix Virtual Apps and Desktops are displayed.
In this scenario, no CVAD app is marked as a favorite. Thus, they are only displayed under APPS.
4. Launch the web app Extranet.
Note:
All security controls are enabled on this application.
- Restrict clipboard access
- Restrict printing
- Restrict downloads
- Restrict uploads
- Display Watermark
- Restrict key logging
- Restrict screen capture
The above screenshot shows "Display Watermark".
The screenshot below shows "Restrict screen capture".
Summary
Citrix Secure Private Access for on-premises allows zero trust-based access to SaaS and internal web apps. This deployment guide covered publishing web apps and setting security controls. The result is an integrated solution in which users reach SaaS and internal web apps with single sign-on, in the same way as virtual apps.