Support for client-server apps

With Citrix Secure Private Access, you can access all private apps, including TCP/UDP and HTTPS apps, from either a native browser or a native client application, through the Citrix Secure Access agent running on your machine.

With the additional support of client-server applications within Citrix Secure Private Access, you can now eliminate the dependency on a traditional VPN solution to provide access to all private apps for remote users.

Preview features

Support for UDP apps

  • For Windows, the agent version (22.6.1.5 and later) supports UDP apps.
  • For macOS, the agent version (22.06.1 and later) supports UDP apps.

How it works

End users can easily access all their sanctioned private apps by simply installing the Citrix Secure Access agent on their client devices.

Admin Configuration – ZTNA agent-based access to TCP/UDP apps

Prerequisites

Ensure that the following requirements are met to access TCP/UDP apps.

  • Access to Citrix Secure Private Access in Citrix Cloud.
  • Citrix Cloud Connector - Install a Citrix Cloud Connector for Active Directory domain configuration as captured in Cloud Connector Installation.
  • Identity and access management - Complete the configuration. For details, see Identity and access management.
  • Connector Appliance – Citrix recommends installing two Connector Appliances in a high availability set-up in your resource location. The connector can be installed either on-premises, in the data center hypervisor, or in public cloud. For more information on Connector Appliance and its installation, see Connector Appliance for Cloud Services.
  • You must use a Connector Appliance for TCP/UDP apps.

Important:

For a complete end-to-end configuration of an app, see Admin guided workflow for easy onboarding and set up.

  1. On the Citrix Secure Private Access tile, click Manage.
  2. Click Continue and then click Add an app.

    Note:

    The Continue button appears only for the first time that you use the wizard. In the subsequent usages, you can directly navigate to the Applications page and then click Add an app.

    An app is a logical grouping of destinations, where each destination is a different back-end server. For example, one app can contain an SSH server, an RDP server, a database server, and a web server. You do not have to create one app per destination; one app can have many destinations.

  3. In the Choose a template section, click Skip to configure the TCP/UDP app manually.
  4. In the App Details section, select Inside my corporate network, enter the following details, and click Next.

    TCP app details

    • App type – Select TCP/UDP.
    • App name– Name of the application.
    • App icon– An app icon is displayed. This field is optional.
    • App description – Description of the app you are adding. This field is optional.
    • Destinations – IP Addresses or FQDNs of the back-end machines residing in the resource location. One or more destinations can be specified as follows.
      • IP address v4
      • IP address Range – Example: 10.68.90.10-10.68.90.99
      • CIDR – Example: 10.106.90.0/24
      • FQDN of the machines or Domain name – Single or wildcard domain. Example: ex.destination.domain.com, *.domain.com

        Important:

        • When configuring IP address based applications, do not use IP addresses in the spoof IP address range (172.16.0.0 to 172.31.0.0).
        • If the admin has configured IP based destinations, end users must access the app by IP address only. Similarly, if the application is configured with an FQDN, users must access it through the FQDN only. An app configured by IP address cannot be reached through an FQDN, and vice versa.

        The following table provides examples of various destinations and how to access the apps with these destinations.

        Destination input | How to access the app
        10.10.10.1-10.10.10.100 | End user is expected to access the app only through IP addresses in this range.
        10.10.10.0/24 | End user is expected to access the app only through IP addresses in the CIDR block.
        10.10.10.101 | End user is expected to access the app only through 10.10.10.101.
        *.info.citrix.com | End user is expected to access subdomains of info.citrix.com and also info.citrix.com itself (the parent domain). For example: info.citrix.com, sub1.info.citrix.com, level1.sub1.info.citrix.com. Note: the wildcard must always be the starting character of the domain, and only one "*." is allowed.
        info.citrix.com | End user is expected to access info.citrix.com only and no subdomains. For example, sub1.info.citrix.com is not accessible.
    • Port – The port on which the app is running. Admins can configure multiple ports or port ranges per destination.

      The following table provides examples of ports that can be configured for a destination.

      Port input | Description
      * | Default. Any port; port numbers from 1 to 65535 are allowed for the destination.
      1300-2400 | Port numbers 1300 to 2400 are allowed for the destination.
      38389 | Only port 38389 is allowed for the destination.
      22,345,5678 | Ports 22, 345, and 5678 are allowed for the destination.
      1300-2400, 42000-43000,22,443 | Port ranges 1300 to 2400 and 42000 to 43000, plus ports 22 and 443, are allowed for the destination.

      Note:

      Wildcard port (*) cannot co-exist with port numbers or ranges.

    • Protocol – TCP/UDP
  5. In the App Connectivity section, a mini version of the Application Domains table is available to make the routing decisions. For each destination, you can choose a different or same resource location. Destinations configured in the previous step are populated under the DESTINATION column. Destinations added here are also added to the main Application Domains table. The Application Domains table is the source of truth for making the routing decision to direct connection establishment and traffic to correct resource location. For more information on the Application Domains table and possible IP conflict scenarios, see Application Domains - IP address conflict resolution section.
  6. For the following fields, select an input from the drop-down menu and click Next.

    Note:

    Only the Internal route type is supported.

    • RESOURCE LOCATION – From the drop-down menu, you must connect to a resource location with at least one Connector Appliance installed.

      Note:

      Connector Appliance installation is supported from the App Connectivity section. You can also install it under the Resource Locations section in the Citrix Cloud portal. For more information on creating a Resource Location, see Set up resource locations.


  7. Click Finish. The app is added to the Applications page. You can edit or delete an app from the Applications page after you have configured the application. To do so, click the ellipsis button on an app and select the actions accordingly.

    • Edit Application
    • Delete

Note:

  • To grant access to the apps for the users, admins are required to create access policies. In access policies, admins add app subscribers and configure security controls. For details, see Create access policies.
  • To configure the authentication methods required for the users, see Set up identity and authentication.

  • To obtain the Workspace URL to be shared with the users, from the Citrix Cloud menu, click Workspace Configuration, and select the Access tab.


Admin Configuration – ZTNA agent-based access to HTTP(S) apps

Note:

To access existing or new HTTP/HTTPS apps using the Citrix Secure Access agent, in addition to a Gateway connector you must also install at least one (recommended two for high-availability) Connector Appliance in your resource location. The connector can be installed on-premises, in the data center hypervisor, or in the public cloud. For details of Connector Appliance and its installation, see Connector Appliance for Cloud Services.

Prerequisites

  • Access to Citrix Secure Private Access in Citrix Cloud.

Points to note

  • Internal web apps enforced with enhanced security controls cannot be accessed through the Citrix Secure Access agent.
  • If you try to access an HTTP(S) application that has enhanced security controls enabled, the following pop-up message is displayed: "Additional security controls are enabled for <app name (FQDN)> app. Please access it from Citrix Workspace."

  • If you want to enable SSO experience, access the web apps using Citrix Workspace app or web portal.

The steps to configure HTTP(S) apps remain the same as existing functionality explained under Support for Enterprise web apps.

Adaptive access to TCP/UDP and HTTP(S) apps

Adaptive access provides the ability for admins to govern access to business-critical apps based on multiple contextual factors like device posture check, user geo-location, user role, and the Citrix Analytics service provided risk score.

Note:

  • To deny access to TCP/UDP applications, admins create policies based on users, user groups, the devices from which users access the applications, and the location (country) from which an application is accessed. Access to applications is allowed by default.

  • The user subscription made for an app is applicable for all the TCP/UDP app destinations configured for the ZTNA application.

To create an adaptive access policy

Admins can use the admin-guided workflow wizard to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP/UDP apps in the Secure Private Access service.

Points to note

  • Access to an existing web app for which enhanced security is enabled is denied via the Secure Access agent. An error message suggesting to log in using Citrix Workspace app is displayed.
  • Policy configurations for a web app (user risk score, device posture check, and so on) that apply in Citrix Workspace app also apply when the app is accessed through the Secure Access agent.
  • The policy bound to an application is applicable for all the destinations in the application.

DNS resolution

The connector appliance must have a DNS server configuration for DNS resolution.

Steps to install Citrix Secure Access agent on a Windows machine

Supported OS versions:

Windows – Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019.

Following are the steps to install the Citrix Secure Access agent on a Windows machine.

  1. Download the Citrix Secure Access agent from https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html.
  2. Click Install to install the agent on your Windows machine. If you already have a Citrix Gateway agent installed, it is upgraded in place.
  3. Click Finish to complete the installation.

Note:

Multi-user session in Windows is not supported.

Microsoft Edge Runtime installation steps

Microsoft Edge Runtime is now required for the authentication UI on the Secure Access agent. It is installed by default in the latest Windows 10 and Windows 11 machines. For machines on earlier versions, perform the following steps.

  1. Go to the following link, https://go.microsoft.com/fwlink/p/?LinkId=2124703.
  2. Download and install Microsoft Edge Runtime. If it is not installed on the user's system, the Citrix Secure Access agent prompts you to install it when you try to connect to the Workspace URL.

Note:

You can use an automated solution like SCCM software or a group policy to push Citrix Secure Access agent or Microsoft Edge Runtime to the client machines.

Steps to install Citrix Secure Access agent on a macOS machine

Prerequisites:

  • Download the Citrix Secure Access app for macOS from the App Store. This app is available from macOS 10.15 (Catalina) and later.
  • Preview builds are available in the TestFlight app only for macOS Monterey (12.x).
  • If you are switching between the App Store app and the TestFlight preview app, you must recreate the profile you want to use with the Citrix Secure Access app. For example, if you have been using a connection profile with blr.abc.company.com, delete the VPN profile, and create the same profile again.

Supported OS versions:

macOS – 12.x (Monterey), 11.x (Big Sur), and 10.15 (Catalina) are supported.

Note:

Mobile devices - iOS and Android are not supported.

Launch a configured app - End-user flow

  1. Launch the Citrix Secure Access agent on the client device.
  2. Enter the Workspace URL provided by the customer admin in the URL field of the Citrix Secure Access agent and click Connect. This is a one-time activity; the URL is saved for subsequent use.
  3. User is prompted for authentication based on the authentication method configured in Citrix Cloud. Upon successful authentication, the user can access the configured private apps.

User notification messages

A pop-up notification message appears in the following scenarios:

  • The app is not authorized by the admin for the user.

    Cause: The application configured for the accessed destination IP address or FQDN is not subscribed for the logged in user.


  • The access policy evaluation results in denial of access.

    Cause: Access to the destination IP address or FQDN is denied because the policy bound to the application is evaluated to “Deny Access” to the logged in user.


  • The enhanced security control is enabled for the app.

    Cause: The enhanced security control is enabled to the application for the accessed destination. The application can be launched using the Citrix Workspace App.


Additional Information

Application Domains - IP address conflict resolution

Destinations added while creating an app are added to a main routing table. The routing table is the source of truth for making the routing decision to direct connection establishment and traffic to correct resource location.

  • The destination IP address must be unique across resource locations.
  • Citrix recommends that you avoid overlap of the IP addresses or domains in the routing table. In case you encounter an overlap, you must resolve it.

Following are the types of conflict scenarios. Complete Overlap is the only error scenario that restricts admin configuration until the conflict is resolved.

Conflict scenario | Existing application domain entry | New entry from app addition | Behavior
Subset overlap | 10.10.10.0-10.10.10.255 (RL1) | 10.10.10.50-10.10.10.60 (RL1) | Allow; warning: subset overlap of IP domain with existing entries
Subset overlap | 10.10.10.0-10.10.10.255 (RL1) | 10.10.10.50-10.10.10.60 (RL2) | Allow; warning: subset overlap of IP domain with existing entries
Partial overlap | 10.10.10.0-10.10.10.100 (RL1) | 10.10.10.50-10.10.10.200 (RL1) | Allow; warning: partial overlap of IP domain with existing entries
Partial overlap | 10.10.10.0-10.10.10.100 (RL1) | 10.10.10.50-10.10.10.200 (RL2) | Allow; warning: partial overlap of IP domain with existing entries
Complete overlap | 10.10.10.0/24 (RL1) | 10.10.10.0-10.10.10.255 (RL1) | Error: "<completely overlapping IP domain value> IP domain completely overlaps with existing entries. Please change the existing routing IP entry or configure a different destination."
Complete overlap | 10.10.10.0/24 (RL1) | 10.10.10.0-10.10.10.255 (RL2) | Error: "<completely overlapping IP domain value> IP domain completely overlaps with existing entries. Please change the existing routing IP entry or configure a different destination."
Exact match | 20.20.20.0/29 (RL1) | 20.20.20.0/29 | Allow; info: domains already exist in the domain routing table; the change updates the existing routing table entry

RL1 and RL2 denote resource locations.

Note:

  • If the destinations added result in a complete overlap, an error is displayed while configuring the app in the App Details section. The admin must resolve this error by modifying the destinations in the App Connectivity section.

    If there are no errors in the App Details section, the admin can proceed to save the app details. However, in the App Connectivity section, if the destinations have a subset or partial overlap with each other or with existing entries in the main routing table, a warning message is displayed. In this case, the admin can choose either to resolve the overlap or to continue with the configuration.

  • Citrix recommends keeping a clean Application Domain table. It is easier to configure new routing entries if the IP address domains are broken into appropriate chunks without overlaps.
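The conflict scenarios in the table above, reimplemented as an added example. This is not Citrix code: the function names and the sample routing table are this example's own, and treating a new entry that strictly contains an existing entry as Complete Overlap (the table shows that case only for equal address sets written differently) is an assumption. The example classifies a new entry against every existing row, derives the allow/warning/error verdict, and shows how to carve an existing entry into non-overlapping CIDR chunks, which is the clean-table practice the note recommends.

```python
"""Overlap classification for Application Domains entries, following the
conflict table above. Added example, not Citrix code: the function names are
this example's own, and treating a new entry that strictly contains an existing
one as 'complete' (the table only shows the equal-set case) is an assumption."""
import ipaddress


def ip_bounds(spec):
    """(low, high) integer bounds for an 'a-b' range, a CIDR or a single IPv4."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
    else:
        net = ipaddress.IPv4Network(spec.strip())
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"range start after end: {spec}")
    return lo, hi


def classify_overlap(existing, new):
    """'exact'    : same entry text (allowed; the routing table row is updated in place)
       'complete' : new covers all of existing, e.g. 10.10.10.0-10.10.10.255 vs 10.10.10.0/24 (error)
       'subset'   : new lies strictly inside existing (allowed with a warning)
       'partial'  : the two intersect but neither contains the other (allowed with a warning)
       'none'     : disjoint"""
    if existing.replace(" ", "") == new.replace(" ", ""):
        return "exact"
    e_lo, e_hi = ip_bounds(existing)
    n_lo, n_hi = ip_bounds(new)
    if n_hi < e_lo or e_hi < n_lo:
        return "none"
    if n_lo <= e_lo and e_hi <= n_hi:
        return "complete"
    if e_lo <= n_lo and n_hi <= e_hi:
        return "subset"
    return "partial"


VERDICT = {"exact": "allow", "subset": "warning", "partial": "warning", "complete": "error"}
_RANK = {"allow": 0, "warning": 1, "error": 2}


def evaluate_entry(table, new):
    """Check a new destination against every (entry, resource_location) row.
    Returns (verdict, findings); verdict is the worst of 'allow', 'warning', 'error'.
    The resource location is reported but does not change the verdict, as in the table."""
    verdict, findings = "allow", []
    for entry, rl in table:
        kind = classify_overlap(entry, new)
        if kind == "none":
            continue
        findings.append((entry, rl, kind))
        if _RANK[VERDICT[kind]] > _RANK[verdict]:
            verdict = VERDICT[kind]
    return verdict, findings


def remainder_chunks(existing, new):
    """CIDR blocks covering the part of `existing` not covered by `new`: one way to
    re-chunk an entry so that the table stays overlap-free, as recommended above."""
    e_lo, e_hi = ip_bounds(existing)
    n_lo, n_hi = ip_bounds(new)
    pieces = []
    if e_lo < n_lo:
        pieces.append((e_lo, min(e_hi, n_lo - 1)))
    if n_hi < e_hi:
        pieces.append((max(e_lo, n_hi + 1), e_hi))
    return [str(net) for lo, hi in pieces
            for net in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]


# Constructed sample of the main routing table: (entry, resource location).
SAMPLE_TABLE = [("10.10.10.0/24", "RL1"), ("20.20.20.0/29", "RL1")]

if __name__ == "__main__":
    for new in ["10.10.10.50-10.10.10.60", "10.10.10.0-10.10.10.255",
                "20.20.20.0/29", "10.10.9.0-10.10.10.100"]:
        print(new, "->", evaluate_entry(SAMPLE_TABLE, new))
    print(remainder_chunks("10.10.10.0/24", "10.10.10.50-10.10.10.60"))
```

Exact match is decided on the entry text, not the address set, because the table treats 10.10.10.0/24 against 10.10.10.0-10.10.10.255 as Complete Overlap (an error) while 20.20.20.0/29 against 20.20.20.0/29 is an in-place update.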

Login and logout script configuration registries

The Citrix Secure Access client reads the login and logout script configuration from the following registry values when it connects to the Citrix Secure Private Access cloud service.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

  • Login script path: SecureAccessLogInScript (type REG_SZ)
  • Logout script path: SecureAccessLogOutScript (type REG_SZ)

Release notes references
