Citrix Secure Private Access - On premises

Deploy Secure Private Access as a cluster

July 29, 2024

Contributed by:

The Secure Private Access on-premises solution can be deployed as a cluster to provide high availability, high throughput, and scalability. It is recommended to deploy standalone Secure Private Access nodes for large deployments (for example, more than 5000 users).

If you are using NetScaler Gateway versions 13.0 or 13.1 build 48.47 or earlier, it is recommended that you co-host Secure Private Access with StoreFront.

Create Secure Private Access nodes

Create a new Secure Private Access site. For details, see Setup a Secure Private Access site.
Add the required number of cluster nodes to the Secure Private Access site. For details, see Setup Secure Private Access by joining an existing site.
In each Secure Private Access node, configure the same server certificates. The certificate subject common name or subject alternative name must match the load balancer FQDN.

Load balancer configuration

There are no specific load balancing configuration requirements for the Secure Private Access cluster setup. If you are using NetScaler as the load balancer, note the following:

Secure Private Access services (both admin and runtime) are stateless, and so persistency is not required.
Secure Private Access services are recommended to run as HTTPS but this is not a mandatory requirement. Secure Private Access services can be deployed as HTTP as well.
SSL offload or SSL bridge is supported, so any load balancer configuration can be used. When using SSL bridge, ensure to configure the same server certificates in each Secure Private Access node. Also, the certificate subject common name or subject alternative name (SAN) must match the load balancer FQDN. Also, SAN must be configured in the Load Balancer service.
Load balancers (for example NetScaler) have default built-in monitors (probes) for back-end servers. If you must configure a custom HTTP based monitor (probe) for Secure Private Access on-premises servers, the following endpoint can be used:

/secureAccess/health

Expected response:
```
 Http status code: 200 OK
    
 Payload:
    
 {"status":"OK","details":{"duration":"00:00:00.0084206","status":"OK"}}
 
```

For details about configuring a NetScaler load balancer, see Setup basic load balancing.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Deploy Secure Private Access as a cluster

July 29, 2024

Contributed by:

July 29, 2024

Contributed by:

Deploy Secure Private Access as a cluster

Create Secure Private Access nodes

Load balancer configuration

In this article