Citrix Secure Private Access

System requirements

September 27, 2024

Contributed by:

Ensure that your product meets the minimal version requirements.

Product	Minimum version
Citrix Workspace app	Windows – 2403 and later
Citrix Workspace app	macOS – 2402 and later
StoreFront	LTSR 2203 or CR 2212 and later
NetScaler	13.1, 14.1, and later. It is recommended to use the latest builds of the NetScaler Gateway version 13.1 or 14.1 for optimized performance.
NetScaler	For TCP/UDP apps - 14.1–25.56 and later
Citrix Secure Access client	Windows client - 24.6.1.17 and later
Citrix Secure Access client	macOS client - 24.06.2 and later
Director	2402 or later
Operating system for Secure Private Access plug-in server	Windows Server 2019 and later

Communication ports: Ensure that you have opened the required ports for the Secure Private Access plug-in. For details, see Communication ports.

Note:

The Secure Private Access for on-premises is not supported on Citrix Workspace app for iOS and Android.

The Citrix Secure Access client for Linux, iOS, and Android does not support Secure Private Access on-premisesTCP/UDP apps.

Prerequisites

For creating or updating an existing NetScaler Gateway, ensure that you have the following details:

A Windows server machine with IIS running, configured with a SSL/TLS certificate, on which the Secure Private Access plug-in will be installed.
StoreFront store URLs to enter during the setup.
Store on StoreFront must have been configured and the Store service URL must be available. The format of the Store service URL is https://store.domain.com/Citrix/StoreSecureAccess.
NetScaler Gateway IP address, FQDN, and NetScaler Gateway Callback URL.
IP address and FQDN of the Secure Private Access plug-in host machine (or a load balancer if the Secure Private Access plug-in is deployed as a cluster).
Authentication profile name configured on NetScaler.
SSL server certificate configured on NetScaler.
Domain name.
Certificate configurations are complete. Admins must ensure that the certificate configurations are complete. The Secure Private Access installer configures a self-signed certificate if no certificate is found in the machine. However, this might not always work.

Note:

The Runtime service (secureAccess application in the IIS default website) requires anonymous authentication to be enabled as it does not support Windows authentication. These settings are set by the Secure Private Access installer by default and must not be changed manually.

Admin account requirements

The following administrator accounts are required while setting up Secure Private Access.

Install Secure Private Access: You must be logged in with a local machine administrator account.
Set Up Secure Private Access: You must sign into the Secure Private Access admin console with a domain user which is also a local machine administrator for the machine where Secure Private Access is installed.
Manage Secure Private Access: You must sign into the Secure Private Access admin console with a Secure Private Access administrator account.

Communication ports

The following table lists the communication ports that are used by the Secure Private Access plug-in.

Source	Destination	Type	Port	Details
Admin Workstation	Secure Private Access plug-in	HTTPS	4443	Secure Private Access plug-in - Admin console
Secure Private Access plug-in	NTP Service	TCP, UDP	123	Time synchronization
	DNS Service	TCP, UDP	53	DNS lookup
	Active Directory	TCP, UDP	88	Kerberos
	Director	HTTP, HTTPS	80, 443	Communication to Director for performance management and enhanced troubleshooting
	License server	TCP	8083	Communication to license server for collecting and processing licensing data
		TCP	389	LDAP over Plaintext (LDAP)
		TCP	636	LDAP over SSL (LDAPS)
	Microsoft SQL Server	TCP	1433	Secure Private Access plug-in - Database communication
	StoreFront	HTTPS	443	Authentication validation
	NetScaler Gateway	HTTPS	443	NetScaler Gateway Callback
StoreFront	NTP Service	TCP, UDP	123	Time synchronization
	DNS Service	TCP, UDP	53	DNS lookup
	Active Directory	TCP, UDP	88	Kerberos
		TCP	389	LDAP over Plaintext (LDAP)
		TCP	636	LDAP over SSL (LDAPS)
		TCP, UDP	464	Native Windows authentication protocol to allow users to change expired passwords
	Secure Private Access plug-in	HTTPS	443	Authentication and application enumeration
	NetScaler Gateway	HTTPS	443	NetScaler Gateway Callback
NetScaler Gateway	Secure Private Access plug-in	HTTPS	443	Application authorization validation
	StoreFront	HTTPS	443	Authentication and Application enumeration
	Web applications	HTTP, HTTPS	80, 443	NetScaler Gateway communication to configured Secure Private Access applications (Ports can differ based on the application requirements)
User Device	NetScaler Gateway	HTTPS	443	Communication between end-user device and NetScaler Gateway

References

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

System requirements

September 27, 2024

Contributed by:

September 27, 2024

Contributed by:

System requirements

Prerequisites

Admin account requirements

Communication ports

References

In this article