System requirements

Ensure that your product meets the minimal version requirements.

Product Minimum version
Citrix Workspace app
Windows – 2403 and later
macOS – 2402 and later
StoreFront LTSR 2203 or CR 2212 and later
NetScaler
13.1, 14.1, and later. It is recommended to use the latest builds of the NetScaler Gateway version 13.1 or 14.1 for optimized performance.
For TCP/UDP apps - 14.1–25.56 and later
NetScaler FIPS 13.1-37.219 and later FIPS builds
Citrix Secure Access client
Windows client - 24.6.1.17 and later
macOS client - 24.06.2 and later
Director 2402 or later
Operating system for Secure Private Access plug-in server Windows Server 2019 and later

Communication ports: Ensure that you have opened the required ports for the Secure Private Access plug-in. For details, see Communication ports.

Databases: The following is the list of supported Microsoft SQL server versions for the site configuration, configuration logging, and monitoring databases:

  • SQL Server 2022, Express, Standard, and Enterprise Editions.
  • SQL Server 2019, Express, Standard, and Enterprise Editions.
  • SQL Server 2017, Express, Standard, and Enterprise Editions.

For new installations: By default, SQL Server Express 2017 with Cumulative Update 16 is installed when installing the Controller, if an existing supported SQL Server installation is not detected.

For upgrades, any existing SQL Server Express version is not upgraded.

The following database high availability solutions are supported (except for SQL Server Express, which supports only standalone mode):

  • SQL Server Always On Failover Cluster Instances
  • SQL Server AlwaysOn Availability Groups (including Basic Availability Groups)
  • SQL Server Database Mirroring

Windows authentication is required for connections between the Controller and the SQL Server site database.

For more information about the databases, see Databases.

Note:

  • The Secure Private Access for on-premises is not supported on Citrix Workspace app for iOS and Android.
  • The Citrix Secure Access client for Linux, iOS, and Android does not support Secure Private Access on-premisesTCP/UDP apps.

Prerequisites

For creating or updating an existing NetScaler Gateway, ensure that you have the following details:

  • A Windows server machine with IIS running, configured with a SSL/TLS certificate, on which the Secure Private Access plug-in will be installed.
  • StoreFront store URLs to enter during the setup.
  • Store on StoreFront must have been configured and the Store service URL must be available. The format of the Store service URL is https://store.domain.com/Citrix/StoreSecureAccess.
  • NetScaler Gateway IP address, FQDN, and NetScaler Gateway Callback URL.
  • IP address and FQDN of the Secure Private Access plug-in host machine (or a load balancer if the Secure Private Access plug-in is deployed as a cluster).
  • Authentication profile name configured on NetScaler.
  • SSL server certificate configured on NetScaler.
  • Domain name.
  • Certificate configurations are complete. Admins must ensure that the certificate configurations are complete. The Secure Private Access installer configures a self-signed certificate if no certificate is found in the machine. However, this might not always work.

Note:

The Runtime service (secureAccess application in the IIS default website) requires anonymous authentication to be enabled as it does not support Windows authentication. These settings are set by the Secure Private Access installer by default and must not be changed manually.

Admin account requirements

The following administrator accounts are required while setting up Secure Private Access.

  • Install Secure Private Access: You must be logged in with a local machine administrator account.
  • Set Up Secure Private Access: You must sign into the Secure Private Access admin console with a domain user which is also a local machine administrator for the machine where Secure Private Access is installed.
  • Manage Secure Private Access: You must sign into the Secure Private Access admin console with a Secure Private Access administrator account.

Communication ports

The following table lists the communication ports that are used by the Secure Private Access plug-in.

Source Destination Type Port Details
Admin Workstation Secure Private Access plug-in HTTPS 4443 Secure Private Access plug-in - Admin console
Secure Private Access plug-in NTP Service TCP, UDP 123 Time synchronization
  DNS Service TCP, UDP 53 DNS lookup
  Active Directory TCP, UDP 88 Kerberos
  Director HTTP, HTTPS 80, 443 Communication to Director for performance management and enhanced troubleshooting
  License server TCP 8083 Communication to license server for collecting and processing licensing data
    TCP 389 LDAP over Plaintext (LDAP)
    TCP 636 LDAP over SSL (LDAPS)
  Microsoft SQL Server TCP 1433 Secure Private Access plug-in - Database communication
  StoreFront HTTPS 443 Authentication validation
  NetScaler Gateway HTTPS 443 NetScaler Gateway Callback
StoreFront NTP Service TCP, UDP 123 Time synchronization
  DNS Service TCP, UDP 53 DNS lookup
  Active Directory TCP, UDP 88 Kerberos
    TCP 389 LDAP over Plaintext (LDAP)
    TCP 636 LDAP over SSL (LDAPS)
    TCP, UDP 464 Native Windows authentication protocol to allow users to change expired passwords
  Secure Private Access plug-in HTTPS 443 Authentication and application enumeration
  NetScaler Gateway HTTPS 443 NetScaler Gateway Callback
NetScaler Gateway Secure Private Access plug-in HTTPS 443 Application authorization validation
  StoreFront HTTPS 443 Authentication and Application enumeration
  Web applications HTTP, HTTPS 80, 443 NetScaler Gateway communication to configured Secure Private Access applications (Ports can differ based on the application requirements)
User Device NetScaler Gateway HTTPS 443 Communication between end-user device and NetScaler Gateway

References

System requirements