Citrix Secure Private Access

View PDF

What’s new

November 14, 2024

Contributed by:

C C

14 November 2024

Enhancements to the policy modeling tool

Admins can now view a comprehensive list of policies associated with each application and utilize the drilldown feature to understand the specific policy application logic, why a specific policy was applied and why others were not. For details, Drilldown into access policies.

08 November 2024

Secure Private Access integration with Monitor

Secure Private Access is integrated with Monitor, the monitoring and troubleshooting console for Citrix DaaS. Administrators and help-desk personnel can monitor and troubleshoot Web/SaaS and TCP/UDP app sessions and events from the DaaS Monitor, in addition to the Secure Private Access dashboard. For details, see Integration with DaaS monitor.

23 September 2024

Support for context-based app routing and resource locations selection

The dynamic domain routing configuration in the access policy now allows admins to edit the internal routing type per URL based on the user context. Administrators can modify the resource locations so that the user requests are routed to the optimal data center, ensuring that user requests are handled efficiently and performance is optimized. For details, see Context-based app routing and resource locations selection.

15 August 2024

Option to configure a time duration for purging the entries in the blocked users list

Admins can now set a specific duration (1 to 99 days) for purging the entries in the blocked user list. For details, see Terminate active user sessions and add users to the user block list.
Additional security controls

The following additional security controls are now available for restricting application access.
- Microphone
- Webcam
- Notifications
- Pop-ups
- Insecure content
For details, see Access restriction options.
Enhancements to the unsanctioned websites (web filtering) feature

The unsanctioned websites (web filtering) feature enables admins to block access to all unsanctioned traffic by default or allow it by default via Citrix Enterprise Browser. For details, see Unsanctioned websites.

16 July 2024

Additional security controls

The following additional security controls are available for restricting application access.
- Download restriction by file type
- Upload restriction by file type
- Personal data masking
- Printer management
- Clipboard restriction for security groups
For details, see Access restriction options.
Display of embedded domains in the App discovery page

The App discovery feature enables admins to create new applications or add those domains to an existing application if a main domain or an embedded domain (HTTP/HTTPS) or the destination IP address (TCP/UDP) is not associated with an application. The App discovery page displays both the main domain and its underlying embedded domains in a tree structure. For details, see Discover domains or IP addresses accessed by end users.

11 June 2024

Policy modeling tool

The policy modeling tool (Access policies > Policy modeling) helps admins analyze and troubleshoot configuration issues from within the admin console. For details, see Policy modeling tool.
Support for filters in the Diagnostic logs chart

The filter option in the Diagnostic logs chart helps admins refine the search based on the various criteria such as app type, category, and description for easier logs analysis and troubleshooting. For details, see Diagnostic logs.

13 March 2024

Support to terminate active user sessions and add users to the disabled user list

Admins can now terminate all active end user sessions immediately and add the users to the disabled user list. Adding a user to this disabled user list terminates all active Secure Private Access application sessions and blocks future application access. For details, see Terminate active user sessions and add users to the disabled user list.

12 February 2024

General availability of the browser and antivirus scans

The browser and antivirus scans supported by the Device Posture service are now generally available. For details, see Scans supported by device posture.

23 January 2024

General availability of device certificate check with Device Posture service

Device certificate check with the Device Posture service is now generally available. For details, see Device certificate check with Device Posture service.

20 December 2023

General availability of Secure Private Access on-premises

Citrix Secure Private Access for on-premises is now generally available. For details, see What’s new.

16 October 2023

Secure Private Access on-premises solution preview features

The Secure Private Access on-premises solution now offers the following:
- Admin UI for the first-time setup.
- Admin UI for configuring the applications and access policies.
- Logs dashboard.
For details, see Secure Private Access for on-premises.
Device Posture service preview features

Device Posture service now supports the following checks:
- Device Posture service is now supported on the IGEL platforms.
- Device Posture service now supports geolocation and network location checks.
For details, see Device Posture.

11 September 2023

General availability of Device Posture Integration with Microsoft Intune

Device Posture Integration with Microsoft Intune is now generally available. For details, see Microsoft Intune integration with Device Posture.

30 August 2023

Manage Citrix Endpoint Analysis Client for Device Posture service

The EPA client can be used together with NetScaler and Device Posture. Some configuration changes are required to manage EPA client when used with NetScaler and Device Posture. For details, see Manage Citrix Endpoint Analysis Client for Device Posture service.

28 August 2023

Device Posture service support on iOS platforms

Device Posture service is now supported on iOS platforms. For details, see Device Posture.

This feature is in preview.

22 August 2023

Device Certificate check with Citrix Device Posture service

Citrix Device Posture service can now enable contextual access (Smart Access) to Citrix DaaS and Secure Private Access resources by checking the end device’s certificate against a corporate certificate authority to ascertain if the end device can be trusted. For details, see Device certificate check with Device Posture service.

This feature is in preview.

17 August 2023

Device Posture events on Citrix DaaS Monitor

Device Posture service events and monitoring logs are now searchable on DaaS Monitor. For details, see Device posture events on Citrix DaaS Monitor.

07 June 2023

Tool for configuring Secure Private Access for on-premises

A simplified user interface is now available to configure the Secure Private Access for on-premises solution. The config tool can be run on a Citrix Virtual Apps and Desktops delivery controller to create a SaaS or Web application quickly. In addition, you can use this tool to set application restrictions, traffic routing, and NetScaler Gateway settings. For details, see /en-us/citrix-secure-private-access/service/secure-private-access-for-on-premises-config-tool.html.

29 May 2023

General availability of creation of access policies with multiple rules

You can create multiple access rules and configure different access conditions for different users or user groups within a single policy. These rules can be applied separately for both HTTP/HTTPS and TCP/UDP applications, all within a single policy. For details, see Configure an access policy with multiple rules.

[SPA-746]

10 April 2023

Application discovery

Application discovery feature helps an admin get visibility into the internal private applications such as web apps and client server apps (TCP and UDP based apps) in their organization and the users accessing those applications. Admins can discover the apps by specifying the scope of the domains (wildcard domains) or IP subnets. For details, see Application discovery.

[ACS-2325]

29 March 2023

Secure Private Access solution for on-premises deployments

As a Citrix StoreFront and NetScaler Gateway customer, you can now access the Web and SaaS apps seamlessly along with Citrix Virtual Apps and virtual desktops using the Citrix Secure Private Access solution for on-premises deployments. For details, see Secure Private Access for on-premises.

[SPAOP-1]

07 March 2023

Configure DNS suffixes

The DNS suffix feature of the Citrix Secure Private Access service can be used for the following use cases:
- Enable the Citrix Secure Access client to resolve a non-fully qualified domain name (host name) to a fully qualified domain name (FQDN) by adding the DNS suffix domain for the back-end servers.
- Enable admins to configure applications using IP addresses (IP CIDR/IP range), so that the end users can access the applications using the corresponding FQDN under the DNS suffix domain.
For details, see DNS suffixes to resolve FQDNs to IP addresses.

[ACS-2490]

23 January 2023

Device posture service

Citrix Device Posture service is a cloud-based solution that helps admins to enforce certain requirements that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps). For details, see Device Posture.

[AAUTH-90]
Microsoft Endpoint Manager integration with Device Posture

In addition to the native scans offered by the Device Posture service, the Device Posture service can also be integrated with other third-party solutions. Device Posture is integrated with Microsoft Endpoint Manager (MEM) on Windows and macOS. For details, see Microsoft Endpoint Manager integration with Device Posture.

[ACS-1399]

22 December 2022

Single sign-on support for the Workspace URL for users logged in via Citrix Workspace app

Citrix Secure Access client now supports single sign-on for the Workspace URL when already logged in via Citrix Workspace app. This SSO functionality enhances the user experience by avoiding multiple authentications. For details, see Single sign-on support for the Workspace URL.

[ACS-1888]
Enable access to apps using access policies

To grant access to the apps for the users, admins are now required to create access policies with a matching user subscription list for the apps to be available for end users. Previously, admins had to add users as subscribers for enabling access. For details, see Create access policies.

[ACS-3018]

03 October 2022

Access policies to grant access to the apps

The App Subscribers configuration option is removed from the Applications section in the configuration wizard. To grant access to the apps for the users, admins are required to create access policies. In access policies, admins add app subscribers and configure security controls. For details, see Create access policies.

[ACS-3018]
Support for UDP apps

The Secure Private Access service now supports access to UDP apps. For details, see Preview features.

[ACS-1430]

09 September 2022

Adaptive access based on user risk score

Admins can now configure an adaptive access policy with the user risk score provided by Citrix Analytics for Security (CAS). For details, see Adaptive access based on user risk score.

[ACS-877]
Adaptive access based on user’s network location

Admins can now configure the adaptive access policy based on the location from where the user is accessing the application. The location can be the country from where the user is accessing the application or the user’s network location. For details, see Adaptive access based on the location.

[ACS-99]
Enhanced adaptive access policy builder

Access to the apps is now enabled only after the configured conditions are met. Apps subscription alone does not provide your customers access to the applications. Admins must add access policies to provide access to the apps in addition to the app subscription. Also, users or groups is a mandatory condition in the access policies that must be met to access the apps. For details, see Create access policies.

[ACS-1850]
Restrict file uploads into SaaS/web apps

This feature allows the customer admins to control (allow or restrict) who can upload files into their business-critical applications. With this, only authorized users can upload files into the applications. For details, see Create access policies.

[ACS-655]
Enhanced dashboard

The Secure Private Access dashboard now provides detailed visibility into several user metrics such as app usage, top app users, top apps accessed, diagnostic logs, and so on. For details, see Dashboard.

[ACS-2480]
Library deprecation

The Secure Private Access applications are now not visible inside the Citrix Cloud Library. All Secure Private Access configured applications are inside the application section within the Secure Private Access service tile. This helps admins to easily navigate, edit, and configure the applications.

[ACS-1546]
Audit logs for Secure Private Access

The Citrix Secure Private Access service related events are now captured in the Citrix Cloud > System Log. For details, see Audit logs.

[ACS-876]
Diagnostic logs for Enterprise Web and SaaS apps access

The Citrix Secure Private Access events are now integrated with Citrix Analytics. Citrix Analytics provides a public endpoint that enables admins to access and download the events. These events can be accessed through a PowerShell script. For details, see Diagnostic logs for Enterprise Web and SaaS apps access.

[ACS-805]
Troubleshooting Guide

The admins can use the troubleshooting guide to resolve configuration-related issues. For details, see Troubleshoot apps related issues.

[ACS-2719]

15 July 2022

Enable access to an application only if an access policy is configured

Access to the apps is now enabled only after the admin adds an access policy in addition to the app subscription. App subscription alone does not enable access to the applications. With this change, admins can enforce adaptive security based on context like users, location, device, risk. Admins must migrate the existing app security controls and access policies to the new access policy framework. For details, see Migration of app security controls and access policies.

[ACS-1850]

01 June 2022

Adaptive Authentication service

Adaptive Authentication is now generally available (GA). For detailed information about Adaptive Authentication, see Adaptive Authentication service.

[CGS-6510]

04 April 2022

Rebranding changes

Citrix Secure Workspace Access service is now rebranded to Citrix Secure Private Access service.

[ACS-2322]
Admin guided workflow for easy onboarding and set up

Secure Private Access now has a new streamlined admin experience with a step-by-step process to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP apps. It includes configuration of Adaptive Authentication, applications including user subscription, adaptive access policies, and others within a single admin console. For details see, Admin-guided workflow for easy onboarding and set up.

This feature is now generally available (GA).

[ACS-1102]
Secure Private Access dashboard

The Secure Private Access dashboard provides admins full visibility into their top apps, top users, connectors health status, bandwidth usage, and in a single place for consumption. This data is fetched from Citrix Analytics. For details, see Secure Private Access dashboard.

This feature is now generally available (GA).

[ACS-1169]
Direct access to Enterprise web apps

Customers can now enable Zero Trust Network Access (ZTNA) to internal web apps, directly from native web browsers such as Chrome, Firefox, Safari, and Microsoft Edge. For details, see Direct access to Enterprise web apps.

This feature is now generally available (GA).
ZTNA agent-based access to TCP/HTTPS apps

Citrix customers can now enable Zero Trust Network Access (ZTNA) to all client-server applications and IP/Port based resources, in addition to internal web apps. For details, see Support for client-server apps.

This feature is now generally available (GA).

[ACS-970]
Adaptive access and security controls for Enterprise Web, TCP, and SaaS applications

The Citrix Secure Private Access service adaptive access feature offers a comprehensive Zero Trust Network Access (ZTNA) approach that delivers secure access to the applications. Adaptive access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to:
- Users and groups (users and user groups)
- Devices (desktop or mobile devices)
- Location (geo-location or network location)
- Device posture (device posture check)
- Risk (user risk score)
For details, see Adaptive access and security controls for Enterprise Web, TCP, and SaaS applications.

This feature is now generally available (GA).

[ACS-878, ACS-879, ACS-882]
Audit logs for Secure Private Access

The Citrix Secure Private Access service related events are now captured in the Citrix Cloud > System Log. For details, see Audit logs.

This feature is now generally available (GA).

[ACS-876]
Diagnostic logs for Enterprise Web and SaaS apps access

The Citrix Secure Private Access events are now integrated with Citrix Analytics. Citrix Analytics provides a public endpoint that enables admins to access and download the events. These events can be accessed through a PowerShell script. For details, see Diagnostic logs for Enterprise Web and SaaS apps access.

This feature is now generally available (GA).

[ACS-805]
Adaptive authentication service

Citrix Cloud customers can now use Citrix Workspace to provide Adaptive Authentication to Citrix Virtual Apps and Desktops. Adaptive Authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. Adaptive Authentication service is a Citrix managed and Citrix Cloud hosted ADC. For details, see Adaptive Authentication service.

This feature is in preview.

[CGS-6510]

16 February 2022

Support for client-server apps With the support for client-server applications within Citrix Secure Private Access, you can now eliminate the dependency on a traditional VPN solution to provide access to all private apps for remote users.

For details, see Support for client-server apps - Preview

[ACS-870]

11 October 2021

Merger of Citrix Gateway service tile into a single Secure Private Access in Citrix Cloud

The Citrix Gateway service tile is now merged into a single Secure Private Access in Citrix Cloud.
- All Secure Private Access customers, including Citrix Workspace Essentials and Citrix Workspace Standard, can now use one single Secure Private Access tile for configuring SaaS and Enterprise web apps, enhanced security controls, contextual policies, in addition to web filtering policies.
- All Citrix DaaS customers can still enable the Citrix Gateway service as the HDX proxy from Workspace Configuration. However, the shortcut to enable Citrix Gateway service from the gateway service tile is removed. You can enable the Citrix Gateway service from Workspace configuration > Access > External Connectivity. For details, see External connectivity. There is no change in the functionality, otherwise.
[NGSWS-16761]

30 July 2021

Contextual access and security controls for the Enterprise Web and SaaS apps based on user’s geographic location

The Citrix Secure Private Access service now supports contextual access to the Enterprise Web and SaaS apps based on the user’s geographic location.

[ACS-833]
Option to hide a specific Web or a SaaS app from Citrix Workspace portal

Admins can now hide a specific Web or SaaS app from the Citrix Workspace portal. When an app is hidden from the Citrix Workspace portal, the Citrix Gateway service does not return this app during enumeration. However, users can still access the hidden app.

[ACS-944]

09 June 2021

Route table to define the rules to route the app traffic

Admins can now use the route table to define the rules to route the app traffic directly to the internet or through the Citrix Gateway Connector. The admins can define the route type for the apps as External, Internal, Internal-Bypass Proxy, or External via Gateway Connector depending on how they want to define the traffic flow.

[ACS-243]

22 May 2021

Contextual access to Enterprise Web and SaaS applications

The Citrix Secure Private Access service contextual access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Contextual access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to users, user groups, and the platform (mobile device or a desktop computer) from which the user is accessing the application.

[ACS-222]
Rebranding of Citrix Gateway Connector user interface

The Citrix Cloud Gateway Connector user interface is rebranded as per the Citrix branding guidelines.

[NGSWS-17100]

01 May 2021

Deletion of customer data from the Citrix Secure Private Access service datastore

Customer data, including backups, is deleted from the Citrix Secure Private Access service datastore after 90 days of service entitlement expiry.

[ACS-388]
Simplified steps to federate a domain from Azure AD to Citrix Workspace

The steps to federate a domain from Azure AD to Citrix Workspace app is now simplified for faster onboarding in Citrix Workspace. Domain federation can now be performed in the Citrix Gateway service user interface, from the Single sign on page.

[ACS-351]
Enhancement to the Connectivity Test tool

The Connectivity Test tool in the Citrix Gateway Connector is enhanced to handle timeout errors and to generate the necessary logs.

[NGSWS-17212]

15 March 2021

Platform enhancements

Various platform enhancements are made to increase reliability in propagating customer’s admin configurations to the Citrix Gateway Connectors.

[ACS-85]
Improved web apps performance

The web apps performance when the web applications are accessed from the system browser using clientless VPN has been improved.

[NGSWS-16469]
Enabling Citrix Gateway Connector to use TLS1.2 Grade A or above cipher suites

The Citrix Gateway Connector now uses TLS1.2 with Grade A or above cipher suites to connect to Citrix Cloud service and other back end servers.

[NGSWS-16068]

11 November 2020

Renaming of Citrix Access Control service

The Access Control service is now renamed as Secure Private Access.

[NGSWS-14934]

15 October 2020

Enhanced security option to launch SaaS and Enterprise Web apps within Remote Browser Isolation service

Admins can now use the enhanced security option, Select Launch application always in Citrix Remote Browser Isolation service to always launch an application in the Remote Browser Isolation service regardless of other enhanced security settings.

[ACS-123]

08 October 2020

Configure session timeouts for the Citrix Secure Private Access browser extension

Admins can now configure session timeouts for the Citrix Secure Private Access browser extension. Admins can configure this setting from the Manage tab in the Citrix Gateway service user interface.

[NGSWS-13754]
RBAC control on Citrix Secure Private Access browser extension admin settings

RBAC control is now enforced on Citrix Secure Private Access browser extension admin settings.

[NGSWS-14427]

24 September 2020

Enable VPN-less access to Enterprise Web apps through a local browser

You can now use the Citrix Secure Private Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Private Access browser extension is supported on both Google Chrome and Microsoft Edge browsers.

[ACS-286]

07 July 2020

Validate Kerberos configuration on Citrix Gateway Connector

You can now use the Test button in the Single sign on section to validate the Kerberos configuration.

[NGSWS-8581]

19 June 2020

Read-only access to admins of the Citrix Gateway service and Citrix Secure Private Access service

Security admin teams using the Citrix Gateway service can now provide granular controls, such as read-only access to admins of the Citrix Gateway service and Citrix Secure Private Access service.
- Admins with read-only access to the Citrix Gateway service have access to only view the app details.
- Admins with read-only access to the Citrix Secure Private Access service can only view the content access settings.
[ACS-205]

08 May 2020

New troubleshooting tools in Citrix Gateway Connector 13.0
- Network tracing: You can now use the Trace feature to troubleshoot Citrix Gateway Connector registration issues. You can download the trace file and share it with the administrators for troubleshooting. For details, see Troubleshoot Citrix Gateway Connector registration issues.
  
  [NGSWS-10799]
- Connectivity tests: You can now use the Connectivity Test feature to confirm that there are no errors in the Gateway Connector configuration and the Gateway Connector is able to connect to the URLs. For details, see Log on and set up the Citrix Gateway Connector.
  
  [NGSWS-8580]

V2019.04.02

Kerberos authentication support for Citrix Gateway Connector to outbound proxy [NGSWS-6410]

Kerberos authentication is now supported for the traffic from the Citrix Gateway Connector to the outbound proxy. Gateway Connector uses the configured proxy credentials to authenticate to the outbound proxy.

V2019.04.01

Web/SaaS apps traffic can now be routed via a corporate-network-hosted Gateway-Connector thus avoiding two factor authentication. If a customer has published a SaaS app that is hosted outside the corporate network, support is now added to authenticate traffic for that app to go through an on-premises Gateway Connector.

For example, consider that a customer has an Okta protected SaaS app (like Workday). The customer might want that even though the actual Workday data traffic is not routed via the Citrix Gateway service, the authentication traffic to the Okta server is routed through the Citrix Gateway service via an on-premises Gateway Connector. This helps a customer to avoid a second factor authentication from the Okta server as the user is connecting to the Okta server from within the corporate network.

[NGSWS-6445]
Disabling Filtering Website Lists and Website Categorization. Filtering Website Lists and Website Categorization can be disabled if the admin chooses not to apply these functionalities for a specific customer.

[NGSWS-6532]
Automatic geo routing for Remote Browser Isolation service redirects. Automatic geo routing is now enabled for Remote Browser Isolation service redirects.

[ NGSWS-6926]

V2019.03.01

“Detect” button is added in the “Add a Gateway Connector” page. The Detect button is used to refresh the list of connectors, allowing the newly added connector to reflect in the Web app connectivity section.

[CGOP-6358]
A new category “Malicious and Dangerous” is added in the “Access Control Web Filtering” categories. A new category named Malicious and Dangerous in the Access Control Web Filtering categories is added under the Malware and Spam group.

[CGOP-6205]

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

What’s new

November 14, 2024

Contributed by:

C C

November 14, 2024

Contributed by:

C C

What’s new

14 November 2024

08 November 2024

23 September 2024

15 August 2024

16 July 2024

11 June 2024

13 March 2024

12 February 2024

23 January 2024

20 December 2023

16 October 2023

11 September 2023

30 August 2023

28 August 2023

22 August 2023

17 August 2023

07 June 2023

29 May 2023

10 April 2023

29 March 2023

07 March 2023

23 January 2023

22 December 2022

03 October 2022

09 September 2022

15 July 2022

01 June 2022

04 April 2022

16 February 2022

11 October 2021

30 July 2021

09 June 2021

22 May 2021

01 May 2021

15 March 2021

11 November 2020

15 October 2020

08 October 2020

24 September 2020

07 July 2020

19 June 2020

08 May 2020

V2019.04.02

V2019.04.01

V2019.03.01

In this article