Secure Private Access integration with Director (Preview)

The Secure Private Access integration with Director allows a help desk admin or full admin to monitor and troubleshoot all Secure Private Access sessions in Director. To support this feature, you must use version 2402 or later of Director, Secure Private Access, Citrix Workspace app, and VDA.

Available actions include viewing the details of the following:

  • Secure Private Access active sessions for a user under the Select a Session popup > Sessions tab > Web Apps and SaaS Apps
  • Secure Private Access failed or blocked enumerations and failed app launches under the Select a Session popup > Denied Access tab
  • Session and application details view for active and failed app launches
  • Session and application details view for failed and blocked enumerations

Note:

The Secure Private Access integration with Director is supported only for Director Forms-based authentication. It is not supported for Integrated Windows Authentication or Smart Card based authentication.

Prerequisites

  1. To support this feature, you must use the following:

    • Director 2402 or later version
    • Secure Private Access 2402 or later version
    • Citrix Workspace app 2402 or later version
  2. Ensure that at least one Citrix Virtual Apps and Desktops site is configured on Director.
  3. Set up Secure Private Access.
  4. Make sure that the Director server has network connectivity to the Secure Private Access server.

    Note:

    A trusted certificate must be installed on the Secure Private Access server to successfully establish a connection to Citrix Director.

  5. Ensure that the Director admin user has the following permissions:

    1. Secure Private Access Full Admin or ReadOnly Admin in the Secure Private Access Admin console.
    2. Citrix Virtual Apps or Desktops help desk or Full Admin or ReadOnly Admin in the Citrix Studio console.

Configure Director with Secure Private Access

  1. Open a command prompt as an administrator on the machine where Director is installed.
  2. Go to the path of the DirectorConfig tool by running the following command:

    cd c:\inetpub\wwwroot\Director\tools
    
  3. Run the following command to configure Secure Private Access:

    DirectorConfig.exe /configspa
    
  4. Enter the FQDN of the machine where Secure Private Access is installed along with the port number.

  5. Make sure that the connection to the Secure Private Access (server or load balancer) is secure and has a trusted certificate applied to it.

    [Figure: Director SPA config tool]

Note:

The admins must be added to the Secure Private Access console to view the Secure Private Access session details in Director. For more information, see Manage administrators.
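
A pre-flight check for the connectivity and trusted-certificate requirements in the steps above, as an added example (not part of the Citrix documentation or tooling). Run from the Director server, it confirms TCP reachability to the Secure Private Access endpoint and reports whether its certificate validates against this machine's trust store. The function name, the host name `spa.example.internal`, and port 443 are assumptions.

```powershell
# Added example, not Citrix tooling. Run on the Director server before DirectorConfig.exe /configspa.
function Test-SpaTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # Secure Private Access server or load balancer
        [int]$Port = 443                       # assumed; use the port you will give the tool
    )
    $report = [ordered]@{
        Target = "${Fqdn}:$Port"; TcpReachable = $false; CertTrusted = $false
        PolicyErrors = $null; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $state  = @{ Errors = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Fqdn, $Port)
        $report.TcpReachable = $true
        # Record the validation verdict but let the handshake finish so the
        # certificate can still be inspected. No application data is sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $sslPolicyErrors)
            $state.Errors = $sslPolicyErrors
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Fqdn)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $report.Subject      = $cert.Subject
            $report.Issuer       = $cert.Issuer
            $report.NotAfter     = $cert.NotAfter
            $report.PolicyErrors = "$($state.Errors)"
            # Trusted only if the chain builds to a root in this machine's store
            # and the certificate name matches the FQDN that was entered.
            $report.CertTrusted  = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        } finally { $ssl.Dispose() }
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$report
}

# Placeholder host name; replace with your own.
Test-SpaTlsEndpoint -Fqdn 'spa.example.internal' -Port 443 | Format-List
```

A `PolicyErrors` value of `RemoteCertificateNameMismatch` means the FQDN entered does not match the certificate; `RemoteCertificateChainErrors` means the issuing CA is not trusted by the Director server or the certificate is expired or revoked.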

View a Secure Private Access session by user

On the Director dashboard, click Search and enter the user name. The Select a session screen appears.

Full admin:

[Figure: Director SPA Full admin]

Help desk admin:

[Figure: Director SPA help desk admin]

View successfully launched Web apps and SaaS apps

The successfully launched apps are displayed in the Web Apps and SaaS Apps section.

[Figure: Director SPA web and SaaS app]

Click an app from the Web Apps and SaaS Apps section to view the details.

[Figure: Director SPA successful launch]

For more information on success codes, see Citrix Director related codes.

View details about the access denied apps

Click Check Access Details on the Select a session screen.

[Figure: Director SPA check access details]

Note:

The Check Access Details button appears when there is no active session.

Or,

Click the Denied Access tab to view the apps for which the access is denied.

The Denied Access tab opens.

[Figure: Director SPA denied access details]

The session details such as time, resource, endpoint name, and reason for failure are displayed. For more information on error codes, see Citrix Director related codes.

Currently, the following issues are identified:

  • Enumeration denied due to policy conditions
  • App launch error
  • Enumeration errors
  • App launch denied due to policy conditions

Select an app from the Denied Access tab > Resource column to view the details:

[Figure: Director SPA failed access details]

The following details are displayed for the successful or failed sessions:

  • About the app
  • Policy evaluation
  • Session details

About the app

The name of the successful, failed, or denied app is displayed, along with the following details about the success or failure:

| Field | Description |
|---|---|
| Transaction ID | Citrix Transaction ID during the session or enumeration. |
| Accessed URL | The URL accessed during the session or enumeration. |
| Configured policies | The number of policies that are used within a session or enumeration. |
| Reason | The analysis of the session or enumeration activity. |

Policy evaluation

For a successful session, displays that no issues were found during evaluation. For a failed session or enumeration, the following details of the policies evaluated are displayed:

| Field | Description |
|---|---|
| ID | Citrix Transaction ID. |
| Policy Name | The name of the policy. |
| Status | The status of the policy. |
| Action applied | The action applied on the policy. For example, deny access. |

Policy Condition Evaluation

| Field | Description |
|---|---|
| Type | The type of the policy condition. |
| Condition Criteria | The condition criteria of the policy applied in the failed session or enumeration. |
| Value | The value of the policy. |
| Evaluation Status | The evaluation status of the policy. |

Session details

For a failed session, the reason for session failure is displayed. For a successful session, the following details are displayed:

| Field | Description |
|---|---|
| Session State | Displays the state of the session whether it is active or inactive. |
| Start time | Displays the session start time. |
| Last active time | Displays the last active time of the successful session. |
| Gateway Virtual IP | Displays the virtual IP address of the gateway to which the successful session is connected. |
| Contextual Tags | Displays the contextual tags. The contextual tag on the Secure Private Access plug-in is the name of a NetScaler Gateway policy (session, preauthentication, EPA) that is applied to the sessions of the authenticated users. |
| Domains visited (Internal) | Displays the internal domains accessed using the successful session. |
| Domains visited (External) | Displays the external domains accessed using the successful session. |