Secure Private Access integration with Director (Preview)

The Secure Private Access integration with Director allows a help desk admin or a full admin to monitor and troubleshoot all Secure Private Access sessions in Director. To support this feature, you must use the 2402 or later versions of Director, Secure Private Access, Citrix Workspace app, and VDA.

Available actions include viewing the details of the following:

  • Secure Private Access active sessions for a user under the Select a Session popup > Sessions tab > Web SaaS and Client/Server Apps
  • Secure Private Access failed or blocked enumerations and failed app launches under the Select a Session popup > Denied Access tab
  • Session and application details view for active and failed app launches
  • Session and application details view for failed and blocked enumerations

Note:

The Secure Private Access integration with Director is supported only with Director Forms-based authentication. It is not supported with Integrated Windows Authentication or smart card-based authentication.

Prerequisites

  1. To support this feature, you must use the following:

    • Director 2402 or later version
    • Secure Private Access 2402 or later version
    • Citrix Workspace app 2402 or later version
  2. Ensure that at least one Citrix Virtual Apps and Desktops site is configured on Director.
  3. Set up Secure Private Access.
  4. Make sure that the Director server has network connectivity to the Secure Private Access server.

    Note:

    A trusted certificate must be installed on the Secure Private Access server to successfully establish a connection to Citrix Director.

  5. Ensure that the Director admin user has the following permissions:

    1. Secure Private Access Full Admin or ReadOnly Admin in the Secure Private Access Admin console.
    2. Citrix Virtual Apps or Desktops help desk or Full Admin or ReadOnly Admin in the Citrix Studio console.

Configure Director with Secure Private Access

  1. Open a command prompt as admin on the machine where Director is installed.
  2. Go to the path of the DirectorConfig tool by running the following command:

    cd c:\inetpub\wwwroot\Director\tools
    
  3. Run the following command to configure Secure Private Access:

    DirectorConfig.exe /configspa
    
  4. Enter the FQDN of the machine where Secure Private Access is installed along with the port number.

  5. Make sure that the connection to the Secure Private Access (server or load balancer) is secure and has a trusted certificate applied to it.

    Director SPA config tool

Note:

The admins must be added to the Secure Private Access console to view the Secure Private Access session details in Director. For more information, see Manage administrators.
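
Steps 4 and 5 of the configuration depend on the Director server reaching the Secure Private Access endpoint over TLS with a certificate that the Director machine trusts. The following PowerShell pre-flight check is an added example, not part of the Citrix tooling; the function name Test-SpaEndpoint, the FQDN spa.example.internal, port 443, and the pinning to TLS 1.2 are assumptions for illustration.

```powershell
# Added example (not Citrix code): run on the Director server before
# DirectorConfig.exe /configspa. Host name and port are placeholders.
function Test-SpaEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $report = [ordered]@{
        Host = $HostName; Port = $Port; TcpReachable = $false; TlsTrusted = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # 1. Plain TCP reachability from Director to the SPA server or load balancer.
        $client.Connect($HostName, $Port)
        $report.TcpReachable = $true

        # 2. TLS handshake with default validation (no custom callback): the chain
        #    is checked against this machine's trust store and the certificate
        #    name against $HostName. TLS 1.2 is pinned here as an assumption;
        #    the last argument leaves revocation checking off to avoid false
        #    failures where the CRL endpoint is unreachable from the server.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $report.TlsTrusted = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject  = $cert.Subject
        $report.Issuer   = $cert.Issuer
        $report.NotAfter = $cert.NotAfter
    }
    catch {
        # Typical causes: port blocked, untrusted issuer, expired certificate, name mismatch.
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$report
}

# Placeholder FQDN and port: substitute the values you will enter in step 4.
Test-SpaEndpoint -HostName 'spa.example.internal' -Port 443 | Format-List
```

If TcpReachable is False, look at routing or firewall rules between the two servers; if TcpReachable is True but TlsTrusted is False, the Error field usually points to the certificate chain, expiry, or a name mismatch with the FQDN entered.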

View a Secure Private Access session by user

On the Director dashboard, click Search and enter the user name. The Select a session screen appears.

Full admin:

Director SPA Full admin

Help desk admin:

Director SPA help desk admin

View the Activity Manager for Secure Private Access session

Citrix Director offers the Activity Manager view for Secure Private Access sessions which gives you an overall view of the session activities. The Activity Manager provides a comprehensive view of all apps and desktops that are successfully opened, failed to open, and the outcome of the policies set in the Secure Private Access app. This feature is available from Citrix Virtual Apps and Desktops version 2407 or later.

Prerequisites:

  • Director 2407 or later version
  • Secure Private Access 2407 or later version

The Activity Manager is displayed with the Available Apps and Launched Apps details. You can find the following session details:

  • Launch time
  • Resource name
  • Resource type
  • Accessed resource
  • Status
  • Transaction ID

To view the Activity Manager, do the following:

  1. On the Director dashboard, click Search and enter the user name. The Select a session screen appears.
  2. Select a session that is opened using Secure Private Access. The Activity Manager for the selected session appears.

    Activity Manager

  3. Click Available Apps to view apps that are available in the Citrix Workspace app, or click Launched Apps (sessions) to view the apps that are opened in the Citrix Workspace app.

You can filter the resources with the status of the resource set in the Secure Private Access app:

  • Allow - Resources that are allowed for a user to access. This status is set using a policy under the Secure Private Access app. This resource is present for the user in the Citrix Workspace app.
  • Deny - Resources that are denied for a user to access. This status is set using a policy under the Secure Private Access app. This resource is present for the user in the Citrix Workspace app.
  • Error - Resources that a user is allowed to access under the Secure Private Access app. However, because of some error, the resource isn’t available in the Citrix Workspace app. There are two types of errors: enumeration error and session error.

View available apps

The Web and SaaS apps that are available in the Citrix Workspace app are displayed under the Available Apps section. This section shows the last enumeration attempt of the apps and the status of the enumeration attempt.

You can view the following details:

  • Resource name
  • Status
  • Transaction ID

You can also filter the preceding details with the application status such as Allow, Deny, and Error. You can also sort the details using the up and down arrow.

Note:

TCP/UDP apps aren’t present in the Available Apps section.

View launched apps

The apps that are opened in the Citrix Workspace app are displayed under the Launched Apps (sessions) section. You can view the following details:

  • Launch time
  • Resource name
  • Resource type
  • Accessed resource
  • Status
  • Transaction ID

You can also filter the preceding details with the application status such as Allow, Deny, and Error. You can also sort the details using the up and down arrow.

Session topology view for Secure Private Access apps

You can view the session topology for the apps opened using Secure Private Access. Click the required app from the Activity Manager to view the Session Topology of the selected app.

Activity Manager

Session Topology

Session Topology view provides the flow of the app launch process. The endpoint connects to the Citrix Gateway and Citrix Gateway connects to the Secure Private Access plug-in. Using the information from the Secure Private Access plug-in, the app is launched. This feature is available from Citrix Virtual Apps and Desktops version 2407 or later.

Prerequisites:

  • Director 2407 or later version
  • Secure Private Access 2407 or later version
  • Citrix Secure Access 24.8.1.x or later version

You can view the following:

  • Endpoint - Displays the endpoint where the app is opened. The possible options are Citrix Workspace app and Citrix Secure Agent. The device ID is displayed.
  • Internal network - Displays the number of enumerated apps and the number of configured policies.
  • Policy evaluation - Displays the result of the policy that is set on the Secure Private Access app. The different values are Allowed, Denied, Access allowed with restrictions, and Error.
  • App launched - Displays the type of apps and the status of app launch. The possible values for app types are Web/SaaS app or TCP/UDP app. Similarly, the possible values for app launch statuses are Allowed, Denied, Access allowed with restrictions, and Error.

View successfully launched Web apps and SaaS apps

The successfully launched apps are displayed on the Web SaaS and Client/Server Apps section.

Director SPA web and SaaS app

Click an app from the Web SaaS and Client/Server Apps section to view the details.

Director SPA successful launch

For more information on success codes, see Citrix Director related codes.

View details about the access denied apps

Click Check Access Details on the Select a session screen.

Director SPA check access details

Note:

The Check Access Details button appears when there is no active session.

Or,

Click the Denied Access tab to view the apps for which the access is denied.

The Denied Access tab opens.

Director SPA denied access details

The session details such as time, resource, endpoint name, and reason for failure are displayed. For more information on error codes, see Citrix Director related codes.

Currently, the following issues are identified:

  • Enumeration denied due to policy conditions
  • App launch error
  • Enumeration errors
  • App launch denied due to policy conditions

Select an app from the Denied Access tab > Resource column to view the details:

Director SPA failed to access details

The following details are displayed for the successful or failed sessions:

  • About the app
  • Policy evaluation
  • Session details

About the app

The name of the successful, failed, or denied app is displayed. Along with it, the following details of the app for the success or failure are displayed:

  • Transaction ID - Citrix Transaction ID during the session or enumeration.
  • Resource Type - Displays the type of the resource. The possible values are Web, SaaS, TCP/UDP (Server to Client), and TCP/UDP (Client to Server).
  • Accessed Resource - The URL of the accessed resource during the session or enumeration. In the case of a TCP or UDP app, it shows whether the type of accessed resource is TCP or UDP.
  • Configured policies - The number of policies that are used within a session or enumeration.
  • Reason - The analysis of the session or enumeration activity.
  • Applied Security Restrictions - Displays the security restrictions that are applied in the Secure Private Access app.

Policy evaluation

For a successful session, displays that no issues were found during evaluation. For a failed session or enumeration, the following details of the policies evaluated are displayed:

  • ID - Citrix Transaction ID.
  • Policy Name - The name of the policy. If there are multiple policies, the first policy that is matched with the set condition appears.
  • Status - The status of the policy.
  • Action applied - The action applied on the policy. For example, deny access.

Policy Condition Evaluation:

  • Type - The type of the policy condition.
  • Condition Criteria - The condition criteria of the policy applied in the failed session or enumeration.
  • Value - The value of the policy.
  • Evaluation Status - The evaluation status of the policy. The different values are Allowed, Denied, Access allowed with restrictions, and Error.

Session details

For a failed session, the reason for session failure is displayed. For a successful session, the following details are displayed:

  • Session State - Displays the state of the session whether it is active or inactive.
  • Start time - Displays the session start time.
  • Last active time - Displays the last active time of the successful session.
  • Gateway Virtual IP - Displays the virtual IP address of the gateway to which the successful session is connected.
  • Contextual Tags - Displays the contextual tags. The contextual tag on the Secure Private Access plug-in is the name of a NetScaler Gateway policy (session, preauthentication, EPA) that is applied to the sessions of the authenticated users.
  • Domains visited (Internal) - Displays the internal domains accessed using the successful session.
  • Domains visited (External) - Displays the external domains accessed using the successful session.

Known issues

  • In the case of a TCP or UDP app, the enumeration details are not displayed in the Activity Manager page.
  • You might notice that the terminated sessions are available as active in the Session Selector pop-up.