Secure Private Access On-Premise

Tunnel resources to your remote workforce, without having to tie down a full VPN tunnel? Yes please.

As of now, the on-premise Secure Private Access implementation only supports URLs (web applications) on Windows and Apple computers. It also requires a lot of manual configuration, because the feature relies on NetScaler, Storefront, and the Delivery Controllers together to define the resources.

NetScaler Settings

First, add your Storefront URL to the Domains for Clientless Access bypass list:

bind policy patset ns_cvpn_default_bypass_domains <FQDN Storefront URL>

Next, create Session Actions similar to those shown here, replacing the placeholders in angle brackets with your Storefront FQDN, store name, and NetBIOS domain name.

add vpn sessionAction vpn._WebReceiverSecureBrowse_Profile -sessTimeout 30 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -wihome "https://<FQDN Storefront URL>/Citrix/<Storename>Web/" -ClientChoices ON -ntDomain <NetBios Domain Name> -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -AdvancedClientlessVpnMode ENABLED
add vpn sessionAction vpn._NativeReceiverSecureBrowse_Profile -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://<FQDN Storefront URL>/Citrix/<Storename>" -ClientChoices OFF -ntDomain <NetBios Domain Name> -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://<FQDN Storefront URL>" -iconWithReceiver ON -AdvancedClientlessVpnMode ENABLED

Create Session Policies that tie the Session Actions to the gateway. Even though you are using a native Workspace app instance, the Web Receiver policy is still evaluated, so you need both policies.

add vpn sessionPolicy vpn._NativeSecureBrowse "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" vpn._NativeReceiverSecureBrowse_Profile
add vpn sessionPolicy vpn._WebSecureBrowse "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" vpn._WebReceiverSecureBrowse_Profile

Create an HTTP profile and bind it to both your Citrix Gateway and your Storefront load balancer:

add ns httpProfile nshttp_default_profile_Drop_Extra_Data -dropInvalReqs ENABLED -dropExtraData ENABLED -http3 ENABLED

Create a Citrix Gateway virtual server. Set it up as normal, and make sure the following settings are in place:

  1. Set ICA Only to false.
  2. Bind an SSL certificate; it must be set up for clientless access (for example, vpn.website.com and *.vpn.website.com must both be present as SAN names on the certificate).
  3. Use an Authentication Profile for authentication.
  4. Bind STAs, either directly or globally.
  5. Use a hardened SSL profile (see my wiki page on getting an A+ on your certs).

Storefront Settings

Create a new Store specifically for Secure Private Access and set it up as you normally would.

Create a Citrix Gateway definition for the URL you used above in the Citrix Gateway configuration. Make sure to populate the Callback URL field.

On Authentication Methods, under Pass-through from Citrix Gateway, select Fully delegate credential validation to Citrix Gateway.

Under Manage Receiver for Web Sites -> Advanced, set Enable loopback communication to OnUsingHTTP.

In File Explorer, go to C:\inetpub\wwwroot\Citrix\<storename> and create a Resources folder.

Under that Resources folder, create a SecureBrowser folder.

Under that SecureBrowser folder, create a policy.json file with the following content. Add a separate {} object under policies for each URL you are publishing with SPA, and adjust the policy settings as needed for your environment.

{
  "policies": [
    {
      "name": "<Name of Published Content>",
      "patterns": ["*.<URL of Published Content>/*"],
      "policy": {
        "watermark_v1": "enabled",
        "clipboard_v1": "disabled",
        "printing_v1": "disabled",
        "download_v1": "disabled",
        "upload_v1": "disabled",
        "keylogging_v1": "disabled",
        "screencapture_v1": "disabled",
        "proxytraffic_v1": "secureBrowse"
      }
    },
    {
      "patterns": ["*/*"],
      "policy": {
        "proxytraffic_v1": "direct"
      }
    }
  ],
  "system": {
    "secureBrowseAddress": "https://<URL to Citrix Gateway>"
  }
}
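Hand-editing policy.json for every published URL is where mistakes creep in (a catch-all placed above the published patterns, a resource left on direct instead of secureBrowse, a plain-http gateway address). The following added example, which is not from Citrix and not part of this page, generates the file in the layout shown above with the restrictive settings as defaults and lints an existing one; the app names, hostnames and gateway URL it uses are constructed, and it assumes the first matching pattern wins, as the page's ordering implies.

```python
import json
# Per-resource controls from the page's policy.json. These hardened values are
# this example's defaults, not settings Citrix mandates.
HARDENED = {
    "watermark_v1": "enabled",
    "clipboard_v1": "disabled",
    "printing_v1": "disabled",
    "download_v1": "disabled",
    "upload_v1": "disabled",
    "keylogging_v1": "disabled",
    "screencapture_v1": "disabled",
    "proxytraffic_v1": "secureBrowse",
}

def build_policy(apps, gateway_url):
    """apps: list of (name, host) tuples, one per published URL."""
    policies = [
        {"name": name, "patterns": [f"*.{host}/*"], "policy": dict(HARDENED)}
        for name, host in apps
    ]
    # The page puts the '*/*' catch-all last so unpublished sites go direct;
    # this example assumes the first matching pattern wins, as that layout implies.
    policies.append({"patterns": ["*/*"], "policy": {"proxytraffic_v1": "direct"}})
    return {"policies": policies, "system": {"secureBrowseAddress": gateway_url}}

def lint_policy(doc):
    """Return a list of findings; an empty list means the file looks sane."""
    findings, seen = [], set()
    policies = doc.get("policies", [])
    catch_all = [i for i, p in enumerate(policies) if "*/*" in p.get("patterns", [])]
    if not catch_all:
        findings.append("no '*/*' catch-all rule")
    elif catch_all[0] != len(policies) - 1:
        findings.append("catch-all '*/*' rule is not the last entry")
    for p in policies:
        for pat in p.get("patterns", []):
            if pat in seen:
                findings.append(f"duplicate pattern {pat}")
            seen.add(pat)
        mode = p.get("policy", {}).get("proxytraffic_v1")
        if "*/*" not in p.get("patterns", []) and mode != "secureBrowse":
            findings.append(f"{p.get('name', '?')}: proxytraffic_v1 is {mode!r}, not secureBrowse")
    if not doc.get("system", {}).get("secureBrowseAddress", "").startswith("https://"):
        findings.append("secureBrowseAddress must be an https:// Citrix Gateway URL")
    return findings

if __name__ == "__main__":
    doc = build_policy([("Intranet", "intranet.example.com")], "https://gateway.example.com")
    print(json.dumps(doc, indent=2), lint_policy(doc))
```

Run `lint_policy(json.load(open(path)))` against the policy.json already on a Storefront server to check it before propagating changes.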

Under the C:\inetpub\wwwroot\Citrix\<Storename> folder you will need to edit the web.config. Citrix provides a PowerShell script for generating these changes here.

If you are load balancing your Storefront servers, these modifications might not be copied by the Propagate Changes process, so copy them to each server manually if necessary.

Publish Content on Delivery Controller

You need to create the Web URLs from PowerShell on a Delivery Controller. Follow this guide from Citrix for more info:

https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/secure-private-access-on-premises.html#step-1–publish-a-web-application

The important parts here are the SPAENABLED keyword and the icon creation.
