What’s new

April 2025

  • Device Posture checks on on-premises NetScaler Gateway

    Citrix Device Posture checks can now be configured to work with on-premises NetScaler Gateway. This integration allows administrators to evaluate the security posture of devices attempting to access network resources and ensure that only trusted devices can access corporate resources.

    For details, see the following topics:

  • Key-based authentication for StoreFront to Secure Private Access communication

    A security key-based authentication method is introduced for StoreFront to Secure Private Access communication. Key-based authentication is enabled by default for new customers and disabled for existing customers. Existing customers must enable the security key and run the StoreFront configuration script again. For details, see Configure StoreFront.

  • Support for Web/SaaS apps in ICA Proxy mode

    The ICA Proxy mode now supports enumeration and launching of Web/SaaS applications. This also enables the use of the new StoreFront UI to enumerate apps.

    The ICA Proxy mode support is only available in NetScaler Gateway release 14.1 build 43.x and later. For details on configuration, see NetScaler Gateway session actions settings.

  • Enforce application rules based on the machine’s context

    You can now enforce application access rules based on the machine’s context in addition to the user’s context. You can select the machine or user context when creating an access policy. For details, see Configure access policies for the applications.

  • Exclude domains from being tunneled through NetScaler Gateway

    You can now configure domains to be excluded from interception and tunneling through NetScaler Gateway. Set the application connectivity type to Internal to have a domain intercepted and tunneled, or to External to exclude it. For details, see Configure TCP/UDP apps.

  • DNS over TCP support for Secure Private Access hybrid deployments

    DNS over TCP is now supported for Secure Private Access hybrid deployments. The application FQDNs can now be resolved using TCP.

December 2024

  • Support for Secure Private Access hybrid solution on FIPS platform

    The Secure Private Access hybrid solution is now supported on NetScaler platforms that comply with Federal Information Processing Standards (FIPS) and run the 13.1–37.219 and later FIPS builds. For more information, see Federal Information Processing Standards.

October 2024

Initial release

Citrix Secure Private Access for hybrid deployment allows customers to implement a Zero Trust Network Access (ZTNA) solution using on-premises StoreFront and NetScaler Gateway components and use Citrix Cloud for managing the configuration, administration, and monitoring functions.

The following are some of the key features of the Citrix Secure Private Access for hybrid deployment.

Supported apps

  • Enhanced access restriction options:

    While creating access policies for applications, you can select access restrictions that must be enforced on the applications. These security restrictions are predefined in the system. Admins cannot modify or add other combinations. For details, see Access restriction options.

    Access restrictions

  • Secure Private Access integration with DaaS Monitor:

    Secure Private Access is integrated with Monitor, the monitoring and troubleshooting console for Citrix DaaS. Administrators and help-desk personnel can monitor and troubleshoot Web/SaaS and TCP/UDP app sessions and events from the DaaS Monitor. For details, see Secure Private Access integration with DaaS monitor.

    Application topology of a launched app

    Application topology of an access denied app

  • Application Discovery:

    The Application Discovery feature gives an admin visibility into the external and internal applications (HTTP/HTTPS and TCP/UDP apps) that are being accessed in an organization. This feature discovers and lists all the domains/IP addresses, published or unpublished. Admins can therefore see which domains/IP addresses are being accessed and by whom, and decide whether to publish them as applications, providing access to those users. For details, see Discover domains or IP addresses accessed by end users.

    App discovery page

  • Policy modeling tool:

    The policy modeling tool (Access policies > Policy modeling) gives administrators full visibility into the expected application access result (allowed/allowed with restriction/denied). Admins can check the access results for specific users and add a user condition for contextual tags. For details, see Policy modeling tool.

    Policy modeling

  • Support for Unsanctioned websites:

    Applications (intranet or internet) that are not configured within Secure Private Access are regarded as “Unsanctioned Websites”. By default, Secure Private Access denies access to all intranet web applications if there are no applications and access policies configured for those applications. For all other internet URLs or SaaS applications that do not have an app configured, admins can use the Settings > Unsanctioned Websites tab from the admin console to allow or deny access via Citrix Enterprise Browser. For details, see Unsanctioned websites.

    Configure rules
