In this blog we discuss how to use the Citrix Secure Private Access service to enable ZTNA features for SaaS/web applications without the need for a VPN or Citrix XenApp servers.
Publishing an internal SaaS application via Secure Private Access
Navigate to Citrix Cloud and, under my services, select “secure private access”.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ysmf2ay2b0p3pgwxgel.png)
In the Secure Private Access console, click on the Applications tab.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/da5ymi9hm1h1n50xyvrn.png)
Click on “Add an App” to initiate the application addition process.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f7l5tijymzqehecwg1e9.png)
You can either choose one of the pre-configured templates, such as OWA or ServiceNow, or click on “Skip” to skip the templates.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/np87op901c8je9sl09il.png)
In the “App details” section, set “where is the application located?” to “Inside my corporate network”.
Provide the app name, description, category, the web app URL and the domain name that will be used for DNS resolution. For example, if I am publishing http://mymail.amalcloud.xyz, then make sure amalcloud.xyz is configured in the related domains for DNS resolution.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f6smmul9906a95bz3ds2.png)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6rc7kjh0yk5i2zh3c75x.png)
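The related-domain requirement above can be checked before the values are typed into the console. This is an added example, not part of the original post or any Citrix tooling; the function names and the matching rule (exact match or parent domain on a DNS label boundary, with a leading `*.` ignored) are assumptions.

```python
from urllib.parse import urlsplit

def covered_by(host, related_domains):
    """Return the related-domain entry that covers host, or None.

    Assumption: an entry covers the host when it equals the host or is a
    parent of it on a DNS label boundary; a leading "*." is ignored.
    """
    host = host.lower().rstrip(".")
    for entry in related_domains:
        domain = entry.lower().strip().rstrip(".")
        if domain.startswith("*."):
            domain = domain[2:]
        # Compare on a label boundary so "cloud.xyz" does not cover "amalcloud.xyz".
        if domain and (host == domain or host.endswith("." + domain)):
            return entry
    return None

def preflight(app_url, related_domains):
    """Collect findings for one app definition before it is published."""
    parts = urlsplit(app_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not an absolute http(s) URL: " + app_url]
    findings = []
    if covered_by(parts.hostname, related_domains) is None:
        findings.append("no related domain covers " + parts.hostname)
    if parts.scheme == "http":
        findings.append("app URL uses plain http")
    return findings

if __name__ == "__main__":
    # The URL and domain are the ones used in the post; the second case is constructed.
    print(preflight("http://mymail.amalcloud.xyz", ["amalcloud.xyz"]))
    print(preflight("https://mymail.amalcloud.xyz", ["cloud.xyz"]))
```

An empty list means the URL and the related domains are consistent under the assumed rule.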
You can also change the app icon and set the app as a favorite in the workspace app.
You can configure the authentication type in the “single sign on” section. The application can authenticate using SAML, Kerberos and other authentication modes. For this blog, I am skipping the authentication and selecting “Don’t use SSO”.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xjwntw5ltuw9z4vk97bv.png)
In the “app connectivity” section, you specify how connectivity to the app will happen. As we are publishing internal websites, you need to select the connection type “Internal via Connector” and provide the resource location. Deploying a Citrix Connector appliance is mandatory for internal websites to work, because the web traffic traverses the connector appliance to reach the app server.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rgcer5q8sjr9h98dwmx5.png)
Click Finish to complete the app publishing.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xchmqvn8p9v5sd3rhitw.png)
Creating the access policies
Publishing the app does not by itself make it accessible or assign it to any users. To publish an application to end users/groups, we need to create access policies in the Secure Private Access portal.
To create the access policies, click on “access policies” in the left pane and click on “Create policy”.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/44zikabuer6gzr9zudna.png)
In the Create policy wizard, provide the policy name and description, select the applications to be part of the rules, and click Save.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b8wvt9u8t3203jnon09w.png)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a0rwtj26wlqjrxrh091l.png)
Under the policy rules, click on “create rule” to create the access policy rule. This is where the application is published to specific end users/groups.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/88t2nqhfilds76qe5ett.png)
In the Create new rule wizard, provide the rule name and description and click Next.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xbcpncqemloujhc5fk9g.png)
In the conditions tab, set the user* condition to “matches any of” and select the domain. Search for the user/group and click Next.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3cuxtpodhyxptao331o7.png)
Note: Enabling additional access rules such as disabling the clipboard, watermark etc. requires an additional “SPA Advanced” license.
In the “Action” conditions tab, select “allow access” and click Next. Review the settings and click Finish to create the rule.
Once the rule is selected, click on Save and tick the “enable policy on save” box to enable the policy.
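The policy steps above amount to a default-deny model: a published app is reachable only through an enabled policy that lists it and has an allow rule matching the user or one of their groups. The sketch below is an added example, not Citrix's policy engine or part of the original post; the class names, the group names and the assumption that a policy stays disabled unless “enable policy on save” is ticked are all illustrative.

```python
from dataclasses import dataclass, field

ALLOW = "allow access"  # the action chosen in the rule wizard

@dataclass
class Rule:
    name: str
    principals: set        # users/groups picked under "matches any of"
    action: str = ALLOW

@dataclass
class Policy:
    name: str
    apps: set              # applications selected in the Create policy wizard
    rules: list = field(default_factory=list)
    enabled: bool = False  # assumed off unless "enable policy on save" is ticked

def granting_rule(policies, app, user, groups=()):
    """Return (policy, rule) names that give the user the app, else None."""
    identities = {user, *groups}
    for policy in policies:
        if not policy.enabled or app not in policy.apps:
            continue
        for rule in policy.rules:
            if rule.action == ALLOW and identities & rule.principals:
                return policy.name, rule.name
    return None  # published but not assigned: no access

def unassigned_apps(policies, published_apps):
    """Published apps that no enabled policy with an allow rule covers."""
    covered = set()
    for policy in policies:
        if policy.enabled and any(r.action == ALLOW and r.principals for r in policy.rules):
            covered |= policy.apps
    return sorted(set(published_apps) - covered)

# Constructed sample data, not taken from a real tenant.
PUBLISHED = ["mymail", "intranet-wiki"]
POLICIES = [
    Policy("mail-policy", {"mymail"}, [Rule("mail-users", {"AMALCLOUD\\mail-users"})], enabled=True),
    Policy("wiki-policy", {"intranet-wiki"}, [Rule("wiki-users", {"AMALCLOUD\\wiki-users"})]),
]

if __name__ == "__main__":
    print(granting_rule(POLICIES, "mymail", "alice", ["AMALCLOUD\\mail-users"]))
    print(unassigned_apps(POLICIES, PUBLISHED))
```

Running `unassigned_apps` over a hand-maintained inventory of apps and policies shows which published apps nobody can reach yet, such as one whose policy was saved without being enabled.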
You cannot access web applications via HTML5, because Secure Private Access uses the enterprise browser to securely publish the web application. If you try to access the web application via HTML5, you will get the error below.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dffrtx0z5132nj3d33tw.png)
Configure the workspace app using the configuration file, which can be downloaded from “Workspace configuration”.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8hbplimhl9d0ec2872fh.png)
You will be able to see the web application in the workspace client. The web application will open in the enterprise browser that is part of the workspace application.
The application has opened in the enterprise browser.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uw14zlq1np89fo6063xv.png)
Hope this blog is informative to you. Please feel free to share your feedback.