If you are a CISO or a security architect, one of your top priorities has likely become migrating workloads from on premises to the cloud. And you may find yourself in a bit of a Catch-22: Your organization wants to move to SaaS in the cloud, but it still needs web applications hosted within your enterprise data center.

Traditional VPNs can be complex and tough to manage, and they aren’t designed to enable access beyond the boundaries of your enterprise network. Your users require a solution that can provide secure, seamless access with SSO to both SaaS and web applications. And you need it to be easy to configure and manage.

That’s exactly what we’re introducing. With Citrix Gateway Service, you can access web applications hosted within your corporate network from anywhere using Citrix Workspace. From a browser window or the Citrix Workspace app, you can access applications as well as Citrix Virtual Apps and Desktops, SaaS applications, files, and much more without having to establish a full tunnel VPN link. The solution provides a unified hybrid user experience.

But it’s not just about the great end-user experience. IT or security admins can now add secure access controls to SaaS and web apps. The enhanced security controls include watermarks and restrictions on downloads, printing, navigation and clipboard access, as well as web filtering and analytics. These are all part of Citrix Secure Workspace Access, which provides data governance and helps to protect the assets hosted in your SaaS and web applications.

For example, when a user accesses an internally hosted web application, they will see a watermarked page that includes their username and the IP address of the end-user device. This prevents a user from performing an unauthorized action like taking a screenshot or photo.

Admins can configure SSO to web applications and provide a great user experience and greater security through the following SSO options:

  • Form-based SSO – If your backend applications are HTML based, Workspace can read the page and perform SSO on a user’s behalf when they click the web app.
  • 401-based SSO – Both NTLM- and Kerberos-based SSO can be used when the backend server presents a 401 challenge for user authentication.
  • Don’t use SSO – Used to access some internal dashboards that need no user authentication.

How It Works

Citrix Workspace securely connects to the on-prem data center using Citrix Cloud Gateway Connector, which is deployed on premises. This connector acts as a bridge between web apps deployed on premises and Citrix Workspace (or, more specifically, the Citrix Gateway service). These connectors can be deployed in an HA pair and require only an outbound connection. Refer to Gateway connector requirements for more information about requirements, and check out our deployment guide here.

A TLS connection between the Gateway connector and the Gateway service in the cloud secures the on-prem applications that are enumerated into the cloud service. Web applications are accessed and delivered through Workspace using a VPN-less connection. The diagram below shows a deployment.

End-user Experience

Currently, only applications that can be accessed using a browser are supported. Users can use either the Citrix Workspace app or a browser to log in to Citrix Workspace and access these applications.

How do I get started?

SSO and remote access to web apps are available as part of the following service packages:

  • Gateway Service Standard
  • Workspace Standard, Workspace Premium or Workspace Premium Plus

Go to your Citrix Cloud account and request a free trial.

If you already have Citrix Gateway Service, log in to Citrix Cloud today to be guided through setting up SSO for an on-prem web app. And refer to the Citrix Gateway Service documentation page for detailed information on configuring web apps.