VPNs are out, ZTNA is in

Citrix Secure Private Access provides zero trust network access (ZTNA) to deliver, secure, and manage any application for any user on any device — both managed and unmanaged — on-premises and in the cloud. More secure than a virtual private network (VPN) for protecting corporate data, Citrix Secure Private Access is an ideal VPN replacement. If you use NetScaler Gateway as a VPN with the Secure Access Client, you can easily roll out ZTNA using the same client for a seamless migration with no impact to your workforce. And because Citrix Secure Private Access is included in the Citrix platform, you can quickly extend ZTNA to web and SaaS applications — for no extra cost.

VPN challenges

VPNs rely on a perimeter-based security model, which is less effective in today's distributed and cloud-based environments. As more resources move outside the traditional network perimeter, VPNs become less effective at protecting these resources, increasing the attack surface. ZTNA is superior to traditional VPNs for remote access security. Unlike VPNs, which grant broad access once a user is authenticated, ZTNA operates on a "never trust, always verify" principle. With ZTNA, access is continuously validated based on user identity and context, significantly reducing the attack surface.

	VPN challenges	ZTNA advantages
Attack surface	VPNs use a perimeter security model, provide broad network access, and lack granular controls — all of which open the door to lateral movement within the corporate network by bad actors seeking to exploit other vulnerabilities and gain access to critical systems	ZTNA continuously validates user identity, location, and device and network status before granting access only to specific applications rather than the entire network, which significantly reduces the attack surface and minimizes the chance of an attack spreading across the corporate network
Granular access control	VPNs provide access through a secure tunnel, but that access is less restricted, increasing the potential attack surface	ZTNA provides granular access based on user roles and specific application needs so that users only get access to the applications they need, minimizing the risk of lateral movement by attackers
Performance	VPNs backhaul traffic through a central data center, which introduces latency that negatively impacts user experience	ZTNA connects users directly to the applications they need without routing traffic through a corporate data center, reducing latency and improving performance
Scalability and flexibility	VPNs often rely on legacy infrastructure that can be cumbersome to scale and maintain, especially in a work-from-anywhere scenario	ZTNA is designed to support modern, cloud-based environments and can easily scale to accommodate a growing number of remote user
Compliance and governance	VPNs allow broad access, which can make it challenging to meet compliance requirements for HIPAA, GDPR, and PCI-DSS and other regulations, which often mandate strict access controls and least-privilege access	ZTNA limits access to only specific applications and data, which reduces the risk of unauthorized access and helps organizations meet compliance requirements more effectively
User experience	VPNs often result in slower connections and can be less user friendly	ZTNA provides a better user experience due to its seamless and direct connections to applications, which affords faster and more reliable access
Management	VPNs are time-consuming to manage and maintain and make it challenging to secure endpoints at scale	ZTNA streamlines management with dynamic policy enforcement and enhanced monitoring, minimizing the likelihood of security misconfigurations

How Citrix Secure Private Access solves VPN challenges

A comprehensive ZTNA solution, Citrix Secure Private Access provides secure, identity-aware access to applications and data in hybrid environments. It uses the zero trust principles of deny-by-default and least-privilege access to ensure that access is continuously verified and contextual, reducing the risk of unauthorized access and data breaches.

Compared to a VPN, Citrix Secure Private Access delivers more flexible connectivity and better security

Remote and hybrid work

Liberate your workers from slow and glitchy VPNs with fast direct access to applications based on their identity

BYOD programs

Give your workers the freedom to use their personal devices (bring your own device, or BYOD) to securely access corporate resources in compliance with corporate security policies

Hybrid environments

Ensure consistent security policies for worker access to applications hosted across on-premises and cloud environments

ZTNA capabilities of Citrix Secure Private Access

Identity aware

Before a session is established, Citrix Secure Private Access authenticates a user’s identity using device posture assessment, multi-factor authentication (MFA), and adaptive authentication. This information is then used for contextual application access and single sign-on.

Citrix StoreFront integration

Citrix Secure Private Access integrates with Citrix StoreFront — the portal where users access their virtual desktops and applications via single sign-on (SSO) — to enforce access policies at a single point. And, conveniently for users, they can see and access all of their approved applications in Citrix StoreFront, including web and SaaS applications as well the applications they access through VDI.

User authentication

When a user attempts to access applications or desktops through Citrix StoreFront, Citrix Secure Private Access ensures that the user is authenticated using identity-aware authentication methods for added security, including MFA.

Adaptive authentication

Citrix Secure Private Access uses adaptive authentication methods that can adjust based on the risk profile of the user’s activity. For example, users attempting to access sensitive applications may be required to provide additional verification.

Logging and monitoring

Detailed logging and monitoring help you meet regulatory requirements and improve your overall security posture.

Zero trust context

Citrix Secure Private Access uses the zero trust principle of "never trust, always verify" to ensure that access to applications and data is continuously verified. Access policies are dynamically evaluated based on contextual factors like user location, device status, and network trust. For example, access might be restricted or additional authentication might be required if a user connects from an untrusted network.

User identity

Unified identity management: Citrix Secure Private Access integrates with identity and access management (IAM) solutions like Cisco Duo, Ping, Entra ID, and Okta to ensure that user identities are verified and managed consistently. This integration supports single sign-on (SSO) and multi-factor authentication (MFA) to enhance security.
Role-based access control (RBAC): Least-privilege access rights are assigned based on the user’s role within the organization, ensuring that users only have access to the applications and data necessary for their job functions.
Verification: User identity is verified through strong authentication methods, including MFA, to confirm the identity of the user before granting access.

Device posture

Compliance checks: Real-time assessments of the device’s security posture include checking for antivirus status, OS updates, and other compliance requirements.
Endpoint management: Devices must meet certain security standards before access is granted, ensuring that only secure and compliant devices can connect to the network.

Location and network context

Geolocation: Access policies can take the user’s geographic location into account. For example, access may be restricted or additional authentication may be required if a user is attempting to connect from an unusual or high-risk location.
Network trust: Connections from unknown or untrusted networks can trigger stricter access controls or be blocked entirely.

Flexible access

Citrix Secure Private Access provides flexible options for your secure access needs with both agent-based and agentless options that allow you to balance advanced security with ease of use.

Agent-based secure access

Agent-based access requires installing a client or agent software on the user's device – unless you are already using NetScaler as a VPN. That’s because a NetScaler VPN shares the same agent as Citrix Secure Private Access, so new installs or upgrades are needed. Agent-based access is best for:

Managed devices: Ideal for corporate-owned devices in environments requiring strict security controls and comprehensive endpoint management.
Comprehensive security controls: Agent can enforce security policies on the endpoint, such as antivirus checks, firewall settings, and compliance with corporate security standards.
Device posture assessment: Agent continuously assesses the device's security posture, ensuring it meets the organization’s requirements before granting access to applications.
Full visibility and monitoring: Provides detailed insights into user activities, device status, and network traffic, enabling better monitoring and threat detection.
Dynamic access revocation: Enforces continuous zero trust network access so that if a user's behavior, device posture, or context changes and no longer meets the set security policies, access can be immediately revoked.
Advanced capabilities: Supports advanced capabilities like secure tunneling and encryption and, with the use of Citrix Enterprise Browser, also supports data loss prevention (DLP) measures.

Agentless browser-based secure access

Agentless access provides quick, easy, and flexible access through a secure web browser without compromising basic security requirements and is best for:

Ease of use: Users access resources through a standard web browser, eliminating the need for software installation, or through Citrix Enterprise Browser.
Unmanaged devices: Ideal for employees, partners, and contractors using personal devices because it does not require installing software on their devices.
Standard security controls: Ensures secure connections with web-based secure access methods, such as reverse proxies, without compromising security.
Full visibility and monitoring: Provides detailed insights into user activities, device status, and network traffic, enabling better monitoring and threat detection.
Dynamic access revocation: Enforces continuous zero trust network access so that if a user's behavior, device posture, or context changes and no longer meets the set security policies, access can be immediately revoked.
Quick deployment: Faster to deploy because it does not require installation software on users’ personal devices, making it easier to support bring-your-own device (BYOD) initiatives.
Temporary access: Provides quick, temporary access to resources without the need for software installation.

Application aware

Instead of granting broad network access, Citrix Secure Private Access enforces policies that grant access to specific applications. This reduces the attack surface by limiting user access to only the applications that are necessary for the user’s job function.

Application-specific access controls include:

Granular access: Access is granted on a per-application basis, ensuring that users can only access the specific applications they are authorized to use. This minimizes the risk of unauthorized access to other network resources
Policy enforcement: Access policies are defined based on user roles, device posture, and other contextual factors to determine which applications a user can access and under what conditions.
Continuous monitoring: Application access is continuously monitored, and any deviations from normal behavior can trigger security responses, such as additional verification steps or session termination.
Remote browser isolation: Secure access to unsanctioned websites via remote browser isolation protects against malware, phishing, and other web-based threats by executing web browsing sessions in the cloud, rather than on the user's local device.

ANALYST REPORT

Careful considerations for choosing a zero trust network access product and vendor

Get the report

What makes ZTNA with Citrix different

ZTNA does not need to be expensive or complex to implement. Because the Citrix platform is built with a zero trust architecture that protects all applications — not just VDI — there’s no need to buy additional point solutions to cobble together a ZTNA solution when you already have one.

ZTNA with Citrix Secure Private Access provides:

Faster deployment

For deployment flexibility, Citrix Secure Private Access is available as a cloud service (Citrix Secure Private Access service), on-premises (NetScaler Gateway), and as a hybrid deployment.
Quickly secure managed and unmanaged devices in accordance with deny-by-default and least-privilege access principles that are built into the zero trust access architecture of Citrix VDI.
The same Citrix Secure Access Client you already use makes it easy to switch from a VPN to ZTNA with Citrix Secure Private Access.
If you use NetScaler as a VPN with the Citrix Secure Access Client, then implementing ZTNA is easy — simply turn on Citrix Secure Private Access on the NetScaler Gateway for on-premises deployments or connect to the Citrix Secure Private Access service for cloud deployments.

Easier management

A single-vendor solution provides operational consistency for all application delivery, access security, and VDI needs.
Use Citrix capabilities that you already have, like Citrix Director, for managing and monitoring secure access.
Gain end-to-end observability with included Citrix uberAgent for faster troubleshooting and resolution.

Consistent security

Citrix Secure Private Access enables consistent zero trust security by providing common identity, device posture, and security policies and integrations for virtualized, web, and client-server applications.
Integrates with all third-party identity providers, including Cisco Duo, Ping, Entra ID, and Okta, to enable single sign-on (SSO) for all applications.
Granular controls enforce consistent security policies across all users and devices to protect against compromised credentials or insider threats.
Users get the same Citrix Workspace experience of accessing virtual applications and desktops but in a secure browser.
Citrix Secure Private Access complements the secure web gateway (SWG) and cloud access security broker (CASB) capabilities of a security service edge (SSE) solution that you may already be using to secure external traffic.

Better end-user experience

Users save time with SSO access to all of their applications — including web and SaaS applications as well as the applications they access through VDI — which are displayed in a single consolidated Citrix StoreFront.
Users are more productive because they can conveniently access applications securely and quickly from any device or location without the frustration of slow and dropped VPN connections.

ZTNA with Citrix Secure Private Access graph

Capabilities only Citrix Secure Private Access offers

On-premises deployment mode

Routes traffic entirely through your on-premises Citrix environment, making it easier to get security approval because it uses existing approved components

Flexible authentication

Works seamlessly with modern authentication methods as well as legacy authentication methods like Kerberos and NTLM; supports form-based authentication; and eliminates the need to rewrite authentication protocols for legacy applications

Attribute-based IdP selection

Supports attribute-based identity providers, which is a common use case for M&A

Cloud VDI-to-data center secure application access

Provides secure access on a per-application basis from cloud VDI to internal applications in a data center or private cloud without using Azure ExpressRoute or any other VPN solution; uses microsegmentation for granular access control to on-premises resources from cloud VDI; and supports single and multi-session VDI

Remote browser isolation

Provides a seamless workflow for admins to configure end-user access permissions for launching web applications in a remote browser in the cloud

Unified end-user experience

Integrates with Citrix StoreFront — a secure portal that uses SSO to enforce access policies at a single point — which conveniently allows users to access all of their approved applications, including web and SaaS applications as well as VDI applications, in one place

Unified admin experience

Provides a much simpler admin experience because admins can click a button in Citrix Web Studio to access the Citrix Secure Private Access UI to configure access to web and SaaS applications

Unified support experience

Makes it easy to pinpoint issues because a single admin portal for management and operations and the use of a single tool, Citrix Director, streamlines help desk triage and the troubleshooting of virtual and private applications

VPN and ZTNA co-existence

Enables a seamless transition from VPN to ZTNA on an end-user device because NetScaler Gateway (configured as a VPN) and the Citrix Secure Private Access agent are built with the same code base, allowing for a smooth and phased VPN-to-ZTNA migration instead of a forklift approach

Citrix Secure Private Access and SASE/SSE co-existence

Complements secure web gateway (SWG) and cloud access security broker (CASB) controls offered by SASE/SSE vendors for securing external traffic

ZTNA for web and SaaS applications

Provides secure access to all applications — including web and SaaS applications in addition to proprietary applications and VDI applications — on-premises and in the cloud, effectively reducing the complexity of managing multiple ZTNA solutions

Reduced costs

Comes included in the Citrix Platform License, providing the opportunity for both vendor and cost consolidation

Key ZTNA use cases for Citrix Secure Private Access

A modern zero-trust security model is preferable to traditional perimeter security, but you can begin implementing zero-trust capabilities in a phased approach while also using a VPN. It’s common to start with ZTNA for unmanaged devices for remote and hybrid employees and contractors as a first step.

Employee access to private web, TCP, and UDP applications from managed devices

Citrix Secure Private Access provides better company data protection and context-based authentication to provide just-enough access rights to employees' required resources. Allowing employees to access private web applications using their preferred browsers improves the user experience. Employees can also access client-server (TCP and UDP) applications without any additional setup by admins, making the access process seamless and hassle free for IT and employees.

Contractor access to private web applications from unmanaged devices and native browsers

Citrix Secure Private Access provides secure and contextual-based access to SaaS and internal web applications through a unified portal or direct link using a native browser. Applications configured with contextual policies will launch in an isolated remote browser to mitigate threats, enforce additional security policies, and protect sensitive data by creating an air gap between the user's device and the application.

Cloud VDI user access to private applications from cloud VDI without a VPN

Allowing employees, partners, and contractors to use their own devices can pose a security risk. To mitigate this risk, companies deploy VDI in the cloud, isolated from their company networks. After users log on to their cloud desktops, Citrix Secure Private Access automatically establishes a secure connection to the company network, granting the user access to private applications using a zero-trust approach. This robust security measure ensures data security and provides an air gap between the user's device and the company network.

IT/ VPN admin access management of managed devices over ZTNA connectivity

Maintaining and securing company devices can be difficult, especially the devices of remote employees and employees who travel frequently. Citrix Secure Private Access helps IT admins establish a zero-trust-based machine tunnel after the device starts, which allows devices to remain compliant so that company application and data access can be granted.

ZTNA capabilities of Citrix Secure Private Access

Expand all

Identity aware

Before initiating a session, Citrix Secure Private Access verifies a user's identity using single sign-on, device posture assessment, multi-factor authentication (MFA), and adaptive authentication. After establishing a secure session, continuous monitoring ensures adherence to security policies.

Acts as an identity broker for M&A scenarios
User authentication across Microsoft Entra ID, Okta, Google Identity, Active Directory, SAML 2.0 IdP, and more
Attribute-based IdP selection for authentication
Conditional-authentication with multi-factor authentication MFA
Machine-based authentication

Zero-trust context

Citrix Secure Private Access employs the zero trust principle of "never trust, always verify" to continually validate access to applications and data. Access policies adapt dynamically based on contextual factors such as user location, device status, and network trust. For instance, access may be restricted or additional authentication required if a user connects from an untrusted network.

Device posture checks
Generic and vendor-specific checks
CrowdStrike and Intune integration
Network location and geolocation
Continuous monitoring and enforcement
Dynamic access revocation
Adaptive data leak security controls

Flexible access

Citrix Secure Private Access offers flexible choices for secure access with both agent-based and agentless options, providing a balance between advanced security and convenience for the user.

Agentless with Citrix Enterprise Browser for web and SaaS applications
Agentless with native browser for web applications
Agent-based for TCP and UDP applications
Managed and unmanaged devices
Employees, partners, and contractors

Application access

Citrix Secure Private Access enforces policies that provide access to specific applications rather than broad network access. This approach minimizes the attack surface by ensuring that users can only access the applications necessary for their job roles.

FQDN, IP: port: protocol, IP range, CIDR block, domain name (single or wildcard)
Automated application discovery and publishing
Policy definitions, intuitive rule builder
Single sign-on support (SSO)
SAML
Kerberos
Form-based
Basic

RESOURCES

Learn more about ZTNA with Citrix Secure Private Access

Technical brief

Tech brief: Citrix Secure Private Access

Read article

Blog

How to set up BYOD users with cloud-hosted virtual desktops for zero trust network access to private applications

Read article

Data sheet

Data sheet: Citrix Secure Private Access

Read the data sheet