Professional Documents
Culture Documents
Citrix SPA LAB Guide
Citrix SPA LAB Guide
LAB MANUAL
Lab Guide | Citrix Systems, Inc | SPA
Table of Contents
Workshop Overview ......................................................................................................................................................................................................................... 3
Lab Manual Overview ....................................................................................................................................................................................................... 4
Workshop Overview
v0.8 - 082222JDW 3
Lab Guide | Citrix Systems, Inc | SPA
Lab Exercise
The virtual machines in this lab are running on Windows Server 2016 and Windows 10 Desktop. At the completion of these
exercises, you will gain valuable hands-on experience in installing, configuring, administering, and supporting Citrix Secure
Private Access (SPA) on Citrix Cloud.
Lab Scenario
WW Labs is a technology company whose infrastructure topology is centrally located in New York City— referenced as NYC in
the company naming convention. The CTO has received a trial account for Citrix SPA on Citrix Cloud and has requested his
team to validate the solution. The Lead Citrix Architect has tasked the Citrix Administrator team to implement a Proof of
Concept (PoC) to simulate Citrix SPA on Citrix Cloud, utilizing the current implementation of Active Directory, web applications,
RDP, and SSH.
The Lead Citrix Architect has designated an isolated environment for the PoC, and various virtual machines have already been
provisioned to verify that the PoC can be easily implemented. The Lead Citrix Architect has instructed the Citrix Administrator
team to meet the following project goals with the Citrix SPA PoC:
Lab Access
As Citrix Cloud is a SaaS offering, product updates and hot fixes are continuously implemented. As a result, you may
notice procedures are different from those described in the step-by-step instructions, and screenshots differ from
what you see on your screen
You should have received an e-mail from Citrix Demo Center; follow the steps in this lab guide to proceed.
1. Click the Demo Center hyperlink in the e-mail to open the lab landing page.
v0.8 - 082222JDW 4
Lab Guide | Citrix Systems, Inc | SPA
2. The Demo Center page will launch that displays all of the connection information for your lab.
Leave this page open for the duration of the workshop for reference.
4. Log On with User name demoadmin and the unique password defined in the Demo Center page
5. Click the Log On button
v0.8 - 082222JDW 5
Lab Guide | Citrix Systems, Inc | SPA
If the Citrix Workspace client is installed on your machine you can safely bypass all prompts for installation.
If the downloaded *.ica file does not auto launch, open the file with Citrix Connection Manager when prompted.
You will perform XenCenter lab exercises inside of the Admin Desktop and all further ADMINISTRATION and CLIENT
testing exercises on the Windows 10 desktop
Module 5 CLIENT testing can also be performed on your local workstation though the Windows 10 desktop is
configured to have all agents installed and is ready to go
8. You have successfully accessed your lab environment when you see the following Admin Desktop.
v0.8 - 082222JDW 6
Lab Guide | Citrix Systems, Inc | SPA
Server List
Credential List
The credentials required to connect to the environment and complete the lab exercises are displayed in the initial Citrix Demo
Center launch page and are unique per student.
Username Password
demoadmin
nsroot
demoroot
root
User2
User3
User4
User5
v0.8 - 082222JDW 7
Lab Guide | Citrix Systems, Inc | SPA
Credits
Title Name
v0.8 - 082222JDW 8
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 9
Lab Guide | Citrix Systems, Inc | SPA
It is assumed that you have an active Citrix Cloud or MyCitrix account. If you do, complete First Time Login - Existing
Account, if you do not have either account type, complete First Time Login - New Account.
Please Note:
All work for this section should be completed on the Admin Desktop.
Only complete this section if you have an existing Citrix Cloud or MyCitrix account. Otherwise skip to the next section.
If the above prompt does not appear, you may not have an account registered to the e-mail address used for this
workshop. Proceed to the next section and create a new account.
v0.8 - 082222JDW 10
Lab Guide | Citrix Systems, Inc | SPA
5. Login with your existing account credentials and click the Sign In button.
This dialogue may not appear if you have logged in recently and already accepted.
v0.8 - 082222JDW 11
Lab Guide | Citrix Systems, Inc | SPA
10. You should now be successfully logged in to your Citrix Cloud tenant for this workshop.
11. Note the tenant CCID value in the upper right hand corner.
All lab exercises are performed inside this tenant. Ensure that you are always working in this tenant if you have
multiple tenants bound to your account.
Only complete this section if you do not have an existing Citrix Cloud or MyCitrix account. Otherwise continue to the
next section.
4. Create your Citrix Cloud account by populating the Name and Password fields.
5. Check the box for ToS acceptance.
6. Click the Continue button.
v0.8 - 082222JDW 12
Lab Guide | Citrix Systems, Inc | SPA
8. Populate the Username field with the e-mail address used to register for Citrix Cloud.
9. Populate the Password field with the password defined in a previous step.
10. Click the Sign In button.
13. Check the e-mail account used to register for Citrix Cloud.
14. Find the e-mail with the Subject line Citrix Cloud: Complete Your Device Registration.
15. Copy the 6-digit verification code from this e-mail into the first field.
v0.8 - 082222JDW 13
Lab Guide | Citrix Systems, Inc | SPA
18. Open an authenticator app of your choice (Microsoft Authenticator, Twilio Authy, etc.).
19. Scan the QR code or enter the Key into your authenticator app.
20. Once the application has been added, type in the next 6-digit code that appears.
21. Click the Verify code button.
v0.8 - 082222JDW 14
Lab Guide | Citrix Systems, Inc | SPA
This dialogue may not appear if you have logged in recently and already accepted.
27. You should now be successfully logged in to your Citrix Cloud tenant.
v0.8 - 082222JDW 15
Lab Guide | Citrix Systems, Inc | SPA
Note that this change is not instantaneous and takes roughly 1-2 minutes to be reflected on the Workspace login page
v0.8 - 082222JDW 16
Lab Guide | Citrix Systems, Inc | SPA
Resource locations contain the resources required to deliver cloud services to your subscribers. You manage these resources
from the Citrix Cloud console. Resource locations contain different resources depending on which Citrix Cloud services you are
using and the services that you want to provide to your subscribers.
In this exercise we will walk you through the installation and configuration of the Connector Appliance software in your on
premises environment.
1. Click the Edit or Add New button for Resource Location in your Citrix Cloud tenant.
4. Make sure Citrix Hypervisor is selected and click the Download Image button
v0.8 - 082222JDW 17
Lab Guide | Citrix Systems, Inc | SPA
5. In the Admin Desktop launch Citrix XenCenter from the Start Menu; it should automatically connect to your host
v0.8 - 082222JDW 18
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 19
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 20
Lab Guide | Citrix Systems, Inc | SPA
You will only be installing one (1) Connector Appliance during this workshop for the sake of brevity. Please note that
in a real environment two (2) Connector Appliances would always be installed for fault tolerance.
During the remainder of this workshop you can safely ignore any messages about only one (1) Connector Appliance
being available.
4. In Google Chrome on your Admin Desktop navigate to the IP Address listed in the previous step in a new tab
5. Set the initial password to Citrix123! and click the Set password button
v0.8 - 082222JDW 21
Lab Guide | Citrix Systems, Inc | SPA
7. Click the Register connector button under the Connector summary heading
v0.8 - 082222JDW 22
Lab Guide | Citrix Systems, Inc | SPA
Depending on your screen resolution you may have to scroll down to see the code input section
v0.8 - 082222JDW 23
Lab Guide | Citrix Systems, Inc | SPA
16. Click the Add Active Directory domain link under the Active Directory domains heading
It may take a few minutes for this step to work successfully if the Connector Appliance needs to pull an update from
Citrix Cloud and update itself. Please wait a few minutes and Sign in again if this occurs.
v0.8 - 082222JDW 24
Lab Guide | Citrix Systems, Inc | SPA
The password for the demoadmin account is in your DemoCenter landing page
20. Back in Citrix Cloud verify that the Connector Appliance shows as available
The Connector Appliances may automatically update themselves and reboot depending on how quickly the prior steps
are performed. The Connector Appliance will show in a down state temporarily in this event.
v0.8 - 082222JDW 25
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 26
Lab Guide | Citrix Systems, Inc | SPA
At this point you will log off the Admin Desktop and perform further efforts on the
Windows 10 Desktop (This will be key for the RDP component in Section 5)
v0.8 - 082222JDW 27
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 28
Lab Guide | Citrix Systems, Inc | SPA
Once logged into the Windows 10 Desktop, use Chrome on the Desktop to reconnect to Citrix.cloud.com and sign back in to
configure SPA
v0.8 - 082222JDW 29
Lab Guide | Citrix Systems, Inc | SPA
In this exercise we will walk you through the process of adding an app and security policy. Then you will log in as a user and
access the app through the portal.
This access method is best for internal applications that don't contain sensitive or private information.
If the First Time Use page appears for Secure Private Access, click the Continue button
2. Verify that the Identity & Authentication node is defined as Use Existing Workspace Authentication with Active Directory
3. Click the Next button
v0.8 - 082222JDW 30
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 31
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 32
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 33
Lab Guide | Citrix Systems, Inc | SPA
Test Application
All testing in this workshop will be performed inside the Windows 10 desktop.
1. Go back to Chrome on the Windows 10 Desktop and then in Citrix Cloud click on the Hamburger Menu and select
Workspace Configuration
v0.8 - 082222JDW 34
Lab Guide | Citrix Systems, Inc | SPA
2. Copy the Workspace URL and launch Workspace in a new tab in the Google Chrome browser inside of the Windows 10
desktop
3. Log in as citrix.lab\user1
4. Click the Log On button
7. Verify that the internal application Doctor Portal launches successfully in the Google Chrome browser inside the Windows
10 desktop
Note the URL displayed when accessing this application via SPA
v0.8 - 082222JDW 35
Lab Guide | Citrix Systems, Inc | SPA
You've just completed adding and accessing a web application that required SPA to log in and see but had no added protection.
This experience should end up feeling just as if you went straight to the web page with Chrome. Though in this case the access
is proxied via the gateway service rather than needing to be done via a VPN or a published browser via CVAD.
v0.8 - 082222JDW 36
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 37
Lab Guide | Citrix Systems, Inc | SPA
In this exercise we will walk you through the process of adding a more secure application and defining a security policy with
restrictions.
This mode allows the user to access resources but the browser interacting with the site is hosted externally using the cloud.
This prevents any "nefarious" activity from impacting the user's machine or the local network. For truly untrusted or dangerous
sites this is the best access method
v0.8 - 082222JDW 38
Lab Guide | Citrix Systems, Inc | SPA
13. Verify that the App Connectivity types are set to Internal
14. Click the Next button
v0.8 - 082222JDW 39
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 40
Lab Guide | Citrix Systems, Inc | SPA
1. In Citrix Cloud click on the Hamburger Menu and select Workspace Configuration
v0.8 - 082222JDW 41
Lab Guide | Citrix Systems, Inc | SPA
2. Copy the Workspace URL and launch Workspace in the Google Chrome browser inside of the Windows 10 desktop
3. Log in as citrix.lab\user2
4. Click the Log On button
v0.8 - 082222JDW 42
Lab Guide | Citrix Systems, Inc | SPA
7. Verify that the internal application Finance Portal launches successfully in the Secure Browser Service inside Google
Chrome on the Windows 10 desktop
8. Verify that security protections such as copy & paste are not functional inside of this session
9. Close the browser tab when complete
If the Finance Portal does not launch, verify that the web browser is not blocking pop-ups and try again
Notice the browser bar in this type of SPA application is the Citrix Enterprise Browser but is rendered inside of
Google Chrome using the Secure Browser Service.
This is a very effective way of providing a more absolute control over website access. The Secure Browser Service (SBS) being
used is hosted externally and has no life or memory beyond the time of the access. SBS is already popular amongst other Citrix
Security Offerings, this is just another way to put it into play for maximum effect
v0.8 - 082222JDW 43
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 44
Lab Guide | Citrix Systems, Inc | SPA
2. Copy the Workspace URL to your clipboard as you will need it to set up the Citrix Workspace application
3. From your Windows 10 desktop launch the Citrix Workspace application from the system tray by double clicking on the
icon
4. Paste the Workspace URL from your clipboard when prompted for your Store URL
5. Click the Continue button
v0.8 - 082222JDW 45
Lab Guide | Citrix Systems, Inc | SPA
6. Log in as citrix.lab\user2
7. Click the Sign In button
v0.8 - 082222JDW 46
Lab Guide | Citrix Systems, Inc | SPA
10. Verify that the internal application Finance Portal launches successfully and a watermark is displayed
11. Notice that the browser is the native Enterprise Browser from the Workspace client
12. Verify security restrictions such as copy and paste functionality
One of the best parts of the EB is that it's often a little faster than the SBS access. While not significant, letting users who have
workspace installed access sites with EB will provide a bit quicker browsing experience.
v0.8 - 082222JDW 47
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 48
Lab Guide | Citrix Systems, Inc | SPA
The Citrix Secure Access agent has been pre-installed on the Windows 10 desktop. You can also install the
components on your local workstation if you prefer. The experience will be the same regardless.
*Installation of the Citrix Secure Access agent on your local workstation requires administrative rights.
v0.8 - 082222JDW 49
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 50
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 51
Lab Guide | Citrix Systems, Inc | SPA
2. Copy this URL as you will need to launch it via the Citrix Secure Access agent
If you are testing this module on your local machine, a ShareFile link will be provided with the proper installation
binaries for the Citrix Secure Access agent. After installation resume the exercise from this point.
v0.8 - 082222JDW 52
Lab Guide | Citrix Systems, Inc | SPA
If you did not log off from the Admin Desktop RDP will not connect due to how RDP and session "stealing" works.
Please be sure to log off the Admin Desktop.
3. Launch the Citrix Secure Access agent from the desktop of the Windows 10 desktop or your local workstation
4. Populate the server URL field with the Workspace URL
5. Click the Connect button
7. Login as citrix.lab\demoadmin
8. Click the Sign In button
v0.8 - 082222JDW 53
Lab Guide | Citrix Systems, Inc | SPA
If your Admin Desktop is opened via ICA at the same time as testing this functionality you will receive a message
stating that the target session is incompatible with the current session. This is expected behavior as you can't have both
sessions (ICA/RDP) running concurrently with the same account.
v0.8 - 082222JDW 54
Lab Guide | Citrix Systems, Inc | SPA
The Citrix Secure Access agent has been pre-installed on the Windows 10 desktop if using your local workstation is
not possible. As before, you can opt to install the Secure Access Client and perform these steps on your local
workstation
*Installation of the Citrix Secure Access agent on your local workstation requires administrative rights.
v0.8 - 082222JDW 55
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 56
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 57
Lab Guide | Citrix Systems, Inc | SPA
The Citrix Secure Access agent should already be installed and/or configured from the previous exercise. Refer to
Exercise 3.1 if this has not been done.
1. If you are still connected from the previous exercise click the Logoff button
1. Click the Connection drop down menu and select the previously configured connection
v0.8 - 082222JDW 58
Lab Guide | Citrix Systems, Inc | SPA
7. Login as citrix.lab\demoadmin
8. Click the Sign In button
v0.8 - 082222JDW 59
Lab Guide | Citrix Systems, Inc | SPA
You've now shown that by using web filtering, users can access specific internal resources without the need to distinctly
publish the specific page. This allows for adding multiple resources into a single app/policy while still maintaining security
controls. This won't be as secure as a directly published app with all the access policy options but can work for Intranet sites
not requiring enhanced security.
v0.8 - 082222JDW 60
Lab Guide | Citrix Systems, Inc | SPA
The Citrix Secure Access agent has been pre-installed on the Windows 10 desktop if using your local workstation is
not possible. As mentioned before, the experience will be the same regardless of access method.
*Installation of the Citrix Secure Access agent on your local workstation requires administrative rights.
v0.8 - 082222JDW 61
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 62
Lab Guide | Citrix Systems, Inc | SPA
v0.8 - 082222JDW 63
Lab Guide | Citrix Systems, Inc | SPA
The Citrix Secure Access agent should already be installed and/or configured from the previous exercise. Refer to
Exercise 3.1 if this has not been done.
1. If you are still connected from the previous exercise click the Logoff button
1. Click the Connection drop down menu and select the previously configured connection
v0.8 - 082222JDW 64
Lab Guide | Citrix Systems, Inc | SPA
7. Login as citrix.lab\demoadmin
8. Click the Sign In button
10. Launch your preferred SSH client such as PuTTY (The download for Putty is provided for local machine or the client is
already installed on the Windows 10 Desktop)
11. Populate IP address field with 172.30.200.10
12. Click the Open button
v0.8 - 082222JDW 65
Lab Guide | Citrix Systems, Inc | SPA
14. Login as nsroot with the password from the DemoCenter landing page
15. Verify that you are connected via SSH
Congratulations, you are done. With this last exercise you've seen several ways to allow access to company internal assets
while also minimizing that access in a very controlled way. This is obviously the tip of the iceberg and your sales and SE teams
would be more than happy to go into other scenarios far more specific to your company's use cases. There is a whole world
beyond what you've seen here that we just can't show all of in the time allotted. We really hope you've enjoyed your time here
and we hope to see you again as you follow your journey into next generation secure access.
v0.8 - 082222JDW 66