Citrix Secure Private Access

Integration of Citrix Secure Private Access with Google Chrome Enterprise Premium

Solution overview

This integrated solution from Citrix enables customers to use Google Chrome Enterprise Premium as the enterprise browser for secure access to private web apps and SaaS applications, with the secure connectivity provided by Citrix Secure Private Access.

The integrated solution consists of the following components:

  • Google Chrome Enterprise Premium (CEP), which includes features such as Data Loss Prevention (DLP), malware and phishing protection, URL filtering, and the Google Admin console.

    • The Google Chrome browser running locally on the client machine acts as a managed browser. A managed browser provides a secure browsing experience for the end user and enforces the security controls based on the policies defined by the administrator.
    • The Google Chrome Enterprise Premium console, accessed via the Google Cloud portal, provides the administration, management, and monitoring console for the Chrome Enterprise Premium security policies.
  • Citrix Secure Private Access, which includes the Citrix Secure Access (CSA) client, the Citrix Cloud console (including the Secure Private Access console for zero-trust access policies to private applications), and Citrix Monitor for monitoring and troubleshooting.

    • The Citrix Secure Access client, running locally on the client machine, enables connectivity to internal applications for the Chrome browser. This client ensures that only traffic originating from the Chrome process is tunneled, as configured by the administrator.
    • The Citrix Secure Private Access service enforces all the access policies configured by the administrator, ensuring that users are granted access only to the web applications the policies permit.

Chrome Enterprise Premium advanced security features

The following are some of the advanced security features offered by Chrome Enterprise Premium:

  • Data loss prevention (DLP): Implement granular controls and policies to prevent sensitive data from being leaked or accidentally shared.
  • Malware deep scanning: Advanced scanning techniques are used to detect and quarantine unknown or high-risk files, preventing the execution of malicious code and protecting against zero-day attacks.
  • Phishing protection: Safeguard users from visiting harmful websites by identifying and blocking phishing attempts, preventing the theft of login credentials and personal information.
  • URL categorization and filtering: Restricts access to websites based on their content category, preventing users from accessing inappropriate or malicious content.
  • Web usage insights and analytics: Provides detailed reports and analytics on web traffic, allowing administrators to monitor user activity, identify potential security threats, and optimize network bandwidth.

For more information, see Chrome Enterprise Premium overview.

Prerequisites for the integrated solution

To ensure optimal integration between the Citrix Workspace app and Chrome Enterprise Premium, the following prerequisites must be met. Meeting these prerequisites results in a more reliable and seamless experience when launching applications from the Citrix Workspace app or the web-based user interface.

  • Configure Chrome as a managed browser: Ensure that the users’ Chrome browser is managed by the organization. For details, see Enroll cloud-managed Chrome browsers. See the notes on the importance of Chrome being managed for proper integration.
  • Set Chrome as the default browser: We recommend that you set Chrome as the default browser or remove all browsers other than Chrome from the device. For details, see Set Google Chrome as your enterprise browser. See the notes on the importance of Chrome being the default system browser for proper integration.
  • Use only managed devices: The devices used to access the applications must be managed by the organization. Otherwise, Chrome enrollment and Chrome as the default browser cannot be enforced at scale. To enforce this requirement, administrators can use Citrix endpoint analysis or the Citrix Device Posture service, which assess the device’s management status and its compliance with the organization’s security requirements.
  • Install the Citrix Secure Access client: To access applications via Google Chrome, users must use managed devices that have the Citrix Secure Access client installed. The client monitors and controls internal web app traffic on the device and permits access only if the traffic originates from the managed Chrome browser.

    Users without the Citrix Secure Access client installed, or those using unmanaged devices, can only access applications via Citrix Enterprise Browser.

    The following client versions support the integration of Chrome Enterprise Premium with Citrix Secure Private Access:

    • Windows - 25.4.1.9 and later
    • macOS - 25.03.1 and later
  • Create or recreate policies and security controls: Policies and security controls configured in the Secure Private Access console only apply to Citrix Enterprise Browser. When Google Chrome is set as the enterprise browser, security controls must be configured as policies and rules in the Google Admin console.

    • Policies are configured in the Google Admin console > Devices > Chrome > Settings. These settings let you manage browser settings, such as blocking JavaScript or defining an allow list of printers.
    • Rules are configured in Google Admin console > Rules. These rules are advanced settings related to DLP, such as adding a watermark, blocking the download of files with social security numbers, and URL filtering.

Notes:

  • The Chrome browser must be set as the default browser. Otherwise, the Citrix Workspace app launches the default system browser instead of Chrome Enterprise Premium browser.
  • The Citrix Secure Access client only validates that the traffic originates from the Chrome browser process; it does not see which Chrome profile generated it. Therefore, DLP rules cannot be enforced at the granularity of individual user profiles within the browser and must be configured at the managed browser level rather than at the managed profile level. This approach ensures that all traffic passing through the Chrome browser, regardless of the specific user profile in use, is subject to the same set of DLP rules.
  • Access rules for external web/SaaS apps must be configured via Google Chrome policy configuration.
  • Google Chrome’s policy configuration is limited to Allow or Deny access options. The Allow with restriction option is supported in Citrix Enterprise Browser but is not supported in Google Chrome and must be functionally interpreted as Allow.

    For details on creating policies and rules for Google Chrome in the Google Workspace Admin console, see the following topics:

ICA Proxy settings in a SPA hybrid deployment

In a hybrid deployment, to use Google Chrome to access Workspace for Web (that is, to enumerate and launch Secure Private Access apps through the Chrome browser), you must make the following ICA Proxy configuration changes on NetScaler Gateway:

Enable ICA Proxy for Workspace for Web:

Using the NetScaler GUI:

  1. Navigate to Configuration > NetScaler Gateway > Policies > Session.
  2. Create a session profile or edit an existing session profile for Workspace for Web.

    Note:

    The Workspace for Web session policy usually has the following rule:

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT && HTTP.REQ.HEADER("User-Agent").CONTAINS("plugin").NOT && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixSecureAccess").NOT

  3. In the NetScaler Gateway Session Profile page, click the Published Applications tab.
  4. In ICA Proxy, click On.

    (Screenshot: SPA-CEP ICA Proxy setting)

    For details, see Create a session policy for web browser-based access.

Using the CLI:

Use the following sample command as a reference to enable ICA Proxy:

add vpn sessionAction Web_Browser_Profile -transparentInterception OFF -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy ON -wihome "https://storefront.mydomain.com/Citrix/MyStoreWeb" -ClientChoices OFF -ntDomain mydomain.com -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.mydomain.com" -sfGatewayAuthType domain

Ensure that this session action is bound to a session policy for Workspace for Web.

Configure the authorization policy to allow ICA Proxy traffic:

Using the GUI:

  1. Navigate to NetScaler Gateway > Policies > Authorization.
  2. Create an authorization policy or edit an existing policy.
  3. In Action, select Allow.
  4. In Expression, click Expression Editor.
  5. Configure the expression - click Select and choose the necessary elements.
  6. Click OK.

For details, see Configuring Authorization Policies.

(Screenshot: SPA-CEP authorization policy)

Using the CLI:

Use the following sample command as a reference to allow ICA Proxy traffic:

add authorization policy ALLOW_STOREFRONT "(HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"storefront.mydomain.com\")||CLIENT.SSLVPN.MODE.EQ(\"ICAPROXY\"))&&HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix\")" ALLOW
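The two CLI commands above give only the session action and the authorization policy. For the Workspace for Web path to work end to end, the action must be selected by a session policy carrying the User-Agent rule shown in the note above, that policy must be bound to the NetScaler Gateway virtual server, and the authorization policy must be bound to the group named in -authorizationGroup. The following is an added example that puts those pieces together; it is not taken from the original page or from Citrix documentation. The virtual server name SPA_Gateway_VS and the session policy name Web_Browser_Policy are assumptions; the profile name, group name and hostnames are the ones used in the samples above. Lines starting with # are annotations, not NetScaler commands.

```text
# Added example (not from the page): complete NetScaler CLI sequence for the
# Workspace for Web ICA Proxy path in a Secure Private Access hybrid deployment.
# Assumed names: SPA_Gateway_VS (Gateway virtual server), Web_Browser_Policy (session policy).

# 1. Session action with ICA Proxy enabled (same settings as the page's sample).
add vpn sessionAction Web_Browser_Profile -transparentInterception OFF -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy ON -wihome "https://storefront.mydomain.com/Citrix/MyStoreWeb" -ClientChoices OFF -ntDomain mydomain.com -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.mydomain.com" -sfGatewayAuthType domain

# 2. Session policy that selects this action only for plain browser requests.
#    Requests whose User-Agent carries CitrixReceiver, plugin or CitrixSecureAccess
#    fall through to the session policies for the Workspace app / Secure Access client.
add vpn sessionPolicy Web_Browser_Policy "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"plugin\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixSecureAccess\").NOT" Web_Browser_Profile

# 3. Bind the session policy to the Gateway virtual server (advanced policy binding).
bind vpn vserver SPA_Gateway_VS -policy Web_Browser_Policy -priority 100 -gotoPriorityExpression NEXT -type REQUEST

# 4. Authorization policy: allow StoreFront and ICA Proxy traffic, but only under /Citrix.
add authorization policy ALLOW_STOREFRONT "(HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"storefront.mydomain.com\")||CLIENT.SSLVPN.MODE.EQ(\"ICAPROXY\"))&&HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix\")" ALLOW

# 5. Bind the authorization policy to the group referenced by -authorizationGroup,
#    so that it applies to every session that uses Web_Browser_Profile.
bind aaa group SecureAccessGroup -policy ALLOW_STOREFRONT -priority 100

# 6. Verify the bindings.
show vpn sessionPolicy Web_Browser_Policy
show aaa group SecureAccessGroup
```

One point to check before relying on ALLOW_STOREFRONT as a control: the session action sets -defaultAuthorizationAction ALLOW, so the authorization policy is only an explicit allow on top of an already permissive default. If you want the browser session to reach nothing beyond StoreFront and ICA Proxy, set the default to DENY on this session action and add explicit allow policies for any other resources that Workspace for Web launches require; test app enumeration and launch after the change, because the deny applies to every request in sessions that use this profile.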

Synchronize user directory configured in Citrix Workspace with the Google Cloud user directory

We recommend that you synchronize the user directory configured in Citrix Workspace or StoreFront with the Google Cloud user directory. While it is not a requirement for managing per-user access to web and SaaS apps when using the managed browser configuration in Chrome, it is a requirement for managing some security controls and gathering per-user/user group usage insights within the Google Chrome Enterprise Premium console.

Specifically, the following features require synchronization of the user identities from the local user directory configured in Citrix with the Google Cloud user directory:

  • Per-user and user group based Data Loss Prevention (DLP) controls and other security policies within Google Chrome Enterprise Premium.
  • Per-user and user group based endpoint verification and enforcement within Google Chrome Enterprise Premium.
  • Per-user and user group based security insights in the Google Chrome Enterprise Premium console.
  • Using a managed profile with a corporate account for Chrome profile synchronization of bookmarks, history, settings, and so on.

For more information, see Google Directory sync.

Set Google Chrome as your enterprise browser

You can set Google Chrome as your default enterprise browser from the Secure Private Access admin console.

Note:

Citrix Enterprise Browser functions as the default enterprise browser unless the setting is changed to Google Chrome in the Secure Private Access administration console.

Perform the following steps:

  1. Log on to Citrix Cloud and then click Secure Private Access.
  2. Click Settings and then click Browser Selection.
  3. Click Google Chrome.

(Screenshot: SPA-CEP integration)

Note:

  • You can switch between Citrix Enterprise Browser and Google Chrome at any time.
  • Global application configuration service (GACS): (Not applicable for hybrid deployments) When using Citrix Workspace with GACS, the App Configuration > Citrix Enterprise Browser setting in Workspace Configuration determines whether the target URL opens in Citrix Enterprise Browser or Google Chrome. Ensure that the Open All SaaS Apps Through Citrix Enterprise Browser setting is disabled. For details on disabling this setting, see Manage Citrix Enterprise Browser through Global App Configuration service. Also, Google Chrome must still be set as the default system browser as per the guidelines in Prerequisites for the integrated solution.
  • Disabling the enterprise browser setting in Workspace Configuration prevents the Citrix Enterprise Browser security controls from being enforced and causes all applications to launch in the device’s default browser. Hence, Google Chrome must be set as the default system browser, as per the guidelines in Prerequisites for the integrated solution, so that the Chrome Enterprise Premium policies apply to those launches.

Considerations prior to switching browser

Note the following prior to switching browsers:

  • When you switch between Google Chrome and Citrix Enterprise Browser, you must log out of the Citrix Secure Access client and log in again, because switching browsers does not terminate the existing Citrix Secure Access session. Otherwise, app launches might not work as intended.
  • Chrome cannot enforce access to SaaS apps, because these apps are not tunneled through Citrix Secure Private Access. To enforce SaaS app access with Chrome and prevent the use of other browsers, route these apps through the Citrix Secure Private Access tunnel by changing the app routing type to Internal. For details, see Steps to change the routing type or resource location.
  • When Google Chrome is used as the enterprise browser, DLP policies and security controls configured in Citrix Secure Private Access are not enforced. Therefore, all necessary security policies must be recreated in the Google Admin console to maintain consistent data protection. For details, see Prerequisites for the integrated solution.
  • The URL filtering (Unsanctioned websites) feature is not supported when using Chrome as the enterprise browser. Any URL filtering policies must be recreated within the Google Admin console.

Citrix Secure Private Access - Supported deployment modes

The integrated solution supports the following deployment modes from Citrix Secure Private Access:

  • Citrix Secure Private Access service: This deployment mode utilizes the fully cloud-managed Citrix Secure Private Access service. All components, including the control plane and gateway infrastructure, are hosted and managed by Citrix. For more information, see Citrix Secure Private Access.
  • Citrix Secure Private Access hybrid deployment: This deployment allows customers to implement a Zero Trust Network Access (ZTNA) solution using on-premises StoreFront and NetScaler Gateway components, while using Citrix Cloud for configuration, administration, and monitoring. Customers can keep their existing on-premises NetScaler Gateway to control user traffic routing and use the Citrix Cloud hosted UI to manage configurations and policies, with Citrix Monitor, hosted in Citrix Cloud, providing the monitoring and troubleshooting functions. For more information, see Citrix Secure Private Access hybrid deployment.

End user experience

Google Chrome as your enterprise browser

When Google Chrome is your enterprise browser, application launches and security control enforcement vary based on the application types.

  • Published apps:

    • Citrix Workspace app: Applications launched from the Citrix Workspace app open in the default system browser. If the recommendations as suggested in Prerequisites for the integrated solution are followed, the default system browser is Chrome, with security controls being enforced within that browser environment.
    • Other browsers: Launching the same application from other browsers, such as Firefox or Microsoft Edge, is blocked. A pop-up notification from the Citrix Secure Access client appears asking the user to use Google Chrome.

    (Screenshot: CSA notification)

  • Internet apps: The browser setting does not affect the general internet applications. These applications can be launched from any browser, including Google Chrome.

Citrix Enterprise Browser as your enterprise browser

When Citrix Enterprise Browser is your enterprise browser, application launches and security controls enforcement remain unaffected.

  • Launch apps from Citrix Workspace app:

    • The application is launched using the Citrix Enterprise Browser.
    • Any security controls that have been enabled for the application are enforced accordingly.
  • Launch apps from Citrix Secure Access:

    • After the connection is established, open Chrome and launch the same app.
    • Any security controls that have been enabled for the app are enforced accordingly.

    Note:

    If you attempt to access the same application using a different browser (for example Firefox or Edge), you can still access the application, but the security controls are not enforced.

End-user application access methods

The following summarizes the end user experience when the applications are accessed using various methods. The behavior is the same for Workspace (StoreFront in cloud) and for on-premises StoreFront, except for where the apps are enumerated:

  • Citrix Workspace app (CWA):

    • Apps are enumerated on the Workspace portal (StoreFront in cloud) or on the StoreFront portal (StoreFront on-premises).
    • The applications are launched in Chrome.
    • Citrix Secure Access tunnels the application access.
  • Chrome (system browser):

    • Apps are enumerated on the Workspace portal (StoreFront in cloud) or on the StoreFront portal (StoreFront on-premises).
    • The applications are launched in Chrome.
    • Citrix Secure Access tunnels the application access via Secure Private Access.
  • Browser other than Chrome:

    • Access is denied for private apps.
    • Windows client: Citrix Secure Access blocks app access.
    • macOS client: Admins can use tools like Jamf to block the use of browsers other than Chrome.

Chrome Enterprise Premium is provided by Google LLC and your use is subject to Google’s Acceptable Use Policy and Service Specific Terms.