Citrix Secure Internet Access FAQ's

Citrix Secure Internet Access (SIA) is a feature laden, cloud delivered security stack that connects users in all locations on all device types directly to the origin of the service they need to consume, without compromising performance and ultimately productivity. A super hot product, we're seeing lots of use cases and have the answers to your questions.

Welcome to our Citrix Secure Internet Access FAQ’s. If you don’t see what you’re looking for, get in touch and we can give you a straight answer to your question.

What is Citrix Secure Internet Access / Citrix SIA?

  • Citrix Secure Internet Access, known as Citrix SIA is not a single product but rather a group of products combining to provide users the secure access they need to SaaS and Internet when working from anywhere. 

https://clouddnagroup.com/2021/02/23/what-is-citrix-secure-internet-access/ 

What products are within Citrix Secure Internet Access / Citrix SIA?

  • Citrix Secure Internet Access, known as Citrix SIA includes Secure Web Gateway, Firewall as a Service, Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP) and Sandboxing. 

Note: User traffic does not go through each of these features one at a time as this could increase latency, rather the traffic is parsed by all these simultaneously. 

https://clouddnagroup.com/2021/02/23/what-is-citrix-secure-internet-access/ 

 

Citrix Secure Internet Access / Citrix SIA - What is Citrix Secure Web Gateway?

A product within the Citrix SIA offering, Secure Web Gateway (SWG) provides Web Filtering, URL filtering allowing or blocking website access based on company defined rules. Anti-Malware, inspecting both encrypted and unencrypted web content to identify and block all threats. Finally, Application Control, provides visibility into applications being given access and allows granular control to ensure security and compliance. 

Citrix Secure Internet Access / Citrix SIA - What is Firewall as a Service?

A product within the Citrix SIA offering, it provides bidirectional control to allow only trusted secure traffic to flow between the enterprise network to the internet. 

Citrix Secure Internet Access / Citrix SIA - What is Cloud Access Security Broker (CASB)?

A product within the Citrix SIA offering, CASB helps monitor, secure and manage access to SaaS applications (both allowed and blocked). 

Citrix Secure Internet Access / Citrix SIA - What is Data Loss Prevention (DLP)?

A product within the Citrix SIA offering, DLP makes sure sensitive data such as credit card details, social security numbers etc. are not lost or accessed by unauthorised users.

Citrix Secure Internet Access / Citrix SIA - What is Sandboxing?

  • A product within the Citrix SIA offering, Sandboxing provides an isolated environment in which suspected malicious code can be safely executed and accessed helping prevent Zero Day attacks. 

 

What are the Citrix Secure Internet Access / Citrix SIA prerequisites?

  • The following are the prerequisites of a Citrix SIA deployment. 

You must have a Citrix Cloud account. 

You must also have one or more of the following: 

a)  Citrix Virtual Apps and Desktops deployment accessible through Citrix  Workspace. 

b)  Workspace app on your host systems such as laptops and mobile devices. 

c)  Citrix SD-WAN for remote branch sites. 

How does Citrix Secure Internet Access / Citrix SIA work?

The basic concept of Citrix SIA is to securely redirect all user internet bound traffic from a client device/user through Citrix SIA service. 

How does Citrix Secure Internet Access / Citrix SIA work with Citrix Virtual Apps and Desktops?

By installing a Citrix SIA Cloud Connector agent on the Virtual Delivery Agent (VDA) you can redirect all internet traffic to the Citrix SIA service. 

How does Citrix Secure Internet Access / Citrix SIA work with Native browsers on host systems?

You can install the Citrix SIA Cloud Connector agents on the user’s device to redirect all internet traffic through the Citrix SIA service. The Cloud Connector agent also authenticates the user and installs the appropriate certificates for SSL decryption. Cloud Connector agents are available for the following operating systems: iOS, macOS, Android, Windows, Linux. 

How does Citrix Secure Internet Access / Citrix SIA work with Citrix SD-WAN?

Citrix SD-WAN appliance installed at remote sites can be configured to make a direct connection to the nearest Citrix SIA service and then redirect internet bound traffic through that connection. IPSEC or GRE tunnels are used to secure this connectionno Cloud Connector agent is needed. Citrix SD-WAN automatically creates secure connectivity to the closest Citrix SIA service point of presence (PoP). Fail tolerance on these links is achieved both at the tunnel level and through multiple links to primary and secondary Citrix SIA PoPs. 

Is Citrix Secure Internet Access/ Citrix SIA compatible with Citrix SD-WAN?

Yes. Citrix SD-WAN fully supports connectivity to Citrix SIA from branch sites when the SD-WAN deployment has been configured and managed using the Citrix SD-WAN Orchestrator. 

Can Citrix Secure Internet Access / Citrix SIA work with existing Citrix SD-WAN deployments?

Yes. Citrix SIA is licenced independently of Citrix SD-WAN. So long as the Citrix SD-WAN deployment is managed using Citrix SD-WAN Orchestrator, Citrix SIA can be configured as part of the infrastructure. 

Citrix Secure Internet Access / Citrix SIA vs ZScaler.

Citrix sets its offering apart from other vendors with its cloud security and connectivity capabilities that other vendors cannot deliver because they lack Citrix’s patented and unique containerisation architecture. This includes capabilities such as complete data isolation while data is secured through the SASE service to native hybrid deployment scenarios that include 100% feature parity. 

How is Citrix Secure Internet Access / Citrix SIA licenced?

  • Citrix SIA is licenced on tier-based structure, size your purchase based on the number users expected to connect to the Citrix SIA. 

 

What Happens if more users connect than are licenced?

Citrix SIA will allow these extra user connections but there will be notifications of the licenced threshold being exceeded logged against the account. 

What are Citrix Secure Internet / Citrix SIA tunnels?

A Citrix SIA Tunnel is an IPSec or GRE secure tunnel connecting from the remote client end. A number of tunnels are included with your licence subscription package. By default, each subscription includes one tunnel for every 10 users in an account. 

Can more GRE/IPSec tunnels be purchased if needed?

Yes, additional GRE/IPSec tunnel licences can be bought as add-on. 

What’s the minimum version of SD-WAN firmware?

v11.1 is the minimum version of Citrix SD-WAN firmware to support connectivity to Citrix SIA. 

How is Citrix Secure Internet Access / Citrix SIA managed?

Citrix SIA is managed through the Citrix Cloud Portal. When a deployment is done in conjunction with Citrix SD-WAN both services can be managed from the same Citrix Cloud portal. Citrix SIA & Citrix SD-WAN interfaces are seen separate tabs. 

Why can’t I see Citrix Secure Internet Access/ Citrix SIA as an option in my delivery services within Citrix SD-WAN Orchestrator?

The Citrix SIA service link is only visible if you are an SD-WAN Orchestrator customer and have Citrix SIA entitlement. 

Can Citrix Secure Internet Access / Citrix SIA be used independently of Citrix SD-WAN or Citrix VAD?

  • Yes, Users can take advantage of Citrix SIA using their local systems, such as laptops and mobile devices. These devices, managed or unmanaged, can secure their internet bound traffic by installing the Citrix SIA Cloud Connector agent. This agent will redirect all internet traffic to the Citrix SIA service. The Cloud Connector agent also authenticates the user and installs the appropriate certificates for SSL decryption. Cloud Connector agents are available for the following operating systems: iOS, macOS, Android, Windows, Linux. 

 

How is traffic steered when not behind a Citrix SD-WAN device?

Citrix uses what they call ‘Citrix Cloud Connector’ to redirect traffic to Citrix SIA. This connector can install seamlessly onto most modern user devices and is responsible for the traffic redirection. It also used for authenticating the user as well as installing appropriate certificates for the SSL decryption. 

What is Citrix Secure Internet Access / Citrix SIA Cloud Connector Agent?

The Cloud Connector Agent is a software agent that will redirect all internet traffic to the Citrix SIA service from a user’s device. The Cloud Connector agent also authenticates the user and installs the appropriate certificates for SSL decryption. The agent is available for download from the Citrix SIA Management portal and can be installed directly to the client device or via deployment solutions such as GPO, MDM or others. 

What is Citrix Secure Internet Access / Citrix SIA vs Secure Access Services Edge (SASE).

  • Gartner have defined SASE to be the convergence of networking and comprehensive cloud delivered security with Unified Management. 

SASE is not a product but more a solution and with that in mind Citrix SIA forms part of the Citrix SASE solution. Businesses can begin this strategic roll out to a Citrix Secure Access Service Edge solution by combining Citrix SIA, Citrix SD-WAN, Citrix Secure Workspace Access (SWA) and Analytics to deliver everything Gartner defined for SASE. 

How is Citrix Secure Internet Access / Citrix SIA configured on Citrix SD-WAN?

  • Traffic redirection to Citrix SIA from Citrix SD-WAN is configured within the Citrix SD-WAN Orchestrator portal. Here administrators can define globally within the SD-WAN deployment the bandwidth allocated to these secure tunnels. 

 

Can Citrix Secure Internet Access / Citrix SIA be used with all editions of Citrix SD-WAN?

In theory Yes. However, it should be noted that the Citrix SD-WAN Advanced Edition (AE Edition) appliance offers all of the Citrix SIA features installed locally on the appliance. Effectively providing an “On Premises” Citrix SIA solution. 

Should O365 Traffic be proxied via the Citrix Secure Internet Access / Citrix SIA Service.

No, M365 traffic should be routed directly to the internet to adhere to Microsoft connectivity principals to maintain the best possible user performance. 

Can Citrix SD-WAN Cloud Direct Service and Citrix SD-WAN SIA Service be used at the same time?

No, both these delivery service can be enabled at the same time but Citrix SD-WAN can only route traffic through one or the other delivery service. 

Is Citrix SD-WAN connection to Citrix Secure Internet Access / Citrix SIA fault tolerant?

Yes, Using Citrix SD-WAN Orchestrator, administrators can automate the setup of tunnels between Citrix SD-WAN appliances and a Citrix SIA local Point of Presence (PoP) with just a few clicks. The Citrix SD-WAN appliance when configured, connects to a primary and backup Citrix SIA PoP. It continually monitors these PoP’s and if the primary PoP fails the Citrix SD-WAN will redirect traffic to the backup PoP. This ensures the connection between Citrix SD-WAN and Citrix SIA is resilient, consistent and optimized for application performance.  

How fast is failover between active/backup?

  • Tunnel failover due to WAN Link failure is 1 second or faster. 
  • Failover due POP failure is 300 seconds or faster. 

What’s the difference between Citrix Secure Internet Access / Citrix SIA and Citrix Secure Workspace Access?

  • Citrix SIA secures access to all Internet and SaaS applications, regardless of whether the user is inside Citrix Workspace or not. 
  • Citrix Workspace Access (SWA) secures access to all Internal apps that are managed by the IT teams. These apps can be on premises or cloud based. 

Is Citrix Secure Internet Access / Citrix SIA secure?

Yes. Citrix SIA is designed based on an instance-based architecture. Every customer gets their own instance, and that instance can be replicated across regions. Also, that architectural instance is logically separated from an instance of another customer. This architecture ensures greater data privacy between customers. It also helps ensure that data from one region is scanned and stored within that region. This is needed to meet certain compliance and regulatory needs such as GDPR. 

What’s the difference between Citrix Secure Internet Access / Citrix SIA and Secure Access Services Edge (SASE)?

  • Gartner have defined SASE to be the convergence of networking and comprehensive cloud delivered security with Unified Management. 

SASE is not a product but more a solution and with that in mind Citrix SIA forms part of the Citrix SASE solution. Businesses can begin this strategic roll out to a Citrix Secure Access Service Edge solution by combining Citrix SIA, Citrix SD-WAN, Citrix Secure Workspace Access (SWA) and Analytics to deliver everything Gartner defined for SASE. 

Where can I find the Citrix Secure Internet Access / Citrix SIA Documentation?

  • Citrix Secure Internet Access (SIA) documentation is available online at the following link: 

Citrix Secure Internet Access 

When are Citrix Secure Internet Access / Citrix SIA GRE/IPSec tunnels used?

The GRE/IPSec tunnels are used by the Citrix SD-WAN devices to form the secure connection to the Citrix SIA Service. 

GOT MORE QUESTIONS? WE CAN ANSWER THOSE FOR YOU.