Discover domains or IP addresses accessed by end users

The Application Discovery feature gives an admin visibility into the external and internal applications (HTTP/HTTPS and TCP/UDP apps) that are being accessed in an organization. The feature discovers and lists all domains/IP addresses that are accessed, published or unpublished. Admins can thus see which domains/IP addresses are being accessed and by whom, and decide whether to publish them as applications, providing access to those users.

The Application Discovery feature provides the following capabilities to the admins:

  • Provides visibility into both internal and external domains/IP addresses accessed by the end users.
  • Provides comprehensive visibility into all types of applications accessed (HTTP, HTTPS, TCP, and UDP). Access through Citrix Enterprise Browser and the Citrix Secure Access agent is supported.
  • Displays both published and unpublished domains/IP addresses accessed by the end users.

The following figure displays a sample App discovery page. The App discovery page allows filtering of domains based on the protocol (HTTP/HTTPS, TCP/UDP), the domain/IP address, and the port number. It also displays the unpublished domains (those not assigned to any app) accessed by the end users.

Figure: App discovery page

Application Discovery for internal domains in a new environment

The Application Discovery feature can be used when you are setting up a new Secure Private Access environment and want visibility into the applications that need to be configured. The feature discovers and lists all domains/IP addresses that are accessed by your end users so that you can configure them as applications. Use the following steps to enable the Application Discovery feature while setting up your Secure Private Access environment:

  • To discover internal web applications, configure an application within Secure Private Access and specify the wildcard related domain that belongs to the domain/subdomain of the applications that you want to discover.

    For example, to discover all applications under the domain citrix.com, create an application with the related wildcard domain *.citrix.com. To complete the application configuration, enter any test URL in the main Web app URL field.

    Figure: Configure for app discovery (1)

    Web app URL: https://test.citrix.com/

    Related domain: *.citrix.com

  • For internal TCP/UDP apps, configure an application within Secure Private Access and specify the subnet along with the TCP/UDP protocol and the range of ports (enter * to include the entire range). This enables discovery of all TCP and UDP apps accessed through the Citrix Secure Access agent. For example, to discover all applications within the subnet 10.0.0.0/8, configure the app with the following details:

    Subnet: 10.0.0.0/8

    Port: *

    Protocol: TCP

    Figure: Configure for app discovery (2)

  • Once you have created the applications, you must also define the users that are allowed to access apps with the configured domains and IP subnets. Create an access policy and assign the users to whom you want to allow access to the FQDNs/IP addresses configured in the applications you created. These can be an initial set of test users or a limited number of users to whom you want to give access initially.

  • After creating the applications and corresponding access policies, users can continue to access applications from the Citrix Workspace app and access different domains. All FQDN/IP addresses accessed by the end users start to show up in the Application Discovery page.

Note:

  • Once you have discovered and identified most of the applications over a few days or weeks, we recommend deleting the initially created applications so that the wide access granted through the wildcard domains and IP subnets is closed down, and only the specific application URLs and IP addresses that were discovered are allowed through new applications.
  • Add the prefix Discover to the app name to indicate that this is a special app configuration created to enable discovery monitoring and reporting. This naming helps you identify which wildcard domains, IP subnets, or both to remove later, within weeks or a month, so that you can reduce the overall app access zone to just the specific FQDNs and IP/port combinations.
  • To access TCP/UDP apps, users must use the Citrix Secure Access agent. App access from various access methods is monitored based on the apps’ domains and subnets configuration and reported within the App Discovery page.
  • Even after you have removed the discovery applications, this feature continues to discover domains/IP addresses accessed by your users. So at any time, you can return to the App Discovery page to see what is being accessed and whether any newly discovered domains/IP addresses must be configured as applications.
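The narrowing step described in the note above, as an added example that is not Citrix code and uses no Citrix API: it takes a constructed list of discovered entries (protocol, domain or IP, port), matches them against the *.citrix.com and 10.0.0.0/8 scope of the temporary Discover apps, and reports the specific FQDNs and IP/port/protocol combinations that should replace the wildcard apps, plus anything seen outside that scope. The input format and the name `narrow` are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample of discovered entries (protocol, domain or IP, port),
# loosely modelled on the columns of the App discovery page. Not a real export.
DISCOVERED = [
    ("HTTPS", "hr.citrix.com", 443),
    ("HTTPS", "wiki.citrix.com", 443),
    ("HTTP", "hr.citrix.com", 80),
    ("HTTPS", "test.citrix.com", 443),   # placeholder main URL of the Discover app
    ("TCP", "10.20.1.15", 3389),
    ("TCP", "10.20.1.15", 22),
    ("UDP", "10.50.7.9", 53),
    ("TCP", "192.168.5.4", 445),         # outside the discovery subnet
    ("HTTPS", "example.org", 443),       # outside the discovery domain
]

# Scope of the temporary "Discover" apps from the page.
DISCOVER_DOMAIN = "*.citrix.com"
DISCOVER_SUBNET = ipaddress.ip_network("10.0.0.0/8")
PLACEHOLDER_HOSTS = {"test.citrix.com"}  # test URL used only to complete the wizard

def narrow(discovered, domain_glob, subnet, placeholders):
    """Split discovered traffic into the specific FQDNs and IP/protocol/port
    tuples that should replace the wildcard and subnet apps, and anything seen
    outside the discovery scope (which the Discover apps never covered)."""
    web_hosts, tcp_udp, out_of_scope = set(), defaultdict(set), []
    for proto, target, port in discovered:
        if proto in ("HTTP", "HTTPS"):
            # '*' in fnmatch also spans dots, so *.citrix.com covers deeper labels
            if fnmatchcase(target.lower(), domain_glob.lower()):
                if target not in placeholders:
                    web_hosts.add(target)
            else:
                out_of_scope.append((proto, target, port))
        else:
            if ipaddress.ip_address(target) in subnet:
                tcp_udp[target].add((proto, port))
            else:
                out_of_scope.append((proto, target, port))
    return sorted(web_hosts), {ip: sorted(v) for ip, v in tcp_udp.items()}, out_of_scope

if __name__ == "__main__":
    hosts, ips, extra = narrow(DISCOVERED, DISCOVER_DOMAIN, DISCOVER_SUBNET, PLACEHOLDER_HOSTS)
    print("Web app related domains to keep:", hosts)
    for ip, ports in ips.items():
        print(f"TCP/UDP app {ip}: " + ", ".join(f"{p}/{n}" for p, n in ports))
    print("Seen outside discovery scope (needs its own decision):", extra)
```

The hosts and IP/port lists are what you would enter as the related domains and TCP/UDP destinations of the replacement applications before deleting the Discover apps.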

For details on adding domains, FQDNs, or IP addresses, see the following topics.

Create an application from the App discovery page

To create an application for main domains and unpublished domains from the App discovery page, do the following steps:

  1. Navigate to Applications > App discovery.
  2. Select a domain from the list.

    Note:

    • You cannot select domains belonging to different protocols to create an application. An error message is displayed when you select domains belonging to different protocols.
    • If a domain is already associated with an application, you cannot select that domain again to create an application. The checkbox corresponding to that domain appears grayed out and when you hover the mouse over the checkbox, a tooltip appears.
  3. Click Create application. For details on creating an application, see Configure HTTP/HTTPS applications and Configure TCP/UDP apps.

Update an existing application

To add a domain to an existing application, perform the following steps:

  1. Select the domain that must be added to an application.
  2. Click Add to an existing application.
  3. In Applications, select the application to which you want to add these domains.
  4. Click Get app details.
  5. The Related Domains field displays all the domains that you selected earlier in separate rows.
  6. Click Finish.

Figure: Update an app

Note:

  • You can only add a TCP/UDP destination IP address to an existing TCP/UDP application. The Applications field lists only the TCP/UDP apps configured in the system.
  • You can select an existing HTTP/HTTPS or TCP/UDP app to add domains (main or single entry) whose protocol is HTTP/HTTPS.
  • You cannot select a domain that is already associated with an application.