Citrix Secure Private Access

Discover domains or IP addresses accessed by end users

The Application Discovery feature gives an admin visibility into the external and internal applications (HTTP/HTTPS and TCP/UDP apps) that are being accessed in an organization. It discovers and lists all accessed domains/IP addresses, published or unpublished. Admins can therefore see which domains/IP addresses are being accessed and by whom, and decide whether to publish them as applications that grant access to those users.

To enable the Application Discovery feature within the Citrix Secure Private Access service, admins have to configure the subnets or the wildcard domains or both within which applications and user access needs to be discovered and reported. Admins use the application configuration workflow to define the broad subnets and wildcard domains, and complete the same application access policy workflow that is used for all application definition configurations. For details on configuring for application discovery, see Application Discovery for internal domains in a new environment.

The Application Discovery feature provides the following capabilities to the admins:

  • Provides visibility into both internal and external domains/IP addresses accessed by the end users.
  • Provides comprehensive visibility into all types of applications accessed (HTTP, HTTPS, TCP, and UDP). All access methods are supported, that is, access via Citrix Enterprise Browser, Secure Access Agent, Direct Access, or Workspace for Web.
  • Displays both published and unpublished domains/IP addresses accessed by the end users.
  • Displays both the main domain and its underlying embedded domains that are required to be configured as related domains while publishing the applications for access made via Citrix Enterprise Browser.
  • Displays the embedded domains in a tree structure. Admins can click the expand sign (>) in line with the main domain to view the embedded domains.
  • Enables admins to create new applications or add those domains to an existing application if a main domain or an embedded domain (HTTP/HTTPS) or the destination IP address (TCP/UDP) is not associated with an application.

The following figure displays a sample App discovery page. The App discovery page allows filtering of domains based on the protocol (HTTP/HTTPS, TCP/UDP) and Domain/IP address and port numbers. It also displays the unpublished (not assigned to any app) domains accessed by the end users. You can see a main domain with a drop-down list of embedded domains underneath it. These domains must be configured as related domains while publishing the application.


Note:

  • Embedded domains are grouped under the main domain only for HTTP/HTTPS apps accessed via Citrix Enterprise Browser. TCP/UDP domains are not grouped under one main domain.
  • Grouping of embedded domains is only available for apps accessed from Citrix Enterprise Browser (v119 and later).

Application Discovery for internal domains in a new environment

The Application Discovery feature can be used when you are setting up a new Secure Private Access environment and want visibility into the applications that need to be configured. The feature discovers and lists all domains/IP addresses accessed by your end users so that you can configure them as applications. Use the following steps to enable Application Discovery while setting up your Secure Private Access environment:

  • To discover internal web applications, configure an application within Secure Private Access and specify the wildcard related domain that belongs to the domain/subdomain of the applications that you want to discover.

    For example, to discover all applications under the domain citrix.com, create an application with *.citrix.com as a related domain. To complete the application configuration, enter any test URL in the main web app URL field:

    Web app URL: https://test.citrix.com/
    Related domain: *.citrix.com

  • For internal TCP/UDP apps, configure an application within Secure Private Access and specify the subnet along with the TCP/UDP protocol and the range of ports (enter * to include the entire range). This enables discovery of all TCP and UDP apps accessed through the Citrix Secure Access agent. For example, to discover all applications within the subnet 10.0.0.0/8, configure the app with the following details:

    Subnet: 10.0.0.0/8
    Port: *
    Protocol: TCP

    This example covers TCP only; to discover UDP apps in the same subnet, also specify UDP for the subnet.

  • Once you have created the applications, you must also define users that are allowed access to apps with the configured domains and IP subnets. Create an access policy and assign users to whom you want to allow access to the FQDNs/IP addresses configured in the applications created. These can be an initial set of test users or a limited number of users you want to give access to initially.

  • After creating the applications and corresponding access policies, users can continue to access applications from the Citrix Workspace app and access different domains. All FQDN/IP addresses accessed by the end users start to show up in the Application Discovery page.

Note:

  • Once you have discovered and identified most of the applications over a few days or weeks, delete the initially created discovery applications so that the broad access granted through the wildcard domains and IP subnets is closed down, and only the specific application URLs and IP addresses that were discovered remain reachable through new, specific applications.
  • Prefix the app name with Discover to mark it as a special configuration that exists only to enable discovery monitoring and reporting. The prefix makes these apps easy to find when, after a few weeks or a month, you remove the wildcard domains and IP subnets and shrink the overall access zone to just the specific FQDNs and IP/port combinations.
  • To access TCP/UDP apps, users must use the Citrix Secure Access agent. App access from the various access methods is monitored based on the apps' domain and subnet configuration and reported on the App Discovery page.
  • Even after you have removed the discovery applications, the feature continues to discover domains/IP addresses accessed by your users. At any time, you can return to the App Discovery page to see what is being accessed and whether any newly discovered domains/IP addresses need to be configured as applications.
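The retirement check described in the notes above, as an added Python example that is not Citrix code: given the destinations shown on the App discovery page and the apps you have configured, it reports which accessed FQDNs/IPs are covered only by the broad Discover-prefixed apps and therefore still need a specific app before those discovery apps can be deleted. The article describes no export format or API, so the discovery rows and app definitions are constructed sample data typed in by hand, and the wildcard semantics (*.citrix.com matches subdomains but not citrix.com itself) are an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed app definitions; these are not exported from Secure Private Access.
@dataclass(frozen=True)
class WebApp:
    name: str
    related_domains: tuple       # e.g. ("*.citrix.com",)

@dataclass(frozen=True)
class TcpUdpApp:
    name: str
    destination: str             # CIDR or single IP address
    protocol: str                # "TCP" or "UDP"
    ports: str                   # "*", "443" or "8000-8100"

DISCOVERY_PREFIX = "Discover"    # naming convention the article recommends

def domain_matches(pattern: str, fqdn: str) -> bool:
    """Assumed wildcard semantics: '*.citrix.com' matches hr.citrix.com and
    a.b.citrix.com but not citrix.com itself; other entries match exactly."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn != pattern[2:]
    return pattern == fqdn

def port_matches(spec: str, port: int) -> bool:
    """'*' covers every port; '443' a single port; '8000-8100' a range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def tcp_udp_matches(app: TcpUdpApp, protocol: str, ip: str, port: int) -> bool:
    return (app.protocol == protocol
            and port_matches(app.ports, port)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(app.destination, strict=False))

def apps_covering(row, web_apps, tcp_apps):
    """Names of all configured apps whose definition covers one discovery row."""
    protocol, dest, port = row
    if protocol in ("HTTP", "HTTPS"):
        return [a.name for a in web_apps
                if any(domain_matches(p, dest) for p in a.related_domains)]
    return [a.name for a in tcp_apps if tcp_udp_matches(a, protocol, dest, port)]

def classify(rows, web_apps, tcp_apps):
    """Bucket each row as 'published' (a specific app covers it),
    'discovery_only' (only a Discover* app covers it, so it still needs its
    own app before the discovery apps are deleted) or 'unmatched'."""
    report = {}
    for row in rows:
        names = apps_covering(row, web_apps, tcp_apps)
        specific = [n for n in names if not n.startswith(DISCOVERY_PREFIX)]
        if specific:
            report[row] = ("published", specific)
        elif names:
            report[row] = ("discovery_only", names)
        else:
            report[row] = ("unmatched", [])
    return report

def blocking_retirement(report):
    """Rows that still rely on the discovery apps; an empty list means they can go."""
    return sorted(r for r, (state, _) in report.items() if state == "discovery_only")

# --- constructed sample data ----------------------------------------------
WEB_APPS = (
    WebApp("Discover web", ("*.citrix.com",)),
    WebApp("HR portal", ("hr.citrix.com", "static.hr.citrix.com")),
)
TCP_APPS = (
    TcpUdpApp("Discover tcp", "10.0.0.0/8", "TCP", "*"),
    TcpUdpApp("Jump host RDP", "10.1.2.3/32", "TCP", "3389"),
)
# (protocol, domain or IP, port) as they would appear on the App discovery page
ROWS = [
    ("HTTPS", "hr.citrix.com", 443),
    ("HTTPS", "static.hr.citrix.com", 443),
    ("HTTPS", "wiki.citrix.com", 443),       # only the wildcard covers it
    ("HTTPS", "citrix.com", 443),            # apex: outside *.citrix.com
    ("TCP", "10.1.2.3", 3389),
    ("TCP", "10.20.30.40", 1433),            # only the /8 discovery app covers it
    ("UDP", "10.20.30.40", 53),              # UDP: no app covers it at all
]

if __name__ == "__main__":
    report = classify(ROWS, WEB_APPS, TCP_APPS)
    for row, (state, names) in report.items():
        print(f"{row[0]:5} {row[1]}:{row[2]} -> {state} {names}")
    print("blocking retirement:", blocking_retirement(report))
```

Rows reported as discovery_only are the ones to publish as specific apps first; rows reported as unmatched are being accessed outside every app definition (the page still lists them) and are candidates for either a new app or a deliberate decision not to publish.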

For details on adding the domains, FQDNs, or IP address, see the following topics.

Create an application from the App discovery page

To create an application for embedded domains or unpublished domains from the App discovery page, do the following steps:

  1. Navigate to Applications > App discovery.
  2. Select a domain from the list. If the domain has embedded domains, then click the expand sign (>) in line with the main domain and select the embedded domains.

    Note:

    • You cannot select domains belonging to different protocols to create an application. An error message is displayed when you select domains belonging to different protocols.
    • If a domain is already associated with an application, you cannot select it again to create an application. The checkbox for that domain appears grayed out, and a tooltip appears when you hover the mouse over it.
    • You cannot select and add embedded domains grouped under different main domains to an application. The Application Discovery feature only allows embedded domains grouped under a single main domain to be added to an app. An error message appears if embedded domains from different main domains are selected and added to the same app.
  3. Click Create application. For details on creating an application, see Support for Enterprise web apps, Support for Software as a Service apps, and Support for client-server apps.

Update an existing application

To add a domain to an existing application, select the domain from the list. If the domain has embedded domains, then click the expand sign (>) in line with the main domain and select the embedded domains.

  1. Select the embedded domain that must be added to an application.
  2. Click Add to an existing application.
  3. In Applications, select the application to which you want to add these domains.
  4. Click Get app details.
  5. The Related Domains field displays all the embedded domains that you selected earlier in separate rows.
  6. Click Finish.


Note:

  • A TCP/UDP destination IP address can only be added to an existing TCP/UDP application. For such destinations, the Applications field lists only the TCP/UDP apps configured in the system.
  • Domains whose protocol is HTTP/HTTPS (main, single-entry, or embedded) can be added to an existing HTTP/HTTPS app or to an existing TCP/UDP app.
  • You cannot select a domain that is already associated with an application.

Known limitations

  • Although the Create application and Add to existing application options are also available on the Secure Private Access dashboard (Top discovered applications by total visits chart), create or update applications from the App discovery tab (Applications > App discovery) instead. If you cancel the operation while adding or updating an application from the dashboard, the page reloads and all settings are reset.
  • After selecting the embedded domains to add or update an application, if you collapse the expand sign (>), there is no option to identify the embedded domains that you have selected earlier. You must individually click the expand sign (>) of each main domain to identify the embedded domain that you have selected earlier.