Application discovery

Application discovery feature helps an admin get visibility into the internal private applications such as web apps and client server apps (TCP and UDP based apps) in their organization and the users accessing those applications. Admins can discover the apps by specifying the scope of the domains (wildcard domains) or IP subnets. To enable the app discovery feature within the Citrix Secure Private Access service, admins have to configure the subnets or the wildcard domains or both within which applications and user access needs to be discovered and reported. Admins use the Application configuration workflow to define the broad subnets and wildcard domains, and complete the same application access policy workflow that is used for all application definition configurations.

Configure application discovery

Application discovery can be done by one of the following ways:

  • Configure the system to monitor and report the exact IP address destinations and ports that are TCP/UDP based.

    Specify the subnet along with the TCP/UDP protocol and range of ports (enter * to include entire range). This enables discovering all TCP and UDP apps from the secure access agent.

    Example: TCP : Port (*)

    App discovery

  • Configure the system to monitor and report the host names or fully qualified domains (FQDNs) or both for the apps accessed using the TCP or UDP protocol.

    Specify the wildcard domain belonging to the web apps that must be monitored and reported.

    Example: * : TCP : Port (*)

    App discovery

  • Configure the system to monitor and report the fully qualified domains (FQDNs) that might be accessed from the Citrix Enterprise Browser.

    Specify at least one FQDN for a web app that belongs within the domain or subdomain within which you want to discover internal web apps. Configure the related domain to include the wildcard domain within which that app belongs.


    Web app URL:

    Related domain: *

    App discovery


  • In addition to creating the apps, you must also define users that are allowed access to apps with the configured domains and IP subnets. This is to prevent unauthorized or in-advertent access from other user groups that are outside the allowed user groups.

  • Add the prefix Discover in the app name to indicate that this is a special app configuration to enable discovery monitoring and reporting. This naming helps you identify to remove the wild card domains or IP subnets or both so you can reduce the overall app access zone to just the specific FQDNs and IP/port combinations later in weeks or a month.

App discovery applications

App discovery policies

After creating the applications and corresponding access policies, users can continue to access applications from the Citrix Workspace app and access different domains. For accessing TCP/UDP apps, users need to use the Citrix Secure Access agent. App access from various access methods is monitored based on the apps’ domains and subnets configuration and reported within the dashboards.

Application discovery