Rather than users needing to know your StoreFront or NetScaler Gateway URLs, you can give them the option to configure Citrix Receiver using their email address. This works both inside and outside the corporate LAN, connecting either directly to StoreFront when inside the corporate network or through NetScaler Gateway when outside.
I like this method of delivery, especially for users connecting through NetScaler Gateway, because the browser (Internet Explorer, Microsoft Edge, Firefox etc.) can often be the point of failure when users try to launch a Citrix session. Often this is because the browser needs extra configuration, such as the NetScaler Gateway URL being added to the Trusted Sites zone or the Receiver add-on being set to “Always Activate” in Firefox.
Internal Configuration:
We basically need two things to get this working internally:
- An SRV record within DNS.
- An internal certificate for StoreFront with a discoverReceiver.domain.com subject alternative name.
Firstly, open DNS and create the SRV record. Right-click your primary domain zone and click Other New Records… Choose Service Location (SRV) and click Create Record. Enter the following:
- Service = _citrixreceiver
- Protocol = _tcp
- Port number = 443
- Host offering this service = StoreFront server FQDN or load balanced address.
Click OK.
Next you need to issue a certificate to your StoreFront servers that has a subject alternative name of discoverReceiver.domain.com. If you don’t, users will receive a prompt when configuring Citrix Receiver with their email address. The subject or common name should be the FQDN of your StoreFront server, or load balanced address. You should have Subject Alternative Names for the StoreFront/load balanced FQDN and discoverReceiver.domain.com.
Now when adding an account, enter your corporate email address. If successful you’ll be prompted for a username and password, then your resources should enumerate.
External Configuration:
We basically need two things to get this working externally:
- An SRV record configured on your external domain DNS.
- An external certificate for NetScaler Gateway with a discoverReceiver.domain.com subject alternative name. You bind this certificate to your NetScaler Gateway Virtual Server.
No other configuration is required on NetScaler v11.1. Older versions of NetScaler required you to configure an Account Services Address, enable clientless access etc. If you are running an older version and cannot get email-based discovery to work, refer to https://docs.citrix.com/en-us/netscaler-gateway/11-1/storefront-integration/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html
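A pre-flight check for both the internal and external configuration above, as an added example that is not part of the original post: it derives the SRV record name and the discoverReceiver host name for each email suffix and reports which suffixes the certificate's SANs do not cover. The function names and the sample data are assumptions made for illustration, and the wildcard rule used is standard TLS matching ('*' covers one left-most label), assumed here to be how Receiver validates the name.

```python
import socket
import ssl

SRV_PREFIX = "_citrixreceiver._tcp"   # service and protocol from the SRV steps above
DISCOVERY_LABEL = "discoverReceiver"  # host label the certificate must cover

def email_suffix(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")

def discovery_names(email: str) -> dict:
    """SRV record and certificate name needed for this user's email suffix."""
    domain = email_suffix(email)
    return {"srv_record": f"{SRV_PREFIX}.{domain}",
            "cert_name": f"{DISCOVERY_LABEL}.{domain}"}

def san_covers(san: str, host: str) -> bool:
    """Case-insensitive match; '*' may stand for the left-most label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def missing_cert_names(emails, sans):
    """Discovery host names that no SAN on the certificate covers."""
    wanted = sorted({discovery_names(e)["cert_name"] for e in emails})
    return [h for h in wanted if not any(san_covers(s, h) for s in sans)]

def fetch_sans(host: str, port: int = 443, timeout: float = 5.0):
    """Read DNS SANs from a live server's certificate (needs network access
    and a chain that the local trust store accepts)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample data, not taken from a real deployment.
SAMPLE_SANS = ["storefront.domain1.example", "discoverReceiver.domain1.example",
               "*.domain2.example"]
SAMPLE_EMAILS = ["alice@domain1.example", "bob@DOMAIN2.example",
                 "carol@emea.domain2.example", "dave@domain3.example"]

if __name__ == "__main__":
    print(missing_cert_names(SAMPLE_EMAILS, SAMPLE_SANS))
```

To check a live deployment, pass the output of fetch_sans() for your StoreFront or Gateway FQDN as the second argument instead of SAMPLE_SANS.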
Chris
February 20, 2019
For the external configuration, does the SRV record need to point at the NetScaler Gateway URL or the StoreFront URL?
George Spiers
February 21, 2019
It points to the Gateway URL of Citrix ADC (NetScaler).
Rob
March 11, 2019
Will this work when using Wildcard Certificates?
George Spiers
March 11, 2019
Yes, just include discoverReceiver.domain.com in the certificate.
Tony
March 19, 2019
George, what about a WC cert with *.domain.com in the SAN - would that work?
George Spiers
March 19, 2019
Yes, in the SAN have discoverReceiver.domain.com (which matches your email suffix). Repeat for any other email suffix that will be used.
Tshattuck
August 14, 2019
It appears the *.domain.com works without adding a specific SAN.
Xdong
October 16, 2019
Hi George, we have a Citrix landscape for different regions, i.e. EMEA, AMER and APJ. Each region has its own StoreFront servers and NetScaler. What is the best way to configure email-based discovery? Thanks!
George Spiers
November 3, 2019
One option is to use a wildcard certificate, if all the regions share the same top-level domain.
Daan
May 14, 2020
When I use a gateway with an IP address and forward all my 443 traffic to that gateway, everything works fine. But I want to put a non-addressable gateway behind a content switcher. Then email-based discovery doesn’t work.
Kathy
May 26, 2020
May I know how to issue a certificate to your StoreFront servers that has an alternative name of discoverReceiver.domain.com? Thanks.
Chris
July 13, 2020
If users have a mailbox address of user@domain1.com but the ADC/NetScaler Gateway is gateway.domain2.com, will this not work? Are any additional steps required to get this working?