Configuring Citrix Receiver email based discovery

Rather than requiring users to know your StoreFront or NetScaler Gateway URLs, you can let them configure Citrix Receiver using their email address. This works both inside and outside the corporate LAN: Receiver connects directly to StoreFront when inside the corporate network, or through NetScaler Gateway when outside.

I like this method of delivery, especially for users connecting through NetScaler Gateway, because the browser (Internet Explorer, Microsoft Edge, Firefox etc.) can often be the point of failure when users try to launch a Citrix session. This is often because the browser needs extra configuration, such as the NetScaler Gateway URL being added to the Trusted Sites zone or the Receiver add-on being set to “Always Activate” in Firefox.

Internal Configuration:

We basically need two things to get this working internally:

  • An SRV record within DNS.
  • An internal certificate for StoreFront with a discoverReceiver.domain.com subject alternative name.

First, open DNS and create the SRV record. Right-click your primary domain zone and click Other New Records… Choose Service Location (SRV) and click Create Record. Enter the following:

  • Service = _citrixreceiver
  • Protocol = _tcp
  • Port number = 443
  • Host offering this service = StoreFront server FQDN or load balanced address.

Click OK.

Next you need to issue a certificate to your StoreFront servers that has a subject alternative name of discoverReceiver.domain.com. If you don’t, users will receive a prompt when configuring Citrix Receiver with their email address.

The subject or common name should be the FQDN of your StoreFront server, or load balanced address. You should have Subject Alternative Names for the StoreFront/load balanced FQDN and discoverReceiver.domain.com.

Now when adding an account, enter your corporate email address. If successful you’ll be prompted for a username and password, then your resources should enumerate.

External Configuration:

We basically need two things to get this working externally:

  • An SRV record configured on your external domain DNS.
  • An external certificate for NetScaler Gateway with a discoverReceiver.domain.com subject alternative name. You bind this certificate to your NetScaler Gateway Virtual Server.

No other configuration is required on NetScaler v11.1. There was a requirement to configure an Account Services Address and enable clientless access etc. on older versions of NetScaler. If you are running older versions and cannot get email based discovery to work refer to https://docs.citrix.com/en-us/netscaler-gateway/11-1/storefront-integration/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html
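
The two requirements above (the `_citrixreceiver._tcp` SRV record and a certificate that covers discoverReceiver for every email suffix in use) can be checked before rollout. The following Python is an added example, not code from the original post or from Citrix; the function names and the sample SAN list and suffixes are constructed, and it assumes the standard rule that a wildcard matches exactly one left-most label.

```python
# Added example: pre-flight check for email-based discovery names.
# expected_names, san_covers, audit and all sample data are hypothetical.

def expected_names(email_suffix):
    """DNS names needed for one email suffix, per the steps above."""
    suffix = email_suffix.lower().strip(".")
    return {
        "srv": f"_citrixreceiver._tcp.{suffix}",  # SRV record, port 443
        "san": f"discoverreceiver.{suffix}",      # name the certificate must cover
    }

def san_covers(san, hostname):
    """True if one certificate SAN entry covers hostname.

    A wildcard is honoured only as the whole left-most label and matches
    exactly one label, so *.domain.com covers discoverReceiver.domain.com
    but not discoverReceiver.emea.domain.com.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def audit(email_suffixes, cert_sans):
    """Return {suffix: covering SAN or None} for every email suffix in use."""
    report = {}
    for suffix in email_suffixes:
        needed = expected_names(suffix)["san"]
        report[suffix] = next((s for s in cert_sans if san_covers(s, needed)), None)
    return report

# Constructed sample: SAN list of a gateway certificate and the suffixes users type.
SAMPLE_SANS = ["gateway.domain.com", "*.domain.com"]
SAMPLE_SUFFIXES = ["domain.com", "emea.domain.com", "domain2.com"]

if __name__ == "__main__":
    for suffix, san in audit(SAMPLE_SUFFIXES, SAMPLE_SANS).items():
        names = expected_names(suffix)
        status = f"covered by {san}" if san else "NOT covered, expect a certificate prompt"
        print(f"{suffix}: SRV {names['srv']} -> {names['san']} {status}")
```

Feed `audit` the SAN list exported from the certificate bound to StoreFront or the NetScaler Gateway Virtual Server; any suffix that maps to `None` needs its own discoverReceiver entry or a matching wildcard.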


12 Comments

  • Chris

    February 20, 2019

    For the external configuration, does the SRV record need to point at the NetScaler Gateway URL or the StoreFront URL?

    • George Spiers

      February 21, 2019

      It points to the Gateway URL of Citrix ADC (NetScaler)

  • Rob

    March 11, 2019

    Will this work when using Wildcard Certificates?

    • George Spiers

      March 11, 2019

      Yes, just include discoverReceiver.domain.com in the certificate.

      • Tony

        March 19, 2019

        George, what about a WC cert with *.domain.com in the SAN, would that work?

        • George Spiers

          March 19, 2019

          Yes, in the SAN have discoverReceiver.domain.com (which matches your email suffix). Repeat for any other email suffix that will be used.

        • Tshattuck

          August 14, 2019

          It appears the *.domain.com works without adding specific SAN

  • Xdong

    October 16, 2019

    Hi George, we have Citrix landscape for different regions, i.e. EMEA, AMER and APJ. Each region has its own StoreFront servers and NetScaler. What is the best way to configure email based discovery? Thanks!

    • George Spiers

      November 3, 2019

      One option is to use a wildcard certificate, if all the regions share the same top-level domain.

  • Daan

    May 14, 2020

    When I use a gateway with IP address and forward all my 443 traffic to that gateway everything works fine. But want to put a non-addressable gateway behind a content switcher. Then email based discovery doesn’t work.

  • Kathy

    May 26, 2020

    May I know how to issue a certificate to your StoreFront servers that has an alternative name of discoverReceiver.domain.com? Thanks.

  • Chris

    July 13, 2020

    If users have a mailbox address of user@domain1.com but the ADC/NetScaler Gateway is gateway.domain2.com will this not work? Are any additional steps required to get this working?
