Citrix NetScaler Unified Gateway Series – Part 5 – Secure Your VPN with Advanced EPA Checks

This post has already been read 22611 times!

In part 4 of this blog series I wrote about enabling full VPN access to your network and selectively allowing users to either run VPN or ICA only based on Active Directory Group.  The past entries from this series can be found here

https://bretty.me.uk/citrix-unified-gateway-series-part-1-citrix-unified-gateway-initial-setup/

https://bretty.me.uk/citrix-netscaler-unified-gateway-series-part-2-integrating-your-apps-and-desktops/

https://bretty.me.uk/citrix-netscaler-unified-gateway-series-part-3-adding-web-and-saas-resources/

https://bretty.me.uk/citrix-netscaler-unified-gateway-series-part-4-use-case-for-vpn-and-selective-deployment/

So lets get to it.

If you remember in the last blog article we created a group called “netscaler-vpn” and assigned the UG_VPN policy to that AAA Group.

If you navigate to NetScaler Gateway – Policies – Session

Double click the UG_VPN policy to open it up

As you can see the expression is set to ns_true.  This means that anyone hitting this policy after authentication will just run the VPN Profile regardless of the state of their client device.  Whilst this may be a wanted experience in some instances most of the customers I work with want some form of end point analysis to ensure that the end point is secure.

In this example I am going to set up a simple EPA scan to check if the firewall is turned on when I am logging into the gateway, if it is not then the expression for that specific profile fill fail and it will fall back to the standard policies assigned to the Virtual Server (ICA Only)

First – delete ns_true from the expression box

Then click OPSWAT EPA Editor from the top right hand side of the box

Start to build up your policy from the drop down list provided

Click the + button to add additional expression values

Click on Done to commit the expression

The click OK to write the policy changes back to the NetScaler Unified Gateway

Thats it, but bear in mind this is an extremely simple example.

You can use the expressions && / || to commit AND / OR statements to the expression so this can easily grow.

For Example – a simple expression requested by a customer may be:

We want to allow Windows 7 and Windows 10 machines that are domain joined and have AV running or Mac OSX 10 and above with the firewall enabled.  If the machine does not meet these requirements then drop back to ICA only.

As you can see – that would be a larger and more complex statement – but not one that is impossible – just takes a little thinking and time to get it right.

A Policy reference for the Advanced EPA Scan options can be found here:

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-adv-epa-wrapper-con-v2/ng-adv-epa-ref.html

So, lets test.

I will switch off my Firewall on my MacBook

Navigate to my gateway and log in

As this is the first time I have logged in with EPA enabled my device asks me to download and install the EPA plugin

Once downloaded launch the installer

Click Install Citrix End Point Analysis Plugin

Click Continue

Click Install

Wait for the installation to complete and click Done

Once complete the Citrix End Point Analysis engine will start up and check your system for the required security as per out EPA Scan defined earlier

As you can see in this case my EPA check failed and I reverted to ICA only access

ok – so lets turn my firewall back on

Log back into my gateway

Let EPA check my system – will be faster this time as the era agent is already installed

Passed!  As you can see I get the client choices prompt and therefore have passed EPA and am allowed to run a full VPN

Thats it, In part 6 I will look at securing your deployment and ensuring you get that all important A+ grading from SSL Labs.

Hope thats helped some of you out.

Laters,

b@m