This post has already been read 21628 times!
In part 4 of this blog series I wrote about enabling full VPN access to your network and selectively allowing users to either run VPN or ICA only based on Active Directory Group. The past entries from this series can be found here
So lets get to it.
If you remember in the last blog article we created a group called “netscaler-vpn” and assigned the UG_VPN policy to that AAA Group.
If you navigate to NetScaler Gateway – Policies – Session
Double click the UG_VPN policy to open it up
As you can see the expression is set to ns_true. This means that anyone hitting this policy after authentication will just run the VPN Profile regardless of the state of their client device. Whilst this may be a wanted experience in some instances most of the customers I work with want some form of end point analysis to ensure that the end point is secure.
In this example I am going to set up a simple EPA scan to check if the firewall is turned on when I am logging into the gateway, if it is not then the expression for that specific profile fill fail and it will fall back to the standard policies assigned to the Virtual Server (ICA Only)
First – delete ns_true from the expression box
Then click OPSWAT EPA Editor from the top right hand side of the box
Start to build up your policy from the drop down list provided
Click the + button to add additional expression values
Click on Done to commit the expression
The click OK to write the policy changes back to the NetScaler Unified Gateway
Thats it, but bear in mind this is an extremely simple example.
You can use the expressions && / || to commit AND / OR statements to the expression so this can easily grow.
For Example – a simple expression requested by a customer may be:
We want to allow Windows 7 and Windows 10 machines that are domain joined and have AV running or Mac OSX 10 and above with the firewall enabled. If the machine does not meet these requirements then drop back to ICA only.
As you can see – that would be a larger and more complex statement – but not one that is impossible – just takes a little thinking and time to get it right.
A Policy reference for the Advanced EPA Scan options can be found here:
So, lets test.
I will switch off my Firewall on my MacBook
Navigate to my gateway and log in
As this is the first time I have logged in with EPA enabled my device asks me to download and install the EPA plugin
Once downloaded launch the installer
Click Install Citrix End Point Analysis Plugin
Wait for the installation to complete and click Done
Once complete the Citrix End Point Analysis engine will start up and check your system for the required security as per out EPA Scan defined earlier
As you can see in this case my EPA check failed and I reverted to ICA only access
ok – so lets turn my firewall back on
Log back into my gateway
Let EPA check my system – will be faster this time as the era agent is already installed
Passed! As you can see I get the client choices prompt and therefore have passed EPA and am allowed to run a full VPN
Thats it, In part 6 I will look at securing your deployment and ensuring you get that all important A+ grading from SSL Labs.
Hope thats helped some of you out.