In part 4 of this blog series I wrote about enabling full VPN access to your network and selectively allowing users to run either full VPN or ICA only, based on Active Directory group membership. The past entries from this series can be found here:
https://bretty.me.uk/citrix-unified-gateway-series-part-1-citrix-unified-gateway-initial-setup/
https://bretty.me.uk/citrix-netscaler-unified-gateway-series-part-3-adding-web-and-saas-resources/
So let's get to it.
If you remember in the last blog article we created a group called “netscaler-vpn” and assigned the UG_VPN policy to that AAA Group.
If you navigate to NetScaler Gateway – Policies – Session
Double click the UG_VPN policy to open it up
As you can see, the expression is set to ns_true. This means that anyone hitting this policy after authentication will simply get the VPN profile, regardless of the state of their client device. Whilst this may be the wanted experience in some instances, most of the customers I work with want some form of end point analysis to ensure that the end point is in an acceptable state before it is allowed onto the network.
In this example I am going to set up a simple EPA scan that checks whether the firewall is turned on when I log into the gateway. If it is not, the expression for that specific session policy will fail, and the session will fall back to the standard policies bound to the Virtual Server (ICA only). Note that this is different from a pre-authentication EPA policy: a pre-authentication scan that fails denies the logon outright, whereas a failed expression on a session policy only means that particular policy does not apply, which is exactly what gives us the fall-back behaviour we want here.
First – delete ns_true from the expression box
Then click OPSWAT EPA Editor from the top right hand side of the box
Start to build up your policy from the drop down list provided
Click the + button to add additional expression values
Click on Done to commit the expression
Then click OK to write the policy changes back to the NetScaler Unified Gateway.
That's it, but bear in mind this is an extremely simple example.
You can use the && and || operators to combine checks with AND and OR, so the expression can easily grow. Also bear in mind that an EPA scan runs on the client device and reports its findings back to the gateway, so treat it as a posture check that keeps honest devices compliant rather than as a control that a user in full control of the end point cannot get around.
For example, a simple expression requested by a customer may be:
We want to allow Windows 7 and Windows 10 machines that are domain joined and have AV running, or Mac OS X 10 and above with the firewall enabled. If the machine does not meet these requirements then drop back to ICA only.
As you can see, that would be a larger and more complex statement, but not an impossible one. It just takes a little thinking and time to get it right.
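To make the fall-back logic concrete, here is an added example (my own illustration, not code from the original post or from Citrix) that models the customer rule above as a boolean expression and shows how the session policy precedence plays out: the UG_VPN policy bound to the AAA group wins only when its expression evaluates true, otherwise the session drops to the policy bound to the Virtual Server. The device posture values are constructed, the ICA-only policy name UG_ICA_ONLY is assumed (the post does not name it), and the OPSWAT token strings in the comments are placeholders for whatever your own EPA editor generates, not a reference syntax.

```python
"""Simulate NetScaler Gateway session-policy selection with an EPA expression.

Added example, not the post's own configuration. Posture fields are
constructed test data; UG_ICA_ONLY is an assumed name for the vserver-bound
ICA-only policy; the sys.client_expr(...) fragments in comments are
placeholders, take the real tokens from your EPA editor output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """What the EPA plugin would report about the client device (constructed)."""
    os_family: str       # "windows" or "mac"
    os_version: str      # "7", "10", "10.15" ...
    domain_joined: bool  # placeholder for sys.client_expr("sys_0_DOMAIN_SUFFIX_...")
    av_running: bool     # placeholder for sys.client_expr("app_0_ANTIVIR_...")
    firewall_on: bool    # placeholder for sys.client_expr("app_0_FIREWALL_...")


def windows_domain_joined_with_av(p: Posture) -> bool:
    """First branch of the customer rule: Windows 7 or 10 && domain joined && AV."""
    return (
        p.os_family == "windows"
        and p.os_version in ("7", "10")
        and p.domain_joined
        and p.av_running
    )


def mac_10_or_later_with_firewall(p: Posture) -> bool:
    """Second branch: Mac OS X 10 and above && firewall enabled."""
    if p.os_family != "mac":
        return False
    try:
        major = int(p.os_version.split(".")[0])
    except ValueError:
        return False  # unparseable version: fail closed, do not grant VPN
    return major >= 10 and p.firewall_on


def ug_vpn_expression(p: Posture) -> bool:
    """The whole rule in the (A && B && C) || (D && E) shape the post describes."""
    return windows_domain_joined_with_av(p) or mac_10_or_later_with_firewall(p)


def select_session_profile(p: Posture, in_vpn_group: bool) -> str:
    """Apply NetScaler precedence: AAA-group binding beats the vserver binding,
    but only if the group policy's expression is true; otherwise fall through."""
    if in_vpn_group and ug_vpn_expression(p):
        return "UG_VPN"        # full VPN: user gets the client choices prompt
    return "UG_ICA_ONLY"       # vserver-bound policy: ICA only (name assumed)


if __name__ == "__main__":
    mac_fw_off = Posture("mac", "10.12", False, False, False)
    mac_fw_on = Posture("mac", "10.12", False, False, True)
    win10_ok = Posture("windows", "10", True, True, False)
    win10_not_joined = Posture("windows", "10", False, True, True)
    for label, posture in [("mac, firewall off", mac_fw_off),
                           ("mac, firewall on", mac_fw_on),
                           ("win10 joined + AV", win10_ok),
                           ("win10 not joined", win10_not_joined)]:
        print(f"{label:20} -> {select_session_profile(posture, True)}")
```

The MacBook walkthrough later in the post is the first two cases: firewall off evaluates to ICA only, firewall on evaluates to full VPN. Note that a user who is not in the netscaler-vpn group never reaches the expression at all, and that an unparseable OS version fails closed rather than granting VPN.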
A Policy reference for the Advanced EPA Scan options can be found here:
So, let's test.
I will switch off my Firewall on my MacBook
Navigate to my gateway and log in
As this is the first time I have logged in with EPA enabled my device asks me to download and install the EPA plugin
Once downloaded launch the installer
Click Install Citrix End Point Analysis Plugin
Click Continue
Click Install
Wait for the installation to complete and click Done
Once complete, the Citrix End Point Analysis engine will start up and check your system against the EPA scan we defined earlier.
As you can see in this case my EPA check failed and I reverted to ICA only access
OK, so let's turn my firewall back on.
Log back into my gateway
Let EPA check my system. This will be faster this time, as the EPA agent is already installed.
Passed! As you can see I get the client choices prompt, so I have passed EPA and am allowed to run a full VPN.
That's it. In part 6 I will look at securing your deployment and ensuring you get that all important A+ grading from SSL Labs.
Hope that's helped some of you out.
Laters,
b@m
Thanks a lot Bretty. Awesome post. Helped me resolve some of my issues with the web.config edit.
SSO still does not work from my unified gateway to storefront though.
Thanks
Thanks!
Are you using a NetScaler VIP for the storefront service?
Hi Bretty
I have installed NetScaler version 12. I have created an AAA group and created a VPN policy, which works.
What I want to configure is that VPN is allowed only when certain criteria are met (like the laptop being part of the domain).
I tried it with a pre-authentication policy, but it does not fall back to the default ICA if EPA fails.
Could you guide me on where I may be wrong?
Hi Bretty
I have installed netscaler version 12 VPX.
I want to have VPN only for an AAA group, and only if they meet certain criteria like the device being part of the domain, firewall, etc.
I am not able to create expression using OPSWAT EPA editor under session policy.
How can I achieve this outcome?
Hi Bretty,
Thanks for this series.
Part 6 soon?