Citrix NetScaler Unified Gateway Series – Part 5 – Secure Your VPN with Advanced EPA Checks

In part 4 of this blog series I wrote about enabling full VPN access to your network and selectively allowing users to run either VPN or ICA only, based on Active Directory group. The past entries from this series can be found here.

So let's get to it.

If you remember, in the last blog article we created a group called “netscaler-vpn” and assigned the UG_VPN policy to that AAA group.

Navigate to NetScaler Gateway – Policies – Session.

Double click the UG_VPN policy to open it.

As you can see, the expression is set to ns_true. This means that anyone hitting this policy after authentication will simply run the VPN profile, regardless of the state of their client device. Whilst this may be the wanted experience in some instances, most of the customers I work with want some form of endpoint analysis to ensure that the endpoint is secure.

In this example I am going to set up a simple EPA scan that checks whether the firewall is turned on when I log into the gateway. If it is not, the expression for that specific profile will fail and the session will fall back to the standard policies assigned to the virtual server (ICA only).

First – delete ns_true from the expression box.

Then click OPSWAT EPA Editor in the top right-hand corner of the box.

Start to build up your policy from the drop-down list provided.

Click the + button to add additional expression values.

Click Done to commit the expression.

Then click OK to write the policy changes back to the NetScaler Unified Gateway.

That's it, but bear in mind this is an extremely simple example.

You can use the operators && / || to add AND / OR conditions to the expression, so this can easily grow.

For example – a simple expression requested by a customer may be:

We want to allow Windows 7 and Windows 10 machines that are domain joined and have AV running, or Mac OSX 10 and above with the firewall enabled. If the machine does not meet these requirements, then drop back to ICA only.

As you can see – that would be a larger and more complex statement – but not an impossible one – it just takes a little thinking and time to get right.
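To make the customer requirement above concrete, here is an added example of my own (Python, not NetScaler's EPA expression language and not Citrix code) that evaluates a boolean posture expression against a constructed client report and returns the same VPN / ICA-only outcome the session policy fallback gives. The check names (WIN7, DOMAIN, FW_ENABLED and so on), the posture report fields and the C-style precedence where && binds tighter than || are all this example's own assumptions. Its point is that the Windows branch and the Mac branch must be grouped with parentheses: typed flat, a bare Windows 7 machine passes on the first term alone.

```python
import re

# Constructed posture report keys and check names are this example's own
# assumptions; they are not Citrix EPA identifiers or OPSWAT scan names.
def build_checks(posture):
    """Turn a posture report (dict) into the named boolean checks a policy may use."""
    major = int(str(posture.get("os_version", "0")).split(".")[0])
    os_name = posture.get("os")
    return {
        "WIN7":       os_name == "windows" and major == 7,
        "WIN10":      os_name == "windows" and major == 10,
        "MAC10PLUS":  os_name == "mac" and major >= 10,
        "DOMAIN":     bool(posture.get("domain_joined")),
        "AV_RUNNING": bool(posture.get("av_running")),
        "FW_ENABLED": bool(posture.get("firewall_enabled")),
    }

TOKEN_RE = r"&&|\|\||[()]|[A-Z0-9_]+"

def tokenize(expr):
    """Split an expression into &&, ||, parentheses and check names; reject anything else."""
    leftover = re.sub(TOKEN_RE + r"|\s+", "", expr)
    if leftover:
        raise ValueError(f"unexpected characters in expression: {leftover!r}")
    return re.findall(TOKEN_RE, expr)

class Parser:
    """Recursive-descent evaluator: || has the lowest precedence, && binds tighter,
    parentheses override both (C-style precedence, assumed for this example)."""
    def __init__(self, tokens, checks):
        self.toks, self.i, self.checks = tokens, 0, checks

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return value

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "||":
            self.take()
            rhs = self.and_expr()  # always parse the right side so syntax errors surface
            value = value or rhs
        return value

    def and_expr(self):
        value = self.atom()
        while self.peek() == "&&":
            self.take()
            rhs = self.atom()
            value = value and rhs
        return value

    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok not in self.checks:
            raise ValueError(f"unknown check {tok!r}")
        return self.checks[tok]

def evaluate(expr, posture):
    return Parser(tokenize(expr), build_checks(posture)).parse()

def access_mode(expr, posture):
    """Mirror the session policy behaviour: scan passes -> full VPN, fails -> ICA only."""
    return "VPN" if evaluate(expr, posture) else "ICA-only"

# The customer requirement, grouped explicitly: Windows 7/10 + domain joined + AV running,
# or Mac OS X 10+ with the firewall enabled.
GROUPED = "((WIN7 || WIN10) && DOMAIN && AV_RUNNING) || (MAC10PLUS && FW_ENABLED)"
# The same checks typed without parentheses. && binds tighter than ||, so the bare
# WIN7 term on its own is enough to pass, which is not what the customer asked for.
UNGROUPED = "WIN7 || WIN10 && DOMAIN && AV_RUNNING || MAC10PLUS && FW_ENABLED"

# Constructed sample posture reports.
MAC_FW_OFF = {"os": "mac", "os_version": "10.11", "firewall_enabled": False}
MAC_FW_ON = {"os": "mac", "os_version": "10.11", "firewall_enabled": True}
WIN7_UNMANAGED = {"os": "windows", "os_version": "7"}
WIN10_MANAGED = {"os": "windows", "os_version": "10", "domain_joined": True, "av_running": True}

if __name__ == "__main__":
    for name, posture in [("Mac, firewall off", MAC_FW_OFF), ("Mac, firewall on", MAC_FW_ON),
                          ("Win7, unmanaged", WIN7_UNMANAGED), ("Win10, managed", WIN10_MANAGED)]:
        print(f"{name:18} grouped={access_mode(GROUPED, posture):9} ungrouped={access_mode(UNGROUPED, posture)}")
```

Whatever precedence the appliance itself applies, writing the parentheses out makes the intent reviewable and removes the dependency on that rule; the Mac-with-firewall-off report is the same case the walkthrough below tests by hand.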

A policy reference for the Advanced EPA scan options can be found here:

So, let's test.

I will switch off the firewall on my MacBook.

Navigate to my gateway and log in.

As this is the first time I have logged in with EPA enabled, my device asks me to download and install the EPA plugin.

Once downloaded, launch the installer.

Click Install Citrix End Point Analysis Plugin.

Click Continue.

Click Install.

Wait for the installation to complete and click Done.

Once complete, the Citrix End Point Analysis engine will start up and check your system against the EPA scan we defined earlier.

As you can see, in this case my EPA check failed and I reverted to ICA only access.

OK – so let's turn my firewall back on.

Log back into my gateway.

Let EPA check my system – it will be faster this time as the EPA agent is already installed.

Passed! As you can see, I get the client choices prompt, so I have passed EPA and am allowed to run a full VPN.

That's it. In part 6 I will look at securing your deployment and ensuring you get that all-important A+ grade from SSL Labs.

Hope that's helped some of you out.

5 thoughts on “Citrix NetScaler Unified Gateway Series – Part 5 – Secure Your VPN with Advanced EPA Checks”

  1. nisarg

    Thanks a lot Bretty. Awesome post. Helped me resolve some of my issues with the web.config edit.

    SSO still does not work from my unified gateway to storefront though.


  2. Dalip

    Hi Bretty

    I have installed NetScaler version 12. I have created an AAA Group and created a VPN policy, which works.

    What I want to configure is that VPN is allowed only when certain criteria are met (like the laptop being part of the domain).

    I tried it with a pre-authentication policy but it does not fall back to default ICA if EPA fails.

    Could you guide me on where I may be wrong?

  3. Dalip Ticku

    Hi Bretty

    I have installed NetScaler version 12 VPX.
    I want to have VPN for the AAA group only if they meet certain criteria, like the device being part of the domain, firewall, etc.

    I am not able to create an expression using the OPSWAT EPA editor under the session policy.
    How can I achieve this outcome?
