Configure post-authentication Endpoint Analysis scan as a factor in Citrix ADC nFactor authentication

On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check if a user device meets certain security requirements and accordingly allow internal resources access to the user. The Endpoint Analysis plug-in downloads and installs on the user device when users log on to Citrix Gateway for the first time. If a user does not install the Endpoint Analysis plug-in on the user device or chooses to skip the scan, the user cannot log on with the Citrix Gateway plug-in. Optionally, users can be put in a quarantine group where the user gets limited access to internal network resources.

Previously post-EPA was configured as part of session policy. Now it can be linked to nFactor providing more flexibility, as to when it can be performed.

In this topic, EPA scan is used as a final check in a nFactor or multifactor authentication.

EPA scan as a final check-in nFactor or multifactor authentication

User tries to connect to Citrix Gateway virtual IP address. A simple login page with user name and password field is rendered to user to provide login credentials. With these credentials, LDAP or AD-based authentication is performed at the back end. If successful, user is presented with a popup message to authorize EPA scan. Once user authorizes, EPA scan is performed and based on the success or failure of user client settings, user is provided access.


It is assumed that following configuration are in place.

  • VPN virtual server/gateway and authentication virtual server configurations
  • LDAP server configurations and associated policies

Note: The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

The following image shows mapping of policies and policy label. This is the approach used for configuration, but from right to left.

Mapping of policies and policy label used in this example

Perform the following by using the CLI

  1. Create an action to perform EPA scan and associate it with an EPA scan policy.

    add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"app_0_MAC-BROWSER_1001_VERSION_<=_10.0.3\")||sys.client_expr(\"os_0_win7_sp_1\")"

    The above expression scans if macOS users have browser version less than 10.0.3 or if Windows 7 users have Service pack 1 installed.

    add authentication Policy EPA-check -rule true -action EPA-client-scan
  2. Configure policy label post-ldap-epa-scan that hosts the policy for EPA scan.

    add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT

    Note: LSCHEMA_INT is an in-built schema with no schema (noschema), meaning no additional webpage is presented to user at this step.

  3. Associate policy configured in step 1 with policy label configured in step 2.

    bind authentication policylabel post-ldap-epa-scan -policyName EPA-check - priority 100     -gotoPriorityExpression END
  4. Configure ldap-auth policy to and associate it with an LDAP policy which is configured to authenticate with a particular LDAP server.

    add authentication Policy ldap-auth -rule true -action ldap_server1

    where ldap_server1 is LDAP policy and ldap-auth is the policy name

  5. Associate ldap-auth policy to authentication, authorization, and auditing virtual server with next step pointing to policy label post-ldap-epa-scan to perform EPA scan.

    bind authentication vserver MFA_AAA_vserver -policy ldap-auth -priority 100 -nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT

    Note: Pre-authentication EPA scan is always performed as the first step in nFactor authentication. Post-authentication EPA scan is always performed as the last step in nFactor authentication. EPA scans cannot be performed in between a nFactor authentication.

Configuring using the nFactor Visualizer

The above configuration can also be performed using nFactor Visualizer, which is a feature available on firmware 13.0 and later.

Nfactor flow representation in visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

  2. Click + to add the nFactor flow.

  3. Add a factor. The name that you enter is the name of the nFactor flow.

    Add a name for the flow

  4. Click Add Schema to add a schema for the first factor and then click Add.

    Click to add a schema

  5. Click Add Policy to add the LDAP policy. If the LDAP policy is already created, you can select the same.

    Note: You can create an LDAP policy. Click Add and in the Action field, select LDAP. For more details about adding an LDAP server, see

    Choose a policy to add

    Create an auth policy

  6. Click + to add the EPA factor.

    Click to add the EPA factor

  7. Leave the Add Schema section blank, to have the default no schema applied for this factor. Click Add policy to add the post auth EPA policy and action.

    EPA action:

    Add EPA action

    EPA policy:

    Add EPA policy

    Click Create.

  8. After the nFactor flow is complete, bind this flow to the authentication, authorization, and auditing virtual server.

Configure post-authentication Endpoint Analysis scan as a factor in Citrix ADC nFactor authentication