Product Documentation
Gateway
14.1-Current Release 13.1 12.1
View PDF

Configuring Advanced Endpoint Analysis Scans

September 27, 2025
Contributed by: 
C S

You can configure two types of EPA scan, OPSWAT scan and System scan.

Configuring OPSWAT Scan

The following OPSWAT scans are configured on a Citrix® Gateway appliance.

  • Product specific scan
  • Vendor specific scan
  • Generic scan

Note: Scans that a particular product support is displayed in the GUI. Also, the following OPSWAT scan configuration takes pre-authentication EPA as an example. OPSWAT scan can be configured for post-authentication EPA as well.

Configuring Product specific OPSWAT scan

To use the NetScaler® GUI to configure product specific OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select Antivirus

  6. Select the vendor, for example AVAST Software a.s.

    Select vendor

  7. Select the product, for example Avast! Free Antivirus.

    Select product

  8. Click + next to the product menu to configure the product scan.

    Configure scan

  9. Optionally enter a value for frequency of scan if you want a periodic scan.

    Configure frequency

Configuring Vendor specific OPSWAT Scan

To use the NetScaler GUI to configure Vendor specific OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select category

  6. Select the vendor, for example AVAST Software a.s.

    Select vendor

  7. Select Generic ‘AVAST Software a.s’ Scan vendor specific scan.

    Select vendor specific scan

  8. Click + next to the product menu to configure your scan.

    Configure scan

  9. Optionally enter a value for frequency of scan if you want a periodic scan.

    Configure frequency

Configuring Generic OPSWAT Scan

To use the NetScaler GUI to configure Generic OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select category

  6. Select “Generic” category specific scan, for example Generic Antivirus Product Scan.

    Select generic product

  7. Click + next to the product menu to configure your scan.

    Configure scan

  8. Optionally enter a value for the frequency of the scan if you want a periodic scan.

    Configure frequency

Configuring System Scan

The following system scans are configured on a Citrix Gateway appliance.

  • MAC Address
  • Domain Check
  • Numeric Registry
  • Non-numeric Registry
  • Windows Update

To use the NetScaler GUI to configure OPSWAT System scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the desired system scan from the menu. For example, MAC Address.

    Select scan type

  6. Click the + next to the product menu to configure your scan.

    Configure scan

  7. Optionally enter a value for the frequency of the scan if you want a periodic scan.

    Configure frequency

Upgrade EPA libraries

To use the NetScaler GUI to upgrade EPA libraries:

  1. Navigate to Configuration > Citrix Gateway > Update Client Components.

  2. Under Update Client Components, click Upgrade EPA Libraries link.

  3. Choose the required file and click Upgrade.

For the list of Windows and MAC Supported applications by OPSWAT for Citrix ADC scans, see https://support.citrix.com/article/CTX234466.

To configure a preauthentication profile using Advanced Endpoint Analysis expressions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the profile.
  5. Select an action.
  6. Optionally, enter the names of any processes to be stopped or files to be deleted on the client endpoint system.
  7. Click Create.

Your profile is now available for use in a preauthentication policy as a Request Action

To configure a preauthentication policy using Advanced Endpoint Analysis expressions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the policy.
  5. From the Request Action menu, select the desired profile.
  6. In the Expression pane, select OPSWAT EPA Editor.
  7. In the first menu, select a client operating system.
  8. In the second menu, select a scan type.
  9. When you finish building the policy, click Create.

Bind your Advanced Endpoint Analysis preauthentication policy to enable it.

To bind a preauthentication policy

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. From the Action menu, select Global Bindings.
  5. Click Bind.
  6. In the Policies detail pane that appears, select the check box next to the desired policy.
  7. Click Insert.
  8. The policy is automatically assigned a priority (weight). Click the Priority entry to edit as needed.
  9. Click OK to bind the policy.

To configure an Advanced Endpoint Analysis policy for specific sessions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Session.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the policy.
  5. In the Action menu, do one of the following:
    • a. Select an existing action.
    • b. Click the plus icon to display the configuration parameters that can be set by the session policy. Click the Override Global check box to the right of a configuration option to activate it. Select Create.
  6. In the Expression pane, select OPSWAT EPA Editor.
  7. In the menu, select a client operating system.
  8. In the second pull menu, select a scan type.
  9. When you finish building the policy, click Create.

Bind your Advanced Endpoint Analysis session policy to enable it.

To bind a session policy

  1. Navigate to Citrix Gateway > Policies.
  2. Select Session.
  3. In the details pane, on the Policies tab, click Add.
  4. From the Action menu, select Global Bindings.
  5. Click Bind.
  6. In the Policies detail pane that appears, select the check box next to the desired policy.
  7. Click Insert.
  8. The policy is automatically assigned a priority (weight). Click the Priority entry to edit as needed.
  9. Click OK to bind the policy.
Configuring Advanced Endpoint Analysis Scans
September 27, 2025
Contributed by: 
C S
September 27, 2025
Contributed by: 
C S

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.