Advanced Endpoint Analysis scans

Advanced Endpoint Analysis (EPA) scans user devices against the endpoint security requirements configured on Citrix Gateway. When a user device tries to access Citrix Gateway, the device is scanned for security information, such as operating system, antivirus, and web browser versions, before an administrator can grant access to Citrix Gateway. For more information about the Citrix EPA client system requirements, see Endpoint Analysis requirements.

The Advanced EPA scan is a policy-based scan that you can configure on Citrix Gateway for authentication sessions. The policy performs a registry check on the user device and, based on the result of that evaluation, allows or denies access to the Citrix ADC network.

Important:

OPSWAT scans requiring admin privileges are not supported on Citrix EPA clients for Windows and macOS. To verify supported OPSWAT scans, refer to the “Supported application list.xlsx” available on the Citrix Downloads page for the specific version of the OPSWAT libraries in use.

If a scan qualifier in the “Supported application list.xlsx” is marked as “FALSE”, it indicates that the corresponding OPSWAT scan qualifier is not supported. In such cases, it is recommended to adjust your scans to use supported configurations.

You can configure the advanced EPA scan by using the GUI or the CLI.

On the GUI

  1. Create EPA action.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > EPA and click Add. On the Create Authentication EPA Action page, update the following information and click Create.

    • Name: Name of the EPA action.
    • Default Group: The default group that is chosen when the EPA check succeeds.
    • Quarantine Group: The quarantine group that is chosen when the EPA check fails.
    • Kill Process: String specifying the name of a process to be terminated by the EPA plug-in. Multiple processes must be comma-separated.
    • Delete Files: String specifying the paths and names of the files to be deleted by the EPA plug-in. Multiple files must be comma-separated.
    • Expression: Refer to Advanced Endpoint Analysis policy expression reference for the EPA expression format.

  2. Create a corresponding EPA policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policies and click Add. On the Create Authentication Policy page, update the following information and click Create.

    • Name: Name of the advanced EPA policy.
    • Action Type: Type of the authentication action.
    • Action: Name of the authentication action to be performed if the policy matches.
    • Expression: Refer to Advanced Endpoint Analysis policy expression reference for the EPA expression format.
    • Log Action: Name of message log action to use when a request matches this policy. Maximum allowed length is 127 characters.

  3. Configure an authentication virtual server and an authentication profile.

    • Navigate to Security > AAA - Application Traffic > Authentication Virtual servers and click Add.

    • Navigate to Security > AAA - Application Traffic > Authentication Profile and click Create.

  4. Bind the advanced EPA policy to the authentication virtual server.

    • Navigate to Security > AAA - Application Traffic > Authentication Virtual Servers and select the authentication virtual server.
    • Select the policy in the Advanced Authentication Policies section.
    • Click Bind in the Policy Binding section.

  5. Bind the EPA policy to nFactor flow.

    For details about how to add an advanced EPA policy as a factor to the nFactor flow, see EPA scan as a factor in nFactor authentication.

On the CLI

  1. Create an action to perform the EPA scan.

    add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"proc_2_firefox\")"

    The preceding expression checks whether the process ‘Firefox’ is running. The EPA plug-in re-checks for the process every 2 minutes, as signified by the digit ‘2’ in the scan expression.

  2. Associate the EPA action to an advanced EPA policy.

    add authentication Policy EPA-check -rule true -action EPA-client-scan

  3. Configure an authentication virtual server and an authentication profile.

    add authentication vserver authnvsepa SSL 10.104.130.129 443

    add authentication authnProfile Authnprofile_EPA -authnVsName authnvsepa

  4. Bind the advanced EPA policy to the authentication virtual server.

    bind authentication vserver authnvsepa -policy EPA-check -priority 1

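The GUI and CLI procedures above create a chain of objects (EPA action, policy, authentication virtual server, authentication profile, and the policy binding) that only enforces the scan when every link is present. The following added example, which is not part of the original page or of Citrix's own tooling, audits a constructed ns.conf fragment for broken links in that chain; the sample config lines and the orphan policy `EPA-orphan` are constructed for the demonstration.

```python
import re

# Constructed ns.conf fragment mirroring the four CLI steps on this page,
# plus one deliberately broken entry: a policy whose EPA action was never created.
SAMPLE_NSCONF = """
add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\\"proc_2_firefox\\")"
add authentication Policy EPA-check -rule true -action EPA-client-scan
add authentication Policy EPA-orphan -rule true -action EPA-missing-action
add authentication vserver authnvsepa SSL 10.104.130.129 443
add authentication authnProfile Authnprofile_EPA -authnVsName authnvsepa
bind authentication vserver authnvsepa -policy EPA-check -priority 1
bind authentication vserver authnvsepa -policy EPA-orphan -priority 2
"""

def parse_nsconf(text):
    """Collect EPA actions, policies, vservers, profiles and bindings from ns.conf text."""
    cfg = {"actions": set(), "policies": {}, "vservers": set(), "profiles": {}, "bindings": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "authentication":
            continue
        kind = parts[2].lower()
        if parts[0] == "add" and kind == "epaaction":
            cfg["actions"].add(parts[3])
        elif parts[0] == "add" and kind == "policy":
            m = re.search(r"-action\s+(\S+)", line)
            cfg["policies"][parts[3]] = m.group(1) if m else None
        elif parts[0] == "add" and kind == "vserver":
            cfg["vservers"].add(parts[3])
        elif parts[0] == "add" and kind == "authnprofile":
            m = re.search(r"-authnVsName\s+(\S+)", line)
            cfg["profiles"][parts[3]] = m.group(1) if m else None
        elif parts[0] == "bind" and kind == "vserver":
            m = re.search(r"-policy\s+(\S+)", line)
            if m:
                cfg["bindings"].append((parts[3], m.group(1)))
    return cfg

def audit_epa_chain(text):
    """Return findings for broken links in the action -> policy -> vserver -> profile chain."""
    cfg = parse_nsconf(text)
    findings = []
    for pol, act in cfg["policies"].items():
        if act not in cfg["actions"]:
            findings.append(f"policy {pol} references missing EPA action {act}")
    for vs, pol in cfg["bindings"]:
        if vs not in cfg["vservers"]:
            findings.append(f"binding on unknown vserver {vs}")
        if pol not in cfg["policies"]:
            findings.append(f"vserver {vs} binds unknown policy {pol}")
    for pol in set(cfg["policies"]) - {p for _, p in cfg["bindings"]}:
        findings.append(f"policy {pol} is never bound to an authentication vserver")
    for prof, vs in cfg["profiles"].items():
        if vs not in cfg["vservers"]:
            findings.append(f"authnProfile {prof} points at missing vserver {vs}")
    return findings
```

Run `audit_epa_chain` over the output of `show ns runningConfig` (or a saved ns.conf) to catch an EPA policy that is bound but can never evaluate because its action is missing, which would otherwise surface only as failed logons.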

Upgrade EPA libraries

To use the Citrix ADC GUI to upgrade EPA libraries:

  1. Navigate to Configuration > Citrix Gateway > Update Client Components.

  2. Under Update Client Components, click Upgrade EPA Libraries link.

  3. Choose the required file and click Upgrade.

Important:

  • In a Citrix Gateway high availability setup, the EPA libraries must be upgraded on both the primary and secondary nodes.

  • In a Citrix Gateway clustering setup, the EPA libraries must be upgraded on all the cluster nodes.

For the list of Windows and Mac applications supported by OPSWAT for Citrix ADC scans, see https://support.citrix.com/article/CTX234466.

Troubleshooting advanced Endpoint Analysis scans

To help with troubleshooting Advanced Endpoint Analysis scans, the client plug-ins write logging information to a file on client endpoint systems. These log files can be found in the following directories, depending on the user’s operating system.

Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10:

C:\Users\<username>\AppData\Local\Citrix\AGEE\nsepa.txt

Windows XP:

C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt

Mac OS X systems:

~/Library/Application Support/Citrix/EPAPlugin/epaplugin.log

(Where the ~ symbol indicates the relevant macOS user’s home directory path.)

Ubuntu:

  • ~/.citrix/nsepa.txt

  • ~/.citrix/nsgcepa.txt