Device Posture checks on NetScaler® Gateway

Starting from NetScaler Gateway release 14.1 build 43.x, the Citrix Device Posture service is integrated with NetScaler Gateway. You can configure the device posture checks on NetScaler Gateway.

Prerequisites

Ensure that the following prerequisites are met when configuring device posture checks on NetScaler Gateway:

  • The customer ID is set on NetScaler Gateway by using the GUI or CLI:

    • CLI command: set dps parameter -CustomerID <CCID>
    • GUI: NetScaler Gateway -> Global Settings -> Change DPS Parameter settings.
  • The virtual server FQDN is set in the VPN virtual server configuration.
  • The virtual server FQDN is added in the Device Posture > Settings page. For details, see Configure the list of allowed domains.

Note:

  • For NetScaler Gateway versions prior to 14.1 build 56.x, use the set cloud parameter -CustomerID <CCID> -Deployment <DeploymentType> command to configure the customer ID. For example: set cloud parameter -CustomerID krfnzimofi6b -Deployment Production.
  • In Secure Private Access hybrid deployments, the set dps parameter -CustomerID setting and the VPN virtual server FQDN are configured automatically during onboarding.

Enable Device Posture by using the GUI

Device Posture checks on NetScaler Gateway can be enabled globally, at the VPN virtual server level, or as part of the nFactor authentication.

  • Global - The Device Posture check is performed first, before any other authentication.
  • VPN virtual server level - The Device Posture scans are applied only to users connecting to a specific VPN virtual server, which gives granular control.
  • Factor in nFactor authentication - The Device Posture scans can be configured as a step in the authentication process. Device Posture can be configured as the first, second, or any step in the nFactor authentication flow. For details, see Configuring nFactor authentication.

Enable Device Posture checks at the global level

Perform the following steps to enable Device Posture globally:

  1. Navigate to NetScaler Gateway -> Global Settings -> Change Global Settings.
  2. Click the Security tab.
  3. In Device Posture, select ENABLED, and then click OK.

Enable Device Posture checks at the VPN virtual server level

Perform the following steps to enable Device Posture for a specific VPN virtual server:

  1. Navigate to NetScaler Gateway -> Virtual Servers.
  2. On the NetScaler Gateway Virtual Servers page, select the VPN virtual server on which you want to enable the Device Posture check, and then click Edit.
  3. In Basic Settings, click the edit icon, and then click More.
  4. In Device Posture, select ENABLED, and then click OK.

Enable Device Posture checks as a factor in nFactor authentication

You must create an EPA action that performs the Device Posture scan and then add this action as a factor in the nFactor authentication flow. Perform the following steps to add Device Posture as a factor in the nFactor authentication flow:

Note:

A single factor in an nFactor flow is either a classic EPA scan or a Device Posture scan, not both. The two can be configured as separate factors in the same flow, but neither falls back to the other if its scan fails.

  1. Navigate to Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> EPA.
  2. On the Authentication EPA Action page, click Add.
  3. On the Create Authentication EPA Action page, update the following information and click Create.

    • Name: Name of the EPA action.
    • Default Group: The group assigned to the user when the device posture check succeeds.
    • Quarantine Group: The group assigned to the user when the device posture check fails.
    • Device Posture: Select ENABLED to enable the device posture check.

    Note:

    • The Device Posture option is disabled by default. Existing users can continue to use their existing EPA expressions.
    • When the Device Posture option is enabled, you do not configure expressions on the gateway, because the posture scans are defined in the Device Posture service portal. The Kill Process, Delete Files, and Expression fields of the EPA action become uneditable.
  4. Bind the EPA action to an authentication policy, and bind that policy to the authentication virtual server. For details, see Configuring nFactor authentication and EPA scan as a factor in nFactor authentication.

    • Navigate to Security -> AAA - Application Traffic -> Virtual Servers.
    • Select the virtual server and click Edit.
    • In Advanced Authentication Policies, click Authentication Policy and then click Add binding.
    • Select the EPA action created earlier.
    • Assign a priority and select the next factor.
    • Click Bind.

Enable Device Posture by using the CLI

You can enable Device Posture at the following levels:

  • Global level

    set vpn parameter -devicePosture ENABLED

  • VPN virtual server level

    set vpn vserver <vserver-name> -devicePosture ENABLED

  • As a factor in an nFactor flow

    For an nFactor flow, create an EPA action and an authentication policy, and then bind the policy to the authentication virtual server. Example: configure Device Posture as the first factor:

    add authentication epaAction dps_act -devicePosture ENABLED

    add authentication policy dps_pol -rule true -action dps_act

    bind authentication vserver dpsspa -policy dps_pol

    show authentication vserver dpsspa
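The same nFactor configuration carried one step further, as an added example that is not part of the NetScaler documentation or any Citrix-provided script: Device Posture as the second factor after LDAP (the page notes that Device Posture can be any step of the flow), with the Default Group and Quarantine Group fields from the GUI procedure filled in on the CLI so that the scan outcome can drive authorization. The helper emits NetScaler CLI commands rather than running them. Assumptions: 14.1 build 56.x or later (set dps parameter), the LDAP server 10.0.0.5 and its bind DN, every object name used (auth_vs, ldap_act, ldap_pol, dps_act, dps_pol, dps_label, auth_prof, dps_ok, dps_quarantine, authz_dps_ok), and that the gateway's default authorization action is DENY so that the quarantine group receives no access.

```shell
#!/bin/sh
# Added example, not from the NetScaler documentation or a Citrix script.
# Emits a NetScaler CLI configuration that runs Device Posture as the SECOND
# nFactor factor, after LDAP, and maps the scan outcome to groups. Assumed:
# 14.1 build 56.x or later ('set dps parameter'), the LDAP server 10.0.0.5
# and bind DN, and every object name below. The scan content itself lives in
# the Device Posture service portal, so the EPA action carries no expression.
#
# Usage: gen_dps_nfactor_config <customer-id> <vpn-vserver> <gateway-fqdn> > dps.conf
#        scp dps.conf nsroot@<nsip>:/nsconfig/
#        ssh nsroot@<nsip> 'batch -fileName /nsconfig/dps.conf'
gen_dps_nfactor_config() {
    ccid=$1; vpn_vs=$2; fqdn=$3

    # Prerequisites from the page: customer ID and the VPN virtual server FQDN.
    cat <<EOF
set dps parameter -CustomerID $ccid
set vpn vserver $vpn_vs -vserverFqdn $fqdn
EOF

    # Factor 1: LDAP credentials over LDAPS (assumed server; use a dedicated,
    # least-privilege bind account and replace the placeholder password).
    cat <<EOF
add authentication ldapAction ldap_act -serverIP 10.0.0.5 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword "CHANGE-ME" -ldapLoginName sAMAccountName
add authentication policy ldap_pol -rule true -action ldap_act
EOF

    # Factor 2: Device Posture. Success puts the user in dps_ok, failure in
    # dps_quarantine. LSCHEMA_INT is the built-in no-UI login schema, which is
    # what a scan-only factor needs.
    cat <<EOF
add authentication epaAction dps_act -devicePosture ENABLED -defaultEPAGroup dps_ok -quarantineGroup dps_quarantine
add authentication policy dps_pol -rule true -action dps_act
add authentication policylabel dps_label -loginSchema LSCHEMA_INT
bind authentication policylabel dps_label -policyName dps_pol -priority 100 -gotoPriorityExpression END
EOF

    # Chain: LDAP on the authentication vserver, then jump to the posture factor,
    # and attach the authentication vserver to the gateway via an authentication profile.
    cat <<EOF
add authentication vserver auth_vs SSL 0.0.0.0
bind authentication vserver auth_vs -policy ldap_pol -priority 100 -nextFactor dps_label -gotoPriorityExpression NEXT
add authentication authnProfile auth_prof -authnVsName auth_vs
set vpn vserver $vpn_vs -authnProfile auth_prof
EOF

    # Enforcement (assumes the gateway's default authorization action is DENY):
    # only members of the success group are allowed through; quarantined users
    # authenticate but get no resources.
    cat <<EOF
add authorization policy authz_dps_ok 'AAA.USER.IS_MEMBER_OF("dps_ok")' ALLOW
bind vpn vserver $vpn_vs -policy authz_dps_ok -priority 100
EOF
}

# Commands to run afterwards to confirm what took effect, following the page's
# own 'show authentication vserver' pattern.
verify_commands() {
    printf '%s\n' "show dps parameter" "show authentication vserver auth_vs" "show vpn vserver $1"
}
```

Keep the classic global or VPN-vserver -devicePosture ENABLED switches off when the scan is a dedicated nFactor factor, so that a device is not scanned twice for one login; and because the generated file contains the LDAP bind password in clear text, treat it as a secret until it has been applied and removed from /nsconfig.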