Advanced Endpoint Analysis scans

Advanced Endpoint Analysis (EPA) scans user devices against the endpoint security requirements configured on NetScaler Gateway. When a user device tries to access NetScaler Gateway, the device is scanned for security information, such as the operating system, antivirus, and web browser versions, before access to NetScaler Gateway is granted.

The Advanced EPA scan is a policy-based scan that you can configure on NetScaler Gateway for authentication sessions. The policy performs a registry check on a user device and, based on the evaluation result, allows or denies access to the NetScaler network. For more information about the Citrix EPA client system requirements, see Endpoint Analysis requirements.

Important:

Citrix EPA client does not support the following OPSWAT antivirus checks:

  • Real-time protection status of the Sophos endpoint agent.

  • Timestamp of virus definition files for Bitdefender endpoint security tools.

Starting from Citrix Secure Access client for Windows version 24.8.1.15, the Windows Last Update scan includes updates installed through BigFix, Intune, and other third-party tools. Previously, the scan only checked updates installed through the Windows Auto Upgrade service.

Note:

The Windows Last Update scan enhancement is applicable for EPA library version 24.9.1.1 and above. To update the EPA library, download it from https://www.citrix.com/downloads/citrix-gateway/epa-libraries/epa-libraries-for-netscaler-gateway.html.

You can configure the advanced EPA scan by using the GUI or the CLI.

On the GUI

  1. Create EPA action.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > EPA and click Add. On the Create Authentication EPA Action page, update the following information and click Create.

    • Name: Name of the EPA action.
    • Default Group: The default group that is chosen when the EPA check succeeds.
    • Quarantine Group: The quarantine group that is chosen when the EPA check fails.
    • Kill Process: A string specifying the name of a process to be terminated by the EPA plug-in. Multiple processes must be comma-separated.
    • Delete Files: A string specifying the paths and names of the files to be deleted by the EPA plug-in. Multiple files must be comma-separated.
    • Expression: Refer to Advanced Endpoint Analysis policy expression reference for the EPA expression format.

    • EPA Editor: Select the operators for the product version scan.

    Note:

    Citrix EPA client for macOS 24.2.1.5 / Citrix Secure Access client for macOS 24.02.1 and later versions support the EPA operators >, <, >=, <=, == and != on the EPA editor. Also, the Mac OS option is now available as a separate option on the EPA editor (Mac > Mac OS). Previously, the macOS product version scan had to be performed at Common > Operating System > MacOS using only the == and != operators. Ensure that you are using NetScaler Gateway 14.1-12.x or later to leverage this functionality.

    You can perform a product version scan of your macOS devices at Mac > Mac OS using these operators. For example, to allow the OS versions from 12.4 to 13.0, except 12.8, configure the expression sys.client_expr("sys_0_MAC-OS_version_>=_12.4")&&sys.client_expr("sys_0_MAC-OS_version_<=_13.0")&&sys.client_expr("sys_0_MAC-OS_version_!=_12.8") on the EPA editor.

  2. Create a corresponding EPA policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policies and click Add. On the Create Authentication Policy page, update the following information and click Create.

    • Name: Name of the advanced EPA policy.
    • Action Type: Type of the authentication action.
    • Action: Name of the authentication action to be performed if the policy matches.
    • Expression: Refer to Advanced Endpoint Analysis policy expression reference for the EPA expression format.
    • Log Action: Name of message log action to use when a request matches this policy. The maximum allowed length is 127 characters.

  3. Configure an authentication virtual server and an authentication profile.

    • Navigate to Security > AAA - Application Traffic > Authentication Virtual servers and click Add.

    • Navigate to Security > AAA - Application Traffic > Authentication Profile and click Create.

  4. Bind the advanced EPA policy to the authentication virtual server.

    • Navigate to Security > AAA – Application Traffic > Authentication Virtual Servers and select the authentication virtual server.
    • Select the policy in the Advanced Authentication Policies section.
    • Click Bind in the Policy Binding section.

  5. Bind the EPA policy to nFactor flow.

    For details about how to add an advanced EPA policy as a factor to the nFactor flow, see EPA scan as a factor in nFactor authentication.

On the CLI

  1. Create an action to perform the EPA scan.

    add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"proc_2_firefox\")"

    The preceding expression checks whether the process ‘Firefox’ is running. The EPA plug-in re-checks for the process every 2 minutes, as signified by the digit ‘2’ in the scan expression.

  2. Associate the EPA action to an advanced EPA policy.

    add authentication Policy EPA-check -rule true -action EPA-client-scan

  3. Configure an authentication virtual server and an authentication profile.

    add authentication vserver authnvsepa ssl -ip address 10.104.130.129 -port 443

    add authentication authnProfile Authnprofile_EPA -authnVsName authnvsepa

  4. Bind the advanced EPA policy to the authentication virtual server.

    bind authentication vs authnvsepa -policy EPA-check -pr 1

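To make the expression syntax used on this page concrete, the following Python evaluator (added here; it is not part of the Citrix EPA plug-in or NetScaler) parses the sys.client_expr("...") clauses from the macOS version-range example and the proc_2_firefox process check, and evaluates them against a constructed device report. The two clause shapes are inferred from the page's examples and the dict-based device report is an assumption, not the plug-in's real data format.

```python
import operator
import re

# Comparison operators the page lists for the EPA editor (>, <, >=, <=, ==, !=).
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}
# Clause shapes inferred from the page's two examples (an assumption, not the full EPA grammar):
#   sys_0_MAC-OS_version_>=_12.4  -> product version comparison
#   proc_2_firefox                -> process running, re-checked every 2 minutes
CLAUSE_RE = re.compile(r'sys\.client_expr\s*\("([^"]+)"\)')  # strips the sys.client_expr("...") wrapper
VERSION_RE = re.compile(r"^sys_0_(?P<prod>.+?)_version_(?P<op>>=|<=|==|!=|>|<)_(?P<ver>[\d.]+)$")
PROC_RE = re.compile(r"^proc_(?P<interval>\d+)_(?P<name>.+)$")

def version_tuple(text):
    """'12.10' -> (12, 10), so 12.10 compares greater than 12.4 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))

def scan_interval_minutes(clause):
    """Re-check interval encoded in a proc_<minutes>_<name> clause, or None for other clauses."""
    match = PROC_RE.match(clause)
    return int(match.group("interval")) if match else None

def eval_clause(clause, device):
    """Evaluate one clause against a constructed device report (a dict; assumption)."""
    match = VERSION_RE.match(clause)
    if match:
        actual = device.get("versions", {}).get(match.group("prod"))
        if actual is None:  # product not reported: the check fails closed
            return False
        return OPS[match.group("op")](version_tuple(actual), version_tuple(match.group("ver")))
    match = PROC_RE.match(clause)
    if match:
        running = {name.lower() for name in device.get("processes", [])}
        return match.group("name").lower() in running
    raise ValueError(f"unsupported clause: {clause}")

def eval_expression(expr, device):
    """Evaluate clauses joined with && (the only connector the page uses); other syntax is rejected."""
    clauses = CLAUSE_RE.findall(expr)
    leftover = CLAUSE_RE.sub("", expr).replace("&&", "").strip()
    if not clauses or leftover:
        raise ValueError("expected sys.client_expr(...) clauses joined by &&")
    return all(eval_clause(clause, device) for clause in clauses)

# Constructed sample report and the page's macOS range expression (12.4 to 13.0, except 12.8).
SAMPLE_DEVICE = {"versions": {"MAC-OS": "12.6"}, "processes": ["Finder", "firefox"]}
MACOS_RANGE = ('sys.client_expr("sys_0_MAC-OS_version_>=_12.4")'
               '&&sys.client_expr("sys_0_MAC-OS_version_<=_13.0")'
               '&&sys.client_expr("sys_0_MAC-OS_version_!=_12.8")')
FIREFOX_CHECK = 'sys.client_expr ("proc_2_firefox")'  # the CLI example on the page, space included
```

Because version strings are compared as numeric tuples, a report of 12.10 is correctly treated as newer than 12.4, which a plain string comparison would get wrong.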
Upgrade EPA libraries

To use the NetScaler GUI to upgrade EPA libraries:

  1. Navigate to Configuration > NetScaler Gateway > Update Client Components.

  2. Under Update Client Components, click the Upgrade EPA Libraries link.

  3. Choose the required file and click Upgrade.

Important:

  • In a NetScaler Gateway high availability setup, the EPA Libraries must be upgraded on both the primary and secondary nodes.

  • In a NetScaler Gateway clustering setup, the EPA Libraries must be upgraded on all the cluster nodes.

For the list of Windows and Mac applications supported by OPSWAT for NetScaler scans, see https://support.citrix.com/article/CTX234466.

Troubleshooting advanced Endpoint Analysis scans

To help with troubleshooting Advanced Endpoint Analysis scans, the client plug-ins write logging information to a file on client endpoint systems. These log files can be found in the following directories, depending on the user’s operating system.

Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10:

C:\Users\<username>\AppData\Local\Citrix\AGEE\nsepa.txt

Windows XP:

C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt

Mac OS X systems:

~/Library/Application Support/Citrix/EPAPlugin/epaplugin.log

(Where the ~ symbol indicates the relevant macOS user’s home directory path.)

Ubuntu:

  • ~/.citrix/nsepa.txt

  • ~/.citrix/nsgcepa.txt