Tag Archives: Pre-Authentication Policies

Setup Pre-Authentication Endpoint Analysis (EPA) Policy with an Azure NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to setup an Endpoint Analysis (EPA) scan of Windows and Mac devices with an Azure NetScaler (Unified) Gateway VPX 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
ENDPOINT ANALYSIS – epa
FIREWALL – f/w
ANTI-VIRUS = a/v
NETSCALER UNIFIED GATEWAY – nug
NETSCALER GATEWAY – nsg
XENAPP – xa
XENDESKTOP – xd
VIRTUAL DESKTOP – vd
PRE-AUTHENTICATION – pre-auth
CONFIGURATION – cfg
MICROSOFT – ms

What is an Pre-Authentication EPA Scan?
Citrix NUG provides an ability to perform and enforce end-point security checks using the NetScaler’s EPA agent which installed onto supported OSes (Windows, OS X) which then sends the results to the NUG to validated against preconfigured “Preauthentication Policy(s)” which check’s if e.g the Windows Firewall enabled? If YESthen the user is allowed to procced to logon page and if NO the user is denied access until all outstanding end-security requirements have been successful meet.

You can create pre-auth policies using Opswat – http://citrix.opswat.com/ to check for A/V including min version, precense of exsiting registry entries, file policies and much more so be sure to check out https://docs.citrix.com/en-us/netscaler-gateway/11/vpn-user-config/endpoint-policies/ng-endpoint-expressions-client-security-preauth-con.html for more in-depth detail.

User Workflow of Pre-Authentication EPA Scans
1. User attempts to login by opening an internet browser e.g Internet Explorer or Google Chrome and navigates to at https://go.x1co.eu/
2. The user is automatically re-directed to https://go.x1co.eu/epa/epa.html
3. The user will be prompted after 10 seconds if they do not have the EPA agent installed to install it with the download initiating from the NetScaler on https://go.x1co.eu/epa/epa.html.
4. The user follows the onscreen instructions to install the EPA agent and after it’s installation the EPA scan begins automatically.
5. The scanned results are sent to the NetScaler at https://go.x1co.eu/.
6. The NetScaler verifies the sent scanned results based upon the pre-auth policy cfg configured in the “Preauthentication Policy(s)” on the NUG and then returns a pass vs. fail to the device. If the device receives a Pass then the user can login with there organisation credentials at – https://go.x1co.eu/vpn/index.html and if its a Fail then the user is redirected automatically to https://go.x1co.eu/epa/errorpage.html and they should thereafter contact there organisations IT support department with the Case ID presented to the user onscreen to help resolve and validate the end-users required end-point security requirements to be able to login successfully.

The following Image 1 below describes visually the user flow once the end-user has the NetScaler EPA agent installed and a scan is initated if sucessful the user can then attemp to auth against the NetScaler UG and will be presented with various options as configured by the NS & CTX SysAdmins but lets assume they have all three options avaiable to them as part of the NetScaler Unified Gateway offering and the user in this example elect’s to select a virtual desktop from XAD as seen in the Image 2 below.

Image 1

Image 2

Setup Pre-Authentication Policy on your NetScaler 11.x.n+ for a PoC
The following will descirbe’s how-to setup & bound a pre-authentication policy to check the min ClamWin Anti-Virus version installed onto a Windows desktop OS and to check that your Windows Firewall actually ENABLED!

1. Setup your NetScaler Unified Gateway following this detailed Citrix CTX article – https://support.citrix.com/article/CTX205295.
2. Test that you can actually login to your configured NetScal UG and launch a virtual app or desktop or connecting to an internal intranet homepage using the clientless VPN feature prior to proceeding.
3. Go back to the NS Admin WebUi & then navigate to “NetScaler Gateway > Policies > Preauthentication Profiles > Add“.
4. Select “Add” and enter in a name for your policy e.g PreScanPoC and ensure that the “Action” field is set to “ALLOW” then click “Create“.
5. Now in the Expression Editor input field below click on the link entitled “OPSWAT EPA editor“.
6. Now select “Windows” next select “Firewall” then search for and select “Microsoft Windows Firewall” then click on the “+” symbol and configure as follows below:

Version <
Enabled == TRUE
Comment == Microsoft Windows Firewall

7. Next click on “OPSWAT EPA editor” once again & now select “Windows” next select “Antivirus” then search for and select “*YOUR PREFFERD & SUPPORTED ANTI-VIRUS” then click on the “+” symbol and configure as follows below replacing ClamWin Free Antivirus with your *:

Version < 0.99.1
Enabled ==
Comment == ClamWin Free Antivirus

Or if you prefer you could also just copy and paste the following into your expression editor input box “CLIENT.APPLICATION(‘ANTIVIR_177001_VERSION_<=_0.99.1[COMMENT: ClamWin Free Antivirus]') EXISTS && CLIENT.APPLICATION('FIREWALL_6015_ENABLED_==_TRUE[COMMENT: Microsoft Windows Firewall]') EXISTS” or if you only want to configure the pre-auth policy to just detect if your MS Windows Firewall is disabled and deny access then copy and paste the folllwing into the expression editor input box “CLIENT.APPLICATION(‘FIREWALL_6015_ENABLED_==_TRUE[COMMENT: Microsoft Windows Firewall]’) EXISTS“.

8. Once you have finished your inputs then select “Ok“.
9. Now click on the “Action” drop down above and select “Global Bindings“, next select the “pencil icon” and select your created policy e.g “PreScanPoC” as described eariler, once you return back to the Policy Binding view select “Bind” and click “Close”.
10. Now using the menu on the left-hand side navigate to “NetScaler Gateway > Virtual Servers” and select your Unified Gateway configuration and select “Edit”.
11. Scroll to the bottom and look for the “Policies” section and click on the “+” symbol.
12. Next from the “Choose Policy*” drop down list select “Preauthentication” and the “Choose Type*” default should be “Request” and then click on “Continue“.
13. Parallel to “Select Policy*” select the “” then select your Preauthentication Policy e.g “PreScanPoC“.
14. Select “Bind” then click on “Close”.
15. Click on “Done” and now you have setup & configured your first pre-authentication Endpoint Analysis (EPA) policy against your NetScaler Unified Gateway configurtion of your Azure NetScaler (Unified) Gateway 11.x.n VPX.
16. Naviagte to your FQDN e.g https://go.x1co.eu/ and attempt to sign-in and you’ll notice it will prompt you to install the EPA agent and thereafter automatically initate the EPA scan which will either allow or deny your access e.g turn your Windows f/w on an off to test how the EPA scanning works.

Troubleshooting
As I only have a Windows laptop my suggusted troubleshooting is only relevant to Windows OSes.

1. On Windows click Start -> Run -> enter in “%localappdata%\Citrix\AGEE\” once Windows Explorer opens the window you can open and review each file for errors however in most cases I would sugguest if you are just trying to get an EPA scan to work based upon this blog article then copy and paste the Windows f/w expression only.

Citrix NetScaler How-to Guides
The follow guides and more can be found at the NetScaler Developer Community webpage – https://www.citrix.com/go/citrix-developer/netscaler-developer-community/howto-guides.html which also includes how-to guides for HDX Framehawk, GSLB, L/B DNS traffic and much much more. The below guides are purely focused on configuriung pre-authentication scans on your NUG prior to allowing to attempt to login.

1. How do I configure EPA for Registery Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-registery-check.pdf
2. How do I configure EPA for Symantec Antivirus Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-symantec-antivirus-check.pdf
3. How do I configure EPA for Windows Update Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-windows-update-check.pdf