Implementing NetScaler EPA

Ultra thin laptops using Cloud

Author: Jamie Engelhard, CTO

A client of ours recently made a strategic decision to move away from a VDI initiative and instead provide all their mobile attorneys with super-fast, ultra-light laptops and SSL VPN access to their backend applications and data. Since this shift dramatically expands both the attack surface and the number of vectors into the corporate network, the firm needed a solution to ensure that the devices that are connecting are authentic firm-managed machines and that they have not fallen out of compliance with security policies. To accomplish this, I implemented NetScaler Advanced Endpoint Analysis (EPA) to perform posture checking on any device attempting to connect to the VPN.

I had previously used earlier versions of EPA on Netscaler, but with version 10.5, Citrix has dramatically improved the capabilities and simplified the creation and configuration of the policies. With built-in support for scores of vendors’ security products and an intuitive policy expression builder, creating truly useful scans is easier than ever.

EPA scanning requires a client plug-in, which will be installed automatically if not detected on the user’s computer. The plug-in works with IE, Firefox and Chrome on both Windows and Mac OS X. EPA also requires a Universal license for each user, but this is a given since it only applies to VPN which also requires this license.

Pre or Post Authentication Scanning?
One key decision to make is whether to scan the incoming user's PC before or after they log in. A pre-authentication scan denies all access to the environment if the scan fails. A post-authentication scan runs after login, and a failed scan can trigger a variety of less draconian actions, such as reducing the network access level, redirecting the user to a remediation page, or providing access to XenApp/XenDesktop only. In this case, our client chose to perform a post-authentication scan and, on failure, allow access to XenApp and a remediation page but not full VPN access to the entire network.

What to Check For?
As I mentioned, there are numerous checks that can be performed, many of which can be done on both Mac and PC platforms. Our client decided to only allow VPN access from the firm’s Windows laptops if the following requirements are met:

  • Computer must include a specific registry tattoo
  • Computer must have McAfee Antivirus Enterprise Edition 8.8 installed
  • AV signatures must be less than 5 days old
  • AV real-time scanning must be enabled
  • Windows Firewall must be enabled
  • Windows Update must have checked for updates within the last 5 days
  • Hard disk must be encrypted with BitLocker

All of these rules were very simply configured using the Netscaler web-based management tool and the EPA expression editor. The settings were added to the existing session policy already bound to the Netscaler Gateway, which activates the check post-authentication.
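The post-authentication decision described above, modelled as an added Python example (not NetScaler's own code or its EPA expression syntax): the rule names, the `DeviceFacts` fields and the sample facts are assumptions for illustration, while the thresholds and the access tiers follow the firm's policy as stated. Missing facts fail closed, and the two five-day boundaries are handled as the policy words them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_AGE_DAYS = 5  # the firm's threshold for AV signature age and Windows Update checks


@dataclass
class DeviceFacts:  # field names are assumed, not the EPA plug-in's own
    registry_tattoo: bool = False
    av_product: Optional[str] = None
    av_version: Optional[str] = None
    av_signature_date: Optional[date] = None
    av_realtime_enabled: bool = False
    firewall_enabled: bool = False
    last_update_check: Optional[date] = None
    bitlocker_enabled: bool = False


def evaluate_posture(facts: DeviceFacts, today: date) -> List[str]:
    """Return the names of failed rules ([] = compliant). Missing facts fail closed."""
    cutoff = today - timedelta(days=MAX_AGE_DAYS)
    sig, upd = facts.av_signature_date, facts.last_update_check
    rules = {
        "registry_tattoo": facts.registry_tattoo,
        "mcafee_vse_8.8": facts.av_product == "McAfee VirusScan Enterprise"
                          and (facts.av_version or "").startswith("8.8"),
        # "less than 5 days old": a signature dated exactly 5 days ago is stale
        "av_signatures_fresh": sig is not None and sig > cutoff,
        "av_realtime_scanning": facts.av_realtime_enabled,
        "windows_firewall": facts.firewall_enabled,
        # "within the last 5 days": a check exactly 5 days ago still passes
        "windows_update_recent": upd is not None and upd >= cutoff,
        "bitlocker": facts.bitlocker_enabled,
    }
    return [name for name, passed in rules.items() if not passed]


def access_decision(facts: DeviceFacts, today: date, post_auth: bool = True) -> str:
    """Pre-auth: any failure denies login. Post-auth (the client's choice): a failure
    drops the user to XenApp plus a remediation page instead of full VPN."""
    if not evaluate_posture(facts, today):
        return "FULL_VPN"
    return "XENAPP_AND_REMEDIATION" if post_auth else "DENY"


# Constructed sample facts for a scan run on 2015-03-10.
SCAN_DAY = date(2015, 3, 10)
COMPLIANT = DeviceFacts(True, "McAfee VirusScan Enterprise", "8.8.0", date(2015, 3, 9),
                        True, True, date(2015, 3, 5), True)
STALE_AV = DeviceFacts(True, "McAfee VirusScan Enterprise", "8.8.0", date(2015, 3, 5),
                       True, True, date(2015, 3, 5), True)
UNMANAGED = DeviceFacts()  # nothing reported: every rule fails closed
```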

There is a known issue with the EPA plug-in not being detected when using Internet Explorer, and a workaround that requires editing the Netscaler code. The BitLocker encryption check also fails. According to Citrix support, both of these bugs are slated to be fixed in the next Netscaler code release. One minor annoyance is that when creating policies, you must choose from a very long list of security products, and this list is not properly alphabetized, so the right ones can be hard to find.

Netscaler Endpoint Analysis is easier, more comprehensive, and more effective than ever. While there are a few known issues to be aware of, you can easily implement effective posture checking and make sure that your VPN users are not going to unwittingly compromise your company security measures.

The author, Jamie Engelhard, is the Chief Technology Officer for Helient Systems LLC. He is an industry-leading systems architect, business analyst and technical visionary, who has provided technical, sales, and operational leadership to several consulting firms and scores of clients over his 20+ year career in IT. For any questions, please do not hesitate to contact Jamie at