How Endpoint Policies Work

You can configure Citrix Gateway to check if a user device meets certain security requirements before a user logs on. This is called a preauthentication policy. You can configure Citrix Gateway to check a user device for antivirus, firewall, antispam, processes, files, registry entries, Internet security, or operating systems that you specify within the policy. If the user device fails the preauthentication scan, users are not allowed to log on.

If you need to configure additional security requirements that are not used in a preauthentication policy, you configure a session policy and bind it to a user or group. This type of policy is called a post-authentication policy; it runs during the user session to verify that the required items, such as antivirus software or a process, are still present.

When you configure a preauthentication or post-authentication policy, Citrix Gateway downloads the Endpoint Analysis plug-in and then runs the scan. Each time a user logs on, the Endpoint Analysis plug-in runs automatically.

You use the following three types of policies to configure endpoint policies:

  • Preauthentication policy that uses a yes or no parameter. The scan determines if the user device meets the specified requirements. If the scan fails, the user cannot enter credentials on the logon page.
  • Session policy that is conditional and can be used for SmartAccess.
  • Client security expression within a session policy. If the user device fails to meet the requirements of the client security expression, you can configure users to be placed into a quarantine group. If the user device passes the scan, users can be placed into a different group that might require additional checks.

You can incorporate detected information into policies, enabling you to grant different levels of access based upon the user device. For example, you can provide full access with download permission to users who connect remotely from user devices that have current antivirus and firewall software requirements. For users connecting from untrusted computers, you can provide a more restricted level of access that allows users to edit documents on remote servers without downloading them.

Endpoint analysis performs the following basic steps:

  • Examines an initial set of information about the user device to determine which scans to apply.
  • Runs all applicable scans. When users try to connect, the Endpoint Analysis plug-in checks the user device for the requirements specified within the preauthentication or session policy. If the user device passes the scan, users are allowed to log on. If the user device fails the scan, users are not allowed to log on. Note: Endpoint analysis scans complete before the user session uses a license.
  • Compares property values detected on the user device with desired property values listed in your configured scans.
  • Produces an output verifying whether or not desired property values are found.

    Attention: The instructions for creating endpoint analysis policies are general guidelines. You can have many settings within one session policy. Specific instructions for configuring session policies might contain directions for configuring a specific setting; however, that setting can be one of many settings that are contained within a session profile and policy.
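The following is an added illustration, not Citrix code or Citrix policy syntax: a constructed Python model of the flow above (detect device properties, run the applicable scans, compare detected values with desired values, then apply the result as either a yes/no preauthentication decision or a session-policy client security expression that selects a quarantine group). Vendor names, process names and device facts are made up.

```python
from typing import Callable, Dict, List, Tuple

# Constructed model of the endpoint-analysis steps described on this page.
# It is not the Endpoint Analysis plug-in and not NetScaler/Citrix ADC syntax.

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '10.2' into (10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

# A scan is a named check that maps detected device facts to pass/fail.
Scan = Tuple[str, Callable[[dict], bool]]

def av_current(vendor: str, min_version: str) -> Callable[[dict], bool]:
    """Desired value: the named antivirus product at or above min_version."""
    def check(device: dict) -> bool:
        av = device.get("antivirus", {})
        return (av.get("vendor") == vendor
                and version_tuple(av.get("version", "0")) >= version_tuple(min_version))
    return check

def process_running(name: str) -> Callable[[dict], bool]:
    """Desired value: a specific process is present on the device."""
    return lambda device: name in device.get("processes", [])

def firewall_enabled(device: dict) -> bool:
    return bool(device.get("firewall_enabled", False))

def run_scans(device: dict, scans: List[Scan]) -> Dict[str, bool]:
    """Compare detected property values with desired ones; output per scan."""
    return {name: bool(check(device)) for name, check in scans}

def preauthentication(device: dict, scans: List[Scan]) -> bool:
    """Yes/no policy: every scan must pass or the user cannot enter credentials."""
    return all(run_scans(device, scans).values())

def session_group(device: dict, expression: List[Scan],
                  quarantine_group: str = "quarantine",
                  pass_group: str = "full_access") -> str:
    """Client security expression: fail -> quarantine group, pass -> a group
    that may carry further checks or broader access (e.g. download rights)."""
    return pass_group if all(run_scans(device, expression).values()) else quarantine_group

# Constructed sample policies and device facts (hypothetical vendor/process names).
PREAUTH_SCANS: List[Scan] = [("av_current", av_current("ExampleAV", "10.0")),
                             ("firewall", firewall_enabled)]
SESSION_EXPRESSION: List[Scan] = [("agent_running", process_running("corp-agent.exe"))]
MANAGED = {"antivirus": {"vendor": "ExampleAV", "version": "10.2"},
           "firewall_enabled": True, "processes": ["corp-agent.exe"]}
UNTRUSTED = {"antivirus": {"vendor": "ExampleAV", "version": "9.8"},
             "firewall_enabled": True, "processes": []}
```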