Configuring Preauthentication Policies and Profiles
AAA preauthentication policy is deprecated from NetScaler 12.0 build 56.20 onwards. As an alternative, Citrix recommends that you use nFactor authentication. For more information, see the Multi-Factor (nFactor) Authentication topic.
You can configure Citrix Gateway to check for client-side security before users are authenticated. This method ensures that the user device establishing a session with Citrix Gateway conforms to your security requirements. You configure client-side security checks through the use of preauthentication policies specific to a virtual server or globally, as described in the following two procedures.
Preauthentication policies consist of a profile and an expression. You configure the profile to use an action to allow or deny a process to execute on the user device. For example, the text file, clienttext.txt, is running on the user device. When the user logs on to Citrix Gateway, you can either allow or deny access if the text file is running. If you do not want to allow users to log on if the process is running, configure the profile so the process is stopped before users log on.
You can configure the following settings for pre-authentication policies:
- Expression. Includes the following settings to help you to create expressions:
  - Expression. Displays all of the created expressions.
  - Match Any Expression. Configures the policy to match any of the expressions that are present in the list of selected expressions.
  - Match All Expressions. Configures the policy to match all the expressions that are present in the list of selected expressions.
  - Tabular Expressions. Creates a compound expression with the existing expressions by using the OR (||) or AND (&&) operators.
  - Advanced Free-Form. Creates custom compound expressions by using the expression names and the OR (||) and AND (&&) operators. Choose only those expressions that you require and omit other expressions from the list of selected expressions.
  - Add. Creates a new expression.
  - Modify. Modifies an existing expression.
  - Remove. Removes the selected expression from the compound expressions list.
- Named Expressions. Select a configured named expression. You can select named expressions from the drop-down list of expressions already present on Citrix Gateway.
  - Add Expression. Adds the selected named expression to the policy.
  - Replace Expression. Replaces the selected named expression to the policy.
  - Preview Expression. Displays the detailed client security string that will be configured on Citrix Gateway when you select a named expression.
To configure a preauthentication profile globally by using the configuration utility
1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
2. In the details pane, under Settings, click Change pre-authentication settings.
3. In the Global Pre-authentication settings dialog box, configure the settings:
   - In Action, select Allow or Deny. This denies or allows users to log on after endpoint analysis occurs.
   - In Processes to be cancelled, enter the process. This specifies the processes to be stopped by the Endpoint Analysis plug-in.
   - In Files to be deleted, enter the file name. This specifies the files to be deleted by the Endpoint Analysis plug-in.
4. In Expression, you can leave the expression ns_true or build an expression for a specific application, such as antivirus or security software, and then click OK.
To configure a preauthentication profile by using the configuration utility
1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
2. In the details pane, on the Profiles tab, click Add.
3. In Name, type the name of the application to be checked.
4. In Action, select ALLOW or DENY.
5. In Processes to be cancelled, type the name of the process to be stopped.
6. In Files to be deleted, type the name of the file to be deleted, such as c:\clientext.txt. Click Create, and then click Close.
Note: If a file is to be deleted or a process stopped, users receive a message asking for confirmation. Steps 5 and 6 are optional parameters.
If you use the configuration utility to configure a preauthentication profile, you then create the preauthentication policy by clicking Add on the Policies tab. In the Create Pre-Authentication Policy dialog box, select the profile from the Request Profile drop-down list.
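The following Python check is an added example, not part of the Citrix documentation. It reads saved configuration lines and reports preauthentication policies that still need migrating to nFactor, that pair ns_true with ALLOW, or whose profile stops a process or deletes a file. The `add aaa preauthenticationaction` and `add aaa preauthenticationpolicy` line layout is assumed from the NetScaler command line (this page covers only the configuration utility), and the sample lines and names are constructed.

```python
import shlex

# Constructed sample of saved-configuration lines; all names are hypothetical.
SAMPLE_CONF = """\
add aaa preauthenticationaction av_profile ALLOW -killProcess notepad.exe
add aaa preauthenticationaction open_profile ALLOW
add aaa preauthenticationpolicy av_policy "CLIENT.APPLICATION.PROCESS(av.exe) EXISTS" av_profile
add aaa preauthenticationpolicy open_policy ns_true open_profile
add aaa preauthenticationpolicy orphan_policy ns_true missing_profile
"""


def audit_preauth(conf_text):
    """Return sorted (policy, finding) pairs for preauthentication policies."""
    profiles, policies = {}, {}
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "aaa", "preauthenticationaction"] and len(tok) >= 5:
            # Assumed layout: <name> <ALLOW|DENY> [-option value]...
            opts = {k.lower(): v for k, v in zip(tok[5::2], tok[6::2])}
            profiles[tok[3]] = (tok[4].upper(), opts)
        elif head == ["add", "aaa", "preauthenticationpolicy"] and len(tok) >= 6:
            # Assumed layout: <name> <expression> <profile>
            policies[tok[3]] = (tok[4], tok[5])

    findings = []
    for name, (rule, profile) in policies.items():
        # Every preauthentication policy is deprecated in favour of nFactor.
        findings.append((name, "deprecated: migrate to nFactor"))
        if profile not in profiles:
            findings.append((name, "profile not defined"))
            continue
        action, opts = profiles[profile]
        # ns_true matches every device, so ALLOW admits all of them unchecked.
        if rule.strip().lower() == "ns_true" and action == "ALLOW":
            findings.append((name, "ns_true with ALLOW: no client-side check"))
        # Stopping a process or deleting a file prompts the user to confirm.
        for opt in ("-killprocess", "-deletefiles"):
            if opt in opts:
                findings.append((name, f"{opt} {opts[opt]}: user is asked to confirm"))
    return sorted(findings)


if __name__ == "__main__":
    for policy, finding in audit_preauth(SAMPLE_CONF):
        print(f"{policy}: {finding}")
```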