Citrix Gateway

Advanced Endpoint Analysis scans

Advanced Endpoint Analysis (EPA) scans user devices for the endpoint security requirements configured on a Citrix Gateway appliance. When a user device tries to access the Citrix Gateway appliance, the device is scanned for security information, such as operating system, antivirus, and web browser versions, before an administrator can grant access to the Citrix Gateway appliance.

The Advanced EPA scan is a policy-based scan that you can configure on a Citrix Gateway appliance for pre-authentication and post-authentication sessions. The policy performs a registry check on a user device and, based on the result of that evaluation, allows or denies access to the Citrix ADC network.

You can perform two types of EPA scan: OPSWAT scan and System scan. The following section explains the scan types and their details.

OPSWAT scan. The scan mechanism provides security at different levels such as:  

  • Product specific scan
  • Vendor specific scan
  • Generic scan

Product specific scan: You can configure scan criteria for a particular product (for example Avast! Free Antivirus) offered by a particular vendor (for example AVAST Software a.s.), for a category (for example Antivirus). The access is granted only to the computers fulfilling the specified criteria.

Vendor specific scan: You can configure scan criteria for a particular vendor (for example AVAST Software a.s.), of a category (for example Antivirus). The configured scan checks for the specified criteria across all the products offered by the vendor. The access is granted only to the computers fulfilling the specified criteria.

Generic scan: You can configure scan criteria for a particular category (for example Antivirus). The configured scan checks for the specified criteria across all the vendors and the products offered by the vendors. The access is granted only to the computers fulfilling the specified criteria.

System Scan. The System scan provides security for system level attributes such as MAC address. You can configure scan criteria for a system attribute (for example MAC Address). The access is granted only to the computers fulfilling the specified criteria.
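The three OPSWAT scan levels and the System scan differ only in how widely the scan criteria are scoped, and a policy grants access only when every configured scan passes. The following Python model illustrates that evaluation logic. It is an added example written for this page; it is not Citrix's EPA engine, OPSWAT's scanner, or the appliance's policy language, and every data structure, field name, registry path, and posture value in it is a constructed assumption chosen to show a product-specific, a vendor-specific, and a generic scan side by side with MAC address, domain, and registry system scans (the Windows Update scan is not modelled). It goes slightly beyond the text by returning the names of the scans that failed, which is what an administrator troubleshooting a denied session would want to see.

```python
"""Illustrative model of EPA-style posture evaluation (added example, not Citrix code).

All names, fields and sample values below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def parse_version(text: str) -> tuple:
    """'19.8.2393' -> (19, 8, 2393); non-numeric pieces compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass(frozen=True)
class InstalledProduct:
    category: str   # e.g. "Antivirus"
    vendor: str     # e.g. "AVAST Software a.s."
    product: str    # e.g. "Avast! Free Antivirus"
    version: str    # constructed sample value
    running: bool


@dataclass(frozen=True)
class DevicePosture:
    """Constructed snapshot of what a client-side scan could report."""
    mac_address: str
    domain: str
    registry: Dict[str, object]          # constructed: value path -> value
    products: Tuple[InstalledProduct, ...]


@dataclass(frozen=True)
class OpswatCriterion:
    """Scope narrows as fields are filled in: category only is a generic scan,
    adding a vendor makes it vendor-specific, adding a product makes it product-specific."""
    category: str
    vendor: Optional[str] = None
    product: Optional[str] = None
    min_version: tuple = ()
    must_be_running: bool = True

    @property
    def level(self) -> str:
        if self.product:
            return "product"
        if self.vendor:
            return "vendor"
        return "generic"

    def passes(self, posture: DevicePosture) -> bool:
        # Any in-scope product that meets the version and running requirements satisfies the scan.
        for p in posture.products:
            if p.category != self.category:
                continue
            if self.vendor and p.vendor != self.vendor:
                continue
            if self.product and p.product != self.product:
                continue
            if parse_version(p.version) < self.min_version:
                continue
            if self.must_be_running and not p.running:
                continue
            return True
        return False


# System scans: each returns a check that takes a posture and yields pass/fail.
def mac_in(allowed: set) -> Callable[[DevicePosture], bool]:
    normalized = {m.lower() for m in allowed}
    return lambda d: d.mac_address.lower() in normalized


def domain_is(expected: str) -> Callable[[DevicePosture], bool]:
    return lambda d: d.domain.lower() == expected.lower()


def registry_numeric_at_least(path: str, minimum: int) -> Callable[[DevicePosture], bool]:
    def check(d: DevicePosture) -> bool:
        value = d.registry.get(path)          # missing key fails closed
        return isinstance(value, int) and value >= minimum
    return check


def registry_value_equals(path: str, expected: str) -> Callable[[DevicePosture], bool]:
    return lambda d: d.registry.get(path) == expected


def evaluate_policy(checks: Dict[str, Callable[[DevicePosture], bool]],
                    posture: DevicePosture) -> Tuple[bool, List[str]]:
    """The policy ANDs all scans; returns (allow, names of failed scans)."""
    failed = [name for name, check in checks.items() if not check(posture)]
    return (not failed, failed)


# Constructed sample posture (not real data).
SAMPLE_POSTURE = DevicePosture(
    mac_address="00:11:22:33:44:55",
    domain="corp.example",
    registry={r"HKLM\SOFTWARE\Example\PatchLevel": 42,
              r"HKLM\SOFTWARE\Example\Build": "release"},
    products=(
        InstalledProduct("Antivirus", "AVAST Software a.s.", "Avast! Free Antivirus", "19.8.2393", True),
        InstalledProduct("Firewall", "Example Vendor", "Example Firewall", "2.0", False),
    ),
)

PRODUCT_SCAN = OpswatCriterion("Antivirus", "AVAST Software a.s.", "Avast! Free Antivirus", (19, 0))
VENDOR_SCAN = OpswatCriterion("Antivirus", "AVAST Software a.s.")
GENERIC_SCAN = OpswatCriterion("Antivirus")

POLICY = {
    "antivirus-product": PRODUCT_SCAN.passes,
    "mac-address": mac_in({"00:11:22:33:44:55"}),
    "domain": domain_is("corp.example"),
    "patch-level": registry_numeric_at_least(r"HKLM\SOFTWARE\Example\PatchLevel", 40),
    "build-channel": registry_value_equals(r"HKLM\SOFTWARE\Example\Build", "release"),
}

if __name__ == "__main__":
    allow, failed = evaluate_policy(POLICY, SAMPLE_POSTURE)
    print("allow" if allow else "deny", failed)
```

Two design points carry over to a real deployment: registry checks fail closed when the value is absent, and a version requirement is compared as a tuple rather than as a string so that "19.10" correctly exceeds "19.8".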

Configure advanced endpoint analysis scans

You can configure two types of EPA scan: OPSWAT scan and System scan.

OPSWAT scan

The following OPSWAT scans are configured on a Citrix Gateway appliance.

  • Product specific scan
  • Vendor specific scan
  • Generic scan

Note:

The scans that a particular product supports are displayed in the GUI. Also, the following OPSWAT scan configuration takes pre-authentication EPA as an example; an OPSWAT scan can be configured for post-authentication EPA as well.

Configure product specific OPSWAT scan

To use the Citrix ADC GUI to configure a product specific OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click the Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select Antivirus

  6. Select the vendor, for example AVAST Software a.s.

    Select vendor

  7. Select the product, for example Avast! Free Antivirus.

    Select product

  8. Click + next to the product drop-down menu to configure the product scan.

    Configure scan

  9. Optionally enter a value for frequency of scan if you want a periodic scan.

    Configure frequency

Configure vendor specific OPSWAT scan

To use the Citrix ADC GUI to configure a vendor specific OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click the Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select category

  6. Select the vendor, for example AVAST Software a.s.

    Select vendor

  7. Select the vendor specific scan, for example Generic ‘AVAST Software a.s’ Scan.

    Select vendor specific scan

  8. Click + next to the product drop-down menu to configure your scan.

    Configure scan

  9. Optionally enter a value for frequency of scan if you want a periodic scan.

    Configure frequency

Configure generic OPSWAT scan

To use the Citrix ADC GUI to configure a generic OPSWAT scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click the Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the category, for example Antivirus.

    Select category

  6. Select the “Generic” category specific scan, for example Generic Antivirus Product Scan.

    Select generic product

  7. Click + next to the product drop-down menu to configure your scan.

    Configure scan

  8. Optionally enter a value for the frequency of the scan if you want a periodic scan.

    Configure frequency

System scan

The following system scans are configured on a Citrix Gateway appliance.

  • MAC Address
  • Domain Check
  • Numeric Registry
  • Non-numeric Registry
  • Windows Update

To use the Citrix ADC GUI to configure an OPSWAT System scan:

  1. Navigate to Configuration > Citrix Gateway > Global Settings.

  2. On the Global Settings page, click the Change Preauthentication settings link.

  3. On the Configure AAA Preauthentication Parameter page, click the OPSWAT EPA Editor link.

  4. Under the Expression Editor area, select the operating system.

    Expression editor

  5. Select the desired system scan from the drop-down menu. For example, MAC Address.

    Select scan type

  6. Click the + next to the product drop-down menu to configure your scan.

    Configure scan

  7. Optionally enter a value for the frequency of the scan if you want a periodic scan.

    Configure frequency

To configure a preauthentication profile using advanced Endpoint Analysis expressions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the profile.
  5. Select an action.
  6. Optionally, enter the names of any processes to be stopped or files to be deleted on the client endpoint system.
  7. Click Create.

Your profile is now available for use in a preauthentication policy as a Request Action.

To configure a preauthentication policy using advanced Endpoint Analysis expressions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the policy.
  5. From the Request Action menu, select the desired profile.
  6. In the Expression pane, select OPSWAT EPA Editor.
  7. In the first menu, select a client operating system.
  8. In the second menu, select a scan type.
  9. When you finish building the policy, click Create.

Bind your Advanced Endpoint Analysis preauthentication policy to enable it.

To bind a preauthentication policy

  1. Navigate to Citrix Gateway > Policies.
  2. Select Preauthentication.
  3. In the details pane, on the Policies tab, click Add.
  4. From the Action menu, select Global Bindings.
  5. Click Bind.
  6. In the Policies detail pane that appears, select the check box next to the desired policy.
  7. Click Insert.
  8. The policy is automatically assigned a priority (weight). Click the Priority entry to edit as needed.
  9. Click OK to bind the policy.

To configure an advanced Endpoint Analysis policy for specific sessions

  1. Navigate to Citrix Gateway > Policies.
  2. Select Session.
  3. In the details pane, on the Policies tab, click Add.
  4. Enter a name for the policy.
  5. In the Action menu, do one of the following:
     a. Select an existing action.
     b. Click the plus icon to display the configuration parameters that can be set by the session policy. Click the Override Global check box to the right of a configuration option to activate it. Select Create.
  6. In the Expression pane, select OPSWAT EPA Editor.
  7. In the first menu, select a client operating system.
  8. In the second pull-down menu, select a scan type.
  9. When you finish building the policy, click Create.

Bind your Advanced Endpoint Analysis session policy to enable it.

To bind a session policy

  1. Navigate to Citrix Gateway > Policies.
  2. Select Session.
  3. In the details pane, on the Policies tab, click Add.
  4. From the Action menu, select Global Bindings.
  5. Click Bind.
  6. In the Policies detail pane that appears, select the check box next to the desired policy.
  7. Click Insert.
  8. The policy is automatically assigned a priority (weight). Click the Priority entry to edit as needed.
  9. Click OK to bind the policy.

Upgrade EPA libraries

To use the Citrix ADC GUI to upgrade EPA libraries:

  1. Navigate to Configuration > Citrix Gateway > Update Client Components.

  2. Under Update Client Components, click the Upgrade EPA Libraries link.

  3. Choose the required file and click Upgrade.

Important:

  • In a Citrix Gateway high availability setup, the EPA Libraries must be upgraded on both the primary and secondary nodes.

  • In a Citrix Gateway clustering setup, the EPA Libraries must be upgraded on all the cluster nodes.

For the list of Windows and Mac applications supported by OPSWAT for Citrix ADC scans, see https://support.citrix.com/article/CTX234466.

Troubleshooting advanced Endpoint Analysis scans

To help with troubleshooting Advanced Endpoint Analysis scans, the client plug-ins write logging information to a file on the client endpoint system. These log files can be found in the following locations, depending on the user’s operating system.

Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10:

C:\Users\<username>\AppData\Local\Citrix\AGEE\nsepa.txt

Windows XP:

C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt

Mac OS X systems:

~/Library/Application Support/Citrix/EPAPlugin/epaplugin.log

(Where the ~ symbol indicates the relevant macOS user’s home directory path.)
