Configure contextual tags

The Secure Private Access plug-in provides contextual access (smart access) to Web or SaaS applications based on the user session context such as device platform and OS, installed software, geolocation.

Administrators can add conditions with contextual tags to the access policy. The contextual tag on the Secure Private Access plug-in is the name of a NetScaler Gateway policy (session, preauthentication, EPA) that is applied to the sessions of the authenticated users.

The Secure Private Access plug-in can receive smart access tags as a header (new logic) or by making callbacks to Gateway. For details, see Smart access tags.


The Secure Private Access plug-in supports only classic gateway preauthentication policies that can be configured on NetScaler Gateway.

Configure custom tags using the GUI

The following high-level steps are involved in configuring contextual tags.

  1. Configure a classic gateway preauthentication policy
  2. Bind the classic preauthentication policy to the gateway virtual server

Configure a classic gateway preauthentication policy

  1. Navigate to NetScaler Gateway > Policies > Preauthentication and then click Add.

  2. Select an existing policy or add a name for the policy. This policy name is used as the custom tag value.
  3. In Request Action, click Add to create an action. You can reuse this action for multiple policies, for example, use one action to allow access, another to deny access.

    Add preauthentication policy

  4. Fill in the details in the required fields and click Create.
  5. In Expression, enter the expression manually or use the Expression editor to construct an expression for the policy.

    Expression sample

    The following figure displays a sample expression constructed for checking the Windows 10 OS.

    Expression editor

  6. Click Create.

Bind the custom tag to NetScaler Gateway

  1. Navigate to NetScaler Gateway > Virtual Servers.
  2. Select the virtual server for which the preauthentication policy is to be bound and then click Edit.
  3. In the Policies section, click + to bind the policy.
  4. In Choose Policy, select the preauthentication policy and select Request in Choose Type.

    Policy type

  5. Select the policy name and the priority for the policy evaluation.
  6. Click Bind.

    Policy binding

Configure custom tags using the CLI

Run the following commands on the NetScaler CLI to create and bind a preauthentication policy:


  • add aaa preauthenticationaction win10_prof ALLOW
  • add aaa preauthenticationpolicy Windows10 "CLIENT.OS(win10) EXISTS" win10_prof
  • bind vpn vserver _SecureAccess_Gateway -policy Windows10 -priority 100

Adding new contextual tag

  1. Open the Secure Private Access admin console and click Access Policies.
  2. Create a new policy or select an existing policy.
  3. In the If the following condition met section, click Add condition and select Contextual Tags, Matches all of, and then enter the contextual tag name (for example, Windows10).


Configure contextual tags