To improve control of client access to network resources, NetScaler Gateway Advanced Endpoint Analysis scans expand on basic endpoint checks: they scan not only for the existence of various applications on client computers, but also for the states and configurations of those applications. You can apply the advanced scans to users who log on from Windows or Mac OS X computers. The scans can be applied both before user authentication and, through the Windows or Mac OS X client endpoint plug-in, during active user sessions to monitor them. To use Advanced Endpoint Analysis scans, you define and bind them the same way that you do the basic endpoint scans.
For information about using basic endpoint scans, see Configuring Endpoint Policies.
Ways to Apply Advanced Endpoint Analysis Scans
Advanced Endpoint Analysis scans are applied through policy expressions, which lets you manage user access flexibly in your configuration.
To scan endpoints before users authenticate, these expressions can be applied as:
To scan endpoints after user authentication, these expressions can be applied as:
Optionally, you can use the NetScaler AppExpert feature to create Advanced Endpoint expressions as named expressions. In the configuration utility, navigate to AppExpert > Expressions > Classic Expressions. Expressions created there are available for use in relevant policies elsewhere in the configuration utility as saved policy expressions. For Advanced Endpoint Analysis scans, named expressions can help simplify more complex expression configurations and centralize expression management.
When users first attempt to log on from a Windows-based or Mac OS X computer, the endpoint analysis plug-in is downloaded and installed automatically. Once installed, the plug-in scans the user device to check that it meets the requirements defined in the policy. If the device matches the policy requirements, the profile assigned to the policy is applied. If the profile does not deny the logon attempt, the user is allowed to authenticate. If additional endpoint scans have been defined in session policies, the plug-in continues to monitor for policy compliance for the duration of the user session.
You can define scans to create advanced endpoint scan packages for a variety of software products. The types of software that Advanced Endpoint scans can check for on Windows endpoint systems include:
The types of system characteristics that you can choose as part of the scan to run on Windows clients include:
Mac OS X client scans can be created to analyze the following items: