
Creating Advanced Endpoint Analysis Scans

Jun 26, 2014

To improve control of client access to network resources, NetScaler Gateway Advanced Endpoint Analysis scans expand on basic endpoint checks: they scan not only for the presence of various applications on client computers but also for the state and configuration of those applications. You can apply the advanced scans to users who log on from Windows or Mac OS X computers. The scans can be applied both before user authentication and, through the Windows or Mac OS X client endpoint plug-in, to monitor active user sessions. To use Advanced Endpoint Analysis scans, you define and bind them the same way that you do the basic endpoint scans.

For information about using basic endpoint scans, see Configuring Endpoint Policies.

Ways to Apply Advanced Endpoint Analysis Scans

Advanced Endpoint Analysis scans are applied through policy expressions, which lets you manage user access flexibly within your configuration.

To scan endpoints before users authenticate, these expressions can be applied as:

  • Preauthentication policies
  • aaa preauthentication parameters

To scan endpoints after user authentication, these expressions can be applied as:

  • NetScaler Gateway global settings
  • Per NetScaler Gateway virtual server policy bindings
  • Session policies

Optionally, you can use the NetScaler AppExpert feature to create Advanced Endpoint expressions as named expressions. In the configuration utility, navigate to AppExpert > Expressions > Classic Expressions. Expressions created there are available for use in relevant policies elsewhere in the configuration utility as saved policy expressions. For Advanced Endpoint Analysis scans, named expressions can help simplify more complex expression configurations and centralize expression management.

Client plug-in operation

When users first attempt to log on from a Windows-based or Mac OS X computer, the endpoint analysis plug-in is downloaded and installed automatically. Once installed, the plug-in scans the user device to check that it meets the requirements defined in the policy. If the device matches the policy requirements, the profile assigned to the policy is applied. If the profile does not deny the logon attempt, the user is allowed to authenticate. If additional endpoint scans have been defined in session policies, the plug-in continues to monitor for policy compliance for the duration of the user session.
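The flow described above (checks combined into expressions, expressions reused as named expressions, bound before authentication and re-evaluated during the session) can be modelled in a few dozen lines. The following is an added illustration, not NetScaler Gateway code and not its expression language: the posture report layout, the check names, the combinators and the policy names are all assumptions made for this example, and the device reports are constructed sample data.

```python
"""Illustrative endpoint-posture policy evaluator (added example, not NetScaler's own).

Models the flow the page describes: individual checks are combined into
expressions, expressions are saved as named expressions and reused by
policies, pre-authentication policies gate the logon, and session policies
are re-evaluated against fresh posture snapshots while the session is active.
Report field names and check names are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple

Report = Dict[str, Any]
Check = Callable[[Report], bool]


def antivirus_ok(max_defs_age_days: int) -> Check:
    """Antivirus installed, running, and with definitions no older than the limit."""
    def check(report: Report) -> bool:
        av = report.get("antivirus", {})
        return (bool(av.get("installed")) and bool(av.get("running"))
                and av.get("defs_age_days", 10**9) <= max_defs_age_days)
    return check


def firewall_enabled() -> Check:
    """Firewall software installed and switched on."""
    def check(report: Report) -> bool:
        fw = report.get("firewall", {})
        return bool(fw.get("installed")) and bool(fw.get("enabled"))
    return check


def domain_member(*allowed: str) -> Check:
    """Domain membership check (case-insensitive on the domain name)."""
    def check(report: Report) -> bool:
        return report.get("domain", "").upper() in {d.upper() for d in allowed}
    return check


def registry_numeric_at_least(key: str, minimum: int) -> Check:
    """Numeric registry entry comparison; a missing or non-numeric value fails closed."""
    def check(report: Report) -> bool:
        value = report.get("registry", {}).get(key)
        return isinstance(value, (int, float)) and value >= minimum
    return check


def all_of(*checks: Check) -> Check:
    return lambda report: all(c(report) for c in checks)


def any_of(*checks: Check) -> Check:
    return lambda report: any(c(report) for c in checks)


# Named expressions: defined once, referenced by several policies (assumed names).
NAMED_EXPRESSIONS: Dict[str, Check] = {
    "corp_baseline": all_of(antivirus_ok(max_defs_age_days=7), firewall_enabled()),
    "managed_device": all_of(
        domain_member("CORP"),
        registry_numeric_at_least(r"HKLM\SOFTWARE\ExampleAgent\Version", 3),
    ),
}


@dataclass(frozen=True)
class Policy:
    name: str
    expression: Check  # the logon (or session) is denied if this evaluates false


def evaluate(policies: Sequence[Policy], report: Report) -> Tuple[bool, List[str]]:
    """Return (allowed, names of the policies whose expression failed)."""
    failed = [p.name for p in policies if not p.expression(report)]
    return (not failed, failed)


def monitor_session(policies: Sequence[Policy], snapshots: Sequence[Report]) -> Optional[int]:
    """Re-evaluate session policies over successive posture snapshots.

    Returns the index of the first snapshot that falls out of compliance
    (the point at which the session would be dropped), or None if all pass.
    """
    for index, snapshot in enumerate(snapshots):
        allowed, _ = evaluate(policies, snapshot)
        if not allowed:
            return index
    return None


# Policies bound before authentication and for the active session (assumed names).
PREAUTH_POLICIES = [
    Policy("require-corp-baseline", NAMED_EXPRESSIONS["corp_baseline"]),
    Policy("require-managed-device", NAMED_EXPRESSIONS["managed_device"]),
]
SESSION_POLICIES = [Policy("keep-corp-baseline", NAMED_EXPRESSIONS["corp_baseline"])]

# Constructed sample posture reports, as a plug-in might collect them.
COMPLIANT_REPORT: Report = {
    "os": "windows",
    "antivirus": {"installed": True, "running": True, "defs_age_days": 2},
    "firewall": {"installed": True, "enabled": True},
    "domain": "CORP",
    "registry": {r"HKLM\SOFTWARE\ExampleAgent\Version": 4},
}
UNMANAGED_REPORT: Report = {**COMPLIANT_REPORT, "domain": "HOME", "registry": {}}
SESSION_SNAPSHOTS = [
    COMPLIANT_REPORT,
    {**COMPLIANT_REPORT, "antivirus": {"installed": True, "running": True, "defs_age_days": 5}},
    {**COMPLIANT_REPORT, "firewall": {"installed": True, "enabled": False}},  # firewall turned off
]

if __name__ == "__main__":
    print("preauth, compliant device:", evaluate(PREAUTH_POLICIES, COMPLIANT_REPORT))
    print("preauth, unmanaged device:", evaluate(PREAUTH_POLICIES, UNMANAGED_REPORT))
    print("session drops at snapshot:", monitor_session(SESSION_POLICIES, SESSION_SNAPSHOTS))
```

The checks are written to fail closed: a report that omits a field, or a registry value that is not numeric, evaluates as non-compliant rather than being skipped, which is the behaviour you want from a posture gate.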

Supported checks

You can combine scans into advanced endpoint scan packages that cover a variety of software products. The types of software that Advanced Endpoint scans can check for on Windows endpoint systems include:

  • Antiphishing software
  • Antispyware software
  • Antivirus software
  • Backup client software
  • Data loss prevention software
  • Desktop sharing software
  • Device access control software
  • Firewall software
  • Hard disk encryption software
  • Health agent software
  • Instant messaging client software
  • Peer-to-peer networking software
  • Web browser

The types of system characteristics that you can choose as part of the scan to run on Windows clients include:

  • Domain membership
  • MAC addresses
  • Patch management
  • Numeric registry entries
  • Non-numeric registry entries
  • URL filtering

Mac OS X client scans can be created to analyze the following items:

  • Antiphishing software
  • Antispyware software
  • Antivirus software
  • Firewall software
  • Hard disk encryption software
  • MAC address
  • Patch management
  • Peer-to-peer software
  • Web browser