Product Documentation

Configuring Registry Policies

Jan 27, 2014

When you create a session or preauthentication policy, you can check for the existence and value of registry entries on the user device. The session is established only if the particular entry exists or has the configured or higher value.

When configuring a registry expression, use the following guidelines:

  • Four backslashes are used to separate keys and subkeys, such as

    HKEY_LOCAL_MACHINE\\\\SOFTWARE

  • Underscores are used to separate the subkey and the associated value name, such as

    HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\VirusSoftware_Version

  • A backslash (\) is used to denote a space, such as in the following two examples:

    HKEY_LOCAL_MACHINE\\\\SOFTWARE\\Citrix\\\\Secure\ Access\ Client_ProductVersion

    CLIENT.REG(HKEY_LOCAL_MACHINE\\\\Software\\\\Symantec\\Norton\ AntiVirus_Version).VALUE == 12.8.0.4 -frequency 5

The following is a registry expression that looks for the NetScaler Gateway Plug-in registry key when users log on:

CLIENT.REG(secureaccess).VALUE==HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\CITRIX\\\\Secure\Access\Client_ProductVersion

Note: If you are scanning for registry keys and values and you select Advanced Free-Form in the Expression dialog box, the expression must start with CLIENT.REG

Registry checks are supported under the following most common five types:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Registry values to be checked use the following types:

  • String

    For the string value type, case-sensitivity is checked.

  • DWORD

    For DWORD type, the value is compared and must be equal.

  • Expanded String

    Other types, such as Binary and Multi-String, are not supported.

  • Only the '==' comparison operator is supported.
  • Other comparison operators, such as <, > and case-sensitive comparisons are not supported.
  • The total registry string length should be less than 256 bytes.

You can add a value to the expression. The value can be a software version, service pack version, or any other value that appears in the registry. If the data value in the registry does not match the value you are testing against, users are denied logon.

Note: You cannot scan for a value within a subkey. The scan must match the named value and the associated data value.

To configure a registry policy

  1. In the configuration utility, in the navigation pane, do one of the following:
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
    2. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Match Any Expression, click Add.
  5. In the Add Expression dialog box, in Expression Type, select Client Security.
  6. Configure the settings for the following:
    1. In Component, select Registry.
    2. In Name, type the name of the registry key.
    3. In Qualifier, leave blank or select Value.
    4. In Operator, do one of the following:
      • If Qualifier is left blank, select EXISTS or NOTEXISTS
      • If you selected Value in Qualifier, select either == or !==
    5. In Value, type the value as it appears in the registry editor, click OK and then click Close.