Richard Parmiter

Virtualisation blog and Knowledge Base


Citrix Access Gateway Enterprise Edition scope and limitations for end point scanning rule base

Posted on September 11th, 2008

This is based on my findings with CAG Enterprise Edition 8.1 build 58.5.

 

  • Pre-requisites
    • Internet Explorer
  • End Point Analysis Policies
    • Pre-Authentication policies
    • Authorization policies
    • Session policies
  • Allowing access to some applications through CAG
    • Trust XML Requests
    • Restricting access to specific applications
    • Allowing any Connection for an application
    • Allowing some connections for an application – tied to session policies
  • Applying a Citrix Policy based on the outcome of an EPA scan
  • Testing

 

Pre-requisites

 

Microsoft Internet Explorer

The EPA scan agent runs as an ActiveX plug-in (nsepa.ocx).

The client must therefore be running Internet Explorer. If the client connects with any other browser, the following message is displayed instead of the scan:

3006: Failed to load EPA plugin, contact Secure Access admin.

End Point Analysis Policies

 

There are several types of policy, each applied at a different point in the connection process, so choose the type that gives the result you need.

 

Pre-authentication policies

Run before the logon page is displayed, and prompt the user to run the scan.

If the user chooses ‘skip scan’ or answers ‘no’ to the prompt, the scan result is marked FALSE. If the policy evaluates to TRUE the logon page is displayed; if it evaluates to FALSE the logon page is not displayed and a ‘message’ page is shown instead.

 

To restart the scan you must close and re-open the browser.

 

 

Authorization policies

Must be applied to local users or groups on the CAG. This is a bit messy when used with LDAP groups, as a local group must be created on the CAG whose name matches the LDAP group name exactly.

 

However, there appears to be a limit of 31 characters on the group name, which generally rules out most group naming formats in a large structured organisation (e.g. a group name of the form domain_Citrix_Country_businessunit_ApplicationOrDesktopname_test_global is far too long).

 

Will need to do more testing on this if required.

 

Session policies

These policies run after logon and can be configured to re-run every x minutes.

The results of these scans are passed to the Web Interface server and on to the XML brokers, so Citrix policies and published applications can be filtered against them.

 

These are the most useful type of policies in most scenarios.

 

Allowing access to some published applications through CAG

Published applications can be configured to allow or deny access through an Access Gateway connection. The following sections show how.

 

 

Trust XML Requests

The Web Interface site is configured to point to a Citrix server farm. In its configuration, the servers that service XML requests are listed.

These servers must have the ‘trust XML requests’ option selected in the farm for the ‘allow connections made through Access Gateway Advanced Edition 4.0 or later’ setting to work.

Ensure that every server listed has this option selected in its properties.

If the option is not selected, an application whose ‘allow all other connections’ option is unselected in its published application properties will not appear in a connection made through the CAG.

 

 

 

Restricting access to specific applications

Unselect ‘allow connections made through Access Gateway Advanced Edition 4.0 or later’ to stop the application being available through the Access Gateway.

Allowing any connection for an application

To allow some applications to be accessed only through the CAG device, the following configuration can be used.

Publish a new application in the normal way, then modify the Access Control section as follows:

  • Remove the option to ‘allow all other connections’
  • Select ‘allow connections made through Access Gateway Advanced Edition 4.0 or later’
  • Select ‘Any connection’

This may pop up the following warning:

You selected the option not to allow some connection types. This option requires that you also enable Trust requests sent to the XML service. Verify the XML services trust setting on the properties page of all servers in the farm that receive XML requests.

Follow the Trust XML Requests section above to enable this.

Allowing some connections for an application – tied to session policies

Published applications can be configured to allow connections through the Access Gateway only when they match specified filters.

Select the options:

  • Remove the option to ‘allow all other connections’
  • Select ‘allow connections made through Access Gateway Advanced Edition 4.0 or later’
  • Select ‘Any connection that meets any of the following filters’

Then add a filter:

  • Enter the Farm name as the Access Gateway Virtual Server name
  • Enter the Filter as the name of the session policy

There is no error checking done on these entries, so ensure they are correct yourself.

Also, why the naming convention cannot be the same between the Access Gateway options and the published application options, I don’t know!

  • Farm name = CAG Virtual server name
  • Filter = Session policy name

 

 

Applying a Citrix Policy based on the outcome of an EPA scan

Citrix Policies can be applied based on the outcome of an EPA scan. For example, drive mapping can be disabled if the client doesn’t have AV running.

  • Create the desired policy in the Citrix Management Console (CMC)
  • Right click and select ‘apply this policy to’
  • Select the ‘Access Control’ menu
  • Select ‘filter based on Access Control’
  • Select ‘Apply to connections made through Access Gateway’
  • Select ‘Any connection that meets any of the following filters’
  • Click ‘add’
  • Access Gateway Farm = CAG Virtual Server Name
  • Access Gateway Filter = Session Policy name
  • Click OK

Testing

Publish an application and change its Access Control settings to match the following:

Farm name: trial_cag_ent

Filter: NotepadRunning

 

I made a session policy on the CAG called

Policy Name: NotepadRunning

Rule: CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

 

Applied this session policy to the specified VPN.

 

This checked for the local running process of notepad.exe and enumerated this application if it was running. If notepad.exe was not running on the client device, this application did not display.
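Because neither the published application Access Control page nor the Citrix Policy filter dialog validates the Farm name and Filter you type in (see the sections above), a mistyped virtual server or session policy name simply makes the application disappear from the CAG connection. The script below is an added example, not code from the original post or from Citrix: it cross-checks a list of published-application filters against the CAG configuration. It assumes an ns.conf export containing `add vpn vserver`, `add vpn sessionPolicy` and `bind vpn vserver ... -policy` lines (the sample below is constructed in that shape, reusing the trial_cag_ent / NotepadRunning names from the test above) and a hand-built list of filters copied from the published applications; it does not talk to a live appliance.

```python
"""Cross-check published-application Access Control filters (Farm name =
CAG VPN virtual server, Filter = session policy) against an ns.conf export.

Added example; the ns.conf sample and the application list are constructed."""
import shlex

# Constructed sample of the relevant ns.conf lines (not a real export).
NS_CONF = """\
add vpn vserver trial_cag_ent SSL 10.0.0.10 443
add vpn sessionAction NotepadRunning_act -defaultAuthorizationAction ALLOW
add vpn sessionPolicy NotepadRunning "CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS" NotepadRunning_act
add vpn sessionPolicy WordRunning "CLIENT.APPLICATION.PROCESS(winword.exe) EXISTS" NotepadRunning_act
bind vpn vserver trial_cag_ent -policy NotepadRunning -priority 100
"""

# Constructed list of what an administrator typed into each published
# application's Access Control filter (Farm name, Filter).
PUBLISHED_APPS = [
    {"app": "Notepad", "farm": "trial_cag_ent", "filter": "NotepadRunning"},
    {"app": "Word", "farm": "trial_cag_ent", "filter": "WordRunning"},      # policy exists but is not bound
    {"app": "Excel", "farm": "Trial_CAG_Ent", "filter": "NotepadRunning"},  # vserver name differs in case
    {"app": "Paint", "farm": "trial_cag_ent", "filter": "NotepadRuning"},   # typo in the policy name
]


def parse_ns_conf(text):
    """Return (vserver names, {policy name: rule}, {vserver: set(bound policies)})."""
    vservers, policies, bindings = set(), {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)  # honours the double-quoted rule expression
        if parts[:3] == ["add", "vpn", "vserver"] and len(parts) > 3:
            vservers.add(parts[3])
        elif parts[:3] == ["add", "vpn", "sessionPolicy"] and len(parts) > 5:
            policies[parts[3]] = parts[4]
        elif parts[:3] == ["bind", "vpn", "vserver"] and "-policy" in parts:
            bindings.setdefault(parts[3], set()).add(parts[parts.index("-policy") + 1])
    return vservers, policies, bindings


def check_filters(apps, vservers, policies, bindings):
    """Return (app, reason) for every filter that cannot match a CAG session.

    Names are compared exactly, so a case difference is reported as a mismatch."""
    problems = []
    for app in apps:
        farm, flt = app["farm"], app["filter"]
        if farm not in vservers:
            problems.append((app["app"], f"farm '{farm}' is not a VPN virtual server on the CAG"))
        elif flt not in policies:
            problems.append((app["app"], f"filter '{flt}' is not a session policy on the CAG"))
        elif flt not in bindings.get(farm, set()):
            problems.append((app["app"], f"session policy '{flt}' is not bound to vserver '{farm}'"))
    return problems


def main():
    vservers, policies, bindings = parse_ns_conf(NS_CONF)
    for app, reason in check_filters(PUBLISHED_APPS, vservers, policies, bindings):
        print(f"{app}: {reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed data it flags Word, Excel and Paint and accepts Notepad; the same check applies unchanged to the Access Gateway Farm / Filter pair entered when filtering a Citrix Policy on an Access Gateway connection, since those fields take the same two names.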

Filed under Citrix Access Gateway, Citrix Netscaler

One Response to “Citrix Access Gateway Enterprise Edition scope and limitations for end point scanning rule base”

  1. Elisse Says:
    January 7th, 2011 at 1:57 am

    If you’re interested in looking for other options for EPA scans, you should check out a free alternative at http://citrix.opswat.com.
