Jump to content
Welcome to our new Citrix community!

EPA -> SSL-VPN -> Domain-check fails in some cases

Christoph Dusek

Recommended Posts


it's about our SSL-VPN-Environment with Netscaler Gateway-Plugin.


Since rund about 1 month and after updating our windows7-clients to windows10, we partially have some clients, where the EPA-check fails. It worked fine for many month with the same Gateway-Plugin-Version. Some new installed und updated windows-clients have some problems. The deployment of the client-installation didn't change.


The loggin (tail -f /var/log/ns.log | grep 'username') shows me:


<local0.err> xxx.xxx.xx.xx **/**/2019:07:53:52 GMT XXXXXX 0-PPE-0 : default SSLVPN CLISEC_CHECK 52258158 0 :  User: 'username' - Client IP xxx.xxx.xxx.xxx - Vserver xxx.xxx.xxx.xxx:443 - Client_security_expression "CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_Domain.Subdomain[COMMENT: Domain check]') EXISTS" - Client security check failed - User put in quarantine group VPN-Quarantine - Error message Your client does not comply with the security policy from our company.


But the client IS member of the domain. This has been thoroughly validated by the client-admins.


Maybe somebody can explain to me, at which stele the domain affiliation is checked? Is it a registry key that is checked?


We use this on the "NetScaler Gateway Session Profile" (-> Security Tab -> "Client security check string"):
CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_domain.subdomain[COMMENT: Domain check]') EXISTS


The string is not self-invented, it was taken over by citrix.com



Thank you very much in advance for your answers.

Link to comment
Share on other sites

  • 4 weeks later...
  • 1 month later...

Oh, absolutely, the whole point is that the client EPA check is done by the client.... but it sounds like Windows updates maybe broke the EPA on the client. But Citrix may have a fix = EPA upgrade.


Depending on your session profiles, the upgrade might happen automatically the next time users need to do the EPA.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...