
ICA Proxy Pre-auth

Pete Moss1709152631


Hi All, 


Is it possible to configure ICA proxy only with pre and post EPA scans? I have a scenario whereby we don't want users to create a full SSL VPN tunnel. We just need standard ICA Proxy but with the ability to perform EPA scans. I'm pretty sure it only really works with SSL VPN, but wanted to double check.





You CAN use preauthentication policies and post-authentication policy epa scans in an ICA only connection mode. But with the following considerations:

1) The use of EPA-based expressions isn't supported with the ICA Proxy included licenses; it will require that the VPN CCU licenses (aka universal licenses) are consumed.

2) You can still do this in ICA Proxy mode, meaning you only need the Citrix Receiver/Workspace App to establish connections to XA/XD/CVAD resources. You do not need the SSL VPN (Gateway plugin) and you do not have to be in a VPN connection mode. BUT, the Workspace App/Citrix Receiver cannot run the EPA scans on its own, so you will need to download/distribute the EPA Client. (The Gateway offers this to users automatically if an EPA scan is attempted and a VPN client or existing EPA client is not present.) However, users need admin rights to install it AND you might have to use a software distribution tool to get it to your users if you have locked-down user devices.


So it is possible to use these features in an ICA Proxy (HDX Proxy) only connection mode. But you have to deal with potential Gateway universal licensing considerations and the EPA client download. (We do this in the Gateway training class for both VPN scenarios and ICA Proxy only scenarios.)


The other challenge is that a lot of the current EPA/OPSWAT scans/preauth policies are still mostly classic engine, depending on whether you are on 11.1 - 13.0, and haven't fully moved to the advanced engine. Which adds some complexity to the deployment as we continue towards the migration of features from classic to advanced... and in this area things have been a little unclear on the future integration. You may also have to test to make sure there are no issues with EPA scans on the firmware you try to run on.







Thanks Rhonda.


I've done a few deployments now with full SSL VPN (with various pre and post EPA checks), but none with ICA / HDX Proxy only mode. All configured in POC and working fine. No SSL VPNs attempting to connect and all client choices etc. switched off.


Working fine.


Do you have any pointers on how to configure a device certificate EPA check? I'm not having any joy with getting it to work. I did another implementation a couple of weeks ago with cert-based auth (extracting the user name from the user cert), but I've configured various bits and pieces today, and the EPA check doesn't work.


Kind Regards,



This might help you with an EPA scan to check for a device cert: https://docs.citrix.com/en-us/citrix-gateway/12-1/device-certificate-in-nfactor-as-an-epa-component.html


If you have some users with client certs and some without and you want them on a single gateway, but to do different authentication requirements with cert vs. without (or different session policies with certs vs. without), then an nFactor authentication policy that deals with Flow 1: client cert + <authentication requirements> vs. Flow 2: without client cert might be useful.


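As an added example (not configuration from this thread or from the linked Citrix document), here is the shape of Flow 1 on an ICA-only vserver: a device-certificate EPA factor first, then LDAP, wired to the gateway through an authentication profile. Assumed and placeholder: every object name, the 192.0.2.x addresses and the LDAP values; the commands follow the 12.1 nFactor CLI that the linked document covers, so the consumed licenses are the universal ones mentioned above.

```text
# Added example, not Citrix's own config: Citrix Gateway 12.1 nFactor CLI.
# All names, IPs and LDAP values below are placeholders.

# ICA-only (HDX Proxy) gateway: no full SSL VPN tunnel is offered.
add vpn vserver gw_ica SSL 192.0.2.10 443 -icaOnly ON

# Device-cert EPA needs the issuing CA bound to the vserver and client-cert
# negotiation enabled but optional, so users without a cert still reach Flow 2.
bind vpn vserver gw_ica -certkeyName ca_device_issuer -CA -ocspCheck Optional
set ssl vserver gw_ica -clientAuth ENABLED -clientCert Optional

# Factor 1: EPA action that passes only when a trusted device certificate
# is present (the device-cert_0_0 expression from the linked document).
add authentication epaAction epa_devcert_act -csecexpr "sys.client_expr(\"device-cert_0_0\")"
add authentication Policy epa_devcert_pol -rule true -action epa_devcert_act

# Factor 2: LDAP credentials, held in a policy label (placeholder values).
add authentication ldapAction ldap_act -serverIP 192.0.2.20 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ns@example.com" -ldapBindDnPassword "PLACEHOLDER" -ldapLoginName sAMAccountName
add authentication Policy ldap_pol -rule true -action ldap_act
add authentication policylabel ldap_label -loginSchema LSCHEMA_INT
bind authentication policylabel ldap_label -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT

# Non-addressable authentication vserver: EPA runs first, LDAP is the next factor.
add authentication vserver auth_vs SSL
bind authentication vserver auth_vs -policy epa_devcert_pol -priority 100 -nextFactor ldap_label -gotoPriorityExpression NEXT

# Hand the ICA-only gateway over to the nFactor flow.
add authentication authnProfile nf_prof -authnVsName auth_vs
set vpn vserver gw_ica -authnProfile nf_prof
```

Users without a trusted device cert fail factor 1 and never see the LDAP prompt; a second branch for Flow 2 (no client cert) would hang off a different policy on auth_vs with its own nextFactor.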
