
Restrict Access via NetScaler ADC to only NON-domain Joined Computers.

Jimmy Raborn


This seems backwards, but our Cybersecurity team asked that we inquire. ('nuff said, right?) We have our Citrix environment and we have a Cisco VPN.


Our Cyber team has asked that we block domain-joined computers from connecting through the NetScalers and only allow non-domain-joined computers through them.

The reasoning behind this is that the remote users on domain-joined computers who use Citrix resources exclusively are not building their VPN tunnel; therefore their domain computers are falling out of compliance with SCCM-deployed updates and compliance policies, Splunk logging and so on, because they're not talking to the domain.


What would be the simplest, least invasive way to block a domain-joined computer from connecting through the ADC without hindering non-domain-joined computers and, if possible, provide a message to the end user that they need to connect to the VPN before they can access our Citrix resources... (*facepalm*)



6 hours ago, Jimmy Raborn said:

simplest, least invasive way to block a domain joined computer


Which firmware are you on, 13.0 or earlier?

I think you know part of this: the easier thing to enforce would be to allow domain-joined systems only; blocking them is tricky. So I have a lot of sympathy for your requirements.



If domain-joined: block access to Citrix Gateway, require use of the Cisco VPN.

If not domain-joined (or the EPA scan fails): allow ICA proxy access...


The way to identify domain-joined systems would be to 1) run an EPA scan to confirm whether the system is a member of the domain OR whether the VPN client is present, OR 2) if we end up doing EPA scans anyway, have the "update" process install a "last update" file or something, and if this file is too far out of date, have the Citrix Gateway reject their connection until they establish the VPN (every so often).


So for the gateway to detect domain-joined status, or the presence of the VPN client, or some other OS characteristic, you would have to:

1) Use an EPA scan (preferably via the advanced engine, OPSWAT EPA, instead of the classic engine).

1a) EPA scans are run either by the full VPN client OR the EPA scan client; the Citrix Receiver/Workspace app alone can't do it. So you would use the EPA client.

1b) The EPA client is only supported on full Windows or full Mac (but that would be valid on the domain-joined system); if the scan can't run, you would not be on a domain-joined system...

1c) The use of EPA policies moves you from ICA Proxy basic features to ICA Proxy advanced features, which consumes a VPN CCU license/Gateway Universal license and not the regular ICA-proxy-only licenses (but that may not be an issue on your license type).

1d) You'll have to test, because the EPA client can be fussy on 13.x (and you need to ensure you can deploy your session policies either all classic or all advanced as a result of any dependencies you have).


>> It's not going to keep it simple, as you now have to deploy the EPA client (and it installs under admin rights) and deal with possible licensing requirements.


Usually EPA scans are used to determine the type of connection to allow; and you'd be using it to reject (or to allow if the scan is NOT true).


I'm still not sure if it will do exactly what you want, but if you can confirm that the majority of "domain-joined" devices means Windows workstations (and not other considerations like mobile or other), there might be something to work with.


So either a preauthentication EPA scan that, if TRUE, denies access (via the advanced engine if possible), or a session policy that could flag allow/deny (or even change the gateway page to redirect you to the Cisco VPN portal), might be what you are looking at here.



But if this sounds possible, we can get you more info.




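The reply above proposes three endpoint signals for the EPA scan (domain membership, presence of the Cisco VPN client, and the age of a "last update" marker file) and two ways to turn them into an allow/deny decision. The PowerShell below is an added example, not code from the thread, from Citrix or from Cisco: it evaluates those same signals locally on a Windows endpoint so the logic can be validated before it is expressed as EPA scan criteria (whose syntax differs and is not shown here). The VPN client path, the marker file location under ProgramData, the 14-day threshold and the "Contoso" folder are assumptions; adjust them to your estate.

```powershell
# Added example, not from the thread. Evaluates the endpoint signals discussed in
# the reply and applies both proposed policies: strict (any domain-joined device
# is denied) and stamp-based (denied only when the update marker is stale).
# Paths and thresholds below are assumptions for illustration.

function Test-DomainJoined {
    # Win32_ComputerSystem.PartOfDomain is $true only for an AD-domain-joined
    # machine (workgroup and cloud-only devices return $false).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function Test-VpnClientPresent {
    param(
        # Assumed default install path of the Cisco AnyConnect UI; adjust as needed.
        [string]$ClientPath = "${env:ProgramFiles(x86)}\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe"
    )
    return (Test-Path -LiteralPath $ClientPath)
}

function Set-UpdateStamp {
    # Hypothetical hook for the SCCM/update process: rewrite the marker on each
    # successful compliance run so its LastWriteTime records the last check-in.
    param([string]$StampPath = "$env:ProgramData\Contoso\LastUpdate.txt")
    $dir = Split-Path -Parent $StampPath
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    (Get-Date).ToString('o') | Set-Content -LiteralPath $StampPath
}

function Test-UpdateStampFresh {
    param(
        [string]$StampPath = "$env:ProgramData\Contoso\LastUpdate.txt",
        [int]$MaxAgeDays = 14   # assumed tolerance between domain check-ins
    )
    # A missing marker is treated as stale: the device has never checked in.
    if (-not (Test-Path -LiteralPath $StampPath)) { return $false }
    $age = (Get-Date) - (Get-Item -LiteralPath $StampPath).LastWriteTime
    return ($age.TotalDays -le $MaxAgeDays)
}

function Get-GatewayDecision {
    # -Strict mirrors option 1 in the reply: domain-joined (or VPN-equipped)
    # devices are always told to use the VPN. Without -Strict, option 2 applies:
    # such devices are denied only while their update marker is out of date.
    # Anything else is treated as a non-domain device and gets ICA proxy access.
    param(
        [bool]$DomainJoined = (Test-DomainJoined),
        [bool]$VpnPresent   = (Test-VpnClientPresent),
        [bool]$StampFresh   = (Test-UpdateStampFresh),
        [switch]$Strict
    )
    $managed = $DomainJoined -or $VpnPresent
    if ($managed -and ($Strict -or -not $StampFresh)) {
        return [pscustomobject]@{
            Decision = 'DENY'
            Message  = 'Managed device: connect to the Cisco VPN first, then retry Citrix.'
        }
    }
    return [pscustomobject]@{
        Decision = 'ALLOW'
        Message  = 'ICA proxy access permitted.'
    }
}

# Usage: evaluate the live endpoint, or pass explicit values to exercise the
# decision table without touching CIM or the filesystem.
Get-GatewayDecision
Get-GatewayDecision -DomainJoined $true  -VpnPresent $false -StampFresh $true
Get-GatewayDecision -DomainJoined $true  -VpnPresent $false -StampFresh $true -Strict
Get-GatewayDecision -DomainJoined $false -VpnPresent $false -StampFresh $false
```

The second and third calls show the difference between the two policies on the same domain-joined, recently updated device: stamp-based allows it, strict denies it. Note that everything here is observable and forgeable by a local administrator, which is the same trust boundary an EPA scan operates within; it is a compliance nudge, not a security control against a hostile endpoint.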
