
Classic Expression in Session Policy - Windows Updates



Hi All, 

 

I have inherited support of a Citrix ADC NS13.0.58.32 (VPX200) which has a bound session policy using a classic expression to ensure that our users have our AV installed with definitions no older than a certain age, and that an endpoint which has missed critical patches is not allowed access but is instead presented with the VDI portal page via a separate session policy.

 

The experience I have had with laptops connecting to this has me questioning whether it is working correctly. We deploy our Windows updates for the most part via SCCM.

 

The classic expression is as below:

 

CLIENT.APPLICATION('ANTIVIR_377_2884_AUTHENTIC_==_TRUE_RTP_==_TRUE_VIRDEF-FILE-TIME_<_7200[COMMENT: Sophos Cloud Endpoint]') EXISTS && CLIENT.SYSTEM('WIN-UPDATE_UPDATE-TYPE_==_AUTOMATIC_MISSED-PATCH_==_CRITICAL[COMMENT:Windows Update]') EXISTS

 

How does the Citrix ADC verify the Windows critical patch? Is there a specific registry key and value this is looking at?

 

We have Windows 10; I have September's patches and the VPN works, and my colleague only has July's patches and the VPN works. However, I have three users, one on the same patch level as me, who fail the EPA and are presented with the VDI portal page.

 

I want to be able to compare a known-good local endpoint against a non-working one, as the VPN itself does work.

 

Appreciate any feedback or explanation on this.


I think it depends on whether Windows Update has scanned for patches. If Windows Update found a missing Critical patch but the user hasn't installed it yet, then it fails. If Windows Update has not done any scanning recently, then it might not know about missing patches. The OPSWAT expression also has a field for "last update check" to ensure that users are running Windows Update scanning periodically.

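The original question (what the ADC actually looks at for a missed critical patch) and the reply above (whether Windows Update has scanned recently) both come down to state held by the client's Windows Update Agent. The script below is an added example, not code from the thread, from Citrix or from OPSWAT: it snapshots that state through the Windows Update Agent COM API so a known-good and a failing endpoint can be compared side by side. It assumes the EPA scan is ultimately answered from the same agent; which exact properties the Citrix/OPSWAT check reads is not established by the thread. The `Search()` call is a live scan against the configured update source (WSUS/SCCM software update point or Microsoft Update), so it needs that source to be reachable.

```powershell
# Added example: snapshot the local Windows Update posture that an EPA-style
# "missed critical patch" / "last update check" rule depends on.
# Assumption: the EPA plug-in queries the Windows Update Agent; the precise
# properties it reads are not documented in the thread.

function Get-EndpointUpdatePosture {
    [CmdletBinding()]
    param()

    # Automatic Updates settings and the last successful scan/install times
    $au       = New-Object -ComObject Microsoft.Update.AutoUpdate
    $settings = $au.Settings
    $results  = $au.Results

    # NotificationLevel: 0 NotConfigured, 1 Disabled, 2 NotifyBeforeDownload,
    # 3 NotifyBeforeInstallation, 4 ScheduledInstallation (fully automatic)
    $levelNames = @{
        0 = 'NotConfigured'; 1 = 'Disabled'; 2 = 'NotifyBeforeDownload'
        3 = 'NotifyBeforeInstallation'; 4 = 'ScheduledInstallation'
    }

    # Live search for applicable software updates that are not installed and not hidden
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

    # Bucket by MSRC severity; non-security updates carry an empty MsrcSeverity
    $bySeverity = @{}
    foreach ($u in $missing) {
        $sev = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { 'Unrated' } else { $u.MsrcSeverity }
        if (-not $bySeverity.ContainsKey($sev)) { $bySeverity[$sev] = @() }
        $bySeverity[$sev] += $u.Title
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UpdateType         = $levelNames[[int]$settings.NotificationLevel]
        LastSearchSuccess  = $results.LastSearchSuccessDate
        LastInstallSuccess = $results.LastInstallationSuccessDate
        MissingTotal       = $missing.Count
        MissingCritical    = @($bySeverity['Critical'])
        MissingImportant   = @($bySeverity['Important'])
        MissingUnrated     = @($bySeverity['Unrated']).Count
    }
}

# Usage: run on a working and a failing endpoint, then diff the two files.
$posture = Get-EndpointUpdatePosture
$posture | Format-List
$posture | ConvertTo-Json -Depth 3 |
    Set-Content -Path "$env:TEMP\update-posture-$env:COMPUTERNAME.json"
```

Two fields are worth comparing first: `MissingCritical` (an endpoint that reports "You're up to date" in Settings can still have an applicable critical update queued if the scan source and the EPA scan disagree) and `LastSearchSuccess`, which is what a "last update check" term would key on. On SCCM-managed machines `UpdateType` often reads `NotConfigured` or `Disabled` because the client, not Automatic Updates, drives installation, which is relevant when an expression requires `UPDATE-TYPE_==_AUTOMATIC`.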

Hi Carl - Thanks for coming back to me so soon on this.

 

It's an odd one, as I have "You're up to date" on my Windows device, as does the user who is experiencing issues. I was hoping there would be some reference to a registry key on Windows, but this is going to be a bit more tedious troubleshooting than it already is.

 

I may remove the expression entirely as a test to see whether those who are having difficulty can then get on, but does the expression

 

CLIENT.SYSTEM('WIN-UPDATE_UPDATE-TYPE_==_AUTOMATIC_MISSED-PATCH_==_CRITICAL[COMMENT:Windows Update]') EXISTS

 

look correct? Or should it also be accompanied by the OPSWAT expression you mention for "last update check" to work properly?

 

I do have a ticket open with Citrix Support, but this seems to have them stumped at present too, and we have users that need VPN access as part of their role.


*RESOLVED*

 

I was reviewing the local endpoint log "nssslvpn.txt" (%localappdata%\Citrix\AGEE) whilst it was stuck with a spinning cog trying to connect, and noticed the following repeated errors within:

 

 nsload.exe
Date: 2021-09-21
Time: 11:03:13
Version: 13.0.58.32
=========================
11:03:13.589 | DEBUG   | ns_logout: finished logout
11:03:16.893 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002
11:03:26.903 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002
11:03:36.910 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002
11:10:32.335 | DEBUG   | Adapter Name - Bluetooth Device (Personal Area Network) : Index(17)
11:10:32.335 | DEBUG   | Adapter Name - Intel(R) Wi-Fi 6 AX201 160MHz : Index(12)
11:10:32.335 | DEBUG   | Adapter Name - Microsoft Wi-Fi Direct Virtual Adapter : Index(16)
11:10:32.335 | DEBUG   | Adapter Name - Microsoft Wi-Fi Direct Virtual Adapter #2 : Index(11)
11:10:32.340 | DEBUG   | Adapter's Information : Intel(R) Wi-Fi 6 AX201 160MHz, Index : 12l
11:10:32.340 | VERBOSE | local address:
11:10:32.340 | VERBOSE | Interface[12]: 192.168.1.161
11:10:32.341 | EVENT   | Resume from standby = no,   Local IP Changed = no
11:10:37.383 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002
11:10:47.400 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002
11:10:57.417 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002

 

Why was it looping and reporting on NICs, I thought? In our case the users reporting problems were connected to Wi-Fi; the properties of the Wi-Fi NIC had both IPv4 and IPv6 selected, and I thought I'd try unchecking IPv6, Apply, OK, and lo and behold the VPN connected fine. How or why that was an issue for some users and not others, who do have both selected and work fine, I doubt I'll ever know, but the problem for now looks to be resolved.

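The resolution above was found by eyeballing nssslvpn.txt for the repeating `OnAPIMessage` lines and then unchecking IPv6 in the adapter's properties. The script below is an added example, not something from the thread or from Citrix, that does the same two things from PowerShell so the next affected laptop can be checked without clicking through adapter dialogs: it finds runs of identical DEBUG messages in the plug-in log and lists which adapters still have the IPv6 transport (`ms_tcpip6`) bound. It assumes the log path given in the post; the meaning of `wParam 1002 lParam 1002` is not documented here, only that it repeats while the client is stuck. The sample log lines embedded in the script are constructed from the entries quoted above.

```powershell
# Added example: correlate the repeating OnAPIMessage loop in the Citrix Gateway
# plug-in log with per-adapter IPv6 binding state.
# Assumptions: log at %LOCALAPPDATA%\Citrix\AGEE\nssslvpn.txt (per the post);
# a "loop" is simply the same message logged $Threshold or more times in a row.

function Find-PluginLogLoops {
    param(
        [string[]]$Lines,
        [int]$Threshold = 3
    )
    # Plug-in format: "HH:MM:SS.mmm | LEVEL   | message"
    $rx   = '^(?<t>\d{2}:\d{2}:\d{2}\.\d{3})\s*\|\s*(?<lvl>\w+)\s*\|\s*(?<msg>.*)$'
    $runs = @()
    $prev = $null; $count = 0; $first = $null; $last = $null
    foreach ($line in $Lines) {
        if ($line -notmatch $rx) { continue }
        $msg = $Matches.msg.Trim()
        if ($msg -eq $prev) {
            $count++
        } else {
            if ($count -ge $Threshold) {
                $runs += [pscustomobject]@{ Message = $prev; Repeats = $count; FirstSeen = $first; LastSeen = $last }
            }
            $prev = $msg; $count = 1; $first = $Matches.t
        }
        $last = $Matches.t
    }
    if ($count -ge $Threshold) {
        $runs += [pscustomobject]@{ Message = $prev; Repeats = $count; FirstSeen = $first; LastSeen = $last }
    }
    return $runs
}

function Get-AdapterIPv6State {
    # Physical/virtual adapters that are up, with whether ms_tcpip6 is bound and
    # which addresses are currently assigned; this is the PowerShell view of the
    # "Internet Protocol Version 6 (TCP/IPv6)" checkbox in adapter properties.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        $binding = Get-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        $v6 = Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter      = $_.Name
            Description  = $_.InterfaceDescription
            IfIndex      = $_.ifIndex
            IPv6Bound    = [bool]$binding.Enabled
            IPv6Addrs    = @($v6.IPAddress) -join ', '
        }
    }
}

# Constructed sample, modelled on the entries quoted in the post, so the parser
# can be exercised without a real log; swap in Get-Content on the live file.
$sample = @(
    '11:03:13.589 | DEBUG   | ns_logout: finished logout'
    '11:03:16.893 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
    '11:03:26.903 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
    '11:03:36.910 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
    '11:10:32.335 | DEBUG   | Adapter Name - Intel(R) Wi-Fi 6 AX201 160MHz : Index(12)'
    '11:10:32.341 | EVENT   | Resume from standby = no,   Local IP Changed = no'
    '11:10:37.383 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
    '11:10:47.400 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
    '11:10:57.417 | DEBUG   | OnAPIMessage: wParam 1002 lParam 1002'
)
$logPath = Join-Path $env:LOCALAPPDATA 'Citrix\AGEE\nssslvpn.txt'
$lines   = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }

Find-PluginLogLoops -Lines $lines | Format-Table -AutoSize
Get-AdapterIPv6State             | Format-Table -AutoSize

# Equivalent of unchecking IPv6 on the Wi-Fi adapter, as in the fix above
# (per-adapter binding only; it does not touch the DisabledComponents registry value):
#   Disable-NetAdapterBinding -Name 'Wi-Fi' -ComponentID ms_tcpip6
# and to put it back:
#   Enable-NetAdapterBinding  -Name 'Wi-Fi' -ComponentID ms_tcpip6
```

Running this on a working and a failing laptop gives a like-for-like comparison: a loop of identical `OnAPIMessage` lines with a 10-second cadence on one machine and none on the other, alongside whether the active Wi-Fi adapter has `IPv6Bound = True` and what IPv6 addresses it holds. That is the data to hand to Citrix Support; unbinding IPv6 is the workaround the post found, not an explanation of why only some dual-stack endpoints were affected.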
