ADC EPA Pre-Authentication: Don't allow access unless device has A/V
I have 5 NetScalers in GSLB. I'd like to set the 2 external-facing ADCs with a policy that states if the external user does not have anti-virus installed and is on a company laptop (i.e. domain-joined laptop at home), it will not let them log in and will prompt a warning message. I know I can set a domain check policy, but I need one policy/profile that does both checks in one as mentioned? I'm quite new to ADCs. Any advice greatly appreciated.


In the traditional (classic-engine) preauth policies using an OPSWAT scan, you can make this a compound expression: <criteria1> && <criteria2>, and use it to set the "ALLOW" to override a default deny, just like any other policy with a compound expression.

Preauth example:

add aaa preauthenticationaction preauth_act_demo ALLOW
add aaa preauthenticationpolicy preauth_pol_demo q/CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_workspacelab.com[COMMENT: Domain check]') EXISTS && CLIENT.APPLICATION('ANTIVIR_148_0_VERSION_<_12.1[COMMENT: Generic \'Trend Micro, Inc.\' Scan]') EXISTS/ preauth_act_demo


Of course, with the classic engine and the preauth policy object being deprecated, the preauthentication requirements can be implemented in the nFactor policy engine to be "advanced" based.

Go to AAA - Application Traffic and create an "Advanced" Authentication Policy. Select "EPA" as the expression type and then create an advanced "EPA action" which will do the OPSWAT scan and domain check in the "advanced engine". Make the EPA policy expression true and then bind it BEFORE the authentication policies on an authentication vserver.


The policy expression itself would be something like this:

add authentication epaAction authe_pol_preauthedemo -csecexpr "sys.client_expr(\"app_0_ANTIVIR_148_0_VERSION_<_12.1[COMMENT: Generic \'Trend Micro, Inc.\' Scan]\") && sys.client_expr(\"sys_0_DOMAIN_SUFFIX_anyof_workspacelab.com\")"
add authentication Policy authe_pol_preauthdemo -rule true -action authe_pol_preauthedemo


You would use this prior to your authentication policies in your nFactor policy binding. But you might need more info if you are unfamiliar with nFactor configurations.


* Also, both policies just did an OPSWAT scan for Trend at version 12.1 as an example antivirus check and a domain check for workspacelab.com (domain name used in Citrix training).

If you are unfamiliar, look at the OPSWAT or EPA editor in the GUI to see how to configure it for easiest results.


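The answer above stops at the EPA action and policy. The block below is an added, complete nFactor example (not from the forum post or from Citrix): the EPA scan runs as the first factor and an LDAP factor is reached only if the scan passes. The two OPSWAT check strings are the ones posted above; every object name, the vserver IP, and the LDAP server, base and bind account are placeholders to replace. The `#` lines are annotations for reading, not NetScaler CLI. One caveat a practitioner should keep in mind: the EPA result is reported by the client-side EPA plugin, so this gate enforces device hygiene, it is not a cryptographic attestation of the device, and the credential factor that follows remains the actual authentication.

```text
# 1. EPA factor. Both checks are ANDed, so both must pass. With no -quarantineGroup set on
#    the action, a failed scan ends the session before any credentials are requested.
add authentication epaAction epa_act_preauth -csecexpr "sys.client_expr(\"app_0_ANTIVIR_148_0_VERSION_<_12.1[COMMENT: Generic \'Trend Micro, Inc.\' Scan]\") && sys.client_expr(\"sys_0_DOMAIN_SUFFIX_anyof_workspacelab.com\")"
add authentication Policy epa_pol_preauth -rule true -action epa_act_preauth

# 2. Credential factor (placeholder LDAP server, base and bind account; use LDAPS).
add authentication ldapAction ldap_act_demo -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=workspacelab,dc=com" -ldapBindDn "svc_ns@workspacelab.com" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName
add authentication Policy ldap_pol_demo -rule true -action ldap_act_demo
add authentication loginSchema lschema_single -authenticationSchema "LoginSchema/SingleAuth.xml"
add authentication policylabel ldap_label_demo -loginSchema lschema_single
bind authentication policylabel ldap_label_demo -policyName ldap_pol_demo -priority 100 -gotoPriorityExpression NEXT

# 3. Ordering on the authentication vserver (placeholder VIP): the EPA policy is bound
#    directly to the vserver and the LDAP label is its next factor, so the login form is
#    never shown to a device that fails the antivirus or domain check.
add authentication vserver auth_vs_demo SSL 192.0.2.10 443
bind authentication vserver auth_vs_demo -policy epa_pol_preauth -priority 100 -nextFactor ldap_label_demo -gotoPriorityExpression NEXT
```

When the -csecexpr contains more than one check, keep the `\"` escaping around each sys.client_expr argument exactly as shown; the outer double quotes belong to the CLI argument and the inner ones to the expression, and an unescaped inner quote truncates the expression silently.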