
13.0-83.27 breaks classic expressions set in citrix gateway session policy.



We have recently upgraded one site's VPX200 to 13.0.83.27 (Standard Edition) due to the vulnerability release (previously on 13.0-64.35). Everything worked fine prior.

We have set up two session policies in Citrix Gateway with classic expressions to enable access for VDI\VPN users; policy details below:

VPN_POL - Priority 50 - All users usually hit this policy first, and post EPA it will perform the check below; if successful, users are presented with an NS page to launch the VPN.

CLIENT.APPLICATION('ANTIVIR_377_2884_AUTHENTIC_==_TRUE_RTP_==_TRUE_VIRDEF-FILE-TIME_<_7200[COMMENT: Sophos Cloud Endpoint]') EXISTS && CLIENT.SYSTEM('WIN-UPDATE_UPDATE-TYPE_==_AUTOMATIC_MISSED-PATCH_==_CRITICAL[COMMENT:Windows Update]') EXISTS

 

No_VPN_POL - Priority 120 - If users do not meet the post-EPA checks above, they then hit this policy, which loads the StoreFront portal for VDI access.

I am aware that we need an exercise on converting our nsconf from classic to advanced expressions using nspepi. However, for now I just need to patch for the vulnerability and ensure that the VPN users can still access the network. Looking at real-time access, it looks like the VPN policy is being completely ignored since the upgrade and all users hit the no-VPN policy only.

I have tested and configured the classic expression in the VPN and No VPN policies to true, and I can get on the VPN fine. So it's clear that the issue is with the classic expressions.

How can I achieve the same result so that I can patch our other VPX and ensure users can access VPN\VDI? CLIENT.APPLICATION doesn't appear to be an option any more in advanced expressions, so I am between a rock and a hard place.

I also attempted to configure nFactor using the "show unlicensed features", and whilst our 2-factor authentication (LDAP + RADIUS) worked, I got "cannot complete your request" on the StoreFront portal. This also doesn't resolve the underlying issue of differentiating VPN users from VDI.

Any help or suggestions on the forums would be greatly appreciated.

Craig


Hi Craig,

As per https://support.citrix.com/article/CTX239452 this seems to be the same issue, and you need to use the instructions as per https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-to-configure-post-auth-epa-as-a-factor-in-nfactor.pdf to get past this.

Unfortunately, even though classic policies were not to be fully deprecated until 13.1, it seems some problems with this have made their way into earlier builds.

If you don't want to convert the nsconf file all in one go, you can just do the following for each expression you want to change:

Run the following command at the shell prompt of the appliance:
nspepi -e "<classic expression>"

As per https://support.citrix.com/article/CTX131024

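An added example, not part of the thread and not Citrix code: before an upgrade like the one discussed above, a copy of ns.conf can be scanned offline for session policies that still carry classic rules, and the nspepi -e command from the reply printed for each one. The marker list is a heuristic assumption, and the sample config lines are constructed from the policy names in the post (VPN_ACT, NO_VPN_ACT and ADV_POL are made up).

```python
import re
import shlex

# Heuristic markers of classic policy syntax (an assumed, non-exhaustive list):
# ns_true/ns_false, the client-security calls quoted in the post, and a bare
# REQ./RES. prefix that is not part of an advanced HTTP.REQ / HTTP.RES.
CLASSIC = re.compile(
    r"(?<![\w.])(?:ns_true|ns_false|REQ\.|RES\.|CLIENT\.(?:APPLICATION|SYSTEM)\b)"
)

def find_classic_session_policies(conf_text):
    """Return [(policy_name, rule)] for session policies whose rule looks classic."""
    hits = []
    for line in conf_text.splitlines():
        if not line.strip().lower().startswith("add vpn sessionpolicy "):
            continue
        try:
            tokens = shlex.split(line)  # handles "..." quoting and \" escapes
        except ValueError:
            continue  # unbalanced quotes: not a complete config line
        # Expected shape: add vpn sessionPolicy <name> <rule> <action>
        if len(tokens) >= 6 and CLASSIC.search(tokens[4]):
            hits.append((tokens[3], tokens[4]))
    return hits

def nspepi_commands(policies):
    """Build one shell-safe 'nspepi -e' command line per classic rule."""
    return ["nspepi -e " + shlex.quote(rule) for _, rule in policies]

# Constructed sample, not a real ns.conf. Action names and ADV_POL are made up.
SAMPLE_CONF = r'''
add vpn sessionAction VPN_ACT -splitTunnel ON
add vpn sessionPolicy VPN_POL "CLIENT.SYSTEM('WIN-UPDATE_UPDATE-TYPE_==_AUTOMATIC_MISSED-PATCH_==_CRITICAL[COMMENT:Windows Update]') EXISTS" VPN_ACT
add vpn sessionPolicy No_VPN_POL ns_true NO_VPN_ACT
add vpn sessionPolicy ADV_POL "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" ADV_ACT
'''

if __name__ == "__main__":
    found = find_classic_session_policies(SAMPLE_CONF)
    for (name, _), cmd in zip(found, nspepi_commands(found)):
        print(f"{name}: {cmd}")
```

shlex.quote wraps the rule in single quotes rather than the double quotes shown in the reply; the shell passes the same argument to nspepi either way.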
