Jump to content
Welcome to our new Citrix community!

EPA OSWAT scans fail with "ns_EvalPolicy returns 2003"


Recommended Posts

Hi everyone,

 

I'm deploying EPA scans and it fails even if the computer meets all the requirements. In the nsepa.txt logs it always shows these messages:

 

2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | downloadEpaLib | 381 | Failed to verify downloaded EPA library
2023-01-23 17:59:40.024 | Tid: 08568 | DEBUG   | ns_verifyfile: called
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | checkAndLoadEPALib | 603 | Failed to verify EPA DLL
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | initEPAlib | 795 | Failed to load EPA library 
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | epaLibScan | 888 | Faield to initialize EPA library 
2023-01-23 17:59:40.024 | Tid: 08568 | DEBUG   | ns_EvalPolicy: BROWSER_36_39 returns 2003
2023-01-23 17:59:40.024 | Tid: 08568 | EVENT   | ns_EvalPolicy returns 2003

 

I've been doing a lot of testing and I found that it fails only when using OPSWAT expressions. When using Classic EPA it works properly.

 

Any ideas on whats the meaning of code 2003 or how to make the OPSWAT expressions work? I'm using the latest 13.0 build and also the latest versions of EPA libraries.

Link to comment
Share on other sites

14 hours ago, Felipe Ruiz1709162764 said:

 

2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | downloadEpaLib | 381 | Failed to verify downloaded EPA library

 

Looks like the client is not able to properly download the EPA files.

Try disabling the cache on the VPN vserver to make sure is not a cache-related issue. (cache is enabled by default on VPN vservers)

 

add cache policy epa_nocache_pol -rule "HTTP.REQ.URL.CONTAINS(\"/win/epaPackage.exe\")" -action NOCACHE

bind vpn vserver <vserver_name> -policy epa_nocache_pol -priority 1 -gotoPriorityExpression END -type REQUEST

Link to comment
Share on other sites

  • 2 weeks later...
On 1/24/2023 at 9:11 AM, Marcelo Oguma de Souza1709152865 said:

 

Looks like the client is not able to properly download the EPA files.

Try disabling the cache on the VPN vserver to make sure is not a cache-related issue. (cache is enabled by default on VPN vservers)

 

add cache policy epa_nocache_pol -rule "HTTP.REQ.URL.CONTAINS(\"/win/epaPackage.exe\")" -action NOCACHE

bind vpn vserver <vserver_name> -policy epa_nocache_pol -priority 1 -gotoPriorityExpression END -type REQUEST

 

Thanks for the reply Marcelo.

 

In the end it worked somehow before I could even try disabling caché. I still don't know exactly what happened to make it work, the only thing I did was trying to use nfactor but I got the exact same problem. But when I went back to regular pre-auth policies it all suddenly worked. Maybe changing from nfactor to regular pre-auth policies cleared the caché?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...