Jump to content
Welcome to our new Citrix community!

SSLVPN Session initiated after failed Post-EPA Domain Check

Mike Linde

Recommended Posts



I've configured Post-EPA Domain Check with a Quarantine Group in two environments.

One runs with an ADC 13.1 and another with 12.1 (actual builds)


The post-EPA checks are configured inside the session profile under security and run as expected. The behavior after the check is not as expected.

In the 13.1 environment the client browser is forwarded to the https://<fqdn>/vpns/f_ndisagent.html URL and want to initate a SSLVPN session if the post-EPA Check fails or is aborted.

In the 12.1 environment the client browser gets feedback with "Error: Not a privileged User." which is my goal.


I cannot find the root cause in the 13.1 environment of getting SSLVPN Session initation. Any ideas?





Link to comment
Share on other sites

  • 2 months later...

After troubleshooting this behavior with citrix support, we changed all classic policies to advanced policies in ADC 13.1 Netscaler Gateway instance.

After this, the behavior was not resolved, but the change was recommended from support because of the classic policies depreciation in 13.1


I finally resolved the issue by changing netscaler gateway vserver authentication from primary+secondary authentication policies to nFactor flow through an authentication  profile:


In this flow I added a decision block for group-extraction and also an EPA-policy.




  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...