Can I choose a specific session policy or protocol (VPN or ICA) based on result of EPA scan?

Cormac Long

Currently I have a post-EPA check for a registry key configured in a session policy bound to Citrix Gateway. If this fails then VPN access is denied and the user falls back to ICA (StoreFront). This functionality broke when upgrading from 12.1 to 13.0. I have a case open with Citrix support, but I have been looking at migrating this to an EPA check built into an nFactor flow; however, I can't figure out how I can get it to perform the fallback part from VPN to ICA (StoreFront).

Anybody ever done something similar or know if it is possible?


Hello Cormac,

For EPA failure, construct an EPA policy the same as pass, but add a ! in front of it. This will help to still continue with your authentication flow, and then you can use these failure/success groups in your session action or any policy you want and proceed.

Something as follows:

add authentication epaAction epaact1 -csecexpr "sys.client_expr(\"proc_0_notepad\")" -defaultEPAGroup EPA_PASS

add authentication epaAction epaact2 -csecexpr "!sys.client_expr(\"proc_0_notepad\")" -defaultEPAGroup EPA_FAIL

Then use the EPA_FAIL group as your check for your session policy if needed (expression below), as follows: "AAA.USER.IS_MEMBER_OF("EPA_FAIL")"
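The group-based fallback described in the reply above, written out as session policies. This is an added example, not part of the original post and not Citrix's own configuration. The session action and policy names, the gateway virtual server name gw_vs and the StoreFront URL are assumptions, and the two EPA actions are assumed to be already attached to the nFactor flow.

```netscaler
# Session profile for devices that passed the scan: full VPN, no ICA proxy
add vpn sessionAction sess_act_vpn -transparentInterception ON -icaProxy OFF

# Session profile for devices that failed the scan: ICA proxy to StoreFront only
# (placeholder URL; replace with the real StoreFront store)
add vpn sessionAction sess_act_ica -transparentInterception OFF -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb"

# Select the profile from the group set by -defaultEPAGroup on the EPA action
add vpn sessionPolicy sess_pol_vpn "AAA.USER.IS_MEMBER_OF(\"EPA_PASS\")" sess_act_vpn
add vpn sessionPolicy sess_pol_ica "AAA.USER.IS_MEMBER_OF(\"EPA_FAIL\")" sess_act_ica

# Bind both policies to the gateway virtual server (hypothetical name gw_vs)
bind vpn vserver gw_vs -policy sess_pol_vpn -priority 100
bind vpn vserver gw_vs -policy sess_pol_ica -priority 110
```

A user who ends up in neither group matches neither policy and gets whatever session settings apply by default, so keep that default ICA-only rather than VPN.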

