Mike Smithson

Hi, we have configured LOM access on MPX device. Wanted to know if anyone has used HTML5 for the remote console/GUI access? When we logon to the LOM and open a remote console the HTML5 option is greyed out. Any advice on how to use HTML5 for remote console access would be useful as there isn't much at all in the documentation.

Thanks we went through that article many times and not much helped TBH. We ended up blatting the complete config on the NetScalers and starting again which worked when we reconfigured it.

Trying to configure GSLB on 2 x VPX HA pairs, each pair in different sites. MEP status is showing as Down at both sites at the GSLB Site level. We've gone through the GSLB troubleshooting guides with no luck TCP ports are open for MEP 3009-3011 from each side, network team checked and verified, we've reset the rpcNode pwds and re-enabled, changed the source IP that RPC should originate from for the Site, changed the MEP traffic to insecure 3011. nstcpdump shows port 3011 traffic going to the local loopback address 127.0.0.1 and occasionally hitting the secondary HA node (HA traffic) but never going over to the 2nd GSLB site IP. Are there any log files that show GSLB errors? There appears to be one for GSLB sync in directory var/netscaler/gslb but it doesn't show any MEP related errors .

We already looked at that - this is where we go the meaning of error 129. However it does not give a fix for this error 129 NS_ICA_ERR_INVALID_CHANNEL_HEADER Detected invalid channel header

ADM is not capturing all HDX Insight sessions - After looking in the ns.log file we can see a lot of sessions with one of these errors (the EUEM service is started on XA servers) Missing EUEM ICA RTT with a skip code of [129] "Error: Skip Parsed VC Processing with error code : 129 "ICA_RECORD: Skipping ICA flow: again with skip code [129] The meaning of skip code 129 below from Citrix article: 129 NS_ICA_ERR_INVALID_CHANNEL_HEADER Detected invalid channel header Does anyone know what this means and what the fix is for it?

The problem is we scan for generic AV products which means the libraries need to be bang upto date otherwise cloud based AV subscriptions update the version of AV on the endpoint before the EPA libraries get updated by Citrix. Then users can't logon in this scenario. We have to do many updates of the libraries once every month at least. TBH I would have thought Citrix would have a cloud based subscription service to update the EPA Libraries automatically on client based NetScalers We want to automate the update process so we drop the new library files into a fileshare, the ADM configuration job runs once every month on a schedule. I have managed to get this working using 'SED' shell cmd line tool to update the pluginlist.xml file . We are testing it at the moment and it works. This means that we don't have to work out of hours every month to update the ADC's libraries.

Has anyone successfully scanned for missing MacOS patches using EPA pre-auth policies? We get mixed results, it sometimes works and sometimes fails despite the Monterey operating system having no patches missing, either of these expressions do not work consistently. sys.client_expr("app_0_MAC-PATCH_0_0_ENABLED_==_TRUE_MISSED-PATCH_anyof_5,4[COMMENT: Generic Patch Management Product Scan]") sys.client_expr("app_0_MAC-PATCH_0_0_ENABLED_==_TRUE_MISSED-PATCH_anyof_5[COMMENT: Generic Patch Management Product Scan]")

We currently have 2 separate EPA actions bound to auth 2 auth policies, one for Windows and one for macOS, both policies bound to a AAA vServer in a policy order Windows 100 --> NEXT ----> 110 Mac. We are using User-Agent header contain "Win" on the Window EPA auth policy in an attempt to only apply the Windows EPA scans to Windows, mac EPA auth policy has Agent header contain "mac" to apply to macOS. We appear to be getting inconsistent results. Is this the best method to approach this challenge?

Thank you Jonathan for the clear explanation. For some reason or other we couldn't get the flow to work so we did the policies manually and voila it worked straight away! Good advice around where to use the visualiser and manual policies.

I have attached our nFactor flow

We have our nFActor flow configured that contains EPA pre auth scans. These are working as we want them to. The problem is that our nFactor authentication now has the fields flipped i.e.:- the password field is now the passcode field and vice versa. We tried swapping the authentication factors around so that ldap was the first factor and radius the 2nd and we can see auth was working but we received the storefront "cannot complete your request"

I’ve posted a few questions recently around nFactor EPA pre auth scans, thanks for all the replies, really helpful! This is the last question. Is it possible to create a pre auth scan for an lb vServer. Is this supported? I’m assuming the nFactor flow is bound to the AAA vServer that sits in front of the lb vServer?

That's great Chris. Many thanks for taking the time to put the visual explanation together.

Thanks Richard for the links to the documentation, seems like there's very limited functionality for Ubuntu scans.

Hello, we have been tasked with setting up pre-auth EPA scans for Ubuntu clients. I can't find any Citrix documentation on building EPA expressions for Ubuntu clients. The EPA client is available, are EPA scans supported for Ubuntu?