Currently i have a post epa check for a registry key configured in a session policy bound to Citrix Gateway. If this fails then VPN access is denied and user falls back to ICA (Storefront). This functionality broke when upgrading from 12.1 t o 13.0. I have a case open with CItrix support but I have been looking at migrating this to an epa check built into nfactor flow however i cant figure out how i can get it to perform the fallback part from VPN to ICA (storefront). Anybody ever done something similar or know if it is possible?