Get Started with NetScaler EPA (Endpoint Analysis)

Within this article we want to proceed in showcasing some basic EPA (End Point Analysis) policies that we can implement within our organization to enhance security.

Please do note that we will not necessarily get into the details on setting up pre or post authentication EPA policies, but more concentrate on the EPA policies itself.

For reference here the short list and their setup that we will be describing in this blog entry:

• EPA for Operating System Patches (not the patch management)
• EPA for Operating System version
• EPA device certificate verification
• EPA Antivirus Check (Windows Defender as sample)
• EPA Registry check and CWA (Citrix Workspace Agent) verification
• EPA Registry check and CWA (Citrix Workspace Agent) verification with the use of NetScaler expressions

To be able to use EPA with Advanced Expressions we will look it up in the search box and click the search result (fastest operational approach).

EPA for Operating System Patches (not patch management)

As indicated we will create a new EPA action in the EPA settings through the NetScaler admin user interface. Here it is advised to make use of the expression editor, as it will provide guidance and help for the creation of the corresponding rules.

For this purpose we will go to:   EPA Editor >> Windows >> Windows Update >> + to proceed in making the configuration.

In this case we have chosen that Security Updates and Service Packs should not be missing on the operating system the user is using to connect to the NetScaler.

The corresponding rule would be the following one, which could also be copy/pasted into the box without using the EPA editor:

sys.client_expr("sys_0_WIN-UPDATE_WIN-MISSED-PATCH_==_SECURITYUPDATES,SERVICEPACKS[COMMENT: Windows Update]")

This external third party link shows a detailed list of the options in relation of the installed service packs that we can use for Windows Operating Systems: 

Description of the standard terminology that is used to describe Microsoft software updates

EPA for Operating System version

With the following policy we do want to verify the Operating System version.

For this purpose we either could use the "Windows" element, as it includes one configuration option, or even the "Common" option within the EPA Editor (first option). Note that for the purpose of this blog entry we have chosen the Windows menu as first configuration item.

Windows >> Windows OS >> Select Operating System and edit desired minimum version

Corresponding string:

sys.client_expr("sys_0_WIN-OS_NAME_anyof_WIN-11_BUILD-NUM_==_22621[COMMENT: Windows OS]")

Important:   Be careful when creating the logic = , || , && , <= , etc. as this is a source of common mistake during policy setup.

EPA device certificate verification

Before we do start please note some important things in relation to this policy:

• This policy relates to the verification of the device certificate check within a Windows machine. Due to this the EPA Plugin will have to be installed with administrative rights as it is required so by the operating system. 
• Also this is not a user certificate authentication for the user with a user certificate or smart card, which would be a different procedure.
• Additionally we will have to proceed in doing some additional changes to make this EPA policy work. The details are described in different documentations and KB articles.

• Virtual Gateway Server
  • Basic Settings (more)
    • Configure CA for device Certificate but
    • do not activate the checkbox
  • Certificate
    • Configure Server Cert
    • Configure CA Cert
• AAA Virtual Server
  • Basic Settings
    • Configure CA for device Certificate

Now to the EPA policy itself it is quite simple:

sys.client_expr("device-cert_0_0")

EPA Antivirus Check (Windows Defender as sample)

One commonly demanded check is the verification of a security element as could be an Anti Virus solution. In this case and for this specific example we have chosen Windows Defender, but a variety of other security solutions are supported and available.

Note that for the purpose of this example we only have used the main version for detection.

sys.client_expr("app_0_ANTIVIR_90_362_VERSION_>=_4.20[COMMENT: Windows Defender]")

EPA Registry check and CWA (Citrix Workspace Agent) verification

With this entry we actually have mixed two interesting verifications, where with EPA we will verify the existence of a Windows Registry Key, but at the same time we also will be verifying the version of CWA (Citrix Workspace Agent).

These Registry entries are used currently by CWA to provide uninstall information, yet the CWA version is reflected within those entries. As you can see the string used is quite long and we are also verifying two elements within the registry, which are a minor and a mayor version. As you can see both checks are bound with an "&&" operator:

(sys.client_expr("sys_0_REG_PATH_==_HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\CitrixOnlinePluginPackWeb\\\\VersionMajor_VALUE_==_23[COMMENT: Registry]")) && (sys.client_expr("sys_0_REG_PATH_==_HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\CitrixOnlinePluginPackWeb\\\\VersionMinor_VALUE_>=_9[COMMENT: Registry]"))

EPA Registry check and CWA (Citrix Workspace Agent) verification with the use of NetScaler expressions

As we have seen in the last example when using Registry Key EPA expressions it can get somehow complex from an expression point of view, especially if we wanted to make a more complex rule like V1 || V2 || V3, meaning the verification of different CWA (Citrix Workspace Application) versions. 

To make it easier form an operational point of view we can make usage of the "Expressions" functionality within NetScaler.

You have to navigate to:   App Expert >> Expressions >> Advanced Expressions

It is highly recommended to make use of the Advanced and not the Classic expressions as those will be deprecated in upcoming versions.

Once we have our different versions set  as in this picture: 

We will proceed in creating our EPA Policy with the corresponding Expressions that we have created.