Hello, What is the best way to construct nFactor EPA pre auth expressions for both macOS and Windows?

[Mike Smithson]

We currently have 2 separate EPA actions bound to auth 2 auth policies, one for Windows and one for macOS, both policies bound to a AAA vServer in a policy order Windows 100 --> NEXT ----> 110 Mac. We are using User-Agent header contain "Win" on the Window EPA auth policy in an attempt to only apply the Windows EPA scans to Windows, mac EPA auth policy has Agent header contain "mac" to apply to macOS. We appear to be getting inconsistent results. Is this the best method to approach this challenge?

[Steven Wright]

I would likely have written a single expression that did both.

Perhaps something similar to:

(CLIENT.OS(MacOS).VERSION == 10.13 && (CLIENT.APPLICATION('MAC-ANTIVIR_100021_0') EXISTS) || (CLIENT.OS(WIN8.1) EXISTS) && (CLIENT.APPLICATION(ANTIVIR_0_0_RTP_==_TRUE) EXISTS)

First, the check will determine if the client has MacOS version 10.13 or above and a version of AV. Second, the check will identify if the client has Windows 8.1 and any version of AV. If either the first or second group of checks passes the EPA scan will return success.

[Anchala Bansal]

You can as well refer to following article which has detailed steps:-

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-preauth-epa-scan-as-factor-in-nfactor.html

[Terry Hooper]

I'd also suggest reviewing the following article related to troubleshooting https://support.citrix.com/article/CTX209148/understanding-and-configuring-epa-verbose-logging-on-citrix-gateway as this will allow you to perform your own testing whilst reviewing the client EPA logs.