While working with a customer on a project to upgrade the NetScaler firmware to the latest version, we ran into some issues with EPA (End Point Analysis).
The customer uses a NetScaler Gateway to provide VPN access to end users.
What was in place?
Some post-authentication EPA tests are performed to check whether the computer is a corporate one.
Based on Active Directory group membership and the EPA results, one of three things happens:
- The VPN is launched and the intranet homepage is opened
- StoreFront is opened with RDP Proxy
- StoreFront is opened
Everything was working great before the upgrade.
As soon as the upgrade was done, it became impossible to launch the VPN.
After spending several days tracking down the problem, I discovered that the priorities of the bound policies seem to be interpreted differently by the new firmware.
Here is an Excel spreadsheet of what was in place before the upgrade:
| AAA Group | Policy Name | Priority |
|---|---|---|
| DG_Citrix_Netscaler_XenApp_VPN_User_Access | AV_Running | 100 |
| DG_Citrix_Netscaler_XenApp_VPN_Device_Access | Approved_device | 100 |
| DG_Citrix_Netscaler_XenApp_VPN_Admin_Access | VPN | 100 |
| DG_Citrix_Netscaler_XenApp_Access | SP-StorefrontICAProxy-Receiver | 100 |
| DG_Citrix_Netscaler_XenApp_Access | SP-StorefrontICAProxy-NonRec | 110 |
| DG_Citrix_Netscaler_XenApp_VPN_Exemption_User_Access | VPN | 100 |
| DG_Citrix_Netscaler_Fall_Back_Access | SP-StorefrontICAProxy-NonRec | 100 |
| DG_Citrix_Netscaler_RDP_Proxy | RDP_Proxy | 100 |
| DG_Citrix_Netscaler_VPN_Access | Full_VPN | 100 |
As you can see, the policies were all bound with the same priority, 100.
And in fact this was the problem: with the latest firmware (as well as with N-1), if a user is a member of multiple Active Directory groups, the policies bound to those groups are merged, so identical priorities no longer give a well-defined evaluation order.
So we had to change the priorities to get this working as it did before.
Here is what we implemented:
| AAA Group | Policy Name | Priority |
|---|---|---|
| DG_Citrix_Netscaler_XenApp_VPN_User_Access | AV_Running | 30 |
| DG_Citrix_Netscaler_XenApp_VPN_Device_Access | Approved_device | 40 |
| DG_Citrix_Netscaler_XenApp_VPN_Admin_Access | VPN | 20 |
| DG_Citrix_Netscaler_XenApp_Access | SP-StorefrontICAProxy-Receiver | 100 |
| DG_Citrix_Netscaler_XenApp_Access | SP-StorefrontICAProxy-NonRec | 110 |
| DG_Citrix_Netscaler_XenApp_VPN_Exemption_User_Access | VPN | 50 |
| DG_Citrix_Netscaler_Fall_Back_Access | SP-StorefrontICAProxy-NonRec | 70 |
| DG_Citrix_Netscaler_RDP_Proxy | RDP_Proxy | 60 |
| DG_Citrix_Netscaler_VPN_Access | Full_VPN | 10 |
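To see why the old bindings broke once policies from several groups are merged, here is a small added example (my own illustration, not part of the original configuration or Citrix's evaluation engine) that merges the bindings a multi-group user inherits, orders them by priority with the lower number evaluated first, and flags priority collisions between groups. The merge itself is a model of the behaviour described above and is an assumption of this example.

```python
# Added example: model of merged session-policy bindings for a user who is a
# member of several AAA groups. Lower priority number = evaluated first.
from collections import defaultdict

# Bindings exactly as listed in the two tables above: (group, policy, priority)
BEFORE = [
    ("DG_Citrix_Netscaler_XenApp_VPN_User_Access", "AV_Running", 100),
    ("DG_Citrix_Netscaler_XenApp_VPN_Device_Access", "Approved_device", 100),
    ("DG_Citrix_Netscaler_XenApp_VPN_Admin_Access", "VPN", 100),
    ("DG_Citrix_Netscaler_XenApp_Access", "SP-StorefrontICAProxy-Receiver", 100),
    ("DG_Citrix_Netscaler_XenApp_Access", "SP-StorefrontICAProxy-NonRec", 110),
    ("DG_Citrix_Netscaler_XenApp_VPN_Exemption_User_Access", "VPN", 100),
    ("DG_Citrix_Netscaler_Fall_Back_Access", "SP-StorefrontICAProxy-NonRec", 100),
    ("DG_Citrix_Netscaler_RDP_Proxy", "RDP_Proxy", 100),
    ("DG_Citrix_Netscaler_VPN_Access", "Full_VPN", 100),
]
AFTER = [(g, p, n) for (g, p, _), n in
         zip(BEFORE, [30, 40, 20, 100, 110, 50, 70, 60, 10])]

def merged_bindings(user_groups, bindings):
    """Bindings a member of `user_groups` inherits, in evaluation order.
    Python's sort is stable, so equal priorities keep binding order, which
    makes a collision visible instead of silently resolving it."""
    inherited = [(prio, policy, group) for group, policy, prio in bindings
                 if group in user_groups]
    return sorted(inherited, key=lambda b: b[0])

def priority_collisions(user_groups, bindings):
    """Priority numbers shared by more than one distinct policy for this
    user. Any non-empty result means the order in which those policies are
    applied is not decided by the configured priorities."""
    by_prio = defaultdict(set)
    for prio, policy, _ in merged_bindings(user_groups, bindings):
        by_prio[prio].add(policy)
    return {p: sorted(pols) for p, pols in by_prio.items() if len(pols) > 1}

def audit(bindings):
    """Check every pair of groups, since any user may belong to both.
    Returns {(group_a, group_b): {priority: [policies]}} for colliding pairs."""
    groups = sorted({g for g, _, _ in bindings})
    report = {}
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            collisions = priority_collisions({a, b}, bindings)
            if collisions:
                report[(a, b)] = collisions
    return report

if __name__ == "__main__":
    user = {"DG_Citrix_Netscaler_VPN_Access", "DG_Citrix_Netscaler_RDP_Proxy"}
    print("before:", priority_collisions(user, BEFORE))  # {100: [...]}
    print("after: ", [b[1] for b in merged_bindings(user, AFTER)])
```

Running `audit(BEFORE)` lists every pair of groups that clash at priority 100, while `audit(AFTER)` is empty, which is the property the new priorities were chosen to guarantee.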
Note: Based on my own experience