NetScaler Firmware Upgrade: EPA Issue

NetScaler

Working with a customer on a project to upgrade the NetScaler Firmware to the latest version, we figured out some issues with EPA.

In fact, the customer uses a NetScaler Gateway to provide VPN access to end users.

What was in place?

Some post authentication EPA tests are made to check if the computer is a Corporate one.

Based on Active Directory membership and EPA results:

  1. VPN is launched on Intranet homepage is opened
  2. StoreFront is opened with RDP PRoxy
  3. StoreFront is opened

 

Everything was working great before the upgrade.

As soon as the Upgrade was made, it was impossible to launch VPN.

After spending some days to figure out what was the problem, I discovered that Bound priorities seems to be interpret differently with the new Firmware.

Here after a Excel spreadsheet of what was is place before the upgrade:

AAA Group Policies Names Priority
DG_Citrix_Netscaler_XenApp_VPN_User_Access AV_Running 100
DG_Citrix_Netscaler_XenApp_VPN_Device_Access Approved_device 100
DG_Citrix_Netscaler_XenApp_VPN_Admin_Access VPN 100
DG_Citrix_Netscaler_XenApp_Access SP-StorefrontICAProxy-Receiver 100
SP-StorefrontICAProxy-NonRec 110
DG_Citrix_Netscaler_XenApp_VPN_Exemption_User_Access VPN 100
DG_Citrix_Netscaler_Fall_Back_Access SP-StorefrontICAProxy-NonRec 100
DG_Citrix_Netscaler_RDP_Proxy RDP_Proxy 100
DG_Citrix_Netscaler_VPN_Access Full_VPN 100

 

As you can see on the priorities were bound with same number 100.

 

And in fact this was the problem, with the latest Firmware (as well as with N-1), if a user is member of multiple Active Directory groups, the Policies are merged.

 

So we have to modify the priority to have this working as it was before.

 

Here is what we implemented:

 

AAA Group Policies Names Priority
DG_Citrix_Netscaler_XenApp_VPN_User_Access AV_Running 30
DG_Citrix_Netscaler_XenApp_VPN_Device_Access Approved_device 40
DG_Citrix_Netscaler_XenApp_VPN_Admin_Access VPN 20
DG_Citrix_Netscaler_XenApp_Access SP-StorefrontICAProxy-Receiver 100
SP-StorefrontICAProxy-NonRec 110
DG_Citrix_Netscaler_XenApp_VPN_Exemption_User_Access VPN 50
DG_Citrix_Netscaler_Fall_Back_Access SP-StorefrontICAProxy-NonRec 70
DG_Citrix_Netscaler_RDP_Proxy RDP_Proxy 60
DG_Citrix_Netscaler_VPN_Access Full_VPN 10

 

Note: Based on my own experience