Citrix NetScaler, how to configure ICA proxy for mobile devices and SSL VPN for laptops

In my recent blogpost on “NetScaler, WI and the Citrix Receiver 5.7.. “The gateway settings are incorrect” you could read how I configured the Citrix NetScaler for mobile devices (ICA Proxy) and laptops (SSL VPN). During the project new requirements came up and I had to do an End Point Analysis on the laptop to make sure that they were only allowed to do SSL VPN when the machine was domain joined to the customer domain.

So I started to configure the Citrix NetScaler for EPA and I wanted to use this article to exclude mobile clients from the EPA scan, after configuring this policy expression the mobile client still gave an error that EPA wasn’t available for mobile devices. After some research I found the following post on the Citrix forums stating:

The EPA was not skipped for mobile devices.So i logged support call with citrix and worked almost 10 days with citrix support engineer and they finally concluded that the document was wrong..

So I had to be creative on how to build this so I already had the MobileAccess policy in place and by creating a pre-auth policy the mobile clients wouldn’t work so I build a second session policy with a higher priority that checks the following reg key:

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Domain”

To use this in a session policy it’s formatted like following:

[crayon-59c38c1e6d37b184285498/]

Based on this rule a device that matches would be redirected to the ICA Proxy so I changed the policy to:

[crayon-59c38c1e6d385068510741/]

By using this rule the first check would be for the user-agent, if true the device would get the ICA Proxy. The second rule would check the regkey and if it isn’t a member of the domain the device would be offered the ICA Proxy and all other clients would be offered SSL VPN.

ns001

I tested this new config and my EPA scan would hang and wouldn’t give an actual result so I did some more research and I found I wasn’t the only one with this problem:

Stefano Bosio

on 5 months ago · Reply

With pre-authentication policies enabled does not work. NetScaler ask always for checking endpoint device and display the page for download or skip the Citrix Endpoint Analysis Plug-in software. The software is installed but NetScaler does not check. I have reinstalled the epa software, NetScaler rebooted, Clients rebooted (and IE cache cleared). With the default theme no problem. Any ideas? Thank you.

With that comment I knew what to do, I applied the Green Bubbles theme (the default one with NS10) and forgot to edit the epa.html and postepa.html to the right NSversion as Jarian Gibson blogged about.

Change nsversion one line 19 from 1,1,1,1 to the NetScaler/Access Gateway version you are using.

In my case I was using Citrix  NetScaler NS10.0: Build 72.5.nc so the NSversion should be “10,0,72,5”. After a reboot of the NS the EPA scan worked and all functionality was tested succesful.

The following two tabs change content below.

Kees Baggerman

Kees Baggerman is a Staff Solutions Architect for End User Computing at Nutanix. Kees has driven numerous Microsoft and Citrix, and RES infrastructures functional/technical designs, migrations, implementations engagements over the years.

One comment

  1. […] Citrix NetScaler, how to configure ICA proxy for mobile devices and SSL VPN for laptops […]

Leave a Reply