A customer of one of my Citrix Consulting colleagues recently came up with an interesting request.
Like many others they are using Citrix NetScaler’s Access Gateway Enterprise Edition module to grant remote secure remote access to applications and desktops.
Additionally, they use a client management and software distribution solution to deploy the EPA plugin to client computers and therefore wanted to suppress Access Gateway offering the EPA scan plugin for download through the browser. This introduces some additional level of control over which client is entitled to connect through Access Gateway.

An approach restricting certain user groups from logging in by using group memberships is a more common scenario, but in this case the customer intended to restrict the end points and not the users. When end users lack administrative permissions to install custom software, preventing the download is indeed an effective measure.

A job for Citrix Consulting!

As you know, Access Gateway Enterprise Edition offers two ways of running Endpoint Analysis (EPA) scans – before and after authentication. Consequently, there are two procedures.

The formal requirements

  • Remove the download button displayed when accessing the AGEE virtual server and the plugin is not detected by the browser or if the plugin is outdated
  • Alter the message text such that it refers user to contact their system administrator if they think the plugin should be installed.
  • When using a post-authentication EPA scan, add a “logout” button.

EPA Scan dialogue

As a precaution, we want to make backup copies of all files involved:

  • /netscaler/ns_gui/epa/epa.html
  • /netscaler/ns_gui/vpns/postepa.html
  • /netscaler/ns_gui_vpn/resources/en.xml (and any other language you want to customize)

Note: The below changes were made on a NetScaler 10 build 71.6. For later versions, the line numbers or code might change slightly.

Procedure for Pre-Authentication EPA


  • Remove line 371 (download button)
  • Change the” id” in line 367:
      – remove: “To install or upgrade the software click download”
      – add “If the plugin is not installed, please contact your system administrator.”

/netscaler/ns_gui/vpn/resources/en.xml (or any other language for that matter)

  • Below line 17 add If the plugin is not installed, please contact your system administrator.

The result will look like this:

customized pre-auth EPA scan dialogue

Procedure for Post-Authentication EPA

  • Remove line 409 (download button)
  • Below line 404 add:
  • <div style=”float: right” >
    <INPUT id=”logout” type=submit value=”” class=”CTX_BlackButton” onClick=”javascript:ns_logout();” onmouseover=”this.className=’CTX_BlackButton_Hover’;” onmouseout=”this.className=’CTX_BlackButton’;”>

This adds a logout button.

  • Change id in line 404:
      – remove “To install or upgrade the software click download”
      – add “If the plugin is not installed, please contact your system administrator and log out.”
  • Below line 380 add:
    function ns_logout()

This provides the logout function via JavaScript.

/netscaler/ns_gui/vpn/resources/en.xml (or any other language for that matter)

  • Below line 49 add:
    <String id=”If the plugin is not installed, please contact your system administrator and log out.”>If the plugin is not installed, please contact your system administrator and log out.</String>
    <Property id=”logout” property=”value”>Log Out</Property>

Before testing, make sure you clear your browser cache.

Cross-boot Persistence
You can either use symlinks to point to a customized file on NetScaler from the original directory or the well-known startup script copy described at http://support.citrix.com/article/CTX122271 to make the changes persistent across reboots.

While this customization was tested by me using IE9, Firefox 16 and Chrome 22, it is NOT officially supported by Citrix. Before contacting Citrix Support on an issue with Access Gateway Enterprise Edition you should revert the changes made by re-instating the backup copies of the files we altered above.

In other words, our usual disclaimer applies:

This code is provided to you “as is” with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.