NetScaler Gateway clients verify that their installed EPA software version is the same as the one installed on the NetScaler appliance. Any change in the NetScaler version, even a minor build change, instructs the client to download and install the new client software. The intent is to ensure remote users always have current and compatible client software. However, this is not always necessary. And when the client fails to install because the user lacks local administrative (install) privileges on the workstation, this can create a big headache for support and deny access to users.

Good news… you can control the EPA version check with AppExpert policies!

There are several advantages to making this change with AppExpert policies rather than hand editing the EPA system file:

  1. Modifications are persistent across reboots
  2. Archiving and documentation are simplified because the modifications are stored in the configuration rather than a separate system file
  3. AppExpert policies extend flexibility to further define when, and to whom, the modifications apply
  4. Multiple versions of the modification can exist to facilitate disparate use cases simultaneously
  5. Rollback and troubleshooting are easier because the source files remain unaltered


add rewrite action EPA-NoCheckA insert_before_all "HTTP.RES.BODY(14000)" q/"nsversion = epaPlugin.getEPAVersion();"+"\n"/ -search "text(\"if(epaPlugin.getEPAVersion()!= nsversion)\")" -bypassSafetyCheck YES
add rewrite action EPA-NoCheckB insert_before_all "HTTP.RES.BODY(14000)" q/"nsversion = epaActiveX.getEPAVersion();"+"\n"/ -search "text(\"if(epaActiveX.getEPAVersion()!= nsversion)\")" -bypassSafetyCheck YES
add rewrite policy EPA-A "HTTP.REQ.URL.PATH.EQ(\"/epa/epa.html\")" EPA-NoCheckA
add rewrite policy EPA-B "HTTP.REQ.URL.PATH.EQ(\"/epa/epa.html\")" EPA-NoCheckB
bind rewrite global EPA-A 100 NEXT -type RES_DEFAULT
bind rewrite global EPA-B 110 NEXT -type RES_DEFAULT

What it does

Source file system location:  /netscaler/ns_gui/epa/epa.html

Whenever HTTP.REQ.URL.PATH.EQ("/epa/epa.html") is true, the rewrite inserts a directive which tells the client that the NetScaler build number exactly matches the client's version. It does this by inserting nsversion = epaActiveX.getEPAVersion(); and nsversion = epaPlugin.getEPAVersion(); immediately before the corresponding version comparisons.
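
To confirm the rewrite will actually fire against a given build's epa.html, the following added example (not part of the original post, and not Citrix code) models the two actions offline and reports how many comparisons were rewritten and how many were missed. It assumes a match counts only when it lies wholly inside the first 14000 bytes; the sample page and its promptUpgrade() call are constructed placeholders.

```python
WINDOW = 14000  # HTTP.RES.BODY(14000): only this many leading bytes are rewritten

# (search text, inserted text) copied from the two rewrite actions on this page
ACTIONS = {
    "EPA-NoCheckA": (b"if(epaPlugin.getEPAVersion()!= nsversion)",
                     b"nsversion = epaPlugin.getEPAVersion();\n"),
    "EPA-NoCheckB": (b"if(epaActiveX.getEPAVersion()!= nsversion)",
                     b"nsversion = epaActiveX.getEPAVersion();\n"),
}

def find_all(body, needle):
    """Offsets of every occurrence of needle in body."""
    out, i = [], body.find(needle)
    while i != -1:
        out.append(i)
        i = body.find(needle, i + 1)
    return out

def simulate(body, window=WINDOW):
    """Return (rewritten_body, report). Every action is matched against the
    original body, then all inserts are applied in one pass."""
    inserts, report = [], {}
    for name, (search, text) in ACTIONS.items():
        offsets = find_all(body, search)
        # Assumption: a match is rewritten only if it ends inside the window.
        inside = [o for o in offsets if o + len(search) <= window]
        report[name] = {"rewritten": len(inside), "missed": len(offsets) - len(inside)}
        inserts += [(o, text) for o in inside]
    out, pos = bytearray(), 0
    for offset, text in sorted(inserts):
        out += body[pos:offset] + text
        pos = offset
    out += body[pos:]
    return bytes(out), report

# Constructed fragment: only the two comparisons come from the -search strings;
# the initial value and promptUpgrade() are hypothetical.
SAMPLE = (b"var nsversion = \"0.0.0.0\"; /* constructed placeholder */\n"
          b"if(epaPlugin.getEPAVersion()!= nsversion) { promptUpgrade(); }\n"
          b"if(epaActiveX.getEPAVersion()!= nsversion) { promptUpgrade(); }\n")

if __name__ == "__main__":
    rewritten, report = simulate(SAMPLE)
    print(rewritten.decode())
    print(report)
    # Same fragment pushed past the window: nothing is rewritten.
    print(simulate(b" " * WINDOW + SAMPLE)[1])
```

A "rewritten" count of 0, or any "missed" count, for a copy of /netscaler/ns_gui/epa/epa.html taken after a firmware change means the version check is still active for that plugin type.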

What is EPA?

Endpoint analysis is a process that scans a user device and detects information, such as the presence and version level of an operating system, and of antivirus, firewall, or Web browser software. You can use endpoint analysis to verify that the user device meets your requirements before allowing it to connect to your network or remain connected after users log on. You can monitor files, processes, and registry entries on the user device during the user session to ensure that the device continues to meet requirements.


If you don’t see the change take place, check if Integrated Caching is delivering a cached copy.


Special thanks to Adam M., Fabian B., and Jeff W. for their contributions to this solution.