NOTE: NetScaler Gateway EPA functionality is available on Windows and Mac, Desktop platforms only (as on May 01, 2014).

With the release of NetScaler Gateway, Citrix has significantly enhanced it’s End Point Analysis (EPA) capabilities. As a   quick introduction to what’s new and advanced with EPA:

  • New Advanced EPA engine with thousands of pre-configured scans
  • Device Certificate Checks

To those who are new to EPA, this capability let’s NetScaler Gateway assess the incoming end point device for posture, and evaluates policies which define what kind of session will be provided to the user, if any. Note that a device check is different from and complimentary to, user authentication. While user authentication ensures that a valid and trusted user accesses your enterprise resources, device check ensures that a valid user comes from a healthy device.

In general, as an administrator, you might want to differentiate between users, based on the devices in the following manner:

  • Users coming from company owned assets
  • Users coming from healthy personal devices
  • Users coming from unhealthy devices

So as you can see, EPA is a very powerful concept, and allows granular control in terms of AAA policies and session parameters, based on the device posture.

Advanced EPA Engine

NetScaler Gateway has had a classic EPA engine, which has offered huge flexibility and power to admins, in terms of creating scans to detect a variety of things like OS versions, presence or absence of certain software, domain join status, … The real power of classic EPA engine comes in terms of a powerful policy editor, which can create scans based on Registry / Files / Process checks, and hence provides tons of customizable options.

What this classic EPA engine lacked was out of the box pre-configured scans, that an admin could enable and get going.

Advanced EPA engine now provides this infrastructure, with the following advantages:

  • Thousands of pre-configured scans, available out of the box
  • New scans are automatically provided, as new software becomes available
  • Easy Maintainability, based on scans that can provide minimum versions. Hence as new versions come, admin may not have to necessarily go change the configuration.

Note that the current release of Advanced EPA provides the preconfigured scans for Pre-Authentication checks only.

Device Certificate Checks

Device Certificates are client certificates, issued to devices, as opposed to the common concept of issuing certificates to users. Like a user certificate identifies a trusted user, device certificate identifies a trusted device.

Such certificates are commonly used to distinguish between corporate owned assets and BYOD assets. A corporate owned asset can be deployed with a Device Certificate by the enterprise CA, and presence of such a certificate, is what identifies / marks the device, as a corporate owned asset. Similarly, lack of this certificate, marks any other device as a possible BYOD device.

NetScaler Gateway now supports Device Certificate checks to differentiate between these two classes of devices. Configuration is pretty seamless and essentially requires an admin to enable this check, and provide the Enterprise CA details that is responsible for issuing these certificates. Note that providing this CA details is a critical input, since you don’t want to trust user certificates provided by another enterprise CA, which might be issuing user certificates.

NetScaler Gateway supports parallel setup of user certificate authentication and device certificate check. In such a setup, user authentication is handled as part of the SSL handshake. Once successfully established, a device certificate check is performed. Such a check ensures all the obvious computations around certificate validity, certificate trust chain, presence of corresponding Private Key on the end point and OCSP check for revoked certificates.

So in essence, this release of NetScaler Gateway brings some powerful and advanced EPA capabilities to the platform, and provides true value to any security conscious administrator.

For a more detailed insight into the new release of NetScaler Gateway, refer to my earlier post.