Citrix

Configuration and Troubleshooting Tips for Using Endpoint Analysis (EPA) Scans with Access Gateway Enterprise Edition Appliance

  • CTX135136
  • Created onMar 26, 2014
  • Updated onJun 05, 2014
Article Topic Configuration

Information

This article contains some configuration and troubleshooting tips when Endpoint Analysis (EPA) scans are used with Access Gateway Enterprise Edition appliance.

Configurations

Scan for Services on Windows

You can scan for a Service that exists on Windows. For example, Citrix Secure Access Client Service.

A common error when this scan is used is the assumption that the name of the service is one in the description. As shown in the following screen shot, the name of the service is nsverctl. You should use this for the scan expression.

User-added image

The expression to use is CLIENT.SVC(nsverctl) EXISTS.

If the service exists but is not running, the expression equates to false. The status of the service must UP for this expression to pass successfully.

Alternatively, you can scan for the process using the following expression which ensures that the executable is running:
CLIENT.APPLICATION.PROCESS(nsload.exe) EXISTS

Windows Service Version

You can try a variant of scanning for the Windows service by indicating a version of the Service.

In the preceding example, the service points to the C:\Program Files\Citrix\Secure Access Client\nsverctl.exe executable. If you verify the properties of this executable in Windows Explorer, you can see that the version is 10.0.70.7:

User-added image

One common error is to assume that the == symbol indicates exactly equal. This is incorrect, the == symbol indicates this version or a later version. For example: CLIENT.SVC(nsverctl).VERSION == 10.0.54.6

On a test computer this expression passes successfully for version 10.0.70.7 of the Citrix Secure Access Client.

Windows Service Pack and Version

The theme of versions carries through to Windows Service Packs. If for example an administrator wanted to implement a minimum Windows Service Pack version, then it is not necessary to scan for multiple versions of the Service Pack. The following expression passes successfully for Service Pack 1, 2, or 3 on Windows XP:
CLIENT.OS(winxp).SP == 1

Frequency Option in Expressions

There is a frequency option for scan expressions available. For example; CLIENT.SVC(nsverctl) EXISTS -frequency 5

This expression scans for the nsverctl Windows Service every 5 minutes. However this option only works when you use the full VPN client.

Options with Expressions

Shorter expressions can be leveraged by using AppExpert on NetScaler to define expressions with short descriptive names.

Select AppExpert > Expressions > Classic Expressions in the Configuration utility.

Click Add and add an expression and short name, as shown in the following screen shot:

User-added image

The expression should be available in Access Gateway > Policies > Pre-Authentication, as shown in the following screen shot:

User-added image

Registry Scans

The 64-bit scan expressions require a slightly different scan, for example; CLIENT.REG('HKEY_LOCAL_MACHINE_64\\\\SOFTWARE\\\\McAfee\\\\\AVEngine_AVDatVersion').VALUE == 6198.
The 32-bit equivalent of this scan expression is CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\McAfee\\\\\AVEngine_AVDatVersion').VALUE == 6198.
Windows 7 Scan expression is CLIENT.OS(win7) EXISTS.

Troubleshooting Tips

EPA Scan Results

Review the results of the EPA analysis scan. The results of the EPA scan can be found in the following locations:
Windows XP: C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt
Windows Vista and Windows 7: C:\Users\All Users\Citrix\AGEE\nsepa.txt
Verify the CSEC value, which is Client Security. If the CSEC value is 0, then it indicates that the scan expression passed successfully. However, if the CSEC value is any value other than 0, then it indicates that the scan expression failed. Usually a failing value is 3.
If you have multiple values such as 003, then this indicates that the third scan failed. You have to review the scan expression to identify the third scan. In the following example the first two equate to true so the last expression CLIENT.APPLICATION.PROCESS(nsload.exe) EXISTS fails:
CLIENT.SVC(nsverctl) EXISTS && CLIENT.OS(winxp).SP == 2 && CLIENT.APPLICATION.PROCESS(nsload.exe) EXISTS
This indicates that the nsload.exe process is not running when the EPA scan was active.

Error Codes

Sometimes you might see error codes that you do not understand in the nsepa.txt log. For example; the following errors were logged on Windows XP with a Windows operating system and Service Pack scan expression:
11:29:43.228 HttpSendRequest -- Error 12045 unknown
11:29:43.243 HttpSendRequest -- Error 12057 unknown
These errors are reported by the Windows HTTP Service and passed to the EPA scan. The following links provide a lot of information on the WinHTTP errors:

For example Error 12045 returns the following results:

ERROR_WINHTTP_SECURE_INVALID_CA
12045
Indicates that a certificate chain was processed, but terminated in a root certificate that is not trusted by the trust provider (equivalent to CERT_E_UNTRUSTEDROOT).
Error 12057 returns the following results:
ERROR_WINHTTP_SECURE_CERT_REV_FAILED
12057
Indicates that revocation cannot be checked because the revocation server was offline (equivalent to CRYPT_E_REVOCATION_OFFLINE).

Internet Explorer in Windows XP indicates that the SSL Certificate is not trusted:

User-added image

If you verify the certificate, then you can see that the CA certificate is not trusted:

User-added image

The error 12057 indicates that the Certificate Revocation List (CRL) cannot be read, so perhaps the server hosting the CRL is not accessible.

User-added image

Simplify the Scan Expressions

If you think one scan expression is misconfigured and failing, then use a test NetScaler or Access Gateway virtual server to identify the troublesome scan expression and isolate it. The quickest way to achieve this is to bind the scan as a Pre-Authentication policy at the virtual server level.

Additional Resources 

CTX127807 - The EPA Scan for Antivirus Fails on a 64-bit Client Computer

Applicable Products

Automatic translation

Important: This article was translated by an automatic translation system (also referred to as Machine Translation, or MT) and has not been translated or reviewed by people. Citrix offers a machine translated version of this article to allow for greater access to the support content. However, automatic translation is not always perfect and may contain errors of vocabulary, syntax or grammar. Citrix is not responsible for inconsistencies, errors or damage incurred as a result of the use of MT articles from our customers.Thank you.
Click here to see the English version of this article.
Languages
Was this helpful?
Thank you for your feedback

Share your comments or find out more about this topic

Citrix Forums