This article contains configuration and troubleshooting tips for using Endpoint Analysis (EPA) scans with an Access Gateway Enterprise Edition appliance.
A common error when scanning for a Windows service is to assume that the name of the service is the one shown in its description. As shown in the following screen shot, the name of the service is nsverctl. Use this name in the scan expression.
The expression to use is CLIENT.SVC(nsverctl) EXISTS.
If the service exists but is not running, the expression evaluates to false. The status of the service must be UP for this expression to pass successfully.
Alternatively, you can scan for the process using the following expression which ensures that the executable is running:
You can try a variant of scanning for the Windows service by indicating a version of the Service.
In the preceding example, the service points to the C:\Program Files\Citrix\Secure Access Client\nsverctl.exe executable. If you verify the properties of this executable in Windows Explorer, you can see that the version is 10.0.70.7:
One common error is to assume that the == symbol means exactly equal. This is incorrect: the == symbol means this version or a later version. For example: CLIENT.SVC(nsverctl).VERSION == 10.0.54.6
On a test computer this expression passes successfully for version 10.0.70.7 of the Citrix Secure Access Client.
The theme of versions carries through to Windows Service Packs. If, for example, an administrator wants to enforce a minimum Windows Service Pack version, it is not necessary to scan for multiple versions of the Service Pack. The following expression passes successfully for Service Pack 1, 2, or 3 on Windows XP:
CLIENT.OS(winxp).SP == 1
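The pass/fail rules described above can be checked against an expected client before a policy is bound. The following Python model is an added example, not Citrix code and not the appliance's evaluator; the function names and the client dictionary are constructed for illustration, and it covers only the three expression forms quoted in this article.

```python
import re

# Only the three expression forms quoted in this article are modelled.
_EXPR = re.compile(
    r"^CLIENT\.(SVC|OS)\((\w+)\)(?:\s+(EXISTS)|\.(VERSION|SP)\s*==\s*([\d.]+))$"
)

def _version(text, width=4):
    """'10.0.70' -> (10, 0, 70, 0): numeric and zero-padded, never compared as text."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def evaluate(expression, client):
    """Return True if the constructed client state passes the scan expression."""
    m = _EXPR.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    kind, name, exists, field, wanted = m.groups()
    if kind == "SVC" and exists:
        svc = client["services"].get(name)  # keyed by service name, not description
        # EXISTS passes only when the service is present and its status is UP.
        return svc is not None and svc["status"] == "UP"
    if kind == "SVC" and field == "VERSION":
        svc = client["services"].get(name)
        # Assumption: this model checks the version only; the article does not
        # say whether the VERSION form also requires the service to be running.
        return svc is not None and _version(svc["version"]) >= _version(wanted)
    if kind == "OS" and field == "SP":
        # "==" means this Service Pack or a later one.
        return client["os"]["name"] == name and client["os"]["sp"] >= int(wanted)
    raise ValueError(f"unsupported expression: {expression!r}")

# Constructed client state matching the article's test computer.
TEST_CLIENT = {
    "os": {"name": "winxp", "sp": 3},
    "services": {"nsverctl": {"status": "UP", "version": "10.0.70.7"}},
}

if __name__ == "__main__":
    for expr in (
        "CLIENT.SVC(nsverctl) EXISTS",
        "CLIENT.SVC(nsverctl).VERSION == 10.0.54.6",
        "CLIENT.SVC(nsverctl).VERSION == 10.0.70.8",
        "CLIENT.OS(winxp).SP == 1",
    ):
        print(f"{expr:45} -> {'PASS' if evaluate(expr, TEST_CLIENT) else 'FAIL'}")
```

Because == acts as a minimum, a policy that needs to block versions above a known level cannot be expressed with this operator alone.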
A frequency option is available for scan expressions. For example: CLIENT.SVC(nsverctl) EXISTS -frequency 5
This expression scans for the nsverctl Windows Service every 5 minutes. However, this option only works when you use the full VPN client.
You can shorten expressions by using AppExpert on NetScaler to define them with short descriptive names.
Select AppExpert > Expressions > Classic Expressions in the Configuration utility.
Click Add and add an expression and short name, as shown in the following screen shot:
The expression should be available in Access Gateway > Policies > Pre-Authentication, as shown in the following screen shot:
For example, Error 12045 returns the following result: ERROR_WINHTTP_SECURE_INVALID_CA
Internet Explorer in Windows XP indicates that the SSL Certificate is not trusted:
If you verify the certificate, then you can see that the CA certificate is not trusted:
The error 12057 indicates that the Certificate Revocation List (CRL) cannot be read, so perhaps the server hosting the CRL is not accessible.
If you think one scan expression is misconfigured and failing, then use a test NetScaler or Access Gateway virtual server to identify the troublesome scan expression and isolate it. The quickest way to achieve this is to bind the scan as a Pre-Authentication policy at the virtual server level.