This article describes how to configure a registry-based scan expression to look for domain membership.
When the user types the NetScaler Gateway web address, the NetScaler Gateway checks whether any client-based security policies are in place. Such a policy is called a preauthentication policy. If this type of policy is configured on the NetScaler Gateway, it checks for the specified condition on the user device. These are generally security checks that verify that the user device has the necessary security-related operating system updates, antivirus protection, and perhaps a properly configured firewall.
If the user device fails the security check, the NetScaler Gateway blocks the user from logging on. A user unable to log on needs to download the necessary updates, packages or keys and install them on the user device.
To perform a registry-based scan expression to look for domain membership, you can use either of the following registry keys:
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
This registry key is located at - My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net
Run the following command from NetScaler CLI:
add aaa preauthenticationpolicy EPA_expression_domain_membership q/CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net/ Test
This registry key is located at - My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX
Important! Notice the space between Windows\\ NT
Alternatively, you can use both expressions to create a single preauthentication policy and look for both registry keys.
The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net || CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX
Important! Notice the space between Windows\\ NT
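The escaping pattern in the expressions above (four backslashes per path separator, two backslashes before a space, an underscore joining the key to the value name) can be generated instead of typed by hand. The following Python is an added example, not part of the original article or any Citrix tooling; the function names are hypothetical and the escaping rules are inferred from the expressions shown in this article.

```python
# Added example: builds EPA registry expressions in the escaping style this
# article uses. Rules are inferred from the article's own expressions.

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def escape_key(path: str) -> str:
    """Escape a plain registry key path as the article's expressions do."""
    out = []
    for ch in path:
        if ch == "\\":
            out.append("\\" * 4)   # path separator -> four backslashes
        elif ch == " ":
            out.append("\\\\ ")    # space -> two backslashes, then the space
        else:
            out.append(ch)
    return "".join(out)


def reg_check(key: str, value_name: str, expected: str) -> str:
    """Return one CLIENT.REG(...).VALUE == ... clause."""
    for part in (key, value_name, expected):
        # A quote would close the CLIENT.REG('...') string and a slash would
        # end the q/.../ quoting used in the article's CLI command.
        if not part.strip() or "'" in part or "/" in part:
            raise ValueError(f"unsafe or empty component: {part!r}")
    return f"CLIENT.REG('{escape_key(key)}_{value_name}').VALUE == {expected}"


def any_of(*clauses: str) -> str:
    """Join clauses with ||, as in the article's combined expression."""
    return " || ".join(clauses)


def preauth_policy_cmd(name: str, rule: str, action: str) -> str:
    """Wrap a rule in the 'add aaa preauthenticationpolicy' command form."""
    return f"add aaa preauthenticationpolicy {name} q/{rule}/ {action}"


if __name__ == "__main__":
    rule = any_of(
        reg_check(TCPIP_KEY, "Domain", "example.net"),
        reg_check(WINLOGON_KEY, "DefaultDomainName", "CITRIX"),
    )
    print(preauth_policy_cmd("EPA_expression_domain_membership", rule, "Test"))
```

Pass the registry paths unescaped, exactly as they appear in Registry Editor without the "My Computer\" prefix; the policy name and action in the usage lines are the ones from the article's command.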