How to Migrate Advanced EPA Configuration from NetScaler Gateway 10.1.e to 10.5 and Later Releases


Article ID: CTX200124


Description

This article describes how to migrate advanced EPA configuration from NetScaler Gateway 10.1.e to 10.5 and later releases.

Background

The NetScaler Gateway advanced endpoint analysis (EPA) feature was introduced in NetScaler Gateway software release 10.1.e. This feature uses endpoint analysis libraries from OPSWAT to perform endpoint compliance checks on client systems for a broad selection of software and system parameters. However, the new feature was not compatible with the classic NetScaler endpoint analysis features.

NetScaler Gateway release 10.5 unifies the classic and advanced EPA features, and adds improvements to the advanced feature. One of the improvements is in how scans are saved in the NetScaler configuration. Advanced EPA scans in version 10.1.e are saved in a specialized format known as EPAProfiles, which is base64 encoded and complex to decipher. This format is discontinued from NetScaler Gateway release 10.5 onwards.

After an upgrade to NetScaler Gateway release 10.5, scans saved as EPAProfiles must be reconfigured; otherwise the configuration utility cannot read them and they are not a functioning part of the configuration. You can use the link on this page to download a script, epaMigrateNetscaler.pl, which aids migration of your configured EPAProfiles scans. The script generates brief descriptions of the configured EPAProfiles scans. You can use the descriptions to recreate the scans after the NetScaler Gateway 10.5 upgrade is complete.


Instructions

When you upgrade to NetScaler Gateway 10.5, a warning appears during the installation if EPAProfile-formatted scans are found in the configuration. The installation script also indicates that a backup of the NetScaler configuration has been stored in the file /var/ns.conf.deprecated-AEPA.

When the upgrade to NetScaler Gateway 10.5 is complete, upload the epaMigrateNetscaler.pl script to the NetScaler appliance.

Usage

The script takes the path to the configuration file as its only argument:
/epaMigrateNetscaler.pl < path/configuration file >
/epaMigrateNetscaler.pl /var/ns.conf.deprecated-AEPA

To write the output to a file instead of to the screen, put a greater-than sign (>) before the name of the output file:
/epaMigrateNetscaler.pl sample.conf  > sampleOutput.txt

If you do not include the argument, the script output includes usage information as well as information about the contents of the output file, as shown in the following example:

Filename = ns.conf
______________________________***______________________________

Welcome Humans

Boolean operators you see here are prefix and can be unary as well

For example:
&(A) would mean A
&(A,B,C) would mean A & B & C

Sample Scan::

EpaProfile - scan3Mac

___AND
_________AND
_______________scan
__________________entrypoint - CitrixAntiphishing
__________________name - CitrixAntiphishing
__________________displayName - Mac_Antiphishing
___________________________version
______________________________value - 6.x
___________________________ProductList
______________________________operator - some_of
______________________________value - 62000
___________________________name
______________________________value - Safari
___________________________GetEnabledForApplications
______________________________operator - some_of
______________________________value - 61500
_________OR
_______________scan
_____________________entrypoint - CitrixFirewall
_____________________displayName - Mac_Firewall
______________________________version
_________________________________value - 10.8.x
______________________________name
_________________________________value - Mac OS X Builtin Firewall
______________________________IsEnabled
_________________________________value - true
_____________________entrypoint - CitrixAntivirus
_____________________displayName - Mac_Antivirus
______________________________version
_________________________________value - 9.x
______________________________name
_________________________________value - Sophos Anti-Virus
______________________________IsRTP_On
_________________________________value - true

Description starts with the EpaProfile name.
It is followed by a AND. That is the parent operator
That AND is followed by an OR and AND.
Notice that OR and AND are at the same level
Levels here means the distance from the left margin or the number of '_'
Each AND or OR will be followed by the scan(s).
Now how to read the scan details you ask?

_____________________entrypoint - CitrixAntivirus
_____________________displayName - Mac_Antivirus

entrypoint and displayName marks the start of a scan.
Entrypoint = CitrixAntivirus tells you it's an Antivirus scan
displayName = Mac_Antivirus is the name you had configured for that scan
Followed by the scan name you have that scan details on next level
Details have the paramter name and then it's value on next level

______________________________version
_________________________________value - 9.x
______________________________name
_________________________________value - Sophos Anti-Virus
______________________________IsRTP_On
_________________________________value - true
______________________________***______________________________

This would mean that the parameter 'version' is equal to '9.x' and Product name is 'Sophos Anti-Virus' and so on

Finally the scan would show results in terms of boolean expression as follows:
AND( AND( Mac_Antiphishing ), OR( Mac_Firewall, CitrixAntivirus ) )

When simplified it is == ( Mac_Antiphishing AND ( Mac_Firewall OR CitrixAntivirus) )
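
The tree format explained in the sample output above can also be read programmatically, which helps when many profiles have to be recreated. The following Python code is an added example, not part of epaMigrateNetscaler.pl or any Citrix code: it parses one EpaProfile description into an operator tree and renders the prefix expression, labelling every scan by its displayName. The function names parse_profile and to_expr are hypothetical, and the sample input is constructed from the output shown above.

```python
# Constructed sample, abridged from the script output shown in this article.
SAMPLE = """\
EpaProfile - scan3Mac
___AND
_________AND
_______________scan
__________________entrypoint - CitrixAntiphishing
__________________displayName - Mac_Antiphishing
_________OR
_______________scan
_____________________entrypoint - CitrixFirewall
_____________________displayName - Mac_Firewall
______________________________IsEnabled
_________________________________value - true
_____________________entrypoint - CitrixAntivirus
_____________________displayName - Mac_Antivirus
"""

def parse_profile(text):
    """Parse one EpaProfile description into (profile_name, operator_tree)."""
    top = {"op": None, "children": []}              # sentinel above the parent operator
    profile, stack, scan, param = None, [(-1, top)], None, None
    for line in text.splitlines():
        depth = len(line) - len(line.lstrip("_"))   # level = number of '_'
        key, sep, val = line[depth:].strip().partition(" - ")
        if key in ("AND", "OR", "entrypoint"):
            while stack[-1][0] >= depth:            # close deeper and sibling operators
                stack.pop()
            scan = param = None
        if key == "EpaProfile":
            profile = val
        elif key in ("AND", "OR"):
            node = {"op": key, "children": []}
            stack[-1][1]["children"].append(node)
            stack.append((depth, node))
        elif key == "entrypoint":                   # a scan joins the nearest operator
            scan = {"entrypoint": val, "params": {}}
            stack[-1][1]["children"].append(scan)
        elif scan and sep and param is not None and key in ("value", "operator"):
            param[key] = val
        elif scan and sep:                          # displayName, name
            scan[key] = val
        elif scan and key and key != "scan":        # bare word starts a parameter
            param = scan["params"].setdefault(key, {})
    return profile, top["children"][0]

def to_expr(node):  # prefix form, as the script prints it: OR( A, B )
    if "op" not in node:
        return node.get("displayName", node["entrypoint"])
    return "%s( %s )" % (node["op"], ", ".join(map(to_expr, node["children"])))
```

The returned tree keeps each scan's parameters under "params", so the same structure can drive a checklist of scans to recreate after the upgrade.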

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.
