This article describes how to implement NetScaler Gateway EPA only for Windows clients (not mobile devices) connecting from the Internet. Mobile devices cannot run the EPA scan, so they need to bypass it, using either a policy or a separate virtual server.
You can skip EPA scans for your mobile devices if you configure the scans in the Profile of your Session-Policies instead of in the Rule part.
It is assumed that requests from mobile devices never contain 'Win' or 'Mac' in the User-Agent header, while requests from desktop devices always contain one of the two. Under that assumption the User-Agent can be checked directly, and the session policy can be configured as follows:
Create a rule that checks for 'Win' or 'Mac' in the User-Agent header as follows:
> add policyexpression exp1 "(REQ.HTTP.HEADER User-Agent CONTAINS Win) || (REQ.HTTP.HEADER User-Agent CONTAINS Mac)"
Create a Session-Profile (aka Session-Action) that has the EPA-Scans in it.
> add vpn sessionaction sa1 -clientsecurity " CLIENT.APPLICATION.PROCESS(antivirus.exe) EXISTS "
Create a Session-Policy consisting of the preceding expression and profile as follows:
> add vpn sessionpolicy sp1 exp1 sa1
Bind this Session-Policy to your vpn-vserver as follows:
> bind vpn vserver vs1 -policy sp1
Assume the NetScaler Gateway virtual server is vs1. With this configuration, when a user logs on to the virtual server from a mobile device, the rule of the Session-Policy evaluates to False (because the User-Agent does not contain Win or Mac), so the corresponding action, including the EPA scan, is not applied.
If a user logs on from a desktop device (Win or Mac), the rule evaluates to True and the EPA scan runs. However, if the EPA scan fails, the user is not allowed to log on. To change this default behavior, configure a 'Quarantine Group'.
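The following Python script is an added illustration, not code from the Citrix article or from NetScaler: it re-implements the rule in exp1 as a plain substring test over a set of constructed, abbreviated User-Agent strings, so you can see which clients the Session-Policy would send through the EPA scan. It assumes that CONTAINS behaves as a case-sensitive substring match, and the "ExampleMobileVpnClient" token is a hypothetical product string. One practical caveat it surfaces: Safari on an iPhone advertises "like Mac OS X" in its User-Agent, which the rule matches on "Mac", so a browser on such a device would get the scan (and fail it) rather than bypass it; the article's assumption holds only for clients whose User-Agent lacks both tokens.

```python
# Added illustration (not NetScaler code): Python stand-in for the classic
# policy expression used in this article,
#   (REQ.HTTP.HEADER User-Agent CONTAINS Win) || (REQ.HTTP.HEADER User-Agent CONTAINS Mac)
# Assumption: CONTAINS behaves as a case-sensitive substring test.

from typing import Dict, List

EPA_MARKERS = ("Win", "Mac")  # the two tokens the rule looks for


def rule_matches(user_agent: str) -> bool:
    """True when the Session-Policy rule (exp1) evaluates to True,
    i.e. the profile's EPA scan (sa1) is applied to this client."""
    return any(marker in user_agent for marker in EPA_MARKERS)


# Constructed, abbreviated sample User-Agent strings (illustrative, not captures).
SAMPLE_USER_AGENTS: Dict[str, str] = {
    "windows_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "macos_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15",
    "android_chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile Chrome/120.0",
    # Safari on iPhone advertises "like Mac OS X", so it contains "Mac".
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile Safari/604.1",
    # Hypothetical native mobile VPN client with its own product token.
    "mobile_app": "ExampleMobileVpnClient/1.0 (Android 13)",
}


def classify(user_agents: Dict[str, str]) -> Dict[str, bool]:
    """Map each client name to whether the EPA scan would run for it."""
    return {name: rule_matches(ua) for name, ua in user_agents.items()}


def epa_bypassed(user_agents: Dict[str, str]) -> List[str]:
    """Names of clients for which the rule is False, i.e. EPA is skipped."""
    return sorted(name for name, ua in user_agents.items() if not rule_matches(ua))


if __name__ == "__main__":
    for name, runs_epa in classify(SAMPLE_USER_AGENTS).items():
        print(f"{name:15s} EPA scan {'runs' if runs_epa else 'skipped'}")
```

Run it as-is to print which sample clients are scanned; swap in User-Agent strings captured from your own clients (for example from the Gateway access logs) to check how the rule classifies them before you rely on it.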
Citrix Documentation - Disabling Endpoint Analysis for Mobile Devices