If the session profile is bound to the session profile with classic expression the EPA scan is initiated the client machine is checked for the EPA checks.
If you use advance expression to bind  session profile to the session policy, the EPA check will not be initiated and the users will be allowed/denied by default as per the profile's default Authorization Action configuration.

The session profile is same for working and nonworking scenarios.
Session Profile sample:
add vpn sessionAction AC_WB -clientSecurity "CLIENT.APPLICATION(\'ANTIVIR_0_0_AUTHENTIC_==_TRUE[COMMENT: Generic Antivirus Product Scan]\') EXISTS -frequency 1" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "http://example.com/Citrix/StoreWeb" -ClientChoices OFF -ntDomain example -clientlessVpnMode OFF -sfGatewayAuthType domain

Above is an EPA check example where the EPA scan will be performed to check if the Antivirus is Authentic or not. 


Working: In working case the session policy is bound with classic expression as below: 
>add vpn sessionPolicy Working_policy ns_true AC_WB


NonWorking: In non-working case the session policy is bound with classic expression as below: 
>add vpn sessionPolicy NonWorking_policy true AC_WB

Problem Cause