How to configure EPA domain check combined with Smartaccess feature

Article ID: CTX561487

Description

Configure an EPA policy that detects whether the client is domain-joined, separates clients that have the domain information from those that do not, and enumerates different resources for each group of users.


Instructions

1. Create an EPA action that places users who pass the check into the DomainUser group
add authentication epaAction DomainCheck -csecexpr "sys.client_expr(\"sys_0_DOMAIN_SUFFIX_anyof_abc.com[COMMENT: Domain check]\")" -defaultEPAGroup DomainUser

2. Create an EPA policy and associate it with this EPA action
add authentication Policy DomainCheck_POL -rule true -action DomainCheck

3. Create a policy label and bind the EPA policy to it. So that users who fail the EPA check can still reach resources, also add a NoAuth policy and bind it to the policy label at a lower priority
add authentication Policy NoAuth -rule true -action NO_AUTHN
add authentication policylabel EPADomainCheck -loginSchema LSCHEMA_INT
bind authentication policylabel EPADomainCheck -policyName DomainCheck_POL -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel EPADomainCheck -policyName NoAuth -priority 110 -gotoPriorityExpression NEXT

4. Create an LDAP authentication policy
add authentication Policy ldap_nfactor_pol -rule true -action ldap_server

5. Create the AAA virtual server, bind the certificate and portal theme, bind the LDAP policy, and set its next factor to the policy label created in step 3
add authentication vserver AAA_DomainCheck SSL 0.0.0.0
bind authentication vserver AAA_DomainCheck -portaltheme RfWebUI
bind authentication vserver AAA_DomainCheck -policy ldap_singleauth -priority 100 -gotoPriorityExpression END
bind authentication vserver AAA_DomainCheck -policy ldap_nfactor_pol -priority 100 -nextFactor EPADomainCheck -gotoPriorityExpression NEXT
bind ssl vserver AAA_DomainCheck -certkeyName tkserver2023.pair

6. Create an AAA group whose name matches the defaultEPAGroup set on the EPA action in step 1
add aaa group DomainUser

7. Create an authentication profile and associate it with the Gateway virtual server
add authentication authnProfile EPA_DomainCheck -authnVsName AAA_DomainCheck
add vpn vserver _XD_x.x.x.x_443 SSL x.x.x.x 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -authnProfile EPA_DomainCheck -vserverFqdn xxx.com

8. Create session policies that use membership of the DomainUser group to determine whether the client passed the EPA check. The User-Agent check separates native client sessions (User-Agent contains CitrixReceiver), PL_OS_*, from browser sessions, PL_WB_*
add vpn sessionPolicy PL_OS_X.X.X.X_DomainUser "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&aaa.USER.IS_MEMBER_OF(\"DomainUser\")" AC_OS_X.X.X.X
add vpn sessionPolicy PL_OS_X.X.X.X_NoDomain "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&aaa.USER.IS_MEMBER_OF(\"DomainUser\").NOT" AC_OS_X.X.X.X
add vpn sessionPolicy PL_WB_X.X.X.X_DomainUser "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&aaa.USER.IS_MEMBER_OF(\"DomainUser\")" AC_WB_X.X.X.X
add vpn sessionPolicy PL_WB_X.X.X.X_NoDomain "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&aaa.USER.IS_MEMBER_OF(\"DomainUser\").NOT" AC_WB_X.X.X.X

9. Bind the session policies to the Gateway virtual server
bind vpn vserver _XD_X.X.X.X_443 -policy PL_OS_X.X.X.X_DomainUser -priority 60 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_OS_X.X.X.X_NoDomain -priority 70 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_WB_X.X.X.X_DomainUser -priority 80 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_WB_X.X.X.X_NoDomain -priority 90 -gotoPriorityExpression NEXT -type REQUEST

10. Refer to the following document to complete the StoreFront and DDC settings (the DDC uses the session policy names created in step 8 as the filtering condition):
https://support.citrix.com/article/CTX227055
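As an added example (not from this article or from Citrix), a constructed Python checker that parses the commands from steps 1, 6, 8 and 9 to confirm that the group name used by the EPA action, the AAA group and the session policy rules all agree, and to show which session policy a given client hits from its User-Agent and group membership. The X.X.X.X placeholders and the AC_* profile names are kept as they appear in the article; the config excerpt is embedded as sample input.

```python
import re

# Constructed excerpt of the NetScaler config built in the steps above (sample input,
# not pulled from a live appliance); X.X.X.X placeholders kept as in the article.
CONFIG = r'''
add authentication epaAction DomainCheck -csecexpr "sys.client_expr(\"sys_0_DOMAIN_SUFFIX_anyof_abc.com[COMMENT: Domain check]\")" -defaultEPAGroup DomainUser
add aaa group DomainUser
add vpn sessionPolicy PL_OS_X.X.X.X_DomainUser "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&aaa.USER.IS_MEMBER_OF(\"DomainUser\")" AC_OS_X.X.X.X
add vpn sessionPolicy PL_OS_X.X.X.X_NoDomain "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&aaa.USER.IS_MEMBER_OF(\"DomainUser\").NOT" AC_OS_X.X.X.X
add vpn sessionPolicy PL_WB_X.X.X.X_DomainUser "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&aaa.USER.IS_MEMBER_OF(\"DomainUser\")" AC_WB_X.X.X.X
add vpn sessionPolicy PL_WB_X.X.X.X_NoDomain "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&aaa.USER.IS_MEMBER_OF(\"DomainUser\").NOT" AC_WB_X.X.X.X
bind vpn vserver _XD_X.X.X.X_443 -policy PL_OS_X.X.X.X_DomainUser -priority 60 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_OS_X.X.X.X_NoDomain -priority 70 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_WB_X.X.X.X_DomainUser -priority 80 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_X.X.X.X_443 -policy PL_WB_X.X.X.X_NoDomain -priority 90 -gotoPriorityExpression NEXT -type REQUEST
'''

def lint_groups(config):
    """Return group names referenced by the EPA action or session policies but never created with 'add aaa group'."""
    epa = set(re.findall(r'-defaultEPAGroup\s+(\S+)', config))
    aaa = set(re.findall(r'^add aaa group\s+(\S+)', config, re.M))
    used = set(re.findall(r'IS_MEMBER_OF\(\\"([^"\\]+)\\"\)', config))
    return sorted((epa | used) - aaa)   # empty list means step 1, 6 and 8 names agree

TERM = re.compile(r'(HTTP\.REQ\.HEADER\(\\"User-Agent\\"\)\.CONTAINS|aaa\.USER\.IS_MEMBER_OF)\(\\"([^"\\]+)\\"\)(\.NOT)?', re.I)

def evaluate(expr, user_agent, groups):
    """Evaluate a rule of the shape used above: CONTAINS / IS_MEMBER_OF terms, optional .NOT, joined by &&."""
    result = True
    for term in expr.split('&&'):
        m = TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f'unsupported term: {term}')
        kind, arg, negated = m.groups()
        value = arg in user_agent if kind.upper().startswith('HTTP') else arg in groups
        result = result and (value != bool(negated))   # .NOT flips the term
    return result

def select_policy(config, vserver, user_agent, groups):
    """Return the first bound session policy (lowest priority number) whose rule matches the client, or None."""
    rules = dict(re.findall(r'^add vpn sessionPolicy (\S+) "(.*)" \S+$', config, re.M))
    binds = re.findall(rf'^bind vpn vserver {re.escape(vserver)} -policy (\S+) -priority (\d+)', config, re.M)
    for name, _prio in sorted(binds, key=lambda b: int(b[1])):
        if evaluate(rules[name], user_agent, groups):
            return name
    return None
```

Running the four User-Agent/group combinations through select_policy shows that the bindings in step 9 partition clients into exactly the four PL_* policies, which is what the DDC filter in step 10 relies on.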

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.