End users encounter issues at the Device Posture Portal when attempting to log into the Workspace URL. They are prompted to "Check Again" or "Download EPA client," despite already having the client installed on their device. 

Checking endpoint logs, we see the following error:

 

The Windows client logs can be found at: %localappdata%\Citrix\EPA\dpaCitrix.txt %localappdata%\Citrix\EPA\epalib.txt The macOS client logs can be found at: ~/Library/Application Support/Citrix/EPAPlugin/EpaCloud.log ~/Library/Application Support/Citrix/EPAPlugin/epaplugin.log

2023-12-19 10:45:33.302 Launching cloud EPA with token
2023-12-19 10:45:33.302 Starting Device Posture Assessment with URL : https://aws-us-e-device-posture-service.cloud.com, token : XXXX , customerid : XXXX, correlation_id :
2023-12-19 10:45:33.302 Device posture functionality starts here and received location_param : https://aws-us-e-device-posture-service.cloud.com2023-12-19 10:45:33.302 Detected environment is prod2023-12-19 10:45:33.303 Got app version [ 23.8.1.24 ]-
2023-12-19 10:45:33.303 Got library version [ 23.8.1.24 ]-
2023-12-19 10:45:33.303 Calling epa_parse_location with location : https://aws-us-e-device-posture-service.cloud.com
2023-12-19 10:45:33.670 Received ret : 420. Status code 307
2023-12-19 10:45:33.670 Error 420 for get plugin version request. Status code 3072023-12-19 10:45:33.670 Error while checking whether plugin upgrade is required or not

To add Citrix Device Posture Services URLs in SSL decryption bypass/whitelist the URLs

*.netscalergateway.net
*.nssvc.net
*.cloud.com
*.citrixworkspacesapi.net

Note: The URL's may change in the future. It's recommended to check the EPA logs or network devices for URLs that are being blocked.

---

Problem Cause

Issue found to be with network device [Firewall/Proxy] which intercepts or blocks Device Posture Service URL-related traffic.