NetScaler Gateway Endpoint Analysis Protocol Weakness and Solution

Article ID: CTX201128

Description

Introduction

Citrix NetScaler Gateway provides easy and secure application, desktop, and data access from anywhere, on any device, to maximize user productivity and ensure business continuity. NetScaler Gateway is a secure application, desktop and data access solution that gives IT administrators granular application-level and device-level policy and action controls over access to corporate content, while allowing users to work from anywhere using SmartAccess and the XenMobile Micro VPN technologies.

Endpoint Analysis

Integrated endpoint scanning can be used both to verify the identity of corporate-owned devices and to determine whether they adhere to corporate security policies, such as having operational and up-to-date antivirus and personal firewall software. Devices that fail these checks can be restricted to pre-defined remediation zones where users can obtain the tools needed to bring them into compliance.

Citrix NetScaler Gateway uses a proprietary protocol for exchanging the endpoint scanning results between the client and the server.

  1. When a client attempts to connect to the NetScaler Gateway, the server presents the client with a set of endpoint scanning expressions that must be met for the client to proceed further.

  2. The client runs the scan expressions and presents the results to the server.

  3. The server evaluates the response and based on the rules configured on the server, either allows or denies the next step to the client.

  4. The next step is usually the logon prompt, where the user enters valid credentials to get VPN access.

Issue

Weaknesses have been identified in the EPA protocol. They allow an end user with administrative privileges on the client machine to decrypt, view and modify the results of the endpoint scan expressions before they are sent to the server. By modifying those results, the user presents falsified scan information to the NetScaler Gateway server, which then shows the logon page instead of denying access to it. In other words, a device that does not meet the configured endpoint policy can still reach the logon prompt. Valid credentials are still required at that point; the weakness defeats the device-posture gate, not authentication itself.
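The four-step exchange above and the tampering described in this section, as an added simulation that is not Citrix's code and does not reproduce the real EPA wire format: the expression syntax, the XOR masking with a key embedded in the client, and the device facts are all constructed for illustration. It shows the server issuing its expressions, the client evaluating them locally and reporting pass/fail, the server deciding whether to show the logon page, and a local administrator rewriting the report so a non-compliant device passes.

```python
"""Simulated Endpoint Analysis (EPA) exchange: illustration, not Citrix's protocol."""
import json

# Server-side policy. Expression format is an assumption for this example:
# (attribute reported by the scan, operator, required value). All must pass.
EPA_POLICY = [
    ("av.running", "==", True),
    ("av.version", ">=", 10),
    ("firewall.enabled", "==", True),
]

# Assumed transport protection: the result blob is XOR-masked with a key that
# ships inside the client. Whatever the client needs in order to encode, a local
# administrator can read from the client, so this hides results from casual
# inspection only, not from the device owner.
CLIENT_KEY = b"epa-client-key"

OPERATORS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b}

# Constructed device facts: one compliant, one with stopped, outdated antivirus.
COMPLIANT_DEVICE = {"av.running": True, "av.version": 12, "firewall.enabled": True}
NONCOMPLIANT_DEVICE = {"av.running": False, "av.version": 8, "firewall.enabled": True}


def _mask(data: bytes) -> bytes:
    # XOR with a repeating key; applying it twice restores the input.
    return bytes(b ^ CLIENT_KEY[i % len(CLIENT_KEY)] for i, b in enumerate(data))


def expr_id(expr) -> str:
    attr, op, value = expr
    return f"{attr} {op} {value}"


def server_challenge(policy=EPA_POLICY) -> dict:
    """Step 1: the server tells the client which expressions must be satisfied."""
    return {"expressions": [list(e) for e in policy]}


def client_scan(challenge: dict, device: dict) -> dict:
    """Step 2: the client evaluates each expression locally and reports pass/fail."""
    results = {}
    for attr, op, value in challenge["expressions"]:
        observed = device.get(attr)
        passed = observed is not None and OPERATORS[op](observed, value)
        results[expr_id((attr, op, value))] = bool(passed)
    return results


def client_encode(results: dict) -> bytes:
    return _mask(json.dumps(results, sort_keys=True).encode())


def server_decode(blob: bytes) -> dict:
    return json.loads(_mask(blob).decode())


def server_decide(challenge: dict, blob: bytes) -> str:
    """Step 3: allow the logon page only if every challenged expression passed.

    A missing or non-True result for any expression denies the logon page. The
    server has nothing but the client's own report to base this decision on.
    """
    results = server_decode(blob)
    for expr in challenge["expressions"]:
        if results.get(expr_id(expr)) is not True:
            return "deny"
    return "allow_logon"


def tamper_as_local_admin(blob: bytes) -> bytes:
    """What the weakness permits: decode the blob, flip every result, re-encode."""
    results = server_decode(blob)           # same key the client itself uses
    forged = {k: True for k in results}     # every expression now "passes"
    return client_encode(forged)


def run_exchange(device: dict, tamper: bool = False) -> str:
    challenge = server_challenge()
    blob = client_encode(client_scan(challenge, device))
    if tamper:
        blob = tamper_as_local_admin(blob)
    return server_decide(challenge, blob)


if __name__ == "__main__":
    print("compliant, honest     :", run_exchange(COMPLIANT_DEVICE))
    print("non-compliant, honest :", run_exchange(NONCOMPLIANT_DEVICE))
    print("non-compliant, forged :", run_exchange(NONCOMPLIANT_DEVICE, tamper=True))
```

The server's verdict for the forged report from the non-compliant device is identical to the verdict for an honest compliant one, because the only input the server has is the client's own account of the scan. Any protection whose key or logic lives entirely in the client can be undone by whoever administers that client, so a self-reported posture result has to be treated as untrusted input on the server side.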

Solution

A fix for this weakness is provided in the NetScaler 10.5 releases. Upgrade to the latest 10.5 release build to remove the weakness that allows an end user to view and modify endpoint scan expression results.

Issue/Introduction

This article describes a known issue in NetScaler Gateway Endpoint Analysis and its solution.