Configure EPA Scan for Windows Update - Critical or Automatic

Article ID: CTX228922

Description

Configure EPA to scan the Windows update for the Critical update or Automatic updates.


Instructions

Use Case
Scan the user device for Windows updates and decide whether to allow or deny access to the internal network.

Introduction to EPA
On NetScaler Gateway, End Point Analysis (EPA) can be configured to check whether a user device meets certain security requirements and to grant the user access to internal resources accordingly. This is configured with a preauthentication policy. If the user device fails the preauthentication scan, the user is not allowed to log on. If additional security is needed, a session policy can be configured and bound to an AAA user or group, a VPN vserver, or at the VPN global level. This type of policy is called a post-authentication policy; it runs during the user session to ensure that the required software, such as antivirus, is running. If the policy fails, the connection to NetScaler Gateway ends. The Endpoint Analysis Plug-in downloads and installs on the user device when the user logs on to NetScaler Gateway for the first time. If the user does not install the Endpoint Analysis Plug-in on the device or chooses to skip the scan, the user cannot log on with the NetScaler Gateway Plug-in. Optionally, the user can be placed in a quarantine group that gets limited access to internal network resources.

Configuration Steps

Step 1: Create Preauthentication profile

Create a preauthentication profile that contains the action (allow or deny logon) taken after the preauthentication policy check. Optionally, the administrator can also configure processes to be terminated and files to be deleted by the EPA tool, and the default group that is assigned when the EPA check succeeds.

CLI:
> add aaa preauthenticationaction <profile_name> -preauthenticationaction ALLOW

GUI:
Go to NetScaler Gateway -> Policies -> Preauthentication Profiles -> Add

Create EPA Scan profile
Step 2: Create Preauthentication Policy

Create a preauthentication policy with a profile and an expression that checks for Windows updates on the user device.

CLI:
> add aaa preauthenticationpolicy <policy_name> "CLIENT.SYSTEM(WIN-UPDATE_MISSED-PATCH_==_CRITICAL[COMMENT: Windows Update]) EXISTS" <profile_name>

In this example, the EPA expression scans the client system for Critical updates being enabled.

GUI:
To create the policy, go to NetScaler Gateway -> Policies -> Preauthentication Policies -> Add. You can use the OPSWAT EPA editor to create a custom EPA expression. Selecting Microsoft Windows Update Agent produces an expression that checks for the presence of the Windows Update agent on the client device. Additional parameters can be added to the expression by clicking the + button and filling in the required values about the Windows update.
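The two steps above, assembled into one complete CLI session that also binds the policy to a gateway virtual server and verifies the result. This is an added example, not part of the original article: the object names (epa_winupdate_allow, epa_winupdate_critical) and the vserver name gw_vs are assumed and must be replaced with your own; the EPA expression is the one from Step 2.

```text
> add aaa preauthenticationaction epa_winupdate_allow -preauthenticationaction ALLOW
> add aaa preauthenticationpolicy epa_winupdate_critical "CLIENT.SYSTEM(WIN-UPDATE_MISSED-PATCH_==_CRITICAL[COMMENT: Windows Update]) EXISTS" epa_winupdate_allow
> bind vpn vserver gw_vs -policy epa_winupdate_critical -priority 100
> show aaa preauthenticationpolicy epa_winupdate_critical
> save ns config
```

The expression must be quoted because it contains spaces. Devices that fail the scan are denied logon at the gateway; to quarantine them instead of denying access, the article's introduction describes placing the user in a quarantine group with limited access.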

Issue/Introduction

Configure EPA Scan to check the latest Windows update.

Additional Information

https://support.citrix.com/article/CTX219296