EPA for device certificate check fails on NetScaler

Article ID: CTX230397

Description

Users get the error "access denied" after the EPA scan, even with valid certificates available in the store.

Resolution

If the certificate check is required, users should have admin rights.

Workaround:
Users rarely have admin rights on their systems, so the workaround is to install the full NetScaler Gateway plug-in, which can access the local store.

Because the Gateway plug-in is not needed for the EPA scan itself, it has to be installed manually so that the plug-in checks the certificates in the store and validates EPA.

If there are multiple client machines, use GPO to push the Gateway plug-in to them:
https://docs.citrix.com/en-us/netscaler-gateway/12/vpn-user-config/ng-plugin-select-type/ng-connect-ng-plugin-deploy-from-active-directory-tsk.html
Plug-in download: https://www.citrix.com/downloads/citrix-gateway/

Problem Cause

The EPA client needs the user to have local administrator rights to access the machine certificate store for the certificate check.

Issue/Introduction

EPA for device certificate check fails on NetScaler.

Additional Information

For further debugging, examine the following EPA log on the client, and contact support if the issue persists:
C:\Users\<User name>\AppData\Local\Citrix\AGEE\nsepa.txt
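
To confirm that a client matches the cause described in this article before deploying the plug-in, the following PowerShell triage can be run as the affected user. It is an added example, not Citrix code; it assumes the device certificate is in the `LocalMachine\My` (Personal) store and checks validity dates only, not the chain, revocation or the gateway policy's matching rules.

```powershell
# Added triage example, not Citrix code.
# Run as the affected user in a normal (non-elevated) session.

# 1. Does this session hold local administrator rights?
#    (False for a non-elevated token under UAC, even for members of Administrators.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Certificates in the machine store.
#    Assumption: the device certificate is in LocalMachine\My; adjust if deployed elsewhere.
$now = Get-Date
try {
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction Stop)
} catch {
    Write-Warning "Cannot read Cert:\LocalMachine\My: $($_.Exception.Message)"
    $certs = @()
}
# Date check only: NotBefore <= now <= NotAfter.
$current = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now })

# 3. Report the two conditions this article depends on.
"User          : $($identity.Name)"
"Admin rights  : $isAdmin"
"Machine certs : $($certs.Count) total, $($current.Count) inside validity period"
$current | Format-Table Subject, NotAfter, HasPrivateKey -AutoSize | Out-String

if (-not $isAdmin -and $current.Count -gt 0) {
    "Unexpired certificate present but no admin rights: matches the cause in this article."
}

# 4. Tail of the EPA client log named above, for the current user.
$log = Join-Path $env:LOCALAPPDATA 'Citrix\AGEE\nsepa.txt'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 40
} else {
    "EPA log not found at $log"
}
```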