This trace study looks at examples where the EPA preauthentication scan passes and fails.
This example trace was carried out in a practice lab environment with the following IP addresses:
First EPA Preauth test - Check for Avast Free Antivirus on Windows client:
Search for GET /epaq HTTP/1.1 in the trace and follow the SSL stream to check whether the CSEC scan matches the policy:
Search for GET /epas HTTP/1.1 and follow the SSL stream to see the CSEC pass/fail code. In this case, it passed and shows code 0:
The CSEC code will be encrypted by default on NS11.0 64.34+. To see the CSEC code, uncheck 'Client Security Encryption':
There are a lot of antivirus products and choosing the wrong one is a common mistake. Here we have selected ‘Other ALWIL Software Antivirus’:
This fails, giving code 3:
You will see complex compound EPA policies with more than one check. For instance, here is a check for a MAC address and Avast Free Antivirus on Windows client. However, I have chosen the wrong antivirus product:
In the trace we see code 30, which means one fail and one pass:
You can check the nsepa.txt on the client (C:\Users\\AppData\Local\Citrix\AGEE\nsepa.txt) and it will also show the CSEC. This is also useful for checking the EPA Library version. Older EPA libraries will not support newer products:
If we look for epaq in the trace again and follow the SSL stream, notice that the CSEC shows the policy in reverse order. This tells us that the antivirus check failed and the MAC check passed:
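The reading of compound result codes described above, as an added example (not Citrix code). It assumes one result digit per check, with the digits following the CSEC order seen in the epaq stream (the reverse of the configured policy order), and it knows only the two digit values shown on this page, 0 for pass and 3 for fail; the check names are constructed labels.

```python
# Added example: map an EPA result code onto the checks of a compound policy.
# Assumptions (taken from the trace study above, not from Citrix documentation):
#   - one digit per check
#   - digits follow the CSEC order seen in the epaq stream, which is the
#     reverse of the order in which the checks were configured
#   - only 0 (pass) and 3 (fail) are known; any other digit is reported as-is

KNOWN_DIGITS = {"0": "pass", "3": "fail"}


def decode_epa_result(policy_checks, code):
    """Return [(check, verdict), ...] in CSEC (reversed policy) order."""
    code = str(code).strip()
    if not (code.isascii() and code.isdigit()):
        # A non-numeric value usually means the code is still encrypted
        # (Client Security Encryption is on by default on NS11.0 64.34+).
        raise ValueError(f"result code is not numeric: {code!r}")
    csec_order = list(reversed(policy_checks))
    if len(code) != len(csec_order):
        raise ValueError(
            f"{len(csec_order)} checks configured but code {code!r} "
            f"has {len(code)} digits; wrong policy or truncated code"
        )
    return [
        (check, KNOWN_DIGITS.get(digit, f"unknown({digit})"))
        for check, digit in zip(csec_order, code)
    ]


def failed_checks(policy_checks, code):
    """Names of the checks whose digit is anything other than a pass."""
    return [c for c, verdict in decode_epa_result(policy_checks, code)
            if verdict != "pass"]


if __name__ == "__main__":
    # Constructed input mirroring the compound policy in this study:
    # configured as MAC address first, antivirus second; trace shows code 30.
    policy = ["MAC address", "Avast Free Antivirus"]
    for check, verdict in decode_epa_result(policy, "30"):
        print(f"{check}: {verdict}")
```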