NetScaler EPA plugin not launching when Content Security Policy is configured


Article ID: CTX250979


Description

  1. The EPA plugin does not launch, and users land on the "https://<nsg_fqdn>/vpns/postepa.html" page with the options to Skip or Download the plugin, even when the plugin is installed.
  2. Internet Explorer may work while other browsers experience the issue. The issue may affect both Windows and Mac OS X.
  3. No error or warning events are registered in ns.log or in the EPA logs, but if you open the browser's Developer Tools and check the Console tab, multiple Content Security Policy errors may appear.

Resolution

Check the Content Security Policy bound to the NetScaler Gateway vServer, the Unified Gateway vServer, or globally, and update the rewrite action [Configuration \ AppExperts \ Rewrite \ Actions] with this value:
"default-src \'self\' ; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' ; style-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; img-src \'self\' data: http://localhost:* ; child-src \'self\' com.citrix.agmacepa://* citrixng://* " 


Problem Cause

If a Content Security Policy directive is not specified, the browser uses the value defined for the default-src directive, which is usually very restrictive, as in the example above: default-src \'self\'. This causes the browser to block the nglauncher plugin.
Internet Explorer is not fully compatible with the Content-Security-Policy HTTP header, so it may not experience the issue at all (the header is ignored), while Microsoft Edge, which is compatible, could be affected along with Firefox, Chrome, and Safari.
For a compatibility check, you can use the following link: https://caniuse.com/#search=content%20security%20policy
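
The fallback to default-src described above can be checked offline against a policy string before it is bound. The following is an added example, not Citrix code: the function names are hypothetical, and the required sources are taken from the corrected value in the Resolution section.

```javascript
// Added example: sources the article's corrected policy adds, per directive.
const REQUIRED = {
  "child-src": ["com.citrix.agmacepa://*", "citrixng://*"],
  "img-src": ["http://localhost:*"],
};

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(value) {
  const policy = new Map();
  // Accept the \' escaping used in the article's rewrite-action value.
  for (const part of value.replace(/\\'/g, "'").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A directive that is absent falls back to default-src; if that is absent
// too, the policy places no restriction on this resource type.
function effectiveSources(policy, directive) {
  for (const name of [directive, "default-src"]) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null };
}

// Return one finding per required source missing from the effective list.
// Matching is a literal comparison with the article's source expressions;
// broader expressions that would also cover them are not evaluated.
function auditEpaCsp(value) {
  const policy = parseCsp(value);
  const findings = [];
  for (const [directive, needed] of Object.entries(REQUIRED)) {
    const { from, sources } = effectiveSources(policy, directive);
    if (sources === null) continue;
    for (const src of needed) {
      if (!sources.includes(src)) findings.push(`${directive} (using ${from}): missing ${src}`);
    }
  }
  return findings;
}

// Constructed sample: a policy with only default-src, as in the problem case.
console.log(auditEpaCsp("default-src 'self'"));
```

Pass auditEpaCsp either the Content-Security-Policy header value seen in the browser or the rewrite action string; an empty result means the EPA-related sources from the Resolution section are present.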