This post is a little bit niche as it may be relevant only for basic EPA expressions done on Citrix Gateway session policies whose use is slowly reducing, but figured it was worth covering off as there is still use cases for using EPA expressions in a session policy.
What I cover in this article is a somewhat elaborate method of providing a user-friendly EPA failure page in scenarios where we must use EPA in session policies, and cannot allow entry to users who fail the EPA scan.
A little visual below of our end result (note the text does not align to the sample provided below, this is just a general reference).
When running EPA in session policy expressions, we need to ensure bound policies have a matching expression for both pass or fail scenarios otherwise a user who fails the EPA check will default to the global Citrix Gateway session policy configs (that lovely white page talking about Java screen). In my experience configuring EPA in session profiles (vs policy expression) gets ignored in current builds of 12.1.
If this was a pre-auth scan or an EPA factor in nFactor, failing the EPA scan without a recourse (cascade or quarantine) will display a nice error message for users from EPA, which we could enhance with verbose EPA logging. However this isn’t an option in some cases, and we get the experience noted above.
I will cover implementing this as a “catch-all” session policy but in reality, the configs could be modified on the global Citrix Gateway session policy configs, but I largely prefer to leave those settings untouched.
It involves creating an HTML error page hosted on the ADC (using a cool obscure feature of the responder engine that allows for storing HTML code) and linking that to an APIPA LBVS that is always up to which we link a responder policy that renders the HTML page. We reference this LBVS in a session profile as a homepage, and are sure to set the default authorization action to “DENY” in this profile. This profile gets referenced by a session policy with the lowest priority and a catch-all “true” value.
Step 1: Creating the Dummy vServer
These commands will great an LBVS that is always online, to which we can bind a responder policy. It uses a non-addressable IP that the ADC can access, but will not be accessible on the network, which is just fine.
add service svc_alwaysup 127.0.0.1 HTTP 80
add lb vserver lbvs_epadeny_80 HTTP 169.254.100.101 80 -persistenceType NONE
bind lb vserver lbvs_epadeny_80 svc_alwaysup
Step 2: Creating the Responder Configuration
Let’s create our responder HTML page import via AppExpert>Responder>HTML Page Imports. This isn’t easily done via CLI and in fact, this does not even show up in the ns.conf file so screenshots are below. Instead of this, you could totally have a website created just to act as a landing page for failed users that is not hosted by the ADC and just redirect users there, but it is more fun to keep it internal to the ADC. But really, whatever works best for you.
For the HTML text, we’re using the following, which you can tweak to your heart’s content or merely use as a concept to develop something entirely different. Just remember to keep it basic and any images should be referenced as links from another site (perhaps a logo file from a public website, or image already found on the ADC from a portal theme).
EPA Scan Failed – Access Denied – DatacentreName
Unfortunately you are unable to access Citrix resources at this time. It seems that your computer is not a corporate asset. The Citrix EPA scan must run successfully in order to access Citrix apps and desktops. Please note that only domain-joined corporate computers are eligible to access Citrix resources remotely. If you are using a corporate asset, please contact the Service Desk for assistance.
With this in place, we can now create the responder action and policy. From there we will bind to our APIPA LBVIP.
add responder action resp_epa-deny_act respondwithhtmlpage denied.html -responseStatusCode 200 -reasonPhrase true
add responder policy resp_epa-deny_pol true resp_epa-deny_act
bind lb vserver lbvs_epadeny_80 -policyName resp_epa-deny_pol -priority 100 -gotoPriorityExpression END -type REQUEST
Step 3: Creating the Session Policy & Action and Linking to Gateway
These commands will create a new session profile and policy and subsequently bind the policy to a Citrix Gateway (be sure to update your gateway object name). Adjust binding priority as necessary, but should be last in the order.
add vpn sessionAction DENYALL -transparentInterception ON -defaultAuthorizationAction DENY -homePage “http://169.254.100.101/” -clientlessVpnMode ON -clientlessModeUrlEncoding OPAQUE
add vpn sessionPolicy DENYALL ns_true DENYALL
bind vpn vserver YOURVSERVER -policy DENYALL -priority 200
And there we go. When a user fails an EPA scan (or skips it if you haven’t hidden the button to do so) they should receive that custom error page.
So although this article may be useful to a very small audience, hopefully its concepts will be useful to some.