NetScaler Gateway Advanced End Point Analysis
NOTE: NetScaler Gateway EPA functionality is available on Windows and Mac desktop platforms only (as of May 1, 2014).
With the release of NetScaler Gateway 10.1.0.1316.e, Citrix has significantly improved its end point analysis (EPA) capabilities. Here is a quick introduction to what is new and advanced in EPA:
- New Advanced EPA engine with thousands of pre-configured scans
- Device certificate checks
For those who are new to EPA: this capability lets NetScaler Gateway evaluate the posture of the connecting endpoint device, and then evaluate policies that determine what type of session, if any, will be provided to the user. Note that a device check is different from, and complementary to, user authentication. While user authentication ensures that a valid, trusted user is accessing your corporate resources, the device check ensures that the valid user is coming from a healthy device.
In general, as an administrator, you may want to differentiate between users based on their devices, as follows:
- Users on company-owned assets
- Users on healthy personal devices
- Users on unhealthy devices
So, as you can see, EPA is a very powerful concept, and it provides granular control over AAA policies and session parameters, depending on the posture of the device.
Advanced EPA Engine
NetScaler Gateway already had a classic EPA engine, which offered administrators great flexibility and power in creating scans to detect a variety of things, such as operating system versions, the presence or absence of certain software, domain join status, and so on. The real power of the classic EPA engine lies in its policy editor, which can create scans based on registry, file and process checks, and thus provides tons of customizable options.
What the classic EPA engine lacked was out-of-the-box, pre-configured scans that an administrator could simply enable and go.
The Advanced EPA engine now provides this infrastructure, with the following advantages:
- Thousands of pre-configured scans, available out of the box
- New scans are provided automatically as new software becomes available
- Easy maintainability, based on scans that can specify minimum versions. As new versions come out, the admin does not necessarily have to change the configuration.
Note that the current version of Advanced EPA provides pre-configured scans for pre-authentication checks only.
Device Certificate Checks
Device certificates are client certificates that are issued to devices, as opposed to the more common practice of issuing certificates to users. Just as a user certificate identifies a trusted user, a device certificate identifies a trusted device.
These certificates are commonly used to distinguish between corporate assets and BYOD assets. Enterprise-owned assets can be provisioned with a device certificate issued by the enterprise CA, and the presence of such a certificate is what identifies the device as a company asset. Similarly, the lack of this certificate marks a device as a possible BYOD device.
NetScaler Gateway now supports device certificate checks to differentiate between these two classes of devices. Configuration is fairly straightforward and essentially requires an admin to enable this check and provide details of the enterprise CA that is responsible for issuing these certificates. Note that the CA information is a critical input, since you do not want to trust certificates issued by another CA in the company, which could be issuing user certificates.
NetScaler Gateway supports configuring user certificate authentication and the device certificate check side by side. In such a configuration, user authentication is handled as part of the SSL handshake. Once it is established, the device certificate check is performed. This check covers all the obvious validations: the validity of the certificate, the certificate trust chain, the presence of the private key on the endpoint, and OCSP checks for revoked certificates.
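The issuer restriction and the private-key check described in the two paragraphs above can be reproduced with plain OpenSSL. This is an added example, not NetScaler configuration or code from the original post; the CA names `device-ca` and `user-ca`, the subjects and all file names are constructed placeholders, and OCSP revocation checking is not modelled.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI. CA names, subjects and file names are placeholders.
LAB=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
  '[dn]' 'CN=placeholder' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$LAB/lab.cnf"

# make_ca NAME: create a self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$LAB/lab.cnf" \
    -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

# issue CA NAME: create a key pair for NAME and a certificate signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" -subj "/CN=$2" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 1 -out "$LAB/$2.pem" 2>/dev/null
}

# device_check CERT KEY: succeeds only if CERT chains to the designated device CA
# (and to no other CA) and KEY signs a fresh nonce that CERT's public key verifies.
device_check() {
  openssl verify -CAfile "$LAB/device-ca.pem" "$1" 2>/dev/null | grep -q ': OK$' || return 1
  openssl rand -hex 32 > "$LAB/nonce"
  openssl dgst -sha256 -sign "$2" -out "$LAB/sig" "$LAB/nonce" 2>/dev/null || return 1
  openssl x509 -in "$1" -pubkey -noout > "$LAB/pub" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$LAB/pub" -signature "$LAB/sig" "$LAB/nonce" >/dev/null 2>&1
}

# classify CERT KEY: map the check result to the two device classes from the text
classify() { device_check "$1" "$2" && echo corporate || echo byod; }

make_ca device-ca; make_ca user-ca
issue device-ca laptop01   # enterprise-owned device
issue user-ca   alice      # user certificate from another CA in the same company
issue device-ca laptop02   # used only to supply a non-matching private key

classify "$LAB/laptop01.pem" "$LAB/laptop01.key"   # corporate
classify "$LAB/alice.pem"    "$LAB/alice.key"      # byod: valid cert, wrong issuing CA
classify "$LAB/laptop01.pem" "$LAB/laptop02.key"   # byod: certificate without its private key
```

The second case is the one the CA setting guards against: the certificate is valid under `user-ca`, but it fails the device check because only `device-ca` is trusted for that purpose.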
So in essence, this version of NetScaler Gateway brings some powerful, advanced EPA capabilities to the platform, and provides real value to any security-conscious administrator.
For a more detailed overview of the new version of NetScaler Gateway, see my previous post.