Citrix Gateway

Preauthentication device check expressions for user devices

Important:

Endpoint Analysis is intended to analyze the user device against pre-determined compliance criteria and does not enforce or validate the security of end-user devices. It is recommended to use endpoint security systems to protect devices from local admin attacks.

Citrix Gateway provides various endpoint compliance checks during user logon or at other configured times during a session that help in validating the user devices. Only the user devices that pass these checks are allowed to establish a Citrix Gateway session.

The following are the types of checks on user devices that you can configure on Citrix Gateway:

  • Antispam
  • Antivirus
  • File policies
  • Internet security
  • Operating system
  • Personal firewall
  • Process policies
  • Registry policies
  • Service policies

If a device check fails on the user device, no new connections are made until a subsequent check pass (in the case of checks that are at regular intervals); however, traffic flowing through existing connections continues to tunnel through Citrix Gateway.

You can use the configuration utility to configure preauthentication policies or device check expressions within session policies that are designed to carry out checks on the user devices.

Configure antivirus, firewall, internet security, or antispam expressions

You configure settings for antivirus, firewall, Internet security, and antispam policies within the Add Expression dialog box. The settings for each policy are the same: the differences are the values that you select. For example, if you want to check the user device for Norton antivirus version 10 and ZoneAlarm Pro, you create two expressions within the session or preauthentication policy that specify the name and version number of each application.

When you select Client Security as the expression type, you can configure the following:

  • Component: The type of client security, such as antivirus, firewall, or registry entry.
  • Name: The name of the application, process, file, registry entry, or operating system.
  • Qualifier: The version or the value of the component for which the expression checks.
  • Operator: Checks if the value exists or is equal to the value.
  • Value: The application version for antivirus, firewall, Internet security, or antispam software on the user device.
  • Frequency: Frequency with which a post-authentication scan is run, in minutes.
  • Error weight: A weight assigned to each error message contained in a nested expression when multiple expressions have different error strings. The weight determines which error message appears.
  • Freshness: Defines how old a virus definition can be. For example, you can configure the expression so virus definitions are no older than three days.

To add a client device check policy to a preauthentication or session policy

  1. In the configuration utility, in the navigation pane, do one of the following:
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
    2. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Match Any Expression, click Add.
  5. In the Add Expression dialog box, in Expression Type, select Client Security.
  6. Configure the settings for the following:
    1. In Component, select the item for which to scan.
    2. In Name, type the name of the application.
    3. In Qualifier, select Version.
    4. In Operator, select the value.
    5. In Value, type the client device check string, click OK, click Create, and then click Close.

Configure service policies

A service is a program the runs silently on the user device. When you create a session or preauthentication policy, you can create an expression that ensures that user devices are running a particular service when the session is established.

To configure a service policy

  1. In the configuration utility, in the navigation pane, do one of the following:
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
    2. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Match Any Expression, click Add.
  5. In the Add Expression dialog box, in Expression Type, select Client Security.
  6. Configure the settings for the following:
    1. In Component, select Service.
    2. In Name, type the name of the service.
    3. In Qualifier, leave blank or select Version.
    4. Depending on your selection in Qualifier, do one of the following:
      • If left blank, in Operator, select == or !=
      • If you selected Version, in Operator, in Value, type the value, click OK, and then click Close.

You can check a list of all available services and the status for each on a Windows-based computer at the following location:

Control Panel > Administrative Tools > Services

Note:

The service name for each service varies from its listed name. Check for the name of the service by looking at the Properties dialog box.

Configure process policies

When creating a session or preauthentication policy, you can define a rule that requires all user devices to have a particular process running when users log on. The process can be any application and can include customized applications.

Note: The list of all processes running on a Windows-based computer appears on the Processes tab of Windows Task Manager.

To configure a process policy

  1. In the configuration utility, in the navigation pane, do one of the following:
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway \ > Policies and then click Session.
    2. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies \ > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Match Any Expression, click Add.
  5. In the Add Expression dialog box, in Expression Type, select Client Security.
  6. Configure the settings for the following:
    1. In Component, select Process.
    2. In Name, type the name of the application.
    3. In Operator, select EXISTS or NOTEXISTS, click OK and then click Close.

When you configure an Endpoint Analysis policy (pre-authentication or post-authentication) to check for a process, you can configure an MD5 checksum.

When you create the expression for the policy, you can add the MD5 checksum to the process you are checking for. For example, if you are checking to see if notepad.exe is running on the user device, the expression is: CLIENT.APPLICATION.PROCESS(notepad.exe_md5_388b8fbc36a8558587afc90fb23a3b00) EXISTS

Configure operating system policies

When you create a session or preauthentication policy, you can configure client device check strings to determine whether the user device is running a particular operating system when users log on. You can also configure the expression to check for a particular service pack or hotfix.

The values for Windows and Macintosh are:

Operating system Value
macOS X macOS
Windows 8.1 win8.1
Windows 8 win8
Windows 7 win7
Windows Vista vista
Windows XP winxp
Windows Server 2008 win2008
Windows Server 2003 win2003
Windows 2000 Server win2000
Windows 64-bit platform win64

To configure an operating system policy by using the GUI

  1. In the navigation pane, do one of the following:
    1. Navigate to Citrix Gateway > Policies and then click Session.
    2. Navigate to Citrix Gateway > Policies > Preauthentication.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. In Request Action select an existing action or create one.
  5. Click Expression Editor.
  6. In Select Expression Type, select Client Security.
  7. Configure the settings for the following:
    1. In Component, select Operating System.
    2. In Name, type the name of the operating system.
    3. In Qualifier, do one of the following:
      • Leave the field blank
      • Select Service Pack
      • Select Hotfix
      • Select Version (for macOS only)
    4. Depending on your selection in step 7, in Operator, do one of the following:
      • If Qualifier is blank, in Operator, select EQUAL (= =), NOTEQUAL (!=), EXISTS or NOTEXISTS.
      • If you selected Service Pack or Hotfix, select the operator and in Value, type the value.
  8. Click Done and then click Close.

If you are configuring a service pack, such as client.os (winxp).sp, if a number is not in the Value field, Citrix Gateway returns an error message because the expression is invalid.

If the operating system has service packs present, such as Service Pack 3 and Service Pack 4, you can configure a check just for Service Pack 4, because the presence of Service Pack 4 automatically indicates that previous service packs are present.

Configure registry policies

When you create a session or preauthentication policy, you can check for the existence and value of registry entries on the user device. The session is established only if the particular entry exists or has the configured or higher value.

When configuring a registry expression, use the following guidelines:

  • Four backslashes are used to separate keys and subkeys, such as

    HKEY_LOCAL_MACHINE\\\\SOFTWARE

  • Underscores are used to separate the subkey and the associated value name, such as

    HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\VirusSoftware_Version

  • A backslash (\) is used to denote a space, such as in the following two examples:

    HKEY_LOCAL_MACHINE\\\\SOFTWARE\\Citrix\\\\Secure\ Access\ Client_ProductVersion

    CLIENT.REG(HKEY_LOCAL_MACHINE\\\\Software\\\\Symantec\\Norton\ AntiVirus_Version).VALUE == 12.8.0.4 -frequency 5

The following is a registry expression that looks for the Citrix Secure Access agent registry key when users log on:

CLIENT.REG(secureaccess).VALUE==HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\CITRIX\\\\Secure\Access\Client_ProductVersion

Note:

If you are scanning for registry keys and values and you select Advanced Free-Form in the Expression dialog box, and the expression must start with CLIENT.REG.

Registry checks are supported under the following most common five types:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Registry values to be checked use the following types:

  • String

    For the string value type, case-sensitivity is checked.

  • DWORD

    For the DWORD type, the value is compared and must be equal.

  • Expanded String

    Other types, such as Binary and Multi-String, are not supported.

  • Only the ‘==’ comparison operator is supported.

  • Other comparison operators, such as <, > and case-sensitive comparisons are not supported.

  • The total registry string length must be less than 256 bytes.

You can add a value to the expression. The value can be a software version, service pack version, or any other value that appears in the registry. If the data value in the registry does not match the value you are testing against, users are denied logon.

Note:

You cannot scan for a value within a subkey. The scan must match the named value and the associated data value.

To configure a registry policy

  1. In the configuration utility, in the navigation pane, do one of the following:
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway \ > Policies and then click Session.
    2. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies \ > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Match Any Expression, click Add.
  5. In the Add Expression dialog box, in Expression Type, select Client Security.
  6. Configure the settings for the following:
    1. In Component, select Registry.
    2. In Name, type the name of the registry key.
    3. In Qualifier, leave blank or select Value.
    4. In Operator, do one of the following:
      • If Qualifier is left blank, select EXISTS or NOTEXISTS
      • If you selected Value in Qualifier, select either == or !==
    5. In Value, type the value as it appears in the registry editor, click OK and then click Close.

Configure compound client device check expressions

You can combine client device check strings to form compound client device check expressions.

The Boolean operators that are supported in Citrix Gateway are:

  • And (&&)
  • Or (   )
  • Not (!)

For greater precision, you can group the strings together using parentheses.

Note:

If you use the command line to configure expressions, use parentheses to group device check expressions together when you form a compound expression. The use of parentheses improves the understanding and debugging of the client expression.

Configure policies with the AND (&&) operator

The AND (&&) operator works by combining two client device check strings so that the compound check passes only when both checks are true. The expression is evaluated from left to right and if the first check fails, the second check is not carried out.

You can configure the AND (&&) operator using the keyword ‘AND’ or the symbols ‘&&’.

Example:

The following is a client device check that determines if the user device has Version 7.0 of Sophos antivirus installed and running. It also checks if the Net Logon service is running on the same computer.

CLIENT.APPLICATION.AV(sophos).version==7.0 AND CLIENT.SVC(netlogon) EXISTS

This string can also be configured as:

CLIENT.APPLICATION.AV(sophos).version==7.0 && CLIENT.SVC(netlogon) EXISTS

Configure policies with the OR ( || ) operator

The OR (   ) operator works by combining two device check strings. The compound check passes when either check is true. The expression is evaluated from left to right and if the first check passes, the second check is not carried out. If the first check does not pass, the second check is carried out.
You can configure the OR (   ) operator using the keyword ‘OR’ or the symbols ‘   ’.

Example:

The following is a client device check that determines if the user device has either the file c:\file.txt on it or the putty.exe process running on it.

client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS

This string can also be configured as

client.file(c:\\\\file.txt) EXISTS)   (client.proc(putty.exe) EXISTS

Configure policies using the NOT (!) operator

The NOT (!) or the negation operator negates the client device check string.

Example:

The following client device check passes if the file c:\sophos_virus_defs.dat file is NOT more than two days old:

\!(client.file(c:\\\\\\\\sophos\_virus\_defs.dat).timestamp==2dy)