Device Posture checks on NetScaler Gateway
Starting from NetScaler Gateway release 14.1 build 43.x, the Citrix Device Posture service is integrated with NetScaler Gateway. You can configure the device posture checks on NetScaler Gateway.
Device Posture checks on NetScaler Gateway can be applied globally, at the VPN virtual server level, or as part of the nFactor authentication by using the GUI or the CLI.
- Global - The Device Posture check is performed first before any other authentication.
- VPN virtual server level - The Device Posture scans are applied only to the users connecting to a specific VPN virtual server thus enabling granular control.
- Factor in nFactor authentication - The Device Posture scans can be configured as a step in the authentication process. Device Posture can be configured as the first, second, or any step in the nFactor authentication flow.
Enable Device Posture by using the GUI
Enable Device Posture checks at the global level
Perform the following steps to enable Device Posture globally:
- Navigate to NetScaler Gateway -> Global Settings -> Change Global Settings.
- Click the Security tab.
- In Device Posture, select ENABLED, and then click OK.
Enable Device Posture checks at the VPN virtual server level
Perform the following steps to enable Device Posture for a specific VPN virtual server:
- Navigate to NetScaler Gateway -> Virtual Servers.
- On the NetScaler Gateway Virtual Servers page, select the VPN virtual server on which you want to enable Device Posture check and then click Edit.
- In Basic Settings, click the edit icon, and then click More.
- In Device Posture, select ENABLED, and then click OK.
Enable Device Posture checks as a factor in nFactor authentication
You must create an EPA action that performs the Device Posture scan and then add this action as a factor in the nFactor authentication flow. Perform the following steps to add Device Posture as a factor in the nFactor authentication flow:
Note:
You can configure either EPA or Device Posture as a factor in an nFactor flow. Both can be present in the same flow as separate factors. However, if one of them fails there is no fallback to the other.
- Navigate to Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> EPA.
- On the Authentication EPA Action page, click Add.
- On the Create Authentication EPA Action page, update the following information and click Create.
- Name: Name of the EPA action.
- Default Group: The default group to choose when the device posture check succeeds.
- Quarantine Group: The quarantine group to choose when the device posture check fails.
- Device Posture: Select ENABLED to enable the device posture check.
Note:
- The Device Posture option is disabled by default. Existing users can continue to use the existing EPA expression.
- When Device Posture is enabled, you don’t have to configure the expressions, because the posture scans are configured in the Device Posture service portal.
- When Device Posture is enabled, the Kill Process, Delete Files, and Expression fields become uneditable.
- Bind the EPA action to the VPN virtual server. For details, see Configuring nFactor authentication and EPA scan as a factor in nFactor authentication.
- Navigate to Security -> AAA - Application Traffic -> Virtual Servers.
- Select the virtual server and click Edit.
- In Advanced Authentication Policies, click Authentication Policy and then click Add binding.
- Select the EPA action created earlier.
- Assign a priority and select the next factor.
- Click Bind.
Enable Device Posture by using the CLI
To enable Device Posture by using the CLI, you must create an EPA action and an authentication policy and then bind the policy to the VPN virtual server.
Example commands:
add authentication epaAction dps_act -devicePosture ENABLED
add authentication Policy dps_pol -rule true -action dps_act
bind authentication vserver dpsspa -policy dps_pol
show authentication vserver dpsspa
Set Citrix Cloud tenant ID on NetScaler Gateway
In addition to enabling the Device Posture feature on NetScaler Gateway, you must also set the Citrix Cloud tenant ID on NetScaler Gateway.
Use the following command to set the Citrix Cloud tenant ID:
set cloud parameter -customerID <customer ID>
Example:
set cloud parameter -customerID 512abc123bcd
Device Posture scans for this customer ID can be set in the Device Posture service admin console only after the tenant ID is configured on NetScaler Gateway.
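The CLI procedure and the tenant ID step together form a chain of four commands whose names must line up: the policy must point at the EPA action that was actually created, the bind must name the policy that was actually created, the EPA action must have `-devicePosture ENABLED` (otherwise the classic EPA expression runs, not the Device Posture service scans), and the Citrix Cloud tenant ID must be set. The following Python script is an added example, not NetScaler's or Citrix's own tooling: it parses a batch of NetScaler commands and reports any break in that chain. The sample batches are constructed here, modelled on the page's commands with an explicit `-priority` added to the bind; the names `dps_act`, `dps_pol`, `dpsspa` and the tenant ID come from the page, and the list of entity kinds that are not actions is an assumption covering common authentication entities.

```python
"""Lint a NetScaler CLI batch for the Device Posture chain described on this page.

Added example (not NetScaler's or Citrix's tooling). Every option is assumed to
take exactly one value, which holds for the commands handled here.
"""
import shlex

# Entities under "add authentication ..." that are not actions (assumption:
# covers the common nFactor entities, extend as needed).
NON_ACTION_KINDS = {
    "authentication policy", "authentication vserver",
    "authentication policylabel", "authentication loginschema",
    "authentication loginschemapolicy",
}


def parse_command(line):
    """Split one NetScaler command into (verb, entity kind, name, options).

    'add authentication epaAction dps_act -devicePosture ENABLED' ->
    ('add', 'authentication epaaction', 'dps_act', {'-deviceposture': 'ENABLED'})
    """
    toks = shlex.split(line, comments=True)
    if len(toks) < 3:
        return None
    verb = toks[0].lower()
    # positional words run until the first '-option' token
    split_at = next((i for i, t in enumerate(toks) if t.startswith("-")), len(toks))
    positional = toks[1:split_at]
    kind = " ".join(positional[:2]).lower()
    name = positional[2] if len(positional) > 2 else None
    rest = toks[split_at:]
    opts = {rest[i].lower(): rest[i + 1] for i in range(0, len(rest) - 1, 2)}
    return verb, kind, name, opts


def lint_config(config_text):
    """Return a list of findings; an empty list means the chain is consistent."""
    actions, policies, binds, customer_id = {}, {}, [], None
    for raw in config_text.splitlines():
        parsed = parse_command(raw.strip())
        if parsed is None:
            continue
        verb, kind, name, opts = parsed
        if verb == "add" and kind.startswith("authentication ") and kind not in NON_ACTION_KINDS:
            actions[name] = (kind, opts)          # any authentication action type
        elif verb == "add" and kind == "authentication policy":
            policies[name] = opts
        elif verb == "bind" and kind == "authentication vserver":
            binds.append((name, opts))
        elif verb == "set" and kind == "cloud parameter":
            customer_id = opts.get("-customerid")

    findings = []
    # 1. EPA actions meant for Device Posture must say so explicitly
    for name, (kind, opts) in actions.items():
        if kind == "authentication epaaction" and opts.get("-deviceposture", "").upper() != "ENABLED":
            findings.append(f"EPA action {name} does not set -devicePosture ENABLED; "
                            "the classic EPA expression will run instead of Device Posture scans")
    # 2. every policy must reference an action that exists
    for name, opts in policies.items():
        action = opts.get("-action")
        if action is None:
            findings.append(f"policy {name} has no -action")
        elif action not in actions:
            findings.append(f"policy {name} references action {action}, which is never defined")
    # 3. every bind must name a defined policy, and every policy should be bound
    bound = set()
    for vserver, opts in binds:
        policy = opts.get("-policy")
        if policy is None:
            findings.append(f"bind on vserver {vserver} has no -policy")
        elif policy not in policies:
            findings.append(f"vserver {vserver} binds policy {policy}, which is never defined")
        else:
            bound.add(policy)
    for name in policies:
        if name not in bound:
            findings.append(f"policy {name} is defined but not bound to any authentication vserver")
    # 4. the Citrix Cloud tenant ID is required for Device Posture
    if not customer_id:
        findings.append("no Citrix Cloud tenant ID: add 'set cloud parameter -customerID <tenant id>'")
    return findings


# Constructed sample batch modelled on the page's CLI example (names from the page).
GOOD_CONFIG = """
add authentication epaAction dps_act -devicePosture ENABLED
add authentication Policy dps_pol -rule true -action dps_act
bind authentication vserver dpsspa -policy dps_pol -priority 100
set cloud parameter -customerID 512abc123bcd
"""

# Constructed broken variant: Device Posture not enabled on the action, the
# policy points at a misspelled action name, and the tenant ID is never set.
BAD_CONFIG = """
add authentication epaAction dps_act
add authentication Policy dps_pol -rule true -action dsp_act
bind authentication vserver dpsspa -policy dps_pol -priority 100
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_config(cfg) or "OK")
```

The parser treats the first `-option` as the end of the positional words, so it copes with mixed-case entity names such as `epaAction` and `Policy`, which NetScaler accepts case-insensitively. A transposed name like `dsp_act` for `dps_act` is exactly the kind of error that is invisible in a GUI click-through but produces a policy that never fires; running this check over the authentication lines of the running configuration before cutover catches it.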