Friday, January 15, 2010

Citrix Netscaler VPX; AGEE

Verifying the Domain in order to allow access to resources

(Note: although I defined some terms this process assumes you have prior experience with the NetScaler VPX or AGEE; look for additional posts that cover basic configuration of the NetScaler VPX) One of the common requests I get when setting up an Citrix Access Gateway is to enable a pre-scan to determine if the client computer is a corporate asset. For example you may want to provide generic XenApp access to everyone; however if the user is logging in from a corporate laptop provide them full SSL VPN access.

This tip actually came from working with Citrix’s internal support services. To ensure credit is given where due; I have found Citrix’s NetScaler/AGEE support people excellent to deal with.

There are other ways covered on Citrix’s KB but I have found that it can be difficult to find a simple and straightforward approach that works consistently. In order to properly configure this you will need to understand a few related terms and definitions:


A Policy is a series of rules that must be met in order to provide a level of access to internal resources. The rules are built using conditions and expressions that can be applied at different stages of the client connection process (ex. pre-authentication, session, etc)


A Profile is used to define a set of configurations that will be turned on or off during the users session. Think of the policies as the requirements you must meet and the profile as the session settings.


Resources define the internal networks, servers, applications etc. that the user is allowed access to. Resources can be defined generically by subnet or very specifically down to the IP address and port.


A VIP is a virtual IP that has an associated web site. When you create a VIP you are creating a new IP and web site in order to allow user access. To provide granular control on the access, you bind a policy and configure the profile and session settings. In addition you associate a series of resources that are available through the VIP/Website provided the user successfully meets the conditions defined in the policy.

In order to filter based on whether the user’s PC is a member of the domain you will configure a VIP and create a policy. The policy will use an ‘Named’ expression or a predefined expression statement which we will build to scan the client’s registry. The scan will determine if the PC is a member of your corporate domain before login. If the scan is successful then the user can receive full VPN access.

Using PuTTy ssh to your netscaler VPX and login using nsroot and the password


Paste the following

add policy expression Corporate_Asset q/CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE ==[YOUR DOMAIN NAME]

Login through the NetScaler VPX and under Configuration create a new Session Policy. Under the General Drop Down List you will have a new named expression called Corporate_Asset


When you add this Named Expression to your Policy the scan will look under the HKEY LOCAL MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\DefaultDomainName Value to ensure the desktop matches the domain specified in the expression. It the user meets the requirements then the user will have access to the resources that you have been defined.


  1. Does this approach require EPA?

  2. Laura,

    You are correct, it is the EPA that looks for the entry in the registry key to determine if the desktop belongs to the appropriate domain