CTX209148

Understanding and Configuring EPA Verbose Logging on Citrix Gateway

Applicable Products

  • Citrix Gateway

Information

CLI Configuration

Run the following command on NetScaler for PreAuth and PostAuth EPA logging:

> set vpn param -clientSecurityLog ON

Note: For PreAuth and PostAuth logging, the global vpn param MUST be used. If clientSecurityLog is modified in a SessionAction whose Session Policy has a ClientSecurity expression as its rule, the clientSecurityLog value in that SessionAction is not honored. All configuration should be done in the global settings under Citrix Gateway.

Log File Location

Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10:
C:\Users\\AppData\Local\Citrix\AGEE

Windows XP:
C:\Documents and Settings\All Users\Application Data\Citrix\AGEE

Mac OS X systems:
~/Library/Application Support/Citrix/EPAPlugin/
(Where the ~ symbol indicates the relevant Mac OS X user’s home directory path.)

Note: If the scan is performed by the EPA plugin (that is, you use the browser to log in), nsepa.txt (EPA flow and old EPA scans) or epahelper_epa_plugin.txt (OPSWAT and newer EPA scans) is generated. If the scan is performed by the native VPN plugin, nssslvpn.txt (EPA flow and old EPA scans) and epahelper.txt (OPSWAT and newer EPA scans) are generated.

Logging debug Messages to ns.log

All failed scans are logged as ERROR messages and successful scans as DEBUG messages. By default, only the ERROR messages reach ns.log. To get the DEBUG messages into ns.log as well, raise the syslog log level to include DEBUG (reference article https://support.citrix.com/article/CTX222945):

> set audit syslogParams -logLevel ALL

EPA Logs Example

Below are some PreAuth examples showing a failed scan. In the logs we can see the Case ID as well as the EPA expression that is failing.

PreAuth Classic EPA Log

11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 107 0 : CaseID 38136: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.FILE('c:\\\\notepad.exe') EXISTS FAILED(3) on the client machine
11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 108 0 : CaseID 38136: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS FAILED(3) on the client machine
11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_CHECK 109 0 : CaseID: 38136 - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client_security_expression "CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS && CLIENT.FILE('c:\\\\notepad.exe') EXISTS" - Client_security_check "Failed - User not allowed to login"

PreAuth OPSWAT EPA Log

11/04/2015:06:42:06 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 114 0 : CaseID 39736: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.APPLICATION('ANTIVIR_328000_VERSION_<_5[COMMENT: Zillya Antivirus]') EXISTS FAILED(3) on the client machine
11/04/2015:06:42:06 GMT Error 0-PPE-0 : default SSLVPN CLISEC_CHECK 115 0 : CaseID: 39736 - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client_security_expression "CLIENT.APPLICATION('ANTIVIR_328000_VERSION_<_5[COMMENT: Zillya Antivirus]') EXISTS" - Client_security_check "Failed - User not allowed to login"

HTTP Request and Response Log

GET https://example.net/epaq HTTP/1.1
Cookie: NSC_EPAC=9158c1f2594857d118ba3cb9817134db
Date: 1442407956
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AGEE 8.0;)
Host: example.net
Cache-Control: no-cache

HTTP/1.1 200 OK
TunnelType: nocmp
Set-Cookie: NSC_ERRM=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Encode: Yes
CSEC: 7rtbndK+d5YrEQTgwiOvwwwIakkjEST1QBK2OOc3b1g=
CSEC_OPTS: 5RmG8h16YuaEAUQdqHxdvw==
Content-Length: 0
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html


Additional Resources

Background

Configuring EPA Verbose Logging

Before this feature, the Citrix Gateway EPA plugin (as well as the VPN plugin) did not log anything EPA-related on the user machine. Without any logging it is difficult to troubleshoot EPA-related issues. From ADC version 11.0.64.34 a new feature, "EPA Verbose Logging", is introduced to improve the EPA troubleshooting experience.

EPA scan failure messages are written in non-technical language, so users can troubleshoot failures on their own without contacting the admin. For example: "Norton Antivirus installed on your machine is not updated recently", "Your machine is not part of domain", "No antivirus found on this system".

The following can be achieved with this new EPA feature:

  • Verbose logging on the ADC of which EPA scans passed or failed.
  • A human-readable reason for each EPA scan failure on the client machine.

Points to Remember

  1. This setting applies to all types of scans, that is, OPSWAT, old EPA and newer Citrix-supported EPA, for both Pre-Auth and Post-Auth. It does not apply to frequency-based scans (the ones that run after GET /cfg).
  2. Currently, EPA plugins show scan failures only for the relevant OS: the Windows EPA plugin shows only Windows EPA scan failures, and the Mac EPA plugin shows only Mac EPA scan failures.
  3. EPA error text is not shown for any failed EPA scan that uses the "NOT" or "!=" operator. OPSWAT scans where "!=" is used inside the expression, such as ANTIVIR_0_VERSION_!=_10, work properly.
  4. EPA plugins do not show configuration errors to the user.
    In a production environment configuration errors should not occur. Most of the time the cause is a new kind of scan supported by a different EPA plugin (for example, a new Windows-specific EPA scan that an older Mac plugin does not understand). These scans are still logged, so you can debug them during the production setup phase.
  5. As of now, EPA logging is controlled by server-side configuration; support for the "EnableEPALogging" registry key in the Windows EPA library has been removed.

Case ID

Since PreAuth EPA runs before authentication, you cannot tell from the log which user failed the EPA scan. To facilitate debugging of PreAuth EPA failures, the 'Case ID' was introduced. The Case ID is the last 5 bytes of the NSC_EPAC cookie and uniquely identifies a PreAuth EPA run for a particular user in ns.log.

The Case ID is displayed to the end user on the PreAuth EPA error HTML page and is also logged on the ADC along with all the scans that passed or failed. The end user can then contact their IT support desk with the Case ID, and IT can find the reason for the failure by searching for that Case ID in ns.log.
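The Case ID lookup described above, and the ns.log excerpts in the EPA Logs Example section, can be automated. The following is an added example, not Citrix code: a small Python script that parses CLISEC_EXP_EVAL and CLISEC_CHECK lines copied from ns.log, groups them by Case ID and reports which sub-expression failed. The sample log lines are constructed from the article's own excerpts; Case ID 40012 and the wording of a PASSED DEBUG line are assumptions, since the article only shows FAILED examples.

```python
"""Triage Citrix Gateway PreAuth EPA failures in ns.log by Case ID.

Added example, not Citrix code. It parses the CLISEC_EXP_EVAL and CLISEC_CHECK
message layouts shown in the article, groups them by Case ID and lists the
failing sub-expressions, so the help desk can answer "why did Case ID 38136
fail?" without reading raw syslog.
"""
import re
from collections import defaultdict

# Both spellings occur: "CaseID 38136:" (CLISEC_EXP_EVAL) and "CaseID: 38136" (CLISEC_CHECK).
CASE_RE = re.compile(r"CaseID:?\s*(\d+)")
CLIENT_RE = re.compile(r"Client IP (\S+) - Vserver (\S+)")
# One sub-expression result; the optional "(3)" is the failure code seen in the article.
EXP_EVAL_RE = re.compile(
    r"CLISEC_EXP_EVAL .*?Client security check (?P<expr>.+?) "
    r"(?P<result>PASSED|FAILED)(?:\((?P<code>\d+)\))? on the client machine"
)
# Final verdict for the whole policy expression.
CHECK_RE = re.compile(
    r'CLISEC_CHECK .*?Client_security_expression "(?P<expr>.+?)" - '
    r'Client_security_check "(?P<verdict>[^"]*)"'
)

# Constructed sample modelled on the article's excerpts. The first line is a
# non-EPA message that must be skipped; Case ID 40012 and the PASSED wording are assumed.
SAMPLE_NS_LOG = [
    "11/04/2015:06:31:29 GMT Debug 0-PPE-0 : default SSLVPN Message 106 0 : \"not an EPA line\"",
    "11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 107 0 : CaseID 38136: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.FILE('c:\\\\notepad.exe') EXISTS FAILED(3) on the client machine",
    "11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 108 0 : CaseID 38136: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS FAILED(3) on the client machine",
    "11/04/2015:06:31:30 GMT Error 0-PPE-0 : default SSLVPN CLISEC_CHECK 109 0 : CaseID: 38136 - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client_security_expression \"CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS && CLIENT.FILE('c:\\\\notepad.exe') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"",
    "11/04/2015:06:42:06 GMT Error 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 114 0 : CaseID 39736: - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client security check CLIENT.APPLICATION('ANTIVIR_328000_VERSION_<_5[COMMENT: Zillya Antivirus]') EXISTS FAILED(3) on the client machine",
    "11/04/2015:06:42:06 GMT Error 0-PPE-0 : default SSLVPN CLISEC_CHECK 115 0 : CaseID: 39736 - Client IP 10.252.241.192 - Vserver 10.102.39.219:443 - Client_security_expression \"CLIENT.APPLICATION('ANTIVIR_328000_VERSION_<_5[COMMENT: Zillya Antivirus]') EXISTS\" - Client_security_check \"Failed - User not allowed to login\"",
    "11/04/2015:06:50:12 GMT Debug 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 120 0 : CaseID 40012: - Client IP 10.252.241.200 - Vserver 10.102.39.219:443 - Client security check CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS PASSED on the client machine",
]


def parse_ns_log(lines):
    """Group EPA lines by Case ID -> {client_ip, vserver, checks, expression, verdict}."""
    cases = defaultdict(lambda: {"client_ip": None, "vserver": None, "checks": [],
                                 "expression": None, "verdict": None})
    for line in lines:
        m = CASE_RE.search(line)
        if not m:
            continue  # not a PreAuth EPA line
        case = cases[m.group(1)]
        c = CLIENT_RE.search(line)
        if c:
            case["client_ip"], case["vserver"] = c.groups()
        e = EXP_EVAL_RE.search(line)
        if e:
            code = int(e.group("code")) if e.group("code") else None
            case["checks"].append((e.group("expr"), e.group("result"), code))
            continue
        k = CHECK_RE.search(line)
        if k:
            case["expression"] = k.group("expr")
            case["verdict"] = k.group("verdict")
    return dict(cases)


def failed_checks(cases, case_id):
    """Sub-expressions that failed for one Case ID (empty if unknown or all passed)."""
    return [expr for expr, result, _ in cases.get(case_id, {"checks": []})["checks"]
            if result == "FAILED"]


def report(cases, case_id):
    """One help-desk-readable summary for a Case ID reported by a user."""
    if case_id not in cases:
        # Failures are always ERROR; a passing scan only shows up once the log level includes DEBUG.
        return f"Case ID {case_id}: not found in ns.log (check log level and log rotation)"
    case = cases[case_id]
    failed = failed_checks(cases, case_id)
    status = case["verdict"] or ("all checks passed" if not failed else "failed")
    return (f"Case ID {case_id}: client {case['client_ip']} on vserver {case['vserver']} "
            f"-> {status}; failed sub-expressions: {failed or 'none'}")


if __name__ == "__main__":
    parsed = parse_ns_log(SAMPLE_NS_LOG)
    for cid in parsed:
        print(report(parsed, cid))
```

Feed it real lines with `grep CaseID /var/log/ns.log`, replacing SAMPLE_NS_LOG with the file contents. Per-check results come from CLISEC_EXP_EVAL lines, so a compound expression such as the two-term `&&` example in the article is reported term by term rather than as one opaque failure.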

For more information on Advanced Endpoint Analysis Scans, see the Citrix documentation.
