NetScaler Endpoint Analysis and IGEL OS – a nice way to protect your infrastructure from unauthorized access and to know that ONLY YOUR devices get access!

By Fredrik Brattstig @virtualbrat

2023-August-17
NetScaler Endpoint Analysis (EPA) is a Citrix Gateway feature in which the NetScaler applies checks to the endpoint connecting to the gateway, before a login prompt is even shown. In practice you connect to the Citrix Gateway with a web browser, the browser hands over to the EPA plugin, and the plugin verifies that the configured criteria are met before the user is allowed on to your Citrix apps and desktops.
IGEL has the EPA client integrated into recent versions of IGEL OS 11, and for IGEL OS 12 it is available as an app in the IGEL App Portal.

Looking at the Citrix documentation, there is a small set of EPA scans that can be configured for Ubuntu systems, and the same set applies to IGEL OS.

https://docs.netscaler.com/en-us/citrix-gateway/current-release/vpn-user-config/endpoint-policies

It would be great to have more scan types, but let's see what we can do with what is possible today!

Object type                             Evaluation           Meaning
File                                    Existence            Check whether a file exists on the IGEL OS endpoint
                                        MD5 checksum         Check whether the MD5 checksum of a specific file matches the rule
                                        Text within a file   Look for a text string in a file
Process                                 Existence            Check whether a named process is running
                                        MD5 checksum         Check that the MD5 checksum of the process executable is correct
                                        Path                 Check that the running process was started from the expected path
File system device or mount point name  Partition            Check for a specific mounted device or file system

Endpoint Analysis scans supported for Ubuntu and IGEL OS as of 2023-August-17


Ok, now we know the rules we can work with. What can we do with them? We can check whether a file exists; that is trivial to mimic, since only the file name has to be right. We can also search for a text string in a file, which is almost as easy to reproduce. The MD5 checksum of a file is far more specific. The checksum changes if the file is corrupted, tampered with or replaced by anything other than a byte-identical copy, so a policy that pins a checksum binds the rule to one exact file rather than to a name or a string. Keep the limitation in mind, though: the same checksum is produced by anyone holding a copy of the same file, so the strength of the check lies in how hard that file is to obtain, not in MD5 itself.
Ok, so we go for the MD5 checksum of a file. But which file?
We need a file that is unique to your organization, lives in a known location and does not change (or at least not very often)... Hmm... Every IGEL OS endpoint managed by an IGEL UMS has exactly that: the server certificate used by the IGEL UMS server. It is unique to your organization, and the same file exists on all your endpoints. The file also resides in a protected area of the IGEL OS file system, where the user has no rights to modify it. We will check the MD5 checksum of server.crt, which is found in the /wfs/ directory on all managed IGEL OS endpoints. If you don't know the MD5 checksum of your server.crt, it is easy to get from IGEL OS: open a terminal, log in as root and run md5sum /wfs/server.crt
It prints the MD5 checksum followed by the file name.

MD5 Checksum for my /wfs/server.crt (Don’t worry, this server.crt isn’t my UMS certificate, it’s just a file I’m using for this lab)

Something really neat is that EPA scans can combine several expressions into one evaluation. We can validate that a certain process is running and that its executable is being run from the expected path, a combination of Process->Existence and Process->Path. Checking the path matters: a process name alone is satisfied by any binary renamed to match, whereas the path pins the rule to the executable installed where you expect it. For this article, I will evaluate whether the process xfce4-terminal is running (i.e. a local terminal window is open). Use your imagination to pick the process you want to look for!

We can also search for a specific text string in a file. Let's say we want to make sure that only a specific IGEL OS version can connect to the Citrix Gateway. The OS version is written in clear text in /etc/os-release, so we can search that file for the version string, in this case “12.01.120”.

Now, let's put together the syntax for the NetScaler pre-authentication policy that evaluates all three conditions: the MD5 checksum of /wfs/server.crt is the expected one, a local terminal is running, and the IGEL OS version is 12.01.120:

CLIENT.FILE(/wfs/server.crt).MD5 == d96621787c8282ba56812ffa4673baf3 && CLIENT.APPLICATION.PROCESS('xfce4-terminal') EXISTS && CLIENT.FILE(/etc/os-release).SEARCH == 12.01.120

That gives us the syntax for the three checks. The system I will run the demo on actually has IGEL OS 12 version 12.01.140, so I will adapt the version string accordingly. Note that the file scan is a plain text search: it matches a string, it does not compare numbers, so it cannot express "version above X". It would be great to be able to require that the IGEL OS version is at least 12.01.120, and in the same way to check the version of the installed Citrix Workspace App. Until then, pinning an exact version string means the policy has to be updated whenever you roll out a new IGEL OS release, or the updated endpoints will be turned away.
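To see what those three conditions actually do before they go into a NetScaler policy, here is a local dry run of the same logic on a Linux or IGEL OS endpoint. This is an added example written for this article, not Citrix or IGEL code: the three shell functions mirror the file-MD5, process-with-path and text-search checks, and the demo at the bottom runs them against constructed stand-in files in a temporary directory (the "certificate" is the string hello, whose MD5 is b1946ac92492d2347c6235b4d2611184, not a real server.crt; the running shell stands in for xfce4-terminal). Point the functions at /wfs/server.crt, xfce4-terminal and /etc/os-release to validate your expected values on a real device.

```shell
#!/bin/sh
# Local dry run of the three EPA conditions used in the pre-authentication
# expression: file MD5, process running from an expected path, text in a file.
# Added example for this article; not Citrix or IGEL code. Runs on any Linux
# box with coreutils; the demo below uses constructed files, not /wfs/server.crt.

# Mirrors CLIENT.FILE(<path>).MD5 == <hash>: passes only for a byte-identical file.
check_file_md5() {
    path=$1; expected=$2
    [ -f "$path" ] || return 1
    actual=$(md5sum "$path" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Mirrors CLIENT.FILE(<path>).SEARCH == <string>: a plain substring match,
# so it cannot express "version at least X", only "this exact string occurs".
check_file_search() {
    path=$1; needle=$2
    [ -f "$path" ] || return 1
    grep -qF -- "$needle" "$path"
}

# Mirrors CLIENT.APPLICATION.PROCESS(<name>) EXISTS combined with the Path
# evaluation. /proc/<pid>/comm is the process name (the kernel truncates it to
# 15 characters; xfce4-terminal fits), /proc/<pid>/exe resolves to the binary
# actually running, so a renamed copy outside <expected_dir> does not satisfy it.
check_process_path() {
    name=$1; expected_dir=$2
    for p in /proc/[0-9]*; do
        read -r comm < "$p/comm" 2>/dev/null || continue
        [ "$comm" = "$name" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$expected_dir"/*) return 0 ;;
        esac
    done
    return 1
}

# Combine the three with &&, like the NetScaler expression, and report the
# verdict. Prints ALLOW or DENY and returns 0/1 accordingly.
evaluate_policy() {
    cert=$1; cert_md5=$2; proc=$3; proc_dir=$4; osrel=$5; version=$6
    if check_file_md5 "$cert" "$cert_md5" \
        && check_process_path "$proc" "$proc_dir" \
        && check_file_search "$osrel" "$version"; then
        echo ALLOW; return 0
    fi
    echo DENY; return 1
}

# Demo with constructed inputs (not a real certificate or os-release).
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/server.crt"          # md5: b1946ac92492d2347c6235b4d2611184
    printf 'hello!\n' > "$tmp/tampered.crt"       # same file name, different bytes
    printf 'NAME="IGEL OS"\nVERSION_ID="12.01.140"\n' > "$tmp/os-release"
    # Our own shell stands in for xfce4-terminal so the process check has a live target.
    self_comm=$(cat /proc/$$/comm 2>/dev/null || echo sh)
    self_dir=$(dirname "$(readlink /proc/$$/exe 2>/dev/null || echo /bin/sh)")
    md5=b1946ac92492d2347c6235b4d2611184

    echo "managed endpoint: $(evaluate_policy "$tmp/server.crt" "$md5" "$self_comm" "$self_dir" "$tmp/os-release" 12.01.140)"
    echo "tampered cert:    $(evaluate_policy "$tmp/tampered.crt" "$md5" "$self_comm" "$self_dir" "$tmp/os-release" 12.01.140)"
    echo "older OS pinned:  $(evaluate_policy "$tmp/server.crt" "$md5" "$self_comm" "$self_dir" "$tmp/os-release" 12.01.120)"
    rm -rf "$tmp"
}

demo
```

The demo prints ALLOW for the intact file and the matching version string, and DENY both for the byte-different certificate and for a policy pinned to 12.01.120 on a 12.01.140 endpoint; a process whose binary lives outside the expected directory is likewise rejected even though its name matches.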

So, let's get going! What you will need (and what I used for the demo video below) is IGEL OS 11, or preferably IGEL OS 12, plus the Chromium Browser app, the Citrix Gateway EPA client and the Citrix Workspace App; conveniently, all of them are available in the IGEL App Portal.

You will also need a NetScaler with a Citrix Gateway and a Citrix backend, of course. Bind a pre-authentication policy carrying the evaluations you want to your Citrix Gateway on the NetScaler; if that is unfamiliar territory, reach out to your NetScaler expert!

That is actually it! With this in place, only endpoints that pass the pre-authentication scan, that is, IGEL OS devices carrying your UMS server certificate in /wfs/, ever reach the login dialog; everything else is turned away before authentication even starts. Be clear about what EPA does and does not establish, though. The scan is a posture check performed by the EPA plugin on the client and reported back to the NetScaler, not a hardware-rooted attestation of device identity. A server certificate is also public material by nature: it is presented to every client that completes a TLS handshake with the server, so someone who has obtained a copy of your UMS server.crt and has root on a Linux machine of their own can place a byte-identical file under /wfs/ and reproduce the checksum. The pre-authentication policy therefore raises the bar considerably against unmanaged and unintended devices, but it belongs in front of your normal authentication and MFA, not in place of them.
The video below shows the evaluations I'm doing in my NetScaler before I let users through to the authentication dialog. Enjoy!

/Fred