Allow access from Mobile Devices when EPA is enabled with Netscaler Gateway

This is a new deployment of Netscaler 10.1 and I need to implement End Point Analysis for Windows clients connecting from the Internet, but also allow mobile devices (both Android and iOS) to connect from the Internet.  I know the mobile devices can't run the EPA scan so they need to be able to bypass it either by policy or by using a different virtual server, however I'm having trouble accomplishing this in a way that doesn't make the connection process confusing for end users.  

All of the individual pieces are working right now, just not when I try to put them all together.  Both mobile and windows clients connect successfully to the same virtual server with EPA disabled.  When I enable EPA the Windows clients run the scan and connect successfully if they meet the criteria, but mobile devices can't connect.

According to this article from Citrix eDocs

"If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices."

which makes sense, but then the next sentence says:

"If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server."

That also makes sense, but seems contradictory to the first statement.  I tried unsuccessfully to use policy expressions to bypass EPA for mobile devices using a few different techniques (dumping the mobile devices into a quarantine group, a higher priority session policy, a global session policy) and none of them worked.  I contacted Citrix support and after a couple of days their official answer was to create a secondary virtual server for mobile devices.  I don't have a problem with creating a second virtual server, but the part I am having trouble with (and Citrix couldn't offer any suggestions) is how to avoid having to give two different gateway addresses out for end users and expecting them to remember to use one for mobile and one for Windows.

If they use email-based discovery, it will always work for Windows and never work for mobile (or the reverse, depending on which one is in the SRV record).  The same thing will happen if they click on the link we have on our website to take them to the published app.  It seems like there should be a way with the Netscaler Gateway to use a policy expression on a third virtual server that's just an initial connection point to redirect incoming connections to the virtual server for mobile or the virtual server for Windows based on the client OS.  Or maybe a way to create multiple stores/gateways in Storefront to do this.

For instance, the end users could connect to "referral.mydomain.com" and, based on their OS, be redirected to "mobile.mydomain.com" or "epa.mydomain.com".

I have worked with the Citrix Access Gateway before, but the Netscaler Gateway is a totally different animal so I'm hoping someone with more NS experience can recommend a solution.  

Environment:
1x Netscaler Gateway VPX 10.1
1x Storefront 2.0 with a single store
1x XenApp 6.5

Thanks in advance
turnkeysol asked:

turnkeysol (Author) commented:
Just a point of clarification - the Netscaler is only licensed as a Netscaler Gateway and doesn't have the additional ADC or "real" Netscaler features.
turnkeysol (Author) commented:
I was able to resolve the issue by moving the EPA scans to session policies (Post Authentication) rather than Pre-Authentication.  By adding the EPA criteria to the security/advanced section of the session profile associated only with Windows/Mac clients, I can now connect to the same URL with all types of client devices.  The EPA scan is enforced for Windows and Mac and bypassed for mobile devices.

Thanks to Punit from the Citrix forum for providing this solution.

http://forums.citrix.com/thread.jspa?threadID=337423&tstart=0
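Added example (not from this thread, Citrix or the linked forum post): the NetScaler CLI equivalent of the configuration described in the answer above, with the pre-authentication binding that blocked mobile clients shown first. The vserver, profile and policy names, the User-Agent tests and the EPA expression are assumed placeholder values.

```text
# BEFORE (what blocked mobile clients): EPA bound as a pre-authentication
# policy. Every client must pass the scan before logon, and the Android/iOS
# Receiver cannot run it, so mobile logons fail.
#   add aaa preauthenticationaction epa_allow ALLOW
#   add aaa preauthenticationpolicy epa_preauth "CLIENT.OS(win7) EXISTS" epa_allow
#   bind vpn vserver gw_vsrv -policy epa_preauth -priority 100
#
# AFTER: no pre-authentication policy on the vserver. The EPA expression moves
# into the session profile used only by desktop clients (Security > Advanced
# Settings in the GUI, -clientSecurity on the CLI). Assumed names throughout.

# Session profile for Windows/Mac: the EPA check lives here. The classic
# expression is an assumed placeholder; substitute the checks the site needs.
add vpn sessionAction prof_desktop_epa -clientSecurity "CLIENT.OS(win7) EXISTS" -clientSecurityMessage "Endpoint check failed - contact the help desk."

# Session profile for mobile: same session settings but no -clientSecurity,
# so no EPA is evaluated for sessions that land here.
add vpn sessionAction prof_mobile

# Policies pick a profile by client type. Assumed User-Agent tests; the header
# is client-supplied, so this split is for compatibility, not a trust boundary.
add vpn sessionPolicy pol_mobile "REQ.HTTP.HEADER User-Agent CONTAINS Android || REQ.HTTP.HEADER User-Agent CONTAINS iOS" prof_mobile
add vpn sessionPolicy pol_desktop "REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && REQ.HTTP.HEADER User-Agent NOTCONTAINS iOS" prof_desktop_epa

# Bind both to the single gateway vserver. The lower priority number is
# evaluated first, so the mobile policy is matched before the desktop/EPA one.
bind vpn vserver gw_vsrv -policy pol_mobile -priority 100
bind vpn vserver gw_vsrv -policy pol_desktop -priority 110

# Verify: the vserver should list both session policies and no
# pre-authentication policy.
show vpn vserver gw_vsrv
```

Because the EPA check is evaluated after logon, a desktop client that fails it is still authenticated before being denied, so the gateway's logs show the failed endpoint check rather than a failed logon.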
