This is a new deployment of Netscaler 10.1 and I need to implement End Point Analysis for Windows clients connecting from the Internet, but also allow mobile devices (both Android and iOS) to connect from the Internet. I know the mobile devices can't run the EPA scan so they need to be able to bypass it either by policy or by using a different virtual server, however I'm having trouble accomplishing this in a way that doesn't make the connection process confusing for end users.
All of the individual pieces are working right now, just not when I try to put them all together. Both mobile and windows clients connect successfully to the same virtual server with EPA disabled. When I enable EPA the Windows clients run the scan and connect successfully if they meet the criteria, but mobile devices can't connect.
According to this article from Citrix eDocs
"If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices."
which makes sense, but then the next sentence says:
"If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server."
That also makes sense, but seems contradictory to the first statement. I tried unsuccessfully to use policy expressions to bypass EPA for mobile devices using a few different techniques - dumping the mobile devices into a quarantine group, higher priority session policy, global session policy and none of them worked. I contacted Citrix support and after a couple of days their official answer was to create a secondary virtual server for mobile devices. I don't have a problem with creating a 2nd virtual server, but the part I am having trouble with (and Citrix couldn't offer any suggestions) is how to avoid having to give two different gateway addresses out for end users and expecting them to remember to use one for mobile and one for Windows.
If they use email based discovery, it will always work for windows and never work for mobile (or the reverse depending on which one is in the SRV record). The same thing will happen if they click on the link we have on our website to take them to the published app. It seems like there should be a way with the Netscaler Gateway to use a policy expression on a third virtual server that's just an initial connection point to redirect incoming connections to the virtual server for mobile or the virtual server for Windows based on the client OS. Or maybe a way to create multiple stores/gateways in Storefront to do this.
For instance, the end users could connect to "referral.mydomain.com" and based on their OS be redirected to "mobile.mydomain.com" or "epa.mydomain.com"
I have worked with the Citrix Access Gateway before, but the Netscaler Gateway is a totally different animal so I'm hoping someone with more NS experience can recommend a solution.
1x Netscaler Gateway VPX 10.1
1x Storefront 2.0 with a single store
1x XenApp 6.5
Thanks in advance