CTX-Blog - powered by Ecki’s Place » Registry Scan (Watermark) for CAG 4.5.x Advanced

March 2007
M	T	W	T	F	S	S
		Apr »
	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Registry Scan (Watermark) for CAG 4.5.x Advanced

By ecki

Most people who know Citrix Access Gateway (CAG) with Advanced Access Control (AAC) for a while, especially version 4.2, know the “Citrix Watermark” End Point Analysis Scan (EPA Scan). A possibility to configure the security group membership of a PC withe a simple registry key. In contrast to MAC or Domain filters, this scan made it very easy to change the security context of a PC, very handy for product demonstrations, where you want to visualize different access scenarios.

The update to AAC version 4.2.5, eg. version 4.5 introduced a massive change for EPA Scans. Since then, every EPA Scan has to be signed, which renders the unsigned “Watermark” scan worthless. Every EPA Scan delivered with AAC 4.5 is now already signed by Citrix and if you try to create your own EPA Scans, you have to sign them too and build your own specific EPA Scan MSI package. Lots of customers try to avoid this effort and the costs associated with signing certificates. For Citrix partners, trying to build just a demo site, the effort and the costs are too high as well. If you do not intend to spend money on Custom Scans for example from EPAFactory, you are stuck with the scans provided by Citrix:-(

I will therefore show a way, how you can accomplish a working registry scan with the means provided by a standard setup of AAC. Most EPA Scans do in fact nothing else than reading predefined keys in the registry of the client PC. Therefore almost any EPA Scan can be used as registry scan. As an example i will use the “Citrix Scans for Windows Update” shipped with AAC. This scan reads on a client PC recursively all keys beneath:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\

and reports back the KB-numbers found. It must be pointed out, that keys directly below the “Updates”-key are NOT delivered back to the AAC server. You should therefore use an existing key like “SP2″ to create your own KB-number key. Knowing that, it is fairly simple to create your own registry scan. A detailed description with screen shots of this process can be found here (german only).

Regards
Ecki

This entry is filed under °AAC, °Access Gateway, Citrix. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Srini says:

October 23, 2007 at 5:38 AM

Hi,

Good article about scanning registry for windows update.

I would like to know do you use any software to analyze the Endpoint scaning results. I know EPA scan details are in AAC event log. But I would like to know is there any automated was to analyze and generate a report?

Thanks
Srini

ecki says:

October 23, 2007 at 9:36 PM

Most customers of mine just use the eventlog consolidator provided with AAC to check the eventlogs of their AAC farm for problems.

You could anyway use products like MOM, or GFI Eventsmanager to consolidate the standard Windows event logs. Citrix doesn’t offer a solution for this problem today, but as fast as they acquire new companies, you never know

October 24, 2007 at 4:27 AM

Thanks. I think we should have Qwest software already, let me look at that.

J House Consulting / The Myth Surrounding Various End-Point Analysis Scans says:

January 14, 2008 at 8:44 AM

[...] “Watermark” Scan: See here for the original article from Ecki. I have enhanced the article and used a different registry key [...]

Elisse says:

January 7, 2011 at 3:30 AM

Now you can get third party EPA scans for free through citrix.opswat.com.