Most people who know Citrix Access Gateway (CAG) with Advanced Access Control (AAC) for a while, especially version 4.2, know the “Citrix Watermark” End Point Analysis Scan (EPA Scan). A possibility to configure the security group membership of a PC withe a simple registry key. In contrast to MAC or Domain filters, this scan made it very easy to change the security context of a PC, very handy for product demonstrations, where you want to visualize different access scenarios.

The update to AAC version 4.2.5, eg. version 4.5 introduced a massive change for EPA Scans. Since then, every EPA Scan has to be signed, which renders the unsigned “Watermark” scan worthless. Every EPA Scan delivered with AAC 4.5 is now already signed by Citrix and if you try to create your own EPA Scans, you have to sign them too and build your own specific EPA Scan MSI package. Lots of customers try to avoid this effort and the costs associated with signing certificates. For Citrix partners, trying to build just a demo site, the effort and the costs are too high as well. If you do not intend to spend money on Custom Scans for example from EPAFactory, you are stuck with the scans provided by Citrix:-(

I will therefore show a way, how you can accomplish a working registry scan with the means provided by a standard setup of AAC. Most EPA Scans do in fact nothing else than reading predefined keys in the registry of the client PC. Therefore almost any EPA Scan can be used as registry scan. As an example i will use the “Citrix Scans for Windows Update” shipped with AAC. This scan reads on a client PC recursively all keys beneath:


and reports back the KB-numbers found. It must be pointed out, that keys directly below the “Updates”-key are NOT delivered back to the AAC server. You should therefore use an existing key like “SP2” to create your own KB-number key. Knowing that, it is fairly simple to create your own registry scan. A detailed description with screen shots of this process can be found here (german only).