Sunday, 7 June 2015

EPA OPSWAT Packet flow and Troubleshooting

OPSWAT Packet flow and  Troubleshooting:-


Netscaler 10.5 we have noticed the new feature of OPSWAT Editor. It's just like the same EPA we have earlier but with some extra features from 3rd Party OPSWAT. 


Before you begin make sure your client machine has the Root CA of the AGEE vserver under Trusted Root CA certificate on your machine else it will fail in the initial check itself


To configure OPSWAT just go to the OPSWAT editor and give the expression you like

Here I am testing for some expression as below
First expression is checking if Internet Explorer is running or My system domain belongs to "WrongDomain" or My mozilla firefox browser should be my default browser and must be above version 30.0.

CLIENT.APPLICATION('BROWSER_60000_RUNNING_==_TRUE[COMMENT: Internet Explorer]') EXISTS || CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_WrongDomain[COMMENT: Domain check]') EXISTS || CLIENT.APPLICATION('BROWSER_61000_VERSION_>_30.0_DEFAULT_==_TRUE[COMMENT: Mozilla Firefox]') EXISTS



The configuration part is pretty simple in the OPSWAT as you can see it's easy to understand. As I did for my Mozilla firefox check





Now it's time to Test this.

In my system from which I am trying it has Internet explorer running, Mozilla firefox is default browser and is of version 32.0 but my domain is not "wrongDomain" this I did intentionally so this check should fail. But overall it should pass since my expressions has 3 expressions and if any one of them match then Netscaler will allow me to access.

Go to my AGEE Page and it prompted for the EPA plugin scan , I clicked YES



After this I got prompted for the AGEE credentials which means my scan is successful


Let's see the reason why, So that you can troubleshoot yours.

Before Reproducing the issue make sure you do the following things

1.       Disable SSL session reuse from the AGEE vserver otherwise you won't be able to decrypt the trace. You can enable it afterwards



2.       Make the following changes in your client Registry for the OPSWAT log collection( it won't harm in anyway)
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Make a DWORD value with "EnableEPALogging" and set the value to 1


3.       Now start the trace on Netscaler and reproduce the problem
4.       After that go to command prompt run as administrator and go to
C:\Program Files\Citrix\Secure Access Client
And run the command
nsClientCollect.exe <path where you want to save the outputfile\<filename.zip>





So the Logs are collected.

Analyzing the Logs:-
Wireshark:-
The Typical Packet Flow look like this


·         You send a GET / to the AGEE
·         Get redirected to 302 for the epa.html page
·         Next Get is for epa.html page followed by a 200 OK

·         Then client send the GET/ epatype for which the Netscaler replies with the type of epa being performed. In my case it's just epa and no device cert hence that is off


·         Then comes the major packet called GET/epaq where client request for the type of scan to be performed
                                 As you can see in the below highlighted that the NS replied with the scans to be performed

First check is for Mozilla browser version should be above 30.0 and should be default
Second is my domain should be "Wrong Domain"
Third my browser must be running Internet explorer




Before running these scans the client check with netscaler about the OPSWAT library version. If it matches then it continues otherwise it will download the new version from Netscaler. In our case it same so no downloads



In the Next request the Netscaler sends back it's epa scan result. Always 0 means successful and non zero means there is a failure


In my scenario 
First check is for Mozilla browser version should be above 30.0 and should be default----- Passed so value 0
Second is my domain should be "Wrong Domain"--- Failed since I don't belong to this doman value 3
Third my browser must be running Internet explorer----- Passed since my Internet explorer is running, Value 0

So I got the CSEC header value as 030 as you can notice below



Since in my Netscaler the condition is to allow if any one of them matches hence I got a 200 OK with value 10


For e.g. In case of failure scenario the expression will fail and you will see following in the response as 00.



So getting a 10 is our main concern and avoiding 00


Client Logs Analysis:-

When you will extract the Output file you will notice the following files. Out of which highlighted are our concern ( if you don't see epaHelper_epa_plugin file then that means you forgot to enable Registry value as mentioned above or it's wrongly given)



In epaHelper_epa_plugin file you can see all your result

Adv. EPA Scan log file
Date: 09/18/2014
Time: 23:42:22
=========================
23:42:22.500 Successfully parsed tokens
23:42:23.125 Oesis framework init SUCCESS
23:42:23.268 Version value 32.0.1 , expected 30.0
23:42:27.127 Scan Passed  ( So Mozilla firefox scan passed, since my version is 32.0 which is above 30.0)
23:42:27.127 Successfully parsed tokens
23:42:27.127 Domain is lab.net
23:42:27.127 Scan failed for Scan method SUFFIX  ( Here its failed since my domain is lab.net but I Netscaler tried to search for Wrong Domain)
scanQuery : DOMAIN_SUFFIX_anyof_WrongDomain
23:42:27.127 Successfully parsed tokens
23:42:27.200 Scan Passed


If you need more detailed analysis then you can go for nsepa logs which will give you the same information as I told you in wireshark. Most important is to check the CSEC value as you can see it's 030 here.

23:42:27.201
<GET epas HTTP/1.1

Cookie: NSC_EPAC=********************************

CSEC: 030





post body information is hidden >

23:42:27.217 FQDN of the server is agee.com
23:42:27.217 downloaded total 118 bytes
23:42:27.217 ns_HTTPrequest return value is: 118
23:42:27.217 Received headers size 80
23:42:27.217 ns_start_epa returning passed


Important Notes as of 10.5 build:-
·         In device cert check is present then there will be one extra value EPA type ON and Device Cert ON
·         Except for Device Cert auth , Epa package upgrade or running doesn't  need admin right.
           In OPSWAT scan,EPA plugin will check what version is there on Netscaler, If Netscaler version is above then the installed on client then  it will ask for new library
with GET /epapackage and will install the new epaPackage
·         To check the OPSWAT EPA library you can got to following director of Netscaler and check the version.xml file
/netscaler/ns_gui/epa

root@NG10# more version.xml
<?xml version="1.0" encoding="UTF-8"?>
<Windows>
        <EPALib>1.1.1.8</EPALib>
</Windows>
root@NG10#
·         In mac the client logs are situated at Library/Appliation support/citrix/epa plugin/epaplugin.log ( You don't have to run any command to collect logs)
·         Netscaler at present has a limit of 1499 characters for expressions including all the fields of the expression from starting till end
In case you have a requirement then to overcome this by creating new policies
·         CSEC value limit is 25K of buffer. So if the scan CSEC value took more than 25K of buffer normally in mac address scan then scan will fail
·         To upgrade the OPSWAT build no need of Netscaler upgrade is required.