Author Topic: agee quarantine.  (Read 452 times)

atomiser
« on: November 21, 2011, 07:58:20 AM »
i am trying to achieve full ssl vpn for corporate devices, with fallback to csg-style application/desktop delivery for non-corporate devices.

i have two session policies - one which enforces an ssl vpn profile, and another which enforces a csg-style application/desktop delivery profile.

both of these work perfectly in isolation when bound to an AD group and the expression to match is just a simple ns_true value.

i now have two groups in AD, one for agee-sslvpn and another for agee-icaproxy.  both groups contain the same users.  i have bound the ssl vpn profile to the agee-sslvpn group.

i am now trying to use the quarantine function under security > advanced > client security to point non-corporate devices to the agee-icaproxy group which has the csg-style application/desktop delivery profile bound to it.

for the client security expression i am trying to use:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\Tcpip\\\\Parameters_Domain').VALUE != domain.org

the idea being that devices that are a member of our domain receive full ssl vpn access and devices that are not receive csg-style application/desktop delivery.

no machine will pass the epa scan - all fail with 'unable to send epaq'.  i have tried every connotation of syntax for this security expression that i can think of, but nothing seems to work.