I think I found the issue, but need to check on the client site when I get in tomorrow. I had a policy that was globally bound - but typically don't see the 'green tick' in the GUI interface... If it's not that it might be an AAA user policy - need to check that also...

Getting there - I'll post back if no good.

Cheers :)

Date: Thu, 19 Dec 2013 17:13:54 -0600
Subject: [THIN] Re: Netscaler Post Auth Session Policy Failure?
From: tsorenson99@xxxxxxxxx
To: thin@xxxxxxxxxxxxx

Season's Greetings and long time since we've seen you!

Can you post the relevant parts of your scrubbed ns.conf?

On Thu, Dec 19, 2013 at 1:59 PM, James Scanlon <scanjam@xxxxxxxxxxx> wrote:

Greetings thin list legends! Long time no email!

Quick one. I have a single Netscaler Access Gateway with one post auth session policy which points them to storefront. It runs a single EPA check for a registry key for the domain membership. If it fails the registry check however it's 'defaulting' to the client choices page and starts running an SSL VPN!?!

I've checked all advanced settings and the global settings - and there is literally nothing set to create this? Any idea how to set a policy so that 'If your EPA scan fails' the system just denies access? Or even another policy which would direct them to a web server that doesn't exist or really ANYTHING other than starting a FULL SSL VPN!! :)

I hope everyone is well and looking forward to the holidays! All the best for xmas and the new year.

scanjam