Citrix Gateway

AlwaysOn VPN before Windows logon (Formally AlwaysOn service)

The AlwaysOn VPN before Windows logon feature enables user to establish a VPN tunnel even before a user logs in to a Windows system. This persistent VPN connectivity is achieved by an automatic establishment of a device-level VPN tunnel once the device boots up. This feature enables the following.

  • Windows machine can verify the user’s login credential using corporate active directory (AD) and Windows credentials on the machine are not cached. Also, new corporate AD users are enabled to seamlessly log on to the machine.
  • Windows machine becomes a part of corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.
  • VPN tunnel for a Windows machine remains connected even when different users log in or log out to the machine.

Note: The supported authentication mechanisms for the AlwaysOn VPN before Windows logon functionality is device certificate and client certificate authentication with second factor “off”.

Points to note

  • If a client machine does not have internet connectivity, AlwaysOn VPN before Windows logon waits for the internet connectivity to become available before establishing the VPN tunnel.
  • If a client machine is connected to a captive portal network, AlwaysOn VPN before Windows logon waits for the user to authenticate to the captive portal. After the user logs in and internet access is enabled, AlwaysOn VPN before Windows logon establishes the VPN tunnel.
  • AlwaysOn VPN before Windows logon supports captive portals for Citrix ADC 12.0 Build 51.24 and later.
  • If cached logon credentials option is not enabled for Windows, then users cannot log on in the following scenarios:
    • Machine has no internet connectivity
    • Machine is connected to a captive portal network

Configure AlwaysOn VPN before Windows logon

To configure AlwaysOn before logon VPN for Windows perform the following steps on your Windows machine.

  1. Install the Citrix Gateway client. For information, see Installing the Citrix Gateway plug-in for Windows.

  2. Install certificate used for Citrix Gateway authentication to machine store (computer account).

  3. Set up the following registry keys at [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client].

    Registry key - AlwaysOnService; Type - REG DWORD; Possible values - 0 or 1; Description - 0 to disable AlwaysON service, 1 to enable AlwaysOn service.

    Registry key - AlwaysOnURL; Type: REG SZ; Possible valueshttps://xyz.companyDomain.com; Description - URL of the Citrix Gateway virtual server user wants to connect to.

  4. Optionally, you can configure the following functionalities:

    • Location Based VPN

    • Network Access On VPN Failure

    For information on configuring the above options, see AlwaysON

    Note: The above functionalities come to effect only after user connects to the VPN tunnel once.

  5. Restart the machine.  

  6. To enable debug logging for AlwaysOn VPN before logon, administrators can configure the following registry entry in the client machine:

    Registry key - ForcedLogging; Type - REG DWORD; Possible values - 0 or 1; Description - 0 to disable debug logging, 1 to enable debug logging.

AlwaysOn VPN before Windows logon (Formally AlwaysOn service)