Always On VPN before Windows Logon (formally Always On service)
The AlwaysOn VPN before Windows Logon (Formally Always On service) feature enables a user to establish a machine level VPN tunnel even before a user logs in to a Windows system. The tunnel remains active until the machine shuts down. After the user logs on, the device-level VPN tunnel is taken over by a user-level VPN tunnel. After the user logs off, the user-level tunnel is torn and a device-level tunnel is established. Always On VPN before Windows Logon can be configured by using advanced policies only. For details see, Configure Always On VPN before Windows Logon.
Always On VPN before Windows Logon encompasses the following:
- Windows machine can verify the user’s login credential using the corporate active directory (AD) and Windows credentials on the machine are not cached. Also, new corporate AD users are enabled to seamlessly log on to the machine.
- Windows machine becomes a part of the corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.
- VPN tunnel for a Windows machine remains connected even when different users log in or log out to the machine.
Points to note:
- Citrix Gateway and VPN plug-in must be version 126.96.36.199 and later.
- If a client machine does not have internet connectivity, Always On VPN before the Windows Logon waits for the internet connectivity to become available before establishing the VPN tunnel.
- If a client machine is connected to a captive portal network, Always On VPN before the Windows Logon waits for the user to authenticate to the captive portal. After the user logs in and internet access is enabled, Always On VPN before the Windows Logon establishes the VPN tunnel.
- Always On VPN before Windows Logon feature supports captive portals for Citrix ADC.
- If the cached logon credentials option is not enabled for Windows, then users cannot log on in the following scenarios:
- Machine has no internet connectivity
- Machine is connected to a captive portal network
Windows credential manager screen after Always On VPN before Windows Logon configuration
After the Always On VPN before Windows Logon feature is configured, the Windows credentials manager screen is modified as follows.
When you click Sign-in options on the logon screen, the following information is displayed:
- Citrix Gateway icon suggests whether the machine is connected to Citrix Gateway or not.
- Depending on the user configuration mode, one of the following statements is displayed on the logon screen.
- Citrix Gateway is connected in service mode
- Citrix Gateway is connected in user mode