AlwaysOn before logon for Windows

AlwaysOn before logon for Windows enables a VPN tunnel to be established even before a user logs in to a Windows system. This persistent VPN connectivity is achieved by automatically establishing a device-level VPN tunnel as soon as the device boots up. The AlwaysOn before logon for Windows feature can be configured for the following two capabilities.

  • AlwaysOn before logon for Windows without a user persona – A device-level VPN tunnel is established once the device boots up. The tunnel remains active until the machine shuts down. AlwaysOn before logon for Windows without a user persona can be configured by using classic and advanced policies. For details, see AlwaysOn before logon without a user persona.
  • AlwaysOn before logon for Windows with a user persona – A device-level VPN tunnel is established once the device boots up. After the user logs in, the device-level VPN tunnel is taken over by a user-level VPN tunnel. After the user logs off, the user-level tunnel is torn down and a device-level tunnel is established again. AlwaysOn before logon for Windows with a user persona can be configured by using advanced policies only. For details, see AlwaysOn before logon with a user persona.

AlwaysOn before logon for Windows provides the following:

  • The Windows machine can verify the user’s logon credentials against the corporate Active Directory (AD), and Windows credentials are not cached on the machine. New corporate AD users can also log on to the machine seamlessly.
  • The Windows machine becomes part of the corporate intranet even before users log in, allowing IT administrators to reach the client machine from the corporate network for debugging purposes.
  • The VPN tunnel for a Windows machine remains connected even as different users log in to or log out of the machine.

System requirements

The following table summarizes the Windows, Citrix ADC, and Windows plug-in versions that support AlwaysOn service with and without a user persona.

  • AlwaysOn service without a user persona
    • Windows version: Windows 7 and later
    • Citrix ADC and Windows VPN plug-in version: No recommendation on a specific Citrix ADC version. The VPN plug-in must be version 13.0.36.xx and later or 12.1.53.xx and later.
  • AlwaysOn service with a user persona
    • Windows version: Windows 8 and later
    • Citrix ADC and Windows VPN plug-in version: Citrix ADC and the VPN plug-in must be version 13.0.41.xx and later.

Points to note:

  • AlwaysOn before logon for Windows is supported only on Windows machines.
  • If a client machine does not have internet connectivity, AlwaysOn before logon waits for internet connectivity to become available before establishing the VPN tunnel.
  • If a client machine is connected to a captive portal network, AlwaysOn before logon waits for the user to authenticate to the captive portal. After the user logs in and internet access is enabled, AlwaysOn before logon establishes the VPN tunnel.
  • The AlwaysOn feature supports captive portals on Citrix ADC 12.0 Build 51.24 and later.
  • If the cached logon credentials option is not enabled for Windows, users cannot log on in the following scenarios:
    • Machine has no internet connectivity
    • Machine is connected to a captive portal network

Windows credential manager screen after AlwaysOn before logon configuration

After the AlwaysOn before logon feature is configured, the Windows credential manager screen is modified as follows.

Windows credential manager screen

When you click Sign-in options on the logon screen, the following information is displayed:

  • The Citrix Gateway icon indicates whether the machine is connected to Citrix Gateway.
  • Depending on the user configuration mode, one of the following statements is displayed on the logon screen.
    • Citrix Gateway is connected in service mode
    • Citrix Gateway is connected in user mode
    • URL for the Citrix Gateway machine is displayed

Configure AlwaysOn before logon for Windows

Client side configuration

The AlwaysOn, locationDetection, and suffixList registry values are optional; they are needed only if AlwaysOn functionality is required in addition to the AlwaysOn service.

Each entry below lists the registry key, its registry type, and its values and description.

  • AlwaysOnService (REG_DWORD): 1 => Enable AlwaysOn service without a user persona; 2 => Enable AlwaysOn service with a user persona
  • AlwaysOnURL (REG_SZ): URL of the Citrix Gateway virtual server that the user wants to connect to. Example: https://xyz.companyDomain.com
  • AlwaysOn (REG_DWORD): 1 => Allow network access on VPN failure; 2 => Block network access on VPN failure
  • locationDetection (REG_DWORD): 1 => Enable location detection; 0 => Disable location detection
  • suffixList (REG_SZ): Comma-separated list of intranet domains. Used when location detection is enabled.
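The following PowerShell script is an added example, not Citrix's own code: it writes the registry values listed above with the documented types and reads each one back to verify it. The registry key path ($KeyPath) is a placeholder that you must replace with the path the plug-in actually uses; the parameter names and the defaults (block network access on VPN failure, location detection off) are the example's own choices.

```powershell
# Added example, not Citrix's own code: set the AlwaysOn before logon values
# listed above and read them back. $KeyPath is a placeholder (assumption).
param(
    [ValidateSet(1, 2)] [int] $AlwaysOnService = 1,   # 1 = without user persona, 2 = with user persona
    [Parameter(Mandatory)] [string] $AlwaysOnURL,     # Gateway virtual server URL, e.g. https://xyz.companyDomain.com
    [ValidateSet(1, 2)] [int] $AlwaysOn = 2,          # 1 = allow, 2 = block network access on VPN failure
    [ValidateSet(0, 1)] [int] $LocationDetection = 0, # 1 = enable, 0 = disable location detection
    [string[]] $SuffixList = @()                      # intranet domains, only used with location detection
)

$KeyPath = 'HKLM:\SOFTWARE\<PLACEHOLDER-plug-in-registry-path>'   # replace with the plug-in's real key

# The Gateway virtual server URL is expected to be HTTPS, as in the example above.
if ($AlwaysOnURL -notmatch '^https://') { throw 'AlwaysOnURL must begin with https://' }

# "With a user persona" is supported on Windows 8 and later (see System requirements).
if ($AlwaysOnService -eq 2 -and [Environment]::OSVersion.Version -lt [Version]'6.2') {
    throw 'AlwaysOn service with a user persona requires Windows 8 or later'
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Registry type per value, as given in the table above.
$values = [ordered]@{
    AlwaysOnService   = @{ Type = 'DWord';  Value = $AlwaysOnService }
    AlwaysOnURL       = @{ Type = 'String'; Value = $AlwaysOnURL }
    AlwaysOn          = @{ Type = 'DWord';  Value = $AlwaysOn }
    locationDetection = @{ Type = 'DWord';  Value = $LocationDetection }
}
if ($SuffixList.Count -gt 0) {
    $values['suffixList'] = @{ Type = 'String'; Value = ($SuffixList -join ',') }
}

foreach ($name in $values.Keys) {
    Set-ItemProperty -Path $KeyPath -Name $name -Value $values[$name].Value -Type $values[$name].Type
}

# Read every value back so a typo is caught before the next reboot depends on it.
foreach ($name in $values.Keys) {
    $actual = (Get-ItemProperty -Path $KeyPath -Name $name).$name
    $state = if ("$actual" -eq "$($values[$name].Value)") { 'OK' } else { 'MISMATCH' }
    '{0,-18} {1,-9} {2}' -f $name, $state, $actual
}
```

Run it from an elevated PowerShell session, because the values live under HKLM.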

For more information about AlwaysOn, see AlwaysOn.