AlwaysOn service for Windows

AlwaysON service for Windows enables Citrix Gateway to establish a VPN tunnel even before users log in to a Windows system. This feature enables the following.

  • Windows machine becomes a part of corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.

  • Windows machine can verify user’s login credential using corporate active directory (AD) and Windows credentials on the machine are not cached. Also, new corporate AD users are enabled to seamlessly login to the machine.

  • VPN tunnel for Windows machine remains connected even when different users log in or log out to the machine.

    Note: The only supported authentication mechanism for the AlwaysON service for Windows functionality is Certificate Authentication with second factor “off”.

Note: AlwaysON feature supports captive portals for Citrix ADC 12.0 Build 51.24 and later.

Configure AlwaysON service for Windows

To configure AlwaysON service for Windows perform the following steps on your Windows machine.

  1. Install the Citrix Gateway client. For information, see Installing the Citrix Gateway plug-in for Windows.

  2. Install certificate used for Citrix Gateway authentication to machine store (computer account).

  3. Set up the following registry keys at [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client].

    Registry key - AlwaysOnService; Type - REG DWORD; Possible values - 0 or 1; Description - 0 to disable AlwaysON service, 1 to enable AlwaysOn service.

    Registry key - AlwaysOnURL; Type: REG DWORD; Possible values - https://xyz.companyDomain.com; Description - URL of the Citrix Gateway virtual server you want to connect to.

  4. Optionally, you can configure the following functionalities:

    • Location Based VPN

    • Network Access On VPN Failure

    For information on configuring the above options, see AlwaysON

    Note: The above functionalities come to effect only after user connects to the VPN tunnel once.

  5. Restart the machine.  

  6. To enable debug logging for AlwaysOn service, administrators can configure the following registry entry in the client machine:

    Registry key - ForcedLogging; Type - REG DWORD; Possible values - 0 or 1; Description - 0 to disable debug logging, 1 to enable debug logging.

Points to note

  • The AlwaysON service for Windows feature is supported only on Windows machine.

  • If a client machine does not have internet connectivity, AlwaysOn service waits for the internet connectivity to become available before establishing the VPN tunnel.

  • If client machine is connected to a captive portal network, AlwaysON service waits for user to authenticate to the captive portal. After user logs in and internet access is enabled, AlwaysON service establishes VPN tunnel.