Citrix Gateway

View PDF

Configure Always On VPN before Windows Logon

April 20, 2022

Contributed by:

This section captures the details to configure Always On VPN before Windows Logon by using an advanced policy.

Prerequisites

Citrix Gateway and VPN plug-in must be version 13.0.41.20 and later.
Citrix ADC Advanced Edition and higher is required for the solution to work.
You can configure the functionality only by using advanced policies.
The VPN virtual server must be up and running.

High-level configuration steps

The Always On VPN before Windows Logon configuration involves the following high-level steps:

Set up a machine level tunnel
Set up a user level tunnel (optional)
Enable user authentication
1. Configure the VPN virtual server and bind the certificate key to the virtual server.
2. Create an authentication profile
3. Create an authentication virtual server
4. Create authentication policies
5. Bind the policies to the authentication profile

Machine level tunnel

Machine level tunnel is established towards Citrix Gateway using the device certificate as identity. Device certificate must be installed in the client machine under the machine store. This is applicable only for Always On before Windows Logon service.

For more details on device certificate, see Use device certificates for authentication.

Important:

If the VPN virtual server on the Citrix Gateway appliance is configured on a nonstandard port (other than 443), the machine-level tunnel does not work as intended.

Set up machine level tunnel by using the device certificate

Device certificate based authentication configuration by using the GUI

On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
On the VPN Virtual Server page, click the edit icon.
Click Add next to the CA for Device Certificate section and click OK.

Note: Do not select the Enable Device Certificate check box.
For binding a CA certificate to the virtual server, click CA certificate under Certificate section. Click Add Binding under the SSL Virtual Server CA Certificate Binding page.
Note:
- The device certificate’s subject common name (CN) field must not be empty. If a device tries to log in with empty CN device certificates, its VPN session is created with the user name as “anonymous”. In IIP, if multiple sessions have the same user name, previous sessions are disconnected. So, when IIP is enabled, you notice the functionality impact because of an empty common name.
- All CA certificates (Root and Intermediate) that can potentially sign the Device Certificate issued to clients must be bound under the CA for Device Certificate section and also the CA Certificate binding section for virtual server in Steps 4 and 5. For more information on linking CA certificate with intermediate / subordinate, see Install, link, and update certificates.
- If multiple device certificates are configured, the certificate with the longest expiry date is tried for the VPN connection. If this certificate allows the EPA scan successfully, then the VPN connection is established. If this certificate fails in the scan process, the next certificate is used. This process continues until all the certificates are tried.
Click Click to select to select the required certificate.
Select the required CA certificate.
Click Bind.
Create an authentication virtual server.
1. On the VPN Virtual Servers page, under Authentication Profile, click Add.
2. On the Create Authentication Profile page, provide a name for the authentication profile, and click Add.
3. On the Authentication Virtual Server page, provide a name for the authentication virtual server. Select IP Address Type as Non-Addressable, and click OK. Note: The authentication virtual server always remains in DOWN state.
Create an authentication policy.
1. Under Advanced Authentication Policies, click inside the authentication policy.
2. On the Policy Binding page click Add next to Select Policy.
3. On the Create Authentication Policy page;
  1. Enter a name for the advance authentication policy.
  2. Select EPA from the Action Type list.
  3. Click Add next to Action.
4. On the Create Authentication EPA Action page;
  1. Enter a name for the EPA action to be created.
  2. Enter sys.client_expr("device-cert_0_0") in the Expression field.
  3. Click Create.
On the Create Authentication Policy page;
1. Enter a name for the authentication policy.
2. Enter is_aoservice in the Expression field.
3. Click Create.
On the Policy Binding page, enter 100 in Priority and click Bind.

Device certificate based authentication configuration by using the CLI

Bind a CA certificate to the VPN virtual server.

bind ssl vserver <vServerName> -certkeyName <string> -ocspCheck ( Mandatory | Optional )
<!--NeedCopy-->

Example

bind ssl vserver TestClient -CertkeyName ag51.xm.nsi.test.com -CA -ocspCheck Mandatory
<!--NeedCopy-->

Add and authentication virtual server.

add authentication authnProfile <name>  {-authnVsName <string>}
<!--NeedCopy-->

Example

add authentication authnProfile always_on -authnVsName always_on_auth_server
<!--NeedCopy-->

Create an authentication EPA action.

add authentication epaAction <name> -csecexpr <expression>
<!--NeedCopy-->

Example

add authentication epaAction epa-act -csecexpr      `sys.client_expr("device-cert_0_0")` -defaultgroup epa_pass
<!--NeedCopy-->

Create an authentication policy

add authentication Policy <name> -rule <expression> -action <string>
<!--NeedCopy-->

Example:

add authentication Policy always_on_epa_auth -rule is_aoservice -action epa_auth
<!--NeedCopy-->

Important:

The machine-level tunnel configuration is now complete. To set up the user-level tunnel after the Windows Logon, see the section User Level Tunnel.

On the client machine, the device certificate is in the .pfx format. The .pfx certificate is installed on the Windows machine as Windows understand the .pfx format. This file has the certificate and key files. This certificate must be of the same domain which is bound to the virtual server. The .pfx and server certificates and keys can be generated by using the client certificate wizard. These certificates can be used with the certificate authority to generate the respective .pfx with server certificate and domain. The certificate .pfx is installed in the computer account in the personal folder. The show aaa session command displays the device tunnel on the Citrix ADC appliance.

User Level Tunnel

Replace a machine-level tunnel with a user-level tunnel by using the GUI

Note: The expression is_aoservice.not is applicable from Citrix Gateway version 13.0.41.20 and later.

Configure a policy for user authentication.
1. Navigate to Citix Gateway > Virtual Servers and in Advanced Settings, click Authentication Profile.
2. Configure the authentication profile.
3. On the Authentication Virtual Server page, click inside the authentication policy.
4. In Select Action, click Edit Binding and change GoTo Expression to NEXT instead of END for the policy bound.
5. Click Bind and then in the Authnetication Policy page, click Add binding.
6. On the Policy Binding page, click Add next to Select Policy. On the Create Authentication Policy page;
  1. Enter a name for the “no authentication” policy to be created.
  2. Select action type as No_AUTHN.
  3. Enter is_aoservice.not in the Expression field.
  4. Click Create.
In Select Action, click Edit Binding.
On the Policy Binding page, enter 110 in Priority. Click Add next to Select Next Factor.
1. On the Authentication Policy Label page, enter a descriptive name for the policy label, select the login schema, and click Continue.
2. In Select Policy, click Add and create an LDAP authentication policy.
3. Click Create, and then click Bind.
4. Click Done, and then click Bind.
In the Authentication Policy page, the Next Factor column displays the configured next factor policy.
You can configure LDAP policy as the next factor of authentication policy.
1. On the Create Authentication Policy page, enter a name for the LDAP policy.
2. Select Action Type as LDAP.
3. Enter Action as configured LDAP action.
Note:
- For creating login schema XML file, see Login schema XML file.
- For creating policy labels, see Authenticate the policy label.
- For creating an LDAP authentication policy, see To configure LDAP authentication by using the configuration utility.

Replace a machine-level tunnel with a user-level tunnel by using the CLI

Bind a policy to the authentication virtual server

bind authentication vserver <name> -policy <name> -priority  <positive_integer> -gotoPriorityExpression <expression>
<!--NeedCopy-->

Example

bind authentication vserver alwayson-auth-vserver -policy alwayson-auth-pol -priority 100 -gotoPriorityExpression NEXT

<!--NeedCopy-->

Add an authentication policy with the action as NO_AUTH and expression is_aoservice.not, and bind it to the policy.

add authentication Policy <name> -rule <expression> -action <string>

bind authentication vserver <name> -policy <name> -priority <positive_integer> -gotoPriorityExpression <expression>
<!--NeedCopy-->

Example

add authentication Policy alwayson-usertunnel-pol -rule is_aoservice.not -action NO_AUTHN

bind authentication vserver alwayson-auth-vserver -policy alwayson-usertunnel-pol -priority 110
<!--NeedCopy-->

Add a next factor and bind the policy label to the next factor.

add authentication policylabel <labelName> -loginSchema <string>

bind authentication  policylabel <string>  -policyName <string>  -priority <positive_integer> -gotoPriorityExpression <expression> -nextFactor <string>
<!--NeedCopy-->

Example

add authentication policylabel user-tunnel-auth-label -loginSchema singleauth_alwayson

bind authentication policylabel user -policyName alwayson-usertunnel-pol -priority 100
<!--NeedCopy-->

Configure an LDAP policy and bind it to the user tunnel policy label.

add authentication policy <name>  -rule <expression>  -action <string>

bind authentication vserver <vserver_name> -policy <string>  -priorit < positive integer>  gotoPriorityExpression <string>
<!--NeedCopy-->

Example

add authentication Policy LDAP_new -rule true -action LDAP_new

bind authentication policylabel user-tunnel-auth-label -policyName LDAP_new -priority 100 -gotoPriorityExpression NEXT
<!--NeedCopy-->

Client side configuration

The AlwaysOn, locationDetection, and suffixList registries are optional and only required if the location detection functionality is needed.

To access registry key entries, navigate to the following path: Computer>HKEY_LOCAL_MACHINE>SOFTWARE>Citrix>Secure Access Client

Registry key	Registry type	Values and description
AlwaysOnService	REG_DWORD	1 => Establish machine level tunnel but not user level tunnel; 2 => Establish machine level tunnel and user level tunnel
AlwaysOnURL	REG SZ	URL of the Citrix Gateway virtual server the user wants to connect to. Example: `https://xyz.companyDomain.com` Important: Only one URL is responsible for machine level tunnel and user-level tunnel. The AlwaysOnURL registry helps both the service and user-level component to work and connect a separate tunnel, that is, machine-level tunnel and user-level tunnel based on the design
`AlwaysOn`	REG_DWORD	1 => Allow network access on VPN failure; 2=> Block network access on VPN failure
AlwaysOnAllowlist	REG_SZ	Semi-colon separated list of IP addresses or FQDNs which must be whitelisted while the machine is running under the strict mode. Example: `8.8.8.8;linkedin.com`
UserCertCAList	REG_SZ	Comma or semi-colon separated list of root CA names, that is the issuer name of the certificate. Used in the context of an Always On service where a customer can specify the list of CAs to choose the client certificate from. Example: `cgwsanity.net;xyz.gov.in`
locationDetection	REG_DWORD	1 => To enable the location detection; 0 => To disable the location detection
suffixList	REG SZ	Comma separated list of domains and is responsible for checking if the machine is in intranet or not at any given time when location-detection is enabled. Example: `citrite.net,cgwsanity.net`

For more information about these registry entries, see Always On.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configure Always On VPN before Windows Logon

April 20, 2022

Contributed by:

April 20, 2022

Contributed by:

Configure Always On VPN before Windows Logon

Prerequisites

High-level configuration steps

Machine level tunnel

Set up machine level tunnel by using the device certificate

Device certificate based authentication configuration by using the GUI

Device certificate based authentication configuration by using the CLI

User Level Tunnel

Replace a machine-level tunnel with a user-level tunnel by using the GUI

Replace a machine-level tunnel with a user-level tunnel by using the CLI

Client side configuration

In this article