Configure Always On VPN before Windows Logon
Always On VPN before Windows Logon provides the following capabilities.
- An administrator can give a first-time remote user a one-time password; the user connects to the domain controller over the machine-level tunnel and changes the password before ever logging on to the device.
- An administrator can manage and enforce Active Directory policies on the device remotely, before any user logs on.
- After the user logs on, the administrator has granular control based on the user's group. For example, a user-level tunnel can restrict or grant access to a resource for a particular user group.
- The user-level tunnel can be configured for multi-factor authentication (MFA) as the deployment requires.
- Multiple users can share one machine, with access to selected resources granted according to each user's profile. For example, several users can share a kiosk machine without friction.
- Remote users can connect to the domain controller to change their password.
Understanding Always On VPN before Windows Logon
The flow of events for Always On VPN before Windows Logon is as follows.
- The user turns on the laptop. The machine-level tunnel to Citrix Gateway is established, using the device certificate as the identity.
- The user logs on to the laptop with AD credentials.
- After logon, the user is challenged with MFA.
- On successful authentication, the machine-level tunnel is replaced with the user-level tunnel.
- When the user logs off, the user-level tunnel is replaced with the machine-level tunnel.
Configure Always On VPN before Windows Logon by using an advanced policy
Prerequisites
- Citrix Gateway and the VPN plug-in must be version 13.0 build 41.20 or later.
- Citrix ADC Advanced Edition or higher is required for the solution to work.
- The functionality can be configured only by using advanced policies.
The configuration involves the following high-level steps:
- Create an authentication profile
- Create an authentication virtual server
- Create authentication policies
- Bind the policies to the authentication profile
To configure the functionality by using the GUI
Client certificate-based authentication
1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
3. On the VPN Virtual Server page, click the edit icon.
4. Click Add next to the CA for Device Certificate section and click OK.
   Note: Do not select the Enable Device Certificate check box.
5. To bind a CA certificate to the virtual server, click CA Certificate under the Certificate section, then click Add Binding on the SSL Virtual Server CA Certificate Binding page.
   Note: Every CA certificate (root and intermediate) that can sign a device certificate issued to a client must be bound both under the CA for Device Certificate section (step 4) and under the CA certificate binding for the virtual server (step 5); otherwise the device certificate cannot be validated. For more information on linking a CA certificate with its intermediate or subordinate CA, see Install, link, and update certificates.
6. Click Click to select to select the required certificate.
7. Select the required CA certificate.
8. Click Bind.
9. On the VPN Virtual Servers page, under the Authentication Profile section, click Add.
10. On the Create Authentication Profile page, enter a name for the authentication profile and click Add.
11. On the Authentication Virtual Server page, enter a name for the authentication virtual server, select IP Address Type as Non-Addressable, and click OK.
12. Under Advanced Authentication Policies, click inside Authentication Policy.
13. On the Policy Binding page, click Add next to Select Policy.
14. On the Create Authentication Policy page:
   - Enter a name for the advanced authentication policy.
   - Select EPA from the Action Type list.
   - Click Add next to Action.
15. On the Create Authentication EPA Action page:
   - Enter a name for the EPA action.
   - Enter sys.client_expr("device-cert_0_0") in the Expression field.
   - Click Create.
16. Back on the Create Authentication Policy page:
   - Enter a name for the authentication policy.
   - Enter is_aoservice in the Expression field.
   - Click Create.
17. On the Policy Binding page, enter 100 in Priority and click Bind.
   Note: The machine-level tunnel configuration is now complete. If you do not want a user-level tunnel after Windows logon, skip steps 18 through 24 and proceed to the client-side configuration.
   To replace the machine-level tunnel with a user-level tunnel after Windows logon, continue with the following steps.
18. Change the Goto Expression of the policy bound in step 17 from End to Next.
19. On the Authentication Virtual Server page, click inside Authentication Policy.
20. On the Authentication Policy page, click the Add Binding tab.
21. On the Policy Binding page, click Add next to Select Policy.
22. On the Create Authentication Policy page:
   - Enter a name for the "no authentication" policy.
   - Select NO_AUTHN as the action type.
   - Enter is_aoservice.not in the Expression field.
   - Click Create.
   Note: The expression is_aoservice.not is valid from Citrix Gateway version 13.0 build 41.20 onward.
23. On the Policy Binding page, enter 110 in Priority and click Add next to Select Next Factor.
   Note: You can select an existing LDAP policy or create one. For details on creating an LDAP authentication policy, see To configure LDAP authentication by using the configuration utility.
24. After selecting an existing policy or creating one, click Bind on the Policy Binding page.
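The GUI steps above map onto a short list of Citrix ADC CLI commands. The PowerShell script below is an added example, not part of this documentation: it writes those commands to a batch file, copies it to the appliance with the OpenSSH client that ships with Windows 10 and later, and runs it with the appliance's batch command. The NSIP 10.0.0.10, the existing Gateway virtual server gw_vs, the installed CA certkey corp_root_ca and the existing LDAP policy ldap_pol are assumed placeholders; every other object name is chosen here. The two rule expressions carry the design: is_aoservice is true when the request comes from the Always On service (the machine-level tunnel before logon), so only that traffic must pass the device-certificate EPA check at priority 100, while is_aoservice.not matches the interactive user and, through NO_AUTHN at priority 110, hands the session to the LDAP factor (and any MFA factor you chain after it).

```powershell
# Added example (not Citrix documentation): push the CLI equivalent of the GUI procedure above.
# Assumed placeholders: NSIP 10.0.0.10, gateway vserver gw_vs, CA certkey corp_root_ca, LDAP policy ldap_pol.
$Nsip   = '10.0.0.10'
$NsUser = 'nsroot'

$Batch = @'
# --- Machine-level factor: device-certificate EPA, applied only to the Always On service (is_aoservice)
add authentication vserver aov_authn_vs SSL 0.0.0.0
add authentication epaAction aov_devcert_epa -csecexpr "sys.client_expr(\"device-cert_0_0\")"
add authentication Policy aov_devcert_pol -rule is_aoservice -action aov_devcert_epa
bind authentication vserver aov_authn_vs -policy aov_devcert_pol -priority 100 -gotoPriorityExpression NEXT
# --- User-level factor: interactive logons (is_aoservice.not) skip EPA and go to the LDAP policy label
add authentication policylabel aov_user_factor -loginSchema LSCHEMA_INT
bind authentication policylabel aov_user_factor -policyName ldap_pol -priority 100 -gotoPriorityExpression END
add authentication Policy aov_noauth_pol -rule is_aoservice.not -action NO_AUTHN
bind authentication vserver aov_authn_vs -policy aov_noauth_pol -priority 110 -nextFactor aov_user_factor -gotoPriorityExpression NEXT
# --- Attach the authentication vserver to the gateway through an authentication profile
add authentication authnProfile aov_authn_prof -authnVsName aov_authn_vs
set vpn vserver gw_vs -authnProfile aov_authn_prof
# --- Trust the issuing chain at both places the GUI note requires (CA for Device Certificate,
# --- and the SSL vserver CA binding); the Enable Device Certificate check box stays cleared
bind vpn vserver gw_vs -certkeyName corp_root_ca -CA
bind ssl vserver gw_vs -certkeyName corp_root_ca -CA -ocspCheck Optional
set vpn vserver gw_vs -deviceCert DISABLED
'@

# Keep the comments for the reader, but send only the commands, LF-terminated, to the appliance.
$commands = ($Batch -split "`r?`n") | Where-Object { $_ -and $_ -notmatch '^\s*#' }
$local = Join-Path $env:TEMP 'aov_prelogon.conf'
[IO.File]::WriteAllText($local, ($commands -join "`n") + "`n")

# nsroot's login shell on the appliance is the NS CLI, so ssh can run CLI commands directly.
scp $local "${NsUser}@${Nsip}:/var/tmp/aov_prelogon.conf"
ssh "${NsUser}@${Nsip}" 'batch -fileName /var/tmp/aov_prelogon.conf -outfile /var/tmp/aov_prelogon.out'
ssh "${NsUser}@${Nsip}" 'show authentication vserver aov_authn_vs'   # expect bindings at 100 and 110
ssh "${NsUser}@${Nsip}" 'save ns config'
```

If you only want the machine-level tunnel (the note after step 17), drop the policy label, the NO_AUTHN policy and its binding, and bind aov_devcert_pol with -gotoPriorityExpression END instead of NEXT. Check /var/tmp/aov_prelogon.out on the appliance for any command the batch rejected before saving the configuration.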
Client-side configuration
The AlwaysOn, locationDetection, and suffixList registry entries are optional and are required only if you need the location detection functionality.
The registry entries live under the following key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

Registry key | Registry type | Values and description |
---|---|---|
AlwaysOnService | REG_DWORD | 1 => Establish the machine-level tunnel but not the user-level tunnel; 2 => Establish both the machine-level tunnel and the user-level tunnel |
AlwaysOnURL | REG_SZ | URL of the Citrix Gateway virtual server to connect to. Example: https://xyz.companyDomain.com. Important: a single URL serves both tunnels. The Always On service and the user-level component both read AlwaysOnURL, and each establishes its own tunnel (machine-level and user-level respectively) against that gateway. |
AlwaysOn | REG_DWORD | 1 => Allow network access on VPN failure; 2 => Block network access on VPN failure |
AlwaysOnWhiteList | REG_SZ | Semicolon-separated list of IP addresses or FQDNs that remain reachable while the machine is running in strict mode (AlwaysOn = 2 and the VPN is down). Example: 8.8.8.8;linkedin.com |
UserCertCAList | REG_SZ | Comma- or semicolon-separated list of root CA names, that is, the issuer name of the certificate. Used by the Always On service to restrict which CAs the client certificate may be selected from. Example: cgwsanity.net;xyz.gov.in |
locationDetection | REG_DWORD | 1 => Enable location detection; 0 => Disable location detection |
suffixList | REG_SZ | Comma-separated list of domain suffixes used to decide whether the machine is on the intranet at any given time when location detection is enabled. Example: citrite.net,cgwsanity.net |

For more information about these registry entries, see Always On.
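The following PowerShell script is an added example, not part of Citrix's documentation. It writes the entries from the table above under the Secure Access Client key, checks them for the mistakes the descriptions warn about (an AlwaysOnService value other than 1 or 2, a non-https URL, strict mode with an empty whitelist, the wrong separator), and then looks in the computer certificate store for a device certificate issued by one of the CAs named in UserCertCAList, because that certificate is what the machine-level tunnel presents to the gateway. The gateway URL, CA names, suffixes and whitelist entries are placeholders. Run it elevated, since the key is under HKLM.

```powershell
# Added example, not part of the Citrix documentation: configure the Secure Access Client registry
# entries for Always On before Windows Logon on a managed laptop, sanity-check them, and confirm the
# machine holds a device certificate the machine-level tunnel can present. All values are placeholders.
$Key = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
$Settings = [ordered]@{
    AlwaysOnService   = @{ Type = 'DWord';  Value = 2 }   # machine-level and user-level tunnel
    AlwaysOnURL       = @{ Type = 'String'; Value = 'https://gateway.example.com' }
    AlwaysOn          = @{ Type = 'DWord';  Value = 2 }   # strict mode: block network access on VPN failure
    AlwaysOnWhiteList = @{ Type = 'String'; Value = '8.8.8.8;linkedin.com' }   # semicolon separated
    UserCertCAList    = @{ Type = 'String'; Value = 'Example Corp Root CA;Example Corp Issuing CA' }
    locationDetection = @{ Type = 'DWord';  Value = 1 }
    suffixList        = @{ Type = 'String'; Value = 'corp.example.com,example.net' }   # comma separated
}

function Set-AlwaysOnRegistry {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        # -Force overwrites an existing value of the same name
        New-ItemProperty -Path $Key -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

function Test-AlwaysOnRegistry {
    $p = Get-ItemProperty -Path $Key
    $problems = @()
    if ($p.AlwaysOnService -notin 1, 2) { $problems += 'AlwaysOnService must be 1 or 2' }
    if ($p.AlwaysOnURL -notmatch '^https://[^/\s]+') {
        $problems += 'AlwaysOnURL must be the https:// URL of the gateway virtual server'
    }
    if ($p.AlwaysOn -eq 2 -and -not $p.AlwaysOnWhiteList) {
        $problems += 'Strict mode (AlwaysOn=2) with an empty AlwaysOnWhiteList leaves nothing reachable when the tunnel is down'
    }
    foreach ($entry in ($p.AlwaysOnWhiteList -split ';')) {
        if ($entry -match '[\s,]') { $problems += "AlwaysOnWhiteList entry '$entry' is malformed (separate with ; and no spaces)" }
    }
    if ($p.locationDetection -eq 1 -and -not $p.suffixList) {
        $problems += 'locationDetection=1 needs suffixList to tell intranet from internet'
    }
    return $problems
}

function Get-DeviceCertificateCandidate {
    # The machine-level tunnel authenticates with a device certificate from the computer store.
    # UserCertCAList names the issuing CAs; this matches them loosely against the issuer DN.
    $cas = ((Get-ItemProperty -Path $Key).UserCertCAList -split '[;,]') | Where-Object { $_ }
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and
        ($cas | Where-Object { $cert.Issuer -like "*$_*" })
    }
}

Set-AlwaysOnRegistry
Test-AlwaysOnRegistry | ForEach-Object { Write-Warning $_ }
$cert = Get-DeviceCertificateCandidate | Select-Object -First 1
if ($cert) {
    "Device certificate for the machine tunnel: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
} else {
    Write-Warning 'No valid device certificate with a private key from a CA in UserCertCAList; the EPA check (device-cert_0_0) will fail'
}
```

The issuer match in Get-DeviceCertificateCandidate is a substring match on the issuer DN, which is enough to spot a missing or expired certificate before the first pre-logon attempt; the plug-in's own selection logic is what decides at run time. Deploy the same values through Group Policy Preferences or your MDM rather than by hand once they check out.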
This Preview product documentation is Citrix Confidential.