The AlwaysON feature of NetScaler Gateway ensures that users are always connected to the enterprise network. This persistent VPN connectivity is achieved by automatic establishment of a VPN tunnel.
Use AlwaysON when you need to provide seamless VPN connectivity based on user location and have to prevent network access by a user who is not connected to a VPN.
The following scenarios illustrate the use of AlwaysON.
AlwaysON automatically connects a user to a VPN tunnel that the client has previously established. The first time the user needs a VPN tunnel, the user must connect to the NetScaler Gateway URL and establish the tunnel. After the AlwaysON configuration is downloaded to the client, this configuration drives subsequent establishment of the tunnel.
The NetScaler Gateway client executable is always running on the client machine. When the user logs on or the network changes, the NetScaler Gateway client determines whether or not the user laptop is on the enterprise network. Depending upon the location and the configuration, the NetScaler Gateway client either establishes a tunnel or tears down an existing tunnel.
Tunnel establishment is initiated only after the user logs on to the computer. The NetScaler Gateway client uses the configured authentication mechanism and tries to establish a tunnel. If the authentication methods do not involve a user prompt, the tunnel is established seamlessly.
Automatic reestablishment of a tunnel is triggered in the following situations:
- The VPN tunnel is torn down by NetScaler Gateway
- The NetScaler Gateway client is aborted
The supported user authentication methods are as follows:
- Username + AD password: If the Windows username and password are used for authentication, the NetScaler Gateway client seamlessly establishes the tunnel by using these credentials.
- User certificate: If a user certificate is used for authentication and there is only one certificate on the machine, the NetScaler Gateway client seamlessly establishes the tunnel by using this certificate. If multiple client certificates are installed, the tunnel is established after the user has selected the preferred certificate. The NetScaler Gateway client uses this preference for subsequently established tunnels.
- User certificate and Username + AD Password: This authentication method is the combination of previously described authentication methods.
The enterprise administrator must enforce the following on managed devices:
- The user must not be able to end the process/service for the specific configuration
- The user must not be able to uninstall the package for the specific configuration
- The user must not be able to change specific registry entries
Review the following section before enabling the AlwaysON feature.
Primary Network Access: When the tunnel is established, the routing of traffic to the enterprise network is determined by the split-tunnel configuration. No additional configuration is provided to override this behavior.
Proxy settings of client machine: Proxy settings of the client machine are ignored for connecting to the gateway server.
When the Client Control configuration value is set to “Deny”, the following changes apply:
- Client UI - The Logoff and Exit options in the plug-in context menu and plug-in UI are disabled. Users are not allowed to change the Gateway URL.
- Browser logon - Browser logon to a different gateway is not allowed. Client controls are disabled.
To configure AlwaysON, create an AlwaysOn profile on the NetScaler Gateway appliance and apply the profile.
To create an AlwaysOn profile
- In the NetScaler GUI, navigate to Configuration > NetScaler Gateway > Policies > AlwaysON.
- On the AlwaysON Profiles page, click Add.
- On the Create AlwaysON Profile page, enter the following details:
  - Name – The name for your profile.
  - Location Based VPN – Select one of the following settings:
    - Remote to enable the client to detect whether or not it is in the enterprise network and to establish the tunnel only when it is not. This is the default setting.
    - Everywhere to let the client skip location detection and establish the tunnel regardless of its location.
  - Client Control – Select one of the following settings:
    - Deny to prevent the user from logging off and connecting to another gateway. This is the default setting.
    - Allow to enable the user to log off and connect to another gateway.
  - Network Access On VPN Failure – Select one of the following settings:
    - Full Access to allow network traffic to flow to and from the client when the tunnel is not established. This is the default setting.
    - Only To Gateway to prevent network traffic from flowing to or from the client when the tunnel is not established. Traffic to or from the Gateway IP address is still allowed.
- Click Create to finish creating your profile.
To apply the AlwaysOn profile
- In the NetScaler interface, select Configuration > NetScaler Gateway > Global Settings.
- On the Global Settings page, click the Change Global Settings link, and then select the Client Experience tab.
- From the AlwaysON Profile Name drop-down menu, select the newly created profile, and click OK.
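As an added illustration (hypothetical code, not the NetScaler Gateway client or any Citrix API), the following Python model encodes the profile semantics configured by the procedure above, so that the fail-open default of Network Access On VPN Failure and the Only To Gateway exception can be checked for a given profile. All class and function names are my own, and the assumption that nothing is enforced when a Remote profile finds the client on the enterprise network is marked in the code.

```python
from dataclasses import dataclass
from enum import Enum

class LocationBasedVPN(Enum):
    REMOTE = "Remote"          # tunnel only when off the enterprise network (default)
    EVERYWHERE = "Everywhere"  # tunnel regardless of location

class ClientControl(Enum):
    DENY = "Deny"    # default: no logoff/exit, no gateway URL change
    ALLOW = "Allow"

class NetworkAccessOnVPNFailure(Enum):
    FULL_ACCESS = "Full Access"          # default: traffic flows while the tunnel is down
    ONLY_TO_GATEWAY = "Only To Gateway"  # only traffic to the gateway IP while it is down

@dataclass(frozen=True)
class AlwaysOnProfile:
    name: str
    location_based_vpn: LocationBasedVPN = LocationBasedVPN.REMOTE
    client_control: ClientControl = ClientControl.DENY
    on_vpn_failure: NetworkAccessOnVPNFailure = NetworkAccessOnVPNFailure.FULL_ACCESS

# Actions the page says Client Control "Deny" disables in the plug-in and browser.
DENIED_USER_ACTIONS = {"logoff", "exit", "change_gateway_url", "browser_logon_other_gateway"}

def tunnel_wanted(profile: AlwaysOnProfile, on_enterprise_network: bool) -> bool:
    """Remote: establish a tunnel only when the client is off the enterprise network."""
    if profile.location_based_vpn is LocationBasedVPN.EVERYWHERE:
        return True
    return not on_enterprise_network

def traffic_allowed(profile: AlwaysOnProfile, tunnel_up: bool, on_enterprise_network: bool,
                    dst_ip: str, gateway_ip: str) -> bool:
    """Decide whether a packet to dst_ip may leave the client in the current state."""
    if tunnel_up:
        return True  # routing then follows the split-tunnel configuration
    if not tunnel_wanted(profile, on_enterprise_network):
        return True  # assumption: no tunnel is required here, so nothing is enforced
    if profile.on_vpn_failure is NetworkAccessOnVPNFailure.FULL_ACCESS:
        return True  # fail-open: the documented default
    return dst_ip == gateway_ip  # fail-closed, except for reaching the gateway itself

def user_action_permitted(profile: AlwaysOnProfile, action: str) -> bool:
    """Client Control semantics for plug-in and browser actions."""
    return profile.client_control is ClientControl.ALLOW or action not in DENIED_USER_ACTIONS
```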
The table below summarizes the behavior for different configurations. It also details the possibility of certain user actions, which can affect AlwaysON functionality.