
As more users are working from home than ever before, the demands on Enterprise IT to deliver end user devices have become more complex. During this time cloudDNA has seen an increase in the number of customers requesting the capability to manage connectivity into the Enterprise when connected by a Virtual Private Network (VPN).

Customer requirements are still a seamless user experience and a robust mechanism for central IT to manage the device; but the use cases that can prevent a user from getting access come to the fore when the user has never been to the office, or the device is newly built.

The usual method of allowing VPN users to connect remotely into the environment is to install a software agent on the device and ask the user to run it whenever they need to connect to the corporate network. This is adequate for users who have sat at their machines in the office and then taken them home with cached credentials; but what about new devices shipped to users? Or new users who have never set foot in the office? Neither does this address security concerns that require policy changes to take effect immediately, such as Group Policy, password expiry or software updates.

Traditionally, if a new user could not get into the office to receive a new device, central IT would have to log into the machine as the user to cache credentials, and then to share those access details with the user for logon later. This is not desirable or good practice.

To address these issues Citrix AlwaysON VPN connectivity creates a ‘machine-based’ VPN tunnel that is always connected to the Citrix Gateway; even before the user logs on to the device.  This creates a connection to the enterprise without user intervention and allows support to monitor the device without the user having to log in.

Citrix AlwaysON VPN first appeared in NetScaler firmware build version 11.1, but Citrix now specifies a newer minimum version requirement dependent on the functionality required and the method of implementation. With the introduction of Citrix ADC firmware build 13.0, this has been further enhanced to provide functionality and options based on a user connection.

Citrix AlwaysON VPN using Classic Policy

Based on Device Certificates as the measure of trust, the device attempts to build a VPN tunnelled connection to the Citrix Gateway as soon as the machine is powered on, without any user interaction.

This requires firmware version or later.

Citrix AlwaysON VPN

This enables a core set of functionalities.

  • New users can be sent a device that they have not logged onto before and can authenticate directly against an Active Directory Domain Controller.
  • If the VPN tunnel fails to establish, IT can block access to the local network and internet if required. This can be used to enforce all traffic through the enterprise in highly regulated environments.  For example, to backhaul internet traffic through enterprise web proxies.
  • Central IT can push policy and manage the device without the user being logged in.

Citrix AlwaysON VPN using Advanced Policy

Requires firmware version or later, and ADC Advanced Edition or higher. As in the Classic Policy model, the device establishes a connection to the enterprise as soon as the machine is powered on, achieving the same functionality as above.

However, once the user successfully logs in with their Active Directory credentials, the Machine Tunnel is replaced with a User Tunnel.

Citrix AlwaysON VPN

The presence of the User tunnel means that the service becomes more flexible.

As well as the above benefits, the following is now available:

  • Multiple users can use the same device, enabling IT to specify different access options from the same machine based on user roles or profiles, for example using AD group membership.
  • When one user logs out and another logs in, the user VPN tunnel is torn down; but the device stays connected throughout thanks to the machine-based tunnel, giving a seamless experience.
  • Users can be presented with further MFA access requirements if required.

On log off, the user tunnel is torn down and the machine-based tunnel is automatically re-established.

Citrix AlwaysON VPN further consolidates the delivery footprint and provides another layer of visibility in the service analytics view within the popular Application Delivery Manager. It’s a cool feature!

New for release 13.0 build 47.x and later is the ability to set a limited number of URLs the user can access if the VPN tunnel fails to establish and access to the local network has been blocked. Administrators can specify an AlwaysONWhitelist registry value to add websites that are allowed to be accessed locally.
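To make the lifecycle described above concrete, here is a small model of the tunnel states and the local-access decision: the machine tunnel attempted at power-on, the swap to a user tunnel after Active Directory logon under Advanced Policy (Classic Policy keeps the machine tunnel), re-establishment of the machine tunnel at log off, and fail-closed local access with the whitelist when the tunnel cannot be built. This is an added illustration written for this post, not Citrix code or the ADC client's logic; the class and method names are invented, whitelist entries are assumed to match on exact hostname, and re-establishing the machine tunnel at log off is assumed to succeed.

```python
"""Toy model of the Citrix AlwaysON VPN tunnel lifecycle.

Added illustration, not Citrix code: it models the behaviour the post
describes so the access decisions can be exercised and checked offline.
Names and matching rules are assumptions made for the example.
"""
from enum import Enum


class Tunnel(Enum):
    NONE = "none"        # no tunnel to the Citrix Gateway
    MACHINE = "machine"  # device-certificate based tunnel, no user logged on
    USER = "user"        # user tunnel established after AD logon (Advanced Policy)


class AlwaysOnClient:
    def __init__(self, policy="advanced", block_local_on_failure=False, whitelist=()):
        if policy not in ("classic", "advanced"):
            raise ValueError("policy must be 'classic' or 'advanced'")
        self.policy = policy
        self.block_local_on_failure = block_local_on_failure
        # Assumption: whitelist entries are compared as exact, case-insensitive hostnames.
        self.whitelist = {h.lower() for h in whitelist}
        self.tunnel = Tunnel.NONE
        self.user = None
        self.log = []

    def power_on(self, device_cert_valid=True, gateway_reachable=True):
        """Attempt the machine tunnel before any user logs on."""
        if device_cert_valid and gateway_reachable:
            self.tunnel = Tunnel.MACHINE
            self.log.append("machine tunnel up")
        else:
            self.tunnel = Tunnel.NONE
            self.log.append("machine tunnel failed")
        return self.tunnel

    def user_logon(self, username, ad_auth_ok=True):
        """Return True if logon succeeds; under Advanced Policy the machine tunnel is replaced."""
        # A user who has never logged on to this device needs the tunnel to reach a domain controller.
        if self.tunnel is Tunnel.NONE or not ad_auth_ok:
            return False
        self.user = username
        if self.policy == "advanced":
            self.tunnel = Tunnel.USER
            self.log.append(f"user tunnel up for {username}")
        return True

    def user_logoff(self):
        """Tear down the user tunnel; the machine tunnel is re-established (assumed to succeed)."""
        self.log.append(f"user {self.user} logged off")
        self.user = None
        self.tunnel = Tunnel.MACHINE
        return self.tunnel

    def tunnel_lost(self):
        """The tunnel to the Gateway dropped; local access rules now apply."""
        self.tunnel = Tunnel.NONE
        self.log.append("tunnel lost")

    def is_allowed(self, host):
        """Decide whether local network / Internet traffic to `host` may leave the device."""
        if self.tunnel is not Tunnel.NONE:
            return True  # traffic flows through the enterprise (e.g. backhauled via web proxies)
        if not self.block_local_on_failure:
            return True  # fail-open configuration: local access is not blocked
        return host.lower() in self.whitelist  # fail-closed: only whitelisted sites


if __name__ == "__main__":
    client = AlwaysOnClient(block_local_on_failure=True, whitelist=["status.example.com"])
    client.power_on(gateway_reachable=False)
    print("status.example.com allowed:", client.is_allowed("status.example.com"))
    print("www.example.org allowed:", client.is_allowed("www.example.org"))
    client.power_on()
    client.user_logon("alice")
    client.user_logoff()
    print("\n".join(client.log))
```

The `is_allowed` check captures the security-relevant point: with `block_local_on_failure` set, a device that cannot reach the Gateway only talks to whitelisted hosts, so a misconfigured or overly broad whitelist is the thing to review when enabling the fail-closed mode.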


If you would like to talk to us about any of the points raised, or you have your own challenges that you’d like to discuss, please call 0330 010 3443 or email