
Per-App/On demand VPN, transfer session issue

Nils Andreas Myhre


Citrix ADC

Microsoft Intune

Apple iPad iOS 12.1

Citrix SSO app 1.1.11(134)


Does anyone have experience using Citrix ADC as a VPN gateway for Intune MDM managed Per-App VPN?

I'm having an issue when NOSPILLOVER is configured and there is a preexisting session.


We've set up Citrix ADC to use BASIC certificate authentication with LDAP group extraction to use AD groups to manage Intranet IP range, and published applications. I have configured a session policy bound directly on the gateway vserver.

Use Intranet IP: NOSPILLOVER, Clientless Access: Disabled, Plug-in Type: Windows/MAC OS X, ICA Proxy: OFF, Default Authorization Action: DENY (Resource authorization allowed by policy bound to group)


My setup works as intended and iPads can use internal resources through VPN managed by Intune. However, if I launch the app which connects the VPN, and then reboot the iPad and try to connect again, the VPN gets stuck "connecting". If I manually kill the active user session on Citrix ADC, force a disconnect on the iPad and relaunch the app, the VPN connects again with no issue.


I believe that the on-demand VPN part of the Citrix SSO app is not handling transfer login. I can confirm that the transfer login logic kicks in by manually configuring the VPN and launching it interactively. I then get prompted to transfer login. This issue is not present if I configure SPILLOVER in the session profile. It will then use subnet IP instead of Intranet IP, but that's undesired behavior.



I have created a case with Citrix support, but I want to give the forums a shot as well.








This topic is now archived and is closed to further replies.
