
always-on-vpn-before-windows-logon - Bound to user group





I have successfully managed to get a machine connection using the guide below. 




Is it possible to specify only certain users are given access to this method of connecting?






The issue is that the user authentication occurs after the always-on (machine) tunnel has been established. Restricting an LDAP policy to only certain groups is possible. Whether it will work in this always-on scenario is what I'm not sure of.


If it would work at all, when you configure your is_aosservice.not flow to trigger the user authentication, you can adjust the LDAP policy/action scope to limit users to members of certain user groups, OUs or certain parameters.

Either adjust the LDAP policy Bind DN scope from the typical domain to a specific OU or Container LDAP string, OR leave the Bind DN as the domain string and use the search filter to restrict to CN=<CN ldap string> or OU=<ou ldap string>, or, if you use the tooltip, other LDAP filter strings are possible. An example of a filter for one specific group is here: https://support.citrix.com/article/CTX111079


This would result in a failed LDAP authentication preventing the establishment of the User tunnel.

You could also use authorization policies to ensure that any unauthorized group is restricted to what they can or can't access via the vpn tunnel (in either state).


But the machine level tunnel for the always on service would likely have already been established by the initial always on setup (device cert or other mechanism).






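The reply above describes two scoping knobs on the LDAP action, the Base DN (which subtree is searched) and the search filter (which entries in that subtree qualify), and notes that a user who falls outside either one simply fails LDAP authentication. The following is an added example, not code from the thread or from Citrix, that models that lookup offline so the effect of each knob can be seen. It assumes, as the LDAP action does, that the gateway searches the Base DN subtree for an entry whose login-name attribute equals the typed user name ANDed with the configured search filter; the directory entries, DNs, group name and user names are constructed for the example.

```python
"""Offline model of how an LDAP action's Base DN and search filter decide
whether a user lookup succeeds. Constructed example: the directory, DNs,
group and user names below are made up; this is not Citrix Gateway code."""
import re

# Constructed directory: DN -> attributes, every value a list as LDAP returns it.
DIRECTORY = {
    "CN=Alice Example,OU=Staff,DC=corp,DC=example": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPN-AlwaysOn,OU=Groups,DC=corp,DC=example"],
    },
    "CN=Bob Example,OU=Staff,DC=corp,DC=example": {
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"],
    },
    "CN=Carol Contractor,OU=Contractors,DC=corp,DC=example": {
        "sAMAccountName": ["carol"],
        "memberOf": ["CN=VPN-AlwaysOn,OU=Groups,DC=corp,DC=example"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping of a user-supplied value, so a typed login name
    cannot inject extra clauses into the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse an RFC 4515 filter into a tuple tree. Supports &, | and ! plus
    attr=value equality items, which is all these examples need."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unterminated compound filter")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")  # first '=' splits attr from a DN value
        if not sep or not attr:
            raise ValueError("only attr=value items are supported")
        pos = end + 1
        return ("=", attr, value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attributes. Attribute names
    and the DN-valued attributes used here are case-insensitive, as in AD."""
    op = tree[0]
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    wanted = unescape_filter_value(value).lower()
    for name, values in attrs.items():
        if name.lower() == attr.lower():
            return any(v.lower() == wanted for v in values)
    return False

def in_subtree(dn, base_dn):
    """Subtree scope: the entry is the base itself or sits below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def lookup_user(base_dn, search_filter, username):
    """Model of the LDAP action's user search. `search_filter` is written the
    way the action's Search Filter field takes it (e.g. "memberOf=CN=...",
    no outer parentheses) and is ANDed with the login-name attribute
    (assumption about the action's behaviour). An empty result is the
    failed user authentication the reply describes."""
    clauses = "(sAMAccountName=%s)" % escape_filter_value(username)
    if search_filter:
        clauses += "(%s)" % search_filter
    tree = parse_filter("(&%s)" % clauses)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, base_dn) and matches(tree, attrs))

if __name__ == "__main__":
    group = "memberOf=CN=VPN-AlwaysOn,OU=Groups,DC=corp,DC=example"
    for base, flt, user in [("DC=corp,DC=example", "", "bob"),
                            ("DC=corp,DC=example", group, "bob"),
                            ("DC=corp,DC=example", group, "carol"),
                            ("OU=Staff,DC=corp,DC=example", group, "carol")]:
        print("base=%s filter=%r user=%s -> %s" % (base, flt, user, lookup_user(base, flt, user)))
```

Two caveats worth keeping in mind when carrying this over to a real LDAP action: `memberOf` only reflects direct membership, so users who qualify through a nested group need the Active Directory matching-rule-in-chain form `memberOf:1.2.840.113556.1.4.1941:=<group DN>`, which this small parser does not handle; and, exactly as the reply says, an empty lookup only blocks the user tunnel, the machine tunnel that the always-on service established earlier is not affected by it.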
