
AlwaysOn VPN Before Windows Logon & Security


Hi all,


We're looking to use the AlwaysOn VPN Before Windows Logon functionality with Autopilot to allow prepping of equipment remotely directly with users.


I'm pretty happy with the functionality and how it works in terms of a machine level tunnel authenticated via certificates and then a user level tunnel where we can add MFA after logon, however, I wondered if it was also possible to restrict what the machine level tunnel could access?


My thinking here is as another layer of security I'm not 100% comfortable with just authenticating via certificate before allowing network connectivity to all internal resources. Open to thoughts as well for if I'm being overly cautious.

For "AlwaysOn VPN Before Windows Logon", you use the Windows credentials for the user VPN, as the idea is that after the machine-level VPN is started, the user VPN will start right after the user logs in to their computer?

Otherwise you are using device certificate authentication, which has security holes: https://support.citrix.com/article/CTX200290

For extra security, see below; better set "Network Access On VPN Failure" to "Only To Gateway" and "Client Control" to "Deny", and see "Location Based VPN": if you want the VPN to be up even in the office, select "Everywhere". Please check the link below:
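Added example for this thread (not code from either poster or from Citrix): a POSIX shell script that turns the three settings named in the reply above into an audit of an exported ns.conf. It reads every `add vpn alwaysONProfile` line and flags any profile still at the permissive values, treating an absent flag as the NetScaler default. The flag names and values (`-networkAccessONVPNFailure fullAccess|onlyToGateway`, `-clientControl ALLOW|DENY`, `-locationBasedVPN Remote|Everywhere`) and the defaults are assumed from the NetScaler CLI reference and should be confirmed on your build; the sample config lines and profile names are constructed for the example.

```shell
#!/bin/sh
# Audit Citrix Gateway AlwaysOn profiles in an ns.conf export for the
# permissive settings discussed above. Added example, not from the thread.
# Flag names, values and defaults are assumed from the NetScaler CLI
# reference for "add vpn alwaysONProfile"; confirm them on your build.

# Extract the value following "-<flag>" on one config line, lowercased
# for comparison; prints nothing if the flag is absent.
ns_opt() {  # $1 = config line, $2 = flag name without the leading dash
  printf '%s\n' "$1" | sed -n "s/.* -$2 \([^ ]*\).*/\1/p" \
    | tr '[:upper:]' '[:lower:]'
}

# Print one finding per weak setting on a single "add vpn alwaysONProfile"
# line. Absent flags take the (assumed) NetScaler defaults, which are the
# permissive ones, so a bare profile is the worst case.
audit_alwayson_line() {
  name=$(printf '%s\n' "$1" | awk '{print $4}')
  failure=$(ns_opt "$1" networkAccessONVPNFailure)
  control=$(ns_opt "$1" clientControl)
  location=$(ns_opt "$1" locationBasedVPN)
  : "${failure:=fullaccess}" "${control:=allow}" "${location:=remote}"

  # fullAccess: if the machine tunnel cannot come up, the client keeps
  # unrestricted network access instead of being limited to the gateway.
  [ "$failure" = onlytogateway ] ||
    echo "$name: networkAccessONVPNFailure=$failure (set onlyToGateway)"
  # ALLOW: the logged-on user can disconnect the AlwaysOn tunnel.
  [ "$control" = deny ] ||
    echo "$name: clientControl=$control (set DENY)"
  # Remote: the tunnel is only forced outside the corporate network.
  [ "$location" = everywhere ] ||
    echo "$name: locationBasedVPN=$location (set Everywhere to keep the tunnel up in the office)"
}

# Run the per-line check over every AlwaysOn profile in an ns.conf on stdin.
audit_alwayson_conf() {
  grep '^add vpn alwaysONProfile ' | while IFS= read -r line; do
    audit_alwayson_line "$line"
  done
}

# Constructed sample ns.conf fragment: one profile left at defaults, one set
# as the reply recommends, plus the session action that references it.
SAMPLE_NSCONF='add vpn alwaysONProfile ao_default
add vpn alwaysONProfile ao_hardened -networkAccessONVPNFailure onlyToGateway -clientControl DENY -locationBasedVPN Everywhere
set vpn sessionAction act_machine -alwaysONProfileName ao_hardened'

# Expect three findings, all for ao_default; ao_hardened is silent.
printf '%s\n' "$SAMPLE_NSCONF" | audit_alwayson_conf
```

Run it against a real export with `audit_alwayson_conf < ns.conf`. The check deliberately reports a profile with no flags at all, because a profile created from the GUI with the defaults left in place is exactly the case where the machine tunnel silently falls back to full network access.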
