Jump to content
Welcome to our new Citrix community!

"Citrix always on VPN before windows logon" and AD logon scripts

Recommended Posts



I'm facing a bit of a challenge around the "Citrix always on VPN before windows logon" solution and our AD logon scripts. We deploy multiple logon scripts and assign them to AD users profiles. Those are mainly used to map network drives. 

We are now looking to implement the Citrix VPN solution with both machine-based and user-based tunnel. The logon process looks like:

- a laptop will build a machine-based tunnel back to the GW when it gets powered on, even before the user logs into Windows. The profile assigned to those machine-based tunnels have a very restricted access. Allowing the machine to contact our AD servers. So, no access into our storage for drives mapping.

- the remote user logs into Windows. At this stage the authentication gets done against our AD servers which will authenticate the user and send back the user specific logon script to run
- the user will then pass the Windows auth and will get to his desktop where he can see that script passed by the AD server trying to run. However, at this stage the user-based tunnel hasn't replaced the machine-based tunnel yet. As a consequence the logon script fails to map the network drives timing out as it can't reach the network drives.

- by the time the user-based tunnel will replace the machine-based one, the script has already failed and as a result no drives gets mapped.


We are reluctant to allow access from a machine-based tunnel into our network drives for obvious security reasons. 


I was wondering if anyone out there has faced the same challenge and would have a proposed solution to these logon scrips failing.




Link to comment
Share on other sites


we are building up the same. But currently using Microsoft Always On VPN Device & User Tunnel as those can be established at the same time.

Also we are looking currently into Conditional Access with Azure MFA to improve Security.


Best regards


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...