Jump to content
Welcome to our new Citrix community!

AlwaysOn VPN Various Questions

Recommended Posts

We have set up Always On VPN with the service tunnel established before Windows logon and user tunnel after Windows logon. We are using ADC 13.0 build 79.64 together with the latest VPN Plugin version and the service is configured with an Intranet IP Pool and location detection enabled. We also enabled Split Tunneling and Split DNS is set to BOTH.


The vpn service works rather well, however there are a couple of things/behaviours we would like to fix or at least understand why it is a certain way.


Odd ICMP responses

When connected to the VPN in user mode with an Intranet IP we get these odd responses when pinging different internal resources. For example, most servers respond with an address like 172.16.0.x which seem to be some kind of internal ADC owned IP range. At the same time, another server might respond with its actual IP address just like we want it to. I haven't found any answers as to why it behave like this. Can we somehow get ICMP responses to always show the correct IP?


Secure DNS Updates

Our environment only support secure dns updates from clients. We have implemented the below registry key on the clients but still no dns updates are happening. We cannot see what would be the cause of this. Log output and wireshark show that clients try to update the DNS but DNS server repsonds with a refusal. What are we missing?


HKLM\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD set to 2


Logoff and Exit buttons greyed out

In the AlwaysOn Profile we configured Client Control set to ALLOW. But still the user is not able to log off the vpn or exit the plugin as the buttons are greyed out. Seem like a bug to me. Anyone else seen this behaviour?


Activate VPN service from company network

We have seen issues onboarding new users when they are connected to the company network. To complete the process they had to connect via their mobile devices 4G network. Is it not possible to onboard new users when location detection is enabled?


Streamline onboarding process

From my understanding it is required for a first time vpn user to browse to the alwayson portal and sign in so the plugin can be activated properly and download certain settings from the ADC. Is this really the case or would it be possible to somehow onboard a new user without requiring any user input what so ever? Perhaps using registry keys and copying any important files that otherwise are downloaded from the ADC at first sign in?



I am greatful for any help regarding these questions!



Link to comment
Share on other sites

  • 2 weeks later...

Streamline onboarding process:

Config.js file will be created in the following location (C:\Users\*****\AppData\Local\Citrix\AGEE) once user connects.

Create a script to Manually copy this file in the above location once the VPN plugin installation is complete.

so this will be called automatically when user tries to launch Citrix Gateway.

Add the AlwaysONURL registry key via the same script.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...