Help understanding authentication flow for Always On VPN Before Windows Logon

[Dan Angelson]

Hello all,

 

I am in the process of setting up Always On VPN Before Win Logon and I was wondering if anybody can clarify the authentication flow from the picture below. I'd like to break down all the steps involved in order to get a better understanding of how it works under the hood. 

 

This is my understanding so far. 

 

1. When the client device attempts to connect to the VPN server, the auth policy called alwayson-auth-policy is evaluated first. This will first check if the expression is_aoservice returns TRUE or FALSE.  What does this expression check exactly, and where? I read that is_aoservice is actually the expression HTTP.REQ.HEADER("User-Agent").CONTAINS("AO-Service") so would it look for a section in the HTTP Header called User-Agent and then check to see if it contains AO-Service. Is this referring to the registry setting on the client device called AlwaysOnService? Does Citrix Secure Access have a browser engine built-in?

2. If the expression is_aoservice returns TRUE, then it runs the EPA Action where it checks the device certificate by using sys.client_expr("device-cert_0_0"). This expression doesn't have an operator so it just pulls the cert info in order to check it against the CA bound to the VPN server, right? 

 

This is where things get fuzzy for me because I don't exactly understand how it moves on to create the User-Level Tunnel. So, when I put in my login credentials on the Windows logon screen after the Machine-Tunnel is established, the auth policy alwayson-auth-policy will continue where it left off and based on the GOTO expression NEXT the system will then proceed to the second auth policy, alwayson-usertunnel-pol, right? How come is_aoservice.not returns TRUE this time? 

 

Thank you in advance!

 

 

[Dan Angelson]

bump