Secure Always-On VPN via Citrix ADC 12. and 13.x

You want to use Always-On VPN via Citrix ADC? Here you can find out how you can easily connect the clients to the company network with the Citrix ADC using an Always-On VPN without much effort. The VPN function of the Citrix ADC has many advantages and can also cover features that normal VPN gateways or firewalls do not support. For example, rule-based access to resources or quarantine or restricted access for clients that are not equipped with up-to-date virus scanners or patches.

Why Always-On VPN via Citrix ADC?

Now that Direct Access has been discontinued by Microsoft and there is a successor, but it only works under certain conditions, it makes sense to look for alternatives that work independently of an operating system version. Not only with Always-On VPN, but also with the normal VPN functionality of the Citrix ADC, you can use considerably more features than you would with a standard firewall or a VPN gateway.

Why Always-On VPN? What is it anyway?

Always-on VPN means that the client automatically connects to the company network as soon as it detects that it is outside the network. The VPN is then automatically established when an Internet connection is available.

For users, it has many advantages if they only have to log on to the system once and the rest happens “automatically”, so to speak. The user therefore does not have to worry about whether the VPN is now active when they want to access corporate applications or resources. The advantage for IT administration is that the client can be easily managed because it automatically connects to the network on a regular basis.

Configuration on the Citrix ADC

Prerequisite for the configuration

For the configuration, I have already configured a VPN gateway on the Citrix ADC. In addition, there is already an existing Active Directory authentication via a AAA vServer. The VPN connection can already be established via the Citrix ADC, but it still has to be done with manual login.

Enable Always-On VPN on Citrix ADC

To enable Always-On, we first need to go to the configuration of our Citrix ADC VPN Gateway. To do this, log in to the Citrix ADC in the WebGUI and go to “Configuration / Citrix Gateway / Virtual Servers”, select the desired vServer and click on Edit.

Always-On VPN - Citrix ADC

Now we switch to the policies here we edit the “Session Policy”. You can simply click on it.

Always-On VPN über Citrix ADC

Here I edit the profile of the policy. I select the policy and go to “Edit Profile”.

Always-On VPN über Citrix ADC

In the Session Profile of the Citrix Gateway I select the item “Client Experience”.

Always-On VPN - Citrix ADC

Here I scroll down and add a new Always-On profile.

Always-On VPN - Citrix ADC

In the profile for AlwaysOn I set the parameters as follows:

Always-On VPN - Citrix ADC

Explanation of the Always-On Profile

Location Based VPN

With this setting, the VPN client will check where it is in the future. It only connects via VPN when it is outside the network. This setting makes sense when the client switches between home office and branch or main location.

The client always establishes a VPN connection. Regardless of whether it is inside the company or outside, a VPN tunnel is always established.

Client Control

The user cannot log out manually when the VPN is established. He also cannot connect to another VPN gateway.

The user can connect himself and also connect to another gateway.

Network Access On VPN Failure

Full Access:
If the VPN is not available or not working, the client can communicate with all other devices.

Only To Gateway:

Only services that are provided via the VPN gateway will work. This means that if the VPN gateway is not available, the client will not be able to access other services on the network. To enable other websites, IP address ranges, or IP addresses, you must set the VPN client registry in the value: alwaysonwhitelist the desired settings in a semicolon-separated list of FQDNs, IP address ranges, or IP addresses. Zum Beispiel,,,,


The registry value can be found under the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

The “AlwaysOnWhitelist” value in the registry is supported from Citrix ADC 13.0 build 47.x and later.
Wildcard URLs/FQDNs are not supported in AlwaysOnWhitelist registry value.


VPN Client Testing

Now that I have configured everything, I can test the whole thing directly. On the client, I log in to the VPN gateway externally via the Citrix ADC website. I install the Citrix Gateway Plugin. When I connect manually for the first time, the desired setting is also pushed to the client. From then on everything runs as desired. When the client is restarted, it establishes the connection manually without entering any access data, as long as I am also logged in on the client with my account data, which are also used in the company network.

As you can see, it is quick and easy to deploy an Always-On VPN via Citrix ADC. I hope you enjoyed the article and you were able to take something with you. If you have any questions, praise or comments, please feel free to leave a comment.

Feel free to read my other articles about Citrix, Microsoft or VMWare.

Leave a Comment

Your email address will not be published. Required fields are marked *