Product Documentation
Gateway
14.1-Current Release 13.1 12.1
View PDF

Configure Always On VPN before Windows Logon using classic policy

September 27, 2025
Contributed by: 
C S

Prerequisites

  • NetScaler Gateway and VPN plug-in must be version 12.0.51.24 and later

  • Using classic policy you can configure machine-level tunnel only. For user-level tunnel configuration, see [advanced policy config link]

Configure Always On VPN before Windows Logon by using classic policy in GUI

Always On VPN before Windows Logon supports the following two configurations:

  • Device certificate authentication
  • Client Certificate Authentication

Device certificate based authentication

  1. On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers.
  2. On the NetScaler Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. On the VPN Virtual Servers page, under Basic Settings section, click Edit.
  4. Clear the Enable Authentication box to disable authentication and enable device certificate by checking the Enable Device Certificate box. Enable device certificate

  5. Click Add to add available device certificate issuer’s CA certificate name to the list.

  6. For binding a CA certificate to the virtual server, click CA certificate under Certificate section. Click Add Binding under the SSL Virtual Server CA Certificate Binding page.

  7. Click Click to select to select the required certificate.

    Certificate page

  8. Select the required CA certificate.

    Select required certificate

  9. Click Bind.

  10. Click OK to save the configuration.

Client Certificate based authentication

  1. On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers.
  2. On the NetScaler Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. In the navigation pane, under Authentication, click CERT.
  4. In the details pane, click Add.
  5. In the Name field, type a name for the policy.
  6. Click New next to the server.
  7. In Name, type a name for the profile.
  8. Select OFF next to Two Factor.
  9. In User Name and Group Name, select the values and then click Create.
  10. In the Create Authentication Policy dialog, next to Named Expressions, select the expression, click Add Expression, click Create, and then click Close.
  11. Bind the expression to the virtual server.
  12. On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers.
    1. On the NetScaler Gateway Virtual Servers page, select an existing virtual server and click Edit.
    2. In the configure NetScaler Gateway Virtual Server dialog box, click the Authentication tab.
    3. Click Primary and under Details, click Insert Policy.
    4. In Policy Name, select the policy and then click OK.
    5. On the VPN Virtual Servers page, create an SSL profile.
    6. In Deny SSL Renegotiation, select NONSECURE for non-secure requests only. SSL profile
  13. Click OK.

Client side configuration

AlwaysOn, locationDetection, and suffixList registries are optional and only required if the location detection functionality is needed.

Registry key Registry type Values and description
AlwaysOnService REG_DWORD 1 => Enable Always On service without a user persona; 2 => Enable Always On service with user persona
AlwayOnURL REG SZ URL of the NetScaler Gateway virtual server a user wants to connect to. Example: https://xyz.companyDomain.com
AlwaysOn REG_DWORD 1 => Allow network access on VPN failure; 2=> Block network access on VPN failure
locationDetection REG_DWORD 1 => To enable location detection; 0 => To disable location detection
suffixList REG SZ Comma separated list of intranet domains. Used when location detection is enabled.
Configure Always On VPN before Windows Logon using classic policy
September 27, 2025
Contributed by: 
C S
September 27, 2025
Contributed by: 
C S

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.