Configuring AlwaysON on NetScaler 11.1

One of the cool new features in NetScaler 11.1 is a feature called AlwaysON, now NetScaler has had a VPN agent setup for a long time now, and in 11.1 it got a huge overhaul! AlwaysON is a VPN feature which will trigger the VPN agent to logon after a user is a logged into an computer.

image

Again there are some things that you need to be aware of by using this feature.

1: It requires that the vServer is set in smart access mode, meaning that all connections will require universal license.

2: It will require a user to be logged on the computer, therefore it will not be same as DirectAccess.

3: It requires an admin to install the VPN agent on the endpoint.

In order to configure the AlwaysON feature you need to configure an AlwaysON profile and attach it to a session profile on the NetScaler Gateway. First to create an AlwaysON Profile. NetScaler Gateway –> Policies –> AlwaysON

image

Its a pretty simple setup, but we need to be aware of what each setting does to the client configuration when they connect.

Location Based VPN: This defines how and when the client will try and connect. If it is set to Everywhere the client will try to authenticate the tunnel regardsless of where the client is.
Is set to Remote it will only try to connect when outside the network. DNS suffixes will be used to detect the location. The client receives the DNS suffixes in the configuration after successful login. These suffixes will be stored in registry. Client reads these suffixes upon starting and tries to resolve.  If the resolved IP addressed is a public IP address according to RFC1918, it is considered to be outside the enterprise network. If the resolved IP address(es) are private addresses according to RFC1918, the client is considered to be part of the enterprise network.

    10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

So if you use public IP’s or IPv6 for the DNS suffixes its going to be hard to use the Remote based location feature.

image

Client Control: The Logoff option from the plugin context menu and plugin UI will be disabled when AlwaysON  is enabled and client control is disabled.

image

Network Access ON VPN Failure:
This defines if the computer will have network access if the VPN authentication has failed. It has two options, either full access meaning that in regardsless of authenticaiton failure it will be able to communicate fully with the network. Or we can choose Only to Gateway which defines that it can only communicate with the VPN gateway if for some reason the VPN tunnel is not established.

So how does this look like for the enduser when they try to logon with a properly configured NetScaler Gateway? Pretty seamless!

0 thoughts on “Configuring AlwaysON on NetScaler 11.1”

  1. Hello Marius
    A great blog as ever!
    I just had someone else ask about using the ‘remote’ mode when the client actually does not use RFC1918 addresses. According to my colleague you need to have at least one DNS suffix resolve to a RFC1918 address. So, you can use real addresses, you would just need to have a ‘internal’ suffix point to one private address.

    Kind Regards

    Andrew

Leave a Reply

Scroll to Top
%d bloggers like this: