>Example: -New user is getting installed the Gateway-Plugin with our software deployment. The registrykeys for the hive "HKLM/Citrix/Secure Access Client" will be configured for AlwaysOn and the Gateway URL. Client is getting rebooted. User logins to his computer and the gateway plugin is asking for his password. Now the VPN tunnel is estasblished but only with user input. After the next reboot the SSO is working and the tunnel gets established automaticly
The NetScaler Gateway client uses the configured authentication mechanism and tries to establish a tunnel. If the authentication methods do not involve a user prompt, the tunnel is established seamlessly.

---

Instructions

Natural behaviour. AlwaysON automatically connects a user to a VPN tunnel that the client has previously established. The first time the user needs a VPN tunnel, the user must connect to the NetScaler Gateway URL and establish the tunnel. After the AlwaysON configuration is downloaded to the client, this configuration drives subsequent establishment of the tunnel.

https://docs.citrix.com/en-us/netscaler-gateway/12/vpn-user-config/alwayson.html