Windows always-on Client


Always-on clients are similar to the full client that a normal user would use, but they also allow the user's device to connect to the network when no user is signed in. The always-on client combines the full client, which behaves in the usual (interactive) way, with the headless client, which runs in the background without a UI.

This functionality is in part designed to provide an alternative to using the Windows SSO (PLAP) client. Here are a few examples of use cases for the headless half of the always-on client:

  • Provision sufficient entitlements to allow connection to the domain controller. This could then allow a virgin Windows PC to become domain joined while remote from the network (just using a bootable USB stick).

  • Include an entitlement (down rule) that would allow remote administration of the device.

  • Set a default route entitlement for the device so it captures and redirects all the user's traffic at all times.

Whenever the user is not signed in using the always-on-full client, the always-on-headless client will continuously try to sign in. This means that at boot-up, devices using the always-on client will always be signed in using the always-on-headless client, which gets its own entitlements (based on its own policy). This allows secure connections to be established with certain Sites, providing access to a limited set of resources protected by AppGate ZTNA irrespective of what the user is doing.

As soon as the user signs in using the always-on-full client they will get their own entitlements (based on their policy) and always-on-headless will suspend (keeping its tokens in memory so it can resume later). If and when the user suspends the always-on-full client or signs out, then the always-on-headless takes over again immediately. These two modes of operation (headless and full) are quite independent, so renewing the tokens for one will not renew tokens for the other.

The always-on client supports auto-update; the update is initiated from either the headless or the full client, depending on which one is connected. Both parts of the client are updated together.

System limitations for the Windows always-on client

  • You must have different users defined for the always-on-headless and always-on-full mode. The on-boarding process has to be done for both the AppGate ZTNA always-on-headless and always-on-full clients. If the user is the same for both modes and has already on-boarded in one of the two modes, then the other mode will fail to onboard. This means the client will consume two user licenses.

  • Multi-factor authentication on-boarding is not supported on the always-on-headless client, so if MFA is required for the always-on-full client, a different IdP will have to be chosen for the headless client and two different profile links used.

  • Custom on-demand device claims are not supported while running in always-on-headless mode.

  • You will probably want to have different policies for the always-on-headless and always-on-full clients. These can be assigned based on the different users (or IdPs) that have been defined. Alternatively, the clientType claim can be used, as this will report either full or headless depending on the mode in use.

Standard executables for the Windows always-on client

The Windows always-on client uses standard executables:

  • Appgate SDP Service. Appears twice running as USER and as SYSTEM (in the background).

  • Service Configurator. Included to configure the headless client. Requires that the Appgate SDP Service is running.

Installing the Windows always-on client

Install the client from the command line using the /O (/ALWAYSON) switch.  It is recommended to run it using the /S (silent installation) switch as well.

An existing AppGate ZTNA full client installation can be upgraded to run as an always-on client by simply running the installer with /O. The full client will be upgraded and the headless mode added. Any existing profiles from the full client will be retained. Refer to Windows clients for a full explanation of all the installation switch options.

To install the Windows always-on client in silent mode, open a cmd window and enter:

start "" /WAIT "AppGate-SDP-x.y.z-Installer.exe" /O /S /P="appgate://url.com"

PowerShell requires slightly different syntax:

Start-Process -FilePath "Appgate-SDP-x.y.z-Installer.exe" -ArgumentList '/O /S /P="appgate://url.com"' -Wait

NOTE

The profile link defined after the /P switch will set only the profile for always-on-full mode. Profile links can be obtained from the Client Profiles UI.

Use services.msc to make sure that both the Appgate SDP client service (appgateservice) and Appgate SDP Driver Control (cxdriver) exist as services and that both are running.
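The install-and-verify procedure above, scripted end to end. This is an added example, not a script shipped with the Appgate client: it runs the silent always-on install from an elevated PowerShell session, waits for the installer to exit, then checks that the two services named above exist and are running and shows the tail of the headless client's log files. The installer file name, the profile link and the working directory are placeholders you must replace; the service names and the log location are those stated on this page.

```powershell
# Added example (not part of the Appgate documentation or client).
# Run from an elevated PowerShell prompt. Placeholders (assumptions, not
# from the page): the installer file name and the profile link.
$Installer  = ".\AppGate-SDP-x.y.z-Installer.exe"   # assumed path
$ProfileUrl = "appgate://url.com"                    # assumed profile link

# /O = always-on, /S = silent, /P = profile for the *full* mode only.
# /O must be passed on every install, upgrade or reinstall, otherwise the
# client drops back to a plain full client. The headless profile is set
# separately with the Configurator tool (see "How to set the client
# configuration" below).
$proc = Start-Process -FilePath $Installer `
    -ArgumentList "/O /S /P=`"$ProfileUrl`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# The two services the page says must exist and be running.
$expectedServices = @('appgateservice', 'cxdriver')
foreach ($name in $expectedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Error "Service '$name' is not installed"
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$name' is $($svc.Status), expected Running"
    } else {
        Write-Host "OK: $name ($($svc.DisplayName)) is Running"
    }
}

# Headless client logs, as documented under "Log files".
$logDir = 'C:\ProgramData\AppGate'
foreach ($log in 'service.log', 'driver.log') {
    $path = Join-Path $logDir $log
    if (Test-Path $path) {
        Write-Host "---- last 20 lines of $path ----"
        Get-Content -Path $path -Tail 20
    } else {
        Write-Warning "$path not present yet (client may not have started)"
    }
}
```

The service check is the scriptable equivalent of opening services.msc; run it again after a reboot, since the headless client only signs in on its own once the user is logged out, and confirm the sign-in itself with the Configurator tool's status check rather than from the service state alone.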

NOTE

Write access to "TrustedCertificatePath"  is recommended when using the headless client.

NOTE

Always provide the /O flag every time the client is installed, upgraded, or reinstalled to continue to run it as the always-on client.

Uninstalling the Windows always-on client

Uninstall the Windows always-on client in one of the following ways:

  • Run the uninstaller from the start menu shortcut

  • Use the Add or Remove Programs option in Windows

NOTE

Any configurations of the always-on-headless client will not be removed on uninstall, only the client binaries.

How to set (or change) the client configuration

Once installed, there will be an “Appgate SDP” folder in the Windows start menu that contains a number of items, including a shortcut to the normal headless client's Configurator tool. This tool should now be used to configure the always-on-headless mode. Run the Configurator tool with the -o option using the (same or a different) profile link to set a profile for always-on-headless mode. At the same time, set some credentials for the always-on-headless client to use when signing in to the Controller. Profile links can be obtained from client profiles.

NOTE

If the install time profile (set with the /P option) is removed or replaced by the user in the always-on-full mode, this will not remove the profile for the always-on headless mode.

The Configurator tool can be used at any time to change the profile or credentials used by the always-on-headless client. It can also check the status of the Windows always-on client, such as checking that it has signed in correctly.

Log files

There are two log files for the always-on-headless client:

  • service.log

  • driver.log

Both of these files are found in C:\ProgramData\AppGate\