GINA mode

Overview

The GINA mode allows you to open VPN connections before Windows logon.

This function can, for example, create a secure connection to an access rights management server so that the user workstation access rights can be obtained before opening a user session.

When a tunnel is configured “in GINA mode”, the following two situations are possible:

  1. If the VPN Client is configured to start up in TrustedConnect mode (refer to section General), then the TrustedConnect Panel will be displayed on the Windows logon screen and the VPN Client tries to automatically connect to the trusted network.

    NOTE
    As of SN VPN Client Exclusive version 7.4, if the option that allows users to choose the connection in the TrustedConnect Panel was enabled with the MSI property DIALERBEHAVIOR when the VPN Client was installed (see “Deployment Guide”), users can choose the connection before they log on to Windows (see section Choosing the connection).

  2. Otherwise, a window allowing you to open a tunnel that is similar to the Connection Panel will be displayed on the Windows logon screen. It allows you to open a VPN tunnel manually or automatically.

NOTE
As of SN VPN Client Exclusive version 7.5, the behavior of the GINA mode changes according to the compliance level reported by the Secure Connection Agent (SCA), which determines whether a workstation should be allowed to access the corporate network (see section In GINA mode).

Special use case

If you want to use several tunnels, one for the GINA mode and another for connecting the user in TrustedConnect mode after Windows logon, the user tunnel must be the first in the list of connections.

This way, the GINA tunnel will be opened when the workstation starts up, and then a transition to the user tunnel will take place when the user logs on to Windows. Likewise, a transition from the user tunnel to the GINA tunnel will take place when the user logs off from Windows.

Configuring the GINA mode

Configuring the GINA mode for a VPN connection is done on the Automation tab of the relevant tunnel.

Refer to chapter Automation.

Using the GINA mode

When the VPN tunnel is configured in GINA mode, the window used to open GINA tunnels is displayed on the Windows logon screen. The tunnel will open automatically if it is configured accordingly.

A GINA-mode VPN tunnel can use EAP authentication (users must enter their login name and password) or certificate-based authentication (users must enter the PIN code required to access the smart card).

Security considerations

A tunnel configured in GINA mode can be opened before Windows logon, i.e. by any user of the workstation. We therefore strongly recommend that you set up a strong authentication method that is certificate-based and, if possible, stored on a removable device.

NOTE
For the Automatically open this tunnel on traffic detection option to be operational after Windows logon, the Enable before Windows logon option must not be checked.

IMPORTANT
  • Limitation: Scripts and USB mode are not available for VPN tunnels configured in GINA mode.
  • A VPN tunnel configured with a certificate stored in the Windows user certificate store cannot be used in GINA mode. The reason for this is that the GINA mode is run before a Windows user is identified (prior to opening any session). The software simply cannot identify the user’s certificate in the Windows machine certificate store.
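
The check below is an added example, not part of the product documentation or tooling: it reports which Windows certificate store holds a given certificate, so that a tunnel certificate living only in the user store is spotted before the tunnel is enabled for GINA mode. The function name Test-PreLogonCertificate is hypothetical, and the script assumes the machine store (LocalMachine\My) is the intended alternative to the user store; it applies to certificates taken from the Windows certificate store, not to those read directly from a smart card or token.

```powershell
# Added example (not vendor code). Run in the session of the user who owns
# the tunnel so that Cert:\CurrentUser\My is that user's store.
function Test-PreLogonCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint   # thumbprint of the certificate configured for the tunnel
    )

    # Thumbprints pasted from the certificate dialog often carry spaces or
    # invisible characters; keep hexadecimal digits only.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Look the certificate up in one store; returns $null when absent.
    $find = {
        param($storePath)
        Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $tp } |
            Select-Object -First 1
    }
    $machine = & $find 'Cert:\LocalMachine\My'
    $user    = & $find 'Cert:\CurrentUser\My'

    $now = Get-Date
    if ($machine -and -not $machine.HasPrivateKey) {
        $verdict = 'In machine store, but without a private key'
    } elseif ($machine -and ($now -lt $machine.NotBefore -or $now -gt $machine.NotAfter)) {
        $verdict = 'In machine store, but outside its validity period'
    } elseif ($machine) {
        $verdict = 'In machine store: readable before a user session exists'
    } elseif ($user) {
        $verdict = 'User store only: cannot be used in GINA mode'
    } else {
        $verdict = 'Not found in either store'
    }

    [pscustomobject]@{
        Thumbprint     = $tp
        InMachineStore = [bool]$machine
        InUserStore    = [bool]$user
        Verdict        = $verdict
    }
}

# Placeholder thumbprint (constructed); replace with the real value.
Test-PreLogonCertificate -Thumbprint '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'
```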