Caltech VPN (AnyConnect) Start Before Logon Instructions

If you haven't already done so, please read the Caltech VPN Overview and sign up to use the VPN service.


Contents

Start Before Logon Overview

Start Before Logon is an additional feature of the Cisco AnyConnect Client that allows the user to establish a VPN connection before logging into the computer.

This is necessary for users who must create a VPN session before logging into their computer in order to mount shared drives, etc.

Installing and configuring Start Before Logon (SBL) will change the Windows start up process, requiring users to type Control-Alt-Delete to proceed with the login. Most users will not want the additional step that SBL introduces into the start-up process unless needed for business reasons. Read the section Using Start Before Logon to see how SBL works and if it is useful to you.

SBL can be added if AnyConnect is already installed, and can be removed if no longer needed. The feature can also be enabled and disabled through a checkbox in the AnyConnect client.

Disable VPN 3000 Start Before Logon

If you previously used Start Before Logon in the older version VPN3000 client, that feature must disabled in order to use AnyConnect. To check the Start Before Logon setting, launch the VPN300 client. Click on the Options menu and choose the Windows Logon Properties item.



In the Windows Logon Properties dialog, you will see a check box labeled Enable start before logon.

If the checkbox is highlighted as in the illustration, click on on the checkbox to unselect it. Then click on OK and exit from the VPN3000 client.


Installing SBL with a New AnyConnect Installation

If you haven't installed AnyConnect before, it's very simple to add Start Before Logon. The instructions for installing Caltech VPN (AnyConnect) on Windows are here. The process to add Start Before Logon is exactly the same with one exception. After visiting https://vpn.caltech.edu in a web browser, a page will be displayed with a login form like so:


The available profiles are listed in the Group drop down menu. The initially selected profile will be Tunnel-Caltech-Traffic-Only. To install Start Before Logon, this is not the one to use.

To install Start Before Logon, click on the Group drop down menu like so:



All the available profiles will be listed. Choose one of the WinDomanUser profiles as in the illustration.

Now continue with the installation as described in the Caltech VPN (AnyConnect) Windows instructions. The Start Before Logon capability will be added. To enable Start Before Logon, you will need to restart your computer.

Click here to view information on using AnyConnect with Start Before Logon.

Installing Start Before Logon with an Existing AnyConnect Installation

If you have already installed AnyConnect without Start Before Logon then it can be added.

Unfortunately, simply uninstalling and reinstalling AnyConnect will not correctly add the SBL capability.

Likewise, simply choosing one of the WinDomainUser profiles and logging in with AnyConnect will not correctly add SBL.

To correctly add Start Before Logon to an existing AnyConnect installation, there are 3 files which must be deleted.

Note: If you are not comfortable deleting files in Windows, or do not have much experience changing system settings in Windows, please contact the Help Desk (x3500, http://help.caltech.edu (request type IMSS-->Desktop Support-->Other) for assistance. You might also contact your system adminstrator if there is one.

The folders AppData and ProgramData are normally hidden folders. To make them visible, go to Control Panel->Folder Options and check the Show All Folders checkbox.

Locate the following files.

C:\Users\\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml

Delete the preferences.xml file.


In the folder

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile there will be one or more files having an .xml suffix (for example, LLA-Recon-SBL.xml).

Delete all the files with an .xml suffix.

Do not delete any other files.


Now, use the AnyConnect client to create a VPN connection. Choose one of the WinDomainUser profiles. AnyConnect will automatically replace the deleted files. The necessary changes for Start Before Logon will be done automatically.

To enable Start Before Logon, restart the computer.

You may want to remove the Show All Folders setting in the Folder Options dialog.


Using Start Before Logon

Once you have installed AnyConnect with Start Before Logon and restarted your computer, Windows will begin the startup process. However, instead of the normal display with your username and a password field, there will be a display such as this:


Hold down the Ctrl and Alt keys together, and press the Delete key to continue.

Windows displays the familiar login display. There is an additional button below the Password field, labeled "Switch User". The Switch User button will be used to establish the AnyConnect VPN session.

Note: At this point you do not have to create an AnyConnect VPN session. You can log into your computer by entering your password as usual. AnyConnect will not establish a VPN session before logging in, and you can use your computer as you usually do. You can also use AnyConnect without the Start Before Logon capabilities if you choose.

Click on the Switch User button in order to use Start Before Logon.

Notice that the Switch User button has disappeared, and been replaced with a Cancel button. In the lower right corner, a Network Logon button has appeared.

Note: If you decide that you don't want to create a VPN session at this point, click on the Cancel button. The display will revert to the previous one with Switch User, and you can log in normally.

Click on the Network Logon icon to create an AnyConnect VPN session, .

The standard AnyConnect login window will appear.



Click on the Select button to download profiles and updates. The Group will contain one of the available profiles. Your access.caltech username may appear in the Username field.



Since this is Start Before Logon session, choose one of the WinDomainUser profiles. Enter your access.caltech credentials in the appropriate fields and click on Connect.

The AnyConnect client will create a VPN connection, and the AnyConnect dialog will disappear.

The Windows display will now have a Disconnect button in the lower right corner.

Note: If you decide at this point you don't want the VPN session, click on Disconnect and you'll return to the normal login display.

To continue using the AnyConnect VPN session, click on the icon with your username. The password field will appear, and you can enter your password. Your login should proceed as normal and display your desktop.

The AnyConnect icon will be displayed in the lower right corner of the Windows desktop window. You can now use your computer normally, and access the specific services which have been made available for use over VPN.

The AnyConnect client can be accessed by Right-Clicking on the AnyConnect icon in the lower right corner of the window. The AnyConnect menu will appear.



Choosing Open AnyConnect will open the AnyConnect client window.



At this point, your AnyConnect session will operate the same way as a session created without Start Before Logon. For more information on using AnyConnect, please see Using the Caltech VPN AnyConnect Client.

Starting an AnyConnect session with Start Before Logon will add one item to the Preferences dialog that you may want to know about. To see the Preferences dialog, click on the Preferences icon as in the above illustration.



In addition to the normal AnyConnect preferences, there is a checkbox labeled "Use Start Before Logon". Leave this setting checked to use Start Before Logon. If you remove the checkbox setting, Start Before Logon will not be enabled. Specifically, you will not see the "Switch User" button in the Windows startup display. Disabling Start Before Logon will not remove the required Control-Alt-Delete sequence to log in to the computer.

Removing Start Before Logon

If you no longer need Start Before Logon, you can remove it without affecting the AnyConnect client.

From the Start Menu, open the Control Panel and locate the Programs and Features applet. Double click to open it. You'll see a list of installed programs.



The Cisco AnyConnect VPN Client will be listed.

There will also be an item labeled Cisco AnyConnect VPN Client Start Before Login Components. You can double-click or right-click on the Start Before Login Components to uninstall the Start Before Logon capability.

Note: Be sure to select the Cisco AnyConnect VPN Client StartBefore Login Components item. If you select the AnyConnect Client and delete it before removing the Start Before Logon Components, the login function of your computer may be corrupted, and fail to work properly. Be sure to delete the Start Before Logon Components, then restart the computer. If you also want to remove the AnyConnect client, you can now safely do that.

Restart your computer to finish the process. The Control-Alt-Delete sequence required by Start Before Logon will no longer appear.