Windows Pre-Logon Tunnel

The Pre-Logon Tunnel feature provides a Windows endpoint with access to resources such as Active Directory (AD) for setup and pre-configuration purposes. Pre-Logon Tunnel can be established before the user’s authentication to the Windows endpoint.

The configuration includes the following parts:

  1. Creating an Axis IdP user to be used to identify the Pre-Logon Tunnel
  2. Setting a policy for the created Axis IdP Pre-Logon Tunnel User
  3. Setting a registry key and installing the Axis agent on the Windows endpoint, either with an MDM solution or manually

Creating the Axis IdP Pre-Logon Tunnel User

The Pre-Logon Tunnel requires a special user account for secure, conditional access to resources.

  • First, create the Pre-Logon Tunnel User account (e.g. “Pre-Logon User”) in the Axis IdP by navigating to Settings->Axis IdP.
  • Request a Pre-Logon Tunnel User token by contacting Axis Support ([email protected]) with the newly created user name. This token will be needed for the MDM configuration.

Setting a policy rule for the Pre-Logon Tunnel User

Access to the pre-configuration resources requires creating a new policy rule that allows the Pre-Logon Tunnel User to access the required resources.

  • Confirm that the required private applications have been created under Settings->Applications. If necessary, create the applications (for example, an Active Directory application).
  • Create a new policy rule under Policy->Rules. The rule should allow the Pre-Logon Tunnel User to access the applications from the previous step.

Configuring the MDM Solution

The MDM solution is used to pre-stage the Axis agent and Pre-Logon Tunnel User token so that the tunnel can be started automatically.

  • Use the MDM to push and install the Axis agent to the machine. Pre-Logon Tunnel requires agent version 3.11.1 or later. Contact Axis Support ([email protected]) if necessary to enable this version.
  • Use the MDM to set the registry key to the value of the Pre-Logon Tunnel User token obtained from Axis Support:
    • The key has to be set under the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\axis
    • Note: If a “PreLogonTunnel” registry key is already present in the above path, delete it.
    • New Registry Key Info:
      Key: “InitToken”
      Value: The token provided by Axis Support
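
One way to apply the registry steps above from an MDM-deployed or manually run PowerShell script (an added example, not Axis-supplied code). It assumes the script runs elevated, that “InitToken” is a string (REG_SZ) value, and that an existing “PreLogonTunnel” entry may be either a value or a subkey; the parameter name is hypothetical.

```powershell
# Added example, not Axis-supplied code. Run elevated (e.g. as SYSTEM from the MDM).
[CmdletBinding()]
param(
    # Token issued by Axis Support; passed in by the MDM at deployment time, never hard-coded.
    [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$InitToken
)
$ErrorActionPreference = 'Stop'
$axisKey = 'HKLM:\SOFTWARE\Classes\axis'   # path given on this page
$token   = $InitToken.Trim()

# Create the key if it does not exist yet.
if (-not (Test-Path -LiteralPath $axisKey)) {
    New-Item -Path $axisKey -Force | Out-Null
}

# The page says to delete an existing "PreLogonTunnel" entry but not whether it is a
# value or a subkey, so both forms are handled (assumption).
if ((Get-Item -LiteralPath $axisKey).GetValueNames() -contains 'PreLogonTunnel') {
    Remove-ItemProperty -LiteralPath $axisKey -Name 'PreLogonTunnel'
}
$subKey = Join-Path $axisKey 'PreLogonTunnel'
if (Test-Path -LiteralPath $subKey) {
    Remove-Item -LiteralPath $subKey -Recurse -Force
}

# Write the token. REG_SZ is an assumption; the page does not state the value type.
New-ItemProperty -LiteralPath $axisKey -Name 'InitToken' -Value $token `
    -PropertyType String -Force | Out-Null

# Read back and compare without echoing the token into deployment logs.
$stored = (Get-ItemProperty -LiteralPath $axisKey -Name 'InitToken').InitToken
if ($stored -cne $token) {
    throw "InitToken read-back mismatch under $axisKey"
}

# List who has rights on the key so exposure of the stored token can be reviewed.
(Get-Acl -LiteralPath $axisKey).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

Write-Output "InitToken set under $axisKey"
```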

Additional Notes:

  • The Windows endpoint must be domain-joined.
  • After a user has successfully logged in to the Axis agent, the Pre-Logon Tunnel is not re-initiated by default. To keep the Pre-Logon functionality after a user has logged in to the agent, contact Axis Support.