Machine and User tunnel at the same time

Sokrates — Mon, 11 May 2026 11:06:52 GMT

Hello all,
I've successfully created the machine tunnel before user login.
We use a seperate Gateway with an own site and want now to establish the machine tunnel permanent beside the user tunnel (please, don't ask me why).
I configuered the trac.defaults (machine_tunnel_after_logon STRING true GLOBAL 1), but there's the following problem:
The machine tunnel works, but the client isn't able to connect the user tunnel. I tried to activate the option "always connected" for the machine site, but it's gray.
Connectivity Settings of Global Properties> Remote Access> Endpoint Connect are Manual.
So I have the following questions:
- Is it possible to activate always connected for the secondary site (machine) and leave the primary site (user) at manual?
- Is it necessary to change the global properties?
- What kind of effects has the change of the global properties from Manual to Configured on endpoint clients?
Thank you for any comments

Re: Machine and User tunnel at the same time

PhoneBoy — Mon, 11 May 2026 15:03:42 GMT

The normal use case for Machine Tunnel works something like this:

User boots computer
Machine tunnel is established in the background
Once user authenticates to Windows and logs in, VPN client terminates the Machine Tunnel and is switched to a User Tunnel

At no time is there both a User and Machine tunnel active.
Also, the User and Machine tunnel are expected to be with the same gateway (not a different one) with "Always On" configured.

In your specific case, "Configured on Endpoint Client" would allow the checkbox for "Always On" to be configured on the client, whereas "Manual" requires the end user to activate the VPN connection.
Note that any changes to Global Properties affects ALL gateways managed under the domain.

topic Machine and User tunnel at the same time in SASE and Remote Access

Machine and User tunnel at the same time

Re: Machine and User tunnel at the same time