NetScaler Gateway 11.1 – RDP Proxy

Last Modified: Dec 22, 2016 @ 1:40 pm

RDP Proxy

NetScaler supports RDP Proxy through NetScaler Gateway. No VPN required. In 11.1 and newer, RDP can connect to Gateway on 443. In older NetScaler, RDP connects on 3389.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
    • Bookmarks can be defined by the administrator.
    • Or users can add their own RDP bookmarks.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
  • In the RfWebUI Portal Theme, the Add Bookmark link lets users enter an RDP address, and click Go.

The easy configuration is for one Gateway to do both authentication and RDP Proxy. Alternatively, you can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
    • NetScaler 11.1 build 49 and later come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses.
  • TCP 443 opened to the NetScaler Gateway Virtual Server. If older NetScaler, open TCP 3389 to the Gateway.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Do the following to configure RDP Proxy:

  1. Go to System > Settings, and click Configure Advanced Features.
  2. Check the box for RDP Proxy, and click OK.
  3. Expand NetScaler Gateway, expand Policies, and click RDP.
  4. On the right, switch to the Client Profiles tab, and click Add.
  5. Give the Client Profile a name, and configure it as desired. Scroll down.
  6. It is no longer necessary to configure a Pre-shared key or an RDP Host. Just click Create.
  7. It is no longer necessary to create an RDP Server Profile.
  8. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  9. Alternatively, Simon Gottschlag's Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
  10. On the right, click Add.
  11. Give the Bookmark a name.
  12. For the URL, enter rdp://MyRDPServer using IP or DNS.
  13. Check the box next to Use NetScaler Gateway As a Reverse Proxy, and click Create.
  14. Create more bookmarks as desired.
  15. Create or edit a Session Profile/Policy.
  16. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
  17. On the Remote Desktop tab, Override Global and select the RDP Client Profile you created earlier.
  18. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  19. On the Published Applications tab, make sure ICA Proxy is OFF.
  20. Edit or Create your Gateway Virtual Server.
  21. In the Basic Settings section, click More.
  22. It is no longer necessary to bind an RDP Server Profile. Instead, RDP is proxied through 443 on the Gateway.
  23. Scroll down. Make sure ICA Only is not checked. This means you’ll need NetScaler Gateway Universal licenses for each user that connects through this Gateway.
  24. Bind a certificate.
  25. Bind authentication policies.
  26. Bind the session policy/profile that has the RDP Client Profile configured.
  27. You can bind Bookmarks to either the NetScaler Gateway Virtual Server, or to an AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  28. On the left, in the Published Applications section, click where it says No Url.
  29. While editing your Gateway vServer, you can also enable the new RfWebUI Portal Theme. This requires StoreFront to be 3.6 or newer.
  30. Bind your Bookmarks.
  31. Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
  32. On the right, click Change authentication AAA settings.
  33. Change the Maximum Number of Users to your licensed limit. In NetScaler 11.1 build 49 and newer, this value should already match the number of licensed users. In older builds, you must manually configure this setting, and if not configured, then it defaults to only 5 concurrent connections.
  34. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  35. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
  36. Connect to your Gateway and login.
  37. If you configured Bookmarks and are using the RfWebUI theme, on the Apps tab, click Web and SaaS Apps.
  38. If X1 theme, the bookmarks are on the Web Apps page.
  39. Then click the Bookmark. If RfWebUI theme, you can also click Details to mark the Bookmark as a Favorite.
  40. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).
  41. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
  42. Then open the downloaded .rdp file.
  43. You can view the currently connected users by going to NetScaler Gateway > Policies > RDP, and on the right is the Connections tab.
  44. If using the RfWebUI theme, another way to launch RDP sessions is to click the Add Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
  45. You can also Save the bookmark.
  46. Then access the saved bookmark from Apps > Personal Bookmarks.
  47. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
  48. The X1 theme has an Add button on the Web Apps page.
  49. But there is no Go button. Instead, you save the Bookmark and launch it from the list.

41 thoughts on “NetScaler Gateway 11.1 – RDP Proxy”

  1. Hi Carl,

    Is there a way to block users from entering /rdpproxy/RDPServer URL ? I want to be sure that a user get access to the bookmarks but nothing more.

    Regards,

    Stéphane

  2. Thanks for the article Carl. Any idea how I can restrict RDP Bookmarks to different AD Groups and with different options like:
    – AD Group 1 gets Bookmark “Support VM” with redirect Printers enabled
    – AD Group 2 gets Bookmark “Support VM” and “Trainee VM” with redirect Printers disabled
    – and so on…

    Thanks and Regards
    Julian

    1. You can add Gateway AAA Groups that match the AD Group names, and assign bookmarks and Session Policies to the AAA Groups.

        1. Ok, found it… When you edit the AAA User or AAA Group under the section Security -> AAA, Users, there is no Bookmark option. Edit the AAA User under NetScaler Gateway -> User Administration -> AAA User / AAA Groups, and the option is visible. Funny.

  3. Carl, thanks for this article. This is very promising from a MFA PCI perspective. It’s been a while since I engineered NetScaler (I architect now). Can you do something similar to this but using an SSH client such as PuTTy?

  4. Hi Carl, the custom RDP line works through the custom option in the RDP client profile, but what if an existing entry, non-custom, needs to be deleted from the file? I ask because my custom entry gets put at the top of the RDP file and the same default entry overrides it further down.

    kind regards,
    Geoff

    1. I’m holding thumbs for a solution as well. I have the same issue when I try to override the default “enablecredsspsupport” setting in the RDP file generated.
      Regards,
      Pieter

      1. Thanks Carl, all working fine. Just need to inject a custom line into the RDP file which is downloaded, can this be done do you know? Geoff

  5. Can the RDP server be a Windows OS desktop, i.e. one user, one desktop for every user connecting through this NetScaler RDP proxy?

      1. Thanks Carl, have you had experience of pre-populating automatically the users desktop name where it is already known what the users desktop is, instead of user having to provide this?

  6. Is it possible to disable Credssp support in the RDP file generated by the NetScaler RDP proxy?

    Each downloaded RDP file contains the “enablecredsspsupport:i:1” setting which prevents users from changing expired passwords in a scenario where:
    – SSO is disabled with a traffic policy
    – Network Level Authentication and CredSSP is used on the remote RDP host
    – The user’s password has expired

    What seems to happen is that the user is authenticated, but the password change message cannot be passed to the user.

    A workaround for a regular RDP file is to disable credssp by adding “enablecredsspsupport:i:0” to the RDP file. Adding this as a custom parameter in the RDP client profile does add the setting to the generated RDP file at the top of the file – HOWEVER, this is then overwritten by the original setting again, which enables it again.

    Not sure if this behaviour can be changed, but any ideas would be greatly appreciated.
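The situation in steps 41 and 42 of the guide and in this comment (a custom line placed at the top of the downloaded .rdp file, then overridden by the appliance's own later entry for the same key) can be checked with a small parser before the file is opened. The following is an added example, not code from the post or from Citrix: the .rdp content it parses is constructed to show the key:type:value layout, and the "last occurrence wins" rule is what the commenters observed rather than anything the page documents.

```python
"""Inspect a .rdp file downloaded from NetScaler Gateway RDP Proxy.

Added example, not code from the post or from Citrix. The file content below is
constructed to resemble the key:type:value layout of a .rdp file; a real file
from the appliance will contain different and additional entries.
"""
from collections import OrderedDict

# Constructed sample: line 1 stands in for a custom parameter added through the
# RDP Client Profile, line 4 for the appliance's own later entry for the same key.
SAMPLE_RDP = """\
enablecredsspsupport:i:0
full address:s:gateway.example.com:443
username:s:CORP\\jdoe
enablecredsspsupport:i:1
redirectprinters:i:0
"""

def parse_rdp(text):
    """Return (effective, duplicates).

    effective maps key -> (type, value) using the LAST occurrence, which is the
    precedence the commenters above observed; duplicates maps each key that
    appears more than once to every value seen, in file order.
    """
    effective = OrderedDict()
    seen = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)          # the value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: not a key:type:value entry: {raw!r}")
        key, typ, value = parts
        if typ == "i":
            value = int(value)
        seen.setdefault(key, []).append(value)
        effective[key] = (typ, value)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates

def gateway_endpoint(effective):
    """Split 'full address' into (host, port); the RDP client defaults to 3389 if no port is given."""
    _, addr = effective["full address"]
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, 3389
    return host, int(port)

def report(text):
    """Human-readable findings: where the file connects and which keys conflict."""
    effective, duplicates = parse_rdp(text)
    host, port = gateway_endpoint(effective)
    lines = [f"connects to {host} on TCP {port}"]
    for key, values in duplicates.items():
        lines.append(f"'{key}' appears {len(values)} times; effective value is {values[-1]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RDP)))
```

Run against a real downloaded file (read it with `open(path).read()` and pass the text to `report`), the first line confirms the file really targets the Gateway on 443 as step 41 says, and the duplicate report makes visible that a custom `enablecredsspsupport` line is not the value that takes effect, which is exactly what this comment describes.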

  7. Hi Carl,
    Any ideas on this one…
    Using NS 11.1, I’ve setup the RDP Proxy as per your guide (including the SSO traffic policy tip from Carsten). If I connect to the Gateway VServer IP directly, then everything works well – I can connect to the vserver login page and login successfully, choose the RDP Bookmark which downloads the RDP file and I can open that and it connects me to the RDP server as expected.
    However, if I attempt to connect via the internet facing firewall (NATs to the Netscaler Gateway VIP), everything works until launching the RDP file… I receive “An internal error has occurred”.
    Reviewing firewall logs indicates that 443 is passing through as expected, and I can access the vserver login page and login successfully. There doesn’t seem to be anything that is blocking the traffic.
    Reviewing the nstcpdump doesn’t show any traffic for 3389 (I’m not using any custom ports).

    We have a 2 arm setup – VServer is in a DMZ and the Netscaler SNIP is on the LAN.

    Any thoughts would be appreciated.
    Regards,
    Robert

      1. Hi Guys,
        I had already tried turning off the traffic inspection etc. on the firewall policy with no luck. I re-tested though just to be sure… Turns out the inbound policy on the ‘Next Gen’ firewall was configured to allow SSL and HTTP application type traffic through, not the actual inbound ports (i.e. 80 and 443). Because RDP traffic over SSL isn’t your typical SSL web browsing traffic, it rejects the connection. Changing the inbound policy to allow specifically port 80 (for redirect to https) and 443, as opposed to the application type, has resolved the issue.
        Thanks for the tips!
        Robert

          1. Yes, I’d only gone as far as turning off inspection for gateway AV, URL filtering, content filtering, etc. Didn’t click until this morning that the application type was causing the issue.

  8. Hi carl,

    Thanks for your document. My RDP Proxy is working BUT I have this issue of intermittent disconnection of RDP sessions: basically the user session hangs, then black screen, and RDP automatically tries to re-establish the connection but fails. However, if the user re-launches the RDP icon it connects back to the disconnected session.

    Any ideas? It’s only happening on connection using RDP Proxy, all vServer using ICA proxy are fine.

    thanks
    Lauro

  9. Hi Carl,

    Within the document, you have indicated a couple of times for “/rdpproxy/MyRDPServer” which we can either use DNS or IP for “MyRDPServer”. Is this a virtual server IP hosted by Netscaler? Or the Netscaler Gateway Virtual server IP?

    I am assuming that it is not an actual RDP server acting as a terminal as that role should be replaced by Netscaler.

    Do let me know if my understanding is wrong 🙂

    Thanks for your guide as always.

      1. So it is the internal resources 🙂 So for each RDP resource, I will need to create a separate client profile accordingly?

        1. You usually only need one client resource.

          You can then create bookmarks for each internal RDP Server (machine you want to use RDP to connect to). Or you can manually change the browser address bar to access another RDP server.

  10. Hey Carl, first I want to thank you for your excellent blog posts!

    I have read all instructions. When I click on the RDP bookmark, it opens a new tab with the /rdpproxy/RDPServer URL, but I see a message in the browser: “Error: Not a privileged User.” The .rdp file is not downloaded.

    I’m sure all settings are exactly as your blog describes. I’m running build-11.1-50.10 and have a Platinum license.
    Do you have any clue?

  11. Hi Carl,

    Thanks for your awesome documentation (as usual!).

    My setup isn’t working properly. I get “An internal error has occurred.” when I launch the RDP file after connecting to RDP Proxy.

    I made a Wireshark trace and I can see the NetScaler trying to connect to my server on the backend on port 3389, but I get a connection reset. I tried different targets (win10, ws2012, domain/non-domain). The firewall is disabled (On + “Allow All” in the profile) on the target. I’m able to connect to this target directly. I also tried to disable NLA on RDP without success.

    This is a brand new NetScaler in my lab at build 11.1.49.11.

    Any idea what I can check?

  12. Thank you for the post. I’ve configured everything, but I get the message “could not connect to the remote computer”. I think the NetScaler SNIP cannot connect to the RDP server. Is there a way to test this?

    1. From the NetScaler CLI, run shell, then run nstcpdump.sh port 3389 to see the RDP traffic. If you see the R flag, then a firewall is blocking.

      1. Thank you for your help. Another question: I’ve established SSO between Office 365 and the NetScaler Gateway virtual server. With SAML authentication to the Unified Gateway the RDP session won’t start (as I feared); with LDAP authentication it works fine. Is there a way to get it working with SAML authentication to the Unified Gateway?

        1. I’m guessing it needs the user’s password to perform SSON.

          For SAML to XenApp, Citrix has a way of requesting smart card certificates for login. I assume they don’t have similar functionality for RDP.

      2. Hi Carl,

        I had the same problem. I also saw the R Flag, but the reason was that the user was not authorized to do RDP on that server.
        The problem was the SSO from the Netscaler, the RDP destination uses different accounts.
        The traffic policy from CTX208324 has helped me.

        Best regards,

        Carsten
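Carl's troubleshooting advice in the thread above (run nstcpdump.sh port 3389 on the appliance and look for the R flag) and Carsten's observation that an R flag can also come from the RDP host itself rather than a firewall are easy to turn into a quick classifier for a capture. The following is an added example, not code from the post, from Citrix or from any commenter: it reads tcpdump-style text lines (nstcpdump.sh prints in that format) and reports, per SNIP-to-server attempt, whether the handshake completed, was actively reset, or never got a reply. The capture lines are constructed, not taken from a real appliance.

```python
"""Classify RDP Proxy back-end connection attempts from tcpdump-style output.

Added example, not code from the post. nstcpdump.sh on the appliance prints
tcpdump-style lines; the SAMPLE lines below are constructed to show the three
outcomes you can see for SNIP -> RDP server traffic on port 3389.
"""
import re
from collections import Counter, OrderedDict

# Constructed sample output (not a real capture): three SYNs from the SNIP
# 10.10.10.5 to three RDP servers, each answered differently.
SAMPLE = """\
12:00:01.000001 IP 10.10.10.5.50001 > 192.168.1.50.3389: Flags [S], seq 100, win 8192, length 0
12:00:01.000500 IP 192.168.1.50.3389 > 10.10.10.5.50001: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:02.000001 IP 10.10.10.5.50002 > 192.168.1.60.3389: Flags [S], seq 200, win 8192, length 0
12:00:02.000400 IP 192.168.1.60.3389 > 10.10.10.5.50002: Flags [S.], seq 300, ack 201, win 65535, length 0
12:00:03.000001 IP 10.10.10.5.50003 > 192.168.1.70.3389: Flags [S], seq 400, win 8192, length 0
12:00:04.000001 IP 10.10.10.5.50003 > 192.168.1.70.3389: Flags [S], seq 400, win 8192, length 0
"""

# timestamp IP src.port > dst.port: Flags [..]
PACKET = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def classify_flows(lines, rdp_port=3389):
    """Map (client_ip, client_port, server_ip) to 'established', 'reset' or 'no-reply'.

    An outbound packet toward rdp_port opens a flow as 'no-reply'; a SYN/ACK
    from the server marks it 'established'; any packet from the server carrying
    R marks it 'reset'. A reset means the host or a device in the path actively
    refused the connection; silence usually means a filter is dropping packets.
    """
    flows = OrderedDict()
    for line in lines:
        m = PACKET.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if int(dport) == rdp_port:
            flows.setdefault((src, sport, dst), "no-reply")
        elif int(sport) == rdp_port:
            key = (dst, dport, src)
            if key not in flows:
                continue                      # reply to a SYN we never saw
            if "R" in flags:
                flows[key] = "reset"
            elif "S" in flags and "." in flags and flows[key] == "no-reply":
                flows[key] = "established"
    return flows

def per_server(flows):
    """Count outcomes per RDP server so a blocked or refusing host stands out."""
    summary = {}
    for (_, _, server), status in flows.items():
        summary.setdefault(server, Counter())[status] += 1
    return summary

if __name__ == "__main__":
    flows = classify_flows(SAMPLE.splitlines())
    for (client, port, server), status in flows.items():
        print(f"{client}:{port} -> {server}:3389  {status}")
    print(per_server(flows))
```

Feed it the saved output of nstcpdump.sh (for example `classify_flows(open("rdp.txt").read().splitlines())`). A server that only ever shows `reset` needs attention on the host side or on a device between the SNIP and the host, as Carl and Carsten describe; a server that shows `no-reply` points at something silently dropping the SNIP's traffic, which matches the "could not connect to the remote computer" symptom in the question that started the thread.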
