NetScaler Gateway 12 – RDP Proxy

Last Modified: Aug 28, 2017 @ 6:50 pm


ūüí° = Recently Updated

RDP Proxy Overview

NetScaler supports RDP Proxy through NetScaler Gateway. No VPN required. RDP can connect through NetScaler Gateway on port 443.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
    • Bookmarks can be defined by the administrator.
    • Or users can add their own RDP bookmarks.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
  • In the RfWebUI Portal Theme, the¬†Bookmark link lets users enter an RDP address, and click Go.



Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
    • Most NetScaler Editions come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and¬†NetScaler Platinum Edition = unlimited licenses. See Feature Licensing in the Gateway Tweaks post.
  • TCP 443 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.


Enable RDP Proxy Feature

  1. Go to System > Settings, and click Configure Advanced Features.
  2. In the left column, near the bottom, check the box for RDP Proxy, and click OK.

Create RDP Proxy Profile

  1. Expand NetScaler Gateway, expand Policies, and click RDP.
  2. On the right, switch to the Client Profiles tab, and click Add.

    1. Give the RDP Client Profile a name, and configure it as desired. Scroll down.
    2. It is no longer necessary to configure a Pre shared key or RDP Host. Just click Create.
  3. It is no longer necessary to create a RDP Server Profile.

Create RDP Bookmarks

  1. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  2. Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
  3. On the right, click Add.

    1. Give the Bookmark a name.
    2. For the URL, enter rdp://MyRDPServer using IP or DNS (FQDN).
    3. Check the box next to Use NetScaler Gateway As a Reverse Proxy,
  4. Click Create.
  5. Create more bookmarks as desired.

Edit a Session Profile

  1. Create or edit a Session Profile.
  2. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
  3. On the Remote Desktop tab, check Override Global, and select the RDP Client Profile you created earlier.
  4. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  5. On the Published Applications tab, make sure ICA Proxy is OFF.
  6. Click OK when done.

Edit NetScaler Gateway Virtual Server

  1. Edit or Create your Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon to edit it, and click More to show more settings.

    1. It is no longer necessary to bind a RDP Server Profile. Instead, RDP is proxied through 443 on the Gateway.
    2. Scroll down. Make sure ICA Only is not checked. This means you’ll need NetScaler Gateway Universal licenses for each user that connects through this Gateway.
    3. Click OK to close the Basic Settings section.
  3. Bind a certificate.
  4. Bind authentication policies.
  5. In the Policies section, bind the Session Policy that has the RDP Client Profile configured.

  6. You can bind RDP Bookmarks to either the NetScaler Gateway Virtual Server, or to a AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  7. On the left, in the Published Applications section, click where it says No Url.
  8. Bind your Bookmarks.

  9. While editing your Gateway vServer, you can also enable the RfWebUI Portal Theme.

Configure DNS

  1. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  2. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).

Use RDP Proxy

  1. Connect to your Gateway and login.
  2. If you configured Bookmarks, if RfWebUI theme, on the Apps tab, click Web and SaaS Apps.

    1. If X1 theme, the bookmarks are on the Web Apps page.
  3. If RfWebUI theme, you can click Details to mark the Bookmark as a Favorite.

  4. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. rdpproxy/ or a DNS name (/rdpproxy/myserver).
  5. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
  6. Then open the downloaded .rdp file.
  7. You can view the currently connected RDP users by going to NetScaler Gateway > Policies > RDP, and on the right, is the Connections tab.

Personal Bookmarks

  1. If using the RfWebUI theme, another way to launch RDP sessions is to click the Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
  2. You can also give the Bookmark a name and Save it.
  3. Then access the saved bookmark from Apps > Personal Bookmarks.

  4. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
  5. The X1 theme has an Add button on the Web Apps page.
  6. But there is no Go button. Instead, you save the Bookmark and launch it from the list.

9 thoughts on “NetScaler Gateway 12 – RDP Proxy”

  1. I’ve followed these steps, and after logging in (clientless, RfWebUi), I got the actual RDPfile by clicking on the bookmark, that seems pretty much the same as yours.
    Similarly, when I use, I also get the RDP file. So I’d say ‘m pretty close to having it going.


    When I try to actually connect to the server, I get an “connecting to:”, and eventually it errors out, not being able to connect.

    Slightly clueless what ‘m doing wrong here. I’m running NetScaler 12.0 53.13.

      1. Yeap, there is a content switch in front of the UG; CS refers to it as

        HTTP.REQ.HOSTNAME.SERVER.TO_LOWER.CONTAINS(“unified”) || is_vpn_url

        Session Profile Security has the default authorization action “Allow”
        The SNIP is also in the same VLAN as the server to be connected to, so no firewall in between NetScaler and RDP Host

          1. Tried to do it this time on a clean netscaler VPX, without any further configurations. First ran the normal UG wizard to create the entire set of the normal config, then executed the steps above.

            Then tried – as suggested – to remove the content switch, the CS Policy and Action and recreate the vpn server with a fixed address. Still no show.

            I am able to access everything else that I bookmark.

  2. Hi Carl, thanks for the very informative guide. I’ve followed the guide and got this working up successfully, just had a question:

    In my setup, when the user clicks the downloaded .rdp it prompts for username and password. The user then has to enter domain\username, then their password.

    What I wanted to know was, is there a way to insert the domain name into the .rdp files, so the user just types their username and password when prompter.

    Or better yet is there a way to set it that when they click on the .rdp file, it automatically logs them in using the credentials they used to log into the netscaler initially?



    1. Managed to figure it out, I didn’t select the option “Single Sign-on to Web Applications”, in the RDP profile, under
      the Client Experience tab. Enabling this and now when clicking on the RDP file, the desktop opens without prompting for username and password. Might be useful for anyone else using RDP proxy.

  3. HI Carl, from the article i gather that if i change the url rdpproxy/myserver a smart user can connect basically to every rdp server (assuming the traffic between netscaler and rpd server is enabled). Is there a way to constrain users to connect to only one or some predefined RDP Server without using the netscaler ACL function ? Regards Christian

    1. Set Default Authorization to DENY. Then create Authorization Policies. You can create them an bind them to AAA Groups. Or the new PI for Authorization Policies might allow HTTP.REQ.USER.IS_MEMBER_OF() expressions.

Leave a Reply