RDP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Nov 18, 2018 @ 10:53 am


RDP Proxy Overview

NetScaler ADC supports RDP Proxy through NetScaler Gateway. No VPN required. RDP can connect through NetScaler Gateway on port 443.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
    • Bookmarks can be defined by the administrator.
    • Or users can add their own RDP bookmarks.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
  • In the RfWebUI Portal Theme, the Bookmark link lets users enter an RDP address, and click Go.

Requirements

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition (aka ADC Advanced Edition) or Platinum Edition (aka ADC Premium Edition).
    • Citrix Gateway VPX and NetScaler Gateway Enterprise VPX are not sufficient. It must be a full ADC license.
  • Citrix Gateway Universal Licenses for each user.
    • Most NetScaler Editions come with built-in Gateway Universal licenses: NetScaler ADC Standard Edition = 500 licenses, NetScaler ADC Advanced/Enterprise Edition = 1000 licenses, and NetScaler ADC Premium/Platinum Edition = unlimited licenses. See Feature Licensing in the Gateway Tweaks post.
  • TCP 443 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Configuration

Enable RDP Proxy Feature

  1. Go to System > Settings, and click Configure Advanced Features.
  2. In the left column, near the bottom, check the box for RDP Proxy and click OK.

Create RDP Server Profile

If you want Citrix Gateway to proxy RDP to an RDSH machine that is part of an RDS Connection Broker Infrastructure (aka RDS Collection, or member of an RDS Broker Farm), then you’ll need the following:

  • Citrix ADC 12.1
    • NetScaler 12.0 does not support RDSH machines connected to RDS Connection Broker.
  • RDP Server Profile to enable the 3389 listener on your Gateway Virtual Server.
    • You do not need the 3389 listener if the machines you want to RDP to are not members of any RDS Connection Broker Infrastructure.

RDP connections through Citrix Gateway to RDP Connection Broker members require that the Remote Desktop Session Hosts are configured to disable the GPO setting Use IP Address Redirection, located in a GPO at Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | RD Connection Broker. Disable this setting on the RDSH machines, not on the Connection Broker machine. Disabling this setting enables token-based redirection instead of IP-based redirection, which is required by RDP Proxy in Citrix Gateway.

To create the RDP Session Profile on NetScaler:

  1. Expand NetScaler Gateway, expand Policies, and click RDP.
  2. On the right, on the Server Profiles tab, click Add.
  3. In the Create RDP Server Profile window:
    1. Give the RDP Server Profile a name.
    2. If you don’t enter an RDP IP, then it will use the Gateway VIP.
    3. If you don’t enter an RDP Port, then it will default to 3389. This is an additional port that must be opened on the firewall.
    4. Enter a new Pre Shared Key.
    5. Change RDP Redirection to ENABLE. This is a new feature in ADC 12.1. This setting enables RDS Infrastructure to work.
  4. Click Create.

Create RDP Proxy Profile

  1. Expand NetScaler Gateway, expand Policies, and click RDP.
  2. On the right, switch to the Client Profiles tab, and click Add.

    1. Give the RDP Client Profile a name, and configure the client device mappings as desired. Scroll down.
    2. For the RDP Cookie Validity field, Citrix CTX233207 says that after an HA failover, the RDP Proxy session will not reconnect if the cookie has expired.
    3. If you are running ADC 12.1 and need to allow RDP connections to RDS Infrastructure member machines, then enter the same Pre Shared Key that you configured in the RDP Server Profile.
      • Also, for RDP Host, enter the FQDN of the Gateway Virtual Server. This is only needed for RDP Server Profiles.
    4. Click Create.

Create RDP Bookmarks

  1. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.

  2. On the right, click Add.

    1. Give the Bookmark a name.
    2. For the URL, enter rdp://MyRDPServer using IP or DNS (FQDN).
      • For RDS Collections, enter the address of any RDP member of the collection. The RDP server will ask the Connection Broker to load balance across the Collection and then redirect the RDP connection to the least busy RDP server in the Collection.
    3. Check the box next to Use NetScaler Gateway As a Reverse Proxy.
  3. Click Create.
  4. Create more bookmarks as desired.

Edit a Session Profile

  1. Create or edit a Gateway Session Profile (Session Profiles tab).
  2. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.

  3. On the Remote Desktop tab, check Override Global, and select the RDP Client Profile you created earlier.
  4. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  5. For RDP Server Profile (RDS Collections), on the Client Experience tab of the Session Profile, make sure Single Sign-on to Web Applications is checked.
  6. On the Published Applications tab, make sure ICA Proxy is OFF.
  7. Click OK when done.

Edit NetScaler Gateway Virtual Server

  1. Edit or Create your Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon to edit it.
  3. Click More to show more settings.

    1. If this is ADC 12.1, and if you want to allow RDP to RDS Collection members, then select the RDP Server Profile that you created earlier. The RDP Server Profile enables port 3389 on the Gateway VIP. If you don’t select an RDP Server Profile, then RDP is proxied through 443 on the Gateway, but this won’t work for RDS Collection members.
    2. Scroll down. Make sure ICA Only is not checked. This means you’ll need Citrix Gateway Universal licenses for each user that connects through this Gateway.
    3. Click OK to close the Basic Settings section.
  4. Bind a certificate.
  5. Bind authentication policies.
  6. In the Policies section, bind the Session Policy that has the RDP Client Profile configured.


  7. You can bind RDP Bookmarks to either the NetScaler Gateway Virtual Server, or to an AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  8. On the left, in the Published Applications section, click where it says No Url.
  9. Bind your Bookmarks.

  10. While editing your Gateway vServer, you can also set the Portal Theme to RfWebUI.

Configure DNS

  1. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  2. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).

Use RDP Proxy

  1. Connect to your Citrix Gateway and login.
  2. If you configured Bookmarks and are using the RfWebUI theme, on the Apps tab, click Web and SaaS Apps.

    1. If you are using the X1 theme, the bookmarks are on the Web Apps page.
  3. In the RfWebUI theme, you can click Details to mark the Bookmark as a Favorite.

  4. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (e.g. /rdpproxy/myserver).
  5. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
  6. Then open the downloaded .rdp file.
  7. You can view the currently connected RDP users by going to NetScaler Gateway > Policies > RDP, and on the right is the Connections tab.

Personal Bookmarks

  1. If using the RfWebUI theme, another way to launch RDP sessions is to click the Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
  2. You can also give the Bookmark a name and Save it.
  3. Then access the saved bookmark from Apps > Personal Bookmarks.

  4. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
  5. The X1 theme has an Add button on the Web Apps page.
  6. But there is no Go button. Instead, you save the Bookmark and launch it from the list.

33 thoughts on “RDP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1”

  1. Everything works for me except when I try to connect to a WIN2012 SERVER with Connection Broker enabled.

    “Your computer can’t connect to the remote computer because the Connection Broker couldn’t validate the settings specified in your RDP file.”

  2. Have you tested out using the new RDP Redirection setting in the RDP Server Profile to add support for an RDS farm with a Connection Broker that ‘redirects’ the user to a different RDS Server? I haven’t managed to get it working with a 2016 RDS Farm.

  3. I’m testing RDP Proxy in NetScaler as a replacement for a PulseSecure (Juniper) SSL-VPN. With the SSL-VPN, we could automatically create a link, similar to the RDP Proxy in NetScaler, for a user’s PC and populate the info based on an AD attribute. So for example, we have an AD attribute for a user’s workstation, then the existing solution would dynamically create an RDP link (proxy) to that workstation. This assisted users because they wouldn’t have to remember their PC name when they wanted to RDP to it.

    Is there some way to dynamically create RDP bookmarks for users in NetScaler based on an AD attribute on their user account? That way 1) Users don’t have to create the RDP bookmark themselves and 2) It makes a transition off of the old SSL-VPN to NetScalers close to the same user experience.

  4. Hi Carl, is it possible to use the RDP Proxy as an alternative for WAP passthrough or direct RD Gateway access? So the users will see the RemoteApp’s created in their collection from RDS in het web page of Netscaler? I read your article and you didn’t mention anything about RDS RemoteApp’s. Best regard, Peter

    1. Hi,
      you can use RemoteApp special parameters in the bookmark. This allows you to publish multiple RemoteApps + RDP desktop to your users.
      Here’s an example:
      add vpn url RemoteApp RemoteApp "rdp://10.10.10.10?alternate shell:s:||ServiceCenter&remoteapplicationprogram:s:||ServiceCenter&remoteapplicationname:s:ServiceCenter&remoteapplicationcmdline:s:&remoteapplicationmode:i:1" -clientlessAccess ON

      All you have to do, is to open the RDP RemoteApp file within a notepad and then extract those parameters and use & to append them after the ? in the bookmark

      I used those 5 parameters to make it work. Nothing to change in the RDP ClientProfile. I had RDP Redirection = Enabled in the RDP ServerProfile on NS 12.1

      HTH

        1. Hi, have you set up and got the regular RDP proxy working before you tried RemoteApp? This will help you: https://www.carlstalhood.com/netscaler-gateway-12-rdp-proxy/#configuration

          Also, if you are pointing to a MS broker, you have to use NS 12.1 with the Connection redirection feature enabled: https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-proxy/rdp-redirection.html

          if you could provide more details about the error you are facing, it might help to troubleshoot this

          1. Hi, Yes, I have set up the RDP proxy and it is working. Broker is not enabled on the target machine.

            I tried to add those custom parameters but it just opened the regular remote desktop connection without the remoteapp window. Maybe the parameters were incorrect or something was wrong with the connection string, but I did not get it working.

  5. Hi Carl – based on the article we have been able to configure a working RDP Proxy solution. We have configured the RDP Client profile with options such as redirect clipboard disabled (to prevent users from copying data out of the session / Data leakage requirements). We have found that if you download the rdp session file from the Netscaler page, there is a small window (approx 60 – 120 sec) where you can manipulate the downloaded rdp session file and revert the redirectclipboard:i:0 parameter to 1, thus re-enabling clipboard copy. There appears to be some time element involved as post 2 minutes, launching the ‘hacked’ session file again fails to connect (as does renaming the file and the like). Is there any way to prevent user manipulation of the Netscaler’s session file. Thanks
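The RemoteApp bookmark recipe from the reply to comment 4 and the redirection-setting concern in comment 5, as one added Python example (not Citrix's or the post author's code; the .rdp sample is constructed): it lifts the five RemoteApp parameters out of a .rdp file into an rdp:// bookmark URL, and compares the redirection settings of a .rdp file served by the Gateway with the values configured in the RDP Client Profile.

```python
"""Helpers for the .rdp files served by Citrix Gateway RDP Proxy.

Added example, not Citrix's or the post author's code. It assumes the .rdp
file has already been decoded to text; SAMPLE_RDP is a constructed sample.
"""

# Constructed sample modelled on a RemoteApp .rdp file (values are illustrative).
SAMPLE_RDP = """\
full address:s:10.10.10.10:3389
alternate shell:s:||ServiceCenter
remoteapplicationprogram:s:||ServiceCenter
remoteapplicationname:s:ServiceCenter
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
redirectclipboard:i:0
drivestoredirect:s:
"""

# The five RemoteApp settings the commenter appended to the bookmark URL.
REMOTEAPP_KEYS = ("alternate shell", "remoteapplicationprogram",
                  "remoteapplicationname", "remoteapplicationcmdline",
                  "remoteapplicationmode")


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}.
    Values can contain ':' themselves (host:port), so split at most twice."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings


def remoteapp_bookmark(rdp_text, host=None):
    """Build rdp://<host>?<param>&<param>... for a Gateway bookmark.
    Parameters are appended verbatim (no URL-encoding), as in the comment."""
    settings = parse_rdp(rdp_text)
    if host is None:
        # Drop a trailing :port from 'full address'; IPv6 literals not handled.
        host = settings["full address"][1].rsplit(":", 1)[0]
    params = "&".join(f"{key}:{settings[key][0]}:{settings[key][1]}"
                      for key in REMOTEAPP_KEYS if key in settings)
    return f"rdp://{host}?{params}"


def redirection_mismatches(rdp_text, expected):
    """Check a served .rdp file against the RDP Client Profile's redirection
    settings; returns [(key, expected_value, actual_value), ...]."""
    settings = parse_rdp(rdp_text)
    return [(key, want, settings.get(key, ("", None))[1])
            for key, want in expected.items()
            if settings.get(key, ("", None))[1] != want]
```

Windows writes many .rdp files as UTF-16 with a BOM, so decode before passing the text in.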

  6. Hi Carl. Excellent tutorial as always. Is there a way to set color quality to “High – 16 bit color” and turn off Themes, Wallpaper, Windows Drag, Menu Animation and High Quality Fonts to improve connection performance? One can customize the RDP config file when publishing the RD client as a Citrix app. Can something similar be done with the RDP Proxy? Thank you, sir.

    1. If these are RDP file parameters, then you should be able to use the “Custom Parameters” field in the RDP Client Profile.

  7. Hi Carl

    I have this setup and intermittently working. I find I’m having to click the RDP bookmarks multiple times, in order to establish a connection with the backend servers. Most of the time I get the message “This computer can’t connect to the remote computer”. If I click the bookmark again, I can connect no issue. Also intermittently but only on Server 2008 R2 backed servers, the session just disconnects for no apparent reason. Have you come across any issues like these?

    1. I am seeing this exact same error message. The only difference is that no matter how many times we try, we can’t launch the desktop. There is an event on the server (2016), ID 1306, it says: Remote Desktop Connection Broker Client failed to redirect the user xxx\domain. Any ideas appreciated.

  8. Hello, Carl!

    Thank you for a nice write-up! Has anybody had issues with the RDP session getting disconnected multiple times in a relatively short time?

    I’ve tried to look for session timeout values, but there are none that impact my issue. Any clues are greatly appreciated.

  9. Hi Carl,

    First, thanks for the awesome documentation! Now, I used your documentation before and got RDP Proxy working, I found it to be really easy to do. However, I recently upgraded (actually it’s been several months) the NetScaler to version 12.0.53.13.nc and setup RDP proxy once again.

    Everything went well like before, but this time I get an error when I connect to any server via RDP through the NetScaler.

    The Error is “An authentication error has occurred (Code: 0x80005005)”

    Have you seen this before? Seems like the NetScaler is not sending the creds along to the server, not sure what to try or changes to make.

    Thanks for any assistance you can provide.

    Rob

  10. I’m trying to do RDP Proxy and having a little problem. I follow all of the steps but when I go to bind the RDP session policy to my NetScaler Gateway, I get the following error.

    Classic VPN Session Policy cannot be bound if Advanced VPN Session Policy is already bound to any entity (i.e. aaa user, aaa group, vpn vserver, vpn global)

    I have been trying to do research online but can’t find much with this error message. Can you explain what this means?

    1. I’m guessing you have Session Policies already bound to your Gateway vServer and they use Default Syntax instead of Classic Syntax. But the new Session Policy you created for RDP is in Classic Syntax (ns_true instead of true). You can’t mix the two types.

  11. I’ve followed these steps, and after logging in (clientless, RfWebUi), I got the actual RDPfile by clicking on the bookmark, that seems pretty much the same as yours.
    Similarly, when I use https://unified.domain.com/proxy/server, I also get the RDP file. So I’d say I’m pretty close to having it going.

    alas…

    When I try to actually connect to the server, I get a “connecting to: unified.domain.com:443”, and eventually it errors out, not being able to connect.

    Slightly clueless what I’m doing wrong here. I’m running NetScaler 12.0 53.13.

      1. Yeap, there is a content switch in front of the UG; CS refers to it as

        HTTP.REQ.HOSTNAME.SERVER.TO_LOWER.CONTAINS(“unified”) || is_vpn_url

        Session Profile Security has the default authorization action “Allow”
        The SNIP is also in the same VLAN as the server to be connected to, so no firewall in between NetScaler and RDP Host

          1. Tried to do it this time on a clean netscaler VPX, without any further configurations. First ran the normal UG wizard to create the entire set of the normal config, then executed the steps above.

            Then tried – as suggested – to remove the content switch, the CS Policy and Action and recreate the vpn server with a fixed address. Still no show.

            I am able to access everything else that I bookmark.

  12. Hi Carl, thanks for the very informative guide. I’ve followed the guide and got this working up successfully, just had a question:

    In my setup, when the user clicks the downloaded .rdp it prompts for username and password. The user then has to enter domain\username, then their password.

    What I wanted to know was, is there a way to insert the domain name into the .rdp files, so the user just types their username and password when prompted?

    Or better yet is there a way to set it that when they click on the .rdp file, it automatically logs them in using the credentials they used to log into the netscaler initially?

    Thanks

    Ben

    1. Managed to figure it out, I didn’t select the option “Single Sign-on to Web Applications”, in the RDP profile, under
      the Client Experience tab. Enabling this and now when clicking on the RDP file, the desktop opens without prompting for username and password. Might be useful for anyone else using RDP proxy.

  13. Hi Carl, from the article I gather that if I change the URL rdpproxy/myserver, a smart user can connect basically to every RDP server (assuming the traffic between NetScaler and RDP server is enabled). Is there a way to constrain users to connect to only one or some predefined RDP Servers without using the NetScaler ACL function? Regards Christian

    1. Set Default Authorization to DENY. Then create Authorization Policies. You can create them and bind them to AAA Groups. Or the new PI for Authorization Policies might allow HTTP.REQ.USER.IS_MEMBER_OF() expressions.
