NetScaler Gateway 12 – RDP Proxy

Last Modified: Sep 2, 2018 @ 7:52 am


💡 = Recently Updated


RDP Proxy Overview

NetScaler supports RDP Proxy through NetScaler Gateway. No VPN required. RDP can connect through NetScaler Gateway on port 443.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
    • Bookmarks can be defined by the administrator.
    • Or users can add their own RDP bookmarks.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
  • In the RfWebUI Portal Theme, the Bookmark link lets users enter an RDP address, and click Go.

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
    • Most NetScaler Editions come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses. See Feature Licensing in the Gateway Tweaks post.
  • TCP 443 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.


Enable RDP Proxy Feature

  1. Go to System > Settings, and click Configure Advanced Features.
  2. In the left column, near the bottom, check the box for RDP Proxy, and click OK.

Create RDP Proxy Profile

  1. Expand NetScaler Gateway, expand Policies, and click RDP.
  2. On the right, switch to the Client Profiles tab, and click Add.

    1. Give the RDP Client Profile a name, and configure it as desired. Scroll down.
    2. For the RDP Cookie Validity field, Citrix CTX233207 says that after an HA failover, the RDP Proxy session will not reconnect if the cookie has expired. 💡
    3. It is no longer necessary to configure a Pre-shared key or RDP Host. Just click Create.
  3. It is no longer necessary to create an RDP Server Profile.

Create RDP Bookmarks

  1. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  2. Alternatively, Simon Gottschlag's Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
  3. On the right, click Add.

    1. Give the Bookmark a name.
    2. For the URL, enter rdp://MyRDPServer using IP or DNS (FQDN).
    3. Check the box next to Use NetScaler Gateway As a Reverse Proxy.
  4. Click Create.
  5. Create more bookmarks as desired.

Edit a Session Profile

  1. Create or edit a Session Profile.
  2. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
  3. On the Remote Desktop tab, check Override Global, and select the RDP Client Profile you created earlier.
  4. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  5. On the Published Applications tab, make sure ICA Proxy is OFF.
  6. Click OK when done.

Edit NetScaler Gateway Virtual Server

  1. Edit or Create your Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon to edit it, and click More to show more settings.

    1. It is no longer necessary to bind an RDP Server Profile. Instead, RDP is proxied through 443 on the Gateway.
    2. Scroll down. Make sure ICA Only is not checked. This means you’ll need NetScaler Gateway Universal licenses for each user that connects through this Gateway.
    3. Click OK to close the Basic Settings section.
  3. Bind a certificate.
  4. Bind authentication policies.
  5. In the Policies section, bind the Session Policy that has the RDP Client Profile configured.

  6. You can bind RDP Bookmarks to either the NetScaler Gateway Virtual Server, or to an AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  7. On the left, in the Published Applications section, click where it says No Url.
  8. Bind your Bookmarks.

  9. While editing your Gateway vServer, you can also enable the RfWebUI Portal Theme.

Configure DNS

  1. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  2. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
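The GUI steps above, from enabling the feature through DNS, expressed as the equivalent NetScaler CLI commands. This is an added example, not configuration taken from the original post: the object names (rdp_client_prof, rdp_server1, rdp_sess_act, rdp_sess_pol, gw_vs, gw_cert, ldap_auth_pol), the addresses 10.0.0.53 and 203.0.113.10, the suffix corp.example and the target server1.corp.example are all assumed values, and the certificate key pair and LDAP authentication policy are assumed to exist already.

```text
# Added example (not from the original post); names, addresses and the target are assumed.

# Enable RDP Proxy Feature (System > Settings > Configure Advanced Features)
enable ns feature RDPProxy

# Configure DNS so bookmarks and /rdpproxy/<name> URLs can use names (assumed resolver and suffix)
add dns nameServer 10.0.0.53
add dns suffix corp.example

# Create RDP Proxy Profile (NetScaler Gateway > Policies > RDP > Client Profiles).
# No pre-shared key or RDP Host is needed. Cookie validity is in seconds; per CTX233207 a
# session cannot reconnect after an HA failover once the cookie has expired.
# Device redirection is switched off here as a hardening choice (assumed, not required).
add rdp clientprofile rdp_client_prof -rdpCookieValidity 60 -redirectClipboard DISABLE -redirectDrives DISABLE -redirectPrinters DISABLE

# Create RDP Bookmark (NetScaler Gateway > Resources > Bookmarks).
# -clientlessAccess ON is the "Use NetScaler Gateway As a Reverse Proxy" checkbox.
add vpn url rdp_server1 "Server 1 Desktop" "rdp://server1.corp.example" -clientlessAccess ON

# Session Profile: Default Authorization ALLOW, RDP Client Profile bound, Clientless Access ON,
# ICA Proxy OFF. -sso ON is "Single Sign-on to Web Applications", so the downloaded .rdp
# launches without prompting for credentials a second time.
add vpn sessionAction rdp_sess_act -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_prof -icaProxy OFF -sso ON
add vpn sessionPolicy rdp_sess_pol ns_true rdp_sess_act

# Gateway Virtual Server: ICA Only unchecked (-icaOnly OFF, so Universal licenses are consumed),
# no RDP Server Profile, certificate, authentication, session policy, bookmark, portal theme.
add vpn vserver gw_vs SSL 203.0.113.10 443 -icaOnly OFF
bind ssl vserver gw_vs -certkeyName gw_cert
bind vpn vserver gw_vs -policy ldap_auth_pol -priority 100
bind vpn vserver gw_vs -policy rdp_sess_pol -priority 100
bind vpn vserver gw_vs -urlName rdp_server1
bind vpn vserver gw_vs -portaltheme RfWebUI

save ns config
```

Two points worth checking before relying on this. The session policy uses the classic expression ns_true; if the Gateway already has advanced-syntax (Default Syntax) session policies bound, write the rule as true instead, because classic and advanced session policies cannot be bound to the same entity. The -redirect* settings only shape the .rdp file the Gateway hands to the client, and that file is editable on the endpoint, so redirection restrictions that matter for data leakage must also be enforced on the RDS host itself (for example through Remote Desktop Session Host policy), not only in the client profile.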

Use RDP Proxy

  1. Connect to your Gateway and login.
  2. If you configured Bookmarks and are using the RfWebUI theme, on the Apps tab, click Web and SaaS Apps.

    1. With the X1 theme, the bookmarks are on the Web Apps page.
  3. With the RfWebUI theme, you can click Details to mark the Bookmark as a Favorite.

  4. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. rdpproxy/ followed by the IP) or a DNS name (/rdpproxy/myserver).
  5. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
  6. Then open the downloaded .rdp file.
  7. You can view the currently connected RDP users by going to NetScaler Gateway > Policies > RDP, and on the right, switching to the Connections tab.

Personal Bookmarks

  1. If using the RfWebUI theme, another way to launch RDP sessions is to click the Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
  2. You can also give the Bookmark a name and Save it.
  3. Then access the saved bookmark from Apps > Personal Bookmarks.

  4. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
  5. The X1 theme has an Add button on the Web Apps page.
  6. But there is no Go button. Instead, you save the Bookmark and launch it from the list.

30 thoughts on “NetScaler Gateway 12 – RDP Proxy”

  1. Have you tested out using the new RDP Redirection setting in the RDP Server Profile to add support for an RDS farm with a Connection Broker that ‘redirects’ the user to a different RDS Server? I haven’t managed to get it working with a 2016 RDS Farm.

  2. I’m testing RDP Proxy in NetScaler as a replacement for a PulseSecure (Juniper) SSL-VPN. With the SSL-VPN, we could automatically create a link, similar to the RDP Proxy in NetScaler, for user’s PC and populate the info based on an AD attribute. So for example, we have an AD attribute for a user’s workstation, then the existing solution would dynamically create an RDP link (proxy) to that workstation. This assisted users because they wouldn’t have to remember their PC name when they wanted to RDP to it.

    Is there some way to dynamically create RDP bookmarks for users in NetScaler based on an AD attribute on their user account? That way 1) Users don’t have to create the RDP bookmark themselves and 2) It makes a transition off of the old SSL-VPN to NetScalers close to the same user experience.

  3. Hi Carl, is it possible to use the RDP Proxy as an alternative for WAP passthrough or direct RD Gateway access? So the users will see the RemoteApps created in their collection from RDS in the web page of Netscaler? I read your article and you didn’t mention anything about RDS RemoteApps. Best regards, Peter

    1. Hi,
      you can use RemoteApp special parameters in the bookmark. This allows you to publish multiple RemoteApps + RDP desktop to your users.
      here’s an example:
      add vpn url RemoteApp RemoteApp "rdp:// shell:s:||ServiceCenter&remoteapplicationprogram:s:||ServiceCenter&remoteapplicationname:s:ServiceCenter&remoteapplicationcmdline:s:&remoteapplicationmode:i:1" -clientlessAccess ON

      All you have to do, is to open the RDP RemoteApp file within a notepad and then extract those parameters and use & to append them after the ? in the bookmark

      I used those 5 parameters to make it work. Nothing to change in the RDP ClientProfile. I had RDP Redirection = Enabled in the RDP ServerProfile on NS 12.1

        1. Hi, have you set up and made the regular RDP proxy work before you tried RemoteApp? This will help you

          also, if you are pointing to a MS broker, you have to use NS 12.1 with the Connection redirection feature enabled

          if you could provide more details about the error you are facing, it might help to troubleshoot this

  4. Hi Carl – based on the article we have been able to configure a working RDP Proxy solution. We have configured the RDP Client profile with options such as redirect clipboard disabled (to prevent users from copying data out of the session / Data leakage requirements). We have found that if you download the rdp session file from the Netscaler page, there is a small window (approx 60 – 120 sec) where you can manipulate the downloaded rdp session file and revert the redirectclipboard:i:0 parameter to 1, thus re-enabling clipboard copy. There appears to be some time element involved as post 2 minutes, launching the ‘hacked’ session file again fails to connect (as does renaming the file and the like). Is there any way to prevent user manipulation of the Netscaler’s session file. Thanks

  5. Hi Carl. Excellent tutorial as always. Is there a way to set color quality to “High – 16 bit color” and turn off Themes, Wallpaper, Windows Drag, Menu Animation and High Quality Fonts to improve connection performance? One can customize the RDP config file when publishing the RD client as a Citrix app. Can something similar be done with the RDP Proxy? Thank you, sir.

    1. If these are RDP file parameters, then you should be able to use the “Custom Parameters” field in the RDP Client Profile.

  6. Hi Carl

    I have this setup and intermittently working. I find I’m having to click the RDP bookmarks multiple times, in order to establish a connection with the backend servers. Most of the time I get the message “This computer can’t connect to the remote computer”. If I click the bookmark again, I can connect no issue. Also intermittently but only on Server 2008 R2 backed servers, the session just disconnects for no apparent reason. Have you come across any issues like these?

    1. I am seeing this exact same error message. The only difference is that no matter how many times we try, we can’t launch the desktop. There is an event on the server (2016), ID 1306, it says: Remote Desktop Connection Broker Client failed to redirect the user xxx\domain. Any ideas appreciated.

  7. Hello, Carl!

    Thank you for a nice write-up! Has anybody had issues with the RDP session getting disconnected multiple times in a relatively short time?

    I’ve tried to look for session timeout values, but there are none that impact my issue. Any clues are greatly appreciated.

  8. Hi Carl,

    First, thanks for the awesome documentation! Now, I used your documentation before and got RDP Proxy working, I found it to be really easy to do. However, I recently upgraded (actually it’s been several months) the NetScaler to version and set up RDP proxy once again.

    Everything went well like before, but this time I get an error when I connect to any server via RDP through the NetScaler.

    The Error is “An authentication error has occurred (Code: 0x80005005)”

    Have you seen this before? Seems like the NetScaler is not sending the creds along to the server, not sure what to try or changes to make.

    Thanks for any assistance you can provide.


  9. I’m trying to do RDP Proxy and having a little problem. I follow all of the steps but when I go to bind the RDP session policy to my NetScaler Gateway, I get the following error.

    Classic VPN Session Policy cannot be bound if Advanced VPN Session Policy is already bound to any entity (i.e. aaa user, aaa group, vpn vserver, vpn global)

    I have been trying to do research online but can’t find much with this error message. Can you explain what this means?

    1. I’m guessing you have Session Policies already bound to your Gateway vServer and they use Default Syntax instead of Classic Syntax. But the new Session Policy you created for RDP is in Classic Syntax (ns_true instead of true). You can’t mix the two types.

  10. I’ve followed these steps, and after logging in (clientless, RfWebUi), I got the actual RDP file by clicking on the bookmark, that seems pretty much the same as yours.
    Similarly, when I use, I also get the RDP file. So I’d say I’m pretty close to having it going.

    When I try to actually connect to the server, I get a “connecting to:”, and eventually it errors out, not being able to connect.

    Slightly clueless what I’m doing wrong here. I’m running NetScaler 12.0 53.13.

      1. Yeap, there is a content switch in front of the UG; CS refers to it as

        HTTP.REQ.HOSTNAME.SERVER.TO_LOWER.CONTAINS(“unified”) || is_vpn_url

        Session Profile Security has the default authorization action “Allow”
        The SNIP is also in the same VLAN as the server to be connected to, so no firewall in between NetScaler and RDP Host

          1. Tried to do it this time on a clean netscaler VPX, without any further configurations. First ran the normal UG wizard to create the entire set of the normal config, then executed the steps above.

            Then tried – as suggested – to remove the content switch, the CS Policy and Action and recreate the vpn server with a fixed address. Still no show.

            I am able to access everything else that I bookmark.

  11. Hi Carl, thanks for the very informative guide. I’ve followed the guide and got this working up successfully, just had a question:

    In my setup, when the user clicks the downloaded .rdp it prompts for username and password. The user then has to enter domain\username, then their password.

    What I wanted to know was, is there a way to insert the domain name into the .rdp files, so the user just types their username and password when prompted.

    Or better yet is there a way to set it that when they click on the .rdp file, it automatically logs them in using the credentials they used to log into the netscaler initially?
    1. Managed to figure it out, I didn’t select the option “Single Sign-on to Web Applications”, in the RDP profile, under
      the Client Experience tab. Enabling this and now when clicking on the RDP file, the desktop opens without prompting for username and password. Might be useful for anyone else using RDP proxy.

  12. Hi Carl, from the article I gather that if I change the URL rdpproxy/myserver a smart user can connect basically to every RDP server (assuming the traffic between netscaler and RDP server is enabled). Is there a way to constrain users to connect to only one or some predefined RDP Server without using the netscaler ACL function? Regards Christian

    1. Set Default Authorization to DENY. Then create Authorization Policies. You can create them and bind them to AAA Groups. Or the new PI for Authorization Policies might allow HTTP.REQ.USER.IS_MEMBER_OF() expressions.
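A worked version of that answer in the NetScaler CLI, added here as an example and not taken from the original post or reply. It assumes a session action named rdp_sess_act already exists, that bookmark launches go through the same /rdpproxy/ path a user would type by hand, that the Gateway's LDAP policy extracts group membership so the AAA group name rdp_server1_users matches a directory group, and that the appliance release accepts advanced (PI) expressions in authorization policies; server1.corp.example is a placeholder target.

```text
# Added example (not from the original post); object names and the target are assumed.

# Security tab > Default Authorization Action = DENY: nothing is reachable unless a policy allows it
set vpn sessionAction rdp_sess_act -defaultAuthorizationAction DENY

# Allow exactly one RDP target. Because /rdpproxy/ accepts either an IP or a DNS name, the rule
# compares the whole path (case-insensitively) instead of a substring: a CONTAINS rule would also
# match longer names, and the server's IP form is simply not on the list, so it stays denied.
add authorization policy authz_rdp_server1 "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/rdpproxy/server1.corp.example\")" ALLOW

# Users still need the portal itself (bookmark page, .rdp download), so allow every request that
# is not an /rdpproxy/ target; any other /rdpproxy/ path falls through to the DENY default.
add authorization policy authz_portal "!HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/rdpproxy/\")" ALLOW

# Bind per AAA group so the allow-list follows directory group membership; a second group with
# its own authz_rdp_* policy covers a different server.
add aaa group rdp_server1_users
bind aaa group rdp_server1_users -policy authz_rdp_server1 -priority 100
bind aaa group rdp_server1_users -policy authz_portal -priority 110

save ns config
```

To verify in a lab: a member of the group launching /rdpproxy/server1.corp.example should receive the .rdp file, while /rdpproxy/anotherserver (and the IP form of server1) should be refused by the Gateway. If authorization policies on the appliance must stay in classic syntax, the same allow-list can be written with classic expressions instead; the structure (deny by default, exact-path allows, portal allow) is what matters. The reply's alternative, HTTP.REQ.USER.IS_MEMBER_OF() inside a single policy bound at the vserver, avoids the per-group binds at the cost of putting the group name into the expression.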
