RDP Proxy with NetScaler Gateway

RDP Proxy is available on NetScaler Enterprise and Platinum editions allowing you to securely establish remote desktop sessions to machines within your corporate domain. RDP Proxy is a better alternative to publishing RDP as a resource on a XenApp machine.

RDP Proxy was made generally available in NetScaler v11. Using RDP Proxy you can enable SSO to RDP connections and disable printer redirection, client drive redirection and more using Client Profiles.

Note: The RDP Proxy feature is marked as unlicensed on NetScaler 11.1 build 47.14 if you have an Enterprise license. This issue is fixed in 11.1 build 48.10.

Port requirements:

  • Port TCP 3389 from NetScaler SNIP to back-end computer you want to initiate RDP connection towards.
  • Port 443 should be open to the NetScaler VIP if using NetScaler 11.1+. TCP 3389 should be open if using pre 11.1 versions.

Two RDP Proxy deployment modes exist:

  • Stateless dual gateway solution where RDP resource enumeration and RDP file downloads happen on one NetScaler (authenticator gateway) but the RDP connection launch happens on a second NetScaler (RDP Listener gateway).
  • Single gateway solution where RDP resource enumeration, RDP file download and RDP connection happens on the same gateway.

I will show the single gateway deployment.

Firstly enable RDP Proxy by right-clicking RDP and selecting Enable Feature.Or use the CLI with command enable ns feature rdpproxy. Now navigate to NetScaler Gateway -> Policies -> RDP -> Client Profiles -> Add. Specify a name and choose if you want to block redirection of the clipbord, printers, client drives etc. Click Create. Edit your Session Profile that will be used for RDP Proxy. Click on the Remote Desktop tab. Check to enable RDP Client Profile Name and select the profile you have just created. Users can launch RDP Proxy files either via bookmarks created by the user, bookmarks created by the administrator or by making adjustments to the NetScaler Gateway URL. To create a bookmark navigate to NetScaler Gateway -> Resources -> Bookmarks -> Add. Specify a name, under Bookmark use a format of rdp://ipaddress or rdp://hostname if you have DNS configured on the NetScaler. Click Create. Now you can bind the bookmark to an AAA User, AAA Group or NetScaler Gateway Virtual Server. To bind to a NSG vServer, edit the Virtual Server and under Published Applications click No Url. Click on Click to select. Select the bookmark. Click Select. Click Bind. Click Done. Now when a user logs on to NetScaler they will see the bookmarked RDP link. Your NetScaler Gateway Virtual Server should be configured for Clientless Access. Click on the RDP bookmark. The RDP connection opens. An RDP session has been established. To confirm RDP sessions are running, you can navigate to NetScaler Gateway -> Policies -> RDP -> Connections. As mentioned previously, if a user modifies the NetScaler Gateway URL adding /rdpproxy/ipaddress or /rdpproxy/hostname and pressing enter will launch an RDP connection to the specified address. If a user wants to create their own RDP connection, simply click on Bookmark. Enter the URL (ip address/hostname) and check RDP Link. This is the RfWeb UI however other UIs are similar in practice.


  • John Carmody

    March 21, 2017

    Hi George do you know if the RDP proxy solution can be used to deliver RDS Remote app RDP files rather than a RDP to a desktop

  • George Spiers

    March 21, 2017

    Good question. I don’t think it would work because RemoteApp needs more than just a FQDN to be able to know which application it is going to launch. RemoteApp works in a way that the application it is launching i.e. Notepad is specified within the MSTSC connection under “Program path and filename”.

    • AviD

      April 18, 2017

      RemoteAPP works with netscaler gateway,
      you need to add to special parameters under rdp server options some extra lines to open as remoteapp session.
      the problem is it’s limited to only one remoteapp program, you will not be able to create multiple remoteapp apps.


Leave a Reply