RDP Proxy with NetScaler Gateway

RDP Proxy is available on NetScaler Enterprise and Platinum editions allowing you to securely establish remote desktop sessions to machines within your corporate domain. RDP Proxy is a better alternative to publishing RDP as a resource on a XenApp machine.

RDP Proxy was made generally available in NetScaler v11. Using RDP Proxy you can enable SSO to RDP connections and disable printer redirection, client drive redirection and more using Client Profiles.

Note: The RDP Proxy feature is marked as unlicensed on NetScaler 11.1 build 47.14 if you have an Enterprise license. This issue is fixed in 11.1 build 48.10.

Port requirements:

  • Port TCP 3389 from the NetScaler SNIP to the back-end computer you want to initiate the RDP connection towards.
  • Port 443 should be open to the NetScaler VIP if using NetScaler 11.1+. TCP 3389 should be open if using pre-11.1 versions.

Two RDP Proxy deployment modes exist:

  • Stateless dual gateway solution where RDP resource enumeration and RDP file downloads happen on one NetScaler (authenticator gateway) but the RDP connection launch happens on a second NetScaler (RDP Listener gateway).
  • Single gateway solution where RDP resource enumeration, RDP file download and the RDP connection all happen on the same gateway.

I will show the single gateway deployment.

Firstly enable RDP Proxy by right-clicking RDP and selecting Enable Feature, or use the CLI with the command enable ns feature rdpproxy. Now navigate to NetScaler Gateway -> Policies -> RDP -> Client Profiles -> Add. Specify a name and choose whether you want to block redirection of the clipboard, printers, client drives etc.

Note that these settings will be enforced ONLY if SSO is kept enabled. Click Create.

Edit the Session Profile that will be used for RDP Proxy. Click on the Remote Desktop tab. Check to enable RDP Client Profile Name and select the profile you have just created.

Users can launch RDP Proxy files either via bookmarks created by the user, bookmarks created by the administrator, or by making adjustments to the NetScaler Gateway URL. To create a bookmark navigate to NetScaler Gateway -> Resources -> Bookmarks -> Add. Specify a name and, under Bookmark, use the format rdp://ipaddress, or rdp://hostname if you have DNS configured on the NetScaler. Click Create.

Now you can bind the bookmark to an AAA User, AAA Group or NetScaler Gateway Virtual Server. To bind to a NSG vServer, edit the Virtual Server and under Published Applications click No Url. Click on Click to select. Select the bookmark. Click Select. Click Bind. Click Done.

Now when a user logs on to NetScaler they will see the bookmarked RDP link. Your NetScaler Gateway Virtual Server should be configured for Clientless Access. Click on the RDP bookmark. The RDP connection opens and an RDP session is established. To confirm RDP sessions are running, you can navigate to NetScaler Gateway -> Policies -> RDP -> Connections.

As mentioned previously, if a user modifies the NetScaler Gateway URL, adding /rdpproxy/ipaddress or /rdpproxy/hostname, and presses Enter, an RDP connection to the specified address will launch. If a user wants to create their own RDP connection, they simply click on Bookmark, enter the URL (IP address/hostname) and check RDP Link. This is the RfWebUI; other UIs are similar in practice.


24 Comments

  • John Carmody

    March 21, 2017

    Hi George do you know if the RDP proxy solution can be used to deliver RDS Remote app RDP files rather than a RDP to a desktop

    Reply
  • George Spiers

    March 21, 2017

    Good question. I don’t think it would work because RemoteApp needs more than just a FQDN to be able to know which application it is going to launch. RemoteApp works in a way that the application it is launching i.e. Notepad is specified within the MSTSC connection under “Program path and filename”.

    Reply
    • AviD

      April 18, 2017

      Hi,
      RemoteApp works with NetScaler Gateway,
      you need to add some extra lines to the special parameters under RDP server options to open it as a RemoteApp session.
      The problem is it's limited to only one RemoteApp program; you will not be able to create multiple RemoteApp apps.

      Reply
      • Yan Lafrance

        July 27, 2018

        Hi,
        you can add those special parameters to the bookmark. This allows you to publish multiple RemoteApps + an RDP desktop to your users.
        Here's an example:
        add vpn url RemoteApp RemoteApp "rdp://10.10.10.10?alternate shell:s:||ServiceCenter&remoteapplicationprogram:s:||ServiceCenter&remoteapplicationname:s:ServiceCenter&remoteapplicationcmdline:s:&remoteapplicationmode:i:1" -clientlessAccess ON

        All you have to do is open the RDP RemoteApp file in Notepad, extract those parameters and use & to append them after the ? in the bookmark.

        I used those 5 parameters to make it work. Nothing to change in the RDP ClientProfile. I had RDP Redirection = Enabled in the RDP ServerProfile on NS 12.1.

        HTH

        Reply
  • Suk

    July 24, 2018

    Great article! I configured as per this article but I wasn't able to build the connection with the RDP server. I am able to launch the RDP bookmark by editing the gateway address, but once the RDP bookmark is downloaded, I can't open it as a server session. Can you please help me out with what could be stopping that RDP session from launching?

    Reply
    • George Spiers

      July 25, 2018

      Thanks. Have you allowed the SNIP to contact the backend server over 3389? Is RDP enabled/allowed on the backend server? Take an nstrace on NetScaler to make sure the SNIP is communicating with backend.

      Reply
  • Shawn

    December 10, 2018

    Do you know of any way to create RDP proxy bookmarks instead of RDP bookmarks? Instead of having my users first log into a UG virtual server to access CVPN, then open another tab and type the fqdn/rdpproxy/host, I'd like them to be able to add a bookmark in the personal bookmarks section that essentially is an RDP proxy bookmark but they only have to enter the host part during the bookmark creation. Is this possible?

    Reply
    • George Spiers

      December 10, 2018

      The users can create a bookmark once via Gateway which remains in place on subsequent logons. Also that bookmark can be accessed by Workspace app, which supports SSO to Citrix Gateway.

      Reply
      • Shawn

        December 11, 2018

        I get that part. Users log in to UG, click on the Add button below the Personal Bookmarks section, then in the Add a Bookmark pop-up window, they fill out the form and select the RDP Link checkbox. After, when they click on the bookmark, it opens a new tab to rdp://address, where address is the value they entered in the Address input field in the Add a Bookmark pop-up window.

        By contrast, an RDP Proxy bookmark behaves differently. I automatically populate an RDP proxy bookmark for the user based on an AD attribute as defined in the RDP client profile in the RDP Link Attribute field. In that AD attribute for the user, called companyWorkstation, is the FQDN of their PC. So when the user clicks on the bookmark, it goes to https://myUGfqdn.domain.com/rdpproxy/workstationFQDN, which in turn downloads the RDP file to the local PC and connects the user to the destination PC via 443 through the RDP Proxy.

        What I’m trying to do is allow users to create bookmarks in the Personal Bookmarks section that actually work with RDP Proxy.

        Reply
        • George Spiers

          December 11, 2018

          So what happens when the new tab opens to rdp://address, does it launch or nothing? What theme are you using? If you use RfWebUI, creating a bookmark and checking the “RDP Link” button launches the resource via RDP Proxy.

          Reply
          • Shawn

            December 11, 2018

            Correct, the bookmark to rdp://address does nothing. I’m using the X1 theme because I’m using Duo and it can’t display its inline page with the RFWebUI theme: https://duo.com/docs/citrix-netscaler-alt.

            I’ll change the theme temporarily as a test to see if that enables the bookmarks to work.

  • Marty

    February 21, 2019

    Great article. I have set this up and it works from a Windows PC.
    The UG site comes up and I can start RDP.

    What is the best way to give this to the user as remote access?
    What about mobile devices like iPad or Android and the RDP app from MS?
    Does that work with Azure MFA and a direct link?

    Reply
    • George Spiers

      February 21, 2019

      When users log on to Unified Gateway, they can either create their own RDP link, or an administrator can pre-create one for them. Once a user clicks on the RDP icon, Gateway produces and sends an .rdp file down to the client. You will need a program (like MSTSC) that knows how to open and handle .rdp files. I haven’t specifically tested RDP Proxy from an Android or iOS device, but if they have an app that can handle .rdp files then it should work fine.

      Reply
  • Timo

    September 5, 2019

    How about if we want to provide access to RDP hosts which are not part of our corporate domain, but are either part of a trusted domain, or workgroup members? Basically this means that users would need to enter different credentials at login.

    We have one Gateway vServer which provides access to the Clientless Access portal with bookmarks and Apps & Desktops. The RfWebUI theme is being used and users are able to create their own RDP bookmarks. But is it possible to use the RDP Proxy feature in the way I have described?

    Reply
    • George Spiers

      September 6, 2019

      Yes just make sure the ADC SNIP can access the RDP host, and disable SSO.

      Reply
      • Timo

        September 6, 2019

        Hi George and thanks for the reply!

        We have one Gateway vServer which already has two policies bound to it. These are the session policies for Apps and Desktops and they have SSO on. So can I bind a new policy to this same vServer which has SSO set off?

        I did try this, setting the new policy's priority lower than the prior policies, but when I tried to launch the RDP file I got "An Internal Error has occurred". The policy expression on that particular policy is ns_true. Any idea what could be causing this?

        Reply
        • Timo

          September 9, 2019

          An update on this. I am able to take RDP to a server, but it is using SSO even though I’ve configured SSO OFF in the RDP session policy. But maybe the other policies with SSO set ON on the same Gateway vServer override this policy?

          Reply
        • George Spiers

          September 29, 2019

          In your LDAP profile, have you populated the SSO Name field with sAMAccountName?

          Reply
  • Dan

    March 19, 2020

    Hi, is there a per-user license requirement for this on the NetScaler? Or is simply having a NetScaler Platinum or Enterprise license sufficient?

    Reply
    • George Spiers

      May 19, 2020

      No license requirement other than Advanced (formerly Enterprise) and above.

      Reply
  • Rimk

    June 10, 2020

    Hi George

    Thanks for your great article.
    I do have 2 questions.
    1- Is it possible to hide RDP proxy icons and make them visible only to the users having access to them?
    2- With nFactor is it possible to perform a device cert check and send to a SAML if there is no cert?

    Reply
  • Darcy

    July 20, 2020

    I have set “Redirect Drives” and “Redirect Printers” to DISABLED, but the user is still able to modify the .rdp file to enable these parameters.

    Here are a couple of the settings in the .rdp file:
    redirectdrives:i:0
    redirectprinters:i:0
    If the user changes the 0 to 1, they can redirect drives and printers.

    Is there a way to lock these down further, to prevent the user from being able to override these settings?

    Reply
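As an added example (not code from the post or from any commenter), the Python below parses the key:type:value lines of an .rdp file, rebuilds the rdp://host?...&... bookmark string Yan describes above from the five RemoteApp parameters, and lists which redirection settings in a downloaded file are still on, which is what Darcy is checking by hand. The sample .rdp content and the ServiceCenter application name are constructed for the example.

```python
# Keys Yan's comment lists as needed to launch a RemoteApp via the bookmark.
REMOTEAPP_KEYS = ("alternate shell", "remoteapplicationprogram",
                  "remoteapplicationname", "remoteapplicationcmdline",
                  "remoteapplicationmode")
# Redirection settings a client profile is meant to switch off (value 0).
REDIRECT_KEYS = ("redirectdrives", "redirectprinters", "redirectclipboard")

def parse_rdp(text):
    """Return {key: (type, value)} for each 'key:type:value' line of an .rdp file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.count(":") < 2:
            continue  # blank or malformed line
        key, typ, value = line.split(":", 2)  # the value itself may contain ':'
        settings[key.lower()] = (typ, value)
    return settings

def remoteapp_bookmark(host, settings):
    """Build the rdp://host?key:type:value&... bookmark string from parsed settings."""
    parts = []
    for key in REMOTEAPP_KEYS:
        if key not in settings:
            raise ValueError(f"{key} missing; not a RemoteApp .rdp file")
        typ, value = settings[key]
        parts.append(f"{key}:{typ}:{value}")
    return f"rdp://{host}?" + "&".join(parts)

def enabled_redirections(settings):
    """List the redirection keys still set to 1 (on); absent keys count as off."""
    return [k for k in REDIRECT_KEYS if settings.get(k, ("i", "0"))[1] == "1"]

# Constructed sample (not from the page): a RemoteApp .rdp with printers left on.
SAMPLE_RDP = """\
full address:s:10.10.10.10
alternate shell:s:||ServiceCenter
remoteapplicationprogram:s:||ServiceCenter
remoteapplicationname:s:ServiceCenter
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
redirectdrives:i:0
redirectprinters:i:1
"""

if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    print(remoteapp_bookmark("10.10.10.10", parsed))
    print("redirection still enabled:", enabled_redirections(parsed))
```

Because the .rdp file is under the user's control, the audit only shows what Gateway handed out; to actually enforce the restriction, redirection also has to be blocked on the RDS host itself through Remote Desktop Services policy.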
  • Anonymous

    May 8, 2021

    It's possible to configure RDP Proxy with an intranet IP address bound in the virtual server.

    Reply
