RDP Proxy configuration with Citrix NetScaler 11. Connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
RDP Proxy is a new feature initially added in NetScaler 10.5.e and now fully integrated within NetScaler 11. In this post, we will see how to configure RDP Proxy with NetScaler 11 and connect with single sign-on (CredSSP) to Remote Desktop (RDP) connections through NetScaler Gateway without having to configure any RDS server environment (RDS gateway/Web Access).
How does RDP Proxy work?
- User connects to Unified Gateway website (SSL VPN)
- User authenticates (one-factor or two-factor authentication)
- NetScaler gateway cookie is created
- RDP resources enumeration
- User clicks on the RDP icon (Ex: https://NSGVIP/rdpproxy/ip:port)
- RDPUser and RDPTarget information are sent to and stored on one of the STA servers configured on the gateway virtual server
- Authorization from the STA server. STA ticket creation
- .rdp file is downloaded to the client (STA ticket included)
  - full address:s:NetScalerGatewayURL:port
  - loadbalanceinfo:s:STA Ticket
  - enablecredsspsupport:i:1
  - RDP Settings are provided by the RDP client profile
- NetScaler accepts/proxies the connection to the RDPListener Gateway on the selected port (default 3389 but you can change it)
- RDP Listener validates the STA ticket against the STA server
- RDPUser and RDPTarget are provided to the RDP Listener by the STA server
- Gateway session is created or reused
- RDP Listener does the SSO (CredSSP) to the remote server on port 3389
Advantages of using RDP Proxy
- Cheap solution to access backend servers via RDP
- Microsoft Remote Desktop Services Gateway is not necessary (replaced by NetScaler Gateway)
- Authentication on the NetScaler Gateway
- Two-Factor authentication possible
- No Full VPN
- Single sign-on to the remote host (CredSSP)
- RDP session is only allowed after the user authentication
- You can change the port of the RDP session to anything you want
- With Unified Gateway, you can offer applications via ICA Proxy (XenApp apps, VDI, etc) and applications via RDP Proxy (RDP app) on the same website
- Easy to configure (rdp server profile, rdp client profile, bookmarks, session policy)
Requirements
- At least NetScaler 10.5.e
- Port 3389 open between the NetScaler HA Pair and the backend servers (via the SNIP addresses)
- The RDP listener can be configured on any port. The RDP listener can be configured on port 443 as long as you use a unique IP for it, which is different from the VPN server IP. In the lab, we will configure the RDP listener on port 3389.
- Port 3389/443 should be open on the firewall between the end-user machine IP and the VPN virtual server VIP.
- DNS resolution working on the NetScaler
- Enterprise or Platinum NetScaler license
- Universal CCU license (5 by default)
- Unified Gateway virtual server. How to License a NetScaler Gateway Appliance.
- Any SSL/TLS server certificates, authentication policies must be bound to the NetScaler Gateway virtual server that is part of the chosen Unified Gateway formation.
Lab configuration
- NS Build 11.0 62.10.nc
- NetScaler HA Pair configured (192.168.1.201)
- Backend server CDC01.citrixguru.lab (10.0.0.71)
- CDC01.citrixguru.lab is properly resolved on the NetScaler (DNS suffix is configured)
- Unified Gateway virtual server configured (192.168.1.17)
- External Unified Gateway address: lab.citrixguru.com
Lab NetScaler Architecture

Configure RDP Proxy with NetScaler Gateway 11
Enable RDP Proxy feature
First, you need to enable the feature on the NetScaler.
Go to NetScaler > System > Settings and select Configure Advanced Features.
- Enable RDP Proxy
enable ns feature rdpproxy
The feature must be licensed to run this command.
Create RDP Client Profile
Complete the following steps to create the RDP client profile.
Go to NetScaler > NetScaler Gateway > Policies > RDP > Profiles and Connections > Client Profiles and select Add.
- Name: rdp_profile_client
- RDP File name: app.rdp
- RDP Host: lab.citrixguru.com
- Pre Shared key: <key>
  - This attribute has been made mandatory with NetScaler 11
You can change the RDP settings depending on your needs. For this lab, we are using the default settings.
add rdp clientprofile rdp_profile_client -rdpFileName app.rdp -rdpHost lab.citrixguru.com -psk <key> -encrypted -encryptmethod ENCMTHD_3
Create RDP Server Profile (RDP Listener)
Complete the following steps to configure the RDP listener on port 3389. The server profile is configured on the RDPListener Gateway.
Go to NetScaler > NetScaler Gateway > Policies > RDP > Profiles and Connections > Server Profiles and select Add.
Make sure to use the same Pre Shared key as for the RDP Client profile.
- Name: rdp_server_profile
- RDP IP: 192.168.1.17
- RDP Port: 3389
- Pre Shared key: <key>
  - This attribute has been made mandatory with NetScaler 11
The RDP listener can be configured on any port. The RDP listener can be configured on port 443 as long as you use a unique IP for it, which is different from the VPN server IP.
add rdp serverprofile rdp_server_profile -rdpIP 192.168.1.17 -rdpport 3389 -psk <key> -encrypted -encryptmethod ENCMTHD_3
The same serverProfile cannot be reused on another vpn vserver.
Create session profile
Go to NetScaler > NetScaler Gateway > Policies > NetScaler Gateway Session Policies and Profiles > Session Profiles and select Add.
- Name: rdp_session_profile
Clientless VPN mode should be set to ON. ICA proxy should be OFF. ICA only should be OFF.

- Client access: On


- RDP Client Profile Name: rdp_profile_client
add vpn sessionAction rdp_session_profile -icaProxy OFF -clientlessVpnMode ON -rdpClientProfileName rdp_profile_client -defaultAuthorizationAction ALLOW
Create session policy
Go to NetScaler > NetScaler Gateway > Policies > NetScaler Gateway Session Policies and Profiles > Session Profiles and select Add.
- Name: rdp_session_pol
- Profile: rdp_session_profile
- Expression: ns_true
add vpn sessionPolicy rdp_session_pol ns_true rdp_session_profile
Create Bookmark for Unified Gateway
- Name: CDC01
- Text to display: CDC01
- Bookmark: rdp://cdc01.citrixguru.lab
- Use NetScaler Gateway as reverse proxy
add vpn url CDC01 CDC01 "rdp://cdc01.citrixguru.lab" -clientlessAccess ON
Configure virtual server for RDP proxy
Go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers and select your virtual server.
- RDP Server Profile: rdp_server_profile
- ICA proxy not checked

Bind session policy to virtual server.
- Name: rdp_session_pol
bind vpn vserver <virtualServer> -policy rdp_session_pol -priority 58010
Publish bookmark.

Select the bookmark previously created.


bind vpn vserver <virtualserver> -urlName CDC01
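The steps above only work if every object refers to one that exists: the session profile must name a defined RDP client profile, the policy must name a defined profile, and the bound bookmark and policy must be defined. The following lint is an added example, not part of the original post or of NetScaler; it checks those references over the commands shown on this page, with `example_vserver` and `PLACEHOLDER` as assumed stand-ins for the virtual server name and the pre-shared key.

```python
import shlex

# Constructed sample: this page's commands; PSK and vserver name are placeholders.
SAMPLE_CONF = '''\
add rdp clientprofile rdp_profile_client -rdpFileName app.rdp -rdpHost lab.citrixguru.com -psk PLACEHOLDER -encrypted
add rdp serverprofile rdp_server_profile -rdpIP 192.168.1.17 -rdpport 3389 -psk PLACEHOLDER -encrypted
add vpn sessionAction rdp_session_profile -icaProxy OFF -clientlessVpnMode ON -rdpClientProfileName rdp_profile_client -defaultAuthorizationAction ALLOW
add vpn sessionPolicy rdp_session_pol ns_true rdp_session_profile
add vpn url CDC01 CDC01 "rdp://cdc01.citrixguru.lab" -clientlessAccess ON
bind vpn vserver example_vserver -policy rdp_session_pol -priority 58010
bind vpn vserver example_vserver -urlName CDC01
'''

def parse(conf):
    """Yield (verb, kind, positional args, options) for each command line."""
    for line in conf.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        pos, opts, i = [], {}, 3
        while i < len(tok):
            if tok[i].startswith("-"):  # option; value-less flags (-encrypted) map to True
                has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
                opts[tok[i][1:].lower()] = tok[i + 1] if has_val else True
                i += 2 if has_val else 1
            else:
                pos.append(tok[i])
                i += 1
        yield tok[0], tok[2].lower(), pos, opts

def lint(conf):
    """Return a list of broken references and settings that differ from this guide."""
    cmds = list(parse(conf))
    defined = {(k, p[0]) for v, k, p, o in cmds if v == "add" and p}
    names = {name for _, name in defined}
    issues = []
    for v, k, p, o in cmds:
        if v == "add" and k == "sessionaction":
            if o.get("icaproxy") != "OFF" or o.get("clientlessvpnmode") != "ON":
                issues.append(f"{p[0]}: needs -icaProxy OFF and -clientlessVpnMode ON")
            if ("clientprofile", o.get("rdpclientprofilename")) not in defined:
                issues.append(f"{p[0]}: RDP client profile missing or undefined")
        elif v == "add" and k == "sessionpolicy" and ("sessionaction", p[-1]) not in defined:
            issues.append(f"{p[0]}: session profile {p[-1]} is undefined")
        elif v == "bind" and k == "vserver":
            for opt in ("policy", "urlname"):
                if opt in o and o[opt] not in names:
                    issues.append(f"{p[0]}: bound {opt} {o[opt]} is undefined")
    return issues
```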
Testing
Connect to your external website.
The CDC01 shortcut is available in the Web Apps folder.

You can also type /rdpproxy/YourRDPServer (IP/DNS) in the address bar to start the session.
Click on the icon to start your RDP session.

RDP session is open and the only authentication was on the NetScaler gateway website.
Below is the content of the app.rdp file downloaded from the NetScaler Unified Gateway.
redirectclipboard:i:1
redirectdrives:i:0
redirectprinters:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
use multimon:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:lab.citrixguru.com:3389
loadbalanceinfo:s:5a9afd2966e0e08a8505c8aa2d0c094713e77192ceb73716b0abc35d41930ed0e11e535e83c999dc
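The settings in this file decide where the client connects and what it redirects, so they are worth checking after any change to the RDP client profile. The following auditor is an added example, not code from the original post or from Citrix; the function names are hypothetical and the sample file is constructed from the one above with a placeholder ticket.

```python
# Audit a gateway-issued .rdp file for the settings this page relies on.
import re

# Constructed sample mirroring the app.rdp above; the STA ticket is a placeholder.
SAMPLE_RDP = """\
redirectclipboard:i:1
redirectdrives:i:0
redirectprinters:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:lab.citrixguru.com:3389
loadbalanceinfo:s:PLACEHOLDER_STA_TICKET
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines; type i is an integer, s a string."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([isb]):(.*)$", line.strip())
        if not m:
            continue  # skip blank or malformed lines
        name, typ, value = m.groups()
        is_int = typ == "i" and value.lstrip("-").isdigit()
        settings[name.lower()] = int(value) if is_int else value
    return settings

def audit_rdp(text, gateway_host, listener_port=3389):
    """Return findings for a .rdp file that should target the gateway RDP listener."""
    s = parse_rdp(text)
    findings = []
    host, _, port = s.get("full address", "").rpartition(":")
    if host.lower() != gateway_host.lower() or port != str(listener_port):
        findings.append("full address does not point at the gateway RDP listener")
    if not s.get("loadbalanceinfo"):
        findings.append("no STA ticket in loadbalanceinfo")
    if s.get("enablecredsspsupport") != 1:
        findings.append("CredSSP disabled: single sign-on will not work")
    if s.get("authentication level") == 0:
        # Level 0 tells the client to connect even if server authentication fails.
        findings.append("authentication level 0: server identity is not enforced")
    for name in ("redirectdrives", "redirectclipboard", "redirectprinters"):
        if s.get(name) == 1:
            findings.append(f"{name} enabled: confirm this redirection is required")
    return findings
```

Run against the sample, it reports the `authentication level:i:0` setting and the clipboard and printer redirection that the default client profile produces.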
Go to NetScaler > NetScaler Gateway > Policies > RDP Profiles and Connections > Connections.
You can see the current session.

RDP Proxy is a pretty cool feature of Citrix NetScaler that can cover some of the use cases we face with our remote access solution. However, the current implementation is too limited to fully replace a Microsoft RDS environment. Let's hope that Citrix continues to develop this feature in the next version of NetScaler.
Sources:
CTX200853
Zooming in on RDP Proxy on Unified Gateway
Unified Gateway FAQ
Stateless RDP Proxy
I did everything like I should, but the rdp shortcut is not appearing on the unified gateway portal. Any suggestions?