RDP Proxy
NetScaler 10.5.e and NetScaler 11 support RDP Proxy through NetScaler Gateway. No VPN required. There are two ways of launching RDP sessions through NetScaler Gateway RDP Proxy:
- Bookmarks on the Clientless Access portal page.
- After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be an IP address or a DNS name.
You can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.
Links:
- Kenny Baldwin blog post RDP-Proxy on NetScaler!
- Citrix Blog Post RDP Gateway on a NetScaler SSLVPN Virtual Server
- Citrix CTX200853 How to Configure RDP Profile on NetScaler Gateway
- RDP Proxy section in Unified Gateway FAQ at docs.citrix.com
- Anton van Pelt NetScaler Gateway = RD Gateway
Here are some requirements for RDP Proxy:
- NetScaler Enterprise Edition or Platinum Edition.
- NetScaler Gateway Universal Licenses for each user.
- TCP 443 and TCP 3389 opened to the NetScaler Gateway Virtual Server.
- TCP 3389 opened from the NetScaler SNIP to the RDP Servers.
Do the following to configure RDP Proxy:
- Expand NetScaler Gateway, expand Policies, right-click RDP and click Enable Feature.
- Click RDP on the left. On the right, switch to the Client Profiles tab and click Add.
- Give the Client Profile a name and configure it as desired. Scroll down.
- In the RDP Host field, enter the FQDN that resolves to the RDP Proxy listener, which is typically the same FQDN as NetScaler Gateway.
- Near the bottom is a Pre Shared Key. Enter a password and click OK. You’ll need this later.
- On the right, switch to the Server Profiles tab and click Add.
- Give the Server Profile a name.
- Enter the IP of the Gateway Virtual Server you’re going to bind this to.
- Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.
- If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
- Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
- On the right, click Add.
- Give the Bookmark a name.
- For the URL, enter rdp://MyRDPServer using IP or DNS.
- Check the box next to Use NetScaler Gateway As a Reverse Proxy and click Create.
- Create more bookmarks as desired.
- Create or edit a session profile/policy.
- On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
- On the Remote Desktop tab, select the RDP Client Profile you created earlier.
- If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
- On the Published Applications tab, make sure ICA Proxy is OFF.
- Edit or Create your Gateway Virtual Server.
- In the Basic Settings section, click More.
- Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.
- Scroll down. Make sure ICA Only is not checked.
- Bind a certificate.
- Bind authentication policies.
- Bind the session policy/profile that has the RDP Client Profile configured.
- You can bind Bookmarks to either the NetScaler Gateway Virtual Server or to an AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
- On the left, in the Published Applications section, click where it says No Url.
- Bind your Bookmarks.
- Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
- On the right, click Change authentication AAA settings.
- Change the Maximum Number of Users to your licensed limit.
- If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
- If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
- Connect to your Gateway and login.
- If you configured Bookmarks, simply click the Bookmark.
- Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (e.g. /rdpproxy/myserver).
- Then open the downloaded .rdp file.
- You can view the currently connected users by going to NetScaler Gateway > Policies > RDP and on the right is the Connections tab.
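The GUI steps above, expressed as the equivalent NetScaler CLI configuration. This is an added example, not configuration from the original article: every object name, IP address, FQDN and pre-shared key is a placeholder, and the option names are the ones documented for NetScaler 11 (verify them against the command reference for your release before pasting). The RDP Server Profile's rdpIP is the Gateway VIP itself, which is why TCP 3389 must be reachable on the Gateway Virtual Server; the bind to an AAA group is shown commented out as the alternative bookmark bind point.

```text
# Added example (not from the original article); all names, IPs and keys are placeholders.
# 1. Enable the feature (feature name assumed; matches "RDP > Enable Feature" in the GUI)
enable ns feature RDPProxy

# 2. RDP Client Profile: rdpHost is the FQDN that resolves to the RDP Proxy listener
add rdp clientprofile rdp_client_prof -rdpHost gateway.example.com -psk "Replace-With-Long-Random-PSK"

# 3. RDP Server Profile: rdpIP is the Gateway VIP this profile will be attached to; same PSK
add rdp serverprofile rdp_server_prof -rdpIP 192.0.2.10 -rdpPort 3389 -psk "Replace-With-Long-Random-PSK"

# 4. Clientless bookmark (rdp:// URL, "Use NetScaler Gateway As a Reverse Proxy" = -clientlessAccess ON)
add vpn url rdp_bookmark_srv1 "Server1 RDP" rdp://192.0.2.50 -clientlessAccess ON

# 5. Session profile/policy: authorization ALLOW, clientless ON, ICA Proxy OFF, RDP client profile attached
add vpn sessionAction rdp_sess_act -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -icaProxy OFF -rdpClientProfileName rdp_client_prof
add vpn sessionPolicy rdp_sess_pol ns_true rdp_sess_act

# 6. Gateway Virtual Server: ICA Only unchecked, RDP server profile selected
add vpn vserver gw_rdp SSL 192.0.2.10 443 -icaOnly OFF -rdpServerProfileName rdp_server_prof
bind ssl vserver gw_rdp -certkeyName gateway_cert
bind vpn vserver gw_rdp -policy ldap_auth_pol -priority 100
bind vpn vserver gw_rdp -policy rdp_sess_pol -priority 100
bind vpn vserver gw_rdp -urlName rdp_bookmark_srv1
# Alternative bind point for per-group bookmarks (group name must match the AD group):
# bind aaa group RDP_Users -urlName rdp_bookmark_srv1

# 7. Universal licenses: ICA Only is off, so the AAA user limit must match what is licensed
set aaa parameter -maxAAAUsers 100

# 8. DNS, if bookmarks or /rdpproxy/ URLs use names instead of IPs
add dns nameServer 192.0.2.53
add dns suffix corp.example.com
```

After applying this, `show rdp connections` (the CLI counterpart of the Connections tab) lists the proxied sessions; a session that authenticates at the logon page but never appears there usually points at the rdpHost FQDN, the PSK mismatch between the two profiles, or TCP 3389 not reaching the VIP.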
Hi Carl, when launching a bookmark that’s bound to a Gateway vServer or AAA Group, when the client first launches that bookmark, are they seen by the bookmark website as the public IP of the client device or the public IP of the NetScaler? Was wondering if it’s the NetScaler so that we could put logic in place for an SSO experience. For example, if a website is front-ended by PING, set up Ping so that it trusts connections originating from the NetScaler and does not prompt for creds.
Depends if the bookmark is “clientless”, VPN, or direct. Clientless URLs are rewritten so they are proxied through NetScaler. VPN is proxied through NetScaler. Direct is not proxied through NetScaler.
Hi Carl,
How can I disable SSO only for a specific server that is not joined to the domain?
This is working for me:
add vpn trafficAction t_act1 http -SSO OFF
add vpn trafficPolicy t_pol1 "REQ.HTTP.URL CONTAINS rdpproxy" t_act1
bind vpn vserver <gateway_vserver_name> -policy t_pol1 -priority 100
but what expression should I write to be able to limit the SSO-Disable only to specific server?
Found it.
That’s the expression:
"REQ.HTTP.URL CONTAINS 10.10.10.10"
10.10.10.10 = non-domain server – no SSO.
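A tighter version of the per-server SSO-off traffic policy discussed in this thread, added here as an example (not the commenter's configuration). `CONTAINS 10.10.10.10` matches any URL that merely contains that string, including hosts such as 10.10.10.100 or the address appearing in a query string, so anchoring the match on the /rdpproxy/ path narrows it to the RDP Proxy launch for that server. Object names and the vserver name are placeholders; the classic expression syntax is the one used in the thread, and the policy is bound to the Gateway Virtual Server so it applies to every user who reaches that launch URL.

```text
# Added example; names are placeholders. Turns SSO off only for /rdpproxy/ launches of one non-domain host.
add vpn trafficAction t_act_nosso_srv http -SSO OFF
add vpn trafficPolicy t_pol_nosso_srv "REQ.HTTP.URL CONTAINS /rdpproxy/10.10.10.10" t_act_nosso_srv
bind vpn vserver <gateway_vserver_name> -policy t_pol_nosso_srv -priority 100
# Check which traffic policy a test request hits before relying on it:
# show vpn trafficPolicy t_pol_nosso_srv
```

Because CONTAINS is a substring match, /rdpproxy/10.10.10.100 would still hit this policy; if such neighbouring addresses exist, use a DNS name for the server in the URL and match on that name instead.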
For info, I’ve created a NetScaler VIP in CVPN mode which forwards to an internal IIS server homepage. This IIS server creates icons where I’ve added a link using the format: https:/rdpproxy/**name of VM desktop or ip address**. This URL the NetScaler CVPN will auto rewrite, and when clicked it will allow the NS to generate the RDP file and launch a connection to the RDP destination through the NetScaler RDP proxy. This gives more flexibility in that all user NetScaler RDP icons can be created on an internal IIS server/StoreFront. The NetScaler VIP has a traffic policy to stop SSO, using an expression for the “rdpproxy” URL, and a Session Policy with the RDP client profile bound. ICA proxy is also included within the session policy for standard Citrix HDX access; this required StoreFront config changes, which are well documented. The end result for the user is that they have the option of using Citrix HDX to connect to a desktop or NetScaler RDP proxy, all presented in a unified gateway page, using a custom NetScaler Theme.
Hi Carl,
Thank you for the great article. I’m facing an issue where RDP sessions will only work if I disable SSO on the gateway server using steps in this article https://support.citrix.com/article/CTX208324. It is most likely due to some windows server policy. Are you aware of any policy that might be causing this issue?
Thanks,
Dear Carl, really nice blog, thanks a lot.
The RDP Proxy works really fine with bookmarks rdp://ServerIP.
Is there also an option to set up NetScaler with RDWeb?
With RDWeb I hope we can do these things without config changes on NetScaler:
a) publishing Desktops with more than one RDP Server (Load-Balancing)
b) give different users/customers different RDP-Sessions
For RDWeb, you’d also need RDGateway. NetScaler can certainly load balance both. I don’t have those instructions on my site, but CTP Cláudio Rodrigues is an expert on it.
Dear Carl,
Did you know if it can be possible with ssh connection ?
Can Netscaler be Proxy SSH ?
I want to create a unified gateway with ssh connections to different servers behind it.
Regards,
Julien FONLUPT
I am searching for the answer to this same question posted by Julien. Anyone?
Hi Carl. Thanks for your hard work. I really appreciate it very much!
One last question: If I won’t put the default authorization action to allow, which ports do I have to open to get RDP proxy working only for explicit hosts?
So I have an AAA group and would add an authorization policy to the AAA group.
Every group reflects one RDP host and RDP should only be possible to this host.
I suspect that’s correct but I haven’t tried it yet.
Very nice article! I’m now also trying to replace the RD web interface with the NetScaler. I tried to connect to the gateway and to the RDS broker but can’t seem to get it working. Is the broker still not supported in RDP Proxy?
I have not seen anything to indicate it’s supported.
Thanks for an excellent article Carl, smooth and easy setup.
However, I’m having trouble when connecting to 2012 R2 servers, it gives the following error “Your computer can’t connect to the remote computer because the connection broker couldn’t validate the settings specified in your RDP file”. Any tips on how to solve this?
Are you using RDS Connection Broker? If you Google this error, there are other sites with workarounds.
Hi Carl,
We are facing the same issue as FireLite was having. All I’ve found is that RDP Proxy is not working with Windows 2012 R2 servers which have the RDS Role installed (https://support.citrix.com/article/CTX227538). And that this will not be supported until a future Netscaler 12.1 release. Could you please point me to the workarounds you mentioned? I can’t see any clear one. Thank you very much!
Thanks for the article Carl. Is it possible not to pass the login credentials to the RDP session and ask you for the username and password?
I just found what I was looking for:
http://support.citrix.com/article/CTX207025?_ga=1.17276410.270056371.1424231578
http://discussions.citrix.com/topic/375614-rdp-proxy-disable-sso/
This comes really handy!!!
Cheers,
Dimitris
This is an article on how to turn off SSON for RDP. See http://support.citrix.com/article/CTX207025
Thanks for your great work. After the update to 11.1, the RDP Proxy feature is no longer licensed, although we have an Enterprise license. Can you confirm it?
According to http://docs.citrix.com/en-us/netscaler-gateway/11-1/rdp-proxy.html, Enterprise is required.
Thanks for your quick reply. We already have an enterprise license installed. Any idea? I’ll try a clean installation.
Hello,
Thank you for your tutorial.
It’s working fine for an rdp URL like this: rdp://10.10.5.2
I can establish an RDP connection to the 10.10.5.2 server.
I encountered a problem when I create a bookmark to an http URL like this: https://10.10.6.10/login.html
In this case, the proxy isn’t proxified.
Hi Carl
Just a quick note on licensing – no add-on for NS Std anymore it seems:
Snipped from https://docs.citrix.com/en-us/netscaler-gateway/11/unified-gateway/unified-gateway-FAQ.html
Licensing changes (for NS 11)
The RDP Proxy feature in NetScaler 11.0 can be used only with Platinum and Enterprise editions. Citrix Concurrent User (CCU) licenses must be obtained for each user.
Removed thanks. I thought I saw it as an option in one of the Partner documents but I couldn’t find any SKU in the price list.
My issue is I configured unified gateway. Therefore, I have a content switching server and 1 NetScaler gateway Virtual server. Now, I configured RDP Proxy using a separate virtual server, when I use the domain name (example.com) as the RDP host it works. However, when I use the unified gateway domain name (unified.example.com) as the RDP Host I cannot get a connection. Why is this happening?
Did you add /rdpproxy to your UG CSW expression?
Hi Carl thanks for the blog.
I want to replace UAG with NetScaler, which is a gateway for a backend RDS 2012 setup. I tried to use the RDP proxy feature of NetScaler but found that it is only used to publish RDP of a standalone server and doesn’t integrate well with the RDS 2012 farm like RDP Broker, RDS host servers, RDP Apps, etc., which we can easily configure on UAG 2010.
Also, we have configured multi-factor authentication (Radius and AD) on UAG and users cannot download the RDP app in RDP format, which forces them to log in to the UAG portal first and then access the RDP apps.
Can I achieve the above via NetScaler?
You can certainly load balance RDP Gateway but I don’t think NetScaler can act as an RDP Gateway replacement. http://blogs.serioustek.net/post/2014/09/22/load-balancing-remote-desktop-gateway-with-citrix-netscaler-aspx. If you want a more seamless replacement, I suggest calling Citrix Support and submitting an enhancement request.
A quick one Carl; and great article btw. You mention binding a bookmark to an AAA group? Where do you do this? I can only seem to bind policies through authorisation for AAA groups. I’m looking to have individual RDP proxy bookmarks per user/group in AD.
Go to NetScaler Gateway > User Administration > AAA Groups. Add a group that matches the AD group name. Then you can bind bookmarks to the group.
Hi Carl,
Is there a way to use RDP Proxy with a VPX Express license?
“There’s also a CCU add-on for Standard Edition”
Did you get any information about restrictions and pricing ?
Thanks
Express = Standard so I don’t think so. I just found a pricing guide saying that RDP Proxy needs Enterprise Edition and Gateway Universal licenses.
The FAQ mentions the add-on license but I haven’t found any details on that.
Hi Carl
Is it possible to configure StoreFront and RDP Proxy on the same NetScaler?
Sure. But you might need separate Gateway vServers for each function.
Kindly answer my question.
If my instructions didn’t help you then you can post your question to discussions.citrix.com or call Citrix Support. Almost every NetScaler appliance comes with support. If you found something wrong with my instructions let me know and I’ll fix it.
Hi Andrew,
I have a little demo (ESXi) with AAA Groups to demonstrate different access variants over Universal Gateway with CSW rules in front. One scenario is access to published apps and desktops with ICA proxy on. Another scenario is clientless access with bookmarks to websites, StoreFront, ShareFile and RDP Proxy over the same vserver. It works fine.
@Carl
Thanks for the great blog, and sorry for my bad English.
Ralf
Hi Carl,
Thanks for the article. If you can, please help me on this: I launch the RDP session to the desired workstation with a full VPN connection, but with a clientless connection it doesn’t work. Kindly help me on this.
Hi Carl, nice article. However, I’m unable to get it working. No matter what I do I get prompted to download or use the NetScaler Gateway Plugin (although clientless is configured, as far as I can see). If I continue and use the AGEE, and click the bookmark, I get HTTP 403 errors. I wondered if any config (apart from installing the session host role) is required on the RDP server (Win 2012 R2).
Thanks
Do you have a conflicting session policy that enables the VPN plug-in? Session policies are merged across all bind points and lowest priority number always wins. See http://support.citrix.com/article/CTX138840 to determine which policy is being used.
Hey Carl, first of all thanks for the blog 🙂
I’ve got this setup as suggested and when connecting I get the RDP file as expected with the STA stuff in there, it opens and begins to connect. If I packet capture I can see packets going from the subnet IP to the correct RDS box, the RDS client goes through its process..securing, configuring, estimating and then fails with can’t connect.
Any ideas? If I connect via full tunnel I can RDP fine so the endpoint is working. Been at this for days now :S
Hi Carl,
I was wondering if you also see the client connecting with 3389 to the gateway server, as in 3389 is public open to the gateway, how does this comply with the security standards? and now also saw this article http://docs.citrix.com/en-us/netscaler-gateway/11/stateless-rdp-proxy.html
I’m a bit confused is this by design? Do you know this?
Gateway won’t allow RDP unless the user has been authenticated.
I added a note about Stateless RDP. Basically it allows you to authenticate to one Gateway but use a different Gateway for the RDP connection. The Gateways use STA to authenticate each other.
Ok, so then it would be SSL from the client instead of 3389? Current deployment is UGW with RDP Proxy on top, and then it only works if I open 3389 externally to the VIP (the user gets authenticated all the way, even SSO).
It’s 3389 for the RDP connection. But the user must authenticate at the Gateway logon page first.
Then it’s like I thought, thanks for the confirmation 🙂
Hi,
tried to establish an RDP proxy connection. Without success.
I’m able to get the rdp file. But when the MSTSC client tries to connect to the RDP server I get the error message that it can’t connect to the remote computer.
This is my configuration:
Win-Client -> Internet -> NAT-IP -> Firewall -> DMZ-NetScaler with RDP-proxy-config -> Firewall -> internal NetScaler with LB-RDP-Vserver -> RDP-server.
Because the SSL-VPN technique of the NetScaler is not familiar to me, I have a problem understanding the functionality to access the RDP server over the internet, because I try to access an internal IP address over the internet (entry in the downloaded rdp file).
How can I check whether a VPN-connection is established when I try to access the RDP-server over SSL-VPN-RDP-proxy?
Thank you in advance!
RDP Proxy does not require a full VPN tunnel. If you have a VPN tunnel then you don’t need RDP Proxy since you can connect to the RDP server directly.
Ok. This is comprehensible. But I’ve still a problem in understanding how I can connect via the internet with the MSTSC-client to an internal-IP-address.
Without VPN, you use NetScaler Gateway RDP Proxy to generate the .RDP file for you. Then you simply launch the .RDP file. The connection should be proxied through NetScaler Gateway RDP Proxy.
I just realized that my instructions were missing the RDP Host field in the RDP Client Profile. The RDP Host should be a FQDN that resolves to the RDP Proxy Listener.
With the entry of the missing RDP-host in the RDP client profile I am able to reach my RDP-server.
But I am not able to accomplish an RDP session. At the configuring phase on the MSTSC side I got an error message “An internal error has occurred.” I’ve checked the firewall logs for whether something is blocked between the related stations. Nothing blocked.
At the RDP-host I see a successful login and an immediate logout of the user in the Windows-Security-log. Any idea?
Hi,
new awareness. I tried with Windows 2008R1-host as RDP-host all the time (because this is our productive RDS-environment). As I tried Windows 7 and Windows 2008R2 the connection worked. So what is the difference between 2008R1 and 2008R2/Win7 in RDP via NetScaler RDP-proxy?
Any difference in NLA settings?
I assume you mean with “NLA” “Network Location Awareness” (the windows-integrated firewall-setting).
I’ve tested it with different 2008R1 and 2008R2 systems on which the same domain GPOs operate and we don’t use local security settings.
Can you give me a tip which NLA-setting could be a reason for my problem?
Just wondering if there’s any difference. I don’t have any 2008 R1 servers to test against. I wonder if it’s because 2008 R1 doesn’t support RDP 8.0.
Hi,
now it’s getting confusing. Since yesterday I’m neither able to connect to 2008R1 nor to 2008R2 (which worked last week!). The error I receive from the MSTSC client is “An authentication error has occurred (Code: 0x80004005) Remote computer: [FQDN-name of NS-gateway]”.
The only changes are actual MS-patches for the server.
I saw a similar problem when using REST calls to create my 11.0 build 63 Gateway vServer. To fix it, I had to open the Gateway vServer, go to Other Settings (or Profiles), click the pencil icon, don’t change anything and click OK. This caused the RDP Proxy to start working. I think it’s a bug.
Unbelievable… after opening the Gateway vserver, opened “Other settings” and closed it, 2008R2-servers work again! Thank you very much!
Now I have the old situation. 2008R2 works, 2008R1 not. Continuing debugging…
Update: I tried connecting to Windows 2003 Server via RDP over RDP Proxy. Same problem as 2008R1. It looks like the NetScaler RDP Proxy has a problem with RDP <= 2008R1.
I have already played around with NTLM settings on 2008R1- and MSTSC-side. Without success.
Any idea? I am thankful for every tip or new idea!
It might require RDP 8. I don’t have any older OSs to try with. Try asking at discussions.citrix.com.
I’m just somewhat confused here, will this be the same FQDN as the gateway vServer or the FQDN of the actual RDP server on the inside? Thanks for a great write-up of a confusing issue 🙂
You mean the RDP Proxy Host field? That should be the Gateway FQDN unless you’ve split them out.
Thanks Carl. Very good walk-through…
Hi, Is there a API Call to netscaler I can make to get the RDP File for a given ICA File?
What I want to achieve is that once I have the list of apps published, I want to have the ability to download the .rdp file for a particular ICA file. Is it possible?
You want to use RDP instead of ICA/HDX? Why?
For published apps, they are published using Citrix, not RemoteApp, so connecting using RDP probably won’t work.
Without going into much detail on what my solution is, I am working on a solution which combines RDP proxying within Citrix infrastructure, where most of the things are done programmatically, for which I need to know how I can fetch the address of a host on demand so that I can get the RDP file for the host.
I have my netscaler setup to proxy RDP traffic and I do get the .RDP file when I go to the browser and do something like https://mynetscalar/rdpproxy/192.0.0.1
But the issue I have is I do not always know the IP address (192.0.0.1) of the host nor its domainName?
I tried calling the /Resource/LaunchICA API which gives me back the .ICA file for a published remote app and when you take a look at the contents of this .ICA file in the response, you see different info depending on where this request was made to:
api call (/resources/launchICA) to storefront, gives back a response
[Calculator]
Address=;192.168.168.0:443
among other data but address is what interests me.
The same API call against the netscaler gives me back a response with address containing some random string
[Calculator]
Address==;88;23170;63D31F23170;63D31F23170;63D31F
The question is: is there any configuration change I can make on the NetScaler to make sure the IP address of the host is sent as part of the ICA file, just like StoreFront?
Once I get the Address, Then I can make this call to fetch the .RDP file
https://mynetscalar/rdpproxy/HOST IP ADDRESS
Much appreciate your quick response!
Thanks.
You’d need to configure StoreFront to not rewrite the ICA file for NetScaler Gateway. In other words, remove (or unbind) the Gateway configs from the StoreFront console. But I’m not sure how to do that but also allow authentication at the Gateway and SSON to StoreFront. You might be able to do clientless access to StoreFront with a Traffic Policy that does forms-based auth to StoreFront. Or you can configure StoreFront to accept Basic Auth but I’ve never tried it. http://docs.citrix.com/en-us/storefront/3/configure-authentication-and-delegation/sf-configure-auth-service.html
Hi, can I ask a question re: this article? I have a strange situation where when users connect to their desktop, they get an error “This computer can’t connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator”.
I found another person thru Citrix forums having the same problem as me but no replies. The issue is that the remote users are connecting to their target machines, but the full name is being passed in, instead of the username. Thus, the Event Viewer on the target machine shows “Unknown user name or bad password”. So instead of domain\cstalhood, “Carl Stalhood” is sent in as the username.
I reconfigured the client profile to not insert the username into the .rdp file in the hopes that it would force the users to have to enter the credentials but that doesn’t work either. Seems like there’s some SSO functionality built into it, regardless.
I tried this on Netscaler 11 and 10.5 and the results are identical. Have you come across this before?
In your LDAP policy/server, what is the SSO Attribute?
Whoa! Thank you! I didn’t think to look there. It was set to the default “cn”. I set it to “new” and then input sAMAccountName. Works like a charm now! Thank you!
Is the target machine in the same domain as the user?
Nice article Carl… Enjoyed… I did this two months ago when the product got released… It was a client’s requirement for RDP sessions to be managed through Gateway… :)
Anyone having issues connecting to Windows XP machines, receiving x.224 errors in the event logs?