RDP-Proxy on NetScaler!

In case you weren’t paying attention (it was easy to miss) RDP-proxy is now available on the 10.5 enhancement branch! This feature appears to have been added as of the 10.5 51.1017.e.nc:

Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway. [From Build 51.1017.e] [#422442]

That’s right, you can now configure NetScaler Gateway vServers to host RDP-proxy with CredSSP single-sign on. And it’s not all that difficult to set up; here’s the quick and dirty on doing so.

First, you’ll want to create your RDP profile under the NetScaler Gateway section in the GUI, or using the ‘add rdp profile’ command in the CLI:RDP Profile

RDP Profile CLI

Assuming you can manage building a NetScaler Gateway vServer, there’s not much different here, you just need to specify the RDP IP (optional) and port:


Next, specify the RDP profile in your NetScaler Gateway vServer’s session profile under the new ‘Remote Desktop’ tab:
RDP Session Profile


And that should take care of the configuration. Once configured you can launch RDP sessions by logging into the vServer and opening /rdpproxy/rdphostip:


This will cause the NetScaler to generate a .rdp file that will look something like this:

negotiate security layer:i:1
authentication level:i:0
full address:s:rdp.desktopsandapps.com:3389

Notice the loadbalanceinfo parameter which is populated with a random string. This reference is used to validate the launch (a self-contained STA of sorts). Also, the enablecredsspsupport parameter instructs the NetScaler to attempt single sign-on to the target RDP host using CredSSP.

Well, that’s about all the time I have for now. Remember that this is in fact an ‘enhancement’ build, though it is now also included in the v11 main branch. Hopefully Citrix continues to improve this functionality as I’m sure they have customers everywhere who could benefit from native RDP-Proxy on the same ADC that’s serving up ICA-Proxy.. Enjoy!



  1. jotheman · January 26, 2015

    So far this is not as intuitive as I had thought to configure…
    Do you know if a separate virtual server (besides the Gateway virtual server) is required?
    And additionally which IP-address is to be configured where? Where does the “RDP IP” in the server policy need to point? And what is the “RDP Host” in the client policy?
    Too many required addresses/names and too little documentation so far… If you can answer any of these questions it would help me out.

    This functionality is meant to replace/emulate the RDS Gateway functionality right? Not to act as a portal towars the RDS Gateway.

    • Kenny Baldwin · January 26, 2015

      Yeah, it’s definitely a work in progress, and has added stateless functionality as of the 10.5 53.9010 release by way of using a STA to pass credentials between gateways. Just bear in mind that if you upgrade to 53.9010 that you’ll need to rebuild your RDP profiles.

      Basically you apply the RDP server profile to the vServer that will host the RDP proxy service, with the RDP IP being the VIP that will actually accept RDP proxy connections, vs. the vServer IP being the web portal VIP.

      Yes, this is a solution that effectively replaces RDS Gateway. Just bear in mind that it can’t enforce client settings (no ‘virtual channel lockdown’), so you’ll need to apply any restrictions on the server side.

  2. Chidex · May 12, 2015

    I am struggling to get this work. any detailed steps.very confusing

    • Kenny Baldwin · May 12, 2015

      Where are you stuck? Basically you specify an rdp client profile on your CVPN vServer’s session profile, and the rdp server profile to the rdp proxy vServer (if it’s different).

      Also, as of the latest release you also need to specify a matching pre-shared key to both, so as to allow for encryption of the XML blob that’s sent to/from the STA.

  3. VPXuser · June 23, 2015

    Do you know if this RDP Proxy feature is available in the Standard or only the Enterprise edition of VPX?

    • Kenny Baldwin · June 23, 2015

      It’s currently only available on the .e (Enhancement) release branch, though it should be mainlined as of v11.0

  4. VPXuser · June 23, 2015

    I have been able to get my hands on the .e (Enhancement) version and this feature solves a problem form me so I need to buy it. I just didn’t know if I could get this feature in the Standard version since it is approx 1/2 price of enterprise version

    • Kenny Baldwin · June 23, 2015

      Ah, sorry I misunderstood the question; it’s included with NetScaler Gateway CCU licenses.

  5. Pingback: NetScaler Gateway 11 – RDP Proxy | Carl Stalhood
  6. cadams9603 · September 14, 2015

    Having issues using this to remote into Windows XP have you seen this

    • Kenny Baldwin · September 14, 2015

      Not with XP in particular, though the session host’s platform shouldn’t matter as it just needs to be compatible with the client.

      Does the mstsc status message change prior to failing? Does it fail immediately, or after a period of time? Are you using STAs, and if so are they happy/healthy?

  7. Martin · September 21, 2015

    Does this support Remote app connections to? and i suppose it wont require running from IE as RDweb does?

    • Kenny Baldwin · September 21, 2015

      There is no browser dependency (besides the handling of the .rdp file), and though I haven’t tried it with RemoteApp, I’d be surprised if it didn’t work.

  8. sujay · September 22, 2015

    Really good post. I have a question regarding getting fetching the .RDP file on the client.
    The problem I have is that I do not know the actual ipaddress of the VDA hosts nor the domainname. Is there any API on the netscaler that I can call to query the address of a host?

    One thing i tried is that when you fetch the ICA file for a published app (/Resources/LaunchICA) directly on the storefront gives you back an ICA file with the address info looking like

    But when you make the same api request to the netscalar gateway, I get the response ICA file with address info filled as follows:

    What I am trying to achieve is for a given published app for a user, I want to download the RDP file?


  9. Pingback: NetScaler Gateway 11.1 – RDP Proxy – Carl Stalhood
  10. A. Rommens · August 11, 2016

    Do people has this working with remote apps / rdp desktop including Single Sign on?

    • Kenny Baldwin · August 11, 2016

      RDP desktops work fine with credssp single sign-on. I haven’t tested remote apps, but would assume they’d work as well.

  11. Pingback: Citrix RDP Proxy – Digital Cloud Zone
  12. Pingback: NetScaler Gateway 12 – RDP Proxy – Carl Stalhood
  13. Pingback: RDP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1 – Carl Stalhood

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s