RDP-Proxy on NetScaler!

In case you weren’t paying attention (it was easy to miss) RDP-proxy is now available on the 10.5 enhancement branch! This feature appears to have been added as of the 10.5 51.1017.e.nc:

Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway. [From Build 51.1017.e] [#422442]

That’s right, you can now configure NetScaler Gateway vServers to host RDP-proxy with CredSSP single sign-on. And it’s not all that difficult to set up; here’s the quick and dirty on doing so.

First, you’ll want to create your RDP profile under the NetScaler Gateway section in the GUI, or using the ‘add rdp profile’ command in the CLI:

RDP Profile

RDP Profile CLI

Assuming you can manage building a NetScaler Gateway vServer, there’s not much different here; you just need to specify the RDP IP (optional) and port:

rdp_proxy_vserver

Next, specify the RDP profile in your NetScaler Gateway vServer’s session profile under the new ‘Remote Desktop’ tab:

RDP Session Profile

And that should take care of the configuration. Once configured you can launch RDP sessions by logging into the vServer and opening /rdpproxy/rdphostip:

rdp_launch

This will cause the NetScaler to generate a .rdp file that will look something like this:

redirectclipboard:i:0
redirectdrives:i:0
redirectprinters:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:rdp.desktopsandapps.com:3389
loadbalanceinfo:s:461346de68dd72323493ddd65585ae1b77bbdc1b1c61cafec567bcbbee5a9380

Notice the loadbalanceinfo parameter which is populated with a random string. This reference is used to validate the launch (a self-contained STA of sorts). Also, the enablecredsspsupport parameter instructs the NetScaler to attempt single sign-on to the target RDP host using CredSSP.
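
As an added example (not part of the original post and not Citrix tooling), the Python below parses the generated .rdp file shown above and lists the settings worth reviewing. The function names parse_rdp and audit_rdp are illustrative, and the meaning given for authentication level 0 is the standard mstsc one.

```python
# Added example: parse a NetScaler-generated .rdp file and report the
# security-relevant settings. SAMPLE_RDP is the file shown in the post.
SAMPLE_RDP = """\
redirectclipboard:i:0
redirectdrives:i:0
redirectprinters:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:rdp.desktopsandapps.com:3389
loadbalanceinfo:s:461346de68dd72323493ddd65585ae1b77bbdc1b1c61cafec567bcbbee5a9380
"""

def parse_rdp(text):
    """Return {name: value}; each line is name:type:value (i = integer, s = string)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, kind, value = parts
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings

def audit_rdp(settings):
    """Return review findings for the redirection, CredSSP and launch settings."""
    findings = []
    for key in ("redirectclipboard", "redirectdrives", "redirectprinters"):
        if settings.get(key) != 0:  # absent or 1: not explicitly disabled
            findings.append(f"{key} is not disabled in the file; restrict it on the session host if unwanted")
    if settings.get("enablecredsspsupport") == 0:
        findings.append("enablecredsspsupport is 0, so CredSSP single sign-on will not be attempted")
    if settings.get("authentication level") == 0:
        findings.append("authentication level 0: the client connects without warning if server authentication fails")
    if not settings.get("loadbalanceinfo"):
        findings.append("loadbalanceinfo is missing, so there is no reference to validate the launch")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print("-", finding)
```

Run against the file above, this reports the enabled printer redirection and the authentication level of 0.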

Well, that’s about all the time I have for now. Remember that this is in fact an ‘enhancement’ build, though it is now also included in the v11 main branch. Hopefully Citrix continues to improve this functionality, as I’m sure they have customers everywhere who could benefit from native RDP-Proxy on the same ADC that’s serving up ICA-Proxy. Enjoy!


17 thoughts on “RDP-Proxy on NetScaler!”

  1. So far this is not as intuitive as I had thought to configure…
    Do you know if a separate virtual server (besides the Gateway virtual server) is required?
    And additionally which IP-address is to be configured where? Where does the “RDP IP” in the server policy need to point? And what is the “RDP Host” in the client policy?
    Too many required addresses/names and too little documentation so far… If you can answer any of these questions it would help me out.

    This functionality is meant to replace/emulate the RDS Gateway functionality, right? Not to act as a portal towards the RDS Gateway.

    • Yeah, it’s definitely a work in progress, and has added stateless functionality as of the 10.5 53.9010 release by way of using a STA to pass credentials between gateways. Just bear in mind that if you upgrade to 53.9010 that you’ll need to rebuild your RDP profiles.

      Basically you apply the RDP server profile to the vServer that will host the RDP proxy service, with the RDP IP being the VIP that will actually accept RDP proxy connections, vs. the vServer IP being the web portal VIP.

      Yes, this is a solution that effectively replaces RDS Gateway. Just bear in mind that it can’t enforce client settings (no ‘virtual channel lockdown’), so you’ll need to apply any restrictions on the server side.

    • Where are you stuck? Basically you specify an rdp client profile on your CVPN vServer’s session profile, and the rdp server profile to the rdp proxy vServer (if it’s different).

      Also, as of the latest release you also need to specify a matching pre-shared key to both, so as to allow for encryption of the XML blob that’s sent to/from the STA.

  2. I have been able to get my hands on the .e (Enhancement) version and this feature solves a problem for me so I need to buy it. I just didn’t know if I could get this feature in the Standard version since it is approx 1/2 price of enterprise version.

    • Not with XP in particular, though the session host’s platform shouldn’t matter as it just needs to be compatible with the client.

      Does the mstsc status message change prior to failing? Does it fail immediately, or after a period of time? Are you using STAs, and if so are they happy/healthy?

  3. Really good post. I have a question regarding fetching the .RDP file on the client.
    The problem I have is that I do not know the actual IP address of the VDA hosts nor the domain name. Is there any API on the NetScaler that I can call to query the address of a host?

    One thing I tried is that when you fetch the ICA file for a published app (/Resources/LaunchICA) directly on the StoreFront, it gives you back an ICA file with the address info looking like
    [Calculator]
    Address=;192.168.168.0:443

    But when you make the same API request to the NetScaler Gateway, I get the response ICA file with address info filled as follows:
    [Calculator]
    Address=;88;23170;63D31F23170;63D31F23170;63D31F

    What I am trying to achieve is for a given published app for a user, I want to download the RDP file?

    Thanks!
