RDP-Proxy on NetScaler!

In case you weren’t paying attention (it was easy to miss), RDP-proxy is now available on the 10.5 enhancement branch! This feature appears to have been added as of build 10.5 51.1017.e.nc:

Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway. [From Build 51.1017.e] [#422442]

That’s right, you can now configure NetScaler Gateway vServers to host RDP-proxy with CredSSP single sign-on. And it’s not all that difficult to set up; here’s the quick and dirty on doing so.

First, you’ll want to create your RDP profile under the NetScaler Gateway section in the GUI, or using the ‘add rdp profile’ command in the CLI:

[Image: RDP Profile]

[Image: RDP Profile CLI]

Assuming you can manage building a NetScaler Gateway vServer, there’s not much different here; you just need to specify the RDP IP (optional) and port:

[Image: rdp_proxy_vserver]

Next, specify the RDP profile in your NetScaler Gateway vServer’s session profile under the new ‘Remote Desktop’ tab:

[Image: RDP Session Profile]

And that should take care of the configuration. Once configured you can launch RDP sessions by logging into the vServer and opening /rdpproxy/rdphostip:

[Image: rdp_launch]

This will cause the NetScaler to generate a .rdp file that will look something like this:

redirectclipboard:i:0
redirectdrives:i:0
redirectprinters:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:rdp.desktopsandapps.com:3389
loadbalanceinfo:s:461346de68dd72323493ddd65585ae1b77bbdc1b1c61cafec567bcbbee5a9380

Notice the loadbalanceinfo parameter which is populated with a random string. This reference is used to validate the launch (a self-contained STA of sorts). Also, the enablecredsspsupport parameter instructs the NetScaler to attempt single sign-on to the target RDP host using CredSSP.
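As an added example (not from the original post and not Citrix code), here is a small Python parser for the name:type:value lines of such a generated .rdp file, with a review pass over the redirection, server-authentication, CredSSP and loadbalanceinfo settings. The function names, the host name and the token in the sample are constructed for illustration.

```python
import re

# Constructed sample: the settings shown above, with a placeholder host name
# and a placeholder launch token (not values from a real gateway).
SAMPLE_RDP = """\
redirectclipboard:i:0
redirectdrives:i:0
redirectprinters:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:rdp.example.test:3389
loadbalanceinfo:s:{token}
""".format(token="0f" * 32)

# name:type:value, where the name may contain spaces and the value may contain ':'
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    """Return {setting name: value}; type 'i' values become int."""
    settings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        value = m["value"]
        settings[m["name"].lower()] = int(value) if m["type"] == "i" else value
    return settings


def audit(settings):
    """List the settings worth reviewing before the file reaches users."""
    findings = []
    for name, value in sorted(settings.items()):
        if name.startswith("redirect") and value == 1:
            findings.append(f"{name}: redirection on, restrict it on the session host")
    if settings.get("authentication level") == 0:
        findings.append("authentication level 0: client connects without a warning "
                        "if server authentication fails")
    if settings.get("enablecredsspsupport") != 1:
        findings.append("enablecredsspsupport is not 1: no CredSSP single sign-on")
    if not settings.get("loadbalanceinfo"):
        findings.append("loadbalanceinfo missing: no launch reference to validate")
    return findings
```

For the sample, audit(parse_rdp(SAMPLE_RDP)) reports two items: printer redirection is on, and authentication level 0 lets the client connect without a warning when server authentication fails.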

Well, that’s about all the time I have for now. Remember that this is in fact an ‘enhancement’ build, though it is now also included in the v11 main branch. Hopefully Citrix continues to improve this functionality, as I’m sure they have customers everywhere who could benefit from native RDP-Proxy on the same ADC that’s serving up ICA-Proxy. Enjoy!

20 comments

  1. jotheman · January 26, 2015

    So far this is not as intuitive as I had thought to configure…
    Do you know if a separate virtual server (besides the Gateway virtual server) is required?
    And additionally which IP-address is to be configured where? Where does the “RDP IP” in the server policy need to point? And what is the “RDP Host” in the client policy?
    Too many required addresses/names and too little documentation so far… If you can answer any of these questions it would help me out.

    This functionality is meant to replace/emulate the RDS Gateway functionality, right? Not to act as a portal towards the RDS Gateway.

    • Kenny Baldwin · January 26, 2015

      Yeah, it’s definitely a work in progress, and has added stateless functionality as of the 10.5 53.9010 release by way of using a STA to pass credentials between gateways. Just bear in mind that if you upgrade to 53.9010 that you’ll need to rebuild your RDP profiles.

      Basically you apply the RDP server profile to the vServer that will host the RDP proxy service, with the RDP IP being the VIP that will actually accept RDP proxy connections, vs. the vServer IP being the web portal VIP.

      Yes, this is a solution that effectively replaces RDS Gateway. Just bear in mind that it can’t enforce client settings (no ‘virtual channel lockdown’), so you’ll need to apply any restrictions on the server side.

  2. Chidex · May 12, 2015

    I am struggling to get this to work. Any detailed steps? Very confusing.

    • Kenny Baldwin · May 12, 2015

      Where are you stuck? Basically you specify an rdp client profile on your CVPN vServer’s session profile, and the rdp server profile to the rdp proxy vServer (if it’s different).

      Also, as of the latest release you also need to specify a matching pre-shared key to both, so as to allow for encryption of the XML blob that’s sent to/from the STA.

  3. VPXuser · June 23, 2015

    Do you know if this RDP Proxy feature is available in the Standard or only the Enterprise edition of VPX?

    • Kenny Baldwin · June 23, 2015

      It’s currently only available on the .e (Enhancement) release branch, though it should be mainlined as of v11.0

  4. VPXuser · June 23, 2015

    I have been able to get my hands on the .e (Enhancement) version and this feature solves a problem for me, so I need to buy it. I just didn’t know if I could get this feature in the Standard version, since it is approx. 1/2 the price of the Enterprise version.

    • Kenny Baldwin · June 23, 2015

      Ah, sorry I misunderstood the question; it’s included with NetScaler Gateway CCU licenses.

  5. Pingback: NetScaler Gateway 11 – RDP Proxy | Carl Stalhood
  6. cadams9603 · September 14, 2015

    Having issues using this to remote into Windows XP. Have you seen this?

    • Kenny Baldwin · September 14, 2015

      Not with XP in particular, though the session host’s platform shouldn’t matter as it just needs to be compatible with the client.

      Does the mstsc status message change prior to failing? Does it fail immediately, or after a period of time? Are you using STAs, and if so are they happy/healthy?

  7. Martin · September 21, 2015

    Does this support RemoteApp connections too? And I suppose it won’t require running from IE as RDWeb does?

    • Kenny Baldwin · September 21, 2015

      There is no browser dependency (besides the handling of the .rdp file), and though I haven’t tried it with RemoteApp, I’d be surprised if it didn’t work.

  8. sujay · September 22, 2015

    Really good post. I have a question regarding fetching the .RDP file on the client.
    The problem I have is that I do not know the actual IP address of the VDA hosts nor the domain name. Is there any API on the NetScaler that I can call to query the address of a host?

    One thing i tried is that when you fetch the ICA file for a published app (/Resources/LaunchICA) directly on the storefront gives you back an ICA file with the address info looking like
    [Calculator]
    Address=;192.168.168.0:443

    But when you make the same API request to the NetScaler Gateway, I get the response ICA file with address info filled as follows:
    [Calculator]
    Address=;88;23170;63D31F23170;63D31F23170;63D31F

    What I am trying to achieve is for a given published app for a user, I want to download the RDP file?

    Thanks!

  9. Pingback: NetScaler Gateway 11.1 – RDP Proxy – Carl Stalhood
  10. A. Rommens · August 11, 2016

    Do people have this working with remote apps / RDP desktop including single sign-on?

    • Kenny Baldwin · August 11, 2016

      RDP desktops work fine with credssp single sign-on. I haven’t tested remote apps, but would assume they’d work as well.

  11. Pingback: Citrix RDP Proxy – Digital Cloud Zone
  12. Pingback: NetScaler Gateway 12 – RDP Proxy – Carl Stalhood
  13. Pingback: RDP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1 – Carl Stalhood
