The RDP Proxy feature was initially released in the NetScaler 10.5.e release, and was made GA with the 11.0 release. There were a lot of questions about it when it was first released, and some misunderstandings too. Read on to get an understanding of what RDP Proxy on NSGW can do for you.
From a high-level perspective, RDP Proxy gives you the following functionality:
- The ability to authenticate a user with multiple factors before giving them access to make an RDC to a backend host
- Reverse-proxy connection to your RDS host
- No need for a full VPN connection
- Control which RDP capabilities are available to the client
- Encrypt your RDS traffic
- Change the port for RDS traffic from 3389 to one of your choice (so you can sneak around the FWs)
Remote access to a jump host: If you don’t have a Citrix XD installation for everything, this is a cost-effective way to get access to a backend host, from where you can access other resources, all from the same portal you are used to.
The configuration consists of 3 elements:
- RDP server profile: this is where you define which IP and port the NetScaler should listen on for incoming connections. The RDP server profile is bound to an NSGW vServer.
- RDP client profile: this is where you define which RDP capabilities are available to the client (print mapping, drive sharing). The RDP client profile is bound to a session profile.
- RDP bookmarks: this is where you define the backend server/host’s IP address. The RDP bookmarks are bound to a user or a group.
Client connects to NS Gateway and is prompted to enter credentials.
List of Remote Desktop resources that the user can access is provided in the Portal.
Once the user clicks on a link, the request is authorized and NS generates the .rdp file.
NS accepts the connection from the RDP client and does SSO to the appropriate backend server and proxies the connection between the client and server.
enable ns feature ssl sslvpn rdpproxy
enable mode usnip
add aaa user testrdpuser -password testRDPuser123
add vpn url rdp RdpLink "rdp://<backend host ip>" -clientlessAccess ON
add authentication localPolicy localpol ns_true
add rdp serverprofile rdp_server_p1 -rdpIP <external ip#2> -rdpPort 443 -psk citrix
add vpn vserver mygateway SSL <external ip#1> 443 -Listenpolicy NONE -rdpServerProfileName rdp_server_p1
bind vpn vserver mygateway -policy localpol -priority 100
add rdp clientprofile rdp_client_p1 -rdpFileName testrdpfile.rdp -rdpHost <external ip#2> -psk citrix
set vpn sessionAction SETVPNPARAMS_ACT -clientSecurityLog ON -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1
set vpn parameter -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1
bind aaa user testrdpuser -urlName rdp
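The sample configuration above uses lab values: a short PSK, a default authorization action of ALLOW, and a client profile that does not pin any redirection capability. The following lint is an added example, not part of the original article or of NetScaler itself; it reads typed command scripts like the one above (not a saved ns.conf, where secrets are stored encrypted), and the minimum PSK length and the documentation IP address are assumptions.

```python
import shlex

# Constructed sample: the RDP-related lines of the configuration above, with the
# <external ip#2> placeholder replaced by a documentation address.
SAMPLE_CONFIG = """\
add rdp serverprofile rdp_server_p1 -rdpIP 203.0.113.11 -rdpPort 443 -psk citrix
add rdp clientprofile rdp_client_p1 -rdpFileName testrdpfile.rdp -rdpHost 203.0.113.11 -psk citrix
set vpn sessionAction SETVPNPARAMS_ACT -clientSecurityLog ON -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1
set vpn parameter -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1
"""

# rdp clientprofile switches for the capabilities offered to the client.
REDIRECT_OPTS = ("redirectClipboard", "redirectDrives", "redirectPrinters",
                 "redirectComPorts", "redirectPnpDevices")
MIN_PSK_LEN = 20  # assumption: local policy for this example, not a NetScaler limit


def parse_line(line):
    """Split one CLI line into (positional words, {lower-cased option: value})."""
    words, opts, tokens = [], {}, shlex.split(line)
    while tokens:
        tok = tokens.pop(0)
        if tok.startswith("-") and tokens:
            opts[tok[1:].lower()] = tokens.pop(0)
        else:
            words.append(tok)
    return words, opts


def audit(config):
    """Return (code, subject, detail) findings for a typed CLI command script."""
    findings = []
    for line in filter(str.strip, config.splitlines()):
        words, opts = parse_line(line)
        verb = [w.lower() for w in words[:3]]
        if verb[:2] == ["add", "rdp"] and verb[2:] in (["serverprofile"], ["clientprofile"]) and len(words) > 3:
            if len(opts.get("psk", "")) < MIN_PSK_LEN:
                findings.append(("weak-psk", words[3], "PSK missing or too short"))
            unset = [o for o in REDIRECT_OPTS if o.lower() not in opts]
            if verb[2] == "clientprofile" and unset:
                findings.append(("redirect-unset", words[3], ",".join(unset)))
        if opts.get("defaultauthorizationaction", "").upper() == "ALLOW":
            findings.append(("default-allow", " ".join(words), "backend access allowed unless denied"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

A profile passes once it carries a long random PSK, sets each redirection option explicitly to ENABLE or DISABLE, and the session action and global VPN parameter use DENY with explicit authorization policies for the bookmarked hosts.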
RDP Proxy is part of Unified Gateway, which is included in NetScaler Enterprise edition, and requires CCUs.
Read more about Unified Gateway here: https://www.citrix.com/blogs/2015/05/12/one-url-consolidates-remote-access-infrastructure