The RDP Proxy feature was initially released in the NetScaler 10.5.e release and was made GA with the 11.0 release. There were a lot of questions about it when it was first released, and some misunderstandings too. Read on to get an understanding of what RDP Proxy on NSGW can do for you.

From a high-level perspective, RDP Proxy provides the following functionality:

  • The ability to authenticate a user with multiple factors before giving them access to make an RDC to a backend host
  • Reverse-proxy connection to your RDS host
  • No need for a full VPN connection
  • Control which RDP capabilities are available to the client
  • Encrypt your RDS traffic
  • Change the port for RDS traffic from 3389 to one of your choice (so you can sneak around the FWs)

Use case:

Remote access to a jump host: If you don’t have a Citrix XD installation for everything, this is a cost-effective way to get access to a backend host, from where you can access other resources, all from the same portal you are used to.


The configuration consists of 3 elements.

RDP server profile: this is where you define which IP and port the NetScaler should listen on for incoming connections. The RDP server profile is bound to an NSGW vServer.

RDP client profile: this is where you define which RDP capabilities are available to the client (print mapping, drive sharing). The RDP client profile is bound to a session profile.

RDP bookmarks: this is where you define the backend server/host’s IP address. The RDP bookmarks are bound to a user or a group.

What happens:

Client connects to NS Gateway and is prompted to enter credentials.

A list of the Remote Desktop resources that the user can access is provided in the portal.

Once the user clicks on a link, the request is authorized and NS generates the .rdp file.

NS accepts the connection from the RDP client and does SSO to the appropriate backend server and proxies the connection between the client and server.

Example configuration:

enable ns feature ssl sslvpn rdpproxy

enable mode usnip

add aaa user testrdpuser -password testRDPuser123

add vpn url rdp RdpLink "rdp://<backend host ip>" -clientlessAccess ON

add authentication localPolicy localpol ns_true

add rdp serverprofile rdp_server_p1 -rdpIP <external ip#2> -rdpPort 443 -psk citrix

add vpn vserver mygateway SSL <external ip#1> 443 -Listenpolicy NONE -rdpServerProfileName rdp_server_p1

bind vpn vserver mygateway -policy localpol -priority 100

add rdp clientprofile rdp_client_p1 -rdpFileName testrdpfile.rdp -rdpHost <external ip#2> -psk citrix

set vpn sessionAction SETVPNPARAMS_ACT -clientSecurityLog ON -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1

set vpn parameter -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1

bind aaa user testrdpuser -urlName rdp
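
The configuration above only works when its three elements reference each other consistently, so the following is an added example (not part of the original post and not Citrix code) that checks a saved set of these commands for dangling profile names, a client profile whose -rdpHost has no matching -rdpIP listener, differing -psk values, and short keys. It assumes the pairing used in the example configuration, where -rdpHost equals -rdpIP and both profiles carry the same -psk; the audit() function, its finding labels, the 16-character minimum and the documentation-range addresses are assumptions made for the example.

```python
import shlex

# Constructed sample: the page's commands with <external ip> placeholders filled in (assumed).
SAMPLE = """\
add rdp serverprofile rdp_server_p1 -rdpIP 203.0.113.11 -rdpPort 443 -psk citrix
add vpn vserver mygateway SSL 203.0.113.10 443 -Listenpolicy NONE -rdpServerProfileName rdp_server_p1
add rdp clientprofile rdp_client_p1 -rdpFileName testrdpfile.rdp -rdpHost 203.0.113.11 -psk citrix
set vpn parameter -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rdp_client_p1
"""

def options(tokens):
    """Collect '-flag value' pairs, flag names lower-cased."""
    return {tokens[i][1:].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def audit(config, min_psk_len=16):
    """Return findings; min_psk_len is an assumed local policy, not a Citrix value."""
    servers, clients, refs, findings = {}, {}, [], []
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        opts = options(tok)
        head = " ".join(tok[:3]).lower()
        if head == "add rdp serverprofile":
            servers[tok[3]] = opts
        elif head == "add rdp clientprofile":
            clients[tok[3]] = opts
        for flag, table, label in (("rdpserverprofilename", servers, "server"),
                                   ("rdpclientprofilename", clients, "client")):
            if flag in opts:
                refs.append((opts[flag], table, label))
    for name, table, label in refs:  # checked last, so command order does not matter
        if name not in table:
            findings.append(f"dangling-{label}-profile:{name}")
    for name, prof in list(servers.items()) + list(clients.items()):
        if len(prof.get("psk", "")) < min_psk_len:
            findings.append(f"weak-psk:{name}")
    listeners = {s.get("rdpip"): (n, s) for n, s in servers.items()}
    for cname, c in clients.items():
        host = c.get("rdphost")  # exact string match; resolve an FQDN by hand
        if host not in listeners:
            findings.append(f"no-listener-for-rdphost:{cname}")
        elif c.get("psk") != listeners[host][1].get("psk"):
            findings.append(f"psk-mismatch:{cname}/{listeners[host][0]}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the sample, the only findings are the two short keys, since the example configuration uses the six-character key citrix in both profiles.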


RDP Proxy is part of Unified Gateway, which is included in NetScaler Enterprise edition, and requires CCUs.

Read more about Unified Gateway here: https://www.citrix.com/blogs/2015/05/12/one-url-consolidates-remote-access-infrastructure