
Citrix ADC as RDP Proxy

This article was first published as part of the Citrix CTA 2020 program on the Citrix User Group Community (myCUGC) website. It is a step-by-step guide to configuring Citrix ADC as an RDP proxy.

A simple and very effective way to give home-office users access to their office PCs is a Citrix ADC that acts as a Remote Desktop proxy: users authenticate to the Citrix Gateway over HTTPS, and the ADC opens the RDP session to the internal PC on their behalf, so port 3389 is never exposed to the Internet. Such a configuration can be set up within a few hours and is easy to administer.

If you only want the CLI commands, skip to the “CLI Commands” section at the end of this article.

Requirements

My starting point was a pre-installed Citrix ADC VPX with only its basic configuration.

The Citrix ADC needs an ADC Advanced or ADC Premium license. Citrix Gateway Universal licenses are also required for each user; these usually come with ADC Advanced (1,000 licenses) and ADC Premium (unlimited). In addition, the Citrix ADC must be able to reach every PC that users will later connect to on port 3389 (RDP) from its Subnet IP (SNIP), and its NSIP must be able to reach an Active Directory domain controller on port 636 (LDAPS) or 389 (LDAP). Prefer 636: with plain LDAP the service account’s bind password and the users’ credentials cross the network unencrypted. On the PCs that users will connect to, port 3389 (RDP) must be open (ideally only from the SNIP of the ADC) and RDP must be allowed for the users.

I have already imported the SSL certificate.
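The client-side requirements above (RDP enabled, port 3389 open, RDP allowed for the user) are easy to get wrong on a fleet of office PCs. The following script is an added example and not part of the original article: run in an elevated PowerShell on a target PC, it reports whether Remote Desktop is enabled, whether Network Level Authentication is required, whether the built-in “Remote Desktop” firewall rules are on, whether anything listens on 3389, and whether a given user may log on via RDP; with -Remediate it fixes what it can and, as a hardening step, scopes the firewall rules to the ADC SNIP. The SNIP 192.168.1.10 and the user name are assumptions for the example.

```powershell
<#
 Added example, not part of the original article: checks a Windows PC for the
 client-side requirements of the Citrix ADC RDP proxy. Run in an elevated
 PowerShell on the target PC (or via Invoke-Command). The ADC SNIP and the
 user name are assumptions; adjust them to your environment.
#>
param(
    [string]$AdcSnip     = '192.168.1.10',          # assumed Subnet IP of the Citrix ADC
    [string]$AllowedUser = "$env:USERDOMAIN\jdoe",  # assumed user who needs RDP access
    [switch]$Remediate                              # apply fixes instead of only reporting
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. Remote Desktop must be enabled (fDenyTSConnections = 0)
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0 -and $Remediate) { Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0; $deny = 0 }
Add-Result 'RDP enabled' ($deny -eq 0) "fDenyTSConnections = $deny"

# 2. Network Level Authentication: keep it on, so the PC authenticates the user before a session is created
$nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
Add-Result 'NLA required' ($nla -eq 1) "UserAuthentication = $nla"

# 3. Firewall: the built-in "Remote Desktop" inbound rules must be enabled. With -Remediate they are also
#    scoped to the ADC SNIP so only the proxy can reach 3389 (skip this if a GPO manages the rules).
$fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
$fwOn    = @($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
$fwNote  = "$(@($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count) of $($fwRules.Count) rules enabled"
if ($Remediate) {
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdcSnip
    $fwOn = $true; $fwNote = "enabled and scoped to $AdcSnip"
}
Add-Result 'Firewall allows RDP' $fwOn $fwNote

# 4. Something must actually listen on TCP 3389; that is what the ADC SNIP connects to
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Add-Result 'Port 3389 listening' ($null -ne $listener) $(if ($listener) { 'listener present' } else { 'no listener on 3389' })

# 5. The user must be allowed to log on through RDP: member of "Remote Desktop Users" or "Administrators".
#    Get-LocalGroupMember does not expand nested domain groups, so a miss here may still be fine.
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue) +
           @(Get-LocalGroupMember -Group 'Administrators'       -ErrorAction SilentlyContinue)
$allowed = @($members | Where-Object { $_.Name -eq $AllowedUser }).Count -gt 0
if (-not $allowed -and $Remediate) { Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedUser; $allowed = $true }
Add-Result "RDP allowed for $AllowedUser" $allowed 'Remote Desktop Users / Administrators'

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit so the script can be run across many PCs and failures collected
```

Run it once without -Remediate to see the state of a PC, and with -Remediate only where the firewall rules are not managed centrally; the scoping to the SNIP is the part that keeps 3389 unreachable from anything but the ADC.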

Configure Citrix ADC as RDP Proxy

Enable RDP Proxy Feature

Before we can start the configuration, let’s enable the feature “RDP Proxy.” You can find this under: 
System | Settings | Configure Advanced Features

I will now first explain the configuration on the Citrix ADC.

Configure the Unified Gateway

To do this, first select the menu item “Unified Gateway” in the configuration of the Citrix ADC:

Now we start the configuration with a click on “Get Started.”

Next, we fill in the IP address (VIP) of our Citrix Gateway. This VIP must be reachable from the Internet on port 443 (the port can be changed here), typically through a NAT rule on the perimeter firewall. We also assign a name for the gateway configuration and enter the FQDN. Go on with “Continue.”

In the next step, we choose our SSL certificate. In my case, I have used a Let’s Encrypt certificate, which must be renewed every 90 days (but, hey, it’s free 😉). If necessary, you can now add one and confirm the whole thing with “Continue.”

Now you can check the chain of the certificate. Ours is fine, so let’s move on.

In the next step, we enter the Active Directory connection details. I have created a service account for this; read access to Active Directory is all it needs. With a click on “Test Connection” you can check that the bind works:

Now we can add a portal theme. Go on to the next step:

We are not yet adding any applications. Close the wizard with “Continue.”

The base configuration of our Citrix ADC Unified Gateway is now done.

Add an RDP Profile

Now we add an RDP client profile under the following menu item in the Citrix ADC configuration: Citrix Gateway | Policies | RDP Profiles and Connections | Client Profiles

In the RDP profile I have only changed the name of the RDP file that users download later (remotePC.rdp). The other settings can be adjusted as you like.

Next, we have to adjust the session policy of our Gateway. You can find the gateway under:

Citrix Gateway | Citrix Gateway Virtual Servers

Here, we select “Edit” and jump to the Session Policies.

Now we edit these according to our requirements.

Choose your session policy. In our case, only one is bound here. Select it and go to “Edit Profile.”

Here, we first enter our Single Sign-on domain on the “Published Applications” tab of the session profile (in the CLI this is the -ntDomain parameter of the session action). It is optional: if you leave it empty, users have to log in as “Domain\Username” instead of just their user name.

We will adapt this for our case.

Then we bind our just-created RDP profile. We do that under “Remote Desktop.”

That’s about it.

Provide fixed RDP destinations, if necessary

If necessary, you can now define fixed RDP destinations as bookmarks. You do this directly on the Unified Gateway virtual server by adding a URL under Published Applications.

In my case, I’m not doing it. I want my users to be able to enter and establish connections to their office PC themselves.

How users add connections and connect from outside

Users now open the FQDN of the Unified Gateway in a browser from outside.

So, log in with your Username and Password.

Now choose “Clientless Access.”

On the overview page, users can now enter their own RDP connection using their PC name or IP address. To do this, users must click on the “Add” button in the “Personal Web Sites” area.

Connections added by the user can be removed later with “Remove.”

The entry for an RDP connection looks as follows. Besides a name for the connection, users enter the PC name or IP address including port 3389 (for RDP). I have added a description. Do not forget to check the box “RDP Link”; this is what tells the Gateway to hand out an RDP file instead of treating the entry as a web link. Then create the link with “Add.”

Once we have created the link, we can click on it in the “Personal Web Sites” section and we will be offered an RDP file for download. We can then save it or start it directly.

CLI Commands

These commands reproduce the wizard configuration from above. Replace the placeholders first and paste the block in this order: the RDP client profile must exist before the session action that references it, the session action before the session policy, and the LDAP policy before it is bound.

# Replace the following:
# 192.168.1.200 < IP address of YOUR domain controller (LDAP/LDAPS server)
# 192.168.1.120 < YOUR IP address for the Gateway VIP
# dc=lab,dc=local < YOUR LDAP base DN
# joe@ad.thomaspreischl.de < service user for the Citrix ADC LDAP bind (read-only account)
# PASSWORD < YOUR password for that service user
# login.thomaspreischl.de < YOUR Gateway FQDN
# lab.local < YOUR SSO domain
# login < name of the SSL certkey you already imported for the Gateway FQDN

enable ns feature RDPProxy
# Unified Gateway additionally needs the CS, SSL and SSLVPN features (enable ns feature CS SSL SSLVPN) if they are not on yet

# LDAP over SSL on 636; over plain 389 the bind password and the users' credentials would cross the network unencrypted.
# By default the ADC does not check the domain controller's certificate; add -validateServerCert YES (with the DC's CA certificate bound on the ADC) if you want that.
add authentication ldapAction 192.168.1.200_LDAP -serverIP 192.168.1.200 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn joe@ad.thomaspreischl.de -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL
# The LDAP policy is what gets bound to the Gateway below; without this line that bind fails
add authentication ldapPolicy 192.168.1.200_LDAP_pol ns_true 192.168.1.200_LDAP

# Unified Gateway: the content-switching vserver owns the public VIP and terminates TLS; the Gateway vserver behind it is non-addressable (0.0.0.0)
add cs vserver RemoteGateway SSL 192.168.1.120 443 -cltTimeout 180 -persistenceType NONE
add vpn vserver UG_VPN_RemoteGateway SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn login.thomaspreischl.de
add cs action UG_CSACT_RemoteGateway -targetVserver UG_VPN_RemoteGateway
add cs policy UG_CSPOL_RemoteGateway -rule is_vpn_url -action UG_CSACT_RemoteGateway
bind cs vserver RemoteGateway -policyName UG_CSPOL_RemoteGateway -priority 63000

# RDP client profile (only the file name is changed), then the session action that references it, then the session policy
add rdp clientprofile RDP -rdpFileName remotePC.rdp
# -defaultAuthorizationAction ALLOW also lets users open internal web URLs through the clientless portal; restrict it with authorization policies if only RDP is wanted
add vpn sessionAction UG_VPN_SAct_192.168.1.120 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
add vpn sessionPolicy UG_VPN_SPol_192.168.1.120 true UG_VPN_SAct_192.168.1.120

# TLS settings belong on both SSL vservers; the CS vserver is the one clients actually talk to. Add -tls1 DISABLED -tls11 DISABLED if no legacy clients need them.
set ssl vserver RemoteGateway -ssl3 DISABLED -tls13 ENABLED
set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED -dtls1 DISABLED

bind vpn vserver UG_VPN_RemoteGateway -portaltheme X1
bind vpn vserver UG_VPN_RemoteGateway -policy 192.168.1.200_LDAP_pol
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol_192.168.1.120 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST

# The certificate must be bound to both vservers; an SSL vserver without a certkey stays DOWN
bind ssl vserver RemoteGateway -certkeyName login
bind ssl vserver UG_VPN_RemoteGateway -certkeyName login

bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_256
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_384
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_224
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_521

bind ssl vserver RemoteGateway -eccCurveName P_256
bind ssl vserver RemoteGateway -eccCurveName P_384
bind ssl vserver RemoteGateway -eccCurveName P_224
bind ssl vserver RemoteGateway -eccCurveName P_521
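A block of CLI commands like the one above is executed line by line, so a bind that names a policy nobody added, or a session action that names an RDP client profile defined a few lines later, fails silently in a paste session. The following PowerShell function is an added example and not part of the original article or of any Citrix tooling: it walks a CLI snippet, records the name created by every add command, and flags each -policy, -policyName, -action, -targetVserver, -certkeyName, -rdpClientProfileName or -portaltheme reference (and the action named positionally in add vpn sessionPolicy) that has no preceding add. Built-in objects (names starting with an underscore, the shipped portal themes) are skipped. The sample configuration inside it is constructed for the demonstration and deliberately contains both defects.

```powershell
# Added example, not part of the original article or of Citrix tooling: a consistency check for a
# Citrix ADC CLI snippet before it is pasted into the appliance. The name-extraction rule (4th token
# of an add command) matches the object types used in this article; it is a heuristic, not a full parser.
function Test-NsConfigReferences {
    param([Parameter(Mandatory)][string]$Config)

    $refParams = 'policy', 'policyName', 'action', 'targetVserver', 'certkeyName', 'rdpClientProfileName', 'portaltheme'
    $builtIn   = 'X1', 'RfWebUI', 'Default', 'GreenBubble'   # portal themes shipped with the appliance
    $defined   = @{}                                          # object name -> line of its add command
    $issues    = New-Object System.Collections.Generic.List[object]
    $lineNo    = 0

    foreach ($raw in ($Config -split "`r?`n")) {
        $lineNo++
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $tok  = $line -split '\s+'
        $refs = @()

        # named parameters that point at another object
        for ($i = 0; $i -lt $tok.Count - 1; $i++) {
            if ($tok[$i] -match '^-(\w+)$' -and $refParams -contains $Matches[1]) { $refs += $tok[$i + 1] }
        }
        # positional reference: add vpn sessionPolicy <name> <rule> <action>
        if ($tok[0] -eq 'add' -and $tok[1] -eq 'vpn' -and $tok[2] -eq 'sessionPolicy' -and $tok.Count -ge 6) { $refs += $tok[5] }

        foreach ($r in $refs) {
            if ($r.StartsWith('_') -or $builtIn -contains $r) { continue }   # built-in objects need no add
            if (-not $defined.ContainsKey($r)) {
                $issues.Add([pscustomobject]@{ Line = $lineNo; Reference = $r; Problem = 'never created by an add command' })
            }
        }
        # register the object this add command creates (its name is the 4th token)
        if ($tok[0] -eq 'add' -and $tok.Count -ge 4 -and -not $defined.ContainsKey($tok[3])) { $defined[$tok[3]] = $lineNo }
    }
    # a reference that is satisfied only later in the file is an ordering problem, not a missing object
    foreach ($iss in $issues) {
        if ($defined.ContainsKey($iss.Reference)) {
            $iss.Problem = "created only at line $($defined[$iss.Reference]); move that add command before line $($iss.Line)"
        }
    }
    return $issues
}

# constructed sample: an LDAP policy that is bound but never added, and an RDP profile referenced before its add
$sampleConfig = @'
add ssl certKey login -cert login.crt -key login.key
add authentication ldapAction DC_LDAP -serverIP 192.168.1.200 -serverPort 636 -secType SSL
add vpn vserver UG_VPN SSL 0.0.0.0 -vserverFqdn login.example.com
add vpn sessionAction UG_SAct -SSO ON -ntDomain lab.local -rdpClientProfileName RDP
add vpn sessionPolicy UG_SPol true UG_SAct
add rdp clientprofile RDP -rdpFileName remotePC.rdp
bind vpn vserver UG_VPN -portaltheme X1
bind vpn vserver UG_VPN -policy DC_LDAP_pol
bind vpn vserver UG_VPN -policy UG_SPol -priority 58000 -gotoPriorityExpression NEXT -type REQUEST
bind ssl vserver UG_VPN -certkeyName login
'@

Test-NsConfigReferences -Config $sampleConfig | Format-Table -AutoSize
```

On the sample it reports two rows: line 4 references RDP, which is created only at line 6, and line 8 binds DC_LDAP_pol, which is never created. To check your own block, read it with Get-Content -Raw and pass it as -Config; an empty result means every referenced object exists before it is used.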

I hope this article helps you to provide your users with a safe and fast home-office workplace. As you can see, using Citrix ADC as an RDP proxy is quick to set up, simple, and secure. Also check out my other articles with useful tips for Citrix ADC.
