This article was already published as part of the Citrix CTA 2020 Program on the Citrix User Group Community Website. You will find here a step-by-step guide how you can configure Citrix ADC as RDP Proxy.
A simple and very effective way is to give users access via a Citrix ADC that acts as a remote desktop proxy. Such a configuration can be set up within a few hours and offers comprehensive protection and easy administration.
If you want go straight forward to the cli command section, just click here.
As a prerequisite in my case, I only used a pre-installed and basic Citrix ADC VPX.
The Citrix ADC must have an ADC Advanced or ADC Premium license. Citrix Gateway Universal licenses are also required for each user. However, these usually come with the ADC Advanced (1,000 licenses) and the ADC Premium (unlimited). In addition, our Citrix ADC must be able to communicate via SubnetIP on port 3389 (RDP) with all clients that are to be addressed externally later. Additionally it is necessary that the Netscaler IP can reach an Active Directory Controller with 636 (LDAPs) or 389 (LDAP). On the Clients to which your users want to connect, 3389 (RDP) should be opened and RDP should be allowed for the users.
I have already imported the SSL certificate.
Configure Citrix ADC as RDP Proxy
Enable RDP Proxy Feature
Before we can start the configuration, let’s enable the feature “RDP Proxy.” You can find this under:
System | Settings | Configure Advanced Features
I will now first explain the configuration on the Citrix ADC.
Configure the Unified Gateway
To do this, first select the menu item “Unified Gateway” in the configuration of the Citrix ADC:
Now we start the configuration with a click on “Get Started.”
Next, we fill in the IP address (VIP) of our Citrix Gateway. This must be externally accessible over WAN via port 443 (the port can also be changed here) (NAT). In addition we assign a name for our gateway configuration and enter the FQDN. Go on with “Continue.”
In the next step, we choose our SSL certificate. In my case, I have used a Let’s Encrypt certificate, which must be renewed every 90 days (but, hey, it’s free 😉). If necessary, you can now add one and confirm the whole thing with “Continue.”
Now you can check the chain of the certificate. Ours is fine, so let’s move on.
In the next step, we now enter the Active Directory connection information. I have created a service account for this. This account has only read access to the Active Directory, which is sufficient. With a click on “Test Connection” you can check if the connection works:
Now we can add a portal theme. Go on to the next step:
We are not yet adding any applications. Close the wizard with “Continue.”
The base configuration of our Citrix ADC Unified Gateway is now done.
Add a RDP Profile
Now we go to the following menu item in the Citrix ADC Configuration and add a RDP profile there: Citrix Gateway | Policies | RDP Profiles and Connections | Client Profiles
The RDP profile should look like this:
(I have only changed the name of the RDP File the user later is downloading. You can change the settings as you want.)
Next we have to adjust our session policy for our Gateway. You can find the gateway under:
Citrix Gateway | Citrix Gateway Virtual Servers
Here, we select “Edit” and jump to the Session Policies.
Now we edit these according to our requirements.
Choose your session policy. In your case, only one should be sent and bound here. Select it and go to “Edit Profile.”
Here, we must first enter our Single Sign-on domain. We do this in the point “Published Application.” If you don’t want to use this one, you can leave it out. But then the users have to choose the login name as follows: “Domain\Username”
We will adapt this for our case.
Then we bind our just-created RDP profile. We do that under “Remote Desktop.”
That’s about it.
Provide fixed RDP Sessions, if necessary.
If necessary, you can now define fixed RDP destinations using the bookmarks. You can do this directly on the Unified Gateway Virtual Server. For this you add a URL to the Published Applications.
In my case, I’m not doing it. I want my users to be able to enter and establish connections to their office PC themselves.
How users can add connections and connect from outside.
Users can now connect externally on the Citrix ADC via the FQDN of the Unified Gateway.
So, log in with your Username and Password.
Now choose “Clientless Access.”
On the overview page, users can now enter their own RDP connection using their PC name or IP address. To do this, users must click on the “Add” button in the “Personal Web Sites” area.
Connections added by the user can be removed later with “Remove.”
The connections for an RDP connection should look as follows. In addition to the name for the RDP connection, the PC name or IP address including port 3389 (for RDP) is entered here. I have added a description. Please do not forget to check the box “RDP Link.” Then you can create the link with “Add.”
Once we have created the link, we can click on it in the “Personal Web Sites” section and we will be offered an RDP file for download. We can then save it or start it directly.
#Replace the following #192.168.1.200 < YOUR IPAddress for the Gateway VIP #dc=lab,dc=local < YOUR LDAP BIND #email@example.com < Serviceuser für Citrix ADC LDAP Connection #PASSWORD < YOUR PASSWORD #login.thomaspreischl.de < YOUR FQDN #lab.local < YOUR SSO DOMAIN ENABLE NS Feature RDPProxy add authentication ldapAction 192.168.1.200_LDAP -serverIP 192.168.1.200 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn firstname.lastname@example.org -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL add cs vserver RemoteGateway SSL 192.168.1.120 443 -cltTimeout 180 -persistenceType NONE add vpn vserver UG_VPN_RemoteGateway SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn login.thomaspreischl.de add cs action UG_CSACT_RemoteGateway -targetVserver UG_VPN_RemoteGateway add cs policy UG_CSPOL_RemoteGateway -rule is_vpn_url -action UG_CSACT_RemoteGateway bind cs vserver RemoteGateway -policyName UG_CSPOL_RemoteGateway -priority 63000 add vpn sessionAction UG_VPN_SAct_192.168.1.120 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP add vpn sessionPolicy UG_VPN_SPol_192.168.1.120 true UG_VPN_SAct_192.168.1.120 add rdp clientprofile RDP -rdpFileName remotePC.rdp set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED -dtls1 DISABLED bind vpn vserver UG_VPN_RemoteGateway -portaltheme X1 bind vpn vserver UG_VPN_RemoteGateway -policy 192.168.1.200_LDAP_pol bind vpn vserver UG_VPN_RemoteGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST bind vpn vserver UG_VPN_RemoteGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST bind vpn vserver UG_VPN_RemoteGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST bind vpn vserver UG_VPN_RemoteGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST bind vpn vserver UG_VPN_RemoteGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE bind vpn vserver UG_VPN_RemoteGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol_192.168.1.120 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST bind ssl vserver UG_VPN_RemoteGateway -certkeyName login bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_256 bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_384 bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_224 bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_521 bind ssl vserver RemoteGateway -eccCurveName P_256 bind ssl vserver RemoteGateway -eccCurveName P_384 bind ssl vserver RemoteGateway -eccCurveName P_224 bind ssl vserver RemoteGateway -eccCurveName P_521
I hope this article helps you to provide your users with a safe and fast alternative as a home office workplace. You see it´s very fast, simple and secure to use Citrix ADC as RDP Proxy. Also check out my other articles with useful tips for Citrix ADC.