Product Documentation

Stateless RDP Proxy

Sep 22, 2017


The Stateless RDP Proxy accesses a RDP host. Access is granted through the RDPListener on NetScaler Gateway when the user authenticates on a separate NetScaler Gateway Authenticator. The information required by the RDPListener for NetScaler Gateway is securely stored on a STA Server.

The flow and new knobs created for this functionality are described here.


This solution should meet the following conditions:

• User is authenticated on NetScaler Gateway Authenticator.

• The initial /rdpproxy URL and RDP Client are connected to a different RDPListener NetScaler Gateway.

• The RDPListener Gateway information is securely passed by the Authenticator Gateway using a STA Server.


Add a new rdpServer Profile.  The server profile is configured on the RDPListener Gateway.

command Kopieren

add rdpServer Profile <profilename> -rdpIP <IPV4 address of the RDP listener> -rdpPort <port for terminating RDP client connections> -psk <key to decrypt RDPTarget/RDPUser information, needed while using STA>

For stateless RDP proxy, the STA Server validates the STA ticket, which is sent by the RDP client, to obtain the RDP Target/RDPUser information.

The rdpServer Profile is configured on the ‘vpn vserver’.

command Kopieren

add vpn vserver v1 SSL <publicIP> <portforterminatingvpnconnections> -rdpServerProfile <rdpServer Profile>


Once the rdpServerProfile is configured on the vpn vserver, it cannot be modified. Also, the same serverProfile cannot be reused on another vpn vserver.

The rdp profile command was renamed as rdpClient profile and has new parameters. The  multiMonitorSupport command was added. Also, an option to configure custom params, which are not supported as part ofthe RDP client profile, has been added. The clientSSL param was removed, since the connection is always secured. The client profile is configured on the Authenticator Gateway.

command Kopieren

add rdpClient profile <name> -rdpHost <optional FQDN that will be put in the RDP file as ‘fulladdress’> [-rdpUrlOverride ( ENABLE | DISABLE )] [-redirectClipboard ( ENABLE | DISABLE )] [-redirectDrives ( ENABLE | DISABLE )]
[-redirectPrinters ( ENABLE | DISABLE )] [-keyboardHook <keyboardHook>] [-audioCaptureMode ( ENABLE | DISABLE )] [-videoPlaybackMode ( ENABLE | DISABLE )]
[-rdpCookieValidity <positive_integer>][-multiMonitorSupport ( ENABLE | DISABLE )] [-rdpCustomParams <string>]

The –rdpHost configuration is used in a single Gateway deployment.

•  Associate the RDP Profile with the vpn vserver.

This can be done either by configuring a sessionAction+sessionPolicy or by setting the global vpn parameter.


command Kopieren

add vpn sessionaction <actname> -rdpClientprofile <rdpprofilename>
add vpn sessionpolicy <polname> NS_TRUE <actname>
bind vpn vserver <vservername> -policy <polname> -priority <prioritynumber>
set vpn parameter –rdpClientprofile <name>

Connection Counter

A new connection counter ns_rdp_tot_curr_active_conn was added, which keeps the record of number of active connections in use. It can be viewed as a part of nsconmsg command on NetScaler shell. Later, we will be providing a new CLI command to view this counters.

Connection Flow

There are two connections involved in the RDP Proxy flow. The first connection is the user’s SSL VPN connection to the NetScaler Gateway VIP, and enumeration of the RDP resources.

The second connection is the native RDP client connection to the RDP listener (configures using rdpIP and rdpPort) on the NetScaler Gateway, and subsequent proxying of the RDP client to server packets securely.

localized image

• User connects to the Authenticator Gateway VIP and provides his/her credentials.

• After successful login to the Gateway, user is redirected to the homepage/external portal which enumerates the remote desktop resources that the user can access. 

• Once the user selects a RDP resource, a request is received by the Authenticator Gateway VIP, in the format https://AGVIP/rdpproxy/ip:port/rdptargetproxy indicating the published resource that the user clicked. This request has the information about the IP and port of the RDP server that the user has selected. 

• The /rdpproxy/ request is processed by the Authenticator Gateway. Since the user is already authenticated, this request comes with a valid Gateway cookie.

• The RDPTarget and RDPUser information is stored on the STA server and a STA Ticket is generated. The information is stored as an XML blob which is optionally encrypted using the configured pre-shared key. If encrypted, the blob is base64 encoded and stored. The Authenticator Gateway will use one of the STA servers that is configured on the Gateway Vserver.

• The XML blob will be in this format

<Value name=”IPAddress”>ipaddr</Value>\n<Value name=”Port”>port</Value>\n

<Value name=”Username”>username</Value>\n<Value name=”Password”>pwd</Value>

• The ‘rdptargetproxy’ obtained in the /rdpproxy/ request is put as the ‘fulladdress’ and the STA ticket (pre-pended with the STA AuthID) is put as the ‘loadbalanceinfo’ in the .rdp file.

• The .rdp file is sent back to the client end-point.

• The native RDP client launches and connects to the RDPListener Gateway. It sends the STA ticket in the initial x.224 packet.

• The RDPListener Gateway validates the STA ticket and obtains the RDPTarget and RDPUser information. The STA server to be used is retrieved using the ‘AuthID’ present in the loadbalanceinfo.

• A Gateway session is created for storing authorization/auditing policies. If a session already exists for the user, it is re-used.

• The RDPListener Gateway connects to the RDPTarget and single signs on using CREDSSP.

Single Gateway Compatibility

If the RDP file is generated using the /rdpproxy/rdptarget/rdptargetproxy URL, we will generate a STA ticket, otherwise the current method of the ‘loadbalanceinfo’ referring to the session directly will be used.

localized image

In case of a single gateway deployment, the /rdpproxy URL comes to the Authenticator Gateway itself. A STA server is not required. The authenticator gateway encodes the RDPTarget and the AAA session cookie securely and sends this as the ‘loadbalanceinfo’ in the .rdp file. When the RDP Client sends this token in the x.224 packet, the authenticator gateway decodes the RDPTarget information, looks up the session and connects to the RDPTarget.

Upgrade Notes

Earlier configuration doesn’t work with this new release, since the parameters rdpIP and rdpPort, which were earlier configured on vpn vserver has been updated to be part of the rdpServerProfile and 'rdp Profile' has been renamed as 'rdp ClientProfile' and the old parameter clientSSL has been removed.


In this build the data between the Gateway and STA server is not encrypted using the preshared key, and is sent unencrypted. This will be addressed in the GA.

Create RDP Server Profile

1. Go to NetScaler Gateway > Policies > RDP.

localized image

2. Go to Server Profiles tab and click Add.

localized image

3. Enter the following information to create the RDP Server Profile.

localized image

Configure RDP Client Profile

1. Go to NetScaler Gateway > Policies > RDP

localized image

2. Go to Client Profiles tab and click Add.

localized image

3. Enter the following information to configure the RDP Server Profile.

localized image

Setup a Virtual Server

1. Go to NetScaler Gateway > Virtual Server.

localized image

2. Click Add to create a new RDP Server.

localized image

3. Complete the data on this Basic Settings page and click OK.

localized image

4. Click the pencil to edit the page.

localized image