Connecting to Citrix Infrastructure via RDP through a Linux Bastion Host in AWS

When setting up a Citrix Virtual Apps and Desktops environment in AWS, it is important to keep security considerations in mind. A bastion host is commonly used for added security and separation between external and internal networks, and is typically a stripped-down Linux instance that hosts a proxy server. For Citrix implementations in AWS, an admin might have access to the bastion host, but no direct network access to the Citrix infrastructure. As Citrix infrastructure is comprised of Windows-based instances and includes a GUI-based meta-installer, connectivity through a Linux-based bastion host becomes an issue.

Connecting to a Linux instance in AWS via a bastion host is as simple as PuTTYing to the bastion and SSHing into the desired instance. To create an RDP session to a Windows instance through a bastion host is possible by using port forwarding. Port forwarding is the remapping of the destination IP and a port number. It makes services on a protected network available on the opposite side of a gateway, such as a router. In this case, use port forwarding to map your local port to the RDP port on the desired instance by creating a tunnel in your preferred SSH/Tunneling utility.

For example, in the PuTTY console, create an SSH session. Enter the public IP of the bastion host, provide the private key in the Auth section, and then create a Tunnel. The tunnel’s source port should be an unused local port, such as localhost 5000 and over. The IP address is the IP of the destination host (the Windows instance you are trying to reach) with the RDP port appended (3389). Be sure to save your configurations. Connect to the bastion host, and log in. Then, start an RDP session for your local port.

Set the host name or public IP of the bastion host.

In SSH > Auth, set the private key file in the .ppk format.

In SSH > Tunnels, add the new forwarded port. The Source port should be the arbitrary unused port, and the Destination should be the IP of the destination server behind the bastion host, with the RDP port appended. In the Source port field, click Add to connect a new forwarded port.

Connect to the bastion host via PuTTY, and then log in.

Start an RDP session using the local host to reach the destination server.

Contributed by Jill Fetscher, Citrix Principal Consultant