Citrix Gateway

Stateless RDP Proxy

The Stateless RDP Proxy accesses an RDP host. Access is granted through the RDPListener on Citrix Gateway when the user authenticates on a separate Citrix Gateway Authenticator. The information required by the RDPListener for Citrix Gateway is securely stored on a STA server. A STA server can be placed anywhere as long as the Citrix Gateway and application enumeration servers can reach it. For details see, https://support.citrix.com/article/CTX101997.

Connection flow

There are two connections involved in the RDP Proxy flow. The first connection is the user’s SSL VPN connection to the Citrix Gateway VIP, and enumeration of the RDP resources.

The second connection is the native RDP client connection to the RDP listener (configured using rdpIP and rdpPort) on the Citrix Gateway, and subsequent proxying of the RDP client to server packets securely.

Connection flow diagram

  1. The User connects to the Authenticator Gateway VIP and provides the credentials.

  2. After successful login to the gateway, the user is redirected to the homepage/external portal which enumerates the remote desktop resources that the user can access.

  3. Once the user selects an RDP resource, a request is received by the Authenticator Gateway VIP, in the format https://AGVIP/rdpproxy/ip:port/rdptargetproxy indicating the published resource that the user clicked. This request has the information about the IP and port of the RDP server that the user has selected.

  4. The authenticator gateway processes the /rdpproxy/ request. Because the user is already authenticated, this request comes with a valid gateway cookie.

  5. The RDPTarget and RDPUser information is stored on the STA server and a STA Ticket is generated. The information is stored as an XML blob which is optionally encrypted using the configured pre-shared key. If encrypted, the blob is base64 encoded and stored. The Authenticator Gateway uses one of the STA servers that is configured on the Gateway virtual server.

  6. The XML blob is in the following format

    <Value name=”IPAddress”>ipaddr</Value>\n<Value name=”Port”>port</Value\>n
    
    <Value name=”`Username`”>username</Value\>\n<Value name=”Password”>pwd\</Value\>
    
  7. The rdptargetproxy obtained in the /rdpproxy/ request is put as the ‘fulladdress’ and the STA ticket (pre-pended with the STA AuthID) is put as the loadbalanceinfo in the.rdp file.

  8. The .rdp file is sent back to the client end-point.

  9. The native RDP client launches and connects to the RDPListener Gateway. It sends the STA ticket in the initial x.224 packet.

  10. The RDPListener Gateway validates the STA ticket and obtains the RDPTarget and RDPUser information. The STA server to be used is retrieved using the ‘AuthID’ present in the loadbalanceinfo.

  11. A Gateway session is created for storing authorization/auditing policies. If a session exists for the user, it is reused.

  12. The RDPListener Gateway connects to the RDPTarget and single signs on using CREDSSP.

Prerequisites

  • User is authenticated on the Citrix Gateway authenticator.

  • The initial /rdpproxy URL and RDP Client are connected to a different RDPListener Citrix Gateway.

  • The Authenticator Gateway using a STA Server securely passes the RDPListener Gateway information.

Configure stateless RDP Proxy by using the CLI

  • Add a rdpServer profile. The server profile is configured on the RDPListener Gateway.

    Note:

    • Once the rdpServer Profile is configured on the VPN virtual server, it cannot be modified. Also, the same serverProfile cannot be reused on another VPN virtual server.
    • The rdpIP and rdpPort, which were previously configured on the VPN virtual server is part of the rdpServerProfile. The rdp Profile is renamed as rdp ClientProfile and the parameter clientSSL is removed. Therefore, the earlier configuration does not work.
     add rdpServer Profile [profilename] -rdpIP [IPV4 address of the RDP listener] -rdpPort [port for terminating RDP client connections] -psk [key to decrypt RDPTarget/RDPUser information, needed while using STA].
    

    The rdpServer profile is configured on the VPN virtual server using the following command:

     add vpn vserver v1 SSL [publicIP] [portforterminatingvpnconnections] -rdpServerProfile [rdpServer Profile]
    

    Important:

    • For stateless RDP proxy, the STA Server validates the STA ticket, sent by the RDP client, to obtain the RDPTarget/RDPUser information. You must bind the STA server in addition to the VPN virtual server. For example;
         add vpn url url4 RDP2 "rdp://1.1.1.0/1.1.1.2:443" ---> here RDP is 1.1.1.0 and 1.1.1.2 is the virtual server
    

The rdp profile command is renamed as rdpClient profile and has new parameters. The multiMonitorSupport command was added. Also, an option to configure custom params, which are not supported as part of the RDP client profile, has been added. The clientSSL param was removed, since the connection is always secured. The client profile is configured on the authenticator Gateway.

add rdpClient profile <name> -rdpHost <optional FQDN that will be put in the RDP file as ‘fulladdress’> [-rdpUrlOverride ( ENABLE | DISABLE )] [-redirectClipboard ( ENABLE | DISABLE )] [-redirectDrives ( ENABLE | DISABLE )]

        [-redirectPrinters ( ENABLE | DISABLE )] [-keyboardHook <keyboardHook>] [-audioCaptureMode ( ENABLE | DISABLE )] [-videoPlaybackMode ( ENABLE | DISABLE )]

        [-rdpCookieValidity <positive_integer>][-multiMonitorSupport ( ENABLE | DISABLE )] [-rdpCustomParams <string>]

The –rdpHost configuration is used in a single Gateway deployment.

  • Associate the RDP Profile with the VPN virtual server.

You can associate an RDP profile either by configuring a sessionAction+sessionPolicy or by setting the global VPN parameter.

Example:

add vpn sessionaction <actname> -rdpClientprofile <rdpprofilename>

add vpn sessionpolicy <polname> NS_TRUE <actname>

bind vpn vserver <vservername> -policy <polname> -priority <prioritynumber>

OR

set vpn parameter –rdpClientprofile <name>

Configure stateless RDP proxy by using the GUI

The following high-level steps are involved in the stateless RDP proxy configuration. For the detailed steps, see RDP Proxy configuration.

  • Create an RDP server profile
  • Create an RDP client profile
  • Create a virtual server
  • Create a bookmark
  • Create or edit a session profile or policy
  • Bind a bookmark

Important:

For stateless RDP proxy, you must bind a STA server in addition to the VPN virtual server.

Connection counter

A new connection counter ns_rdp_tot_curr_active_conn was added, which keeps the record of the number of active connections in use. It can be viewed as a part of the nsconmsg command on the Citrix ADC shell. CLI command to view these counters is planned to be added later.

Upgrade notes

The rdpIP and rdpPort, which were previously configured on the VPN virtual server is part of the rdpServerProfile. The rdp Profile is renamed as rdp ClientProfile and the parameter clientSSL is removed. Therefore, the earlier configuration does not work.

Stateless RDP Proxy