RDP Proxy

RDP Proxy Overview and Enhancements through Citrix Gateway

The following RDP Proxy features provide access to a remote desktop farm through Citrix Gateway:

  • Secure RDP traffic through CVPN or ICAProxy mode (without Full Tunnel).

  • Single sign-on (SSO) to RDP servers through Citrix Gateway, with an option to disable SSO if needed.

  • Enforcement (SmartAccess) feature, where Citrix ADC administrators can disable certain RDP capabilities through Citrix Gateway configuration.

  • Single or Stateless (Dual) Gateway solution for all needs (VPN/ICA/RDP/Citrix Endpoint Management).

  • Compatibility with native Windows MSTSC client for RDP without the need for any custom clients.

  • Use of the existing Microsoft-provided RDP client on Mac OS X, iOS, and Android.

Deployment Overview

The following figure depicts an overview of the deployment:

[Figure: overview of the RDP Proxy deployment]

The RDP Proxy functionality is provided as part of Citrix Gateway. In a typical deployment, the RDP client runs on a remote user’s machine, the Citrix Gateway appliance is deployed in the DMZ, and the RDP server farm is in the internal corporate network. The remote user connects to the Citrix Gateway public IP address, establishes an SSL VPN connection, and authenticates; the user can then access the remote desktops through the Citrix Gateway appliance.

The RDP-proxy feature is supported in CVPN and ICAProxy modes.

Deployment Through CVPN

In this mode, the RDP links are published on the Gateway home page or portal as bookmarks, through the ‘add vpn url’ configuration or through an external portal. The user clicks one of these links to access the remote desktop.

Deployment Through ICAProxy

In this mode, a custom home page is configured on the Gateway VIP by using the wihome parameter. This home page can be customized with the list of remote desktop resources that the user is allowed to access. The custom page can be hosted on Citrix ADC or, if external, embedded as an iFrame in the existing Gateway portal page.

In either mode, after the user clicks the provisioned RDP link or icon, an HTTPS request for the corresponding resource arrives at the Citrix Gateway. The Gateway generates the RDP file content for the requested connection and pushes it to the client. The native RDP client is invoked and connects to an RDP listener on the Gateway. The Gateway performs SSO to the RDP server and applies enforcement (SmartAccess), blocking client access to certain RDP features based on the Citrix ADC configuration, and then proxies the RDP traffic between the RDP client and the server.

Enforcement Details

The Citrix ADC administrator can restrict certain RDP capabilities through Citrix Gateway configuration. Citrix Gateway provides the “RDP enforcement” feature for important RDP parameters and ensures that the client cannot enable blocked parameters: if the client enables a blocked parameter, RDP enforcement supersedes the client setting, and the setting is not honored.

Supported RDP Parameters for Enforcement

Enforcement is supported for the following redirection parameters, which are configurable as part of an RDP client profile:

  • Redirection of clipboard

  • Redirection of printers

  • Redirection of disk drives

  • Redirection of COM ports

  • Redirection of PnP devices

Connection Flow

Connection flow can be divided into two steps:

  • RDP resource enumeration and RDP file download.

  • RDP Connection launch.

Based on this connection flow, there are two deployment solutions:

  • Stateless (Dual) Gateway solution: RDP resource enumeration and RDP file download happen through the Authenticator Gateway, but the RDP connection launch happens through the RDP Listener Gateway.

  • Single Gateway solution: RDP resource enumeration, RDP file download, and RDP connection launch all happen through the same Gateway.

Stateless (Dual) Gateway Compatibility

The following figure depicts the deployment:

[Figure: Stateless (Dual) Gateway deployment]

  • The user connects to the Authenticator Gateway VIP and provides credentials.

  • After successful login to the Gateway, the user is redirected to the home page or external portal, which enumerates the remote desktop resources that the user can access.

  • Once the user selects an RDP resource, the Authenticator Gateway VIP receives a request in the format https://vserver-vip/rdpproxy/rdptarget/listener indicating the published resource that the user clicked. This request carries the IP address and port of the RDP server that the user selected.

  • The /rdpproxy/ request is processed by the Authenticator Gateway. Since the user is already authenticated, this request comes with a valid Gateway cookie.

  • The RDPTarget and RDPUser information is stored on the STA server, and an STA ticket is generated. The information stored on the STA server is encrypted by using the configured pre-shared key. The Authenticator Gateway uses one of the STA servers configured on the Gateway vserver.

  • The ‘Listener’ information obtained in the /rdpproxy/ request is put into the .rdp file as the “fulladdress,” and the STA ticket (prepended with the STA AuthID) is put into the .rdp file as the “loadbalanceinfo.”

  • The .rdp file is sent back to the client endpoint.

  • The native RDP client launches and connects to the RDP Listener Gateway, sending the STA ticket in the initial packet.

  • The RDP Listener Gateway validates the STA ticket and obtains the RDPTarget and RDPUser information. The STA server to use is identified by the ‘AuthID’ present in the loadbalanceinfo.
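The .rdp file described above can be inspected on the client side before the native client opens it. This is an added example, not Citrix code: it parses the standard name:type:value .rdp format, confirms that the file sends the client to the Gateway listener (rather than straight to the RDP server) and carries a loadbalanceinfo ticket, and reports which client-requested redirections an enforcement profile would override. The sample file, profile, host name and ticket are constructed placeholders, and the mapping from profile parameters to .rdp setting names follows the standard RDP settings file, not anything the page states.

```python
# RDP client profile enforcement parameters (Citrix ADC CLI names) mapped to
# the standard .rdp file setting a client uses to request that redirection.
ENFORCEMENT_TO_RDP_SETTING = {
    "redirectClipboard": "redirectclipboard",
    "redirectPrinters": "redirectprinters",
    "redirectDrives": "drivestoredirect",
    "redirectComPorts": "redirectcomports",
    "redirectPnpDevices": "devicestoredirect",
}

# Constructed sample .rdp file; the host name, AuthID and ticket are placeholders.
SAMPLE_RDP = """\
full address:s:gateway.example.com:3389
loadbalanceinfo:s:AUTHID-PLACEHOLDER-STA-TICKET-PLACEHOLDER
redirectclipboard:i:1
redirectprinters:i:1
drivestoredirect:s:*
redirectcomports:i:0
devicestoredirect:s:
"""

# Constructed profile: the values an 'add rdp clientprofile' with these flags sets.
SAMPLE_PROFILE = {"redirectClipboard": "ENABLE", "redirectPrinters": "DISABLE",
                  "redirectDrives": "DISABLE", "redirectComPorts": "DISABLE",
                  "redirectPnpDevices": "DISABLE"}

def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}; skip malformed ones."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) == 3:
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def check_proxy_fields(settings: dict[str, tuple[str, str]], listener: str) -> list[str]:
    """The file must send the native client to the Gateway listener, never straight
    to the RDP server, and must carry the ticket the listener validates."""
    problems = []
    if settings.get("full address", ("s", ""))[1] != listener:
        problems.append("full address does not point at the Gateway RDP listener")
    if not settings.get("loadbalanceinfo", ("s", ""))[1]:
        problems.append("loadbalanceinfo (AuthID + STA ticket) is missing")
    return problems

def enforcement_overrides(settings: dict[str, tuple[str, str]],
                          profile: dict[str, str]) -> list[str]:
    """Redirections the client requests that the profile DISABLEs; the Gateway
    does not honour them, so these are the client settings to expect to be ignored."""
    overridden = []
    for param, key in ENFORCEMENT_TO_RDP_SETTING.items():
        requested = settings.get(key, ("i", "0"))[1] not in ("", "0")
        if profile.get(param) == "DISABLE" and requested:
            overridden.append(param)
    return overridden
```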

Single Gateway Compatibility

The following figure depicts the deployment:

[Figure: Single Gateway deployment]

In the case of a single gateway deployment, the STA server is not required. The authenticator gateway encodes the RDPTarget and the AAA session cookie securely and sends them as the loadbalanceinfo in the .rdp file. When the RDP Client sends this token in the initial packet, the authenticator gateway decodes the RDPTarget information, looks up the session, and connects to the RDPTarget.

License Requirements for RDP Proxy

Platinum edition, Enterprise edition

Note: The RDP Proxy function is not available to customers who have only a Gateway platform license or only the Standard edition.

The RDP Proxy feature must be enabled for RDP Proxy to work:

enable feature rdpProxy

Configuration Steps

The high-level configuration steps are as follows:

  1. Enable the feature
  2. Create Bookmarks on the Gateway portal or use a customized Gateway portal that enumerates RDP resources
  3. Configure an RDP Client Profile
  4. Configure an RDP Server Profile

Enable the Required Features and Modes

  • enable ns feature ssl

  • enable ns feature sslvpn

  • enable ns feature rdpproxy

  • enable mode usnip

Creating Bookmarks

  1. Create bookmarks on the portal page to access the RDP resources (the actualURL starts with rdp://).

  2. Add the VPN URL:

     add vpn url <urlName> <linkName> <actualURL>

    • The URL must be in the following format: rdp://<TargetIP:Port>
    • For Stateless RDP Proxy mode, the URL must be in the following format: rdp://<TargetIP:Port>/<ListenerIP:Port>
    • The URL is published on the portal in the format https://<VPN-VIP>/rdpproxy/<TargetIP:Port> or, for Stateless mode, https://<VPN-VIP>/rdpproxy/<TargetIP:Port>/<ListenerIP:Port>

  3. Bind the bookmarks to the user, the group, the vpn virtual server, or vpn global.
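As an added check for the bookmark formats above (example code, not part of the page or of the Citrix CLI), this helper maps an ‘add vpn url’ actualURL to the link the portal publishes, in both the single-gateway and Stateless forms, and rejects malformed URLs or an IP-literal target outside the RDP farm subnet; since the page also lets users generate their own rdp:// links, checking targets against the farm is a reasonable defender’s sanity check. The VIP host name is a placeholder and the farm subnet is constructed from the page’s sample addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the subnet the RDP farm lives in (built from the
# page's sample addresses) and a placeholder Gateway VIP host name.
FARM = ipaddress.ip_network("10.102.147.0/24")
VPN_VIP = "gateway.example.com"

def _check_endpoint(value: str) -> str:
    """Accept '<host>' or '<host:port>' (numeric port, IPv4 or DNS host); return the host."""
    if not value or "/" in value:
        raise ValueError(f"expected <host> or <host:port>, got {value!r}")
    host, sep, port = value.rpartition(":")
    if not sep:
        return value
    if not host or not port.isdigit():
        raise ValueError(f"expected <host:port>, got {value!r}")
    return host

def publish_bookmark(actual_url: str, vpn_vip: str = VPN_VIP) -> str:
    """Return the link the portal publishes for an 'add vpn url' actualURL.

    rdp://<TargetIP:Port>                   -> https://<VIP>/rdpproxy/<TargetIP:Port>
    rdp://<TargetIP:Port>/<ListenerIP:Port> -> https://<VIP>/rdpproxy/<TargetIP:Port>/<ListenerIP:Port>
    Any other shape, or an IP-literal target outside FARM, raises ValueError.
    A DNS-name target is accepted; the appliance resolves it (add dns addrec).
    """
    parts = urlsplit(actual_url)
    if parts.scheme != "rdp" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"not an rdp://<TargetIP:Port> bookmark: {actual_url!r}")
    target_host = _check_endpoint(parts.netloc)
    try:
        target_ip = ipaddress.ip_address(target_host)
    except ValueError:
        target_ip = None  # DNS name rather than an IP literal
    if target_ip is not None and target_ip not in FARM:
        raise ValueError(f"target {target_host} is outside the RDP farm {FARM}")
    listener = parts.path.strip("/")
    if listener:  # Stateless (Dual) Gateway form also carries the listener
        _check_endpoint(listener)
        return f"https://{vpn_vip}/rdpproxy/{parts.netloc}/{listener}"
    return f"https://{vpn_vip}/rdpproxy/{parts.netloc}"

def bookmark_is_valid(actual_url: str) -> bool:
    """True when publish_bookmark accepts the URL, False when it rejects it."""
    try:
        publish_bookmark(actual_url)
        return True
    except ValueError:
        return False
```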

Configuring a Client Profile

Configure the client profile on the authenticator gateway. The following is a sample configuration:

add rdp clientprofile <name> [-addUserNameInRdpFile ( YES | NO )] [-audioCaptureMode ( ENABLE | DISABLE )] [-keyboardHook <keyboardHook>] [-multiMonitorSupport ( ENABLE | DISABLE )] [-psk <string>] [-rdpCookieValidity <positive_integer>] [-rdpCustomParams <string>] [-rdpFileName <string>] [-rdpHost <optional FQDN that will be put in the RDP file as ‘fulladdress’>] [-rdpUrlOverride ( ENABLE | DISABLE )] [-redirectClipboard ( ENABLE | DISABLE )] [-redirectComPorts ( ENABLE | DISABLE )] [-redirectDrives ( ENABLE | DISABLE )] [-redirectPnpDevices ( ENABLE | DISABLE )] [-redirectPrinters ( ENABLE | DISABLE )] [-videoPlaybackMode ( ENABLE | DISABLE )]

Associate the RDP client profile with the vpn vserver. This can be done either by configuring a sessionAction and sessionPolicy or by setting the global vpn parameter.

Example:

add vpn sessionaction <actname> -rdpClientProfileName <rdpprofilename>

add vpn sessionpolicy <polname> NS_TRUE <actname>

bind vpn vserver <vservername> -policy <polname> -priority <prioritynumber>

OR

set vpn parameter -rdpClientProfileName <name>

Configuring a Server Profile

Configure the server profile on the listener gateway.

add rdp serverprofile <profilename> -rdpIP <IPv4 address of the RDP listener> -rdpPort <port for terminating RDP client connections> -psk <key to decrypt RDPTarget/RDPUser information, needed while using STA>

The RDP server profile must be bound to the ‘vpn vserver’:

add vpn vserver v1 SSL <publicIP> <port for terminating VPN connections> -rdpServerProfile <rdpServerProfileName>

Sample Configuration


  • Enable the required features and modes

    • enable ns feature ssl

    • enable ns feature sslvpn

    • enable ns feature rdpproxy

    • enable mode usnip

  • Add a VPN URL for the user with the target information

     add aaa user Administrator -password freebsd123$%^

     add vpn url rdp RdpLink rdp://rdpserverinfo

     add dns addrec rdpserverinfo 10.102.147.132

     bind aaa user Administrator -urlName rdp

  • Configure the RDP client and server profiles for the VPN connection

     add rdp clientprofile p1 -psk citrix -redirectClipboard ENABLE

     add rdp serverprofile p1 -rdpIP 10.102.147.134 -psk citrix

     add vpn vserver mygateway SSL 10.102.147.134 443 -rdpserverprofile p1

     set vpn parameter -clientlessVpnMode ON -defaultAuthorizationAction ALLOW -rdpClientProfileName p1

     add ssl certKey gatewaykey -cert rdp_rootcert.pem -key rdp_rootkey

     bind ssl vserver mygateway -certkeyName gatewaykey

  • Add a SNIP for the connection from Citrix ADC to the target

     add ns ip 10.102.147.135 255.255.255.0 -type SNIP

Option to Disable SSO

The SSO (single sign-on) feature with RDP Proxy can be disabled by configuring Citrix ADC traffic policies so that the user is always prompted for credentials. When SSO is disabled, RDP enforcement (SmartAccess) does not work.

Example Configuration:

add vpn trafficaction <TrafficActionName> HTTP -SSO OFF

Traffic policies can be configured as required; the following are two examples:

  • To disable SSO for all RDP Proxy traffic:

    add vpn trafficpolicy <TrafficPolicyName> "url contains rdpproxy" <TrafficActionName>

  • To disable SSO based on the source/destination IP or FQDN:

    add vpn trafficpolicy <TrafficPolicyName> "REQ.HTTP.URL CONTAINS rdpproxy && REQ.IP.SOURCEIP == <IP/FQDN>" <TrafficActionName>

    bind vpn vserver rdp -policy <TrafficPolicyName>

Support for Single Listener

  • Single Listener for Both RDP and SSL Traffic.

  • The RDP file download and the RDP traffic can be handled through the same 2-tuple (IP address and port) on Citrix ADC.

Bookmark

RDP link generation through the portal: instead of configuring the RDP links for the user or publishing them through an external portal, you can give users the option to generate their own URLs by providing targetIP:Port. For a stateless RDP Proxy deployment, the administrator can include the RDP listener information in FQDN:Port format as part of the RDP Client Profile, under the rdpListener option. This configuration is used for RDP link generation through the portal in Dual Gateway mode.


RDP Proxy Configuration

Do the following to configure RDP Proxy:

  1. Expand Citrix Gateway, expand Policies, right-click RDP, and click Enable Feature.

  2. Click RDP on the left. On the right, switch to the Client Profiles tab and click Add.

  3. Give the Client Profile a name and configure it as desired. Scroll down.

  4. In the RDP Host field, enter the FQDN that resolves to the RDP Proxy listener, which is typically the same as the Citrix Gateway appliance’s FQDN.

  5. Near the bottom is a Pre Shared Key. Enter a password and click OK. You’ll need this later.

  6. Give the Server Profile a name.

  7. Enter the IP address of the Gateway Virtual Server you’re going to bind this to.

  8. Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.

  9. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand Citrix Gateway, expand Resources, and click Bookmarks.

  10. On the right, click Add.

  11. Give the Bookmark a name.

  12. For the URL, enter rdp://MyRDPServer using IP or DNS.

  13. Check the box next to Use Citrix Gateway As a Reverse Proxy and click Create.

  14. Create more bookmarks as desired.

  15. Create or edit a session profile or policy.

  16. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.

  17. On the Remote Desktop tab, select the RDP Client Profile you created earlier.

  18. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.

  19. On the Published Applications tab, make sure ICA Proxy is OFF.

  20. Modify or Create your Gateway Virtual Server.

  21. In the Basic Settings section, click More.

  22. Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.

  23. Scroll down. Make sure ICA Only is not checked.

  24. Bind a certificate.

  25. Bind authentication policies.

  26. Bind the session policy/profile that has the RDP Client Profile configured.

  27. You can bind Bookmarks to either the Citrix Gateway virtual server or to an AAA group. To bind to the Citrix Gateway virtual server, on the right, in the Advanced Settings section, click Published Applications.

  28. On the left, in the Published Applications section, click No Url.

  29. Bind your Bookmarks.

  30. Since ICA Only is not specified for this Citrix Gateway virtual server, make sure your Citrix Gateway Universal licenses are configured correctly. On the left, expand Citrix Gateway and click Global Settings.

  31. On the right, click Change authentication AAA settings.

  32. Change the Maximum Number of Users to your licensed limit.

  33. If you want to connect to RDP servers by using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).

  34. If you want to use short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).

  35. Connect to your Gateway and log on.

  36. If you configured Bookmarks, click the Bookmark.

  37. You can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).

  38. Open the downloaded .rdp file.

  39. You can view the currently connected users by going to Citrix Gateway Policies > RDP. On the right is the Connections tab.