Implementing RDP Proxy

A really cool feature which was introduced in NetScaler 11 is the RDP Proxy feature.
A Use Case I see very often, is a company who e.g. has external consultants that need secure access to an internal RDS Session Host Server in order to support a specific business environment.
This scenario eliminates the need of having distributed VPN Clients and/or firewall rules to manage the RDP traffic.

Requirements for RDP Proxy:

  • NetScaler Enterprise or Platinum license
  • NetScaler Gateway Universal License for each user
    • 1000 CCU are included in Enterprise edition (Minimum NS required for 1000 included CCU license)
    • CCU in Platinum is NOT required – no license limit (Minimum NS required for unlimited license for CCU)

Fig. 1 – Basic Overview


This allows us to “publish” RDP links from our NetScaler Access Portal. Providing access to an internal hosted RDS Session Host.
When a client (Typically Windows or MAC) launches a RDP shortcut from our NetScaler Portal a RDP connection is made from Client to NetScaler Gateway tunneling RDP inside SSL 443, and from NetScaler Gateway a backend connection on RDP 3389 is made towards the RDP Session Host, eg. Windows Server 2012 R2 / 2016 / 2008 R2.

Note that this is NOT a replacement of the Microsoft RDS Session Broker functionality with delivery of Windows Remote Apps. We “only” Publish a Full Desktop to our end-users in this case.

Configuration Guideline – RDP Proxy

Make sure feature is enabled:

Create RDP Client Profile:

Consider following in RDP Client Profile:


Create session policy and bind RDP Client profile:

Use an AAA group to control access upon group membership:

Remember this need to match the exact name as in Active Directory, furthermore NetScaler LDAP policy needs to do LDAP Group Extraction.

Add RDP Bookmarks/URLs:

Bind RDP Bookmarks to AAA Group or NetScaler Gateway:

Set DENY as default authorization rule:

Note. This is a Global Parameter – be cautious doing this in an already established production environment!

Create authorization rule – remember to bind this to the AAA Group:

Optional – deactivate SSO for specific RDP server – eg. on Non-domain joined or if RDP Server is in another AD Domain which NetScaler is not authenticating against:

Bind the traffic policy to AAA Group or NetScaler Gateway Virtual Server.

Leave a Reply

Your email address will not be published. Required fields are marked *