A really cool feature which was introduced in NetScaler 11 is the RDP Proxy feature.
A use case I see very often is a company that, for example, has external consultants who need secure access to an internal RDS Session Host server in order to support a specific business environment.
This scenario eliminates the need of having distributed VPN Clients and/or firewall rules to manage the RDP traffic.
Requirements for RDP Proxy:
- NetScaler Enterprise or Platinum license
- NetScaler Gateway Universal License for each user
- 1000 CCU are included in Enterprise edition (Minimum NS 11.1.49.16 required for 1000 included CCU license)
- CCU in Platinum is NOT required – no license limit (Minimum NS 11.1.49.16 required for unlimited license for CCU)
Fig. 1 – Basic Overview
This allows us to “publish” RDP links from our NetScaler Access Portal, providing access to an internally hosted RDS Session Host.
When a client (typically Windows or Mac) launches an RDP shortcut from our NetScaler Portal, an RDP connection is made from the client to NetScaler Gateway, tunneling RDP inside SSL on 443; from NetScaler Gateway a backend connection on RDP 3389 is made towards the RDP Session Host, e.g. Windows Server 2012 R2 / 2016 / 2008 R2.
Note that this is NOT a replacement of the Microsoft RDS Session Broker functionality with delivery of Windows Remote Apps. We “only” Publish a Full Desktop to our end-users in this case.
Configuration Guideline – RDP Proxy
Make sure the feature is enabled:
```
enable ns feature RDPProxy
```
Create RDP Client Profile:
```
add rdp clientprofile RDP-Client-Profile -redirectDrives ENABLE -rdpFileName app.rdp -rdpHost "NetScaler Gateway FQDN"
```
Consider the following in the RDP Client Profile:
Create session policy and bind RDP Client profile:
```
add vpn sessionAction sprof-rdp-default -defaultAuthorizationAction DENY -SSO ON -ssoCredential PRIMARY -icaProxy OFF -rdpClientProfileName RDP-Client-Profile
add vpn sessionPolicy spol-default ns_true sprof-rdp-default
```
Use an AAA group to control access upon group membership:
Remember that this name needs to match the exact group name in Active Directory; furthermore, the NetScaler LDAP policy needs to do LDAP group extraction.
```
add aaa group RDP-Access
```
Add RDP Bookmarks/URLs:
```
add vpn url "RDP APPSRV01" "RDP AppServer01" "rdp://appserver01.demo.local" -clientlessAccess ON -iconURL "/logon/RDP.ico"
add vpn url "RDP APPSRV02" "RDP APPSRV02" "rdp://appserver02.demo.local" -clientlessAccess ON -iconURL "/logon/RDP.ico"
```
Bind RDP Bookmarks to AAA Group or NetScaler Gateway:
```
bind aaa group RDP-Access -urlName "RDP APPSRV01"
bind aaa group RDP-Access -urlName "RDP APPSRV02"
bind vpn vserver nsg_login.demosite.dk -urlName "RDP APPSRV01"
```
Set DENY as default authorization rule:
Note: this is a global parameter – be cautious doing this in an already established production environment!
```
set tm sessionParameter -defaultAuthorizationAction DENY
```
Create authorization rule – remember to bind this to the AAA Group:
```
add authorization policy allow_http_appsrv01 "REQ.IP.DESTIP == 192.168.0.111 && REQ.TCP.DESTPORT == 3389" ALLOW
```
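Because the bookmarks are keyed by hostname while the authorization rules are keyed by destination IP and port, it is easy to end up with a published RDP link that has no matching ALLOW rule, or with an ALLOW rule that is wider than TCP/3389. The following audit script is an added example, not part of the original post or of NetScaler; it runs over a constructed ns.conf excerpt modelled on the commands above and assumes a hand-maintained hostname-to-IP mapping (in production you would resolve that from DNS or a CMDB).

```python
import shlex

# Constructed ns.conf excerpt modelled on this post's commands (not a real config dump).
# The appsrv02 ALLOW rule is deliberately missing the port restriction.
NS_CONF = """
set tm sessionParameter -defaultAuthorizationAction DENY
add vpn url "RDP APPSRV01" "RDP AppServer01" "rdp://appserver01.demo.local" -clientlessAccess ON -iconURL "/logon/RDP.ico"
add vpn url "RDP APPSRV02" "RDP APPSRV02" "rdp://appserver02.demo.local" -clientlessAccess ON -iconURL "/logon/RDP.ico"
add authorization policy allow_http_appsrv01 "REQ.IP.DESTIP == 192.168.0.111 && REQ.TCP.DESTPORT == 3389" ALLOW
add authorization policy allow_any_appsrv02 "REQ.IP.DESTIP == 192.168.0.112" ALLOW
"""

# Assumed (constructed) hostname-to-IP mapping for the published RDP hosts.
HOST_IPS = {"appserver01.demo.local": "192.168.0.111",
            "appserver02.demo.local": "192.168.0.112"}

RDP_PORT = "REQ.TCP.DESTPORT == 3389"


def audit_rdp_proxy(conf, host_ips):
    """Return a list of findings; an empty list means the least-privilege invariants hold."""
    findings, bookmarks, allows, global_deny = [], [], [], False
    for raw in conf.strip().splitlines():
        tok = shlex.split(raw)  # keeps quoted expressions such as "... && ..." as one token
        if not tok:
            continue
        if tok[:3] == ["set", "tm", "sessionParameter"] and "-defaultAuthorizationAction" in tok:
            global_deny = tok[tok.index("-defaultAuthorizationAction") + 1].upper() == "DENY"
        elif tok[:3] == ["add", "vpn", "url"] and tok[5].startswith("rdp://"):
            bookmarks.append(tok[5][len("rdp://"):])          # hostname of the published RDP link
        elif tok[:3] == ["add", "authorization", "policy"] and tok[-1].upper() == "ALLOW":
            allows.append((tok[3], tok[4]))                    # (policy name, expression)
    if not global_deny:
        findings.append("default authorization action is not DENY")
    for name, expr in allows:
        if RDP_PORT not in expr:
            findings.append(f"{name}: ALLOW rule is not restricted to TCP/3389")
    for host in bookmarks:
        ip = host_ips.get(host)
        covered = ip and any(f"REQ.IP.DESTIP == {ip}" in e and RDP_PORT in e for _, e in allows)
        if not covered:
            findings.append(f"{host}: no ALLOW rule for {ip or 'unknown IP'} on TCP/3389")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_proxy(NS_CONF, HOST_IPS) or ["OK: every published RDP host has a 3389-only ALLOW rule"]:
        print(finding)
```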
Optional – deactivate SSO for a specific RDP server, e.g. a non-domain-joined server, or an RDP server in another AD domain that NetScaler is not authenticating against:
```
add vpn trafficAction traf-prof-disable-sso-rdp http -SSO OFF
add vpn trafficPolicy traf-pol-disable-sso-rdp "REQ.HTTP.URL CONTAINS /rdpproxy/appserver01.demo.local" traf-prof-disable-sso-rdp
```
Bind the traffic policy to AAA Group or NetScaler Gateway Virtual Server.