3 months ago I was involved in a project where a customer needed to give access to external people who are not part of the corporate Active Directory domain. So they built a small domain in the DMZ and placed an RDSH server in the DMZ to give access to these people. Another requirement was two-factor authentication via a one-time password solution.
Of course we could build a full-blown RDS environment including RD Web Access and RD Gateway, but that is far too complicated for this small number of users who log in only occasionally. Since NetScaler 10.5 it is possible to place NetScaler Gateway in front of RDS as an RDP proxy: the user authenticates at the Gateway over SSL, downloads an .rdp file that points at the NetScaler's own RDP listener and carries a short-lived ticket, and the NetScaler opens the RDP connection to the RDSH server on the user's behalf. The RDSH server's TCP 3389 is therefore never exposed directly to the client.
Since NetScaler 10.5 you are able to enable RDP Proxy per NetScaler Gateway virtual server; in 10.5, however, you needed a specific enhancement build for it. Since NetScaler 11.0 RDP Proxy is available in the regular release.
To enable this feature you need a NetScaler Enterprise or NetScaler Platinum platform license. If you are running NetScaler Standard there is an RDP Proxy add-on license that enables the feature on that edition.
Since this is not ICA Proxy you also need a NetScaler Universal license per concurrent user. Keep in mind that every NetScaler Gateway comes with 5 Universal licenses for free; if you expect more than 5 concurrent users you will need to order additional Universal licenses.
Before building the configuration we have to enable the RDP Proxy feature.
batch Command (NetScaler 11.0 and later): enable feature RDPProxy
RDP Client Profile
Next we have to create an RDP Client Profile. The client profile holds the RDP settings that end up in the .rdp file the user downloads: the same settings you specify when setting up an RDP connection, or see when you open an .rdp file in a text editor. This is also where you decide which redirections (clipboard, printers, drives) the session allows, so disable everything the external users do not need.
> Client Profiles are located at NetScaler Gateway > Policies > RDP > Client Profiles
Since NetScaler 11.0 configuring a Pre Shared Key (PSK) is mandatory. The PSK is set on the RDP Server Profile (see the -psk option in the server profile command below).
batch Command: add rdp clientprofile rds_prof_client -rdpUrlOverride DISABLE -redirectClipboard DISABLE -redirectPrinters DISABLE -keyboardHook OnRemote -videoPlaybackMode DISABLE -addUserNameInRdpFile YES -rdpFileName launch.rdp -rdpHost rdp.antonvanpelt.com
RDP Server Profile
After the client profile we have to create a Server Profile. The server profile contains the IP address (and port, 3389 by default) on which the NetScaler listens for the RDP connections that the clients make from the downloaded .rdp file, plus the Pre Shared Key. Note that the command below was taken from the running configuration, so the PSK appears in its stored, encrypted form with -encrypted -encryptmethod ENCMTHD_3; when you type the command yourself, supply your own plaintext PSK and omit those two options.
> Server Profiles are located at NetScaler Gateway > Policies > RDP > Server Profiles
batch Command: add rdp serverprofile rds_prof_server_myrdpproxy -rdpIP 192.168.10.10 -psk bd43edb280d3792dbfae144a8320ee0538a23467897694d6361e27091b45679e -encrypted -encryptmethod ENCMTHD_3
Session Profile and Policy
As for every NetScaler Gateway we have to create a session profile and session policy. In the session profile we reference the RDP Client Profile, leave ICA Proxy mode off and enable Clientless VPN. Keep in mind that -defaultAuthorizationAction ALLOW, as used below, grants the session access to every intranet resource by default; on a DMZ gateway you would normally set DENY and add authorization policies that allow only what the external users need.
> Session Profiles are located at NetScaler Gateway > Policies > Session > Session Profiles
batch Command: add vpn sessionAction vpn_ses_act_rds -splitTunnel OFF -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rds_prof_client
Now we create the session policy. Keep in mind that session policies can also be bound to AAA groups, which lets you point different groups of users at different RDP servers via different client profiles.
> Session Policies are located at NetScaler Gateway > Policies > Session > Session Policies
batch Command: add vpn sessionPolicy vpn_ses_pol_rds ns_true vpn_ses_act_rds
RDP Proxy virtual server
In this scenario we build a separate virtual server with its own FQDN to offer RDP to the clients, like rdp.antonvanpelt.com (the rdpHost from the client profile). Therefore we have to create a new NetScaler Gateway virtual server and bind the SSL certificate, the RDP Server Profile, the authentication policies and the session policy to it. Only the virtual server creation and the session policy binding are shown below; bind your certificate and authentication policies (for example RADIUS for the one-time password requirement) as for any other Gateway virtual server.
batch Command: add vpn vserver vpn_vserver_rdp.antonvanpelt.com SSL 10.10.1.34 443 -downStateFlush DISABLED -Listenpolicy NONE -rdpServerProfileName rds_prof_server_myrdpproxy
batch Command: bind vpn vserver vpn_vserver_rdp.antonvanpelt.com -policy vpn_ses_pol_rds -priority 100
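As an added example (my own code, not part of the original post and not a Citrix tool), here is a small Python linter that parses NetScaler CLI `add` commands, such as the batch commands above or a `show running config` dump, and flags the settings that matter for a DMZ RDP Proxy: redirections left at their defaults or enabled in the client profile, a missing PSK, a session action without clientless VPN or with defaultAuthorizationAction ALLOW, and profile names that do not resolve. The sample configuration embedded in it is constructed from the commands on this page; the rule set and severities are this example's own choices, not NetScaler's.

```python
"""Lint NetScaler RDP Proxy configuration for risky settings (added example).

Reads NetScaler CLI 'add ...' lines (batch commands or a 'show running config'
dump) and reports findings. The rules below are this example's own choices.
"""
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "severity obj message")

# Client-profile switches that let data leave the RDP session.
REDIRECTS = ("redirectClipboard", "redirectDrives", "redirectPrinters",
             "redirectComPorts", "redirectPnpDevices")

# Constructed from the batch commands on this page (PSK shown as stored, encrypted).
SAMPLE_CONFIG = """\
add rdp clientprofile rds_prof_client -rdpUrlOverride DISABLE -redirectClipboard DISABLE -redirectPrinters DISABLE -keyboardHook OnRemote -videoPlaybackMode DISABLE -addUserNameInRdpFile YES -rdpFileName launch.rdp -rdpHost rdp.antonvanpelt.com
add rdp serverprofile rds_prof_server_myrdpproxy -rdpIP 192.168.10.10 -psk bd43edb280d3792dbfae144a8320ee0538a23467897694d6361e27091b45679e -encrypted -encryptmethod ENCMTHD_3
add vpn sessionAction vpn_ses_act_rds -splitTunnel OFF -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rds_prof_client
add vpn vserver vpn_vserver_rdp.antonvanpelt.com SSL 10.10.1.34 443 -downStateFlush DISABLED -Listenpolicy NONE -rdpServerProfileName rds_prof_server_myrdpproxy
"""


def parse_add_command(line):
    """Turn 'add <type> <subtype> <name> [positional...] [-opt value|-switch]...'
    into (type, name, options). Option names are lower-cased because the
    NetScaler CLI accepts them case-insensitively (-Listenpolicy, -listenPolicy).
    """
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0].lower() != "add":
        return None
    obj_type = f"{tokens[1]} {tokens[2]}".lower()
    name, rest = tokens[3], tokens[4:]
    opts = {"_positional": []}
    i = 0
    while i < len(rest):
        if rest[i].startswith("-"):
            key = rest[i][1:].lower()
            # A switch such as -encrypted has no value: the next token is another option.
            if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                opts[key], i = rest[i + 1], i + 2
            else:
                opts[key], i = True, i + 1
        else:
            opts["_positional"].append(rest[i])
            i += 1
    return obj_type, name, opts


def audit(config_text):
    """Return a list of Finding for the RDP Proxy objects in config_text."""
    objects = {}
    for line in config_text.splitlines():
        parsed = parse_add_command(line.strip())
        if parsed:
            obj_type, name, opts = parsed
            objects.setdefault(obj_type, {})[name] = opts
    cprofs = objects.get("rdp clientprofile", {})
    sprofs = objects.get("rdp serverprofile", {})
    findings = []
    for name, o in cprofs.items():
        for opt in REDIRECTS:
            val = o.get(opt.lower())
            if val is None:
                findings.append(Finding("WARN", name, f"{opt} not set, NetScaler default applies; set it explicitly"))
            elif str(val).upper() == "ENABLE":
                findings.append(Finding("WARN", name, f"{opt} ENABLE lets data leave the session"))
    for name, o in sprofs.items():
        if "psk" not in o:
            findings.append(Finding("ERROR", name, "no -psk; a pre shared key is mandatory since NS 11.0"))
        if "rdpip" not in o:
            findings.append(Finding("ERROR", name, "no -rdpIP; clients have no RDP listener to connect to"))
    for name, o in objects.get("vpn sessionaction", {}).items():
        if str(o.get("clientlessvpnmode", "")).upper() != "ON":
            findings.append(Finding("ERROR", name, "clientlessVpnMode must be ON for RDP Proxy"))
        if str(o.get("icaproxy", "OFF")).upper() == "ON":
            findings.append(Finding("ERROR", name, "icaProxy ON: RDP Proxy needs ICA Proxy off"))
        if str(o.get("defaultauthorizationaction", "DENY")).upper() == "ALLOW":
            findings.append(Finding("WARN", name, "defaultAuthorizationAction ALLOW grants every intranet resource; prefer DENY plus authorization policies"))
        prof = o.get("rdpclientprofilename")
        if prof not in cprofs:
            findings.append(Finding("ERROR", name, f"rdpClientProfileName {prof!r} is not a defined client profile"))
    for name, o in objects.get("vpn vserver", {}).items():
        if not o["_positional"] or o["_positional"][0].upper() != "SSL":
            findings.append(Finding("ERROR", name, "RDP Proxy virtual server must be of type SSL"))
        prof = o.get("rdpserverprofilename")
        if prof not in sprofs:
            findings.append(Finding("ERROR", name, f"rdpServerProfileName {prof!r} is not a defined server profile"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding.severity:5} {finding.obj}: {finding.message}")
```

Run against the configuration from this page it reports no errors and four warnings: the three redirections the client profile does not set explicitly (drives, COM ports, PnP devices) and the ALLOW default authorization action in the session profile. Drop a full `ns.conf` in instead of the sample to check a real box; the linter ignores every line that is not an `add` command.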
Default Access Scenario
The default access scenario is that after a successful logon at the NetScaler Gateway logon page the user has to enter the RDP proxy URL for the target server manually to download the .rdp file; there is no list of servers to choose from.
Optimized access scenario via clientless access
A better access scenario is a clientless access page that presents bookmarks to the RDP server(s). This is done with NetScaler Gateway bookmarks, so an RDP connection is started just like a regular XenApp published app or desktop: the user clicks the bookmark, the Gateway generates the .rdp file and the RDP client launches it.
> Bookmarks are located at NetScaler Gateway > Resources > Bookmarks
batch Command: add vpn url url_rds_server_1 "RDP 1" "rdp://192.168.10.20" -clientlessAccess ON -iconURL "/logon/Remote_desktop_connection_icon.PNG"
Make sure to bind this URL / bookmark to either the NetScaler Gateway virtual server or the AAA group.
batch Command: bind vpn vserver vpn_vserver_rdp.antonvanpelt.com -urlName url_rds_server_1
This results in a clientless access page with one RDP bookmark per server.
You can also offer RDP Proxy via a Unified Gateway virtual server, where RDP is available next to all other SaaS and ICA Proxy applications. In this case the NetScaler Gateway virtual server that offers RDP Proxy does not need its own IP address, because it sits behind the Unified Gateway virtual server that has the publicly available IP address.
In this blog post I tried to show you what is possible with the RDP Proxy functionality in NetScaler today. Because it is NetScaler Gateway we can require two-factor authentication based on RADIUS, SAML etc. Although it is limited, you can now offer a secure desktop via RDP. Hopefully there will be RD Broker support soon. Special thanks to Henry Heres @hereshenry for sharing his experiences on this topic.