NetScaler Gateway = RD Gateway

NetScaler Gateway = RDP Proxy

3 months ago I was involved in a project where a customer needed to give access to external people who are not part of the corporate Active Directory domain. So they built a small domain in the DMZ and placed an RDSH server in the DMZ to give these people access. Another requirement was two-factor authentication via a one-time password solution.

Of course we can build a full-blown RDS environment including RD Web Access and RD Gateway, but this is way too complicated for this number of users who only log in occasionally. Since NetScaler 10.5 it is possible to place NetScaler Gateway in front of RDS to act as a proxy, so the RDS hosts are not exposed directly on TCP 3389.

In the past several people like Carl Stalhood and Kenny Baldwin have already created a blog post on this topic. In this blog post I will show you the user experience and how to configure RDP Proxy.

Firmware

Since NetScaler 10.5 you are able to enable RDP Proxy per NetScaler Gateway virtual server. However, on 10.5 you needed to install a specific enhancement build to get this function. Since NetScaler 11.0 RDP Proxy is directly available.

Licensing

To enable this feature you need a NetScaler Enterprise or NetScaler Platinum platform license, or, if you are running NetScaler Standard, an RDP Proxy-only add-on license that enables this feature on NetScaler Standard.

Since this is not an ICA Proxy option you will also need a NetScaler Universal license per concurrent user. Keep in mind that each NetScaler configuration includes 5 Universal licenses for free; if you expect more than 5 concurrent users you will need to order additional Universal licenses.

Getting Started

Before building the configuration we have to enable the RDP Proxy feature.

Enable RDP Proxy

batch Command (only available in NS 11.0): enable feature RDPProxy

RDP Client Profile

Next we have to create an RDP Client Profile. In this client profile we specify the RDP settings, the same settings you would specify when setting up an RDP connection or when you open an .rdp file in a text editor.

> Client Profiles are located at NetScaler Gateway > Policies > RDP > Client Profiles

RDP Client Profile

Since NetScaler 11.0 configuring a Pre Shared Key is mandatory!

batch Command: add rdp clientprofile rds_prof_client -rdpUrlOverride DISABLE -redirectClipboard DISABLE -redirectPrinters DISABLE -keyboardHook OnRemote -videoPlaybackMode DISABLE -addUserNameInRdpFile YES -rdpFileName launch.rdp -rdpHost rdp.antonvanpelt.com
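The client profile above controls what ends up in the launch.rdp file the user downloads (clipboard and printer redirection disabled, keyboard hook on the remote side, user name included). A quick way to verify that a downloaded file really reflects the profile is to parse it. The .rdp format is plain text with one `name:type:value` entry per line, where the type is `s` (string), `i` (integer) or `b` (binary). The following parser and check are an added example, not code from the blog post or from Citrix; the sample file is constructed for the example, and the mapping of NetScaler options to .rdp keys (`redirectClipboard` to `redirectclipboard`, `redirectPrinters` to `redirectprinters`, `keyboardHook OnRemote` to `keyboardhook:i:1`) is an assumption about mstsc's key names, not something the page states.

```python
import re

# Constructed sample in the shape of an RDP launch file (not a file captured from a NetScaler).
# Note that clipboard redirection is still on here, which the check below must flag.
SAMPLE_RDP = """full address:s:192.168.10.20:3389
username:s:demo.user
redirectclipboard:i:1
redirectprinters:i:0
redirectdrives:i:0
keyboardhook:i:1
videoplaybackmode:i:0
"""

# Each line is name:type:value. The value may itself contain colons (e.g. host:port),
# so split on at most two separators.
_LINE = re.compile(r"^(?P<name>[^:]+):(?P<kind>[sib]):(?P<value>.*)$")


def parse_rdp(text):
    """Return a dict of lowercase setting name -> value (ints converted) for an .rdp file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        value = m.group("value")
        if m.group("kind") == "i":
            value = int(value)
        settings[m.group("name").lower()] = value
    return settings


# .rdp key -> NetScaler client profile option it corresponds to (assumed mapping).
# These are the options the blog post's profile sets to DISABLE.
DISABLED_REDIRECTIONS = {
    "redirectclipboard": "redirectClipboard",
    "redirectprinters": "redirectPrinters",
}


def check_redirections(settings, expect_disabled=DISABLED_REDIRECTIONS):
    """Return the profile options whose redirection is still enabled in the parsed file.

    A key that is missing from the file is treated as enabled (mstsc falls back to its
    own defaults, so a missing key is not proof that redirection is off).
    """
    violations = []
    for rdp_key, profile_option in expect_disabled.items():
        if settings.get(rdp_key, 1) != 0:
            violations.append(profile_option)
    return violations


def keyboard_hook_on_remote(settings):
    """True when keyboardhook:i:1 is present (assumed to correspond to keyboardHook OnRemote)."""
    return settings.get("keyboardhook") == 1


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    print("target:", parsed["full address"])
    print("redirection still enabled for:", check_redirections(parsed))
    print("keyboard hook on remote:", keyboard_hook_on_remote(parsed))
```

Running the block against the constructed sample reports that `redirectClipboard` is still enabled, which is exactly the kind of drift between profile and delivered file you would want to catch before handing the gateway to external users.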

RDP Server Profile

After the client profile we have to create a Server Profile. The Server Profile contains details about the NetScaler Gateway virtual server that will offer the RDP Proxy, including the mandatory pre-shared key.

> Server Profiles are located at NetScaler Gateway > Policies > RDP > Server Profiles

RDP Server Profile

batch Command: add rdp serverprofile rds_prof_server_myrdpproxy -rdpIP 192.168.10.10 -psk bd43edb280d3792dbfae144a8320ee0538a23467897694d6361e27091b45679e -encrypted -encryptmethod ENCMTHD_3

Session Profile

As for every NetScaler Gateway we have to create a session profile and policy. In this profile we specify the RDP Client Profile, disable ICA Proxy mode and enable Clientless VPN.

>  Session Profiles are located at NetScaler Gateway > Policies > Session > Session Profiles

NSG Session Profile

batch Command: add vpn sessionAction vpn_ses_act_rds -splitTunnel OFF -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -rdpClientProfileName rds_prof_client

Session Policy

We now create the session policy. Keep in mind that we can bind session policies to AAA groups and so link users to different RDP servers.

>  Session Policies are located at NetScaler Gateway > Policies > Session > Session Policies

NSG session policy

batch Command: add vpn sessionPolicy vpn_ses_pol_rds ns_true vpn_ses_act_rds

RDP Proxy virtual server

In this scenario we will build a separate virtual server with a separate FQDN, like rds.antonvanpelt.com, to offer RDP to the clients. Therefore we have to create a new NetScaler Gateway virtual server and bind the SSL certificate, RDP Server Profile, authentication policies and session policies.

NetScaler Gateway
Note that we can also offer two-factor authentication for this NetScaler Gateway VIP.

batch Command: add vpn vserver vpn_vserver_rdp.antonvanpelt.com SSL 10.10.1.34 443 -downStateFlush DISABLED -Listenpolicy NONE -rdpServerProfileName rds_prof_server_myrdpproxy
batch Command: bind vpn vserver vpn_vserver_rdp.antonvanpelt.com -policy vpn_ses_pol_rds -priority 100

Default Access Scenario

The default access scenario is that, after you authenticate successfully at the NetScaler Gateway logon page, you have to type in a URL yourself to download the RDP file.

Default Access Scenario

Optimized access scenario via clientless access

A better access scenario is to create a clientless access page that presents bookmarks to the RDP server(s). This can be done via NetScaler Gateway bookmarks. This means that RDP connections can be started the same way a regular XenApp published app or desktop is started.

>  Bookmarks are located at NetScaler Gateway > Resources > Bookmarks

NSG Bookmark

batch Command: add vpn url url_rds_server_1 "RDP 1" "rdp://192.168.10.20" -clientlessAccess ON -iconURL "/logon/Remote_desktop_connection_icon.PNG"

Make sure to bind this URL / Bookmark to either the NetScaler Gateway virtual server or the AAA group.

bind bookmark

batch Command: bind vpn vserver vpn_vserver_rdp.antonvanpelt.com -urlName url_rds_server_1
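All the batch commands above, from enabling the feature through binding the bookmark, form one configuration, and the easiest mistake to make when typing them is a name that does not line up (a session action referring to a client profile that was never added, or a bind against a virtual server whose name differs by one character). The following script is an added example, not code from the blog post or from Citrix: it assembles the page's commands into a batch file with consistent names, generates a fresh 64-character hex pre-shared key for the server profile, and checks that every name referenced by a later command was defined by an earlier one. The `-encrypted -encryptmethod ENCMTHD_3` flags seen on the page's serverprofile line belong to an already-saved configuration and are left out here, so a plaintext key is entered. The FQDN, VIP and host values passed in at the bottom are placeholders.

```python
import re
import secrets

# Names reused from the blog post's commands; only the vserver name depends on the FQDN.
NAMES = {
    "client": "rds_prof_client",
    "server": "rds_prof_server_myrdpproxy",
    "action": "vpn_ses_act_rds",
    "policy": "vpn_ses_pol_rds",
}


def generate_psk():
    """32 random bytes rendered as 64 hex characters, the same shape as the key on the page."""
    return secrets.token_hex(32)


def build_rdp_proxy_batch(fqdn, vip, rdp_ip, rdp_host, bookmarks, psk=None, default_authz="ALLOW"):
    """Return the NetScaler batch commands for an RDP Proxy gateway as a list of lines.

    bookmarks: list of (label, target) tuples, one 'add vpn url' + bind per entry.
    default_authz: ALLOW as on the page; DENY plus per-group authorization policies is the
    tighter option raised in the comments.
    """
    psk = psk or generate_psk()
    if not re.fullmatch(r"[0-9a-f]{64}", psk):
        raise ValueError("psk must be 64 lowercase hex characters")
    vserver = f"vpn_vserver_{fqdn}"
    lines = [
        "enable feature RDPProxy",
        f"add rdp clientprofile {NAMES['client']} -rdpUrlOverride DISABLE -redirectClipboard DISABLE "
        f"-redirectPrinters DISABLE -keyboardHook OnRemote -videoPlaybackMode DISABLE "
        f"-addUserNameInRdpFile YES -rdpFileName launch.rdp -rdpHost {rdp_host}",
        f"add rdp serverprofile {NAMES['server']} -rdpIP {rdp_ip} -psk {psk}",
        f"add vpn sessionAction {NAMES['action']} -splitTunnel OFF "
        f"-defaultAuthorizationAction {default_authz} -clientlessVpnMode ON "
        f"-rdpClientProfileName {NAMES['client']}",
        f"add vpn sessionPolicy {NAMES['policy']} ns_true {NAMES['action']}",
        f"add vpn vserver {vserver} SSL {vip} 443 -downStateFlush DISABLED -Listenpolicy NONE "
        f"-rdpServerProfileName {NAMES['server']}",
        f"bind vpn vserver {vserver} -policy {NAMES['policy']} -priority 100",
    ]
    for i, (label, target) in enumerate(bookmarks, 1):
        url_name = f"url_rds_server_{i}"
        lines.append(
            f'add vpn url {url_name} "{label}" "rdp://{target}" -clientlessAccess ON '
            f'-iconURL "/logon/Remote_desktop_connection_icon.PNG"'
        )
        lines.append(f"bind vpn vserver {vserver} -urlName {url_name}")
    return lines


# Objects that define a name, and the flags (or positions) that reference one.
_DEFINES = re.compile(
    r"^add (rdp clientprofile|rdp serverprofile|vpn sessionAction|vpn sessionPolicy|vpn vserver|vpn url) (\S+)"
)
_REFERENCES = re.compile(r"(?<!\S)-(rdpClientProfileName|rdpServerProfileName|policy|urlName)\s+(\S+)")


def check_references(lines):
    """Return every referenced object name that no earlier line in the batch defined."""
    defined, missing = set(), []
    for line in lines:
        m = _DEFINES.match(line)
        if m:
            defined.add(m.group(2))
        if line.startswith("add vpn sessionPolicy"):
            # sessionPolicy <name> <rule> <action>: the action is referenced positionally
            action = line.split()[-1]
            if action not in defined:
                missing.append(action)
        for _, ref in _REFERENCES.findall(line):
            if ref not in defined:
                missing.append(ref)
        if line.startswith("bind vpn vserver"):
            vserver = line.split()[3]
            if vserver not in defined:
                missing.append(vserver)
    return missing


if __name__ == "__main__":
    # Placeholder values; replace with your own FQDN, VIP, RDP host and RDSH targets.
    batch = build_rdp_proxy_batch(
        fqdn="rdp.example.test", vip="10.10.1.34", rdp_ip="192.168.10.10",
        rdp_host="rdp.example.test", bookmarks=[("RDP 1", "192.168.10.20")],
    )
    print("\n".join(batch))
    print("unresolved references:", check_references(batch))
```

Feeding the checker two lines that imitate the page's original mismatch (a virtual server added as `vpn_vserver_...` and a bookmark bound to `vpn_vs_...`) reports the misspelled virtual server and the bookmark as unresolved, which is what you want to see before running the batch on a gateway that external users will rely on.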

This will result in the following clientless access scenario:

RDP Proxy Clientless Access

Unified Gateway

You can also offer RDP Proxy via a Unified Gateway virtual server, where RDP is available alongside all other SaaS and ICA Proxy applications. In this case the NetScaler Gateway virtual server that offers RDP Proxy does not need its own IP address, because it is part of the Unified Gateway virtual server that has the IP address and is publicly available.

Conclusion

In this blog post I tried to show you what is possible with the RDP Proxy functionality in NetScaler today. Because it is NetScaler Gateway we can require two-factor authentication based on RADIUS or SAML, etc. Although it is limited, you can now offer a secure desktop via RDP. Hopefully there will be RD Broker support soon. Special thanks to Henry Heres @hereshenry for sharing his experiences on this topic.

5 thoughts on “NetScaler Gateway = RD Gateway”

  1. Tobias K, Jan 12, 2016 4:47 pm

    Very nice write-up, Anton! Many thanks for sharing.

  2. Alex D, Jan 15, 2016 10:29 pm

    Thanks for sharing!

    Any possibility for use RDP-Proxy with VPX Express license?

  3. John M, Feb 14, 2016 3:51 pm

    Basically, after a user is authenticated he’s free to connect to any back end RDS Server, provided he knows the name or ip address of that server. Seems like a security flaw to me. Any idea if it’s possible to configure rule sets to avoid this (as you can do with resource publishing and NS Gateway plug-in)? No luck so far with global filter rules or response rules dropping http requests containing ‘rdpproxy’.

  4. Paul Blitz, May 5, 2016 3:47 pm

    There is always the option to set default auth to deny, and use individual auth policies (bound to user or group) just as you would with VPN / Clientless.
