NetScaler 12.1 RDP Connection Redirection


Hey folks,

Is it just me who is confused by the edocs about the new RDP feature "RDP Connection Redirection", so that it is now possible to use RDP Proxy with Session Hosts which are members of an RDP Collection of an RD Connection Broker at NetScaler 12.1?

See https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-redirection.html

I had RDP Proxy up and running at NS 12.0; in this version you don't need any RDP Server Profiles.

According to the docs, you have to create an RDP Server Profile because of the new option "RDP Redirection".

Now I am confused about which IP address I should use for the "RDP IP". I tried EVERYTHING (internal FQDN NSGW, external FQDN NSGW, VIP of my NSGW, VIP of my CS vServer, IP of my Broker, IP of a Session Host, ...) and created several RDP Server Profiles, which I bound to my NSGW and to my NSGW_NA, which is behind a CS vServer (Unified Gateway).

I also researched the following sentence from the docs:

- RDP Proxy feature is supported only with token-based redirection supporting IP cookies. IP-based routing tokens “msts=” are handed back by Windows session broker or Connection broker when “Use IP Address Redirection” functionality is disabled.

->> So I disabled the usage of IP Address Redirection following these articles; then it should automatically use the token-based redirection:

http://www.jasonfilley.com/rdpcookies.html

https://support.citrix.com/article/CTX225499

But there were no changes after I set the GPO. No RDP connection is working. If I unbind the RDP Server Profile under my NSGW, everything works again (if I remove my Session Hosts from my Broker... :) ). So I am back at my "old" environment with NS 12.0. But my goal is to use this new feature so that LAN users can connect via RDP through my Broker and WAN users can also connect through my Broker via NSGW RDP Proxy.

Has anybody here tried the new feature too and understands how this should really work? I think the CTX doc is described in a very "small" way.

Thanks and Best Regards

Julian
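The IP-based routing token ("msts=") named in the docs sentence quoted above, as an added example that is not part of the original post: a small decoder for checking, in a captured connection request, whether the broker handed back a routing token and which session host it points to. It assumes Microsoft's published routing token layout (IP and port written as decimal numbers of the byte-swapped values); the sample cookies are constructed.

```python
import ipaddress
import re

# "Cookie: msts=<ip>.<port>.<reserved>" is the IP-based routing token;
# "Cookie: mstshash=<user>" is the plain username cookie and names no target.
TOKEN_RE = re.compile(rb"Cookie: msts=(\d+)\.(\d+)\.(\d+)")
HASH_RE = re.compile(rb"Cookie: mstshash=([^\r\n]+)")


def decode_routing_token(data: bytes):
    """Return (ip, port) from an msts= token in data, or None if absent."""
    m = TOKEN_RE.search(data)
    if m is None:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        raise ValueError("routing token field out of range")
    # Each field is the network-order bytes read as a little-endian integer.
    ip = ipaddress.IPv4Address(ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return str(ip), port


def encode_routing_token(ip: str, port: int) -> bytes:
    """Build the cookie line a broker would hand back for ip:port."""
    ip_num = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_num = int.from_bytes(port.to_bytes(2, "big"), "little")
    return b"Cookie: msts=%d.%d.0000\r\n" % (ip_num, port_num)


def classify(data: bytes) -> str:
    """Label the cookie found in an RDP connection request."""
    target = decode_routing_token(data)
    if target:
        return "routing token -> %s:%d" % target
    m = HASH_RE.search(data)
    if m:
        user = m.group(1).decode("ascii", "replace")
        return "username cookie (%s), no routing token" % user
    return "no cookie"


# Constructed samples: the cookie line as it appears in the request.
SAMPLES = [encode_routing_token("192.0.2.21", 3389),
           b"Cookie: mstshash=jdoe\r\n", b""]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```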

  • 2 weeks later...
  • 2 weeks later...
  • 2 months later...

Has anyone got this feature to work? I'm in the same boat as Julian: if I load balance my RDP servers using just NetScaler (no RD Connection Broker), things work fine, but if I add in an RD Connection Broker with redirection, then connections fail 50% of the time.

For me I have the following config:

2 x RD Web Access servers for internal access (load balanced by NetScaler)

2 x RD Connection Brokers

15 x RD Session Hosts

2 x NetScaler Enterprise Edition in H/A with a Gateway configured and RDP Proxy feature enabled

Internal users access direct without issue via the RD Connection Broker.

External users connect via NetScaler Gateway with an RDP client profile.

Like Julian, I have tried with and without an RDP server profile applied (both with and without connection redirection enabled), and also both with and without token-based redirection enabled (as per the links above).

Ian

  • 1 month later...

I finally got this working. A server profile is required since that's where the Redirection box is located. SSO is also required.

RDP IP in the RDP server profile should be the IP of the vserver.

Use a preshared key and enable Redirection.

In the RDP client profile, RDP Host is the FQDN of the vserver. I also filled in the RDP Listener field with ip:port of the vserver, and the preshared key.

In the session profile, click the box for Single Sign-on to Web Applications. This is located right after the AlwaysON Profile Name.

Donna

  • 2 weeks later...
On 22.10.2018 at 3:38 PM, donna weber1709153480 said:

I finally got this working. A server profile is required since that's where the Redirection box is located. SSO is also required.

RDP IP in the RDP server profile should be the IP of the vserver.

Use a preshared key and enable Redirection.

In the RDP client profile, RDP Host is the FQDN of the vserver. I also filled in the RDP Listener field with ip:port of the vserver, and the preshared key.

In the session profile, click the box for Single Sign-on to Web Applications. This is located right after the AlwaysON Profile Name.

Donna

Hi Donna,

Thanks for your info and update. I'm still a little bit confused. Which vServer do you mean? An RDP vServer which includes all of your RDP Session Hosts (for load balancing), or that of your RDP Session Broker? I've got an RDP Farm with many Session Hosts and two Brokers.

Thanks and Regards

Julian

Ok, let me back up a bit. I was answering the specific questions in the original post, but let me give a rundown of what is needed. We have a virtual server just for the RDP proxy/redirection, but that may not be the case for you.

Here are the steps for setting this up. I'm not going to list each field, since most of it hasn't changed from previous versions.

1. Create RDP profiles for server and client under NetScaler Gateway\Policies\RDP. For the server profile: in 12.1 you do need the server profile. The RDP IP field is the IP address of the virtual server where you are configuring RDP proxy. We used port 3389 (on the backend this is from SNIP to RDS servers). PreShared key is required. RDP redirection must be enabled. For the client profile, set whatever is needed for clipboard, drives, etc. RDP Host is the FQDN of the virtual server where RDP proxy will be used. RDP Listener is the ip address:port of the virtual server and the port being used for RDP. Enter the preshared key.

2. Create the session policy and profile under NetScaler Gateway\Policies\Session. In the profile, the settings are the same as in previous versions. In the Client Experience tab, you just need to make sure you check the box by Single Sign-on to Web Applications, which is right under the AlwaysON Profile Name field. No changes from previous versions for the Security tab or Published Apps tab. In the Remote Desktop tab, add your RDP Client profile created previously. Create your session policy.

3. Create your bookmark for the RDS collection under NetScaler Gateway\Resources\Bookmarks. In the Bookmark field, enter the IP of your Connection Broker in the format rdp://ip.of.connection.broker. There's no need to do the load balancing on the NetScaler since the RDS collection is already load balanced. At least we let the RDS collection/connection broker do its thing and we only pointed to it. Check the box to Use NetScaler Gateway As a Reverse Proxy.

4. In our case, I set up a new virtual server specifically for RDP Proxy. Create it as you normally would. Add the RDP Server Profile. Add your SSL certificate, authentication, etc. On Published Applications, click No URL, select the Bookmark created earlier and bind it. Bind the session policy.
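A consistency check for the field relationships listed in the steps above (RDP IP equals the vserver IP, redirection enabled, RDP Listener equals vserver ip:port, matching preshared key, single sign-on on), as an added example that is not from the post or from Citrix. The object names, addresses and key are constructed, and the command and parameter spellings are assumptions to compare against your own configuration.

```python
import shlex

# Constructed commands; parameter spellings are assumed, not verified here.
SAMPLE = """\
add rdp serverprofile rdp_srv -rdpIP 192.0.2.10 -rdpPort 3389 -psk DUMMY -rdpRedirection ENABLE
add rdp clientprofile rdp_cli -rdpHost rdp.example.com -rdpListener 192.0.2.10:3389 -psk DUMMY
add vpn sessionAction rdp_sess -SSO ON -rdpClientProfileName rdp_cli
add vpn vserver gw_rdp SSL 192.0.2.10 443 -rdpServerProfileName rdp_srv
"""

def parse(conf):
    """Return {(kind, name): {"_pos": [...], flag: value}} for 'add' lines."""
    objs = {}
    for tok in map(shlex.split, conf.splitlines()):
        if len(tok) < 4 or tok[0] != "add":
            continue
        opts, rest = {"_pos": []}, tok[4:]
        while rest:
            key = rest.pop(0)
            if not key.startswith("-"):
                opts["_pos"].append(key)
            else:  # a flag takes the next token unless that is a flag too
                has_val = bool(rest) and not rest[0].startswith("-")
                opts[key[1:].lower()] = rest.pop(0) if has_val else ""
        objs[(f"{tok[1]} {tok[2]}".lower(), tok[3])] = opts
    return objs

def check(conf, vserver):
    """List deviations from the setup described in the steps above."""
    o = parse(conf)
    vs = o.get(("vpn vserver", vserver), {"_pos": []})
    srv = o.get(("rdp serverprofile", vs.get("rdpserverprofilename")))
    if len(vs["_pos"]) < 2 or srv is None:
        return ["vserver or its RDP server profile not found"]
    vip, out = vs["_pos"][1], []
    if srv.get("rdpredirection", "").upper() != "ENABLE":
        out.append("server profile: redirection not enabled")
    if srv.get("rdpip") != vip:
        out.append("server profile: RDP IP is not the vserver IP")
    for (kind, name), act in o.items():
        if kind == "vpn sessionaction" and "rdpclientprofilename" in act:
            cli = o.get(("rdp clientprofile", act["rdpclientprofilename"]), {})
            if act.get("sso", "").upper() != "ON":
                out.append(f"{name}: single sign-on is off")
            if cli.get("rdplistener") != f"{vip}:{srv.get('rdpport')}":
                out.append(f"{name}: RDP Listener is not vserver ip:port")
            if not srv.get("psk") or cli.get("psk") != srv["psk"]:
                out.append(f"{name}: preshared key missing or different")
    return out
```

The key comparison only works on commands as typed; a saved configuration may hold the key in encrypted form.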

  • 7 months later...
On 5.11.2018 at 9:56 AM, Morten Kallesøe said:

Hey Donna,

Thanks for the screenshots. I've got a last clarifying question:

The RDP bookmarks that are shown on the portal page, are they controlled on NetScaler or the RDP session broker? (I am unsure of the naming and which function they serve in RDP land.)

Morten

Yeah I'm sorry Donna but till today it's not clear how this setup should work as Citrix doesn't update their description in https://docs.citrix.com/en-us/citrix-gateway/12-1/rdp-proxy/rdp-redirection.html 
