How to Quickly and Easily Provide Home Office Workstations (Not Only During the Outbreak of COVID-19)


    by Thomas Preischl, CTA

    Everyone is currently talking about COVID-19. In view of the current rapid spread and the danger of infection, many companies are reacting. They want to protect their employees, customers and partners. The most obvious solution in this case is to provide employees with access to their workplace from home. But how is it possible to do this in a simple and fast way without a comprehensive project or a virtual desktop environment? 

    A simple and very effective way is to give users access via a Citrix ADC that acts as a remote desktop proxy. Such a configuration can be set up within a few hours and offers comprehensive protection and easy administration.

    Configuration on Citrix ADC

    As a prerequisite in my case, I only used a pre-installed and basic Citrix ADC VPX.

    The Citrix ADC must have an ADC Advanced or ADC Premium license. Citrix Gateway Universal licenses are also required for each user; these usually come with ADC Advanced (1,000 licenses) and ADC Premium (unlimited). In addition, the Citrix ADC must be able to reach, via its subnet IP (SNIP), port 3389 (RDP) on every client that is to be addressed from outside later. The NetScaler IP (NSIP) must also be able to reach an Active Directory domain controller on port 636 (LDAPS) or 389 (LDAP). On the clients your users want to connect to, port 3389 (RDP) must be open and RDP must be allowed for those users.

    I have already imported the SSL certificate.

    Before we can start the configuration, let's enable the feature "RDP Proxy." You can find this under: System | Settings | Configure Advanced Features


    I will now first explain the configuration on the Citrix ADC.

    To do this, first select the menu item "Unified Gateway" in the configuration of the Citrix ADC:



    Now we start the configuration with a click on "Get Started."


    Next, we fill in the IP address (VIP) of our Citrix Gateway. This VIP must be reachable from the WAN on port 443, typically through a NAT rule on the perimeter firewall (the port can also be changed here). In addition, we assign a name for our gateway configuration and enter the FQDN. Go on with "Continue."


    In the next step, we choose our SSL certificate. In my case, I have used a Let's Encrypt certificate, which must be renewed every 90 days (but, hey, it's free 😉). If necessary, you can now add one and confirm the whole thing with "Continue."


    Now you can check the chain of the certificate. Ours is fine, so let's move on.


    In the next step, we now enter the Active Directory connection information. I have created a service account for this. This account has only read access to the Active Directory, which is sufficient. With a click on "Test Connection" you can check if the connection works:



    Now we can add a portal theme. Go on to the next step:



    We are not yet adding any applications. Close the wizard with "Continue."



    The base configuration of our Citrix ADC Unified Gateway is now done.



    Add an RDP Profile

    Now we go to the following menu item in the Citrix ADC configuration and add an RDP profile there: Citrix Gateway | Policies | RDP Profiles and Connections | Client Profiles

    The RDP profile should look like this:

    (I have only changed the name of the RDP file that the user downloads later. You can change the other settings as you like.)



    Next we have to adjust our session policy for our Gateway. You can find the gateway under: Citrix Gateway | Citrix Gateway Virtual Servers

    Here, we select "Edit" and jump to the Session Policies.


    Now we edit these according to our requirements.


    Choose your session policy. In our case, only one is set and bound here. Select it and go to "Edit Profile."



    Here, we must first enter our Single Sign-on domain. We do this under "Published Applications." If you don't want to use this, you can leave it out, but then users have to enter their login name as "Domain\Username".

    We will adapt this for our case.



    Then we bind our just-created RDP profile. We do that under "Remote Desktop."




    That's about it.

    Provide fixed RDP Sessions, if necessary.

    If necessary, you can now define fixed RDP destinations using bookmarks. You can do this directly on the Unified Gateway Virtual Server by adding a URL under Published Applications.



    In my case, I'm not doing it. I want my users to be able to enter and establish connections to their office PC themselves.

    How users can add connections and connect from outside.

    Users can now connect externally to the Citrix ADC via the FQDN of the Unified Gateway.

    So, log in with your Username and Password.


    Now choose "Clientless Access."



    On the overview page, users can now enter their own RDP connection using their PC name or IP address. To do this, users must click on the "Add" button in the "Personal Web Sites" area.

    Connections added by the user can be removed later with "Remove."



    The settings for an RDP connection should look as follows. In addition to a name for the RDP connection, the PC name or IP address including port 3389 (for RDP) is entered here. I have added a description. Do not forget to check the box "RDP Link." Then you can create the link with "Add."



    Once we have created the link, we can click on it in the "Personal Web Sites" section and we will be offered an RDP file for download. We can then save it or start it directly.



    Here you can also get the CLI commands for your Citrix ADC:

    #Replace the following
    # < YOUR IPAddress for the Gateway VIP
    #dc=lab,dc=local < YOUR LDAP BIND
    #joe@ad.thomaspreischl.de < Service user for the Citrix ADC LDAP connection
    #login.thomaspreischl.de < YOUR FQDN
    #lab.local < YOUR SSO DOMAIN

    ENABLE NS Feature RDPProxy

    add authentication ldapAction -serverIP -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn joe@ad.thomaspreischl.de -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL

    add cs vserver RemoteGateway SSL 443 -cltTimeout 180 -persistenceType NONE
    add vpn vserver UG_VPN_RemoteGateway SSL -loginOnce ON -Listenpolicy NONE -vserverFqdn login.thomaspreischl.de
    add cs action UG_CSACT_RemoteGateway -targetVserver UG_VPN_RemoteGateway
    add cs policy UG_CSPOL_RemoteGateway -rule is_vpn_url -action UG_CSACT_RemoteGateway
    bind cs vserver RemoteGateway -policyName UG_CSPOL_RemoteGateway -priority 63000

    add vpn sessionAction UG_VPN_SAct_192.168.1.120 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
    add vpn sessionPolicy UG_VPN_SPol_192.168.1.120 true UG_VPN_SAct_192.168.1.120
    add rdp clientprofile RDP -rdpFileName remotePC.rdp

    set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED -dtls1 DISABLED

    bind vpn vserver UG_VPN_RemoteGateway -portaltheme X1
    bind vpn vserver UG_VPN_RemoteGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
    bind vpn vserver UG_VPN_RemoteGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
    bind vpn vserver UG_VPN_RemoteGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
    bind vpn vserver UG_VPN_RemoteGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
    bind vpn vserver UG_VPN_RemoteGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
    bind vpn vserver UG_VPN_RemoteGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
    bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol_192.168.1.120 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST

    bind ssl vserver UG_VPN_RemoteGateway -certkeyName login

    bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_256
    bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_384
    bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_224
    bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_521

    bind ssl vserver RemoteGateway -eccCurveName P_256
    bind ssl vserver RemoteGateway -eccCurveName P_384
    bind ssl vserver RemoteGateway -eccCurveName P_224
    bind ssl vserver RemoteGateway -eccCurveName P_521
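    The settings this configuration relies on for security can be checked mechanically, either before the commands are pasted into the ADC or against an exported ns.conf: the RDP Proxy feature enabled, the LDAP bind running over SSL on port 636 (the LDAPS prerequisite from the start of the article), SSLv3 disabled and TLS 1.3 enabled on the gateway virtual server, the RDP client profile actually bound to the session action, and a certificate bound to the VPN virtual server. The following Python script is an added example written for this article; it is not Citrix code and not the author's. It parses CLI lines of the two-word form used above (`<verb> <feature> <object> [positional ...] [-flag value ...]`) and reports findings. Both embedded configurations are constructed samples: 192.0.2.x addresses, lab.local, ldap-reader@lab.local and gateway.example.com are placeholders, and the weak variant deliberately reproduces the kind of gaps the audit is meant to catch, including a -serverIP with its value left out.

```python
"""Audit Citrix ADC CLI lines for the RDP-proxy hardening points described in
the article. Added example, not Citrix code. Parses the two-word command form
used in the article: <verb> <feature> <object> [positional ...] [-flag value ...]
"""
import shlex
from dataclasses import dataclass


@dataclass
class Command:
    verb: str      # add / set / bind / enable ... (lower-cased)
    entity: str    # two-word object type, lower-cased, e.g. "ssl vserver"
    args: list     # positional arguments: name, protocol, IP, port ...
    opts: dict     # -flag value pairs (flag names lower-cased); a flag with
                   # no value maps to True, which is how an elided value shows up


def parse_line(line):
    """Parse one CLI line; returns None for blank or comment-only lines."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 3:
        return None
    verb = tokens[0].lower()
    entity = f"{tokens[1].lower()} {tokens[2].lower()}"
    args, opts, i = [], {}, 3
    while i < len(tokens) and not tokens[i].startswith("-"):
        args.append(tokens[i])
        i += 1
    while i < len(tokens):
        flag = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            opts[flag] = True          # flag present, value missing
            i += 1
    return Command(verb, entity, args, opts)


def parse_config(text):
    return [c for c in map(parse_line, text.splitlines()) if c]


def _name(c):
    return c.args[0] if c.args else "?"


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cmds = parse_config(text)
    findings = []

    # 1. Without the RDP Proxy feature the gateway serves no RDP at all.
    features = {a.lower() for c in cmds
                if (c.verb, c.entity) == ("enable", "ns feature") for a in c.args}
    if "rdpproxy" not in features:
        findings.append("RDP Proxy feature is not enabled (enable ns feature RDPProxy)")

    profiles = {_name(c) for c in cmds if (c.verb, c.entity) == ("add", "rdp clientprofile")}
    for c in cmds:
        if (c.verb, c.entity) == ("add", "authentication ldapaction"):
            # 2. Directory credentials must travel over LDAPS: secType SSL/TLS on 636.
            if str(c.opts.get("sectype", "PLAINTEXT")).upper() not in ("SSL", "TLS"):
                findings.append(f"ldapAction {_name(c)}: bind is not encrypted (secType should be SSL or TLS)")
            if c.opts.get("serverport") != "636":
                findings.append(f"ldapAction {_name(c)}: serverPort is not 636 (LDAPS)")
            if c.opts.get("serverip") in (None, True):
                findings.append(f"ldapAction {_name(c)}: serverIP has no value")
        elif (c.verb, c.entity) == ("add", "vpn sessionaction"):
            # 3. Without an RDP client profile the portal never offers .rdp downloads.
            prof = c.opts.get("rdpclientprofilename")
            if prof in (None, True):
                findings.append(f"sessionAction {_name(c)}: no RDP client profile bound")
            elif prof not in profiles:
                findings.append(f"sessionAction {_name(c)}: RDP client profile {prof} is not defined")
        elif (c.verb, c.entity) == ("set", "ssl vserver"):
            # 4. Require the explicit protocol settings the article applies rather
            #    than relying on firmware defaults.
            if str(c.opts.get("ssl3", "")).upper() != "DISABLED":
                findings.append(f"ssl vserver {_name(c)}: SSLv3 is not explicitly disabled")
            if str(c.opts.get("tls13", "")).upper() != "ENABLED":
                findings.append(f"ssl vserver {_name(c)}: TLS 1.3 is not enabled")

    # 5. Every VPN virtual server needs a certificate bound, or it will not come up.
    with_cert = {_name(c) for c in cmds
                 if (c.verb, c.entity) == ("bind", "ssl vserver") and "certkeyname" in c.opts}
    for c in cmds:
        if (c.verb, c.entity) == ("add", "vpn vserver") and _name(c) not in with_cert:
            findings.append(f"vpn vserver {_name(c)}: no certificate bound")
    return findings


# Constructed sample mirroring the article's configuration. 192.0.2.x, lab.local,
# ldap-reader@lab.local and gateway.example.com are placeholders, not real values.
HARDENED_CONFIG = """
enable ns feature RDPProxy
add authentication ldapAction LDAP_Act -serverIP 192.0.2.20 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn ldap-reader@lab.local -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL
add cs vserver RemoteGateway SSL 192.0.2.10 443 -cltTimeout 180 -persistenceType NONE
add vpn vserver UG_VPN_RemoteGateway SSL -loginOnce ON -vserverFqdn gateway.example.com
add rdp clientprofile RDP -rdpFileName remotePC.rdp
add vpn sessionAction UG_VPN_SAct -SSO ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
add vpn sessionPolicy UG_VPN_SPol true UG_VPN_SAct
set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED -dtls1 DISABLED
bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol -priority 58000 -gotoPriorityExpression NEXT -type REQUEST
bind ssl vserver UG_VPN_RemoteGateway -certkeyName login
"""

# Constructed weak variant: plaintext LDAP on 389 with the server IP left out,
# no RDP Proxy feature, an undefined RDP profile, no certificate, SSLv3 not disabled.
WEAK_CONFIG = """
add authentication ldapAction LDAP_Act -serverIP -serverPort 389 -ldapBase "dc=lab,dc=local" -ldapBindDn ldap-reader@lab.local -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType PLAINTEXT
add vpn vserver UG_VPN_RemoteGateway SSL -vserverFqdn gateway.example.com
add vpn sessionAction UG_VPN_SAct -SSO ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
set ssl vserver UG_VPN_RemoteGateway -tls13 DISABLED
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

    Run it against your own command list (or the output of "show ns runningConfig") by replacing the sample text; the hardened sample yields no findings, the weak one eight. The parser treats a flag followed directly by another flag as a missing value, which is exactly how a forgotten -serverIP or -rdpClientProfileName shows up before it is pasted into the appliance.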


    I hope this article helps you to provide your users with a safe and fast alternative as a home office workplace. Have a good time and don't get infected ;)

    You can also visit or book me on my website: https://www.thomaspreischl.de or follow me on Twitter: ThomasPreischl.
