
NetScaler Gateway for RDS Farm


Jens Ostkamp


Hello everyone,

 

So I have come to an interesting setup I have been trying to test for a couple of times now. The idea is that I want to use NetScaler Gateway as a Gateway for an RDS Farm.

Basically I want to add Bookmarks as RDP Connection which connects to the RDS Broker Server.

I have found some little posts about this. I know that the RDP Proxy feature is in general working for an RDP session to a computer, but of course I want to achieve the same with RDS Apps.

The obvious problem has always been, that specific connection parameters aren't present in the RDP File the NetScaler will deliver to the Client. 

Researching the internet,  I have found an interesting comment on a blog post of JG Spiers: https://www.jgspiers.com/rdp-proxy-netscaler-gateway/

"Lafrance
July 27, 2018
Hi,
you can add those special parameters to the bookmark. this allow you to publish multiple RemoteApp + RDP desktop to your users.
here’s an example :
add vpn url RemoteApp RemoteApp "rdp://10.10.10.10?alternate shell:s:||ServiceCenter&remoteapplicationprogram:s:||ServiceCenter&remoteapplicationname:s:ServiceCenter&remoteapplicationcmdline:s:&remoteapplicationmode:i:1" -clientlessAccess ON
All you have to do, is to open the RDP RemoteApp file within a notepad and then extract those parameters and use & to append them after the ? in the bookmark.
I used those 5 parameters to make it works. Nothing to change in the RDP ClientProfile. I had RDP Redirection = Enabled in the RDP ServerProfile on NS 12.1"

 

One user is explaining that by adding the specific connection information after the Bookmark URL itself will store them into the RDP File which then "should" correctly work as a whole.

Adding the bookmark with the specific parameters worked perfectly. When I download the RDP file I can see those parameters added successfully, but I can't establish a connection, as I get the error "Connection for this computer cannot be established, because the information provided in the RDP-File couldn't get validated by the connection broker" (roughly translated from German).

Within the Eventviewer of the Connection Broker Server I found the following entry:

 

RD Connection Broker failed to process the connection request for user domain\user.
User's RDP file has invalid hint format.
Error: The request is not supported. 

 

Since my understanding of RDS isn't the best, I am not sure if there are some configurations missing (sounds to me like the broker doesn't "accept" the connection since the request comes from an "invalid" gateway - like if I forgot to add the Appliance to some kind of "allowed" relays, similar to Citrix Publishing where you have to add the Gateway which has to be used for this Store), but if anyone got this configuration working I'd highly appreciate any support regarding this.

My NetScaler configuration is basically the same JG Spiers describes in his blogpost:

-RDP Server and Client profile (same shared secret, RDP redirection enabled)

-VPN vServer with ICA only unchecked

-correct certificates on both sides

 

Thanks a lot in advance and best regards!


what are you using the RDP server profile for ?

in my deployment, i have it like this:

- LB vServers for the backend RDS services. the bookmarks point to these

- NSAG virtual server that does auth and has the bookmarks added; no RDS server profile configured

- session profile bound to the NSAG vServer, which contains the RDS client profile (among other stuff irrelevant here)

 

The rest is just cosmetics.

hey, thanks for your response!

I use the server profile to configure RDP redirection. I have read in several other posts that this is mandatory if NSGW should be able to work as RDP proxy when there is an RDS broker in the backend farm.

So do you have applications and desktops as bookmarks? How do you separate them? From my understanding I have to add these mentioned parameters after my bookmark link so it is clear which application/desktop a user is trying to connect to.

But I don't use LB vServers, I basically point my gateway directly to the RDS-Broker server (configured within client profile).


Ah okay, i guess that's the difference then. We have Apps and Desktops and so my goal would be to just always point my RDP Proxy destination towards the RDS Broker Machine which will then manage the incoming connection to the correct worker server/desktop.

I suppose the desktops you use the NetScaler RDP Proxy for are behind your LB vServers? Because my main problem with that setup is that I can't differentiate between the apps/desktops when I try to establish a connection. That's what I described with putting these "special parameters" (extracted from an .rdp file the RDSWeb Gateway would deliver) behind the bookmark, because that is what "should" work according to some comments on this JGSpiers blog post. When I open the .rdp file I can see that these parameters are indeed included, but the connection would always fail with the error message that the RDS broker can't verify the information given in the .rdp file (even though it is basically the same as when I would use the RDS web gateway).

I used server profile for "RDP Redirection" as I have read on many articles that since 12.1 this option needs to be set regarding RDP Proxy with RDS roles on the backend machines.

 

I already tested - If i use the machines i want to establish an RDP connection to as a direct destination it will work, but I need the broker machine as a destination which then would redirect the request to the correct worker.

My bookmark(s) look like this currently:

 

rdp://fqdn-ofmybrokermachine.domain.de?alternate%20shell:s:||putty&remoteapplicationprogram:s:||putty&remoteapplicationname:s:putty&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

 

My RDP-file delivered by NetScaler Gateway would look like this:

 

alternate shell:s:||putty
remoteapplicationprogram:s:||putty
remoteapplicationname:s:putty
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
redirectclipboard:i:1
redirectdrives:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectpnpdevices:i:0
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
use multimon:i:1
negotiate security layer:i:1
enablecredsspsupport:i:1
authentication level:i:0
full address:s:dns-ofmygatewayserver.domain.de:443
loadbalanceinfo:s:cfc12c53dcf809adf042104f33dd410f7a1f5c1f7025458cf644c4a36dabfa9caaabd7bef383ef68cae252831c709948f05813fa19eb21aa66

 

Basically I'm trying to replace the RDSWebgateway with a NetScaler Gateway and I have read that it works with these special parameters (when you have to use apps instead of just desktops) but I somehow can't get it to work. I already thought of opening a Citrix Case but I'm afraid that this workaround isn't supported the way I want it to be, so I guess I won't get that much help. Maybe someone here already did a similar setup and can help me through with this.

 

Thank you nonetheless so far! :)

 


  • 4 weeks later...
On 9/7/2019 at 1:55 PM, Ken Zygmunt said:

Guys

 

just tested Chrome and Mozilla with NetScaler 13.0 Build 36.27, and RemoteApp/Seamless RDP sessions are now working... they no longer start up as a full desktop.

Looks like it was a bug in Build 12.1

 

Regards

 

Ken Z

Hey Ken,

 

thank you very much for your response and testing with NetScaler 13.0.

Would it be possible to share your configuration, so I can test this in my environment?

 

 

Thank you very much in advance!

 

best regards

Jens


24 minutes ago, Ken Zygmunt said:

Hi Jens

 

Yes, can do that, but I used Carl Stalhood's notes to do mine, which should be your first port of call for this type of information.

 

https://www.carlstalhood.com/netscaler-gateway-12-rdp-proxy/

 

I'll post my settings tonight when i get back from my journey...

 

Regards

 

Ken Z

Hi Ken,

 

Yes, I check Carl's site on a regular basis, it's probably the best site for ADC information :)

But he is "just" describing RDP Proxy as a feature for published Desktops. In my case I specifically need not only desktops of the RDS farm but also applications to work, that's what I described with these special parameters after the bookmark (and if there is more configuration needed apart from putting the special parameters after the bookmark).

To be honest I can't remember if I tested it with IE as well (as you described), but I know I didn't use ADC 13.0.

 

I will do some testing over the day, but it would be awesome if you could share your configuration steps (summarized), if you got RDS Apps via RDP Proxy working :)

 

Thank you very much once again and best regards

Jens

 


Jens

 

Firstly, I'm assuming that you've got full desktops working through NetScaler connecting to RDS Hosts assigned to connection broker(s)?

Assuming yes, then there's only one change you need to do to get RemoteApps working, and that's to edit the bookmark/add a new bookmark

Also, all the testing I did assumed that only an RDWebAccess server was installed, not an RDGateway server. If you have an RDGateway server installed, log onto the Connection Broker and disable it.

 

Firstly, use Chrome to connect to a RDS WebAccess server, log on, and click on a RemoteApp app. This will download the rdp file allowing you to save it/edit it with notepad to view the settings. Copy the following lines from it... (the example below is for a published Windows Calculator)

 

alternate shell:s:||win32calc

remoteapplicationprogram:s:||win32calc

remoteapplicationname:s:Calculator

remoteapplicationcmdline:s:

remoteapplicationmode:i:1

 

The above five lines should be concatenated with an '&' and start with a '?'. i.e

 

?alternate shell:s:||win32calc&remoteapplicationprogram:s:||win32calc&remoteapplicationname:s:Calculator&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

 

Next, go to Citrix Gateway/Resources/Bookmarks and add a new bookmark

 

Name:   <Anything unique>

Text to display: <What you want to appear in the browser>

Bookmark: rdp://<FQDN of one of your RDS Hosts>, e.g. rdshost1.comtoso.com and then add the above concatenated line

Tick 'Use Citrix Gateway as a Reverse Proxy'

Save Settings

 

NOTE: the bookmark should point to one of your RDS hosts, NOT the connection broker!!!!!!!!!!!!!

 

so, assuming your bookmark is the example above, the bookmark should have

 

rdp://rdshost1.comtoso.com?alternate shell:s:||win32calc&remoteapplicationprogram:s:||win32calc&remoteapplicationname:s:Calculator&remoteapplicationcmdline:s:&remoteapplicationmode:i:1

 

NOTE: This should be all on one line - the editor split it over two...

 

Add that bookmark to your Virtual Server.

That is all the change you need to make to a working RDP Proxy to get RemoteApps working.

As i said at the beginning, this is assuming that you've got full RDS desktops working through the NetScaler...

 

Regards

 

Ken Z

 

Edited by kzygmun399
added an extra explanation
  • Like 3
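
The steps in the post above, as an added example that is not part of the original thread: it reads a RemoteApp .rdp file, keeps only the five settings listed, and builds the bookmark. The function names and the sample file are constructed for illustration; the host name and the `add vpn url` form are the ones quoted in the thread.

```python
import codecs

# The five settings the thread copies out of the RDWeb-generated file, in order.
REMOTEAPP_KEYS = ("alternate shell", "remoteapplicationprogram",
                  "remoteapplicationname", "remoteapplicationcmdline",
                  "remoteapplicationmode")

# Constructed sample; an .rdp file may be UTF-16 with a BOM, so encode it that way.
SAMPLE = ("full address:s:rdshost1.comtoso.com\r\n"
          "redirectclipboard:i:1\r\n"
          "alternate shell:s:||win32calc\r\n"
          "remoteapplicationprogram:s:||win32calc\r\n"
          "remoteapplicationname:s:Calculator\r\n"
          "remoteapplicationcmdline:s:\r\n"
          "remoteapplicationmode:i:1\r\n").encode("utf-16")

def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: UTF-16 when a BOM is present, otherwise UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_rdp(text: str) -> dict:
    """Map setting name -> (type, value) for each 'name:type:value' line."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def build_bookmark(rds_host: str, settings: dict) -> str:
    """Return rdp://host?k:t:v&... using only the five RemoteApp settings."""
    missing = [k for k in REMOTEAPP_KEYS if k not in settings]
    if missing:
        raise ValueError(f"not a RemoteApp file, missing: {missing}")
    if settings["remoteapplicationmode"] != ("i", "1"):
        raise ValueError("remoteapplicationmode is not i:1")
    pairs = []
    for key in REMOTEAPP_KEYS:
        kind, value = settings[key]
        if any(c in value for c in '&?"'):   # would change the bookmark's structure
            raise ValueError(f"{key} has a character that breaks the bookmark")
        pairs.append(f"{key}:{kind}:{value}")
    return f"rdp://{rds_host}?" + "&".join(pairs)

def cli_line(name: str, bookmark: str) -> str:
    """CLI form quoted earlier in the thread (add vpn url ... -clientlessAccess ON)."""
    return f'add vpn url {name} {name} "{bookmark}" -clientlessAccess ON'

if __name__ == "__main__":
    print(cli_line("Calculator", build_bookmark("rdshost1.comtoso.com",
                                                parse_rdp(decode_rdp(SAMPLE)))))
```

Settings outside the five (such as `full address` or the redirection flags) are parsed but never copied into the bookmark, so the file the gateway generates carries only what was deliberately published.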

Hey Ken,

 

thank you VERY VERY much for this detailed explanation!!

I will try to test this asap. I couldn't really test my setup with NetScaler 13.0 as I was busy yesterday, but I will surely get back to you when I have configured everything as you explained.

I think the biggest mistake on my part until now was, that i pointed the bookmark to the connection broker and not one of the RDS-Hosts (probably Loadbalancing these gonna make some sense here), everything else looks pretty much the same in my lab environment.

Again, thank you so much!

 

I will reply when i tested everything :)

 

best regards

I could test everything now and it works perfectly. Thank you so much for your assistance and passively explaining how RDS works :D! Greatly appreciated!!

 

Best regards

Jens
