
Hi Guys

 

Got a NetScaler ADC being used as an RDP Proxy via a bookmark, and all working well. 

Users connect to the VIP on https://....

When they click on the Bookmark, it downloads the RDP file, passes it through to the local RDP client and makes a connection to the NetScaler on 3389. This then proxies to the internal RDP farm successfully.

 

My question... Is the RDP connection between the client device and NetScaler over the RDP (TCP 3389) encrypted at all?

 

Regards

 

Ken Z


3 hours ago, Ken Zygmunt said:

Hi Guys

 

Got a NetScaler ADC being used as an RDP Proxy via a bookmark, and all working well. 

Users connect to the VIP on https://....

When they click on the Bookmark, it downloads the RDP file, passes it through to the local RDP client and makes a connection to the NetScaler on 3389. This then proxies to the internal RDP farm successfully.

 

My question... Is the RDP connection between the client device and NetScaler over the RDP (TCP 3389) encrypted at all?

 

Regards

 

Ken Z

 

It's OK, managed to determine this myself. In my environment, the connection between mstsc.exe and the NetScaler RDP Listener was using TLS 1.2.

 

Regards

 

Ken

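One way to run the check described in the post above against a listener you administer, as an added example (not part of the thread and not Citrix code): it parses the X.224 negotiation reply defined in MS-RDPBCGR and then reports the TLS version that was negotiated. It assumes the listener follows standard RDP protocol negotiation; the function names are illustrative and the sample bytes are constructed.

```python
import socket
import ssl
import struct

# selectedProtocol values from MS-RDPBCGR (RDP_NEG_RSP)
PROTOCOLS = {0: "PROTOCOL_RDP (legacy RDP security, no TLS)",
             1: "PROTOCOL_SSL (TLS)",
             2: "PROTOCOL_HYBRID (TLS + CredSSP)",
             4: "PROTOCOL_RDSTLS (TLS)",
             8: "PROTOCOL_HYBRID_EX (TLS + CredSSP)"}

# Constructed sample replies, not captured from a real device.
SAMPLE_TLS = bytes.fromhex("030000130ed00000123400" "0200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

def build_request(requested=0x1 | 0x2):
    """X.224 Connection Request offering TLS and CredSSP."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # RDP_NEG_REQ
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT header

def parse_confirm(data):
    """Return (runs_over_tls, description) for an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:  # no negotiation block: server fell back to legacy RDP
        return False, PROTOCOLS[0]
    kind, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if kind == 0x03:  # RDP_NEG_FAILURE
        return False, f"negotiation failed, failureCode {value}"
    if kind != 0x02:  # anything other than RDP_NEG_RSP
        raise ValueError(f"unexpected negotiation type {kind:#x}")
    return value != 0, PROTOCOLS.get(value, f"unknown protocol {value:#x}")

def probe(host, port=3389, timeout=5.0):
    """Negotiate with a listener you administer; return (description, TLS version)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request())
        over_tls, desc = parse_confirm(sock.recv(1024))
        if not over_tls:
            return desc, None
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # only the protocol version is reported here;
        ctx.verify_mode = ssl.CERT_NONE  # certificate validation is a separate check
        with ctx.wrap_socket(sock) as tls:
            return desc, tls.version()   # e.g. "TLSv1.2"

if __name__ == "__main__":
    print(parse_confirm(SAMPLE_TLS), parse_confirm(SAMPLE_LEGACY))
```

A reply without a negotiation block, or one selecting `PROTOCOL_RDP`, means the session falls back to legacy RDP security rather than TLS.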

On 4/24/2020 at 8:25 PM, Keith Drone said:

For reference, RDP is in itself done over TLS, so you are correct

Keith

 

Can you point me to any official Microsoft articles that definitively state this? I've got a customer that is using the RDP Proxy functionality of NetScaler, but is a bit worried because it's not being used via a VPN that he recognises so he thinks it's not secure.

 

Regards

 

Ken Z


On 4/24/2020 at 5:21 PM, Ken Zygmunt said:

 

It's OK, managed to determine this myself. In my environment, the connection between mstsc.exe and the NetScaler RDP Listener was using TLS 1.2.

 

Regards

 

Ken

 

You are right. You create an SSL session to the gateway and tunnel RDP inside SSL. The gateway will then connect via native RDP to the server. This is RDP encryption.

 

On 4/24/2020 at 9:25 PM, Keith Drone said:

For reference, RDP is in itself done over TLS, so you are correct

 

I don't know if this is actually true. And of course we have no influence on encryption methods. But it's not relevant, the gateway does, and it will be very good encryption, if you score an A+ with the gateway.

 

Greetings

 

Johannes Norz

CTA, CCI and CCE-N


17 hours ago, Johannes Norz said:

 

You are right. You create an SSL session to the gateway and tunnel RDP inside SSL. The gateway will then connect via native RDP to the server. This is RDP encryption.

 

 

I don't know if this is actually true. And of course we have no influence on encryption methods. But it's not relevant, the gateway does, and it will be very good encryption, if you score an A+ with the gateway.

 

Greetings

 

Johannes Norz

CTA, CCI and CCE-N

Johannes

 

I didn't think you could do an SSLLabs rating on the RDP Listener, only on the VIP...

 

Regards


3 hours ago, Ken Zygmunt said:

Johannes

 

I didn't think you could do an SSLLabs rating on the RDP Listener, only on the VIP...

 

Regards

 

Of course not. What I wanted to say: You would not have any influence on RDP encryption, no matter what they are using, so it would not be sufficient for the internet (we have seen so many changes during the last years, CBC had been the best, now it's crap, 128 had been OK, now it's not enough any more and so on), so encryption on ADC is way more secure.
