Presenting RDP to Remote Users

I have some remote users who need to RDP to a specific server. Currently they do this over a LAN to LAN tunnel. But I'd like to move this to some type of client VPN and I'd like to incorporate two factor authentication for each session.


Would this be done with Citrix Gateway?

Or what other means could I use for presenting the RDP desktop to authenticated users?

How can I tell if I'm licensed for this?


Auth stuff:

The Citrix Gateway with vpn vserver can do the two factor authentication.

For authentication requirements, the gateway can do the ldap + radius two factor authentication.  Requires Advanced Edition or Premium edition (former enterprise/platinum editions) to take advantage of integration with authentication vserver for advanced authentication policies at this point to get off classic engine.  


Connection types:

Option 1: You could use it in full vpn mode (requiring the gateway vpn client).  Access can be controlled through authorization and session policies.

Option 2:  You can use the RDP proxy feature and rdp bookmarks to specific destinations can be advertised via the gateway portal page. (basically client to gateway (RDP via gateway) and then gateway to rdp destination)  RDP Proxy was added around 11.0 and later.  RDP Proxy:  https://www.carlstalhood.com/netscaler-gateway-12-rdp-proxy/ and https://docs.citrix.com/en-us/citrix-gateway/current-release/rdp-proxy.html

Option 3:  Published RDP via Citrix VAD (former XA/XD environment) if you already had a CVAD/XA/XD deployment and wanted to just leverage it instead of a full vpn connection.


My guess is you are looking at option 1 or option 2.


Licensing... exact terminology varies on which firmware you are running. Feel free to update the version you are on and we can clarify terms. Depending on pre 12.1 or post 12.1...

Your Gateway feature is included in Citrix ADC Standard, Advanced, Premium licenses.  If you have a gateway only license, it might depend.

But use of the vpn full tunnel connection, clientless features or the rdp proxy requires the use of the vpn universal licenses (vpn ccu licenses). Most modern systems will include these; some older systems may not have it licensed.  If you do a  show license from the cli:

Confirm the  Citrix Gateway (NetScaler Gateway) feature is licensed

And that you see licenses quantity or unlimited listed for VPN Licenses (and not just the ICA Proxy licenses).  The exact listing may vary depending on the age of your current deployment.


It looks like we're licensed for VPN..

> sho license
        License status:
                           Web Logging: YES
                      Surge Protection: YES
                        Load Balancing: YES
                     Content Switching: YES
                     Cache Redirection: YES
                          Sure Connect: YES
                   Compression Control: YES
                     Delta Compression: NO
                      Priority Queuing: YES
                        SSL Offloading: YES
          Global Server Load Balancing: YES
                        GSLB Proximity: YES
                   Http DoS Protection: YES
                       Dynamic Routing: YES
                     Content Filtering: YES
                   Content Accelerator: YES
                    Integrated Caching: YES
                               SSL VPN: YES  (Maximum users = Unlimited)  (Maximum ICA users = Unlimited)
                                   AAA: YES
                          OSPF Routing: YES
                           RIP Routing: YES
                           BGP Routing: YES
                               Rewrite: YES
             IPv6 protocol translation: YES
                  Application Firewall: YES
                             Responder: YES
                        HTML Injection: YES
                        NetScaler Push: YES
                   Web Interface on NS: YES
                               AppFlow: YES
                           CloudBridge: YES
                          ISIS Routing: YES
                            Clustering: YES
                              CallHome: YES
                                AppQoE: YES
                       Appflow for ICA: YES
                                  RISE: YES
                Front End Optimization: YES
                       Large Scale NAT: YES
                             RDP Proxy: YES
                            Reputation: YES
                         URL Filtering: NO
                    Video Optimization: YES
                         Forward Proxy: NO
                      SSL Interception: NO
             Remote Content Inspection: YES
                          Adaptive TCP: YES
          Connection Quality Analytics: YES
                       Model Number ID: 1000
                          License Type: Platinum License
                        Licensing mode: Local
                    Days to expiration: Permanent

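Added example, not part of the thread and not Citrix tooling: a small Python check that reads saved `show license` output and evaluates the points raised in the reply above (Gateway licensed, VPN user licenses rather than ICA-only, RDP Proxy, and an edition that allows the authentication vserver). It assumes the line layout shown in the posted output, with the Gateway feature appearing as the `SSL VPN` line; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the `show license` output posted in this thread
# (trimmed to the lines the check reads).
SAMPLE = """\
        License status:
                        Load Balancing: YES
                               SSL VPN: YES  (Maximum users = Unlimited)  (Maximum ICA users = Unlimited)
                                   AAA: YES
                             RDP Proxy: YES
                          License Type: Platinum License
"""

# Editions the reply names for authentication vserver integration (new and former names).
ADVANCED_AUTH_EDITIONS = ("advanced", "premium", "enterprise", "platinum")

def parse_license(text):
    """Return {feature name: value string} from `show license` output."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():  # skips the prompt line and the bare "License status:" header
            fields[name.strip()] = value.strip()
    return fields

def check_remote_rdp(text):
    """Evaluate the licensing points from the thread; returns a dict of booleans."""
    f = parse_license(text)
    vpn = f.get("SSL VPN", "NO")
    # "Maximum users" is the VPN user count; "Maximum ICA users" alone means ICA Proxy only.
    m = re.search(r"\(Maximum users = (\w+)\)", vpn)
    users = m.group(1) if m else "0"
    edition = f.get("License Type", "").lower()
    return {
        "gateway_licensed": vpn.startswith("YES"),
        "vpn_users_available": users == "Unlimited" or (users.isdigit() and int(users) > 0),
        "rdp_proxy_licensed": f.get("RDP Proxy", "NO").startswith("YES"),
        "advanced_auth_edition": any(e in edition for e in ADVANCED_AUTH_EDITIONS),
    }

if __name__ == "__main__":
    for check, ok in check_remote_rdp(SAMPLE).items():
        print(f"{check:24} {'OK' if ok else 'MISSING'}")
```

As the reply notes, the exact listing varies with firmware age, so treat a MISSING result as a prompt to read the raw output rather than as a final answer.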
