Jump to content
Welcome to our new Citrix community!

Security around the NetScaler RDP Proxy feature

Ken Z

Recommended Posts

Hi everyone


can anyone point me to a technical paper on how "man in the middle" attacks are mitigated when using the NetScaler as an RDP Proxy?


With a normal Citrix session, the NetScaler obtains a 200 second ticket from a STA, so the user has 200 seconds to connect to the session before the ticket becomes invalidated.

With an RDP Proxy connection, the NetScaler downloads an rdp file down to the client device, but what's to stop someone intercepting this file and using it later? Is there an equivalent of an STA for RDP connections?


I notice that you can set a timeout for a cookie during the RDP profile configuration, but how exactly does this cookie setting work? are there any technical papers/blogs explaining the security of the RDP Proxy configuration?




Ken Z

Link to comment
Share on other sites

  • 3 weeks later...



i dont think there is an exact documentation of how the cookie security works. But from my understanding if you configure cookie setting for the rdp-file, the ADC will inject a validity cookie into the downloaded RDP File and when you open it, you will obviously still connect to ADC first, who will check validity of the cookie and if this passes, proxies the connection to desired rdp destination.


Fun fact: as far as I know there is no security feature like this from RDS in general, so basically the described MITM would be possible for RDS infrastructure with no ADC as RDP proxy / gateway in before. That's why ADC has to do its own validation setting 

Link to comment
Share on other sites



thanks for the response.

I was looking for some official/semi-official documentation from Citrix as a customer was after this to send to their cyber-security department who are questioning the security aspects of using the RDP Proxy function of the Citrix ADC.  With a standard Microsoft implementation if an RDS Farm with an RDGateway for remote access, you can configure MFA (such as Duo Security) on the RDGateway service so that when you try running the rdp (or even if you've configured HTML5/webclient) you get a push notification to your Smart Phone App requesting approval. I'm not sure MFA configured on the NetScaler will do the same thing when connecting to 3389 on the NetScaler.


I was hoping Rhonda might give a link to such a document.




Ken Z

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...