Hello.
I'm trying to publish Outlook Anywhere and RDS Gateway through a Squid reverse proxy. The configuration is apparently correct: most HTTPS web sites work correctly for me. However, Outlook Anywhere and RDS Gateway, both of which use RPC over HTTPS, do not work for me. This is what appears in the Squid log:
TAG_NONE_ABORTED / 000 https://owa.dominio.com/rpc/rpcproxy.dll?
The message for the RDS Gateway is the same, only with a different URL.
I suspect the problem arises because I had to enable the 'Ignore Internal Certificate Validation' option; if I turn it off, none of the pages published on the HTTPS server load. The message I get in the browser when this option is unchecked:
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
Certficate SSL error: certificate issuer (CA) not known: /DC=com/DC=dominio/CN=cert.dominio.com
PFsense 2.2.5
Squid3 package: 0.4.6
I would appreciate any ideas anyone might suggest.
Thank you.
Regards.
HomeLabLab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
RDP Proxy configuration with Citrix NetScaler 11. Connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway.
RDP Proxy is a new feature initially added in NetScaler 10.5.e and now fully integrated within NetScaler 11. In this post, we will see how to configure RDP Proxy with NetScaler 11 and connect with single sign-on (CredSSP) to Remote Desktop (RDP) connections through NetScaler Gateway without having to configure any RDS server environment (RDS gateway/Web Access).
How does RDP Proxy work?
- User connects to Unified Gateway website (SSL VPN)
- User authenticates (one-factor or two-factor authentication)
- NetScaler gateway cookie is created
- RDP resources enumeration
- User clicks on the RDP icon (Ex: https://NSGVIP/rdpproxy/ip:port)
- RDPUser and RDPTarget information are sent to and stored on one of the STA servers configured in the gateway virtual server
- Authorization from the STA server. STA ticket creation
- .rdp file is downloaded to the client (STA ticket included):
  - full address:s:NetScalerGatewayURL:port
  - loadbalanceinfo:s:STA Ticket
  - enablecredsspsupport:i:1
- RDP Settings are provided by the RDP client profile
- NetScaler accepts/proxies the connection to the RDPListener Gateway on the selected port (default 3389 but you can change it)
- RDP Listener validates the STA ticket to the STA server
- RDPUser and RDPTarget are provided to the RDP Listener by the STA server
- Gateway session is created or reused
- RDP Listener does the SSO (CredSSP) to the remote server on port 3389
Advantages of using RDP Proxy
- Cheap solution to access backend servers via RDP
- Microsoft Remote Desktop Services Gateway is not necessary (replaced by NetScaler Gateway)
- Authentication on the NetScaler Gateway
- Two-Factor authentication possible
- No Full VPN
- Single sign-on to the remote host (CredSSP)
- RDP session is only allowed after the user authentication
- You can change the port of the RDP session to anything you want
- With Unified Gateway, you can offer applications via ICA Proxy (XenApp apps, VDI, etc) and applications via RDP Proxy (RDP app) on the same website
- Easy to configure (rdp server profile, rdp client profile, bookmarks, session policy)
Requirements
- At least NetScaler 10.5.e
- Port 3389 open between the NetScaler HA Pair and the backend servers (via the SNIP addresses)
- The RDP listener can be configured on any port. It can even be configured on port 443 as long as you use a unique IP for it, which is different from the VPN server IP. In the lab, we will configure the RDP listener on port 3389
- Port 3389/443 should be opened on the firewall between the end user machine IP and the VPN virtual server VIP.
- DNS resolution working on the NetScaler
- Enterprise or Platinum NetScaler license
- Universal CCU license (5 by default)
- Unified Gateway virtual server (see: How to License a NetScaler Gateway Appliance)
- Any SSL/TLS server certificates, authentication policies must be bound to the NetScaler Gateway virtual server that is part of the chosen Unified Gateway formation.
Lab configuration
- NS Build 11.0 62.10.nc
- NetScaler HA Pair configured (192.168.1.201)
- Backend server CDC01.citrixguru.lab (10.0.0.71)
- CDC01.citrixguru.lab is properly resolved on the NetScaler (DNS suffix is configured)
- Unified Gateway virtual server configured (192.168.1.17)
- External Unified Gateway address: lab.citrixguru.com
Lab NetScaler Architecture
Configure RDP Proxy with NetScaler Gateway 11
Enable RDP Proxy feature
First, you need to enable the feature on the NetScaler.
Go to NetScaler > System > Settings and select Configure Advanced Features.
Enable RDP Proxy
The feature must be licensed to run this command.
Create RDP Client Profile
Complete the following steps to create the RDP client profile.
Go to NetScaler > NetScaler Gateway > Policies > RDP > Profiles and Connections > Client Profiles and select Add.
- Name: rdp_profile_client
- RDP File name: app.rdp
- RDP Host: lab.citrixguru.com
- Pre Shared key: <key>
  - This attribute has been made mandatory with NetScaler 11
You can change the RDP settings depending on your needs. For this lab, we are using the default settings.
add rdp client profile
Create RDP Server Profile
Complete the following steps to configure the RDP listener on port 3389. The server profile is configured on the RDPListener Gateway.
Go to NetScaler > NetScaler Gateway > Policies > RDP > Profiles and Connections > Server Profiles and select Add.
Make sure to use the same Pre Shared key as for the RDP Client profile.
- Name: rdp_server_profile
- RDP IP: 192.168.1.17
- RDP Port: 3389
- Pre Shared key: <key>
  - This attribute has been made mandatory with NetScaler 11
The RDP listener can be configured on any port. It can even be configured on port 443 as long as you use a unique IP for it, which is different from the VPN server IP.
add rdp server profile
Create session profile
The session profile disables ICA proxy, enables clientless VPN mode and references the RDP client profile created above:
```
add vpn sessionAction rdp_session_profile -icaProxy OFF -clientlessVpnMode ON -rdpClientProfileName rdp_profile_client -defaultAuthorizationAction ALLOW
```
Create session policy
Go to NetScaler > NetScaler Gateway > Policies > NetScaler Gateway Session Policies and Profiles > Session Profiles and select Add.
- Name: rdp_session_pol
- Profile: rdp_session_profile
- Expression: ns_true
The same policy from the CLI (name, expression and profile as listed above):
```
add vpn sessionPolicy rdp_session_pol ns_true rdp_session_profile
```
Create bookmark
The bookmark is a clientless VPN URL using the rdp:// scheme, so the gateway builds the .rdp file for the backend server:
```
add vpn url CDC01 CDC01 "rdp://cdc01.citrixguru.lab" -clientlessAccess ON
```
Configure virtual server for RDP proxy
Go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers and select your virtual server.
- RDP Server Profile: rdp_server_profile
- ICA proxy not checked
Bind session policy to virtual server.
- Name: rdp_session_pol
From the CLI (the virtual server name is not shown in this post; replace the placeholder with yours):
```
bind vpn vserver <UnifiedGateway_vserver_name> -policy rdp_session_pol -priority 100
```
When the user clicks the bookmark, the downloaded app.rdp file contains the settings from the RDP client profile, with the STA ticket in loadbalanceinfo:
```
redirectdrives:i:0
keyboardhook:i:2
videoplaybackmode:i:1
negotiate security layer:i:1
authentication level:i:0
loadbalanceinfo:s:5a9afd2966e0e08a8505c8aa2d0c094713e77192ceb73716b0abc35d41930ed0e11e535e83c999dc
```
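As an added example (not part of the original post or of NetScaler), the following script parses a gateway-issued .rdp file like the one above and checks that it reflects the flow and configuration described in this post: the full address points at the gateway RDP listener (lab.citrixguru.com:3389 in this lab), a STA ticket is present in loadbalanceinfo, CredSSP single sign-on is enabled, and it flags the default "authentication level:i:0", which makes the client connect even when server authentication fails. The sample file content is constructed from the settings shown in the post.

```python
import re

# Constructed sample of the app.rdp file handed to the client; the settings
# mirror the ones shown in the post (the ticket value is the post's sample).
SAMPLE_RDP = """\
full address:s:lab.citrixguru.com:3389
loadbalanceinfo:s:5a9afd2966e0e08a8505c8aa2d0c094713e77192ceb73716b0abc35d41930ed0e11e535e83c999dc
enablecredsspsupport:i:1
redirectdrives:i:0
keyboardhook:i:2
videoplaybackmode:i:1
negotiate security layer:i:1
authentication level:i:0
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file.

    Type 'i' values become integers; 's' (string) and 'b' (binary) stay strings.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, kind, value = line.split(":", 2)
        settings[name] = int(value) if kind == "i" else value
    return settings


def check_rdp(settings, gateway_host, listener_port):
    """Return findings for an .rdp file that is supposed to go through RDP Proxy."""
    findings = []
    host, _, port = settings.get("full address", "").rpartition(":")
    if host != gateway_host or port != str(listener_port):
        findings.append("full address does not point at the gateway RDP listener")
    # The STA ticket is a hex string placed in loadbalanceinfo by the gateway.
    if not re.fullmatch(r"[0-9a-fA-F]{32,}", settings.get("loadbalanceinfo", "")):
        findings.append("loadbalanceinfo does not carry a STA ticket")
    if settings.get("enablecredsspsupport") != 1:
        findings.append("CredSSP disabled: single sign-on to the remote host will not work")
    # 0 = connect without warning if server authentication fails (default in the post)
    if settings.get("authentication level", 0) == 0:
        findings.append("authentication level 0: server identity failures are ignored")
    return findings


if __name__ == "__main__":
    for finding in check_rdp(parse_rdp(SAMPLE_RDP), "lab.citrixguru.com", 3389):
        print("WARN:", finding)
```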
Go to NetScaler > NetScaler Gateway > Policies > RDP Profiles and Connections > Connections.
You can see the current session.
RDP Proxy is a pretty cool feature of Citrix NetScaler which can resolve some of the use cases we are facing with our remote access solution. However, the current implementation is too limited to fully replace a Microsoft RDS environment. Let's just hope that Citrix continues to develop this feature in the next version of NetScaler.