by Thomas Preischl, CTA
Everyone is currently talking about COVID-19. Given the rapid spread and the risk of infection, many companies are reacting to protect their employees, customers and partners. The most obvious measure is to give employees access to their workplace from home. But how can this be done simply and quickly, without a large project or a virtual desktop environment?
A simple and very effective way is to give users access through a Citrix ADC that acts as a remote desktop (RDP) proxy. Such a configuration can be set up within a few hours, puts TLS and Active Directory authentication in front of RDP instead of exposing port 3389 to the Internet, and is easy to administer.
Configuration on Citrix ADC
In my case, the only prerequisite was a pre-installed, basic Citrix ADC VPX.
The Citrix ADC must have an ADC Advanced or ADC Premium license. Citrix Gateway Universal licenses are also required for each user; these usually come with ADC Advanced (1,000 licenses) and ADC Premium (unlimited). In addition, the Citrix ADC must be able to reach, from its Subnet IP (SNIP), port 3389 (RDP) on every client that is to be accessed from outside later. Restrict this on the firewall to the intended office PCs, because every authenticated gateway user can enter any target address. The NetScaler IP (NSIP) must be able to reach an Active Directory domain controller on port 636 (LDAPS) or 389 (LDAP); use LDAPS, since with plain LDAP the users’ passwords would travel unencrypted between the ADC and the domain controller. On the clients your users want to connect to, port 3389 (RDP) must be open and RDP must be allowed for those users.
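As an added example (not part of the original article), the client-side prerequisites from the paragraph above can be applied to a Windows 10 office PC with the following PowerShell, run as administrator: enable RDP, require Network Level Authentication, allow only the intended domain group, and open TCP 3389 to the ADC’s SNIP alone instead of to the whole network. The SNIP address 192.168.1.10 and the group LAB\HomeOffice-Users are assumptions; replace them with your own values.

```powershell
# Added example: prepare an office PC for RDP access through the Citrix ADC RDP proxy.
# Assumptions (not from the article): the ADC SNIP is 192.168.1.10 and the
# domain group LAB\HomeOffice-Users holds the users who may connect.
# Run in an elevated PowerShell on the client (Windows 10 / Server 2016 or later).
$AdcSnip  = '192.168.1.10'
$RdpGroup = 'LAB\HomeOffice-Users'

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Allow Remote Desktop connections at all.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# 2. Require Network Level Authentication and the TLS security layer, so an
#    unauthenticated peer never reaches the Windows logon screen.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name SecurityLayer -Value 2

# 3. Only members of the home office group may log on via RDP
#    (local administrators can always do so).
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup
}

# 4. Firewall: do not use the built-in "Remote Desktop" rules, which accept
#    3389 from any address. Disable them and add a rule scoped to the SNIP,
#    so the ADC is the only path to RDP on this machine.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$ruleName = 'RDP from Citrix ADC SNIP only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AdcSnip -Profile Domain -Action Allow | Out-Null
}

# 5. Show the resulting state for verification.
[pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    AllowedFrom = (Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress
    RdpUsers    = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', '
}
```

In a domain you would normally push the same settings with a Group Policy rather than per machine; the script shows which knobs matter. Disabling the built-in rule group also removes the UDP 3389 rule, which is fine here because the ADC RDP proxy speaks TCP only. Mirror the firewall rule on the network side by allowing the SNIP to reach port 3389 only on the intended office PCs.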
I have already imported the SSL certificate.
Before we can start the configuration, enable the “RDP Proxy” feature. You can find it under: System | Settings | Configure Advanced Features
I will now first explain the configuration on the Citrix ADC.
To do this, first select the menu item “Unified Gateway” in the configuration of the Citrix ADC:
Now we start the configuration with a click on “Get Started.”
Next, we fill in the IP address (VIP) of our Citrix Gateway. This address must be reachable from the Internet on port 443 (the port can be changed here), typically via NAT on the firewall. We also assign a name for the gateway configuration and enter its FQDN. Go on with “Continue.”
In the next step, we choose our SSL certificate. In my case, I have used a Let’s Encrypt certificate, which must be renewed every 90 days (but, hey, it’s free 😉). If necessary, you can add one now, then confirm with “Continue.”
Now you can check the chain of the certificate. Ours is fine, so let’s move on.
In the next step, we enter the Active Directory connection information. I have created a service account for this; read access to Active Directory is sufficient for it. With a click on “Test Connection” you can check whether the connection works:
Now we can choose a portal theme. Go on to the next step:
We are not adding any applications yet. Close the wizard with “Continue.”
The base configuration of our Citrix ADC Unified Gateway is now done.
Add an RDP Profile
Now we go to the following menu item in the Citrix ADC configuration and add an RDP profile there: Citrix Gateway | Policies | RDP Profiles and Connections | Client Profiles
The RDP profile should look like this:
(I have only changed the name of the RDP file the user downloads later. You can change the other settings as you wish.)
Next we have to adjust our session policy for our Gateway. You can find the gateway under: Citrix Gateway | Citrix Gateway Virtual Servers
Here, we select “Edit” and jump to the Session Policies.
Now we edit these according to our requirements.
Choose your session policy. In your case, only one should be bound here. Select it and go to “Edit Profile.”
Here we must first enter our single sign-on domain, under “Published Applications.” If you leave it out, users must enter their login name as “Domain\Username.”
We will adapt this for our case.
Then we bind the RDP profile we just created, under “Remote Desktop.”
That’s about it.
Provide fixed RDP destinations, if necessary
If necessary, you can define fixed RDP destinations using bookmarks, directly on the Unified Gateway virtual server, by adding a URL under Published Applications.
In my case, I’m not doing it. I want my users to be able to enter and establish connections to their office PC themselves.
How users can add connections and connect from outside
Users can now connect externally on the Citrix ADC via the FQDN of the Unified Gateway.
Log in with your username and password.
Now choose “Clientless Access.”
On the overview page, users can now enter their own RDP connection using their PC name or IP address. To do this, users click the “Add” button in the “Personal Web Sites” area. Note that the gateway itself does not limit the targets: the ADC will proxy an RDP session to any address an authenticated user enters, as long as the SNIP can reach it on port 3389 and the user is allowed to log on there. The reachable set of PCs is therefore defined by your firewall rules from the SNIP and by the Remote Desktop Users group on the clients.
Connections added by the user can be removed later with “Remove.”
The entry for an RDP connection should look as follows. In addition to a name for the connection, enter the PC name or IP address including port 3389 (for RDP), in the form PCNAME:3389. I have added a description. Please do not forget to check the box “RDP Link.” Then create the link with “Add.”
Once the link is created, we can click on it in the “Personal Web Sites” section and are offered an RDP file for download. We can save it or start it directly.
Here are the CLI commands for your Citrix ADC:
#Replace the following
#192.168.1.200 < IP address of your Active Directory domain controller (LDAPS)
#192.168.1.120 < your IP address for the Gateway VIP
#dc=lab,dc=local < your LDAP base DN
#email@example.com < service user (bind DN) for the Citrix ADC LDAP connection
#PASSWORD < your password
#login.thomaspreischl.de < your FQDN
#lab.local < your SSO domain
#login < name of the imported certificate key pair
enable ns feature RDPProxy
add authentication ldapAction 192.168.1.200_LDAP -serverIP 192.168.1.200 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn email@example.com -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL
#the LDAP policy that wraps the action was missing from the exported list; it is bound to the VPN vserver further down
add authentication ldapPolicy 192.168.1.200_LDAP_pol ns_true 192.168.1.200_LDAP
add cs vserver RemoteGateway SSL 192.168.1.120 443 -cltTimeout 180 -persistenceType NONE
add vpn vserver UG_VPN_RemoteGateway SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn login.thomaspreischl.de
add cs action UG_CSACT_RemoteGateway -targetVserver UG_VPN_RemoteGateway
add cs policy UG_CSPOL_RemoteGateway -rule is_vpn_url -action UG_CSACT_RemoteGateway
bind cs vserver RemoteGateway -policyName UG_CSPOL_RemoteGateway -priority 63000
add vpn sessionAction UG_VPN_SAct_192.168.1.120 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
add vpn sessionPolicy UG_VPN_SPol_192.168.1.120 true UG_VPN_SAct_192.168.1.120
add rdp clientprofile RDP -rdpFileName remotePC.rdp
#TLS 1.0 and 1.1 are disabled in addition to SSLv3; clients terminate TLS on the content switching vserver, so it gets the same settings and the certificate
set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -dtls1 DISABLED
set ssl vserver RemoteGateway -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED
bind vpn vserver UG_VPN_RemoteGateway -portaltheme X1
bind vpn vserver UG_VPN_RemoteGateway -policy 192.168.1.200_LDAP_pol
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol_192.168.1.120 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST
bind ssl vserver UG_VPN_RemoteGateway -certkeyName login
bind ssl vserver RemoteGateway -certkeyName login
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_256
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_384
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_224
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_521
bind ssl vserver RemoteGateway -eccCurveName P_256
bind ssl vserver RemoteGateway -eccCurveName P_384
bind ssl vserver RemoteGateway -eccCurveName P_224
bind ssl vserver RemoteGateway -eccCurveName P_521
I hope this article helps you give your users a secure and fast alternative as a home office workplace. Have a good time and don’t get infected 😉