by Thomas Preischl, CTA
You want to use Citrix ADC as RDS Gateway with an RDS Broker for your RDS Farm? In this article I will show you how to configure this. As a basis for this article you should read the following article if possible: https://blogs.mycugc.org/2020/03/05/how-to-quickly-and-easily-provide-home-office-workstations-not-only-during-the-outbreak-of-covid-19/
In that article, you learn how to set up the Citrix ADC for use as a proxy for Remote Desktop Services. This configuration is also a prerequisite for connecting to the Remote Desktop Services Farm. That article already explains how a user can connect via RDP to any desktop through the Citrix ADC.
Here I would like to explain how you can provide desktops and apps to users from a Remote Desktop Services Farm. We want to use groups to control the assignment of desktops and apps. As a prerequisite for the entire configuration, the farm should already be set up for Remote Desktop Services. This includes the Remote Desktop Connection Brokers and also the Session Hosts. Internal connections should all work. If you need more information about this, you can read the individual instructions here: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/welcome-to-rds
Configuration on RDS Session Hosts
Before we can start with the configuration of the Citrix ADC, we must make a little bit of configuration on the Session Hosts. Yes, the Session Hosts, not the Broker or somewhere else. I know what I am talking about. 😉
The following setting is best set via GPO on the RDS Session Hosts. The setting must be made, otherwise the connection via the RDS Connection Broker will not work later when the user comes in via the Citrix ADC Gateway. The same setting also lets Connection Broker load balancing via Citrix ADC reconnect the correct session, even if a disconnect has occurred.
You can find the setting under:
Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker
The redirection is now switched from IP-based to token-based. Then let’s go to the Citrix ADC and continue configuring there.
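As an added check, not part of the original article: a PowerShell script that reports which Session Hosts still use IP-based instead of token-based RD Connection Broker redirection. It assumes the GPO "Use IP Address Redirection" writes the DWORD SessionDirectoryExposeServerIP under the Terminal Services policy key (1 = IP redirection, 0 = token redirection, missing = not configured, which behaves like IP redirection); the host names are placeholders.

```powershell
# Added example: verify the RD Connection Broker redirection mode on every Session Host.
# Assumption: policy key and value name as written by the "Use IP Address Redirection" GPO.
$SessionHosts = @('rdsh01.example.local', 'rdsh02.example.local')   # placeholders

$Check = {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $name = 'SessionDirectoryExposeServerIP'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    # 0 = token-based redirection (what the Citrix ADC RDP proxy needs),
    # 1 = IP-based, anything else = policy not configured (defaults to IP-based)
    $mode = if ($value -eq 0) { 'Token' }
            elseif ($value -eq 1) { 'IP' }
            else { 'NotConfigured (IP)' }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        RawValue      = $value
        Redirection   = $mode
        ReadyForProxy = ($value -eq 0)
    }
}

# Run the check over WinRM on all Session Hosts and flag the ones that still need the GPO.
$results = Invoke-Command -ComputerName $SessionHosts -ScriptBlock $Check
$results | Format-Table Host, Redirection, ReadyForProxy -AutoSize
$results | Where-Object { -not $_.ReadyForProxy } | ForEach-Object {
    Write-Warning "$($_.Host): set 'Use IP Address Redirection' to Disabled via GPO, then run gpupdate /force"
}
```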
Citrix ADC Configuration
Create a RDP Server Profile on the Citrix ADC
To make our connections available from the Internet via port 3389 in the future, we must first create a Server Profile. For this we connect to the Citrix ADC and navigate to the following sub-item of the configuration:
Configuration / Citrix Gateway / Policies / RDP Profiles and Connections / Server Profiles
Here we create a new Server Profile.
Within the Server Profile we enter a Pre Shared Key and activate RDP redirection.
Enable the RDP Server Profile on the Citrix vServer
The just-created RDP server profile is now bound to our Citrix Unified Gateway vServer. This activates listening on port 3389 on the VIP of the Gateway vServer. Of course, the NAT on the firewall should be adjusted accordingly and the connection should be allowed from outside.
The RDP Server Profile is entered directly on the vServer. You can do this in the advanced basic settings of the vServer.
Important: “ICA only” must also be deactivated for the configuration.
Create a RDP Client Profile that fits to the Server Profile
Now we create an RDP client profile that matches the corresponding RDP server profile. It is important that I enter the Pre Shared Key I used above. The profile will be created under the following menu item in the configuration:
Configuration / Citrix Gateway / Policies / RDP Profiles and Connections / Client Profiles
Here we now create the Client Profile. In the Client Profile we can define the settings that should be used for the later session, for example Clipboard, Devices or Printer settings. These policy settings are mandatory for all sessions that are created through the Citrix ADC as RDS Gateway and the RDS Broker.
My Client Profile looks like this. Please make sure that you enter the settings according to your requirements. As RDP Host you should enter your external FQDN, on which your port 3389 (Citrix ADC VIP + vServer) is listening.
Bind your RDP Client Profile to the Session Policy
The next task is to bind the RDP Client Profile to the Session Policy of the Citrix Unified Gateway vServer. To do that I edit the vServer.
There I select the session policy and edit the corresponding profile.
In the tab “Remote Desktop” I enter the created RDP client profile.
When we have done that, we can start creating the bookmarks. Bookmarks are the application and website shortcuts that users will later see in the portal of the Unified Gateway.
Create the Desktop Bookmark and assign it to a Group of Users
I do not want every user to see the desktop of the RDS farm. Therefore, I first create the bookmark and then assign it to a user group afterwards.
The Bookmarks can be created under the following configuration menu item:
Configuration / Citrix Gateway / Resources / Bookmarks
It is important that the option “Use Citrix Gateway as a Reverse Proxy” is activated. For a Desktop you only have to enter the following Bookmark URL. The hostname you enter is any RDS Session Host. When it receives the session request, it redirects it to the RDS Connection Broker, and the session is assigned to the Session Host with the least load.
If you want, you can also use a custom icon for your Desktop or Application.
Create a Bookmark to publish an application on the Portal
If you want to publish an application that is presented by the RDS Farm, you must use a more complex bookmark URL. But do not worry, it is easy to work out. The easiest way is to open the application via the internal RDWeb and open your connection file in an editor. Then all you have to do is put the following information together in order, chained with an “&” in between. Look at this example. In this example, I have entered the finished bookmark URL below. We then enter this URL into our Citrix ADC bookmark.
The finished URL for a Seamless Application therefore looks as follows (all on one line):
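As an added helper, not part of the original article: a PowerShell function that pulls the RemoteApp settings out of the .rdp file that RDWeb hands out and chains them with “&” in a fixed order, so the bookmark string does not have to be assembled by hand. Which keys the ADC expects, and the URL prefix in front of the chained part, are taken from your own screenshot of the finished bookmark, not from this script; the key list and the key=value form below are assumptions, and the .rdp content is a constructed sample.

```powershell
# Added example: build the "&"-chained parameter part of a RemoteApp bookmark URL from an .rdp file.
# Assumptions: the ADC accepts key=value pairs for these .rdp keys (adjust $Keys to match your bookmark).
function ConvertTo-RdpBookmarkQuery {
    param(
        [Parameter(Mandatory)] [string[]] $RdpLines,
        # keys to carry over, in the order they should appear in the URL
        [string[]] $Keys = @('full address', 'remoteapplicationmode', 'remoteapplicationprogram',
                             'remoteapplicationname', 'alternate shell', 'loadbalanceinfo')
    )
    $settings = @{}
    foreach ($line in $RdpLines) {
        # .rdp lines look like "key:type:value"; the value itself may contain ':' (e.g. tsv://...)
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].Trim().ToLower()] = $parts[2] }
    }
    $pairs = foreach ($k in $Keys) {
        if ($settings.ContainsKey($k)) { "$k=$($settings[$k])" }
        else { Write-Warning "key '$k' not present in .rdp file" }   # signature lines etc. are ignored
    }
    return ($pairs -join '&')
}

# Constructed sample of what an RDWeb .rdp file contains (signature block omitted).
$sampleRdp = @(
    'full address:s:broker.example.local',
    'remoteapplicationmode:i:1',
    'remoteapplicationprogram:s:||Calculator',
    'remoteapplicationname:s:Calculator',
    'alternate shell:s:rdpinit.exe',
    'loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Apps',
    'signscope:s:Full Address,Alternate Shell,LoadBalanceInfo'
)
# Real use: $lines = Get-Content 'C:\Users\<you>\Downloads\cpub-Calculator.rdp'
ConvertTo-RdpBookmarkQuery -RdpLines $sampleRdp
```

Prefix the returned string with the same scheme and host part you see in the article’s finished bookmark URL, then paste the whole thing into the Bookmark URL field.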
Now we have created the desired bookmarks. You can create as many as you like. Next we want to assign them to the corresponding users.
Assign the bookmark to a user group
Since our users are already eagerly waiting for the app or the desktop, we now assign them. To do that, go to the following menu item:
Configuration / Citrix Gateway / User Administration / AAA Groups
Here I create a new AAA Group.
To assign a Bookmark (in our case the App or Desktop), you have to edit the AAA Group and bind the Bookmark to it.
That was it. Do not forget to save your configuration on the ADC.
Test your configuration
Now that we have configured everything, we can test the assigned applications. For this, I log on to the Citrix Unified Gateway, and if everything works correctly, my applications are displayed.
I hope the article has helped you and that it can help some in the community. If you have any questions, feel free to contact me on Twitter @thomaspreischl or visit my website https://www.thomaspreischl.de