
Netscaler Rdp Proxy



The RDP IP is the NetScaler Gateway VIP, together with the desired port for RDP connections to the NetScaler Gateway virtual server. Specify a pre-shared key and take note of it; it will be used in Step 2.

NOTE: As of NetScaler 12.1, there is a new feature called RDPRedirection which adds support for RDPProxy with Connection Broker.

In this case keep in mind that we're not talking about NetScaler's native RDP Proxy feature as described by Carl Stalhood in his article. Instead we're utilizing the Content Switching and Unified Gateway features in order to use NetScaler as a frontend for your RDS Gateway and RDWeb, and pass traffic through NetScaler.


Since NetScaler 10.5 you are able to enable RDP Proxy per NetScaler Gateway virtual server. However, to enable this function you needed to install a specific enhancement build. Since NetScaler 11.0 RDP Proxy is directly available.


A list containing the majority of Citrix ADC (formerly NetScaler ADC) support articles collated to make this page a one stop place for you to search for and find information regarding any issues you have with the product and its related dependencies.


The page is updated daily with new support articles and information. Articles will change from time to time, and if information here is outdated or incorrect please let me know using the comments. Links may also expire or change, so if you find broken links, please again let me know. For each issue, known affected product versions are recorded; however, that does not mean product versions that aren't listed are not affected.

There is a search box that you can use if looking for a specific fault. For example, if you have an error code or error message, use that to perform a search. You can also use your browser's search feature, which will perform a search against the whole page based on the words you enter.

NetScaler / Citrix ADC:

| ID | Brief Description of Issue | Brief Description of Fix | Applicable Product Versions Affected (if known) | Link to supplemental Support Article(s) |
|---|---|---|---|---|
| 1 | In the Persistency Table, you can only see one backend server connection mapped to the source client; however, when running command 'show ns connection table' you can see connections from the source client to multiple backend servers. | Upgrade to 11.1.54.14. | | https://support.citrix.com/article/CTX227016 |
| 2 | When more than one interface is in the same VLAN, you observe MAC moves and MAC conflicts between the NICs. | Move the affected NICs into different VLANs or else aggregate the interfaces into a link aggregated channel. | | https://support.citrix.com/article/CTX224626 |
| 3 | When editing a document through the local machine you receive error 'Cannot open a file, incorrect syntax or file path'. | A Wireshark trace shows that the client was sending a request to a server not configured on any of the Content Switching policies. Once the server was mapped to a Load Balanced Virtual Server the document was editable through the local machine. | | https://support.citrix.com/article/CTX226892 |
| 4 | Content Switching Virtual Server sends traffic to the wrong Load Balancing Virtual Server, resulting in users receiving 404 HTTP responses. | Enable 'Drop Invalid HTTP Headers' on NetScaler. When the Content Switch receives an invalid/corrupt HTTP header, subsequent packets from the same source IP may be redirected to an incorrect destination. | | https://support.citrix.com/article/CTX226724 |
| 5 | When trying to add a new node to a cluster, you receive error 'Invalid interface name/number'. | Make sure you are not using an incorrect backplane interface ID number. | | https://support.citrix.com/article/CTX220432 |
| 6 | When connecting to RDP via NetScaler Clientless VPN bookmarks, the RDP window terminates with error 'An internal error has occured' and the NetScaler resets the backend connection with reset code 9952. | This is caused by a domain mismatch in the LDAP Profile. The SSO Name attribute should be set to 'SamAccountName'. | | https://support.citrix.com/article/CTX226709 |
| 7 | In a High Availability setup, an unusually large spike in the number of persistent connections may result in underperformance of the Secure Socket Funneling channel between the primary and secondary node. This underperformance can eventually lead to session build-up on the primary node and cause persistence to fail. Users are then sent to backend servers based on the Load Balancing method. | This is a known issue and will be resolved from NetScaler versions 12.0.53.x, 11.1.56.x and 11.0.70.x. As a workaround you can enable Nagle's Algorithm and disable Window Scaling on the 'nstcp_internal_apps' TCP profile. | | https://support.citrix.com/article/CTX226583 |
| 8 | You are unable to bind multiple services to a Load Balancing Virtual Server at the same time using the GUI. | Upgrade to NetScaler version 11.1.53.x. | NetScaler 11.1.51.x and 11.1.52.x. | https://support.citrix.com/article/CTX226582 |
| 9 | The NetScaler Gateway Plugin interrupts DHCP requests that should be sent through the physical interface. Instead these requests are sent through the VPN tunnel. | This is a known issue. For Windows devices, the issue is fixed in 11.1 and 11.0.67.x. For Mac, a fix should be coming as part of the 'High Sierra' Mac plugin update. | | https://support.citrix.com/article/CTX226379 |
| 10 | Applications launched through NetScaler fail with no specific error. The loading dialog box appears and then disappears. There is no issue with launches internally via StoreFront direct. | NetScaler tried to resolve the VDA's FQDN over UDP and the DNS response is received with a truncated bit. NetScaler should initiate a DNS query over TCP for the same FQDN but does not. This issue is being worked on by Citrix. As a workaround you can either add the VDA FQDN as a DNS A record directly on NetScaler or else reduce the size of the DNS response so that it can be accommodated in 512 bytes. | | https://support.citrix.com/article/CTX226338 |

Symptoms or Error

Users are not able to launch RDP after connecting through RDP Proxy.
After logging in successfully they are able to click on RDP Application and download the 'app.rdp' file.
We observe this error message on the client PCs.
When taking a packet capture on Netscaler or Backend Server we notice no connections opened towards the Backend Server for RDP Application on TCP Port 3389.

Solution

Some network firewalls deployed between clients and NetScaler can block or TCP-reset incoming connections after the 'app.rdp' file is downloaded and launched, even though this traffic is on the same destination port 443 that was used earlier to connect to the VPN and download the RDP file.
  • We may need to allow applications such as Ms-rdp, Ssl, Cotp, T.120 in the firewall rules to allow this traffic.




