How to Quickly and Easily Provide Home Office Workstations (Not Only During the Outbreak of COVID-19)

By Thomas Preischl posted 03-05-2020 01:33 PM


Everyone is currently talking about COVID-19. In view of the current rapid spread and the danger of infection, many companies are reacting. They want to protect their employees, customers and partners. The most obvious solution in this case is to provide employees with access to their workplace from home. But how is it possible to do this in a simple and fast way without a comprehensive project or a virtual desktop environment? 

A simple and very effective way is to give users access via a Citrix ADC that acts as a remote desktop proxy. Such a configuration can be set up within a few hours and offers comprehensive protection and easy administration.


Configuration on Citrix ADC

As a prerequisite in my case, I only used a pre-installed and basic Citrix ADC VPX.

The Citrix ADC must have an ADC Advanced or ADC Premium license. Citrix Gateway Universal licenses are also required for each user; these usually come with ADC Advanced (1,000 licenses) and ADC Premium (unlimited). In addition, the Citrix ADC must be able to reach, via its Subnet IP (SNIP), port 3389 (RDP) on every client PC that is to be made available externally later. The NetScaler IP (NSIP) must also be able to reach an Active Directory domain controller on port 636 (LDAPS) or 389 (LDAP); LDAPS is preferable, because over 389 the service account bind and the users' logins cross the network unencrypted. On the client PCs your users will connect to, port 3389 (RDP) must be open on the host firewall and the users must be allowed to use Remote Desktop.
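Before clicking through the wizard, it is worth confirming that the three paths above are actually open. The script below is an added example and not code from the article or from Citrix: it does a plain TCP connect (no RDP or LDAP handshake) to each listed port from the host it runs on. The hosts in PREREQS are placeholder addresses; run it from a machine in the SNIP's subnet for the 3389 checks and in the NSIP's subnet for the LDAP check, since the ADC itself is not involved and the result only reflects the firewalls on the path from that vantage point.

```python
"""Prerequisite port check for the RDP-proxy setup.

Added example, not code from the article or from Citrix. It confirms with a
plain TCP connect (no RDP or LDAP handshake) that the ports the article lists
are reachable from the host it runs on.
"""
import socket

# Constructed inventory: (label, host, port). Addresses are placeholders.
PREREQS = [
    ("domain controller LDAPS (NSIP -> DC)", "192.0.2.10", 636),
    ("office PC RDP (SNIP -> client)", "192.0.2.101", 3389),
]


def check_tcp(host, port, timeout=3.0, source_address=None):
    """Return (ok, detail). A refusal and a timeout point at different fixes:
    nothing is listening versus a firewall silently dropping the SYN."""
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=source_address):
            return True, "open"
    except socket.timeout:
        return False, "timeout (filtered by a firewall, or host unreachable)"
    except ConnectionRefusedError:
        return False, "refused (port closed, nothing listening)"
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def check_prerequisites(items=PREREQS, timeout=3.0, source_address=None):
    """Run every check; returns {label: (ok, detail)}. source_address lets a
    multi-homed host pick the interface that sits in the SNIP or NSIP subnet."""
    return {label: check_tcp(host, port, timeout, source_address)
            for label, host, port in items}


class LocalListener:
    """Throw-away listener on 127.0.0.1 so the check can be exercised offline.
    It never calls accept(); the kernel still completes the handshake from the
    backlog, and close() releases the port so a retry is refused."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    for label, (ok, detail) in check_prerequisites().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

A timeout on the 3389 check usually means the client PC's host firewall has not been opened for Remote Desktop; a refusal means the PC is reachable but Remote Desktop is not enabled on it.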

I have already imported the SSL certificate.

Before we can start the configuration, let's enable the feature "RDP Proxy." You can find this under: System | Settings | Configure Advanced Features


01.png

I will now first explain the configuration on the Citrix ADC.

To do this, first select the menu item "Unified Gateway" in the configuration of the Citrix ADC:


02.png

Now we start the configuration with a click on "Get Started."



03.png


Next, we fill in the IP address (VIP) of our Citrix Gateway. This must be reachable from the internet on port 443 (the port can also be changed here), typically through a NAT rule on your firewall. In addition, we assign a name for our gateway configuration and enter the FQDN. Click "Continue."


04.png

In the next step, we choose our SSL certificate. In my case, I have used a Let's Encrypt certificate, which must be renewed every 90 days (but, hey, it's free 😉). If necessary, you can now add one and confirm the whole thing with "Continue."


05.png

Now you can check the chain of the certificate. Ours is fine, so let's move on.

06.png
In the next step, we now enter the Active Directory connection information. I have created a service account for this. This account has only read access to the Active Directory, which is sufficient. With a click on "Test Connection" you can check if the connection works:

07.png
Now we can add a portal theme. Go on to the next step:

08.png

We are not yet adding any applications. Close the wizard with "Continue."

09.png

The base configuration of our Citrix ADC Unified Gateway is now done.

10.png 

Add an RDP Profile

Now we go to the following menu item in the Citrix ADC configuration and add an RDP profile there: Citrix Gateway | Policies | RDP Profiles and Connections | Client Profiles

The RDP profile should look like this (I have only changed the name of the RDP file the user later downloads; you can change the other settings as you want):

11.png

Next we have to adjust our session policy for our Gateway. You can find the gateway under: Citrix Gateway | Citrix Gateway Virtual Servers

Here, we select "Edit" and jump to the Session Policies.


12.png

Now we edit these according to our requirements.


13.png

Choose your session policy. In our case, only one is set and bound here. Select it and go to "Edit Profile."


14.png

Here, we must first enter our Single Sign-on domain. We do this under "Published Applications." If you don't want to use it, you can leave it out, but then the users have to enter their login name in the form "Domain\Username".

We will adapt this for our case.


15.png


Then we bind our just-created RDP profile. We do that under "Remote Desktop."


16.png


That's about it.


Provide fixed RDP Sessions, if necessary.

If necessary, you can now define fixed RDP destinations using bookmarks. You can do this directly on the Unified Gateway Virtual Server: add a URL under Published Applications.


17.png

18.png


In my case, I'm not doing it. I want my users to be able to enter and establish connections to their office PC themselves.


How users can add connections and connect from outside.

Users can now connect externally on the Citrix ADC via the FQDN of the Unified Gateway.

So, log in with your Username and Password.


19.png


Now choose "Clientless Access."

20.png

On the overview page, users can now enter their own RDP connection using their PC name or IP address. To do this, users must click on the "Add" button in the "Personal Web Sites" area.

Connections added by the user can be removed later with "Remove."

21.png


The settings for an RDP connection should look as follows. In addition to the name for the RDP connection, the PC name or IP address followed by port 3389 (for RDP) is entered here. I have added a description. Please do not forget to check the box "RDP Link." Then you can create the link with "Add."


22.png


Once we have created the link, we can click on it in the "Personal Web Sites" section and we will be offered an RDP file for download. We can then save it or start it directly.


23.png

Here you can also get the CLI commands for your Citrix ADC:

# Replace the following placeholders before pasting:
#   192.168.1.200              < IP address of your Active Directory domain controller (LDAP server)
#   192.168.1.120              < IP address of your Gateway VIP
#   dc=lab,dc=local            < your LDAP bind base
#   joe@ad.thomaspreischl.de   < service user for the Citrix ADC LDAP connection
#   PASSWORD                   < its password
#   login.thomaspreischl.de    < your FQDN
#   lab.local                  < your SSO domain
#   login                      < name of your already imported certificate-key pair

enable ns feature RDPProxy

# LDAPS connection to Active Directory (port 636, -secType SSL) and the
# authentication policy that is bound to the gateway further down
add authentication ldapAction 192.168.1.200_LDAP -serverIP 192.168.1.200 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn joe@ad.thomaspreischl.de -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL
add authentication ldapPolicy 192.168.1.200_LDAP_pol ns_true 192.168.1.200_LDAP

# Content switching vserver on the VIP, forwarding gateway traffic to the VPN vserver
add cs vserver RemoteGateway SSL 192.168.1.120 443 -cltTimeout 180 -persistenceType NONE
add vpn vserver UG_VPN_RemoteGateway SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -vserverFqdn login.thomaspreischl.de
add cs action UG_CSACT_RemoteGateway -targetVserver UG_VPN_RemoteGateway
add cs policy UG_CSPOL_RemoteGateway -rule is_vpn_url -action UG_CSACT_RemoteGateway
bind cs vserver RemoteGateway -policyName UG_CSPOL_RemoteGateway -priority 63000

# RDP client profile (name of the downloaded .rdp file) and the session policy that references it
add rdp clientprofile RDP -rdpFileName remotePC.rdp
add vpn sessionAction UG_VPN_SAct_192.168.1.120 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
add vpn sessionPolicy UG_VPN_SPol_192.168.1.120 true UG_VPN_SAct_192.168.1.120

# TLS settings of the gateway
set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED -dtls1 DISABLED

# Bindings: portal theme, authentication policy, caching policies, session policy
bind vpn vserver UG_VPN_RemoteGateway -portaltheme X1
bind vpn vserver UG_VPN_RemoteGateway -policy 192.168.1.200_LDAP_pol
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_RemoteGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_RemoteGateway -policy UG_VPN_SPol_192.168.1.120 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST

# Certificate and ECC curves
bind ssl vserver UG_VPN_RemoteGateway -certkeyName login

bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_256
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_384
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_224
bind ssl vserver UG_VPN_RemoteGateway -eccCurveName P_521

bind ssl vserver RemoteGateway -eccCurveName P_256
bind ssl vserver RemoteGateway -eccCurveName P_384
bind ssl vserver RemoteGateway -eccCurveName P_224
bind ssl vserver RemoteGateway -eccCurveName P_521
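A script like the one above is easy to break while replacing placeholders: a bind that names a policy which was never added, an action referenced before it exists, or a vserver whose TLS settings were never tightened. The following lint is an added example and not code from the article or from Citrix. It parses NetScaler-style add/bind/set lines, checks that every referenced object is defined earlier in the snippet, and flags an LDAP action without -secType SSL/TLS and an SSL vserver without an explicit "-ssl3 DISABLED". The embedded SAMPLE is a constructed, shortened snippet in the shape of the article's script with placeholder names and addresses; its "add authentication ldapPolicy" line is deliberately left out so there is something to find, and FIXED is the same snippet with the gaps closed.

```python
"""Offline consistency lint for a Citrix ADC (NetScaler) CLI snippet.

Added example, not code from the article or from Citrix: it reports references
to objects that are missing or defined too late, plus two weak settings, before
the commands are pasted into a real appliance.
"""
import shlex
from collections import defaultdict

# Constructed sample in the shape of the article's script; names and addresses
# are placeholders. The `add authentication ldapPolicy` line is deliberately
# missing, and the cs vserver never gets `-ssl3 DISABLED`.
SAMPLE = """
enable ns feature RDPProxy
add authentication ldapAction LDAP_act -serverIP 192.0.2.10 -serverPort 636 -ldapBase "dc=lab,dc=local" -ldapBindDn svc@lab.local -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -secType SSL
add cs vserver RemoteGateway SSL 192.0.2.120 443 -persistenceType NONE
add vpn vserver UG_VPN_RemoteGateway SSL 0.0.0.0 -loginOnce ON -vserverFqdn login.example.test
add cs action UG_CSACT -targetVserver UG_VPN_RemoteGateway
add cs policy UG_CSPOL -rule is_vpn_url -action UG_CSACT
bind cs vserver RemoteGateway -policyName UG_CSPOL -priority 63000
add rdp clientprofile RDP -rdpFileName remotePC.rdp
add vpn sessionAction SAct -SSO ON -ntDomain lab.local -clientlessVpnMode ON -rdpClientProfileName RDP
add vpn sessionPolicy SPol true SAct
set ssl vserver UG_VPN_RemoteGateway -ssl3 DISABLED -tls13 ENABLED
bind vpn vserver UG_VPN_RemoteGateway -policy LDAP_pol
bind vpn vserver UG_VPN_RemoteGateway -policy SPol -priority 58000 -gotoPriorityExpression NEXT -type REQUEST
"""

# Same snippet with both gaps closed (the policy is added before its bind).
FIXED = SAMPLE.replace(
    "bind vpn vserver UG_VPN_RemoteGateway -policy LDAP_pol",
    "add authentication ldapPolicy LDAP_pol ns_true LDAP_act\n"
    "bind vpn vserver UG_VPN_RemoteGateway -policy LDAP_pol",
) + "set ssl vserver RemoteGateway -ssl3 DISABLED\n"


def parse(cli_text):
    """Yield (verb, noun, positional args, {flag: value}) per command line.
    Flags are lower-cased; every flag used in this snippet takes one value."""
    for raw in cli_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if len(toks) < 3:
            continue
        verb, noun = toks[0].lower(), f"{toks[1].lower()} {toks[2].lower()}"
        pos, flags, rest, i = [], {}, toks[3:], 0
        while i < len(rest):
            if rest[i].startswith("-"):
                flags[rest[i][1:].lower()] = rest[i + 1] if i + 1 < len(rest) else ""
                i += 2
            else:
                pos.append(rest[i])
                i += 1
        yield verb, noun, pos, flags


def lint(cli_text):
    """Return a list of findings; an empty list means the snippet is consistent."""
    defined = defaultdict(set)            # noun -> names added so far (order matters)
    ssl_vservers, ssl3_off, findings = [], set(), []

    def need(noun, name, where):
        # Built-in objects (leading underscore) exist on every appliance.
        if not name.startswith("_") and name not in defined[noun]:
            findings.append(f"{where}: references {noun} '{name}' that is not defined above")

    for verb, noun, pos, flags in parse(cli_text):
        name = pos[0] if pos else ""
        third = pos[2] if len(pos) > 2 else ""    # ACTION in `add ... NAME RULE ACTION`
        where = f"{verb} {noun} {name}"
        if verb == "add":
            if noun == "cs action":
                need("vpn vserver", flags.get("targetvserver", ""), where)
            elif noun == "cs policy":
                need("cs action", flags.get("action", ""), where)
            elif noun == "vpn sessionpolicy":
                need("vpn sessionaction", third, where)
            elif noun == "authentication ldappolicy":
                need("authentication ldapaction", third, where)
            elif noun == "vpn sessionaction" and "rdpclientprofilename" in flags:
                need("rdp clientprofile", flags["rdpclientprofilename"], where)
            elif noun == "authentication ldapaction" and \
                    flags.get("sectype", "PLAINTEXT").upper() not in ("SSL", "TLS"):
                findings.append(f"{where}: LDAP bind is cleartext (no -secType SSL or TLS)")
            if noun in ("cs vserver", "vpn vserver") and len(pos) > 1 and pos[1].upper() == "SSL":
                ssl_vservers.append(name)
            defined[noun].add(name)
        elif verb == "bind":
            if noun == "cs vserver":
                need("cs vserver", name, where)
                need("cs policy", flags.get("policyname", ""), where)
            elif noun == "vpn vserver":
                need("vpn vserver", name, where)
                pol = flags.get("policy", "")     # a session policy or an authentication policy
                if pol and not pol.startswith("_") and pol not in (
                        defined["vpn sessionpolicy"] | defined["authentication ldappolicy"]):
                    findings.append(f"{where}: references policy '{pol}' that is not defined above")
            # -certkeyName is not checked: the certificate is imported outside the script.
        elif verb == "set" and noun == "ssl vserver" and flags.get("ssl3", "").upper() == "DISABLED":
            ssl3_off.add(name)

    for vs in ssl_vservers:
        if vs not in ssl3_off:
            findings.append(f"ssl vserver {vs}: SSLv3 not explicitly disabled (set ssl vserver {vs} -ssl3 DISABLED)")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE, FIXED):
        print(lint(text) or ["clean"])
```

Run against the article's own block the same way (paste it into a string) before applying it on the appliance; the check only needs the text, not access to the ADC.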

 
I hope this article helps you to provide your users with a safe and fast alternative as a home office workplace. Have a good time and don't get infected ;)

You can also visit or book me on my website: https://www.thomaspreischl.de or follow me on twitter: ThomasPreischl.

#CitrixADC
#NetScaler_Gateway
#Flexible_Working
#Citrix_Gateway

Comments

03-06-2020 09:19 PM

Excellent article. Thank you!