Palo Alto Networks Knowledgebase: Enabling RDP access to Citrix environment through GlobalProtect Clientless VPN

Enabling RDP access to Citrix environment through GlobalProtect Clientless VPN

3828
Created On 02/07/19 23:52 PM - Last Updated 02/07/19 23:52 PM
Virtual Systems Virtualization
Resolution

GlobalProtect Clientless VPN supports access to remote desktops (RDPs), VNC or SSH. This document provides information on how you can enable your existing Citrix deployment to provide support for RDP through GlobalProtect Clientless VPN.

 

To enable users to access the Citrix environment securely and remotely through GlobalProtect Clientless VPN, Citrix deployment should be configured to support HTML5 based Receiver. HTML5 based receiver uses secure websockets for remote connection to Virtual Delivery Agents (VDAs). This allows the users to access the published desktops and applications from a browser and do not need to install any additional plugins or software on the user's machine.

 

Receiver for HTML5 is only supported with HTML5 capable browsers. For unsupported browsers, the connection will fall back to the traditional Receiver if configured in Storefront. For more detailed setup guide and support contact Citrix Support Team.

 

Steps to configure Citrix Receiver for HTML5:

  1. Enable SSL support on the VDA
  2. Enable Receiver for HTML5 in Storefront
  3. Configure the delivery controller to enable websockets
  4. Enable SSL on the delivery controller

Enable SSL support on VDA

  1. Obtain an SSL Server certificate for all your VDAs. A certificate issue by a trusted third-party root CA is recommended, however a self-signed certificate can also be used.
  2. Install the certificate in the Computer certificate store (not the user store). If the local certificate store on the VDA is used to generate a CSR, ensure that the private key is marked exportable. If a pkcs12 is used to install certificates, ensure that keys are marked exportable during pkcs12 import.

    Once the certificate is installed, it must indicate that certificate private key is available

    certificate.png

     

  3. Note down the certificate thumbprint, as it will be used to associate the certificate with the VDAcertificate 2.png
  4. Once the certificate is installed, navigate to 'Manage private keys' and allow full control and read permissions for ‘PorticaService’. 
    This service can be added by searching for 'NT SERVICE\PorticaService' under the computer directory (not under the domain)
    permissions.png


  5. Open registry editor on Windows and edit the following registry:
    HKLM\System\CurrentControlSet\Control\TerminalServer\Wds\icawd

    At this registry, you need to complete two steps:
    1. Edit the binary value of 'SSLThumbprint' and manually type the thumbprint saved from step 3
    2. Change the DWORD value of SSLEnabled to 1 (from 0)
    registry editor.png

 

Enable Receiver for HTML5

  1. Navigate to Citrix Storefront from Citrix Studio Console
  2. Under Stores, click on the Receiver for Web Sites tab
  3. On the right, select 'Manage Receiver for Web Sites'manage receiver.png
  4. Select the appropriate entry that shows up, and click on Configure
  5. In the configuration wizard, click on 'Deploy Citrix Receiver'. On this page, you can select either of the two deployment options:
    1. Use Receiver for HTML5 if local Receiver is unavailable
    2. Always use Receiver for HTML5
    storefront.png
  6. Click Apply and Exit

 

Configure the Delivery Controller for Websockets

  1. Under Citrix Studio, navigate to Policies.
  2. Click on 'Create Policy' on a right. Avoid editing the default policy - Unfiltered
  3. In the create policy wizard, search for 'websocket' on the Settings pagecitrix.png
  4. Click on Edit across 'WebSockets connections and select 'Allowed'. Click Ok

    edit settings.png
  5. Similarly, edit WebSockets port number and use value 8008. You can also check the box that says Use default value:8008

    edit settings 2.png
  6. Next, edit Websockets trusted origin server list and use a value of '*'

    edit settings 3.png
  7. On the next page, assign this policy to the appropriate delivery group that was initially created.studio.pngassign policy.png
  8. Finally, provide a name for the policy and check the 'Enable policy' boxstudio2.png

Enable SSL on the delivery controller server

  1. Open Windows PowerShell as an Administrator
  2. Enter the following commands one at a time

    Asnp citrix.*
    Get-BrokerAccessPolicyRule –DesktopGroupName ‘GROUPNAME’ | Set-BrokerAccessPolicyRule –HdxSslEnabled $true
    Set-BrokerSite –DnsResolutionEnabled $true

At this point Receiver for HTML5 should be enabled. When users navigate to Storefront URL, they should see two options on the webpage. An option to install the traditional Receiver, or an option to use the light version (HTML5 version).

Choosing the light version will take them to a logon screen, where they can authenticate using their AD credentials and access published desktops or applications.

 

User experience when using Citrix Receiver for HTML5

citrix forefront.pngwin 10 desktop.png



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRwCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language