RDP access via Citrix

Hi All,

We are running Citrix 4.0 Enterprise.

On our Web Interface we have published a Remote Desktop. This is mainly for server admins to utilise so they can then RDP from that one to another server they may need to administer.

Some users now want to be able to access their PCs from home via Citrix. Am I correct in thinking that we only need to add their account to the Remote Desktop Users group on their local workstation? There is no need to open any extra ports, as long as the RDP port (not sure which port this is?) is open between the Presentation Server that has the Published Desktop and the workstations? In effect, they are RDP'ing from that PS to their workstation, and Citrix/ICA is not involved once they initially connect to the desktop on that PS?

Hope I'm making myself clear :)
StarAdam Commented:
If you have an RDP icon published on the WebI, and if users are going to be accessing it from home, then of course port 3389 needs to be opened for sure; if not all, you may also like to consider opening Citrix port 1494 as well. Furthermore, because this is going to be running on Terminal Services, certain security policies need to be applied accordingly on each user's machine, as I'll highlight below:

Firstly, you may add the users into the Remote Desktop Users group on their machines, but the group also needs to be added into the "Allow log on through Terminal Services" and "Bypass Traverse Checking" policies in the Local Security Policy on their respective machines. I have actually taken a screenshot of the Local Policy and the group policies for roaming profile users for you to get a clear picture of it.

Please take a look at an attached file and let me know if that works for you :)

TCP Port 3389 is the RDP port.
I don't think that this will work as you have planned. RDP is only the protocol used by the client to access resources on the FARM, not on their own PCs. You can create a customized mstsc.exe shortcut for EVERY user that will be provided access to his PC.

The ICA protocol is MUCH faster than RDP, so I think that you do not need the RDP protocol at all. And yes, its dedicated port is 3389.

snusgubben Commented:
It will work as long as:

1. The terminal server can connect to the user's PC on TCP 3389
2. The user that logged on to the web interface is in the local Remote Desktop Users group on the PC
3. The user needs to know the IP or FQDN of his/her PC (if you don't make an RDP connection file for each user)

4. And of course the home PC will need the XenApp web client and must be able to reach the web interface.
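As an added example (not from the thread or any participant), the following PowerShell script verifies the workstation-side conditions listed above on the user's PC: RDP is enabled, the listener is up on the configured port, the Windows Firewall "Remote Desktop" rule group is on, and the account is in the local Remote Desktop Users group. The account name and server name are constructed placeholders, and the script assumes Windows 10/Server 2016 or later for Get-LocalGroupMember and the Net* cmdlets.

```powershell
# Added example: RDP readiness check, run elevated on the user's workstation.
param(
    [string]$TargetUser     = 'CONTOSO\jdoe',  # constructed sample account
    [string]$TerminalServer = 'ps01'           # assumed Presentation Server name
)

$results = @()

# Condition: RDP connections allowed (fDenyTSConnections = 0 means allowed)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$results += [pscustomobject]@{ Check = 'RDP enabled (fDenyTSConnections=0)'
                               Pass  = ($ts.fDenyTSConnections -eq 0) }

# RDP listens on 3389 unless PortNumber was changed; read the configured value
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = $rdpTcp.PortNumber

# Condition: the listener is actually bound (what the server will connect to)
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Listening on TCP $port"
                               Pass  = [bool]$listener }

# Condition: host firewall allows inbound RDP (built-in 'Remote Desktop' rule group)
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$results += [pscustomobject]@{ Check = "Firewall 'Remote Desktop' inbound rules enabled"
                               Pass  = [bool]$fwRules }

# Condition: the user is in the local Remote Desktop Users group
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
           Select-Object -ExpandProperty Name
$results += [pscustomobject]@{ Check = "$TargetUser in Remote Desktop Users"
                               Pass  = ($members -contains $TargetUser) }

$results | Format-Table -AutoSize

# The remaining condition (server reaches the PC on $port) must be tested from
# the Presentation Server itself, e.g. on $TerminalServer run:
#   Test-NetConnection -ComputerName <this PC's FQDN> -Port $port
Write-Host "From $TerminalServer run: Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $port"
```

A failed "Listening" or firewall check explains a connection refused from the server side even when the group membership is correct.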


chuckyh Commented:
This could be the beginning of a big headache for you. I would recommend against it.

1. I would not give desktop access to "users". It opens up a big security hole.
2. ICA then RDP into another machine is OK when you need to make an adjustment to a server setting, but if users are going to try and do "work" I think you will get complaints about performance.
kam_uk (Author) Commented:
Thanks guys...

Out of interest, why would they need the "Bypass Traverse Checking" enabled?
zoubi77 Commented:

This privilege does not allow the user to list the contents of a directory, only to traverse directories. It determines which users can traverse directory trees even though the user may not have permissions on the traversed directory.
Yep, that's correct, thanks Zoubi77.

Right, so did you try with the settings that I highlighted to you? Let me know if that works. I run a Citrix environment and I encounter similar issues to the ones you are on about.

Keep me updated on that and let us know if anything else is needed :)
kam_uk (Author) Commented:
Thanks guys, but I'm still unclear *why* users would need "Bypass Traverse Checking"? Why would they want to do this?
Because sometimes you want a user to access some subfolder but not the folders higher up. For example, we have the folder structure share\map\goodies and you want to grant the user access only on goodies. But if he wants to get to that folder, he must first click on share, then on map, and finally on goodies. If he has no NTFS rights on the share or map folder, he will automatically be denied access and will not even be able to get (traverse) to the goodies folder.

Not so complicated as it may look at first sight.