RDP access via Citrix

Posted on 2009-05-13
Medium Priority
Last Modified: 2013-11-21
Hi All,

We are running Citrix 4.0 Enterprise.

On our Web Interface we have published a Remote Desktop. This is mainly for server admins to utilise so they can then RDP from that one to another server they may need to administer.

Some users now want to be able to access their PCs from home via Citrix. Am I correct in thinking that we only need to add their account to the Remote Desktop Users group on their local workstation? There is no need to open any extra ports - as long as the RDP port (not sure which port this is?) is open between the Presentation Server that has the Published Desktop and the workstations? In effect, they are RDP'ing from that PS to their workstation, Citrix/ICA is not involved once they initially connect to the desktop on that PS?

Hope I'm making myself clear :)
Question by: kam_uk

Expert Comment

ID: 24382126
TCP Port 3389 is the RDP port.

Expert Comment

ID: 24382247
I don't think that this will work as you have planned. RDP is only the protocol used by the client to access resources on the FARM, not on their own PCs. You can create a customized mstsc.exe shortcut for EVERY user that will be provided access to his PC.

The ICA protocol is MUCH faster than RDP, so I think that you do not need the RDP protocol at all. And yes, its dedicated port is 3389.
LVL 21

Assisted Solution

snusgubben earned 400 total points
ID: 24382604
It will work as long as:

1. The terminal server can connect to the user's PC on TCP 3389
2. The user that logged on to the web interface is in the local Remote Desktop group on the PC
3. The user needs to know the IP or FQDN of his/her PC (if you don't make an RDP connection file for each user)
4. And of course the home PC will need the XenApp web client and must reach the web interface.



LVL 18

Assisted Solution

chuckyh earned 200 total points
ID: 24384235
This could be the beginning of a big headache for you. I would recommend against it.

1. I would not give desktop access to "users". It opens up a big security hole.
2. ICA then RDP into another machine is ok when you need to make an adjustment on a server setting, but if users are going to try and do "work" I think you will get complaints about performance.

Accepted Solution

StarAdam earned 1200 total points
ID: 24386034
If you have an RDP icon published on the WebI and users are going to be accessing it from home, then of course port 3389 needs to be opened for sure, if not all; you may also like to consider opening Citrix port 1494 as well. Furthermore, because this is going to be running on Terminal Services, certain security policies need to be applied accordingly on each user's machine, as I'll highlight below:

Firstly, you may add the users into the Remote Desktop Users group on their machines, but the group also needs to be added into the "Allow log on through Terminal Services" and "Bypass Traverse Checking" policies in the Local Security Policy on their respective machines. I have actually taken a screenshot of the Local Policy and the group policies for roaming profile users for you to get a clear picture of it.

Please take a look at an attached file and let me know if that works for you :)
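Added example, not part of the thread or any poster's code: a Python check of the two user rights named in the answer above, read from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export taken on the workstation. The export text below is constructed, and `CORP\helpdesk` is a hypothetical account; the SIDs are the well-known ones for Remote Desktop Users, Everyone and Authenticated Users.

```python
# Added example (not from the thread): audit the two user rights named above.
RDP_USERS = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
RIGHTS = {
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
}

# Constructed sample export, not taken from a real machine.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,CORP\\helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(text):
    """Return {right name: [SID or account name, ...]} from the export text."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def audit(text):
    """Per right: how Remote Desktop Users holds it, plus non-SID holders to review."""
    rights, report = parse_rights(text), {}
    for name in RIGHTS:
        holders = rights.get(name, [])
        if RDP_USERS in holders:
            status = "direct"
        elif any(h in BROAD for h in holders):
            status = "via-broad-group"   # covered by Everyone / Authenticated Users
        else:
            status = "missing"
        report[name] = (status, [h for h in holders if not h.startswith("S-1-")])
    return report
```

secedit writes the export as UTF-16, so a real file should be read with `open(path, encoding="utf-16")` before being passed to `audit`. Any account listed by name under `SeRemoteInteractiveLogonRight` is an RDP logon grant beyond the built-in groups and is worth reviewing.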


Author Comment

ID: 24389883
Thanks guys...

Out of interest, why would they need the "Bypass Traverse Checking" enabled?

Assisted Solution

zoubi77 earned 200 total points
ID: 24392505

This privilege does not allow the user to list the contents of a directory, only to traverse directories. Determines which users can traverse directory trees even though the user may not have permissions on the traversed directory.

Expert Comment

ID: 24394979
Yep, that's correct, thanks Zoubi77.

Right, so did you try with the settings that I highlighted to you? Let me know if that works. I run a Citrix environment and I encounter similar issues to the ones you are on about.

Keep me updated on that and let us know if anything else is needed :)

Author Comment

ID: 24397125
Thanks guys, but I'm still unclear *why* users would need "Bypass Traverse Checking"? Why would they want to do this?

Expert Comment

ID: 24397362
Because sometimes you want a user to access some subfolder but not a folder higher up. For example, we have the folder structure share\map\goodies and you want to grant the user access only on goodies. But if he wants to get to that folder, he must first click on share, then on map and finally on goodies. If he has no NTFS rights on the share or map folder, he will be automatically denied access and will not even be able to get (traverse) to the goodies folder.

Not so complicated as it may look at first sight.


Question has a verified solution.
