Solved

RDP access via Citrix

Posted on 2009-05-13
Last Modified: 2013-11-21
Hi All,

We are running Citrix 4.0 Enterprise.

On our Web Interface we have published a Remote Desktop. This is mainly for server admins to utilise so they can then RDP from that one to another server they may need to administer.

Some users now want to be able to access their PCs from home via Citrix. Am I correct in thinking that we only need to add their account to the Remote Desktop Users group on their local workstation? There is no need to open any extra ports - as long as the RDP port (not sure which port this is?) is open between the Presentation Server that has the Published Desktop and the workstations? In effect, they are RDP'ing from that PS to their workstation, Citrix/ICA is not involved once they initially connect to the desktop on that PS?

Hope I'm making myself clear :)
0
Question by:kam_uk
10 Comments
 

Expert Comment

by:john275
ID: 24382126
TCP Port 3389 is the RDP port.
0
 
LVL 8

Expert Comment

by:zoubi77
ID: 24382247
I don't think that this will work as you have planned. RDP is only the protocol used by the client to access resources on the FARM, not on their own PCs. You can create a customized mstsc.exe shortcut for EVERY user that will be provided access to his PC.

ICA protocol is MUCH faster than RDP, so I think that you do not need RDP protocol at all. And yes, its dedicated port is 3389.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 100 total points
ID: 24382604
It will work as long as:

1. The terminal server can connect to the user's PC on TCP 3389
2. The user that logged on to the web interface is in the local Remote Desktop group on the PC
3. The user needs to know the IP or FQDN of his/her PC (if you don't make an RDP connection file for each user)
4. And of course the home PC will need the XenApp web client and must reach the web interface.


SG

0
 
LVL 18

Assisted Solution

by:chuckyh
chuckyh earned 50 total points
ID: 24384235
This could be the beginning of a big headache for you. I would recommend against it.

1. I would not give desktop access to "users". It opens up a big security hole.
2. ICA then RDP into another machine is ok when you need to make an adjustment on a server setting, but if users are going to try and do "work" I think you will get complaints about performance.
0
 

Accepted Solution

by:
StarAdam earned 300 total points
ID: 24386034
If you have the RDP icon published on the WebI and if users are gonna be accessing it from home, then of course port 3389 needs to be opened for sure, if not all; you may also like to consider opening Citrix port 1494 as well. Furthermore, cuz this is gonna be running on Terminal Services, certain security policies need to be applied accordingly on each user's machine, as I'll highlight below:

Firstly, you may add the users into the Remote Desktop Users group on their machines, but the group also needs to be added into the "Allow log on through Terminal Services" and "Bypass Traverse Checking" policies in the Local Security Policy on their respective machines. I have actually taken a screenshot of the Local Policy and the group policies for roaming profile users for you to get a clear picture of it.

Please take a look at an attached file and let me know if that works for you :)

AK
Terminal-Service-Policies.doc
0
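
A read-only check of the prerequisites named in the answers above (RDP enabled, Remote Desktop Users membership, the two user rights from the accepted answer, and the source scope of TCP 3389), to be run on the user's workstation. This is an added example and not part of any poster's reply; the account name `CONTOSO\jdoe` is a hypothetical placeholder, and the script assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example: read-only audit, run elevated on the user's workstation.
$User = 'CONTOSO\jdoe'   # hypothetical placeholder account

# 1. Is RDP enabled at all? (fDenyTSConnections = 0 means connections are allowed)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"RDP enabled: $($ts.fDenyTSConnections -eq 0)"

# 2. Members of the local Remote Desktop Users group (well-known SID S-1-5-32-555)
$members = Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object -ExpandProperty Name
"Remote Desktop Users: $($members -join ', ')"
"$User is a direct member: $($members -contains $User)"

# 3. Who holds the two user rights named in the thread?
#    SeRemoteInteractiveLogonRight = "Allow log on through Terminal Services"
#    SeChangeNotifyPrivilege       = "Bypass traverse checking"
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeChangeNotifyPrivilege') {
    $line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim().TrimStart('*')      # secedit writes SIDs as *S-1-...
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($entry)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                     # already a name, or an unresolvable SID
        }
    }
    "${right}: $($holders -join ', ')"
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Which sources may reach TCP 3389? Ideally only the Presentation Server, never 'Any'.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = $remote -join ', '
            OpenToAny     = ($remote -contains 'Any')
        }
    }
```

Reachability from the other side can be confirmed on the Presentation Server with `Test-NetConnection -ComputerName <workstation> -Port 3389`.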
LVL 3

Author Comment

by:kam_uk
ID: 24389883
Thanks guys...

Out of interest, why would they need the "Bypass Traverse Checking" enabled?
0
 
LVL 8

Assisted Solution

by:zoubi77
zoubi77 earned 50 total points
ID: 24392505
This privilege does not allow the user to list the contents of a directory, only to traverse directories. Determines which users can traverse directory trees even though the user may not have permissions on the traversed directory.
0
 

Expert Comment

by:StarAdam
ID: 24394979
Yep, that's correct, thanks Zoubi77.

Right, so did you try the settings that I highlighted to you? Let me know if that works. I run a Citrix environment and I encounter similar issues to what you're on about.

Keep me updated on that and let us know if anything else is needed :)
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24397125
Thanks guys, but I'm still unclear *why* users would need "Bypass Traverse Checking"? Why would they want to do this?
0
 
LVL 8

Expert Comment

by:zoubi77
ID: 24397362
Because sometimes you want a user to access some subfolder but not a folder higher up. For example, we have the folder structure share\map\goodies and you want to grant the user access only to goodies. But if he wants to get to that folder, he must first click on share, then on map and finally on goodies. If he has no NTFS rights on the share or map folder, he will be automatically denied access and will not even be able to get (traverse) to the goodies folder.

Not so complicated as it may look at first sight ;)
0
