Load Balancing Remote Desktop Gateway with Citrix NetScaler

It may seem a bit ironic to use a Citrix NetScaler to load balance plain vanilla RDS, but the NetScaler wasn’t always a Citrix product and it certainly has a thousand more uses than just an Access Gateway appliance. So today we’ll be using it to load balance and content switch our Remote Desktop Gateway server(s).

First, I’ll assume that you’ve already got RD Gateway up and working with a publicly trusted cert. Next, we need to configure servers and services for the RD Gateway server(s).

  1. In Traffic Management > Load Balancing > Servers – add entries for the RDG servers (in this example, I only have one)
  2. In Traffic Management > Load Balancing > Services – add services for each server. These will be type: SSL 
  3. In Traffic Management > Load Balancing > Virtual Servers – create a new load balanced virtual server; bind the recently created service(s), and set the persistence to source IP. The vServer can be directly addressable or not – the only reason to assign an IP would be if you are using this vServer for another purpose outside of Content Switching, but in this example, a non-addressable vServer is fine.
Next, we need to setup the Content Switching policies and actions – this allows us to use the same URL\Certificate for multiple services. We will need one action and two policies:
  • Action: Name: CSW-RDG-Action (or anything meaningful); Target LB Virtual Server: the vServer created above
  • Policies:
    • Name: CSW-RDG-Web-Pol
      • Action: CSW-RDG-Action
      • Expression: HTTP.REQ.URL.REGEX_MATCH(re-^/RDWeb/*-)
    • Name: CSW-RDG-Pol
      • Action: CSW-RDG-Action
      • Expression: HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“MS-RDGateway/1.0”)

We’ve got two policies in this case because I’m also running RDS web on the same server as RDGateway. So here’s what you should end up with:

A few notes:
  • This was configured using NetScaler 10.5 and RDGateway\RDWeb running on 2012 R2. I would imagine this would work just fine on any other NetScaler version. As for the RDS components – I would imagine the User-Agent string should be the same, and RDWeb has always been in the URL for RDWeb
  • Be careful copy\pasting into the expression editor or console – ASCII <> Unicode
See Part 2 for the other policies needed for mobile devices and RemoteAppAndDesktop connections.

4 thoughts on “Load Balancing Remote Desktop Gateway with Citrix NetScaler”

  1. I've follow your method and manage to actually configure the webpage to actually work but the rds gateway still doesn't work ive triple check teh expression and i didnt copy paste did it from scratch…

    it says unable to contact computer but my rds gateway i did verify its working piror putting it to my rds gateway.

  2. Hi,

    Are you using RDS Gateway and Brokers?
    Is the 3389 vServer only for internal access? Which Servers should I bound to the vServer? All my RDS Servers or the Brokers?

    I have two Gateways and two Brokers on my environment and would like to use Netscaler to LB and HA.

    Thank you,


  3. Marcos-

    This configuration is only for RD Gateway.

    The 3389 vServer allows for internal connections through the RD Gateway when using the RemoteAppandDesktop connection in Win7+. The two RD Gateways should be configured either as an IP or non-IP load balanced vServer on the NetScaler, with a Content Switching vServer in front of it. See this post for the full CSW bindings for the gateway: http://blogs.serioustek.net/post/2014/10/04/load-balancing-remote-desktop-gateway-with-citrix-netscaler-part-2.aspx and the associated services for the gateway LBVserver.

    I do not know if it is possible to load balance RD Broker servers using the NetScaler – and I don't know if it is really needed – per this Microsoft article: http://blogs.msdn.com/b/rds/archive/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012.aspx – HA RD Broker servers require an SQL DB, etc. So it sounds like making them HA in the deployment config already gives you active active load balancing…no need to complicate with a load balancer (if it is even possible). Note that HA RD Brokers are only supported in 2012+….anything older and it looks like a cluster is required.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.