Share via

Get RDS (session broker) to accept any connections

Thim 5 Reputation points
2025-07-10T03:40:15.2133333+00:00

I am configuring the RDP proxy using the Citrix ADC but after months of trying, I am still unable to RDP back to Windows machine with Session Broker farm. I am able to connect to standalone Windows machine but failed on those RDS farm (Session broker with DNS LB). Citrix support has been on this case since April this year but still failed. This is the process flow:

  1. I will login from my laptop to the ADC login page.
  2. Click on the bookmark, download the rdp file and RDP via port 443 using ADC clientless VPN
  3. It will prompt for credentials (means the RDS machines are able to be connect)
  4. Then ADC will connect to my RDS servers using port 3389

But during this process, redirection happens and from what I am seeing on the Wireshark redirection happens. But once the session broker redirects me to a available (the last machine) machine, that machine rejects my connections. Is there anyway to allow every connections? Everyone was stump and out of ideas on how to fix this as this only happens on session brokers machine but works well on standalone. Nothing much on the event logs. Just would like to know if anyone has experience in configuring Citrix ADC with RDP proxy and how to fix on the session broker? Basically it is the session broker which is throwing this error to us.

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Smith Pham 2,510 Reputation points Independent Advisor
    2025-07-15T08:12:56.97+00:00

    Hi Thim,

    This issue stems from how RDS Connection Broker redirection works — it redirects the incoming connection to another RDS host, but the Citrix ADC (NetScaler) RDP proxy isn't aware of this redirection and cannot handle it properly unless specific configurations are made.

    Root Cause

    The RDP session is being redirected by the Session Broker to a target host, but the redirected session fails because:

    The ADC can't initiate a second outbound connection as part of the redirection.

    The target host rejects the connection because it's expecting a direct RDP session with SSO, but the proxy breaks that continuity.

    DNS-based load balancing and Session Broker redirection often conflict with Citrix ADC's RDP proxy limitations.

    Straight Solution

    To get it working, you must disable RDP redirection, or force all connections to go to a single host in the farm, bypassing Session Broker logic. Here's how:

    Option 1: Disable RDP Redirection (Force redirection off)

    On each RDS host in the farm:

    Open Group Policy Editor (gpedit.msc)

    Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

    Enable the policy: "Restrict Remote Desktop Services users to a single Remote Desktop Services session"

    Disable redirection by setting: "Use RD Connection Broker load balancing" → Disabled

    This forces all sessions to stay on the initial connection target and bypass broker redirection.

    Option 2: Direct RDP to Specific RDS Hosts

    If you cannot disable redirection globally:

    Create individual bookmarks for each RDS host in the ADC portal.

    This avoids DNS round-robin or Broker-based redirection entirely.

    • Ensure SSO is not enforced via Broker, or set UseRDGateway=false and EnablecredSSP=yes in the .rdp file to force credentials to pass correctly. ✅ Option 1: Disable RDP Redirection (Force redirection off) On each RDS host in the farm:
      1. Open Group Policy Editor (gpedit.msc)
      2. Navigate to:
        Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
      3. Enable the policy:
        "Restrict Remote Desktop Services users to a single Remote Desktop Services session"
      4. Disable redirection by setting:
        "Use RD Connection Broker load balancing" → Disabled

      This forces all sessions to stay on the initial connection target and bypass broker redirection.

      Option 2: Direct RDP to Specific RDS Hosts If you cannot disable redirection globally:
      • Create individual bookmarks for each RDS host in the ADC portal.
      • This avoids DNS round-robin or Broker-based redirection entirely.
      • Ensure SSO is not enforced via Broker, or set UseRDGateway=false and EnablecredSSP=yes in the .rdp file to force credentials to pass correctly.

    Best Regards,

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.