The Remote Desktop Gateway [RDG] role enables you to access your RDS environment remotely over a single port, TCP 443 (HTTPS).
vBoring Blog Series:
- Setup Remote Desktop Services in Windows Server 2012 R2
- Setup RD Licensing Role on Windows Server 2012 R2
- Setup RD Gateway Role on Windows Server 2012 R2
Install the RD Gateway Role:
If your Gateway server is going to be a separate server, first add it to the Server Pool of your RDS environment by going to Manage -> Add Servers.
In Server Manager of your RDS environment, click the RD Gateway icon.
Select the server from the server pool on which you want to install the RD Gateway role, then click Next.
During installation it creates a self-signed SSL certificate that can be replaced later. Enter the URL (the external FQDN) you want clients to use and click Next.
Confirm your selections and the FQDN, then click Add.
Once it finishes, click Close.
Back in Server Manager, the RD Gateway will have an icon to signify the role is installed.
Configure RD Gateway – Apply SSL Certificate:
RD Gateway will work with self-signed certificates, but it requires a few additional steps (installing the certificate as trusted on each client) for it to work on remote computers outside your LAN. I did my initial setup using self-signed certs but will eventually change to a trusted SSL certificate. It is easy to change once a trusted SSL certificate is obtained.
To create the self-signed certificate, go to Tasks -> Edit Deployment Properties
Click Certificates -> RD Gateway -> Create new certificate
Enter the following information:
- Certificate Name: use your Gateway URL
- Password: Don’t lose the password!
- Check the box to Store this Certificate and pick a folder location for safe keeping
- Check the box to Allow the certificate to be added to the Trusted Root Certification Authorities store
The RD Gateway will now show Ready to apply. Click Apply
Once finished it will show Success. Click Ok.
For the new certificate to take effect, either restart the RD Gateway server or restart the RD Gateway service (labeled as Remote Desktop Gateway in services.msc).
If you have a third-party SSL certificate (such as GoDaddy, DigiCert, StartSSL, etc.) you can apply it the same way. I created a wildcard cert using StartSSL; having a trusted SSL certificate makes external access much easier.
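The two sections above, the role installation and the certificate steps, as one added PowerShell example (this is not code from the original post; it uses the RemoteDesktop module cmdlets that the Server Manager wizard calls behind the scenes). The hostnames, file paths and the client machine name are assumptions for illustration; the service name TSGateway is the real service name shown as "Remote Desktop Gateway" in services.msc.

```powershell
# Added example (not from the original post): install the RD Gateway role and apply a
# certificate with the RemoteDesktop module. Run in an elevated session on the Connection
# Broker. Hostnames and paths below are assumptions for illustration.
Import-Module RemoteDesktop

$broker       = "broker.corp.example"     # assumed: RD Connection Broker FQDN
$gateway      = "gw.corp.example"         # assumed: server that will hold the RD Gateway role
$externalFqdn = "gateway.example.com"     # assumed: the URL clients use from outside

# 1. Add the server to the deployment with the RD Gateway role (the "RD Gateway icon" step).
#    -GatewayExternalFqdn is the name the wizard asks for as the gateway URL.
Add-RDServer -Server $gateway -Role RDS-GATEWAY -ConnectionBroker $broker `
    -GatewayExternalFqdn $externalFqdn

# 2a. Lab option: a self-signed certificate. Its name must match the external FQDN or
#     remote clients will get a name-mismatch error. The PFX is the "store this
#     certificate" copy; keep the password, it cannot be recovered.
$pfxPath = "C:\certs\rdgateway.pfx"                       # assumed safe-keeping folder
$pfxPass = Read-Host -AsSecureString -Prompt "PFX password (do not lose it)"
$cert = New-SelfSignedCertificate -DnsName $externalFqdn -CertStoreLocation "Cert:\LocalMachine\My"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
# Public part only, for distribution to clients outside the LAN (see step 5).
Export-Certificate -Cert $cert -FilePath "C:\certs\rdgateway.cer" | Out-Null

# 2b. Production option: a CA-issued (wildcard or single-name) certificate. Skip 2a and
#     point $pfxPath at the PFX you received; the apply step below is identical.

# 3. Apply the certificate to the RD Gateway role (Edit Deployment Properties -> Certificates).
Set-RDCertificate -Role RDGateway -ImportPath $pfxPath -Password $pfxPass `
    -ConnectionBroker $broker -Force

# 4. Restart the gateway service so the new certificate is used.
Invoke-Command -ComputerName $gateway -ScriptBlock { Restart-Service -Name TSGateway }

# 5. Self-signed only: a client outside the LAN must trust the gateway certificate.
#    Run this on the client (elevated) after copying rdgateway.cer to it; a CA-issued
#    certificate needs no such step, which is why the post prefers one.
Import-Certificate -FilePath "C:\certs\rdgateway.cer" -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 6. Verify what the deployment now reports for the gateway role.
Get-RDCertificate -Role RDGateway -ConnectionBroker $broker |
    Format-List Role, Subject, IssuedBy, ExpiresOn, Thumbprint
```

Step 5 is the part that catches people out with self-signed certificates: the RD Gateway itself works, but an external client that does not trust the issuer refuses the TLS session to the gateway before any RDP traffic is exchanged.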
Configure RD Gateway – Permissions and Network Resources:
By default the RD Gateway is set to allow all Domain Users access to use RD Gateway but with no Network Resources to connect to. To configure both these options open the Remote Desktop Gateway Manager:
Start -> Control Panel -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager
Drill down to the Resource Authorization Policies and select RDG_AllDomainComputers then click Properties.
On the User Groups tab you can change who has permission to use the RD Gateway (by default Domain Users have access). For security you could create an Active Directory group called RD-Users so that only members of that group have access.
To configure which computers can be accessed through the RD Gateway, go to the Network Resources tab. By default the middle option is selected with no groups created. You have three options:
- The first option assigns permission to an AD Organizational Unit. Example: you can select Domain Computers.
- The second option lets you create an RD Gateway-managed group and add servers to the list. This is a nice option if you want only a small number of servers to be accessible.
- The last option allows any server to be connected to. This is the least secure and should be used only in home labs!
Click Apply and OK to save your changes.
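The least-privilege configuration the section above recommends (a dedicated RD-Users group and an explicit list of reachable servers instead of the default "all Domain Users to all domain computers"), as an added PowerShell example that is not part of the original post. The RD Gateway policies have no RemoteDesktop-module cmdlets; they are exposed through WMI classes in the root\CIMV2\TerminalServices namespace, so the policy part runs on the gateway server itself. Group names, the domain, the OU path and the sample members are assumptions, and the argument order and the "CG"/"RG"/"ALL" resource-group type strings are taken from the Win32_TSGatewayResourceAuthorizationPolicy documentation as I remember it; confirm them against the class documentation on your version before relying on this.

```powershell
# Added example (not from the original post): restrict the RD Gateway to one user group
# and one computer group. Run elevated on the RD Gateway server, with the AD RSAT module.
Import-Module ActiveDirectory

$domain = "CORP"                                   # assumed NetBIOS domain name
$ouPath = "OU=Groups,DC=corp,DC=example"           # assumed OU for the new groups

# 1. One group for people allowed through the gateway, one for the servers they may reach.
New-ADGroup -Name "RD-Users" -GroupScope Global -GroupCategory Security -Path $ouPath `
    -Description "Users permitted to connect through the RD Gateway"
New-ADGroup -Name "RD-Gateway-Computers" -GroupScope Global -GroupCategory Security -Path $ouPath `
    -Description "Servers reachable through the RD Gateway"
Add-ADGroupMember -Identity "RD-Users" -Members "jdoe"                  # assumed user
Add-ADGroupMember -Identity "RD-Gateway-Computers" -Members "APP01$"    # assumed computer account

# 2. Create a Resource Authorization Policy tying the two together.
#    Create(Name, Description, Enabled, ResourceGroupName, ResourceGroupType,
#           ProtocolNames, PortNumbers, UserGroupNames)
#    ResourceGroupType (assumed values): "CG" = AD computer group (first option in the GUI),
#    "RG" = RD Gateway-managed group (second option), "ALL" = any resource (third option).
$rapClass = [wmiclass]"root\CIMV2\TerminalServices:Win32_TSGatewayResourceAuthorizationPolicy"
$result = $rapClass.Create("RAP-RD-Users",
                           "RD-Users may reach members of RD-Gateway-Computers",
                           $true,
                           "$domain\RD-Gateway-Computers", "CG",
                           "RDP", "3389",
                           "$domain\RD-Users")
if ($result.ReturnValue -ne 0) { throw "RAP creation failed, return code $($result.ReturnValue)" }

# 3. Disable the default policy that lets every Domain User reach every domain computer.
#    Disabling rather than deleting keeps it available for comparison during troubleshooting.
$defaultRap = Get-WmiObject -Namespace "root\CIMV2\TerminalServices" `
    -Class Win32_TSGatewayResourceAuthorizationPolicy | Where-Object { $_.Name -eq "RDG_AllDomainComputers" }
if ($defaultRap) { $defaultRap.SetEnabled($false) | Out-Null }

# 4. Review: only the new policy should be enabled, and it should name the narrow groups.
Get-WmiObject -Namespace "root\CIMV2\TerminalServices" -Class Win32_TSGatewayResourceAuthorizationPolicy |
    Select-Object Name, Enabled, ResourceGroupType, ResourceGroupName, UserGroupNames, PortNumbers |
    Format-Table -AutoSize
```

The review step in 4 is worth scripting on its own as a periodic check: a gateway whose RDG_AllDomainComputers policy has quietly been re-enabled, or whose resource group type has drifted to "ALL", is exactly the configuration the post warns to keep to home labs.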
Configure RD Gateway Port Forwarding:
This step does not involve configuration of your RDS environment but of your network. In order for traffic from the outside to reach your RD Gateway server, you will need to open some ports in your firewall.
If you are setting this up in your home lab, where you don’t have a DMZ and are only behind a single firewall (router), then you only need to set up port forwarding of 443 to your RD Gateway server.
If you are setting this up in an enterprise where the RD Gateway is in the DMZ, then there are quite a few ports that need to be opened up. To read about these ports and firewall scenarios, check out this Microsoft MSDN blog post:
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
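Checks for the port-forwarding step, as an added PowerShell example that is not part of the original post. It does three things the GUI steps leave implicit: writes an explicit inbound rule for TCP 443 on the gateway, confirms the gateway is actually listening there, and, from a machine outside the firewall, confirms that the forwarded port reaches the gateway and that the certificate presented matches the external name. The external hostname is an assumption for illustration.

```powershell
# Added example (not from the original post). Steps 1-2 run elevated on the RD Gateway
# server; steps 3-4 run from a client outside the firewall.

# 1. Explicit inbound rule on the gateway for HTTPS only. The role installer adds its own
#    rules; this one is the auditable version for a DMZ host that allows nothing else in.
New-NetFirewallRule -DisplayName "RD Gateway HTTPS (TCP 443)" -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain, Private, Public -Enabled True

# 2. Confirm the gateway is listening on 443. The forwarded port and the internal port are
#    the same: 443 on the gateway (the HTTPS port shown in RD Gateway Manager).
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. From outside: does the forward/NAT rule deliver TCP 443 to the gateway?
$externalFqdn = "gateway.example.com"            # assumed external name
$probe = Test-NetConnection -ComputerName $externalFqdn -Port 443
if ($probe.TcpTestSucceeded) {
    "TCP 443 reachable at $externalFqdn"
} else {
    "TCP 443 not reachable at $externalFqdn: check the forwarding rule and the upstream firewall"
}

# 4. From outside: which certificate does the gateway present? The subject must cover
#    $externalFqdn, and the issuer must be trusted by the client, or mstsc will refuse it.
#    The callback accepts any certificate here only so the details can be printed.
$tcp = New-Object System.Net.Sockets.TcpClient($externalFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($externalFqdn)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Presented: $($presented.Subject) issued by $($presented.Issuer), expires $($presented.NotAfter)"
"Thumbprint: $($presented.Thumbprint)"
$ssl.Dispose()
$tcp.Close()
```

Step 4 answers the most common "it works inside but not outside" report: the TCP test passes, but the certificate subject is the internal name rather than the external one, or it is the self-signed certificate that the outside client never imported.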
How to use RD Gateway for RDP:
Now that your RD Gateway is set up, you are ready to connect to your environment! Open Remote Desktop Connection and go to Show Options:
Click on the Advanced tab, then Settings:
Enter the name of your Gateway as accessed remotely, then click Ok:
Now back on the General tab, enter the name of the internal server you wish to connect to. When connecting you should be prompted for your credentials.
If everything is configured correctly you should be connected to your internal computer using RDP externally through your RD Gateway!
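The client-side steps above (Show Options -> Advanced -> Settings, then the General tab), as an added PowerShell example that is not part of the original post. It writes the same settings into a .rdp file so the gateway name does not have to be re-entered each time and the file can be handed to users. The keys are the standard Remote Desktop Connection file settings; the numeric values and their meanings are given as I know them from the mstsc documentation, and the hostnames are assumptions for illustration.

```powershell
# Added example (not from the original post): an .rdp file that connects to an internal
# server through the RD Gateway, equivalent to the Advanced -> Settings dialog.
$gatewayFqdn  = "gateway.example.com"     # assumed: gateway name as accessed remotely
$internalHost = "app01.corp.example"      # assumed: internal server, as typed on the General tab
$rdpFile      = Join-Path $env:USERPROFILE "Desktop\app01-via-gateway.rdp"

@"
full address:s:$internalHost
gatewayhostname:s:$gatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
prompt for credentials:i:1
authentication level:i:2
"@ | Set-Content -Path $rdpFile -Encoding ASCII

# Key meanings (assumed from the Remote Desktop Connection file settings):
#   gatewayusagemethod:i:1         always use the gateway, even for local addresses
#   gatewayprofileusagemethod:i:1  use the explicit gateway settings in this file
#   gatewaycredentialssource:i:0   ask for a password (NTLM), i.e. the prompt the post describes
#   promptcredentialonce:i:1       use the gateway credentials for the internal server as well
#   prompt for credentials:i:1     never connect silently with saved credentials
#   authentication level:i:2       warn if the internal server's certificate cannot be verified

# Launch Remote Desktop Connection with the file; credentials are requested on connect.
Start-Process -FilePath "mstsc.exe" -ArgumentList "`"$rdpFile`""
```

Because the file contains no credentials, it is safe to distribute; the only secret involved is what the user types at the prompt.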
Great article. Thank you 🙂
Very useful article. In my case I am not able to apply the certificates: under Role Services, RD Gateway shows Unknown in the Level column and is grayed out.
Regards,
Alaa
Doesn’t appear to allow me to save a wildcard cert when trying to create a new one. *.mydomain.com is highlighted in red and I am unable to click Okay.
You’ve covered everything except what I need. I need to know what INTERNAL port to which Port 443 is forwarded. Everything I check manages to leave that part out. Super frustrating.
Hi Rob! Apologies I didn’t do a breakdown of ports. Check this article out: https://social.technet.microsoft.com/Forums/windows/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS
Hi Rob. Is there a chance to use RD Gateway to connect over the Broker to one of the RDS Session Hosts, or is it just possible to connect to a specific session host? If I have to enter a specific session host, the connection would not be possible during a maintenance window of this server. If it were possible to use the collection, then the connection would still be possible if just one server is in a maintenance window… Gabi