If users from untrusted networks (primarily the Internet) want to access a remote desktop deployment, an RD Gateway should be placed between them and the local resources. The scenario-based RDS installation introduced with Windows Server 2012 also simplifies the setup of the gateway.

Before adding an RD Gateway to a remote desktop deployment, a few preparations are necessary. This includes planning the topology, i.e., where in the network you want to place the gateway, whether it should join an AD domain, and against which DC the remote users authenticate.

DNS, certificate, choosing a server

Since users access the RDS deployment from outside the corporate network, the gateway must be made accessible under a public name. Therefore, you should configure the corresponding DNS entry in advance.

As communication between the clients and the gateway is done over HTTPS, you will also need an SSL certificate, which should be issued to the external name of the gateway. Usually, you will not use a self-signed certificate; instead, you will probably purchase one from a commercial certification authority. Alternatively, you can also use Let's Encrypt, but you would have to renew the certificate every three months.

Since the gateway is exposed to direct access from the Internet, it makes sense to set up a dedicated (virtual) server for it. A further RDS role on the same machine might be RD Web Access. In our example, we also assume that the server is a member of an AD domain.

Adding the gateway

Once you are done with all the preparations, go to the deployment overview in the Server Manager. Click the green plus symbol for RD Gateway to start the installation wizard.

Adding an RD Gateway via the RDS Deployment overview in Server Manager

The first step is to select the server on which you want to place the gateway. In the next dialog box, you are asked to enter the external FQDN of the server in question, which should match the name on the certificate.

Enter the FQDN under which the RD Gateway can be reached from the Internet

After you confirm, the installation of the required role services will begin.

Assistant in Server Manager for installing the RD Gateway role

Editing properties

Then open the Tasks menu above the deployment overview and select Edit Deployment Properties. You can change some settings in the first dialog box, such as those for bypassing the gateway for internal clients.

Settings for the RD Gateway in the Server Manager

The next step is to switch to the Certificates section, highlight RD Gateway, and then click the Select existing certificate button to assign the desired certificate. In this dialog box, you can choose between a certificate that is already installed on the Connection Broker and one that has to be imported first.

Assigning a certificate to the RD Gateway in the deployment overview of the Server Manager

If you have purchased one from a public CA, choose the second option. After closing the dialog box, click Apply. After a short check, the value OK should appear in the Status column.
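The same three steps (adding the gateway role to the deployment, assigning the purchased certificate, and setting the bypass option for internal clients) can be scripted with the RemoteDesktop module on the connection broker. This is an added example, not from the article; the host names, the external FQDN and the PFX path are placeholders for your own environment.

```powershell
# Added example: the Server Manager wizard steps done with the RemoteDesktop module.
# Run on the RD Connection Broker (or any server with the RDS management tools).
Import-Module RemoteDesktop

$broker       = 'rdcb.corp.example.com'   # placeholder: internal FQDN of the connection broker
$gateway      = 'rdgw.corp.example.com'   # placeholder: internal FQDN of the gateway server
$externalFqdn = 'remote.example.com'      # placeholder: public name, must match the certificate
$pfxPath      = 'C:\certs\remote.example.com.pfx'   # placeholder: certificate bought from a public CA

# 1. Add the RD Gateway role to the deployment (the green plus in the deployment overview)
Add-RDServer -Server $gateway -Role RDS-GATEWAY `
    -ConnectionBroker $broker -GatewayExternalFqdn $externalFqdn

# 2. Assign the certificate to the RD Gateway role (the "Select existing certificate" dialog)
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Set-RDCertificate -Role RDGateway -ImportPath $pfxPath -Password $pfxPassword `
    -ConnectionBroker $broker -Force

# 3. Deployment properties: use the gateway only for external clients, bypass it internally
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $externalFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true `
    -ConnectionBroker $broker -Force

# 4. Check the result: the certificate should show up for the RDGateway role and the
#    gateway configuration should report the external FQDN and BypassLocal = True
Get-RDCertificate -Role RDGateway -ConnectionBroker $broker | Format-List
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker | Format-List
```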

Editing the configuration

Using the wizard to install the gateway, as described above, adds the role as well as other components, such as Network Policy and Access Services (NPS) and the RPC over HTTP Proxy. It also configures some settings based on default values.

The NPS determines which users or clients are allowed to access the gateway (Connection Authorization Policies [CAP]) and which resources in the network they can reach from the gateway (Resource Authorization Policies [RAP]).

The assistant sets up policies that allow all domain users to access the gateway and several RDS resources (RDG_CAP_AllUsers, RDG_AllDomainComputers, and RDG_RDConnectionBrokers). However, this is not suitable for all environments.

Adjusting CAP and RAP

To change this, start the Remote Desktop Gateway Manager, which can be installed on the server with PowerShell if it is not already available:

Add-WindowsFeature -Name RSAT-RDS-Gateway

Launch Remote Desktop Gateway Manager from the Tools menu of the Server Manager

You can then delete RDG_CAP_AllUsers under Connection authorization policies as required and create a new policy. You can configure this policy yourself in the corresponding dialog box with several tabs; alternatively, you can start the assistant, which is able to create a CAP and a RAP in one go.

Wizard in the Remote Desktop Gateway Manager for creating CAP and RAP

If you want to allow access only to the RDS deployment from the gateway, then you have to enter both the session hosts or virtualization hosts and the connection broker in the RAP. If you have combined several session hosts in a farm, you also have to specify the DNS name of the collection.

The target computers in the network can be included in a RAP in various ways. On the one hand, they can be combined in an AD group and then selected via the Network resource group of Active Directory Domain Services.

Alternatively, you can create a group of computers managed by the gateway using the corresponding command in the Actions section. It can then be selected in the RAP.

Create a gateway managed computer group

Users must be authorized twice, namely, in a CAP and in a RAP. The former allows them access to the gateway and the latter to the RDS resources. Since it normally makes little sense to authorize users for only one of them, you will usually include the same groups in both rules.
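As an added example (not from the article), the following script does on the gateway server what the wizard above does interactively: it removes the default "all users" policies and creates a gateway-managed computer group plus a CAP and a RAP that both use the same, narrower AD group. It uses the RDS: PSDrive of the RemoteDesktopServices module; the group, host and policy names are placeholders, and the "Group@domain" notation and the parameter names are given as the author of this example understands that provider, so verify them against the provider's documentation on your server.

```powershell
# Added example: replace the default CAP/RAP with policies scoped to one AD group.
# Run on the RD Gateway server itself.
Import-Module RemoteDesktopServices

$userGroup = 'RDG-Users@corp.example.com'   # placeholder: AD group allowed through the gateway
$targets   = @(                              # placeholder: broker, session hosts and collection DNS name
    'rdcb.corp.example.com',
    'rdsh01.corp.example.com',
    'rdsh02.corp.example.com',
    'desktops.corp.example.com'
)

# 1. Remove the default policies created by the installation wizard
Remove-Item -Path 'RDS:\GatewayServer\CAP\RDG_CAP_AllUsers' -Recurse -ErrorAction SilentlyContinue
Remove-Item -Path 'RDS:\GatewayServer\RAP\RDG_AllDomainComputers' -Recurse -ErrorAction SilentlyContinue

# 2. Gateway-managed computer group holding only the RDS deployment's hosts
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name 'RDS-Deployment' `
    -Description 'RD Connection Broker, session hosts and collection name' -Computers $targets

# 3. CAP: who may connect to the gateway (AuthMethod 1 = password authentication)
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-RDG-Users' `
    -UserGroups $userGroup -AuthMethod 1

# 4. RAP: which hosts those users may reach (ComputerGroupType 0 = gateway-managed group);
#    the same user group as in the CAP, since authorizing only one of them makes little sense
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-RDS-Deployment' `
    -UserGroups $userGroup -ComputerGroupType 0 -ComputerGroup 'RDS-Deployment' -PortNumbers 3389

# 5. Review the resulting policies
Get-ChildItem -Path 'RDS:\GatewayServer\CAP'
Get-ChildItem -Path 'RDS:\GatewayServer\RAP'
```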

Adding a user group to a connection authorization policy

Additional settings for the RD Gateway

The properties of the gateway server contain additional settings, some of which can be adjusted depending on the environment. These include:

  • Limiting the maximum number of simultaneous connections and the option of not allowing any new connections before a scheduled maintenance.
  • The IP address and the port for HTTPS and UDP can be specified under Transport Settings.
  • Instead of the local NPS, a central Network Policy Server can be used to manage the RD CAPs and RD RAPs.
  • If the RD Gateway doesn't terminate the HTTPS connection and the firewall decrypts and re-encrypts the HTTPS traffic for inspection, then the Remote Desktop Gateway Manager offers two options for SSL bridging: HTTPS-HTTPS and HTTPS-HTTP (SSL offloading).
  • Under Messaging, messages can be displayed on the client, either scheduled (e.g., to announce maintenance) or generally at logon.
  • The Monitoring tab is used to specify which events will be recorded. Auditing is activated for all events by default.

Settings for SSL bridging

The RD Gateway should now be operational. Before connecting to the gateway from a workstation, you can test to see whether the RDP client on the gateway server is able to start a session on a session host. This way, you verify the connection from the gateway to the RDS deployment.
