Before adding an RD Gateway to a remote desktop deployment, a few preparations are necessary. This includes planning the topology, i.e., where in the network you want to place the gateway, whether it should join an AD domain, and against which DC the remote users authenticate.
DNS, certificate, choosing a server ^
Since users access the RDS deployment from outside the corporate network, the gateway must be made accessible under a public name. Therefore, you should configure the corresponding DNS entry in advance.
As communication between the clients and the gateway is done over HTTPS, you will also need an SSL certificate, which should be issued to the external name of the gateway. Usually, you will not use a self-signed certificate; instead, you probably purchase one from a commercial certification authority. Alternatively, you can also use Let's Encrypt, but you would have to renew the certificate every three months.
Since the gateway is exposed to direct access from the Internet, it makes sense to set up a dedicated (virtual) server for it. A further RDS role on the same machine might be RD Web Access. In our example, we also assume that the server is a member of an AD domain.
Adding the gateway ^
Once you are done with all the preparations, go to the deployment overview in the Server Manager. Click the green plus symbol for RD Gateway to start the installation wizard.
The first step is to select the server on which you want to place the gateway. In the next dialog box, you are asked to enter the external FQDN of the server in question, which should match the name on the certificate.
After you confirm, the installation of the required role services will begin.
Editing properties ^
Then open the Tasks menu above the deployment overview and select Edit Deployment Properties. You can change some settings in the first dialog box, such as those for bypassing the gateway for internal clients.
The next step is to switch to the Certificates section, highlight RD Gateway, and then click the Select existing certificate button to assign the desired certificate. In this dialog box, you can choose between a certificate that is already installed on the Connection Broker and one that has to be imported first.
If you have purchased one from a public CA, choose the second option. After closing the dialog box, click Apply. After a short check, the value OK should appear in the Status column.
Editing the configuration ^
Using the wizard to install the gateway, as described above, adds the role as well as other components, such as the network policy and access services (NPS) or the RPC-over-HTTP-proxy. It also configures some settings based on default values.
The NPS determines which users or clients are allowed to access the gateway (Connection Authorization Policies [CAP]) and which resources in the network they can reach from the gateway (Resource Authorization Policies [RAP]).
The assistant sets up policies that allow all domain users to access the gateway and several RDS resources (RDG_CAP_AllUsers, RDG_AllDomainComputers, and RDG_RDConnectionBrokers). However, this is not suitable for all environments.
Adjusting CAP and RAP ^
To change this, start the Remote Desktop Gateway Manager, which can be installed on the server with PowerShell if it is not already available:
Add-WindowsFeature -Name RSAT-RDS-Gateway
You can then delete RDG_CAP_AllUsers under Connection authorization policies as required and create a new policy. You can configure this policy yourself in the corresponding dialog box with several tabs; alternatively, you can start the assistant, which is able to create a CAP and a RAP in one go.
If you want to allow access only to the RDS deployment from the gateway, then you have to enter both the session hosts or virtualization hosts and the connection broker in the RAP. If you have combined several session hosts in a farm, you also have to specify the DNS name of the collection.
The target computers in the network can be included in a RAP in various ways. On the one hand, they can be combined in an AD group and then selected via the Network resource group of the active Directory domain services.
Alternatively, you can create a group of computers managed by the gateway using the corresponding command in the Actions section. It can then be selected in the RAP.
Users must be authorized twice, namely, in a CAP and in a RAP. The former allows them access to the gateway and the latter to the RDS resources. Since it normally makes little sense to authorize users for only one of them, you will usually include the same groups in both rules.
Additional settings for the RD Gateway ^
The properties of the gateway server contain additional settings, some of which can be adjusted depending on the environment. These include:
Subscribe to 4sysops newsletter!
- Limiting the maximum number of simultaneous connections and the option of not allowing any new connections before a scheduled maintenance.
- The IP address and the port for HTTPS and UDP can be specified under Transport Settings.
- Instead of the local NPS, a central Network Policy Server can be used to manage the RD CAPS and RD RAPS.
- If the RD Gateway doesn't terminate the HTTPS connection and the firewall decrypts and re-encrypts the HTTPS traffic for inspection, then the remote desktop gateway manager offers two options for bridging: HTTPS - HTTPS and HTTPS - HTTP (SSL offloading).
- Under Messaging, messages can be displayed on the client, either scheduled (e.g., to announce maintenance) or generally at logon.
- The Monitoring tab is used to specify which events will be recorded. Auditing is activated for all events by default.
The RD Gateway should now be operational. Before connecting to the gateway from a workstation, you can test to see whether the RDP client on the gateway server is able to start a session on a session host. This way, you verify the connection from the gateway to the RDS deployment.