Building a Remote Desktop Gateway (RDG) / RD Gateway Server

Creating a Remote Desktop Gateway (RD Gateway) is straightforward. It lets you securely access your Windows servers over TCP port 443 using the Remote Desktop Connection client. I use this to access my home lab when I’m on the road or at work, and it saves exposing your machines directly to the internet over RDP (TCP 3389). The RD Gateway isn’t new; it was available on Windows Server 2008 as TS Gateway, and the installation is the same. For this article, I will be using Windows Server 2008 R2.

I run my RD Gateway on a virtual machine located inside a DMZ that I have created using Vyatta, a free virtual appliance. I won’t go into the firewall configuration here, as this is a quick configuration guide for creating your RDS Gateway.

Step 1: Build a new virtual machine and install Windows Server 2008 R2.

Step 2: Click on Add Roles (in Server Manager). You will then be presented with the following wizard dialog boxes.

Installing Remote Desktop Services Gateway (RD Gateway) - Add roles wizard
a) Click next

Remote Desktop Gateway (RD Gateway) - Select Server Role
b) Select “Remote Desktop Services” and click next

Introduction to Remote Desktop Services
c) Click next

Remote Desktop Gateway role service
d) Select “Remote Desktop Gateway” and click next

Role services and features required for Remote Desktop Gateway
e) Click “Add Required Role Services”

Remote Desktop Gateway (RD Gateway) Server Authentication SSL Certificate
f) Select “Choose a certificate for SSL encryption later”

Remote Desktop Gateway Authorization Policies
g) Select “Create authorization policies” > “Now” and click next

Authorized user groups to connect to the RD Gateway
h) Add the group(s) that you wish to grant access through the RD Gateway or leave the default “Administrators” and click next

RD CAP (Remote Desktop Connection Authorization Policy)

i) Leave the default “Password” selected and click next

RD RAP (Remote Desktop Resource Authorization Policy)
j) Click “Browse” to choose which computers RD Gateway users can connect to, or select “Allow users to connect to any computer on the network” and click next

Introduction to Network Policy and Access Services (RD Gateway)
k) Click next on the “Introduction to Network Policy and Access Services” screen

Remote Desktop Gateway - Network Policy Server Role
l) Leave the default “Network Policy Server” selected and click next

Remote Desktop Gateway - Introduction to Web Server (IIS)
m) Click next on the “Introduction to Web Server (IIS)” screen

Remote Desktop Gateway (RD Gateway) - IIS Web Server Roles
n) Leave the defaults selected and click next

Installing Remote Desktop Services Gateway (RD Gateway)

o) Click Install to begin the installation.

When the installation is finished you should be presented with the following screen:

Remote Desktop Gateway (RD Gateway) - Installation Summary

Step 3: Configuring the RD Gateway

  1. Now the RD Gateway is installed, go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager.
  2. Right click on the RD Gateway server within the RD Gateway Manager console and select Properties.
  3. Select “Create a self-signed certificate” then click “Create and Import Certificate”. You will then be presented with the following dialog: RD Gateway - Create a self-signed certificate
  4. Make sure that the certificate name is the internet DNS (domain) name that resolves to the internet IP address of the RD Gateway server. The firewall will need to allow communication to the server on TCP port 443.
  5. Tick “Store the root certificate” and choose a file location to save the certificate. For example: C:\rd-cert.cer

As this is a self-signed certificate, you will need to import the certificate to your machine that you are accessing the RD Gateway from. To do this, follow these steps:

  1. From the client machine accessing the RD Gateway, right click on the certificate file and click “Install Certificate”
  2. Click Next then select “Place all certificates in the following store”
  3. Browse to “Trusted Root Certification Authorities”, then click Next.
  4. Click Finish

Note: The internet (DNS) host name must resolve to the internet IP address of the RD Gateway server, and that host name must match the certificate name (e.g. rdg.mydomain.com). Connections fail if either of these does not hold.
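The three requirements above (name resolves to the gateway's public address, TCP 443 serves the self-signed certificate you exported, and the certificate name equals the host name clients type in) are the things that most often go wrong. The following PowerShell script, written for this page and not part of the original article, checks all of them from the client machine. The host name and the exported file path are the article's examples; the public IP is a constructed placeholder.

```powershell
# Added check script (not from the original article). Run on the client machine.
param(
    [string]$GatewayHost      = 'rdg.mydomain.com',   # article's example public name
    [string]$ExpectedPublicIp = '203.0.113.10',       # constructed placeholder, use your real address
    [string]$ExportedCert     = 'C:\rd-cert.cer'      # file saved in Step 3, item 5
)

# 1. The public name must resolve to the gateway's internet address.
$resolved = [System.Net.Dns]::GetHostAddresses($GatewayHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $ExpectedPublicIp) {
    Write-Warning "$GatewayHost resolves to [$($resolved -join ', ')], expected $ExpectedPublicIp"
}

# 2. TCP 443 must be open and must present the certificate you exported.
#    The validation callback returns $true so the certificate can be inspected here
#    instead of the handshake failing before we see it.
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($GatewayHost)
$served = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExportedCert)
if ($served.Thumbprint -ne $exported.Thumbprint) {
    Write-Warning "Served thumbprint $($served.Thumbprint) differs from the one in $ExportedCert"
}

# 3. The certificate name must be the name clients connect to (a .local or internal
#    name here is the mismatch several readers ran into).
$dnsName = $served.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $GatewayHost) {
    Write-Warning "Certificate is issued to '$dnsName' but clients will connect to '$GatewayHost'"
}

# 4. The self-signed root must be in a Trusted Root store on this client (the import steps above).
$trusted = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $exported.Thumbprint }
if (-not $trusted) {
    Write-Warning "$ExportedCert is not installed in a Trusted Root Certification Authorities store"
} else {
    "OK: $GatewayHost resolves, serves the expected certificate, and that certificate is trusted here"
}
```

Any warning printed maps directly to one of the steps above; a run with no warnings means the client-side prerequisites for Step 4 are in place.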

Step 4: Configuring the Remote Desktop Connection Client

  1. Launch the Remote Desktop Connection client.
  2. Select the “Advanced” tab and click “Settings”.
  3. Select “Use these RD Gateway server settings” (Windows XP will be “Use these TS Gateway settings”)
  4. Enter the server / host name (E.g. rdg.mydomain.com) of your RD Gateway server
  5. Optional: Select “Use my RD Gateway credentials for the remote computer”
  6. Click OK.
  7. Finally, under the “General” tab enter the local IP address or server name of the machine you wish to connect to.

Your connection will be tunnelled over SSL, providing your firewall configuration permits TCP port 443 from the internet to your RD Gateway server and TCP port 3389 from the RD Gateway server to your internal network.
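The client settings from Step 4 can also be kept as an .rdp file, which is easier to hand to several users and to review than clicking through the dialog each time. This PowerShell example is added for this page and is not from the original article; the gateway name is the article's example, and the internal target address is a constructed placeholder.

```powershell
# Added example (not from the original article): writes an .rdp file that matches Step 4.
param(
    [string]$GatewayHost    = 'rdg.mydomain.com',                     # Step 4, item 4: RD Gateway public name
    [string]$InternalTarget = '192.168.1.20',                         # Step 4, item 7: constructed internal IP
    [string]$OutFile        = "$env:USERPROFILE\Desktop\homelab.rdp"  # assumed output location
)

$settings = @(
    "full address:s:$InternalTarget",    # General tab: the internal name or IP, never the gateway name
    "gatewayhostname:s:$GatewayHost",    # Advanced > Settings: RD Gateway server name
    'gatewayusagemethod:i:1',            # "Use these RD Gateway server settings" (always go via the gateway)
    'gatewayprofileusagemethod:i:1',     # use the explicit settings above rather than a default profile
    'promptcredentialonce:i:1',          # Step 4, item 5: "Use my RD Gateway credentials for the remote computer"
    'authentication level:i:2'           # warn when the target server's certificate cannot be verified
)

# .rdp files are plain text, one "name:type:value" setting per line.
$settings | Set-Content -Path $OutFile -Encoding ASCII

# Read the file back and confirm the gateway is actually enforced before handing it out:
# a value of 0 (don't use) or 2 (bypass for local addresses) would let the client try
# TCP 3389 directly, which is exactly what the gateway is meant to avoid.
$usage = (Get-Content $OutFile | Where-Object { $_ -like 'gatewayusagemethod:i:*' }) -replace '.*:', ''
if ($usage -ne '1') {
    Write-Warning "$OutFile does not force the RD Gateway (gatewayusagemethod=$usage)"
} else {
    "Wrote $OutFile; launch it with: mstsc `"$OutFile`""
}
```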

Comments

  1. Tongers says

    if you wish to have 2 servers behind the RDG – how best to configure and/or is it possible even – for load sharing or is it best to direct different user groups to different servers. Ideally I would like that if one server is down then users automatically get directed to the other.

    Also how can you copy the first RD server to a second? I am using ESXi 4.1. There are some applications as well as Office loaded on it.

    thanks in advance for any advice.

  2. Frank Rosati says

    Great job. Easy to follow. Don’t understand why Microsoft can’t present something like this.

  3. joe says

    I have tried installing rdweb however it is asking for Network Policy Server. This has been a thorny issue. I cannot seem to remove NPS without having to reinstall the rds gateway. Any ideas?

  4. deheugden says

    You're talking about a certificate for the access gateway; is this the only certificate you need or do the terminal servers also need SSL licences?
    Second, when I want my users to connect from their home over the internet to my published apps, let's say remoteapps.mydomain.local (my domain name is domain.local), how should I fix that? Should I get a domain registration for remoteapps.mydomain.local and how should I link this domain name to my TS server?
    many thanks

  5. MJ Almassud says

    Excellent and simple to follow article.

    I followed your article and I was able to get the first RD Gateway and it seems to be working great.

    Thanks a lot.

    MJ

  6. Tom says

    Thanks Ray,
    I used your article to set up an RD Gateway Server on a VM. All went fine till the end. My domain is .local, so my RD Gateway server’s name is RDserver.domainname.local. Everything I read regarding the self-signed certs says it should be Rdserver.domainname.com and not .local. Hence I cannot get it to work externally at all. Internal is fine, but I don’t care about internal. I even changed the name of the computer to Rdserver.domainname.com just to see if I could trick it… but that did not work either. Firewall settings are all set, ports open etc.
    Any suggestions?
    Best,
    TB

  7. Noel-Gutmann Romain says

    I’ve easily and successfully created my RDP Gateway. The only problem I had is to host the RDP Gateway machine in a virtual one. I use VMware Workstation 8, and when I do so, I lose connection all the time with the physical host. If I try to connect to another VM it’s OK. The problem seems to come from the virtual network created by VMware…

    Because when I use an old physical machine on which I’ve installed W2K8R2, I never lose connection with my computer on which VMware Workstation is installed.

  8. Todd says

    Thanks for the writeup!
    I was banging my head against the proverbial wall until I found this.
    Key things that helped me out:
    1. creating the self signed cert with the external address, not the internal
    2. the very last step on the client, setting the “connect to” as the internal IP address, not the external name.

    Only other thing to note is on windows vista or 7 machines, there is a policy setting that needs to be enabled for users to store their passwords, if so desired. Found instruction on that here:
    http://netport.org/?p=255

    Thanks again!!

    Todd

  9. Bill says

    I’m with Tom…wondering if I can use RD Gateway if my server sits on an AD domain called mydomain.localdomain? If so, what points in this excellent posting would need to change?

  10. says

    Oh, man…it’s working!! “Make sure that the certificate name is the internet DNS (domain) name that resolves to the internet IP address of the RD Gateway server” is what did the trick.

    Thank you so much for this!!

  11. Kenneth says

    Hello there.

    I followed the instructions exactly as they are and got running right after the last step. thank you so much for the article.

  12. Murray says

    Hi there, can you tell me what the minimum physical hardware specs are for a RD Gateway. Building a small 30 user remote access solution.

    • says

      I don’t think it’s too demanding to be honest and for a small environment a Windows 2008 R2 server with a single CPU / 4GB RAM will be fine. Are you building a virtual machine? If so you may find it uses a lot less and can reduce down to 2GB.

  13. Eric says

    I’m setting one up in a small office, a workgroup environment with 2008r2 TS in the lan, and iis in a dmz (also 2008r2), where I’ll add RDG. Microsoft in their documents seems to imply that RDG needs to talk to a DC in the trusted lan for user authentication – with a 1 way trust. Does this mean it won’t work in a small workgroup environment? Would inserting the same 5 users on the RDG with the same passwords as the main Remote Desktop Server suffice?

  14. RW0r1d says

    Nice document Ray. I would like some opinions on a slight variation to your design though considering Microsoft’s 3 recommended models (your design following #3). What about instead of a Vyatta host, the host is a 2008R2 with HyperV and RODC with the RD Gateway on a VM Hyper V guest? You have the cost overhead of a Windows server instead of a free Vyatta host but you have the RODC authentication in the DMZ and could place other VMs if your hardware is adequately sized.
