Building a Remote Desktop Gateway (RDG) / RD Gateway Server

Posted on 05 Jan 2011 by Ray Heffer

Creating a Remote Desktop Gateway (RD Gateway) is straightforward, and it lets you securely access your Windows servers over port 443 using the Remote Desktop Connection client. I use this to access my home lab when I’m on the road or at work, and it saves exposing your machines to the internet directly over RDP (TCP 3389). The RD Gateway isn’t new; in fact it was available on Windows Server 2008 as TS Gateway, and the installation is the same. For this article, I will be using Windows Server 2008 R2.

I run my RD Gateway on a virtual machine located inside a DMZ that I have created using Vyatta, a free virtual appliance. I won’t go into the firewall configuration here, as this is a quick configuration guide for creating your RDS Gateway.

Step 1: Build a new virtual machine and install Windows Server 2008 R2.

Step 2: Click on Add Roles (in Server Manager). You will then be presented with the following wizard dialog boxes.

a) Click next

b) Select “Remote Desktop Services” and click next

c) Click next

d) Select “Remote Desktop Gateway” and click next

e) Click “Add Required Role Services”

f) Select “Choose a certificate for SSL encryption later”

g) Select “Create authorization policies” “Now” and click next

h) Add the group(s) that you wish to grant access through the RD Gateway or leave the default “Administrators” and click next

i) Leave the default “Password” selected and click next

j) Click “Browse” to choose which computers RD Gateway users can connect to, or select “Allow users to connect to any computer on the network” and click next

k) Click next on the “Introduction to Network Policy and Access Services” screen

l) Leave the default “Network Policy Server” selected and click next

m) Click next on the “Introduction to Web Server (IIS)” screen

n) Leave the defaults selected and click next

o) Click Install to begin the installation.
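The same role services that the Add Roles wizard installs in Step 2 can be added from the command line with the Server Manager cmdlets that ship with Windows Server 2008 R2. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the new server, and the feature names are the standard Server Manager names for the RD Gateway, Network Policy Server and IIS Web Server role services.

```powershell
# Added example: install the Step 2 role services without the wizard.
# Requires an elevated PowerShell on Windows Server 2008 R2.
Import-Module ServerManager

# RDS-Gateway automatically pulls in its required role services (NPS and IIS,
# as in wizard steps e and k-n); they are listed explicitly here so that the
# result of each one is reported.
$features = 'RDS-Gateway', 'NPAS-Policy-Server', 'Web-Server'
$result   = Add-WindowsFeature $features
$result | Format-List Success, RestartNeeded, FeatureResult

# Verify what is actually installed before moving on to Step 3.
Get-WindowsFeature $features | Format-Table DisplayName, Name, Installed -AutoSize
```

The connection authorization policy (wizard steps g to j) is not created by these cmdlets; after the features are installed, the CAP and RAP still need to be configured in RD Gateway Manager as described in Step 3.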

When the installation is finished you should be presented with the following screen:

Step 3: Configuring the RD Gateway

  1. Now the RD Gateway is installed, go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager.
  2. Right click on the RD Gateway server within the RD Gateway Manager console and select Properties.
  3. Select “Create a self-signed certificate” then click “Create and Import Certificate”. You will then be presented with the “RD Gateway - Create a self-signed certificate” dialog.
  4. Make sure that the certificate name is the internet DNS (domain) name that resolves to the internet IP address of the RD Gateway server. The firewall will need to allow communication to the server on TCP port 443.
  5. Tick “Store the root certificate” and choose a file location to save the certificate. For example: C:\rd-cert.cer

As this is a self-signed certificate, you will need to import the certificate to your machine that you are accessing the RD Gateway from. To do this, follow these steps:

  1. From the client machine accessing the RD Gateway, right click on the certificate file and click “Install Certificate”
  2. Click Next then select “Place all certificates in the following store”
  3. Browse to “Trusted Root Certification Authorities”, then click Next.
  4. Click Finish

Note: The internet (DNS) host name must resolve to the internet IP address of the RD Gateway server, so make sure that this is the case. This domain name must also match the certificate name (E.g.

Step 4: Configuring the Remote Desktop Connection Client

  1. Launch the Remote Desktop Connection client.
  2. Select the “Advanced” tab and click “Settings”.
  3. Select “Use these RD Gateway server settings” (Windows XP will be “Use these TS Gateway settings”)
  4. Enter the server / host name of your RD Gateway server (E.g.
  5. Optional: Select “Use my RD Gateway credentials for the remote computer”
  6. Click OK.
  7. Finally, under the “General” tab enter the local IP address or server name of the machine you wish to connect to.

Your connection will be tunnelled over SSL, providing your firewall configuration permits TCP port 443 from the internet to your RD Gateway server and TCP port 3389 from the RD Gateway server to your internal network.
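Before handing the connection details to users, it is worth checking from an internet-connected client that the gateway answers on TCP 443, that the certificate it presents carries the DNS name clients will type in (the requirement in the Step 3 note), and whether it is self-signed and so needs the root certificate imported. The script below is an added example that is not part of the original post; it uses only .NET classes available to PowerShell 2.0, and the host names and file path are placeholders to replace with your own. It also writes an .rdp file whose settings correspond to the Step 4 client configuration, using the documented .rdp file keys.

```powershell
# Added example: verify an RD Gateway from a client and generate a matching .rdp file.
# All host names and paths below are placeholders, not values from the original post.
param(
    [string]$GatewayHost  = 'rdgateway.example.com',   # placeholder: internet DNS name of the gateway
    [string]$InternalHost = 'server1.lab.local',       # placeholder: internal machine to connect to
    [string]$RdpFile      = "$env:USERPROFILE\Desktop\lab-via-gateway.rdp"
)

function Test-RdGatewayCertificate {
    param([string]$HostName, [int]$Port = 443)

    # A plain TCP connect fails here if the firewall does not allow 443 to the gateway.
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)

    # Accept any chain during the handshake: the point is to inspect the certificate,
    # not to trust it. Trust decisions are made on the returned properties below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # DnsName returns the subject alternative name if present, otherwise the CN.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        NameMatches = ($dnsName -ieq $HostName)
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
    }
}

function New-GatewayRdpFile {
    param([string]$Gateway, [string]$Target, [string]$Path)
    # Keys are the documented .rdp file settings; values mirror Step 4:
    #   gatewayusagemethod 1        = "Use these RD Gateway server settings"
    #   gatewayprofileusagemethod 1 = use the explicit settings in this file
    #   gatewaycredentialssource 0  = ask for a password (NTLM), matching Step 2 i)
    #   promptcredentialonce 1      = "Use my RD Gateway credentials for the remote computer"
    $lines = @(
        "full address:s:$Target",
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",
        "gatewayprofileusagemethod:i:1",
        "gatewaycredentialssource:i:0",
        "promptcredentialonce:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

$check = Test-RdGatewayCertificate -HostName $GatewayHost
$check | Format-List Subject, Issuer, NotAfter, Thumbprint, NameMatches, SelfSigned

if (-not $check.NameMatches) {
    Write-Warning "Certificate name does not match $GatewayHost; the RD client will reject the gateway."
}
if ($check.SelfSigned) {
    Write-Warning "Self-signed certificate: import the exported .cer into Trusted Root Certification Authorities on each client (Step 3)."
}

$written = New-GatewayRdpFile -Gateway $GatewayHost -Target $InternalHost -Path $RdpFile
"Wrote $written; open it with mstsc.exe to connect through the gateway."
```

Run the script from the machine you will connect from, not from inside the DMZ, so that the 443 check exercises the same firewall path as a real connection. The script only reports on the certificate; it deliberately does not install anything into the trusted root store, since that step should remain a conscious decision per client.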
