Note: A self-signed certificate was used for the purpose of this tutorial.
What is Remote Desktop Gateway
Remote Desktop Gateway, also known as RD Gateway, is a role service that enables authorized remote users to connect to resources on an internal or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be Remote Desktop Session Host (RD Session Host) servers, RD Session Host servers running RemoteApp programs, or computers with Remote Desktop enabled.
Advantages of Remote Desktop Gateway
Remote Desktop (RD) Gateway tunnels the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
With Remote Desktop Gateway installed, you can give your clients the address or DNS name of the gateway server. Give them the name or private IP address of the Remote Desktop server that you want your client to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the internet, or the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Desktop Server.
However, to use RD Gateway, you will need to install a valid SSL certificate. Buying a certificate from a public certificate authority (for example Comodo, InstantSSL or Verisign) is preferable to using a self-signed certificate, because clients will only trust a self-signed certificate if it is explicitly installed on them.
In this tutorial, you will learn:
- How to install an SSL certificate
- How to set up RD Gateway
- How to create a connection authorization policy and a resource authorization policy
- How to test your RD Gateway connection
How to set up Remote Desktop Gateway
Install the Remote Desktop Role
Sign in to the target server with an administrator's credentials.
In Server Manager, select Manage, then select Add Roles and Features. The Add Roles and Features installer will open.
On Before You Begin, select Next. Select Role-based or feature-based installation, then select Next.
For Select destination server, select Select a server from the server pool. For Server Pool, select the name of your local computer. When you’re done, select Next.
In Select Server Roles > Roles, select Remote Desktop Services and select Next.
From Select role services, select only Remote Desktop Gateway.
When you’re prompted to add required features, select Add Features.
From Network Policy and Access Services, select Next.
From Web Server Role (IIS), select Next.
From Role services, select Next.
From Confirm installation selections, select Install. Don't close the installer while the installation is in progress.
Create the Connection Authorization Policy and the Resource Authorization Policy
Open the Remote Desktop Gateway Manager from the Tools menu in Server Manager.
Alternatively, go to Servers, right-click the name of your server, then select RD Gateway Manager.
Create Authorization Policies for RD Gateway
A- In the left pane, navigate to Policies.
B- Click on Connection Authorization Policies.
C- In the Actions pane on the right, right-click Create New Policy and select Wizard.
Select Create a RD CAP and a RD RAP (recommended) and click Next.
Connection Authorization Policy
The Connection Authorization Policy (RD CAP) ensures that only members of the selected groups are allowed to use the Remote Desktop Gateway to access resources.
You can use groups of Active Directory users or groups of Active Directory computer objects. To keep flexibility over which machines users can connect from, we recommend using user groups.
Give the policy a name; an intuitive name is Allowed-To-Use-RDGateway. Click Next.
For the purposes of this tutorial on how to set up an RD Gateway, we will select the Domain Admins group. Best practice is to create a dedicated user group to which you add the users that you want to allow to use the Remote Desktop Gateway. You can create groups based on what resources the users need to access; you then add those groups here and reuse them in the Resource Authorization Policy later on.
Accept the default setting for device redirection and click Next.
Enter the idle and session timeout values for the policy. Click Next.
Create Resource Authorization Policy
The Resource Authorization Policy (RD RAP) is used to restrict access to servers based on group membership. You will need to create Active Directory groups and add servers as members of these groups.
Select the user groups that are allowed access to network resources, i.e., that can remote desktop to servers on the network. For this tutorial, I will select the Domain Admins group, as I have already selected Domain Admins as the group that can use the Remote Desktop Gateway. Then click Next.
Select a group that contains the servers that you want the above user groups to be able to remote desktop to.
For this tutorial on how to set up a Remote Desktop Gateway, we will use the built-in group called Domain Controllers. You can create additional groups containing servers that are related or belong to particular departments. Combined with the department-based user groups from the previous steps, this lets you allow each group of users to access only particular servers.
Click Check Name to make sure the group is found, and then click OK, then Next.
If the Remote Desktop port on the servers was changed from the default, use this screen to specify the port. Otherwise, select Allow connections only to port 3389. Click Next, then Finish.
Confirm creation of the Authorization policies, then click Close.
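The same role installation and CAP/RAP creation performed through the wizard above can be scripted. This is an added example, not the tutorial's own commands; it assumes the domain NetBIOS name CORP, the policy names shown, and the RDS: provider parameters as I recall them (check them with Get-Help New-Item -Path RDS: on your server). Domain Admins and Domain Controllers are the groups the tutorial uses.

```powershell
# Added example: script the RD Gateway role install and the tutorial's CAP/RAP.
$Domain = 'CORP'   # assumption: your Active Directory domain's NetBIOS name

# 1. Install the RD Gateway role service; NPS and IIS are pulled in as required features.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. The RemoteDesktopServices module exposes the gateway configuration as the RDS: drive.
Import-Module RemoteDesktopServices

# 3. Connection Authorization Policy: which users may use the gateway at all.
#    -AuthMethod 1 = password (2 = smart card, 3 = either), as the tutorial's wizard default.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Allowed-To-Use-RDGateway' `
    -UserGroups "Domain Admins@$Domain" -AuthMethod 1

# 4. Resource Authorization Policy: which computers those users may reach, and on which port.
#    -ComputerGroupType 1 = an Active Directory computer group; -PortNumbers restricts it to 3389.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'DomainAdmins-To-DomainControllers' `
    -UserGroups "Domain Admins@$Domain" -ComputerGroupType 1 `
    -ComputerGroup "Domain Controllers@$Domain" -PortNumbers '3389'

# 5. Review: both policies should be listed. Keep the CAP's user group as narrow as the
#    tutorial recommends; a broad CAP turns the gateway into a password-guessing target.
Get-ChildItem 'RDS:\GatewayServer\CAP'
Get-ChildItem 'RDS:\GatewayServer\RAP'
```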
The Remote Desktop Gateway needs to have an SSL certificate installed. You can purchase an SSL certificate for the fully qualified internet domain name of the Remote Desktop Gateway or purchase a wildcard SSL certificate for the domain.
For the purpose of this tutorial on setting up a remote desktop gateway, a Self-Signed Certificate was used.
To install the SSL certificate, open the Remote Desktop Gateway management console, right-click the name of your gateway server and select Properties.
Open the SSL Certificate tab, select the Import a certificate into the RD Gateway option, then select Browse and Import Certificate.
Select the name of your PFX file, then select Open.
Enter the password for the PFX file when prompted. If the password is correct, the import will succeed.
We have now installed a self-signed SSL certificate and bound it to TCP port 443 (the default SSL port).
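The PFX import and certificate binding can also be done from PowerShell, which makes it easy to verify the two things a client will check: that the certificate's name matches the gateway's public DNS name, and whether it is self-signed (as in this tutorial) and therefore not trusted by clients unless installed on them. This is an added example, not part of the tutorial; the PFX path and the gateway FQDN are assumptions.

```powershell
# Added example: import the PFX, bind it to RD Gateway, and run the checks a client performs.
$PfxPath     = 'C:\certs\rdgateway.pfx'   # assumption: path to your PFX file
$GatewayFqdn = 'rdgw.example.com'         # assumption: public DNS name clients use
$Password    = Read-Host -Prompt 'PFX password' -AsSecureString

# RD Gateway reads certificates from the computer's Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password

# Bind the certificate by thumbprint, the same as the SSL Certificate tab does.
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# Check 1: the bound thumbprint is the one just imported.
$bound = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
if ($bound -ne $cert.Thumbprint) { Write-Warning "Gateway is bound to $bound, not $($cert.Thumbprint)" }

# Check 2: the certificate carries the gateway's public name; otherwise every client gets a name error.
if ($cert.DnsNameList.Unicode -notcontains $GatewayFqdn) {
    Write-Warning "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include $GatewayFqdn"
}

# Check 3: a self-signed certificate has Issuer equal to Subject. Clients will refuse it
# until its public part is placed in their Trusted Root store; a CA-issued one avoids this.
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning "Self-signed certificate $($cert.Thumbprint): distribute it to clients or replace it"
}

# Check 4: the HTTPS listener is up on the default port.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```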
Test RD Gateway connection
We must test connectivity from the Remote Desktop Gateway to the network resources that clients will need to connect to. Specifically, we need to test RDP traffic by using a Remote Desktop client to connect to the allowed servers.
Through the authorization policies, we have allowed the Domain Controllers group to be reached by the Domain Admins group through the Remote Desktop Gateway, and we have allowed the Domain Admins group to use the Remote Desktop Gateway.
With Remote Desktop Gateway installed, you and your users get an extra layer of security: connections are made to the address or DNS name of the gateway server rather than directly to the internal hosts.
All you need to do is provide the name or private IP address of the Remote Desktop server that you want your users to connect to. It doesn't matter that the name of the RD Server is not resolvable on the Internet, or that the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials your clients are using, they can connect to the Remote Desktop Server.
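The two conditions just stated (the gateway can resolve the name, and the RAP allows the host on port 3389) can be checked for every member of the Domain Controllers group before asking a user to try. This is an added example, not part of the tutorial: the first part runs on the gateway and assumes the Active Directory PowerShell module is installed there; the second part runs on a client and assumes the gateway FQDN and target name shown.

```powershell
# Added example, part 1 (run on the gateway): can it resolve and reach each RAP target?
Import-Module ActiveDirectory

# The tutorial's RAP uses the built-in Domain Controllers group; enumerate its computer members.
$targets = Get-ADGroupMember -Identity 'Domain Controllers' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { (Get-ADComputer -Identity $_.distinguishedName).DNSHostName }

foreach ($t in $targets) {
    # Name resolution and TCP 3389 from the gateway are exactly what the RAP depends on.
    $r = Test-NetConnection -ComputerName $t -Port 3389 -WarningAction SilentlyContinue
    '{0,-40} resolved={1,-5} port3389={2}' -f $t, ($null -ne $r.RemoteAddress), $r.TcpTestSucceeded
}

# Added example, part 2 (run on a client): clients only ever talk to the gateway on 443,
# so that is the single port that needs to be reachable from the Internet.
$GatewayFqdn = 'rdgw.example.com'   # assumption: name on the gateway's certificate
$Target      = 'dc01.corp.local'    # assumption: an internal host allowed by the RAP
(Test-NetConnection -ComputerName $GatewayFqdn -Port 443).TcpTestSucceeded

# An .rdp file that forces the session through the gateway (gatewayusagemethod 1 = always use it).
$rdp = @"
full address:s:$Target
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
"@
$rdpFile = Join-Path $env:USERPROFILE 'Desktop\via-gateway.rdp'
Set-Content -Path $rdpFile -Value $rdp
# Open it with the Remote Desktop client; a certificate warning here means the
# self-signed gateway certificate is not yet trusted by this client.
mstsc $rdpFile
```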
There is a better way to do IT with V2 Cloud
By using V2 Cloud, you get access to a fully-integrated virtual desktop solution, without the traditional complexity of other cloud providers.
There is an easier way to enable secure remote access to employees without sacrificing end-user experience and performance.
V2 Cloud offers a cloud desktop infrastructure with
- No hidden fees
- No complicated setup
- No contracts
- Flat-rate pricing model
We're the #1 virtualization solution for small businesses. Create virtual desktops, servers, and applications to improve productivity and significantly reduce your IT costs.