Note: A self-signed certificate was used for the purpose of this tutorial.
Remote Desktop Gateway, also known as RD Gateway, is a role service that enables authorized remote users to connect to resources on an internal or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be Remote Desktop Session Host (RD Session Host) servers, RD Session Host servers running RemoteApp programs, or computers with Remote Desktop enabled.
Advantages of RD Gateway
RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
With Remote Desktop Gateway installed, you give your clients the address or DNS name of the gateway server, plus the name or private IP address of the Remote Desktop server you want them to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the Internet, or that the IP address is from a private range. As long as the RD Gateway can resolve the name, and the user credentials your clients are using have the appropriate rights, they can connect to the Remote Desktop Server.
However, to use RD Gateway you will need to install a valid SSL certificate. A certificate purchased from a public CA (Comodo, InstantSSL, Verisign, etc.) is preferable to a self-signed certificate, because clients will trust it without any extra configuration.
In this tutorial, you will learn:
-How to install an SSL certificate
-How to configure RD Gateway
-How to create a connection authorization policy and a resource authorization policy
-How to test your RD Gateway connection
Install the Remote Desktop Role
Sign in to the target server with administrator credentials.
In Server Manager, select Manage, then select Add Roles and Features. The Add Roles and Features wizard will open.
On Before You Begin, select Next. Select Role-based or feature-based installation, then select Next.
On Select destination server, select Select a server from the server pool. In the Server Pool list, select the name of your local computer. When you’re done, select Next.
On Select Server Roles > Roles, select Remote Desktop Services and select Next.
On Select role services, select only Remote Desktop Gateway.
When you’re prompted to add required features, select Add Features.
On Network Policy and Access Services, select Next.
On Web Server Role (IIS), select Next.
On Role services, select Next.
On Confirm installation selections, select Install. Don’t close the wizard while the installation is in progress.
Create the Connection Authorization Policy and the Resource Authorization Policy
Open Remote Desktop Gateway Manager from the Tools menu in Server Manager.
Alternatively, go to Servers, right-click the name of your server, then select RD Gateway Manager.
Create Authorization Policies for RD Gateway
A- In the left pane, navigate to Policies
B- Click on Connection Authorization Policies.
C- In the Actions pane on the right, right-click Create New Policy and select Wizard.
Select Create a RD CAP and a RD RAP (recommended) and click Next.
Connection Authorization Policy
A Connection Authorization Policy (RD CAP) ensures that only members of the selected groups are allowed to use the Remote Desktop Gateway to access resources.
You can use groups based on Active Directory user objects or groups based on Active Directory computer objects. To keep flexibility in terms of which machines users can connect from, we recommend using user groups.
Give the policy a name. An intuitive name is Allowed-To-Use-RDGateway. Click Next.
For the purposes of this tutorial, we will select the Domain Admins group. Best practice is to create a dedicated user group to which you add the users you want to allow to use the Remote Desktop Gateway. You can create groups based on what resources the users need to access; that way, you can add those groups here and then reuse them in the Resource Authorization Policy later on.
Accept the default setting for device redirection and click Next.
Enter the idle and session timeout values you want to enforce, then click Next.
Create Resource Authorization Policy
The Resource Authorization Policy (RD RAP) is used to restrict access to servers based on group membership. You will need to create Active Directory groups and add servers as members of these groups.
Select the user groups that are allowed to access network resources, i.e., that can remote desktop to servers on the network. For this tutorial, I will select the Domain Admins group, as I have already selected Domain Admins as the group that can use the Remote Desktop Gateway. Then click Next.
Select a group that contains the servers that you want the above user groups to be able to remote desktop to.
For this tutorial, we will use the built-in group called Domain Controllers. You can create additional groups containing servers that are related or belong to particular departments. Combined with the user groups from the previous steps, this lets you assign groups per department and allow each one to access only particular servers.
Click Check Name to make sure the group is found, and then click OK, then Next.
If the Remote Desktop port on the servers was changed from the default, use this screen to specify that port. Otherwise, select Allow connections only to port 3389. Click Next, then Finish.
Confirm creation of the Authorization policies, then click Close.
Install the SSL Certificate
The Remote Desktop Gateway needs to have an SSL certificate installed. You can purchase an SSL certificate for the fully qualified Internet domain name of the Remote Desktop Gateway, or purchase a wildcard SSL certificate for the domain. For the purpose of this tutorial, a self-signed certificate was used.
To install the SSL certificate, right-click the name of your gateway server in the Remote Desktop Gateway Manager console and select Properties.
Open the SSL Certificate tab, select the Import a certificate into the RD Gateway option, then select Browse and Import Certificate.
Select the name of your PFX file, then select Open.
Enter the password for the PFX file when prompted and if the password entered is correct, the import will be successful.
We have now successfully installed a self-signed SSL certificate, and the gateway listens on TCP port 443 (the default HTTPS port).
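The same RD CAP, RD RAP and certificate steps from the two sections above can be scripted with the RemoteDesktopServices module's RDS: drive. This is an added example, not part of the original tutorial; the domain name, PFX path and the -ComputerGroup parameter name are assumptions.

```powershell
# Added example (not from the tutorial): script the RD CAP, RD RAP and
# certificate binding on the gateway server instead of using the wizard.
Import-Module RemoteDesktopServices

$Domain      = 'CONTOSO'                    # assumption: your AD domain
$PfxPath     = 'C:\certs\rdgw.pfx'          # assumption: your PFX file
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import the PFX into the Local Computer Personal store and bind it to the gateway.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 2. RD CAP: who may use the gateway. AuthMethod 1 selects password authentication.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Allowed-To-Use-RDGateway' `
    -UserGroups "Domain Admins@$Domain" -AuthMethod 1

# 3. RD RAP: which servers those users may reach.
#    ComputerGroupType 1 = an Active Directory computer group (2 would allow any resource,
#    which defeats the purpose of the RAP). The -ComputerGroup parameter name is assumed.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Allowed-Servers' `
    -UserGroups "Domain Admins@$Domain" `
    -ComputerGroupType 1 -ComputerGroup "Domain Controllers@$Domain"

# 4. Review the resulting policies and the bound certificate.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP | Select-Object Name
Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint
```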
Test RD Gateway connection
We must test connectivity from the Remote Desktop Gateway to the network resources that clients will need to connect to. Specifically, we need to test RDP traffic by using a remote desktop client to connect to the allowed servers.
We’ve allowed the domain controllers to be accessed by the Domain Admins group through the Remote Desktop Gateway, and we’ve allowed the Domain Admins group to be able to use the Remote Desktop Gateway by using the Authorization policies.
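A client-side check of the gateway, added here as an example that is not part of the original tutorial: it confirms TCP 443 is reachable, reads the certificate the gateway presents and reports whether the client trusts it (a self-signed certificate will show as untrusted until it is imported on the client), then writes an .rdp file that routes the session through the gateway and opens it. The gateway and target host names are assumptions.

```powershell
# Added example (not from the tutorial): verify the gateway from a client machine.
$GatewayHost = 'rdgw.contoso.com'     # assumption: public DNS name of the gateway
$TargetHost  = 'dc01.contoso.local'   # assumption: internal name only the gateway resolves

# 1. TCP 443 must be reachable from the client's side.
$tcp = Test-NetConnection -ComputerName $GatewayHost -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "Port 443 on $GatewayHost is not reachable" }

# 2. Read the certificate the gateway presents. The validation callback returns $true
#    only so the handshake completes and we can inspect the cert ourselves below.
$client = [System.Net.Sockets.TcpClient]::new($GatewayHost, 443)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($GatewayHost)
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()

# 3. Build the chain the way the RDP client will; self-signed certs fail here until trusted.
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$trusted = $chain.Build($cert)
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"Trusted : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}

# 4. Generate an .rdp file that always goes through the gateway, then open it in mstsc.
$rdp = @"
full address:s:$TargetHost
gatewayhostname:s:$GatewayHost
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
prompt for credentials:i:1
"@
$rdpPath = Join-Path $env:TEMP 'rdgw-test.rdp'
Set-Content -Path $rdpPath -Value $rdp -Encoding ASCII
mstsc.exe $rdpPath
```

If the session opens, the RD CAP allowed the user and the RD RAP allowed the target; if mstsc reports that the gateway certificate cannot be verified, the trust check in step 3 shows which part of the chain the client rejects.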
With Remote Desktop Gateway installed, you and your users get an extra layer of security: clients connect to the address or DNS name of your gateway server, and all you need to provide them is the name or private IP address of the Remote Desktop server they should reach. It doesn’t matter that the name of the RD Server is not resolvable on the Internet, or that the IP address is from a private range. As long as the RD Gateway can resolve the name, and the user credentials your clients are using have the appropriate rights, they can connect to the Remote Desktop Server.
Built-In Gateway for your RDP Connections
Now, you know how to install Remote Desktop Gateway in 30 steps (yikes!). What if I told you that there’s a way to dodge this tutorial but get an even better layer of security?
By using V2 Cloud, you get access to RDP connections without the complexity of setting up RD Gateway. That means less work to run your Remote Desktop connections. Here’s how to create a cloud computer in 5 steps.
Step 1: Log in to your dashboard
Log in to your dashboard and click + Cloud Computer (the big + button).
Step 2: Select the region and the plan you need
Select the region where the Cloud Computer will be hosted. We recommend using the region nearest to your location to minimize latency. Choose a plan that best fits the applications you will run and the number of users.
If you’re unsure which plan to choose, tell us about your project and we will help you select the best plan. If you want a higher plan than what is suggested, please reach out to us and we will build a custom plan for you.
Step 3: Choose the OS and IP address
Choose the operating system depending on the applications you want to run. If you are unsure, simply share your project with us and we will help you choose the best one.
Select the type of IP address. We recommend using a private IP address for added security unless you want to host an Internet facing server (e.g. Web Server) where a public IP address would be preferred.
Step 4: Create your cloud computer and add your credit card
Name your instance and click Create Cloud Computer. Add your credit card information and click Submit to start the build process.
Step 5: Wait 20 min and enjoy your new cloud computer!
That’s it! No more tasks, and 25 fewer steps than setting up your RD Gateway.