remote desktop gateway There is a Remote Desktop Services role on Windows Server that is used to provide secure access to Remote Desktop and publish RemoteApps to the Internet via an HTTPS gateway. A server with the RD Gateway role acts as an intermediary between external RDP clients and internal RD services. When using RDGW, users do not need to configure a VPN to connect to RDS in a corporate network. The standard Remote Desktop Connection client (mstsc.exe) is used to connect. In this article, let’s see how to deploy Remote Desktop Gateway on Windows Server 2019 (this guide is also applicable for Windows Server 2022/2016 and 2012 R2).
Deploy RDS-Gateway Role on Windows Server
The Remote Desktop Gateway service is an optional RDS Farm component, so you will need to install it separately. In most cases, it is recommended to use a dedicated server to deploy RDGW or to combine it with RD Web Access.
you can install remote desktop gateway Roles via Server Manager (Add Roles and Features -> Server Roles -> Remote Desktop Services) or with PowerShell.
When you install the RDGW service, the IIS web server and the NPS (Network Policy Server) role are also installed.
Make sure the rds-gateway role is installed:
Or install the role on Windows Server using the Install-Windows feature command:
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature –IncludeManagementTools
Create an access group in Active Directory by using the ADUC (dsa.msc) console or PowerShell:
- rdgwExtuser – Permission to authenticate a group of users on RDGW;
- rdgwexternal admin – a group for accessing internal RDS hosts via RDGW;
- mun-rdsfarm — must include all RDS hosts and your RD Connection Broker that you want to allow connections through Remote Desktop Gateway
Configure Remote Desktop Gateway Authorization Policies
RD Gateway Manager ,
tsgateway.msc) console is used to manage RDGW authorization policies and access rules, configure two types of policies here:
- connection authorization policies (RD CAP) – sets that are allowed to authenticate on the RDS gateway;
- resource authorization policies (RD RAP) – Specifies the users and resources (computers) on the internal network that are allowed to connect via RDGW.
Create the RD cap first:
- Expand Policies -> Connection Authorization Policies and select Create New Policy -> Wizard;
- Enter policy name (rdgwExtUsers);
- Select the authentication type (password and/or smart card) and specify the group of users allowed to authenticate on the RDGW;
- In Enable or disable device redirection window, you can specify which devices are allowed to be redirected to the RDP session (a clipboard, printer, local drive, etc.);
- You can then configure timeouts for RDP sessions;
- Confirm the creation of the policy.
You can also create an RDGW connection policy using PowerShell:
Import-Module -Name RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'rdgwAllowAutht-CAP' -UserGroups rdgwExtUsers -AuthMethod '1'
After that create RD RAP policy:
- In the RD Gateway Manager console, click Policies -> Resource Authorization Policies and select Create New Policy -> Wizard;
- Enter policy name: rdgwExternalAdmins;
- Specify the name of the user group allowed to connect to internal RDS resources;
- On the Network Resources tab, specify which RDS servers your external users are allowed to connect to (mun-rdsfarm);
- Then specify the port numbers to which you want to allow connections. By default, it is recommended to open only the default RDP port TCP/3389. But you can also open additional ports;
- The policy is ready.
Install SSL Certificate for Remote Desktop Gateway
To secure the connection to the RDS gateway, you need to install an SSL certificate on it. It is better to use a commercial certificate issued by an external certification authority (CA). You can also use a free Let’s Encrypt SSL certificate (Configure Let’s Encrypt Certificate on IIS for Remote Desktop Gateway) or a self-signed Windows SSL certificate, but note that external clients must trust this. If a client does not trust a certificate on the RDGW server, it will not be able to connect to the gateway (you can import a self-signed SSL certificate to the client manually or by using a GPO).
An FQDN (DNS) name of your RDGW server must be specified in the Subject Name (CN) or Subject Alternative Name fields of the certificate. It will be used for connection by external client (available from web).
- Open RDGW Server Properties in RD Gateway Console and go to ssl certificate tab;
- In this example, we are using a self-signed certificate. to select Create Self Signed Certificate , Create and import certificates,
- Enter the certificate name (this name will be used by your client to connect to RDGW) and select the directory you want to save the certificate in (distribute this certificate to your RD client).
The following ports are used to connect to RDGateway on Windows Server 2019:
- HTTPPort (default) – 443 TCP
- UDPport (default) – 3391 UDP (using the UDP transport protocol is optional, however, this allows to significantly improve tunneling performance and image quality in an RDP session).
Remember to open (forward) these ports from your public IP on the network hardware to your RDGW host.
Open RDGW Manager and make sure there are no errors and that all items have green markings.
Configuring the RDP Client to Use the RDS Gateway
You can then configure the Remote Desktop Connection client to connect to your internal RDS host via Remote Desktop Gateway.
- In General tab, enter the name of a standalone RDS host, RDS farm, or a computer that you want to connect to via RDP (you can also specify a username and use the saved credentials for the RDP connection );
- go back to advanced tab and click Adjustment below Connect from Anywhere (configure settings to connect via Remote Desktop Gateway when I’m working remotely) section;
- to select Use These RD Gateway Server Settings and specify the external DNS name of your RDGW server (note that this name must be specified in the certificate). If you are using a different port for RDGW, enter it after the server name separated by a colon, for example,
- To prevent entering password twice when connecting, check the option Use my RD Gateway credentials for the remote computer,
- Click Connect and enter user credentials to connect to RD Gateway Server;
- The client will establish a connection with the RDS/RDP host in your local network;
- Open RD Gateway Manager, go to the Monitoring section and make sure your client’s connection is displayed in the list.
You can monitor successful or unsuccessful connections to RDGW in Event Viewer (Application and Service Logs -> Microsoft -> Microsoft-Windows-Terminal Services-Gateway -> Operational).
If the user has successfully connected to RDGW, Event ID 205 from Terminal Services-Gateway Source will appear.
The user "woshub\maxadmin", on client computer "xx.xx.xx.xx", successfully connected to the remote server "mun-rdsgw.woshub.com" using UDP proxy. The authentication method used was: "Cookie".
If you want to run RemoteApps through RD Gateway, add following lines to RemoteApp
In this article, we showed how to configure the Remote Desktop Gateway role on Windows Server to implement secure remote access on your network using RDP over HTTPS.