Installing Remote Desktop Gateway on Windows Server |

remote desktop gateway There is a Remote Desktop Services role on Windows Server that is used to provide secure access to Remote Desktop and publish RemoteApps to the Internet via an HTTPS gateway. A server with the RD Gateway role acts as an intermediary between external RDP clients and internal RD services. When using RDGW, users do not need to configure a VPN to connect to RDS in a corporate network. The standard Remote Desktop Connection client (mstsc.exe) is used to connect. In this article, let’s see how to deploy Remote Desktop Gateway on Windows Server 2019 (this guide is also applicable for Windows Server 2022/2016 and 2012 R2).

Deploy RDS-Gateway Role on Windows Server

The Remote Desktop Gateway service is an optional RDS Farm component, so you will need to install it separately. In most cases, it is recommended to use a dedicated server to deploy RDGW or to combine it with RD Web Access.

It is assumed that Active Directory and RDS farms are already deployed in your network.

you can install remote desktop gateway Roles via Server Manager (Add Roles and Features -> Server Roles -> Remote Desktop Services) or with PowerShell.

Install Remote Desktop Gateway role on Windows Server

When you install the RDGW service, the IIS web server and the NPS (Network Policy Server) role are also installed.

Make sure the rds-gateway role is installed:

Get-WindowsFeature RDS*

powershell - add rds-gateway

Or install the role on Windows Server using the Install-Windows feature command:

Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature –IncludeManagementTools

Create an access group in Active Directory by using the ADUC (dsa.msc) console or PowerShell:

  • rdgwExtuser – Permission to authenticate a group of users on RDGW;
  • rdgwexternal admin – a group for accessing internal RDS hosts via RDGW;
  • mun-rdsfarm — must include all RDS hosts and your RD Connection Broker that you want to allow connections through Remote Desktop Gateway

Configure Remote Desktop Gateway Authorization Policies

RD Gateway Manager ,tsgateway.msc) console is used to manage RDGW authorization policies and access rules, configure two types of policies here:

  • connection authorization policies (RD CAP) – sets that are allowed to authenticate on the RDS gateway;
  • resource authorization policies (RD RAP) – Specifies the users and resources (computers) on the internal network that are allowed to connect via RDGW.

Create the RD cap first:

  1. Expand Policies -> Connection Authorization Policies and select Create New Policy -> Wizard;
  2. Enter policy name (rdgwExtUsers);
  3. Select the authentication type (password and/or smart card) and specify the group of users allowed to authenticate on the RDGW; RDS Gateway Authorization Policy
  4. In Enable or disable device redirection window, you can specify which devices are allowed to be redirected to the RDP session (a clipboard, printer, local drive, etc.); rdgw - configure device redirection
  5. You can then configure timeouts for RDP sessions;
  6. Confirm the creation of the policy.

You can also create an RDGW connection policy using PowerShell:

Import-Module -Name RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'rdgwAllowAutht-CAP' -UserGroups rdgwExtUsers -AuthMethod '1'

After that create RD RAP policy:

  1. In the RD Gateway Manager console, click Policies -> Resource Authorization Policies and select Create New Policy -> Wizard; RD Gateway Manager - Resource Authorization Policy
  2. Enter policy name: rdgwExternalAdmins;
  3. Specify the name of the user group allowed to connect to internal RDS resources; Select the allowed security group to add RDS
  4. On the Network Resources tab, specify which RDS servers your external users are allowed to connect to (mun-rdsfarm); Network Resources - Allow access to internal hosts
  5. Then specify the port numbers to which you want to allow connections. By default, it is recommended to open only the default RDP port TCP/3389. But you can also open additional ports; rd gateway - allowed port
  6. The policy is ready.

You can add this RAP rule using PowerShell:
New-Item -Path RDS:\GatewayServer\RAP -Name allowextAdminMunRDS -UserGroups [email protected] -ComputerGroupType 1 -ComputerGroup [email protected]

Install SSL Certificate for Remote Desktop Gateway

To secure the connection to the RDS gateway, you need to install an SSL certificate on it. It is better to use a commercial certificate issued by an external certification authority (CA). You can also use a free Let’s Encrypt SSL certificate (Configure Let’s Encrypt Certificate on IIS for Remote Desktop Gateway) or a self-signed Windows SSL certificate, but note that external clients must trust this. If a client does not trust a certificate on the RDGW server, it will not be able to connect to the gateway (you can import a self-signed SSL certificate to the client manually or by using a GPO).

An FQDN (DNS) name of your RDGW server must be specified in the Subject Name (CN) or Subject Alternative Name fields of the certificate. It will be used for connection by external client (available from web).

  1. Open RDGW Server Properties in RD Gateway Console and go to ssl certificate tab;
  2. In this example, we are using a self-signed certificate. to select Create Self Signed Certificate , Create and import certificates, Configure SSL Certificate on RD Gateway
  3. Enter the certificate name (this name will be used by your client to connect to RDGW) and select the directory you want to save the certificate in (distribute this certificate to your RD client). Use self-signed certificate on RD Gateway

The following ports are used to connect to RDGateway on Windows Server 2019:

  • HTTPPort (default) – 443 TCP
  • UDPport (default) – 3391 UDP (using the UDP transport protocol is optional, however, this allows to significantly improve tunneling performance and image quality in an RDP session).

Remember to open (forward) these ports from your public IP on the network hardware to your RDGW host.

Remote Desktop Gateway HTTP Transport Port 443

Open RDGW Manager and make sure there are no errors and that all items have green markings.

RDGW Status

Configuring the RDP Client to Use the RDS Gateway

You can then configure the Remote Desktop Connection client to connect to your internal RDS host via Remote Desktop Gateway.

  1. run mstsc.exe Customer;
  2. In General tab, enter the name of a standalone RDS host, RDS farm, or a computer that you want to connect to via RDP (you can also specify a username and use the saved credentials for the RDP connection ); mstsc - RDP Connection Properties
  3. go back to advanced tab and click Adjustment below Connect from Anywhere (configure settings to connect via Remote Desktop Gateway when I’m working remotely) section;
  4. to select Use These RD Gateway Server Settings and specify the external DNS name of your RDGW server (note that this name must be specified in the certificate). If you are using a different port for RDGW, enter it after the server name separated by a colon, for example,, mstsc client - use RD gateway
  5. To prevent entering password twice when connecting, check the option Use my RD Gateway credentials for the remote computer,
  6. Click Connect and enter user credentials to connect to RD Gateway Server;
  7. The client will establish a connection with the RDS/RDP host in your local network;
  8. Open RD Gateway Manager, go to the Monitoring section and make sure your client’s connection is displayed in the list. RD Gateway connection monitoring
If you are using RDCMan for RDP connection, you can set RD Gateway parameter gateway setting tab. the inspection Use TS Gateway Server and set the connection options. rdcman - TS Gateway Settings

You can monitor successful or unsuccessful connections to RDGW in Event Viewer (Application and Service Logs -> Microsoft -> Microsoft-Windows-Terminal Services-Gateway -> Operational).

If the user has successfully connected to RDGW, Event ID 205 from Terminal Services-Gateway Source will appear.

The user "woshub\maxadmin", on client computer "xx.xx.xx.xx", successfully connected to the remote server "" using UDP proxy. The authentication method used was: "Cookie".

Event ID 205 - Third Gateway Successful Connection

If you want to run RemoteApps through RD Gateway, add following lines to RemoteApp *.rdp file:

In this article, we showed how to configure the Remote Desktop Gateway role on Windows Server to implement secure remote access on your network using RDP over HTTPS.

Leave a Comment