Setup RD Gateway Role on Windows Server 2012 R2

The Remote Desktop Gateway (RDG) role enables you to access your RDS environment remotely over TCP port 443 (HTTPS).

Remote Desktop Services - Gateway Role
RDS Architecture

vBoring Blog Series:

  1. Setup Remote Desktop Services in Windows Server 2012 R2
  2. Setup RD Licensing Role on Windows Server 2012 R2
  3. Setup RD Gateway Role on Windows Server 2012 R2

Install the RD Gateway Role:

If your Gateway server is going to be a separate server, add it to the Server Pool of your RDS environment by going to Manage -> Add Servers.

RD Gateway - Server Pool

In Server Manager of your RDS environment, click the RD Gateway icon.

RD Gateway 1 - Time to install Gateway

Select the server from the server pool on which you want to install the RD Gateway role. Click Next.

RD Gateway 2 - Server Selection

The installation creates a self-signed SSL certificate that can be changed later. Enter the URL (FQDN) you want to use and click Next.

RD Gateway 3 - SSL Certificate Name

Confirm your selections and the FQDN, then click Add.

RD Gateway 4 - Confirmation

Once it finishes, click Close.

RD Gateway 5 - Results

Back in Server Manager, the RD Gateway will have an icon signifying that the role is installed.

RD Gateway 6 - Deployment Overview

Configure RD Gateway – Apply SSL Certificate:

RD Gateway will work with self-signed certificates, but it requires a few additional steps to work on remote computers outside your LAN. I did my initial setup using self-signed certs but will eventually change to a trusted SSL certificate. It is easy to change once a trusted SSL certificate is obtained.

To create the self-signed certificate, go to Tasks -> Edit Deployment Properties.

RD Gateway 7 - Edit Deployment Properties

Click Certificates -> RD Gateway -> Create new certificate.

RD Gateway 8 - Create new certificate

Enter the following information:

  • Certificate Name: use your Gateway URL
  • Password: Don’t lose the password!
  • Check the box to Store this Certificate and pick a folder location for safekeeping
  • Check the box to Allow the certificate to be added to the Trusted Root Certification Authorities certificate store

RD Gateway 9 - New certificate details

The RD Gateway will now show Ready to apply. Click Apply.

RD Gateway 10 - Ready to Apply

Once finished, it will show Success. Click OK.

For the new certificate to take effect, either restart the RD Gateway server or restart the RD Gateway service (listed as Remote Desktop Gateway in services.msc).

RD Gateway 11 - Certificate applied

If you have a third-party SSL certificate (such as GoDaddy, DigiCert, StartSSL, etc.) you can apply it the same way. I created a wildcard cert using StartSSL; having a trusted SSL certificate makes external access much easier:

RDS Gateway - Trusted SSL Cert
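The same role installation and certificate steps can be scripted from the RD Connection Broker with the RemoteDesktop module. This is an added example, not from the original post; the broker, gateway and external names and the certificate folder are assumptions.

```powershell
# Added example: RD Gateway role + certificate from PowerShell (run on the connection broker).
Import-Module RemoteDesktop

$Broker       = 'rdcb01.corp.local'   # assumed RD Connection Broker FQDN
$GatewaySrv   = 'rdg01.corp.local'    # assumed server that receives the RD Gateway role
$ExternalFqdn = 'rdg.example.com'     # assumed public name clients will use (the "Gateway URL")
$CertDir      = 'C:\RDS-Certs'        # assumed folder for the "Store this certificate" option

# 1. Add the RD Gateway role to the existing deployment (what the Server Manager wizard does).
Add-RDServer -Server $GatewaySrv -Role RDS-GATEWAY -ConnectionBroker $Broker `
             -GatewayExternalFqdn $ExternalFqdn

# 2. Create the self-signed certificate for the gateway role. The DNS name must be the
#    external FQDN so that the name clients connect to matches the certificate.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (do not lose it)'
New-RDCertificate -Role RDGateway -DnsName $ExternalFqdn -Password $pfxPassword `
                  -ExportPath (Join-Path $CertDir 'rdg-selfsigned.pfx') `
                  -ConnectionBroker $Broker -Force

# 2b. Once a trusted (third-party or wildcard) PFX is available, apply it instead:
# Set-RDCertificate -Role RDGateway -ImportPath 'C:\RDS-Certs\wildcard.pfx' `
#                   -Password $pfxPassword -ConnectionBroker $Broker -Force

# 3. Verify what is bound. Level reports Trusted/Untrusted; ExpiresOn lets you renew in time.
Get-RDCertificate -Role RDGateway -ConnectionBroker $Broker |
    Format-List Role, Level, IssuedTo, IssuedBy, ExpiresOn, Thumbprint

# 4. The gateway service (TSGateway) must restart before the new certificate is served.
Invoke-Command -ComputerName $GatewaySrv -ScriptBlock { Restart-Service -Name TSGateway }
```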

Configure RD Gateway – Permissions and Network Resources:

By default, the RD Gateway is set to allow all Domain Users to use the RD Gateway, but with no Network Resources to connect to. To configure both of these options, open the Remote Desktop Gateway Manager:

Start -> Control Panel -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager

RD Gateway 12 - Remote Desktop Gateway Manager

Drill down to Resource Authorization Policies, select RDG_AllDomainComputers and click Properties.

On the User Groups tab you can change who has permission to use the RD Gateway (by default, Domain Users have access). For security, you could create an Active Directory group called RD-Users so that only members of that group have access.

RD Gateway 13 - User Group Permissions

To configure which computers can be accessed through the RD Gateway, go to the Network Resources tab. By default the middle option is selected with no groups created. You have three options:

  • The first option assigns permission to an AD Organizational Unit. Example: you can select Domain Computers.
  • The second option lets you create an RD Gateway-managed group and then add servers to the list. This is a nice option if you want only a few servers to be accessible.
  • The last option allows connections to any server. It is the least secure and should be used only in home labs!

Click Apply and OK to save your changes.

RD Gateway 14 - Network Resource Permissions
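The RAP settings above can be audited and tightened with the RemoteDesktopServices provider (the RDS: drive) on the gateway server itself. This is an added example, not from the original post; the domain and group names are assumptions, and the New-Item parameters follow the provider's RAP parameters (UserGroups, ComputerGroupType, ComputerGroup).

```powershell
# Added example: audit Resource Authorization Policies, then create a narrower one.
# Run on the RD Gateway server. Domain/group names are assumptions.
Import-Module RemoteDesktopServices   # exposes the RDS: drive

# ComputerGroupType: 0 = RD Gateway-managed group, 1 = AD group, 2 = any network resource
$typeName = @{ 0 = 'RDG managed group'; 1 = 'AD group'; 2 = 'ANY computer (home lab only)' }

# 1. Audit: which RAPs are enabled, who they admit, and what they can reach.
$report = foreach ($rap in Get-ChildItem RDS:\GatewayServer\RAP) {
    $base   = "RDS:\GatewayServer\RAP\$($rap.Name)"
    $status = [int](Get-Item "$base\Status").CurrentValue
    $type   = [int](Get-Item "$base\ComputerGroupType").CurrentValue
    $users  = (Get-ChildItem "$base\UserGroups").Name -join ', '
    $finding = if ($type -eq 2) { 'RDP allowed to any host the gateway can reach' }
               elseif ($users -like 'Domain Users@*') { 'every domain account may use the gateway' }
               else { '' }
    [pscustomobject]@{
        RAP     = $rap.Name
        Enabled = ($status -eq 1)
        Users   = $users
        Reaches = $typeName[$type]
        Finding = $finding
    }
}
$report | Format-Table -AutoSize

# 2. Tighten: a RAP that admits only RD-Users and reaches only members of Domain Computers.
New-Item -Path RDS:\GatewayServer\RAP -Name 'RAP-RDUsers-DomainComputers' `
         -UserGroups 'RD-Users@corp' -ComputerGroupType 1 `
         -ComputerGroup 'Domain Computers@corp'            # assumed group names

# 3. Disable the default RAP so only the narrower policy stays in effect (Status 1 = enabled, 0 = disabled).
Set-Item RDS:\GatewayServer\RAP\RDG_AllDomainComputers\Status -Value 0
```

Re-run the audit loop afterwards; the default RAP should show Enabled False and the new one should show an empty Finding.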

Configure RD Gateway Port Forwarding:

This step does not involve configuring your RDS environment but your network. In order for traffic from the outside to reach your RD Gateway server, you will need to open some ports in your firewall.

If you are setting this up in a home lab where you don’t have a DMZ and are only behind a single firewall (router), then you only need to set up port forwarding on TCP 443 to your RD Gateway server.

If you are setting this up in an enterprise where the RD Gateway is in the DMZ, then there are quite a few ports that need to be opened. To read about these ports and firewall scenarios, check out this Microsoft MSDN blog post:

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

How to use RD Gateway for RDP:

Now that your RD Gateway is set up, you are ready to connect to your environment! Open Remote Desktop Connection and go to Show Options:

RD Gateway 1 - RDP Configuration

Click on the Advanced tab then Settings:

RD Gateway 2 - Advanced Settings

Enter the name of your Gateway as it is accessed remotely, then click OK:

RD Gateway 3 - Gateway Server Settings

Now, back on the General tab, enter the name of the internal server you wish to connect to. When connecting you should be prompted for your credentials.

RD Gateway 4 - Gateway Credentials

If everything is configured correctly you should be connected to your internal computer using RDP externally through your RD Gateway!
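The client-side dialogs above map onto a handful of .rdp file keys, so the same connection can be scripted (and the 443 path from the port-forwarding section checked first). This is an added example, not from the original post; the gateway and internal host names are assumptions.

```powershell
# Added example: build an .rdp file that connects through the RD Gateway, after
# confirming the gateway answers on TCP 443. Host names are assumptions.
$Gateway  = 'rdg.example.com'    # the external name entered in Gateway Server Settings
$Internal = 'app01.corp.local'   # the internal server entered on the General tab
$RdpFile  = Join-Path $env:USERPROFILE 'Desktop\app01-via-gateway.rdp'

# The gateway must be reachable on 443 from where the client sits (port forwarding / DMZ rules).
$probe = Test-NetConnection -ComputerName $Gateway -Port 443
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 443 to $Gateway is not reachable; fix port forwarding/firewall before trying RDP."
}

# Documented mstsc .rdp keys:
#   gatewayusagemethod 1        = always use the gateway (2 would bypass it for local addresses)
#   gatewayprofileusagemethod 1 = use the explicit gateway settings in this file
#   gatewaycredentialssource 4  = prompt for the gateway password at connect time
#   promptcredentialonce 1      = reuse the gateway credentials for the internal server
#   authentication level 2      = warn if the server certificate cannot be verified
@"
full address:s:$Internal
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
promptcredentialonce:i:1
authentication level:i:2
prompt for credentials:i:1
"@ | Set-Content -Path $RdpFile -Encoding Unicode   # mstsc expects UTF-16 .rdp files

# Launch Remote Desktop Connection with the file; equivalent to filling in the dialogs by hand.
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$RdpFile`""
```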

6 thoughts on “Setup RD Gateway Role on Windows Server 2012 R2”

  1. Very useful article, in my case I am not able to apply the certificates, Role Services RD Gateway under level column shown Unknown as well as grayed out.

    Regards,

    Alaa
  2. Doesn’t appear to allow me to save a wildcard cert when trying to create a new one. *.mydomain.com is highlighted in red and unable to click okay.
  3. You’ve covered everything except what I need. I need to know what INTERNAL port to which Port 443 is forwarded. Everything I check manages to leave that part out. Super frustrating.

  4. Hi Rob. Is there a chance to use RD Gateway to connect over Broker to one of the RDS Session Hosts or is it just possible to connect to a specific session host? If I have to enter a specific session host, the connection would not be possible during a maintenance window of this server. If it would be possible to use the collection, then the connection would still be possible if just one server is in a maintenance window… Gabi