Remote Desktop Gateway is a Remote Desktop Services role on Windows Server that is used to provide secure access to remote desktops and published RemoteApps from the Internet via an HTTPS gateway. A server with the RD Gateway role acts as an intermediary between external RDP clients and internal RD services. When using RDGW, users don’t need to configure a VPN to connect to RDS in a corporate network. The standard Remote Desktop Connection client (mstsc.exe) is used to connect. In this article, let’s look at how to deploy Remote Desktop Gateway on Windows Server 2019 (the guide is also applicable for Windows Server 2022/2016 and 2012 R2).
Deploy RDS-Gateway Role on Windows Server
The Remote Desktop Gateway service is an optional RDS farm component, so you have to install it separately. In most cases, it is recommended to use a dedicated server to deploy RDGW or combine it with RD Web Access.
You can install the Remote Desktop Gateway role through the Server Manager (Add roles & Features -> Server Role -> Remote Desktop Services) or with PowerShell.
When you install the RDGW service, the IIS web server and NPS (Network Policy Server) role are also installed.
Make sure that the RDS-Gateway role is installed:
Get-WindowsFeature RDS*
Or install the role on Windows Server using the Install-WindowsFeature command:
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools
Create access groups in Active Directory using the ADUC (dsa.msc) console or with PowerShell:
- rdgwExtUsers – a group of users allowed to authenticate on the RDGW;
- rdgwExternalAdmins – a group of users allowed to access internal RDS hosts via the RDGW;
- mun-rdsfarm – a group that must include all RDS hosts and the RD Connection Broker that you want to allow connections to through the Remote Desktop Gateway.
Configure Remote Desktop Gateway Authorization Policies
The RD Gateway Manager (tsgateway.msc) console is used to manage RDGW authorization policies and access rules. Configure two types of policies here:
- Connection Authorization Policies (RD CAP) – specify who is allowed to authenticate on the RDS Gateway;
- Resource Authorization Policies (RD RAP) – specify which users may connect to which resources (computers) on the internal network via the RDGW.
Create the RD CAP first:
- Expand Policies -> Connection Authorization Policies and select Create New Policy -> Wizard;
- Enter a policy name (rdgwExtUsers);
- Select an authentication type (a password and/or a smart card) and specify a group of users allowed to authenticate on the RDGW;
- In the Enable or Disable Device Redirection window, you may specify what devices are allowed to be redirected to an RDP session (a clipboard, printers, local drives, etc.);
- Then you can configure timeouts for RDP sessions;
- Confirm the creation of the policy.
You can also create an RDGW connection policy using PowerShell:
Import-Module -Name RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'rdgwAllowAutht-CAP' -UserGroups rdgwExtUsers -AuthMethod '1'
After that create the RD RAP policy:
- In the RD Gateway Manager console, click Policies -> Resource Authorization Policies and select Create New Policy -> Wizard;
- Enter a policy name: rdgwExternalAdmins;
- Specify the name of the user group allowed to connect to internal RDS resources;
- On the Network Resources tab, specify what RDS servers your external users are allowed to connect to (mun-rdsfarm);
- Then specify the port numbers you want to allow connection to. By default, it is recommended to open only the default RDP port TCP/3389. But you can open additional ports as well;
- The policy is ready.
You can add this RAP rule using PowerShell:
New-Item -Path 'RDS:\GatewayServer\RAP' -Name allowextAdminMunRDS -UserGroups rdgwExternalAdmins@woshub.com -ComputerGroupType 1 -ComputerGroup mun-rdsfarm@woshub.com
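The whole authorization setup above (the three AD groups, the RD CAP and the RD RAP) as one idempotent script. This is an added example, not code from the original article; it assumes the domain woshub.com used in the article's examples and constructed RDS host names, and must run on the RDGW host with domain admin rights.

```powershell
# Added example (not from the original article): creates the AD groups and the
# RD CAP/RAP policies described above with the RemoteDesktopServices provider,
# skipping anything that already exists.
Import-Module ActiveDirectory
Import-Module RemoteDesktopServices

$domain = 'woshub.com'   # assumption: replace with your AD DNS domain name
$groups = @{
    rdgwExtUsers       = 'Users allowed to authenticate on the RD Gateway'
    rdgwExternalAdmins = 'Users allowed to reach internal RDS hosts via RDGW'
    'mun-rdsfarm'      = 'RDS hosts and RD Connection Broker reachable via RDGW'
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Description $groups[$g]
    }
}
# Computer accounts of the RDS hosts and the broker go into mun-rdsfarm
# (constructed sAMAccountNames; computer accounts end with '$')
Add-ADGroupMember -Identity 'mun-rdsfarm' -Members 'mun-rds1$', 'mun-rds2$', 'mun-rdcb$'

# RD CAP: who may authenticate on the gateway (AuthMethod 1 = password)
$capName = 'rdgwAllowAuth-CAP'
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
        -UserGroups "rdgwExtUsers@$domain" -AuthMethod 1
}
# RD RAP: which internal computers those users may reach
# (ComputerGroupType 1 = Active Directory group; the default allowed port is TCP/3389)
$rapName = 'allowextAdminMunRDS'
if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
        -UserGroups "rdgwExternalAdmins@$domain" -ComputerGroupType 1 `
        -ComputerGroup "mun-rdsfarm@$domain"
}
# Review the result: only the intended policies should be listed here
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' | Select-Object PSParentPath, Name
```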
Install SSL Certificate for Remote Desktop Gateway
To secure the connection to the RDS gateway, you must install an SSL certificate on it. It is better to use a commercial certificate issued by an external certification authority (CA). You may also use a free Let’s Encrypt SSL certificate (Configure a Let’s Encrypt certificate on IIS for Remote Desktop Gateway) or a self-signed Windows SSL certificate, but note that external clients must trust it. If a client doesn’t trust a certificate on an RDGW server, it won’t be able to connect to the gateway (you can import self-signed SSL certificates to clients manually or using GPO).
- Open the RDGW server properties in the RD Gateway console and go to the SSL Certificate tab;
- In this example, we are using a self-signed certificate. Select Create a self-signed certificate -> Create and Import Certificate;
- Enter the certificate name (this name will be used by your clients to connect to RDGW) and select a directory you want to save the certificate to (distribute this certificate to your RD clients).
The following ports are used to connect to RDGateway on Windows Server 2019:
- HTTPPort (default) — 443 TCP
- UDPPort (default) — 3391 UDP (the UDP transport is optional, but it significantly improves tunnel performance and image quality in an RDP session).
Remember to open (forward) these ports from your public IP to your RDGW host on the network hardware.
Open the RDGW Manager and make sure that there are no errors and that all items have green icons.
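Before handing the gateway name to users, it is worth checking from an external client that TCP/443 is reachable and that the certificate the gateway presents both carries that DNS name and is trusted by the client, since either failure stops mstsc from connecting. The script below is an added example, not part of the original article; the host name and port are placeholders taken from the article's examples.

```powershell
# Added example (not from the original article): client-side pre-flight check
# of the RD Gateway HTTPS endpoint and its certificate.
param(
    [string]$GatewayHost = 'gw.woshub.com',   # assumption: your external RDGW DNS name
    [int]$HttpsPort = 443
)
# 1. Is the HTTPS port reachable (port forwarding on the edge device in place)?
$tcp = Test-NetConnection -ComputerName $GatewayHost -Port $HttpsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $HttpsPort to $GatewayHost is closed or not forwarded"
}
# 2. Do a TLS handshake and capture the server certificate. The validation
#    callback accepts anything so that a bad certificate can be inspected here
#    instead of aborting the handshake.
$client = [System.Net.Sockets.TcpClient]::new($GatewayHost, $HttpsPort)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $client.Close()
}
# 3. Does the name users type into mstsc appear in the certificate (CN or SAN)?
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$escaped = [regex]::Escape($GatewayHost)
$nameOk = ($cert.Subject -match "CN=$escaped") -or ($san -match "DNS Name=$escaped")
# 4. Does this client trust the chain? A self-signed RDGW certificate must have
#    been imported into the client's Trusted Root store for this to be $true.
$chainOk = $cert.Verify()

[pscustomobject]@{
    Gateway   = $GatewayHost
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotAfter  = $cert.NotAfter
    NameMatch = $nameOk
    Trusted   = $chainOk
}
if (-not ($nameOk -and $chainOk)) {
    Write-Warning 'RD clients will not connect through this gateway until the certificate name matches and the client trusts it'
}
```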
Configuring RDP Client to Use an RDS Gateway
Then you may configure a Remote Desktop Connection client to connect to your internal RDS hosts through the Remote Desktop Gateway.
- Run the mstsc.exe client;
- In the General tab, enter the name of a standalone RDS host, RDS farm, or computer you want to connect to via RDP (you may also specify a user name and use saved credentials for the RDP connection);
- Then go to the Advanced tab and click Settings under Connect from anywhere (Configure settings to connect through Remote Desktop Gateway when I am working remotely) section;
- Select Use these RD Gateway server settings and specify the external DNS name of your RDGW server (note that this name must be present in the certificate). If you are using a non-default port for RDGW, enter it after the server name separated by a colon, for example, gw.woshub.com:4443;
- To avoid entering a password twice when connecting, check the option Use my RD Gateway credentials for the remote computer;
- Click Connect and enter user credentials to connect to the RD Gateway server;
- The client will establish a connection with an RDS/RDP host in your local network;
- Open the RD Gateway Manager, go to the Monitoring section and make sure that the connection of your client is displayed in the list.
You can monitor successful or failed connections to RDGW in the Event Viewer (Applications and Services Logs -> Microsoft -> Microsoft-Windows-TerminalServices-Gateway -> Operational).
If the user has successfully connected to the RDGW, Event ID 205 will appear from the TerminalServices-Gateway source.
The user "woshub\maxadmin", on client computer "xx.xx.xx.xx", successfully connected to the remote server "mun-rdsgw.woshub.com" using UDP proxy. The authentication method used was: "Cookie".
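The same Operational log is the place to spot password guessing against the gateway: many failed connections from one client address with no success. The script below is an added example, not part of the original article. It treats Event ID 205 (quoted above) and informational "successfully connected" messages as successes, selects failures by event level rather than by ID, and parses the user and client address out of the message text in the format shown above; the 24-hour window and the failure threshold are placeholders.

```powershell
# Added example (not from the original article): per-client summary of
# RD Gateway connections from the Operational log.
$log   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$since = (Get-Date).AddHours(-24)    # assumption: review window
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue

# Gateway messages embed the user and client address, e.g.
#   The user "woshub\maxadmin", on client computer "203.0.113.7", successfully connected ...
$pattern = 'The user "(?<user>[^"]+)", on client computer "(?<client>[^"]+)"'
$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            User    = $Matches.user
            Client  = $Matches.client
            # 205 is the success event from the article; Level 4 = Information
            Success = ($e.Id -eq 205) -or ($e.Level -eq 4 -and $e.Message -match 'successfully connected')
            Failure = ($e.Level -le 3)    # 2 = Error, 3 = Warning (policy/authentication failures)
        }
    }
}
$summary = $rows | Group-Object Client | ForEach-Object {
    [pscustomobject]@{
        Client    = $_.Name
        Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
        Successes = @($_.Group | Where-Object Success).Count
        Failures  = @($_.Group | Where-Object Failure).Count
        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Failures -Descending
$summary | Format-Table -AutoSize

# Addresses with repeated failures and no success deserve a closer look
# (threshold of 10 is a placeholder; tune it to your user base)
$summary | Where-Object { $_.Failures -ge 10 -and $_.Successes -eq 0 }
```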
If you want to run RemoteApps through the RD Gateway, add the following lines to the RemoteApp *.rdp file:
gatewayhostname:s:gw.woshub.com
gatewayusagemethod:i:1
In this article, we showed how to configure the Remote Desktop Gateway role on Windows Server to implement secure remote access to your network using RDP over HTTPS.
1 comment
Great and super easy to follow RDS gateway guide, thanks!