What is a Remote Desktop Gateway
A Remote Desktop Gateway (RD Gateway) server lets authorised users connect from an external computer to Remote Desktop Session Hosts, virtual desktops and other RDP-enabled machines on the corporate network. It does this by carrying Remote Desktop Protocol (RDP) traffic inside an HTTPS tunnel, so the internal hosts are never exposed on TCP 3389 and the gateway can enforce who may connect, to which computers, and over which ports.
A Windows Server 2012 RD Gateway listens on TCP port 443 (HTTPS) and, for the UDP transport introduced with RDP 8, on UDP port 3391. Both carry RDP inside a TLS-protected tunnel (DTLS for the UDP transport; the console and Microsoft's documentation still call this SSL), and these are the only ports that need to be opened at the perimeter.
A Remote Desktop Gateway provides the following benefits:
- Enables Remote Desktop Connections to a corporate network without having to set up a virtual private network (VPN).
- Enables connections to remote computers across firewalls.
- Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over a remote connection.
http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server
Please see the following link for more information on deploying a gateway on the perimeter network: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Deploying a Remote Desktop Gateway
To start the install, click the RD Gateway icon highlighted in green on the Deployment Overview.
Select the server you want to install the role on.
Enter the external FQDN as the SSL certificate name. This must be the name external clients will resolve and the name on the certificate; for this example I am using an internal address, which is why the certificate later shows as untrusted.
The RD Gateway role installs.
Once the install is complete, you can use the links at the bottom of the install window to configure certificates and review the RD Gateway properties for the deployment.
As highlighted in red, you can see the gateway certificate listed in the deployment properties under Certificates.
Under the RD Gateway tab you can configure the logon method (password, smart card, or let the user choose) and the basic gateway settings, including whether internal clients bypass the gateway for local addresses.
Once the gateway is installed, the RD Gateway symbol appears in the Deployment Overview.
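The same deployment, scripted. This is an added example rather than part of the original walkthrough: it runs the Server Manager steps above with the RemoteDesktop module cmdlets from the connection broker, and it uses assumed host names (rdcb01.corp.local, rdgw01.corp.local), an assumed external name remote.example.com and an assumed path to a CA-issued PFX. Scripting it makes the three things that matter for security explicit: the external FQDN, the certificate that must carry that name, and the final check that the deployment reports the certificate as trusted.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Server Manager steps above, run from the connection broker (or any server
# with the RemoteDesktop module). All host names and paths are assumptions.
Import-Module RemoteDesktop

$broker       = 'rdcb01.corp.local'                 # assumed internal FQDN of the broker
$gateway      = 'rdgw01.corp.local'                 # assumed internal FQDN of the new gateway
$externalFqdn = 'remote.example.com'                # assumed public name clients will use
$pfxPath      = 'C:\certs\remote.example.com.pfx'   # assumed path to the CA-issued certificate
$pfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Add the RD Gateway role to the deployment. The external FQDN must be the
#    name on the certificate and the name clients resolve from the Internet.
Add-RDServer -Server $gateway -Role RDS-GATEWAY -ConnectionBroker $broker `
             -GatewayExternalFqdn $externalFqdn

# 2. Equivalent of the RD Gateway tab in deployment properties: the gateway
#    name handed to clients, password logon, and bypass for internal clients.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $externalFqdn -LogonMethod Password `
    -UseCachedCredentials $true -BypassLocal $true `
    -ConnectionBroker $broker -Force

# 3. Apply the certificate to the gateway role. The post applies the gateway
#    certificate last, after the broker and web access roles, so that the
#    deployment's certificate tab does not later overwrite it.
Set-RDCertificate -Role RDGateway -ImportPath $pfxPath -Password $pfxPassword `
                  -ConnectionBroker $broker -Force

# 4. Verify: the gateway should be listed with the RDS-GATEWAY role and its
#    certificate should be reported as Trusted with the external name as subject.
Get-RDServer -ConnectionBroker $broker | Where-Object Roles -contains 'RDS-GATEWAY'
Get-RDCertificate -Role RDGateway -ConnectionBroker $broker |
    Select-Object Role, Subject, Level, ExpiresOn
```

If the last command reports a Level other than Trusted, external clients will see exactly the certificate warnings discussed in the comments below; fix the certificate before opening the firewall.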
Configuring the Gateway Manager
Right-click the local gateway server in RD Gateway Manager and open Properties to reach the advanced gateway settings described below.
The General tab lets you cap the number of simultaneous connections through the gateway (or allow an unlimited number); a cap bounds what a runaway client or a credential-guessing run can consume.
The SSL Certificate tab lets you import an external certificate, create a self-signed one, or select one from the computer's personal store. I recommend assigning the certificates for the other roles from the deployment properties first and applying the RD Gateway certificate here last, so that the certificate tab in the RDS deployment properties does not later overwrite the one you set on the gateway. A self-signed certificate is only suitable for a lab: external clients will not trust it, and users who learn to click through certificate warnings will also click through them on a look-alike gateway.
The Transport Settings tab holds the HTTPS (RPC over HTTP) listener settings and, on 2012, the UDP transport on port 3391. You can change the defaults to meet corporate security requirements, but whatever ports you choose must be the ones opened on the perimeter firewall; if only TCP 443 can be published, untick Enable UDP Transport so clients do not wait on a port that is blocked.
The RD CAP Store tab lets you choose whether connection authorisation policies (RD CAPs) are evaluated by the local Network Policy Server (NPS) or by a central NPS server, which gives centralised policy management across several gateways.
The Messaging tab is useful for notifying users of outages, maintenance windows or other administrator messages.
Please see the hyperlink below for information on SSL Bridging and tunnelling.
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html
The Auditing tab lets you select which gateway events (successful and failed connections, authorisation failures, resource access) are written to the event log. Leave them all enabled: these entries are the only record of who came through the gateway and where they went, and they are the first thing to look at when a connection fails.
The Server Farm tab lets you add several gateway servers to a farm behind a load balancer for high availability.
Connection Authorisation Policies (RD CAPs) define who may connect through the gateway: the user groups (and optionally computer groups) that are permitted and the authentication method (password, smart card, or either).
On the Device Redirection tab you can disable clipboard, drive, printer, serial port and Plug and Play redirection for connections that pass through the gateway; turning off what users do not need reduces the channels available for data exfiltration and malware transfer.
The Timeouts tab lets you set idle and session timeouts so that abandoned connections through the gateway are dropped rather than left open.
Resource Authorisation Policies (RD RAPs) specify which network computers the users who pass a CAP are allowed to connect to.
The User Groups tab defines which users (by Active Directory group) the RAP applies to.
The Network Resource tab specifies what they may reach: a gateway-managed computer group, an Active Directory security group, or any network resource. Prefer a specific group; allowing any network resource turns the gateway into an open pivot onto the internal network for anyone who passes the CAP.
The Allowed Ports tab restricts the destination ports the gateway will forward to. The default is 3389 only; add other ports only if you have changed the RDP listener on the hosts, and avoid allowing any port.
Creating Computer Groups
When building a highly available Connection Broker configuration or a Remote Desktop Session Host farm, you need to create computer groups using Manage locally stored computer groups, so that the RAP can name every computer a client may be directed to.
Click Create Group.
Enter the name and the description of the computer group.
For connection brokers and RDSH servers, add the servers and the farm name, as shown on this tab. The client is first told to connect to the broker and is then redirected to a session host, and each of those names is checked against the RAP, so a name missing from this group is one cause of the "not authorized to access the RD Gateway" error.
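The gateway-side policy, scripted. This is an added example and not code from the original post: it creates the computer group, the RD CAP and the RD RAP described in the sections above through the RemoteDesktopServices provider's RDS: drive, run on the gateway server itself. The host names, group names and the AD group are assumptions, and so are the numeric codes (AuthMethod 1 is taken to mean password logon and ComputerGroupType 0 a gateway-managed group); the verification at the end, and a glance at RD Gateway Manager afterwards, confirm what was created.

```powershell
# Added example, not from the original post: scripts the RD Gateway Manager
# steps above (computer group, RD CAP, RD RAP) through the RemoteDesktopServices
# provider's RDS: drive. Run it on the gateway server itself. Host and group
# names are assumptions. The numeric codes are assumptions too: AuthMethod 1
# is taken to mean password logon and ComputerGroupType 0 a gateway-managed
# group; verify the result in RD Gateway Manager after running this.
Import-Module RemoteDesktopServices

$groupName = 'RDG_RdsFarmHosts'      # assumed name of the gateway-managed computer group
$userGroup = 'RDS Users@CORP'        # assumed AD group, in the "group@domain" form the provider expects
$capName   = 'RDG_CAP_RdsUsers'
$rapName   = 'RDG_RAP_RdsFarm'

# Every name a client can be told to connect to: the broker, each session host
# and the farm/collection name the broker redirects to. A name missing here is
# rejected by the RAP after redirection even though the first hop succeeded.
$farmComputers = @(
    'rdcb01.corp.local',
    'rdsh01.corp.local',
    'rdsh02.corp.local',
    'rds.corp.local'
)

New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' `
         -Name $groupName -Description 'RDS farm reachable via the gateway' `
         -Computers $farmComputers

# RD CAP: which users may connect through the gateway and how they authenticate.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
         -UserGroups $userGroup -AuthMethod 1

# RD RAP: what those users may reach. Bind it to the computer group rather than
# "any network resource", so the gateway is not an open pivot onto the LAN.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
         -UserGroups $userGroup -ComputerGroupType 0 -ComputerGroup $groupName

# Verify: list the policies and the settings stored under the computer group.
# In RD Gateway Manager the RAP should show the group (not "any resource") on
# its Network Resource tab and the CAP should show password authentication.
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' | Select-Object Name
Get-ChildItem "RDS:\GatewayServer\GatewayManagedComputerGroups\$groupName"
```

The Device Redirection, Timeouts and Allowed Ports settings discussed above are left at their defaults here; set them on the new policies in RD Gateway Manager, where the option names match the tabs described in this post.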
Hi Ryan,
First, your “how to” is very useful.
I have a question for you. I have set up 1 RDGW. This server only has this role.
3 servers have RDHA, RDSH, RDWEB. How can I add the certificate for the RDGW if I can’t reach it from the console?
In the “deployment properties” all is set OK, but under certificates the RDGW is greyed out. Do you have a clue how to add it?
RDCB SSO –> OK
RDCB Publishing –> OK
RDWEB –> OK
RDGW –> greyed out
Thanks for your help.
Hi,
Ensure that the RDGW role is added to every server group; you can add the certificate through RD Gateway Manager.
Regards,
OK, afterwards, can I remove the role from those?
Don’t install the RDGW on every server; you need to add each server to each other for remote management.
Best Regards,
Thank you Ryan, this helped me to fix this.
Hi, Can the RD Gateway server be the same as the actual RDS server that all my clients will be using for terminal services/remote desktop?
Also, for the certificate… My AD domain is .local and my external is a .com. How do I issue a public certificate from thawte or godaddy in that case?
Thanks.
Hi,
Please can you confirm which server you want to install RD Gateway on. I would recommend installing RDWA and the RDGW on a separate server from your session host for security reasons.
Please see the following link for publishing certificates: http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/5e9f264d-486c-4e7b-8004-30f63ec154ff
Best Regards,
I followed every step and can’t access from anywhere except the server itself.
Everything remote-related is on the same server.
When I use a remote connection (don’t bypass the gateway) … it doesn’t work at all (first the cert is invalid, so the client communicates correctly with the gateway; when the cert is added to the client … the connection takes ages and then fails).
Help would be very but very appreciated 🙂
Hi,
Can you confirm you are using a valid and trusted certificate? The article shows an untrusted one.
Try restarting your RDS infrastructure.
Have you checked the event logs; are there any errors?
Can you also ensure that the user group is added to the RDG_CAP properties.
Best Regards,
I created the certificate with the GUI
It is untrusted
You will need to purchase a certificate; I would recommend a SAN or a wildcard cert. Best Regards,
Hi Ryan,
Can you help me get a grip on the licensing for RDGW? Will my install stop tunneling connections after 120 days? We are using it just as the gateway, no VDI and no RemoteApps.
If I do need CALs, what components must be installed? It is a Server 2012 install.
Thanks,
Todd
Hi, you will need to install the RDS Licensing role to use the gateway. Then it’s a simple case of adding licences.
Best Regards,
Hi,
I have a high-availability setup. All servers are Windows 2012. I want to configure an idle timeout for RD Web Access: the page should automatically sign out when the idle timeout is reached. RD Web Access has IIS 8.0. Is it possible?
Please suggest how.
Can you use RD Gateway in conjunction with the new Web Application Proxy in Server 2012 R2 to allow for more security and reverse proxying?
I haven’t done so but I cannot see why not.
When I position the Remote Desktop Gateway behind Web Application Proxy, which method do I need to choose, ADFS Pre-authentication or Pass-through?
Any tips for setting up a RDGW in a DMZ in a single firewall setup?
Apologies if I am teaching you to suck eggs, but as there is little information it’s hard to gauge your knowledge.
Add a second NIC to the RDGW and connect that up to your DMZ. Open up the SSL port (443) only from the public and the DMZ interface, then finally NAT the DMZ IP to the public interface.
If you need any info on the RD Gateway and Ports, have a look at http://blogs.msdn.com/b/rds/archive/2013/03/14/what-s-new-in-windows-server-2012-remote-desktop-gateway.aspx.
Best regards,
Hi Ryan
Thank you very much for this post; it was very helpful. However, as for me, I’m in a little confusion:
I have two Hyper-V virtual servers set up as RDSH-FARM-1 and RDSH-FARM-2 (both machines are domain members). All the roles are installed on FARM-1, and FARM-2 has Remote Desktop Session Host installed just for load balancing.
I’ve used a local CA to request certificates for RDWA and RDG (RDSH-FARM.co.uk).
RD Gateway is set up with all policies, RAP and CAP.
Everything is working internally but not externally. I can browse to RDWA via my public IP, e.g. 12.56.45.67/rdweb, and can log in with a user account, but as soon as I try to remote desktop it says the RD Gateway server is not reachable.
My question is: do I have to have a registered public domain name?
Can I not just use the public IP/rdweb to get access to my RDSH server?
If I do need a publicly resolvable FQDN, can I link my public IP with my IIS web server?
Apart from this, just to make it short, what exactly am I missing here, and what do I need to make this work?
I will really appreciate your help!
Hi, you will need a gateway server for a secure connection to the session hosts. Please read the article on the RD Gateway server.
Just to add, my internal RDSH FQDN is RDSH-FARM1.domain.co.uk
Hi Ryan,
Thank you for all of this as all your blogs have extremely helped me in my RDS deployments.
I am working with an FQDN mydomain.local and trying to set up an RDS 2012 deployment. I have a single-server setup.
server.mydomain.local – RD Connection Broker
server.mydomain.local – RD Virtualization Host
server.mydomain.local – RD gateway
server.mydomain.local – RD Web Access
I have an external dns name of remote.mydomain.com and a wildcard cert associated with it.
I set up the gateway with external FQDN remote.mydomain.com and applied the wildcard cert for *.mydomain.com successfully to all roles.
RD Connection Broker Enable Single Sign On : Trusted, OK
RD Connection Broker – Publishing : Trusted, OK
RD Web Access : Trusted, OK
RD Gateway : Trusted OK
I created a new DNS zone remote.mydomain.com and pointed it to the IP of the server that hosts all these roles.
I can now access my VDI collection successfully internally but not externally. The error I get when connecting externally states:
“Remote Desktop can’t connect to the remote computer “server.mydomain.local” for one of these reasons:
1) Your user account is not authorized to access the RD Gateway “remote.mydomain.com”
2) Your computer is not authorized to access the RD Gateway “remote.mydomain.com”
3) You are using an incompatible method”
I tried using the Set-RDPublishedName script afterwards and set the name to remote.mydomain.com.
Now both internal and external connections will not authenticate when given the prompt to log in, saying the credentials did not work.
After setting the published name to my external fqdn, both the remote computer and the gateway are pointed to remote.mydomain.com
Putting broker in high availability is not an option in this situation because we don’t have a license for another server.
Any ideas on what I’m missing? I doubt it’s a permissions issue. Is it a problem with accessing the gateway? From my understanding, once we have access to the gateway externally, the broker can be internal as a secure RDP connection has already been established. Any help would be greatly appreciated. Thanks!
Hi Rich,
If you are using a self-signed wildcard certificate, then add this certificate to the Trusted Root Certification Authorities store of your local desktop/laptop. Only then will you be able to connect externally.
Thanks
Just to clarify what Raghu is saying: you would need to export the certificate used on the gateway server and then import the certificate using MMC, storing it in the local computer certificate store. You can also use the internal certificate authority if you have one.
I have my 2012 RD Gateway published and accessible through my TMG firewall from the outside world. I noticed that when connecting externally from a Windows 8 PC to a Server 2012 box behind TMG, UDP does not show as being enabled; when I connect to the Server 2012 box from a Windows 8 PC inside TMG, UDP is enabled. Has anyone successfully published Server 2012 RD Gateway with UDP working through TMG or any other firewall, and how? Thanks.
Hi, as TMG is end of life, I would not recommend using it for securing RDS. TMG does not support RDP 8, whereas UAG does. Are you wanting to reverse proxy or simply publish UDP traffic? All firewalls will allow you to port forward/NAT UDP traffic. https://social.technet.microsoft.com/wiki/contents/articles/10973.configuring-udp-support-on-the-rd-gateway-in-windows-server-2012.aspx
I have a reverse proxy in place for my RD Gateway. I guess going the reverse proxy route will not allow for UDP traffic; is that correct?
Hi Ryan,
Thanks for a good guide.
I have one issue remaining I hope you can help me with. When logging on to RDWeb from a public connection, I am able to log on and see the default RDS connection. When I try to connect to it I only get an error:
Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable.
Everything is working internally. I am using 2012 R2 servers.
The GW server is using the rdsgw.public.com certificate.
The broker and RDWeb are using the rds.public.com certificate, and public DNS has a NAT to the private IP.
rds1 and rds2 are my host servers
Any idea what I am missing?
Have you configured the gateway to allow a connection to the RDS servers? Is the gateway behind a load balancer? Have you tested the gateway connection internally using MSTSC?
Hi Ryan,
I have configured the Local Computer Group (rds.public.com + internal FQDN of both host servers) on the GW and I am using it in my RAP.
The GW is not behind a load balancer.
When I test MSTSC with the GW from my internal network I am being logged on to the broker server and not the host server.
I tried to add a public IP to rdsgw.public.com and NAT it to the GW server. Now I am receiving a second credential box asking for credentials to the internal broker FQDN. When I type in my admin credentials it times out eventually.
What event logs, if any, are showing? Have you configured the gateway setting internally and then attempted to connect to a server which passes through the gateway? What port have you allowed out on your firewall, 443? This could be a number of things.
Hi Ryan,
There are no events logged on any of the involved servers.
I have just tried connecting to rds1.domain.local using GW rdsgw.public.com and I got a connection to the rds1 server.
rdsgw.public.com has port 443 allowed in my FW.
rds.public.com has ports 80 and 443 allowed in my FW
(80 so that it will redirect the users to 443 instead of showing a 403 error).
Why is the default RDP shortcut on RDWeb referring to the broker’s internal address? Isn’t that the issue remaining to be solved?
You have an internal domain of .local and an external one of .com; you need to change the naming. Have a look at my article on certificates and SSO. You will also have certificate mismatches, which will prompt the credential box.
Hi Ryan,
Thanks for the quick replies and good assistance. I have solved my public access issue with this PowerShell command:
Set-RDSessionCollectionConfiguration –CollectionName RDS -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:rds.domain.local `n authentication level:i:0”
This way it points to the RDS farm name and not the broker server.
and these 2 configurations:
IIS Manager:
drill down to Sites –> Default Web Site (or the name of yours) –> RDWeb –> Pages
Then click ‘Application Settings’.
Then for ‘DefaultTSGateway’ fill in the external DNS name of the RD Gateway server.
Register the NPS server in Active Directory:
In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
Right click on the NPS (Local) node and choose Register server in Active Directory.
Click OK to authorize the server when prompted.
And I have deployed a self-signed certificate to all my RDSH servers (rds.domain.local).
Thank you for your quick responses; they did lead me in the right direction to solve this configuration.
Hi,
Your posts are great and really helped me to understand this. I have a question for you which I could not figure out how to do.
I have a setup with four 2012 R2 servers: RDGW1, RDWA1, RDCB1, RDSH1.
I want to publish RemoteApps, which are on RDWA1, to the internet. If my understanding is correct I have to forward port 443 from the router to RDGW1. But obviously RDWeb is hosted on RDWA1; I cannot access it when I point port 443 to RDGW1.
Would you be able to enlighten me on how to achieve this?
Thank you
Ray
You need to allow external access on 443 TCP / 3391 UDP to the gateway and 443 access to RDWeb. You need both published externally. Some install both roles on the same box to simplify things.
Hi Ryan, thanks for your tutorial. I installed Windows 2012 R2 with two NICs in the DMZ. On that machine I ran the Remote Desktop Services installation (with default published apps) and just added RD Gateway.
RD Gateway settings are “Use these settings”: domain.com; the certificate is public (UCC with 10 SANs).
Under Certificates I added this cert for Connection Broker and Web Access, but RD Gateway is greyed out. I am not able to edit it here, so I added the certificate through RD Gateway Manager.
Policies are configured locally on the NPS server.
Since I have my website domain.com, I installed IIS ARR in order to route everything with /RDWeb to the RD Gateway. It seems to be working: I can open the login page and log in, but when I start a RemoteApp (which works within the LAN, where bypass gateway is selected) I receive the error “Your computer can’t connect to the remote computer because the RD Gateway server is temporarily unavailable. Try reconnecting later ……”
Just came across this thread and I think some of you might be able to help. Here is my breakdown: using a .local domain, I installed RDS with VDI, used the self-signed certificate during install, then went into deployment properties afterwards and changed the certificate to a wildcard public cert.
I am able to access RDWeb, log in using a domain account, see the VDI published, click on it and then I get the following error:
“Remote Desktop can’t connect to the remote computer “RDS.internal.local” for one of these reasons:
1) Your user account is not authorized to access the RD Gateway “rds.publicdomain.com”
2) Your computer is not authorized to access the RD Gateway “rds.publicdomain.com”
3) You are using an incompatible method (for example, the RD Gateway might be expecting a smart card but you provided a password)
Contact your network administrator for assistance.”
The user account I used to log into RDWeb is authorized, and also the machine, and I am not using a smart card deployment. Any ideas?
Thank you,
Derek
You are accessing the VDI externally with a .com, and internally the domain is a .local. This is your problem. Try disabling certificate authentication; if that works, re-enable it. TP has written a script which will resolve your issue; have a look under Remote Desktop Services in TechNet’s gallery.
Good article. It helped a lot when I accidentally removed NPS from the server and needed to reconfigure.
Hello,
We created an RDS farm (one broker server and 2 RDSH servers). We did not install RDG, because we want the farm to be accessed only internally. When we access the farm by Remote Desktop and log in, we get the warning screen “the identity of the remote computer cannot be verified…”. We created a cert on the broker server, registered it with GoDaddy (something like files.domain.com), and installed it on the broker. In the deployment properties for the collection, RD Connection Broker – Enable SSO, RD Connection Broker – Publishing and RD Web Access have this certificate installed and the level is Trusted, BUT when we access the farm myfiles.domain.com from Remote Desktop and log in, we have the warning screen “the identity of the remote computer cannot be verified…”. We looked for a few days on the internet, no luck. The environment is Windows Server 2012. Any ideas? Thank you.
Ryan,
One of the things that confuses me most about Microsoft deployments is the external access. I just see so little documentation on it that it’s incredible. Everything I’ve read online and in blogs says that the purpose of the gateway is to enable access to your farm from the public internet. So my thought process was “OK, only open ports 443 & 3391 to the outside and NAT them to the gateway”. However, if you do this, while you can use MSTSC, you can’t do RemoteApp nor get to the Web Access. So in the end I had to open up 443 to the RDWeb server. Is this correct?
Hello,
Am I correct in assuming that after I follow this guide, I will be able to access the RD server from behind restrictive client firewalls?
What I mean by that is, oftentimes my users will visit other orgs who have very restrictive firewall policies. If I set up RD Gateway on 2012 R2, will this tunnel all traffic through 443 to give RDP a fighting chance of establishing a session?
Yes, you will tunnel through on 443 or 3391, like a VPN.
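Most of the external-access problems in this thread come down to two checks: can the client reach the gateway's public name on TCP 443 and get a certificate that is trusted and covers that name (the .local versus .com mismatches above), and does the .rdp file that RD Web Access hands out point the gateway at the external FQDN while pointing the remote computer at a name the gateway's RAP allows. The following PowerShell is an added example, not code from the post or from any commenter, that performs both checks from a client machine; the gateway name remote.example.com and the .rdp path are assumptions.

```powershell
# Added example (not from the original post or its comments): a client-side
# check for the two failure modes that recur in this thread. Test-RdGatewayTls
# opens a TLS connection to the gateway's public name on 443, reports whether
# the certificate chains to a root the client trusts and whether the name is
# covered by the certificate. Get-RdpFileTargets parses the .rdp file RD Web
# Access hands out to show which name goes to the gateway and which to the
# internal host. The host name and .rdp path used at the end are assumptions.

function Test-RdGatewayTls {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    try {
        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated separately below with the client's own root store.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Names the certificate is valid for: the CN plus any DNS entries in the SAN extension.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $names += ($san.Format($true) -split "\r?\n") |
                  ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $matches[1].Trim() } }
    }
    # -like lets a wildcard CN such as *.example.com match. Note that -like is
    # looser than TLS (it would also match a.b.example.com), so treat a wildcard
    # match as a hint and check the certificate's names in the output.
    $covered = @($names | Where-Object { $_ -and ($GatewayFqdn -like $_) })

    # Does the chain build to a root this client trusts? This is the check that
    # fails for the self-signed and internal-CA certificates discussed above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Gateway      = "${GatewayFqdn}:$Port"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Names        = ($names -join ', ')
        NameCovered  = ($covered.Count -gt 0)
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Get-RdpFileTargets {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # .rdp lines look like "gatewayhostname:s:remote.example.com" or "gatewayusagemethod:i:1"
        if ($line -match '^([^:]+):[si]:(.*)$') { $settings[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        GatewayHostName = $settings['gatewayhostname']        # must be the external FQDN on the gateway certificate
        FullAddress     = $settings['full address']           # internal name; must be in the gateway's RAP computer group
        GatewayUsage    = $settings['gatewayusagemethod']     # 1 = always use the gateway, 2 = bypass for local addresses
        UseRedirection  = $settings['use redirection server name']
    }
}

# Assumed gateway name and an assumed path to a file downloaded from RD Web Access.
Test-RdGatewayTls -GatewayFqdn 'remote.example.com' | Format-List
Get-RdpFileTargets -Path "$env:USERPROFILE\Downloads\cpub-Desktop-RDS-CmsRdsh.rdp"
```

A result of NameCovered false with ChainTrusted true is the classic internal-name-on-an-external-gateway mistake; ChainTrusted false with a NotSelfSigned-looking issuer usually means the client is missing the issuing CA. Seeing the gateway name external and the full address internal in the .rdp file is expected, as one commenter below observed; the internal name just has to be in the RAP's computer group.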
Hey, can you clarify which steps exactly above ‘force’ the RD Gateway to only utilize port 443? I’ve configured my system to only use port 443 both in RD Gateway Manager > My Server > Policies > Resource Authorization Policies and in RD Gateway Manager > right-click on My Server > Properties > Transport Settings tab, where I unticked “Enable UDP Transport”.
What I’m trying to accomplish is to get everything running over 443 and not depend on any ‘non-standard’ ports, as most security-conscious organizations tend to block most ports, leaving only 80 & 443 open for standard user access networks.
Hello,
Great post! Serious issue: when I right-click Properties, the RD CAP settings are all grayed out; I can’t click anything.
Why are they grayed out? I am trying to configure central NPS.
Hi Ryan. Great article. You detailed all the boxes very well. After following your article and reading some of the posts I was successful in getting my RDS Gateway working internally and externally. I was wondering if you had a blog post on setting up and tweaking WebApps? I am trying to find a good guide on editing the .RDP files and such. The way I did it on 2008 R2 is not the same as on 2012 R2. Thanks!
Lyle Epstein
Kortek Solutions, Las Vegas, NV
The rules and features are similar on 2012 R2. What are you trying to do: make changes to RDPs or create custom files?
Hi Ryan,
Maybe a stupid question, but I don’t get it…
I configured my RD Gateway server to be reachable with an external IP in our DMZ.
I followed your steps above, but which URL should I enter to access it?
I used the external IP of the GW server, but only got the IIS splash page. I checked what other pages are on the gateway setup and tried accessing /rpc, which prompts for credentials, then nothing happens…
I used my internal wildcard certificate on my external GW server, which is, of course, untrusted. Is that the issue? Does it not proceed without having a trusted cert? If so, could I solve this by importing the internal wildcard cert?
THanks!
Ben
Same problem here. I can access RDWeb on my broker internally and externally, but when I try to point my browser to https://rdgwy/rpc (or https://remote.domain.com) I’m prompted for the password and nothing happens… both from internal and from external 😦
It is driving me mad, also because I have no events logged at all on my gateway :-((((
I’m using a wildcard certificate created with my certification authority; naturally I added it to my test PC.
Do I need to set any configuration on my session host servers, or the broker?
Any suggestion, Ryan, would be more than appreciated!!!
Check the RAP and CAP policies. Ensure the gateway can communicate outside and through the network; telnet is a good shout.
Hi Ryan,
I had RD Web and RD Gateway on the same server (which was in the DMZ); the other roles are separated, with 2 RDSH and 1 Connection Broker (so 3 different servers for each role + 1 in the DMZ).
With this setup I achieved access both internally and externally.
But when I removed the RD Web role from the RD Gateway server and used a separate RD Web server (which is not in the DMZ), I get a 404 error when accessing https://ExternalgatewayFQDN/rdweb.
So any ideas on what is missing?
Uninstall and ensure IIS is removed. Then reinstall.
Maybe someone has experienced this and can help me out. I have a 6 server environment for RDS –
2 x AD DS
1 x RD GW + Web Access
1 x RD CB
2 x RD SH
I can see the session collection in the Remote Desktop client, and when I connect to an app it appears to connect, authenticates, then says Connecting to RDP… then nothing; the window just closes. I check the session hosts and no connections appear. Any idea?
Is it possible to tunnel through two RDGW servers?
RDP Client -> RDGW_SiteA -> RDGW_SiteB -> RDSH_server
For security/compliance reasons I can only RDP out using a RDGW server. But I now need to connect to a remote site that is running a RDGW server.
Would it not be easier if you used a site-to-site VPN?
Hi Ryan,
Unfortunately outgoing RDP is only allowed via a locked down RDGW. No VPN access would be permitted between the two sites.
Hello,
I am having an issue accessing my gateway server from any external source. There is a timeout error. The address abc.remote.com works internally.
My setup is like this:
1. One Gateway/Web Access on the same server.
2. Two Session Host servers
3. Two Broker servers
4. SQL Server is installed on the Gateway server
5. License server is installed on the Brokers
I have a Host A record at my domain name provider that points to my firewall. Then my firewall points to my internal gateway server. I am allowing traffic from external through my firewall on port 443.
Hi Ryan,
I have done the RD Gateway setup for one of our clients using a self-signed certificate; it works fine internally within the network. But when I try to access it externally I get the below error at https://Public IP/RDWeb:
Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect.
What could be the issue? Is it mandatory to purchase a self-signed certificate for accessing the RemoteApp externally?
Thank you for your
It could be certificates or the RAP and CAP policies in RD Gateway Manager.
Ryan
My setup consists of individual servers:
RDS Licensing Server
RDS Gateway Server / RD Web Access Server
RDS Connection Broker
RDS Session Host 1
RDS Session Host 2
I have two questions. When configuring the RAP policy for the RD Gateway, does the network resource for my server group need to be the Connection Broker or the two RD Session Hosts? I am guessing it would need to be the Connection Broker, seeing how I want the external end user to be directed to the RDWeb landing page. Once they are directed to that landing page and log in, the broker server would determine which RDSH server to use, seeing how they are load balanced. Am I correct in my thinking?
If so, would I then need to create a policy in my firewall forwarding all external traffic from the outside to the RD Gateway server on, say, port 4443, and that would redirect users to the broker server and the RDWeb landing page?
Thank you in advance
First question: yes, you need to ensure the connection brokers and session hosts are added to the group. Second question: the connection broker issues a redirection packet which contains the session host information the user is going to be passed to. The gateway will create a tunnel to communicate with the connection broker. All that needs to be presented externally is the Web Access role and the gateway role.
Dear Ryan,
hope you doing well.
I have installed the RDCB, RDWeb and RD Gateway roles on 2 servers (both servers have the same roles for high availability).
Now I am facing an issue. I haven’t configured NLB on both servers, but my RDCB is working fine with DNS RR; my web is accessible with both servers’ public IP addresses, but when I specify the RD Gateway server in my RDP file, I am able to connect only with my 1st RDGW server, and when I specify the 2nd RDGW server it gives me an authentication error.
The same RD CAP and RAP are configured on both GW servers, all settings are the same, and the cert is configured for both servers.
There is no error or warning event on my GW servers.
When users connect with the 1st RDGW, their connectivity events show on both servers, but the connection is only made by 1 server.
I hope you will understand and help me fix this.
Regards
Which of these roles should be installed on a domain-joined machine, and which should be installed on a standalone (workgroup) server?
Simple install on a domain-joined machine; the session host and licensing roles / gateway on non-domain-joined.
Where is the binding done so that IIS redirects to the RDG login page? This is NOT covered well in ANY of the online help guides, and it seems to be where I get stuck. I am using this under Server 2012 R2. The interface is similar. MMC always stops working. Very discouraging.
Redirection can be configured on the Default Web Site in IIS; you will see an option for redirection.
How do I enable the RD Gateway to link to IIS Manager? All I get is the IIS pages. I need ONLY the RD Gateway logon to appear so I can redirect. Please help.
Hello, I created a 4-server RDS 2012 R2 environment. Here is the config:
RD Connection Broker Server/License Server – internal network
RD Web Access Server – Internal network
RD Session Host Server – internal network
RD Gateway server – perimeter network
Internally, users can connect to the RD Web Access page and then connect to services published to the RD Web Access page; this is working fine. The problem I am having is external users. I have an external FQDN in my external DNS and I have that address set in my gateway settings; however, when a user connects to https:///rdweb they get a 404 file or directory not found. It is my belief that it is trying to access the IIS server on the gateway server, where there is no RDWeb, instead of sending the traffic to my internal RD Web Access server that does have the RDWeb service. I have read and re-read your deployment guide and I am just not sure what is wrong.
Hi,
I have deployed RDS on Windows Server 2016, including 2 brokers in high availability mode, 3 session hosts, 2 web hosts, 1 license server and 1 gateway.
Everything seems to be working perfectly fine, apart from one thing – the gateway itself.
When external clients connect to the RDS farm via the gateway using the normal Remote Desktop client for Windows/Mac, they end up having their RDP sessions redirected directly to one of the two broker hosts, which is odd.
When clients connect via RDWeb, via the gateway as well, they end up on the session hosts as expected.
In both cases, clients use the published DNS name for the RDS server farm, which points to both brokers.
This is really strange behaviour, and I’m just thinking: is this a limitation of the standard Remote Desktop clients on Windows/Mac, or am I missing something here?
All the best and keep your amazing blogs coming!
You need to ensure that the gateway is configured correctly. It sounds like the redirect packet is failing when they hit the connection broker, which would indicate a gateway configuration issue.
Hello
Did anyone face the issues described below when installing RD Gateway?
RD Gateway Configuration Failed on With Error: Unable to create a Remote Desktop connection authorization policy on . The error is 2147749889.
The connection authorization policy “RDG_CAP_AllUsers” could not be created. The following error occurred: “16389”.
The RD Gateway install step is the last one during the Session Broker configuration. I use Windows 2012 Standard.
Can anyone help with a gateway issue I’m having on 2016, please?
Single-server setup with HA broker.
Internal domain .LOCAL
External domain .NET
Everything works fine internally, bypassing the gateway.
Externally I can access and log in to RDWeb, but get a login box when I try to load anything with the internal server name, and then get Logon Request Failed.
Wildcard certificate on the *.net domain
No redirects on IIS
Gateway has the correct FQDN configured.
It has me baffled; any help most welcome!
Did you get this sorted, Andrew?
Great article!!
I have 1 question: does RD Gateway need any network connectivity to the RDCB?
Thanks.
Yes, connectivity is needed.
Ryan:
Thank you for the knowledge share. I followed the steps, had to go it alone on the certificate creation, but I can now get to the RDWeb login after the browser tells me the site is insecure. I am able to log in and see the applications I published. Upon clicking the icon of one of the published apps, I am presented with the RemoteApp dialog box to set local access etc. I noticed that the gateway server is the external FQDN and the remote computer is the internal FQDN of the RD server. When I click Connect, I get a message that “This computer can’t verify the identity of the RD Gateway . It’s not safe to connect to servers that can’t be identified. Contact your network administrator for assistance.”
Thoughts?