Deploying Remote Desktop Gateway RDS 2012


What is a Remote Desktop Gateway

A Remote Desktop Gateway server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway tunnels the Remote Desktop Protocol (RDP) inside HTTPS to create a secure, encrypted connection.

A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel.

A Remote Desktop Gateway provides the following benefits:

  • Enables Remote Desktop Connections to a corporate network without having to set up a virtual private network (VPN).
  • Enables connections to remote computers across firewalls.
  • Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over a remote connection.

http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server

For more information on deploying a Gateway on the perimeter network, please see the following link: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Deploying a Remote Desktop Gateway

Gateway1

To start the install, click the RD Gateway icon highlighted in green on the Deployment Overview.

gateway2

Select the server you want to install the role on.

gateway3

Enter the external FQDN in the SSL Certificate Name field (for this example I am using an internal address).

gateway4

RD Gateway is installing…

gateway5

gateway6

Once the install is complete, you can use the links at the bottom of the install window to configure certificates and review the RD Gateway properties for the deployment.

gateway7

As highlighted in red, you can see the Gateway certificate listed in the deployment properties under Certificates.

gateway8

Under the RD Gateway tab, you can configure the logon method and the basic gateway settings.

gateway9

Once the gateway is installed, the RD Gateway icon appears in the deployment overview.
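The same deployment steps can be scripted with the RemoteDesktop PowerShell module that ships with the RDS role. The block below is an added example, not code from the original post: it adds the RD Gateway role to an existing deployment, sets the deployment-level gateway settings that the RD Gateway tab exposes, and assigns one certificate to every role, applying the gateway role last. The server names, the external FQDN and the PFX path are placeholders.

```powershell
# Added example (not from the original post): deploy the RD Gateway role and the
# deployment-level gateway settings with the RemoteDesktop module (Server 2012 / 2012 R2).
# Server names, the external FQDN and the certificate path are placeholders.
Import-Module RemoteDesktop

$broker   = 'rdcb01.corp.example.local'   # placeholder: connection broker FQDN
$gateway  = 'rdgw01.corp.example.local'   # placeholder: server that receives the RD Gateway role
$external = 'remote.example.com'          # placeholder: name clients resolve from the internet;
                                          # it must match the subject/SAN of the SSL certificate

# Add the RD Gateway role to the deployment. -GatewayExternalFqdn is the value the wizard
# asks for in the "SSL certificate name" box.
Add-RDServer -Server $gateway -Role RDS-GATEWAY -ConnectionBroker $broker -GatewayExternalFqdn $external

# Equivalent of the "RD Gateway" tab in Deployment Properties: password logon, the gateway
# credentials reused for the session host (one prompt), and internal clients bypass the gateway.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $external `
    -LogonMethod Password `
    -UseCachedCredentials $true `
    -BypassLocal $true `
    -ConnectionBroker $broker -Force

# Equivalent of the "Certificates" tab. The same PFX is applied to every role, with the
# gateway role last so that a later assignment does not overwrite it.
$pfx         = 'C:\certs\remote.example.com.pfx'   # placeholder path to a CA-issued certificate
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfx -Password $pfxPassword -ConnectionBroker $broker -Force
}

# Check: every role should report Level "Trusted" once a certificate chained to a CA the
# clients trust is in place; "Untrusted" here is what produces the warning prompts on clients.
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, Subject, ExpiresOn -AutoSize
```

Run the script from a server that is a member of the deployment (the connection broker is simplest), with an account that is an administrator on the gateway server.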

Configuring the Gateway Manager

gateway10

Right-click the local gateway server to open its properties.

gateway11

You can configure the advanced gateway settings in the Properties dialog.

gateway12

The General tab allows you to configure the maximum number of simultaneous connections.

gateway13

The SSL Certificate tab allows you to import an external certificate, create a self-signed certificate, or select one from the personal store. I would recommend that you assign all certificates and apply the RD Gateway certificate last. This is so that the certificate is not overwritten by the Certificates tab in the RDS deployment properties.

gateway14

The Transport tab allows you to configure the RPC-HTTP and HTTP settings. You can change the defaults to meet corporate security requirements.
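When the gateway sits in a perimeter network, the practical check behind the Transport tab is which ports the host actually exposes: 443/TCP carries the RPC-over-HTTP transport, and 3391/UDP is the UDP transport that can be switched off on this tab. The script below is an added example, not part of the original post; it lists the non-loopback listeners on the gateway, flags any outside the expected set, and shows which inbound firewall rules allow the two gateway ports. The `$expected` table is a placeholder for your own policy.

```powershell
# Added example (not from the original post): confirm that an RD Gateway host only listens on
# the ports the gateway needs and see which firewall rules allow them. Run locally on the gateway.
$expected = @{ TCP = @(443); UDP = @(3391) }   # placeholder policy: HTTPS plus the optional UDP transport

function Get-GatewayListeners {
    # Listening TCP sockets and bound UDP endpoints, tagged with the owning process name.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port -Unique
}

# 1. Everything reachable from off-box (anything not bound to loopback).
$listeners = Get-GatewayListeners | Where-Object { $_.Address -notin '127.0.0.1', '::1' }
$listeners | Format-Table -AutoSize

# 2. Ports that are open but outside the expected set for a gateway in the perimeter network.
$unexpected = $listeners | Where-Object { $_.Port -notin $expected[$_.Proto] }
if ($unexpected) {
    Write-Warning 'Listening ports outside the RD Gateway set (review before exposing this host):'
    $unexpected | Format-Table -AutoSize
}

# 3. Inbound allow rules whose port filter covers 443 or 3391, so the firewall matches the policy.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule |
        Where-Object { $_.LocalPort -ne 'Any' } |
        ForEach-Object {
            [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $_.Protocol; LocalPort = $_.LocalPort }
        }
} | Where-Object { $_.LocalPort -match '^(443|3391)$' } | Format-Table -AutoSize

# 4. From an external client, the reachability check is simply:
#    Test-NetConnection -ComputerName remote.example.com -Port 443   (placeholder FQDN)
```

If UDP transport is disabled on the Transport tab, the 3391/UDP line should disappear from the listener output; if it is still present, something other than the gateway service owns it and the Process column tells you what.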

gateway15

The Remote Desktop Connection Authorisation Policies (RD CAP) store enables you to configure local or central NPS Services for centralised management.

gateway16

The Messaging tab is great for notifying users of outages and maintenance times or other administrator messages.

gateway17

Please see the hyperlink below for information on SSL Bridging and tunnelling.

http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

gateway18

The Auditing tab allows you to select what to audit in the log files.

Gateway19

The Server Farm tab allows you to configure multiple Gateway servers for use in a farm (High Availability).

Gateway20

Connection Policies allow you to configure user access.

gateway21

gateway22

gateway23

You can disable the redirection features for enhanced security.

gateway24

The Timeouts Tab allows you to limit client sessions.

gateway25

Resource Authorisation Policies (RD RAP) allow you to specify the network computers that users can connect to.

gateway26

gateway27

You can define user access in the User Groups tab.

gateway28

The Network Resource tab is used to specify the network resources that the policy grants access to.

gateway29

The Allowed Ports tab lets you restrict the ports that clients may connect to through the gateway, which limits exposure to the RDP port alone.

Creating Computer Groups

When creating a highly available Connection Broker configuration or a Remote Desktop Session Host farm, you need to create server groups using Manage locally stored computer groups.

gateway30

gateway31

Click Create Group.

Gateway32

Enter the name and the description of the computer group.

gateway33

For Connection Brokers and RDSH servers, you need to add the individual servers and the farm name in this tab.
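The computer group, the connection authorisation policy and the resource authorisation policy from the sections above can also be created through the RemoteDesktopServices provider (the RDS: drive), which is the same store that RD Gateway Manager edits. The block below is an added example, not code from the original post. The group names, user group, farm name and host names are placeholders, and the item names under RDS:\GatewayServer (the CAP timeout and DeviceRedirection items, the AuthMethod and ComputerGroupType values, the PortNumbers parameter) are taken from the provider as I know it; confirm them with Get-ChildItem on your own build before relying on them.

```powershell
# Added example (not from the original post): create a locally stored computer group, an RD CAP
# and an RD RAP with the RemoteDesktopServices provider. Names and hosts are placeholders; item
# names and numeric values are assumptions about the provider, verify with Get-ChildItem.
Import-Module RemoteDesktopServices

# 1. Computer group for the farm: the farm (published) name plus each session host, so the RAP
#    matches whichever name the client asks the gateway for.
$farm  = 'rds.corp.example.local'                                   # placeholder farm name
$hosts = 'rdsh01.corp.example.local', 'rdsh02.corp.example.local'   # placeholder session hosts
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RDSH-Farm' `
    -Description 'Session host farm reachable through the gateway' `
    -Computers (@($farm) + $hosts)

# 2. RD CAP: who may connect and how they authenticate.
#    AuthMethod 1 = password, 2 = smart card, 3 = either (assumed provider values).
New-Item -Path RDS:\GatewayServer\CAP -Name 'CAP-Staff' `
    -UserGroups 'RDS Users@corp.example.local' `
    -AuthMethod 1

# Tighten the new CAP: session limits (Timeouts tab) and device redirection off, as the
# article suggests for enhanced security. Values are minutes; 0 on a redirection item disables it.
Set-Item RDS:\GatewayServer\CAP\CAP-Staff\IdleTimeout    -Value 30
Set-Item RDS:\GatewayServer\CAP\CAP-Staff\SessionTimeout -Value 480
foreach ($dev in 'DiskDrives', 'Printers', 'SerialPorts', 'Clipboard', 'PlugAndPlayDevices') {
    Set-Item "RDS:\GatewayServer\CAP\CAP-Staff\DeviceRedirection\$dev" -Value 0
}

# 3. RD RAP: which network resources those users may reach. The policy is limited to the computer
#    group above (ComputerGroupType 0 = RD Gateway-managed group, assumed) and to the RDP port only,
#    which is the Allowed Ports tab restriction.
New-Item -Path RDS:\GatewayServer\RAP -Name 'RAP-Staff' `
    -UserGroups 'RDS Users@corp.example.local' `
    -ComputerGroupType 0 -ComputerGroup 'RDSH-Farm' `
    -PortNumbers 3389

# Review the result the way an auditor would: every CAP and RAP with its groups, targets and ports.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP -Recurse |
    Where-Object { $_.Name -in 'UserGroups', 'ComputerGroups', 'PortNumbers', 'AuthMethod' } |
    Select-Object PSParentPath, Name, CurrentValue | Format-Table -AutoSize
```

A CAP without a matching RAP lets users authenticate to the gateway but reach nothing, and a RAP that allows "any network resource" with all ports turns the gateway into a general TCP relay into the internal network, so keep the RAP scoped to the computer group and the RDP port.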

65 thoughts on “Deploying Remote Desktop Gateway RDS 2012”

  1. Hi Ryan,

    First, your “how to” is very useful.

    I have a question for you, i have setup like 1 RDGW. This server only have this role.
    3 servers have RDHA,RDSH,RDWEB. How can i add the certificate for RDGW if i can’t reach him from the console?

    In the “deployment properties” all is set ok, but in certificate, the RDGW is grey out. You have a clue to add it ?

    RDCB SSO –> OK
    RDCB Publishing –> OK
    RDWEB –> OK
    RDGW –> grey out

    Thanks for you help.

  2. Hi, Can the RD Gateway server be the same as the actual RDS server that all my clients will be using for terminal services/remote desktop?

    Also, for the certificate… My AD domain is .local and my external is a .com. How do I issue a public certificate from thawte or godaddy in that case?

    Thanks.

  3. I followed every steps and can’t access from anywhere except the server itself.
    Everything remote concerned is on the same server.

    When I use remote connection (don’t bypass the gateway) … doesn’t work at all (first the cert is invalid. So client communicate correctly with the Gateway. When the cert is added to the client … connection take ages and then fails.

    Help would be very but very appreciated 🙂

    1. Hi,

      Can you confirm you are using a valid and trusted certificate? The article shows an untrusted one.

      Try Restarting your RDS infrastructure.

      Have you checked the event logs? Are there any errors?

      Can you also ensure that the user group is added to the RDG_CAP properties.

      Best Regards,

  4. Hi Ryan,

    Can you help me get a grip on the Licensing for RDGW? Will my install stop tunneling connections after 120 days. We are using just as the Gateway, no VDI and no RemoteApps.

    If i do need CALs, what components must be installed? It is a Server 2012 install.

    Thanks,
    Todd

  5. Hi,
    I had a high availability setup. All servers are windows 2012. I want to configure idle time out for RD web access, the URL should be automatically sign out when it will reach idle time out. RD web access has IIS 8.0 . Is it possible?
    Please suggest , how.

  6. Can you use RD Gateway in conjunction with the new Web Application Proxy in server 2012 R2 to allow for more security and reverse proxying?

    1. When I position the Remote Desktop Gateway behind Web Application Proxy, which method do I need to choose, ADFS Pre-authentication or Pass-through?

    1. Apologies if I am teaching you to suck eggs, but as there is little information, it's hard to gauge your knowledge.

      Add a second NIC to the RDGW and connect that up to your DMZ. Open up the SSL port (443) only from the public and the DMZ interface, then finally NAT the DMZ IP to the public interface.

      If you need any info on the RD Gateway and Ports, have a look at http://blogs.msdn.com/b/rds/archive/2013/03/14/what-s-new-in-windows-server-2012-remote-desktop-gateway.aspx.

      Best regards,

  7. Hi Ryan
    Thank you very much for this post that was very helpful. However as for me I’m in a little confusion:

    I have two hyper -v virtual server setup as RDSH-FARM-1 and RDSH-FARM-2 servers (both of the machines are domain member), All the roles are installed on FARM-1 and FARM-2 has remote session host installed just for load balancing.

    I’ve used local CA to request certificate for RDWA and RDG (RDSH-FARM.co.uk)

    RDGATEWAY is setup with all policy rap and cap.

    Everything is working internally but not externally. I can browse to RDWA via my public IP e.g 12.56.45.67/rdweb and can login with user account but soon i try to remote desktop it says rd gateway server is not reachable?

    My question is do i have to have a registered public domain name?
    can i not just use the public ip/rdweb to get access to my RDSH server?
    If i do need an public resolvable FQDN, can i link my public ip with my iis webserver?

    Apart from this, just to make it short, what exactly am I missing here? And what do I need to make this work?

    I will really appreciate your help!

  8. Hi Ryan,

    Thank you for all of this as all your blogs have extremely helped me in my RDS deployments.

    I am working with an FQDN mydomain.local and trying to setup and RDS 2012 deployment. I have a single server setup.

    server.mydomain.local – RD Connection Broker
    server.mydomain.local – RD Virtualization Host
    server.mydomain.local – RD gateway
    server.mydomain.local – RD Web Access

    I have an external dns name of remote.mydomain.com and a wildcard cert associated with it.
    I setup the gateway with external FQDN remote.mydomain.com. Applied the wildcard cert for *.mydomain.com successfully to all roles.

    RD Connection Broker Enable Single Sign On : Trusted, OK
    RD Connection Broker – Publishing : Trusted, OK
    RD Web Access : Trusted, OK
    RD Gateway : Trusted OK

    I created a new DNS zone remote.mydomain.com and pointed it to the IP of the server that hosts all these roles.

    I can now access my VDI collection successfully internally but not externally. The error I get when connecting externally states:

    Remote Desktop can’t connect to the remote computer “server.mydomain.local” for one of the reasons:
    1) Your user account is not authorized to access the RD Gateway “remote.mydomain.com”
    2) Your computer is not authorized to access the RD Gateway “remote.mydomain.com”
    3) You are using an incompatible method

    I tried using the Set-RDPublishedName script after, and set the name to remote.mydomain.com.
    Now both internal and external connections will not authenticated when given the prompt to login. Saying the credentials did not work.

    After setting the published name to my external fqdn, both the remote computer and the gateway are pointed to remote.mydomain.com

    Putting broker in high availability is not an option in this situation because we don’t have a license for another server.

    Any ideas on what I’m missing? I doubt its a permissions issue. Is it a problem with accessing the gateway? From my understanding once we have access to the gateway externally, the broker can be internal as a secure rdp connection has already been established. Any help would be greatly appreciated. Thanks!

  9. Hi Rich,
    If you are using self sign wild card certificate, then add this certificate in trusted root authority of your local desktop/laptop. Then only you will be able to connect externally.
    Thanks

    1. Just to clarify what Raghu is saying, you would need to export the certificate used on the gateway server and the. Import the certificate using mmc and store that in the local computer certificate folder. You can also use the internal certificate authority if you have one

  10. I have my 2012 RD gateway published and is accessible through my TMG Firewall from the outside world. I noticed that when connecting externally from a Windows 8 PC to a Server 2012 box behind TMG that UDP does not show as being enabled when I connect to The Server 2012 box from a Windows 8 PC inside TMG UDP is enabled. Has anyone successfully published Server 2012 RD gateway with UDP working through TMG or any other Firewall and how? Thanks.

      1. I have a reverse proxy in place for my RD Gateway. I guess going the reverse proxy route will not allow for UDP traffic, is that correct?

  11. Hi Ryan,
    Thanks for a good guide.
    I have one issue remaining I hope you can help me with. When logon on to rdweb from a public connection, I am able to log on and see that default RDS connection. When I try to connect to it I only get an error:

    Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable.

    Everything is working internally. I am using 2012 R2 servers.
    GW server is using rdsgw.public.com certificate
    Broker and rdweb is using rds.public.com certificate and public DNS have NAT to private IP
    rds1 and rds2 are my host servers

    Any idea what I am missing?

    1. have you configured the gateway to allow a connection to the RDS servers. Is the gateway behind a Load balancer ? have you tested the gateway connection internally using MSTSC

      1. Hi Ryan,

        I have configured the Local Computers Group (rds.public.com+internal FQDN of both host servers) on the GW and i am using it in my RAP.

        The gw is not behind a load balancer.

        When i test mstsc with gw from my internal network i am being logged on to the broker server and not the host server.

        I tried to add a public IP to the rdsgw.public.com and NAT it to the gw server. Now I am receiving a second credential box asking for credentials to the internal broker FQDN. When typing in my admin credentials it times out eventually.

      2. What event logs if any are showing . Have you configured the gateway setting internally then attempted to connect to a server which passes through the gateway. What port have you allowed out on your firewall 443 ? This could a number of things

      3. Hi Ryan,

        There is no events logged to any of the involved servers.

        I have just tried connecting to rds1.domain.local using gw rdsgw.public.com and I got a connection to the rds1 server.

        rdsgw.public.com has port 443 allowed in my fw
        rds.public.com has port 80 and 443 allowed in my fw
        (80 so that it will redirect the uses to 443 instead of showing a 403 error)

        Why is the default RDP shortcut on the rdweb referring to the broker internal address? Isn’t that the issue remaining to be solved?

      4. You have an internal domain of .local and an external of .com; you need to change the naming. Have a look at my article on certificates and SSO. You will also have certificate mismatches, which will prompt the credential box.

      5. Hi Ryan,

        Thanks for the quick replies and good assistance. I have solved my public access issue, with this PowerShell cmd:
        Set-RDSessionCollectionConfiguration -CollectionName RDS -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:rds.domain.local `n authentication level:i:0"
        This way it points to the RDS farm name and not the broker server.

        and these 2 configurations:
        IIS Manager:
        drill down to Sites –> Default Web Site (or the name of yours) –> RDWeb –> Pages
        Then click ‘Application Settings’
        Then for ‘DefaultTSGateway’ fill in the external DNS name of the RD Gateway server

        Register the NPS server in Active Directory:
        In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
        Right click on the NPS (Local) node and choose Register server in Active Directory.
        Click OK to authorize the server when prompted.

        and I have deployed a selfsigned certificate to all my RDSH servers rds.domain.local

        Thank you for your quick responses, they did lead me in the right direction to solve this configuration.

  12. Hi,
    Your posts are great and really helped me to understand this. Have a question for you which I could not figure out how to do it.

    I have a setup with 4 2012R2 servers RDGW1, RDWA1, RDCB1, RDSH1

    I want to publish remote apps which is on RDWA1 to internet. If my understanding is correct I have to forward port 443 from the router to RDGW1. But obviously RDWeb is hosted on RGWA1, I can not access it when I pointed port 443 to RDGW1.

    Would you be able enlighten me on how to achieve this?

    Thank you
    Ray

    1. You need to allow external access 443 tcp / 3391 UDP access to the gateway and 443 access to rdweb. You need both publishing externally. Some install both roles in the same box so to simplify things.

  13. Hi Ryan, thanks for your tutorial. I installed in DMZ Win 2012R2 with two NICs. On that machine I’ve run remote desktop services installation (with default published apps) and just added RDGateway.
    RDGateway settings are Use these : domain.com certificate is public (UCC with 10 SANs).
    Under Certificates I added this cert for Connection Broker, WebAccess but RDGateway is greyed. I am not able to edit this here so I added certificate through RDGateway manager.
    Policies are configured locally on NPS server
    Since I have my website domain.com I installed IIS ARR in order to route to the RDGateway everything with /RDWeb. It seems to be working, I can open the login page, log in but when I start remote app (that works within LAN – bypass Gateway is selected) I receive an error “Your Computer can’t connect to the remote computer because RDGateway server is temporarily unavailable. Try reconnecting later ……”

  14. Just came across this thread and I think some of you might be able to help. Here is my breakdown: Using a .local domain, installed RDS with VDI, used the self assigned certificate during install, went in afterwards and into deployment properties and changed the certificate to a wildcard public cert.

    I am able to access RDweb, log in using domain account, see the VDI published, click on it and then I get the following error:

    “Remote Desktop can’t connect to the remote computer “RDS.internal.local” for one of these reasons:

    1) Your user account is not authorized to access the RD Gateway “rds.publicdomain.com”
    2) Your computer is not authorized to access the RD Gateway “rds.publicdomain.com”
    3) You are using an incompatible method (for example, the RD Gateway might be expecting a smart card but you provided a password)

    Contact your network administrator for assistance.”

    The user account I used to log into the RDweb is authorized and also the machine, and I am not using a smart card deployment. Any ideas?

    Thank you,

    Derek

    1. You’re accessing the VDI externally with a .com and internally the domain is a .local. This is your problem. Try disabling certificate authentication; if that works, re-enable it. TP has written a script which will resolve your issue, have a look under Remote Desktop Services on TechNet’s gallery.

  15. Hello,
    we created an RDS farm (one broker server and 2 RDSH servers) We did not install RDG, because we want the farm to be accessed only internally. When we access the farm by Remote Desktop, log in and we have the warning screen “the identity of the remote computer can not be verified…). We created a cert in the broker server, registered it with godaddy, (something like files.domain.com), and we installed it on the broker. In the deployment properties for the collection the rd connection broker – enable SSO, rd connection broker – publishing and rd web access have this certificate installed and the level is trusted BUT when we access the farm: myfiles.domain.com from remote desktop, log in, we have the warning screen “the identity of the remote computer can not be verified…). We looked few days on internet, no luck. The environment is Windows server 2012. Any ideas? Thank you.

  16. Definitely imagine that which you said. Your
    favourite reason seemed to be at the internet the simplest factor to consider of.
    I say to you, I certainly get annoyed whilst folks think about worries that
    they just do not know about. You controlled to hit the nail upon the top and also defined out the whole
    thing with no need side-effects , people can take a
    signal. Will likely be back to get more. Thanks

  17. Ryan,

    One of the things that confuses me most about Microsoft deployments is the external access. I just see so little documentation on it that it’s incredible. Everything I’ve read online and blogs say that the purpose of the gateway is to enable access to your farm from the public internet. So my thought process was “ok, only open ports 443 & 3391 to the outside and NAT it to the gateway”. However if you do this, while you can use MSTSC, you can’t do RemoteApp nor get to the web access. So in the end I had to open up 443 to the RDWeb server. Is this correct?

  18. Hello,

    Am I correct in assuming that after I follow this guide, I will be able to access the RD server from restrictive client firewalls?

    What I mean by that is, often times my users will visit other orgs who have very restrictive firewall policies. If I set up RD Gateway on 2012 R2, will this tunnel all traffic through 443 to give RDP a fighting chance of establishing a session?

      1. Hey, can you clarify which steps exactly above ‘force’ the RD gateway to only utilize port 443? I’ve configured my system to only use port 443 in both the RD Gateway Manager > My Server > Policies > Resource Authorization Policies and also in RD Gateway Manager > right click on My Server > Properties > Transport Settings tab and unticked “Enable UDP Transport”.

        What I’m trying to accomplish is to get everything running over 443 and not depend on any ‘non standard’ ports, as most security conscious organizations tend to block most ports, leaving only 80 & 443 open for standard user access networks.

  19. Hello,

    Great post! Serious issue. When I right click properties, the RD CAP Settings are all grayed out; I can’t click anything.

    Why are they grayed out? I am trying to configure Central NPS

  20. Hi Ryan. Great article. You detailed all the boxes very well. After following your article and reading some of the posts I was successful in getting my RDS Gateway working internally and externally. I was wondering if you had a blog post on setting and tweaking WebApps? I am trying to find a good guide on editing the .RDP files and such. The way I did it on 2008 R2 is not the same as 2012 R2. Thanks!
    Lyle Epstein
    Kortek Solutions, Las Vegas, NV

  21. Hi Ryan,

    maybe a stupid question.. but i don’t get it…
    I configured my RD Gateway Server to be reachable with an external IP in our DMZ.
    I followed your steps above, but which URL should i enter to access it?

    I used the external IP of the GW server, but only got IIS Splash page. I checked whatelse pages are on the gateway setup and tried accessing /rpc which prompts for credentials then nothing happens…
    I used my internal wildcard certificate on my external gw server, which is – of course – untrusted. Is that the issue? Does is not proceed without having a trusted cert? If so, could i solve this with importing the internal wildcard cert?

    THanks!
    Ben

  22. Hi Ryan,
    I had RD Web and RD Gateway on the same server(which was on DMZ),other servers or separated by each 2 RDSH and 1 Connection Broker.(so total 3 different servers for each role + 1 on the DMZ)

    With this setup i have achieved access on the INTERNAL and EXTERNALLY.

    But when i removed RD Web role from RD Gateway server and i used separate RD web server(which is not in DMZ) after then i get 404 error.when am accessing with https://ExternalgatewayFQDN/rdweb

    So any ideas on what is missing?

  23. Maybe someone has experienced this and can help me out. I have a 6 server environment for RDS –
    2 x AD DS
    1 x RD GW + Web Access
    1 x RD CB
    2 x RD SH

    I can see the session collection in Remote Desktop client, and when I connect to an app it appears to connect, authenticates, then says Connecting to RDP…then nothing, the window just closes. I check session hosts and no connections appear. Any idea?

  24. Is it possible to tunnel through two RDGW servers?
    RDP Client -> RDGW_SiteA -> RDGW_SiteB -> RDSH_server

    For security/compliance reasons I can only RDP out using a RDGW server. But I now need to connect to a remote site that is running a RDGW server.

      1. Hi Ryan,

        Unfortunately outgoing RDP is only allowed via a locked down RDGW. No VPN access would be permitted between the two sites.

  25. Hello,

    I am having an issue accessing my gateway server from any external sources. There is a timeout error. The address abc.remote.com works internally.

    My setup is like this:

    1. One Gateway/web access on same server.
    2. Two Session Host servers
    3. Two Broker servers
    4. SQL server is installed on Gateway server
    5. License server is installed on the Brokers

    I have a Host A record on my Domain name provider that points to my firewall. Then my firewall points to my internal Gateway server/ I am allow traffic from external through my firewall on port 443.

  26. Hi Ryan,

    I have done the RD Gateway setup for one of our clients using self signed certificate, it works fine internally within the network. But when i try to access from externally i got the below error: https://Public IP/RDWeb

    your computer can’t connect to the remote computer because the remote desktop gateway server address is unreachable or incorrect.

    What could be the issue, is it mandatory to purchase self signed certificate for accessing the Remoteapp externally?

    Thank you for your

  27. How do I enable the RD Gateway to link to the IIS manager. All I get is the IIS pages. I need ONLY to have the RD gateway logon to appear so I can redirect. please help

  28. Hello I created a 4 server RDS 2012 R2 environment. here is the config:
    RD Connection Broker Server/License Server – internal network
    RD Web Access Server – Internal network
    RD Session Host Server – internal network
    RD Gateway server – perimeter network
    Internally users can connect to the RDWeb access page and then connect to services published to the RD Web access page. this is working fine. The problem I am having is external users. I have a an external FQDN in my external DNS and I have that address set in my Gateway setting, however when a user connects to https:///rdweb they are getting a 404 file or directory not found. it is my belief that it is trying to access the IIS server on the Gateway server where there is no RDWeb instead of sending the traffic to my internal RD Web Access server that does have the RDWeb service. I have read and re-read your deployment guide and I am just not sure what is wrong

  29. Hello
    Did anyone face the issues described below when installing RD Gateway?

    RD Gateway Configuration Failed on With Error: Unable to create a Remote Desktop connection authorization policy on . The error is 2147749889.

    The connection authorization policy “RDG_CAP_AllUsers” could not be created. The following error occurred: “16389”.

    The RD Gateway install step is the last one during the Session Broker configuration. I use Windows 2012 Standard.
