This article shows you how to deploy a simple and secure remote access solution using Remote Desktop Gateway. RD Gateway lets you connect securely over RDP from home to desktops and servers in the office.
In a nutshell, the Remote Desktop Gateway role service wraps RDP in HTTPS, so it behaves like an RDP-only SSL VPN: connections arrive on TCP 443, with an optional UDP transport on UDP 3391. You can connect to your work computer from a home device with the standard Remote Desktop Connection client (MSTSC), without exposing RDP itself (TCP 3389) to the internet.
- Let's Encrypt public certificate – free
- Windows Server licence – a free trial is enough to test this out
Where can I deploy?
- Microsoft Azure
- Amazon AWS
- Google Cloud
Please follow the steps in order for best results.
First we need a server, preferably domain joined, since the gateway policies reference Active Directory users and groups. Open the Add Roles and Features wizard and install the Remote Desktop Gateway role service; IIS is installed alongside it as a dependency.
Configuring IIS and an HTTPS certificate:
Next, download the win-acme Let's Encrypt client, which generates a free, publicly trusted TLS certificate: https://www.win-acme.com/
Once downloaded, copy all of the files into a newly created folder called lets encrypt under inetpub, as shown in the screenshot.
Then make sure external DNS resolves the gateway's FQDN to your public IP, and that the perimeter firewall/NAT forwards TCP 443 and UDP 3391 to the server. TCP 80 must also be reachable from the internet, but only so that Let's Encrypt can complete its HTTP validation of the name; it carries no user traffic and is needed again at each renewal. You will then need to add the HTTPS binding for that FQDN to the IIS site.
Once this is all in place, run wacs.exe and follow the prompts to create a simple certificate for the IIS site bound to that FQDN.
Once completed, the certificate appears in the Web Hosting store under Certificates (Local Computer).
The next step is to run the ImportRDGateway.ps1 script that ships with win-acme, found in the lets encrypt folder we created earlier, to assign the certificate to the gateway automatically as shown above.
Once the script has run successfully, the Let's Encrypt certificate shows as assigned under SSL Certificate in RD Gateway Manager.
Configuring a basic RAP and CAP policy:
You need to create both policies in line with your security requirements: the connection authorization policy (CAP) controls which users may connect through the gateway and how they authenticate, and the resource authorization policy (RAP) controls which internal computers they may reach. Both can be created in one sitting with the wizard; follow its steps. Unless you genuinely need it, scope the RAP to a specific computer group rather than allowing any network resource, so that a compromised user account cannot reach every internal host through the gateway.
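As an added example (not code from the original post or from win-acme), the following PowerShell performs the server-side steps above unattended on the gateway host: it installs the role service, opens the host firewall, binds the certificate that win-acme placed in the WebHosting store to the gateway (the same operation the ImportRDGateway script performs) and creates a CAP and a RAP scoped to an AD computer group. The FQDN rdg.contoso.com, the CONTOSO domain, the group names and the policy names are assumptions; the CAP/RAP parameters use the RDS: PowerShell provider and should be checked against Get-Help and the provider's item properties before use in your environment.

```powershell
# Added example, not from the original post. Run as administrator on the RD Gateway
# host after wacs.exe has issued the certificate. Steps 1-2 are idempotent and would
# normally be done before running wacs.exe; steps 3-6 are what ImportRDGateway.ps1 automates.
# Assumptions (not in the post): public name rdg.contoso.com, AD domain CONTOSO,
# an AD group RDG-Servers containing the hosts users may reach.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$PublicFqdn    = 'rdg.contoso.com'        # assumption: public gateway FQDN
$UserGroup     = 'Domain Users@CONTOSO'   # assumption: who may use the gateway
$ResourceGroup = 'RDG-Servers@CONTOSO'    # assumption: AD group of reachable hosts

# 1. Role install (same as the Add Roles and Features wizard). IIS comes with it,
#    which is what win-acme's HTTP validation needs.
Install-WindowsFeature RDS-Gateway -IncludeManagementTools

# 2. Host firewall. TCP 443 carries the RDP-over-HTTPS transport and UDP 3391 the
#    optional UDP transport. TCP 80 is needed only while Let's Encrypt validates the
#    name (and at each renewal); it carries no user traffic.
New-NetFirewallRule -DisplayName 'RD Gateway HTTPS'   -Direction Inbound -Protocol TCP -LocalPort 443  -Action Allow
New-NetFirewallRule -DisplayName 'RD Gateway UDP'     -Direction Inbound -Protocol UDP -LocalPort 3391 -Action Allow
New-NetFirewallRule -DisplayName 'ACME HTTP validation' -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

# 3. Find the newest valid Let's Encrypt certificate win-acme stored for the IIS site.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Subject -eq "CN=$PublicFqdn" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate for $PublicFqdn in Cert:\LocalMachine\WebHosting; run wacs.exe first."
}

# 4. Bind it to the gateway by thumbprint (this is what the ImportRDGateway script does).
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 5. CAP: who may connect and how (AuthMethod 1 = password).
#    RAP: which internal hosts they may reach. ComputerGroupType 1 ties the RAP to an
#    AD group; 2 would allow any network resource, which turns one stolen domain
#    credential into a path to every host behind the gateway.
#    Parameter names are those of the RDS: provider; verify with Get-Help New-Item -Path RDS:.
if (-not (Test-Path RDS:\GatewayServer\CAP\Contoso-CAP)) {
    New-Item -Path RDS:\GatewayServer\CAP -Name 'Contoso-CAP' -UserGroups $UserGroup -AuthMethod 1
}
if (-not (Test-Path RDS:\GatewayServer\RAP\Contoso-RAP)) {
    New-Item -Path RDS:\GatewayServer\RAP -Name 'Contoso-RAP' -UserGroups $UserGroup `
             -ComputerGroupType 1 -ComputerGroup $ResourceGroup
}

# The gateway service picks up the new certificate on restart.
Restart-Service TSGateway -Force

# 6. Verify: the bound thumbprint is the one we selected and the HTTPS listener is up.
$bound = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
if ($bound -ne $cert.Thumbprint) {
    throw "Gateway is bound to $bound, expected $($cert.Thumbprint)"
}
Get-NetTCPConnection -State Listen -LocalPort 443 | Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it once after the certificate has been issued; the role and firewall steps are safe to repeat. Re-running steps 3 to 6 after each renewal is exactly what win-acme does when ImportRDGateway.ps1 is registered as its installation script, so if that script is in place you do not need to repeat them by hand.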
Testing and connecting through the gateway:
This section shows the Windows client, but other operating systems and third-party client tools such as thin clients can also connect to your office resources. Users with Apple Macs are supported too.
To test connectivity, open Remote Desktop Connection (MSTSC), go to the Advanced tab and configure the gateway settings (the gateway FQDN and the credentials to use). Then go back to the General tab and enter the internal computer's FQDN, name or IP address.
Once connected, the Monitoring section of RD Gateway Manager shows the session: we are now connected to our internal resource through the gateway over TCP 443 / UDP 3391.
As you can see in Remote Desktop Connection, the device is connected to 10.0.0.6 through the gateway service.
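Instead of clicking through the Advanced tab on every client, the gateway settings can be captured in an .rdp file. The following PowerShell is an added example, not from the original post: it writes such a file that always routes the session through the gateway, checks that TCP 443 on the gateway is reachable from the client, prints the certificate the gateway actually presents, and then launches MSTSC with the file. The gateway name rdg.contoso.com is an assumption; 10.0.0.6 is the internal target used above.

```powershell
# Added example, not from the original post. Run on the Windows client (PowerShell 5.1+).
# Assumptions (not in the post): gateway rdg.contoso.com; target 10.0.0.6 as shown above.
param(
    [string]$Gateway = 'rdg.contoso.com',   # assumption: public gateway FQDN
    [string]$Target  = '10.0.0.6',          # internal host, reachable only through the gateway
    [string]$Path    = "$env:USERPROFILE\Desktop\office-via-rdg.rdp"
)
$ErrorActionPreference = 'Stop'

# .rdp settings. gatewayusagemethod 1 = always use the gateway (2 would bypass it for
# addresses that look "local", the wrong default for a laptop on an untrusted LAN).
# gatewaycredentialssource 0 = password (NTLM); promptcredentialonce 1 reuses the
# gateway credentials for the target so the user is asked once.
# authentication level 1 = refuse to connect if the target's server authentication fails.
$rdp = @"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:1
prompt for credentials:i:1
"@
Set-Content -Path $Path -Value $rdp -Encoding ASCII

# Pre-flight: the client only needs TCP 443 to the gateway. If this fails the problem is
# DNS or the perimeter firewall/NAT in front of the server, not the gateway configuration.
$probe = Test-NetConnection -ComputerName $Gateway -Port 443
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 443 to $Gateway is not reachable from this client."
}

# Show which certificate the gateway presents. The callback accepts anything here only so
# we can read the certificate; MSTSC performs the real validation when it connects.
$tcp = [System.Net.Sockets.TcpClient]::new($Gateway, 443)
$ssl = [System.Net.Security.SslStream]::new(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($Gateway)
$remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
"Gateway presents: $($remote.Subject) issued by $($remote.Issuer), valid until $($remote.NotAfter)"
$ssl.Dispose(); $tcp.Dispose()

# Launch the Remote Desktop Connection client with the saved settings.
Start-Process mstsc.exe -ArgumentList "`"$Path`""
```

The issuer line is a quick way to confirm that the Let's Encrypt certificate, rather than a self-signed or expired one, is what clients see; if MSTSC keeps prompting for credentials, compare that output with what RD Gateway Manager shows under SSL Certificate.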
This is an affordable and quick way to deploy a remote access solution for any number of users. If you need to set up remote access for workers quickly, this may be the answer.
One point to note: Let's Encrypt certificates are valid for 90 days. win-acme registers a scheduled task to renew the certificate automatically, and if the ImportRDGateway script is configured as its installation step, the renewed certificate is bound to the gateway at each renewal. If you only need a temporary solution, this is enough to get all your staff up and running quickly. If you want it to be permanent, configure and verify the automated renewal and re-binding before the first certificate expires.
Find out more about deploying RD Gateway in detail here: https://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/
I’ve followed most of the above, but I opted to create my own signed certificate instead of using win-acme.
“Then ensure that you configure external DNS with the FQDN required and ensure ports 443/3391 and port 80 are open on the firewall”
When you say this, do you mean on the network / router? Or are you talking about my server, where I need to open up my firewall?
I’ve completed everything and get prompted to sign in, but any time I enter the credentials I keep getting asked for them again; everything appears to be up and running fine. I think it has something to do with my firewall.
Hi Sean, what firewall do you have?
Also, when you say signed, you mean a publicly trusted cert, right?
Just want to say THANK YOU so much for this. Our public cert expired while we were still waiting for the validation to go through; this saved my hide by using Let’s Encrypt as a temporary stopgap!