How to Configure a Remote Desktop Client to Use a Remote Desktop Gateway

Updated on July 13, 2018

This tutorial shows how to configure a Remote Desktop Client to use a Remote Desktop Gateway. It shows how to configure the Remote Desktop client for both Mac and Windows. It also shows how to connect to a Remote Desktop Gateway that is using a Self-Signed certificate.

Summary

The following is a summary of the steps usually involved in configuring a Remote Desktop Client to use a Remote Desktop Gateway.

  1. Verify the external server name or IP address and Port for the Remote Desktop Gateway
  2. Install an SSL Certificate on the Remote Desktop Gateway
  3. IF USING A SELF-SIGNED SSL CERTIFICATE: Trusting the Self-Signed SSL Certificate on the client. This step is optional on Mac clients, but MUST be done on Windows PCs to connect.
  4. Configuring the Remote Desktop client on the Mac AND/OR configuring the Remote Desktop client on Windows

Verify the External DNS name or IP Address and Port Number of the Remote Desktop Gateway

Go to Server Manager -> Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager

In RD Gateway Manager, right click on the RD Gateway server and select Properties. Then click on the Transport Settings tab. Obtain the Port number configured. The default is TCP Port 443.

Your systems administrator should be able to tell you what your external DNS name or external IP address is for the Remote Desktop Gateway.

Installing an SSL Certificate

There must be an SSL certificate installed on the Remote Desktop Gateway server before clients can connect through the RD Gateway. You can either use a third-party SSL certificate (recommended, especially for Production) or use a self-signed certificate.

If you use a self-signed certificate, you must export the public key and import it into your client PCs that you are going to be connecting in from. This is not practical for Production environments, but is handy for proof of concept or test environments.

SSL Certificates need to be created based on the external name that will be used to connect to the RD Gateway whether through a third party or Self-Signed. You can also use wildcard SSL certificates.

If Self-Signed and no external name has been created, i.e., this is a test environment, then you should use the external IP address that will be used to connect in as the name.

This external DNS name or IP address will be used to configure the Remote Desktop Client.

If you click on the SSL Certificate tab, you have a choice to import the third-party SSL certificate or generate a Self-Signed certificate. In our tutorial, we will just go ahead and generate a Self-Signed certificate.

We will replace the default certificate name with an external DNS name or external IP address

We won't use the default certificate name because, depending on how you named your Active Directory domain and how you set up your DNS zones, it may not be resolvable from the internet. Instead, we will replace it with the external IP address of the Remote Desktop Gateway. This can just be a forwarded external IP address of your firewall.

Use the external IP address
Hit OK to apply the Certificate

Be aware that whatever name is on the Self-Signed certificate is the server name you need to enter for the Remote Desktop Gateway in the client. If you don't use the name in the certificate, the client will prompt with a warning that the SSL certificate does not match the server name you used. Later Windows Remote Desktop clients will warn you and WON'T let you connect to the RD Gateway.

Trusting the Self-Signed Certificate on the Client

If using a third-party SSL certificate from a well-known certificate authority company, the SSL certificate will be recognised and trusted on most systems which will be connecting in. You don't need to do the additional step of trusting the SSL certificate on the client.

However, if you are using a self-signed certificate, your clients will warn about the certificate not being trusted, and on some versions of the Remote Desktop Client in Windows, it will not let you connect. If you are using a Mac, you can ignore this step as you are given the option to Trust the certificate when you are connecting in.

However, this tutorial will also show the steps of how to import the SSL Certificate on a Mac just as a reference.

Exporting and Importing the Self-Signed Certificate

If you installed a self-signed certificate, you will need to export the certificate from the server (minus the private key) and then import it into your client machine.

How to Export the SSL Certificate

Recall that when you were creating the self-signed SSL certificate, you were told where a copy of the SSL certificate was copied to, and the name to use on the certificate. See previous screen shots. You can just get a copy of that file, or you can export it using the Certificates snap-in in the MMC Console.

How To Import the SSL Certificate on Windows

Log into the Windows PC with an account that has local administrator rights. Copy the exported certificate to the PC.

Right-click on the certificate and select install.

Right-click on the certificate, and select Install
Select Local Machine
Place the certificate in the Trusted Root Certification Authorities Certificate store
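
The same import can be done from an elevated PowerShell prompt. This is an added example, not part of the original tutorial: it refuses to trust the exported file unless its thumbprint matches one read on the gateway server itself, and the file path, gateway name and thumbprint shown are placeholders.

```powershell
# Added example. The three values below are placeholders (assumptions), not values from the tutorial.
$CertPath           = 'C:\Temp\rdgateway.cer'     # hypothetical path to the exported public certificate
$GatewayName        = '203.0.113.10'              # constructed sample: the name or IP typed into the client
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-GATEWAY-SERVER>'

function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $problems = @()

    # The certificate dialog may show the thumbprint with spaces; keep hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Certificate.Thumbprint -ne $expected) {
        $problems += 'thumbprint does not match the value read on the gateway'
    }

    # Only the public certificate belongs on a client.
    if ($Certificate.HasPrivateKey) {
        $problems += 'file also contains the private key'
    }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'certificate is outside its validity period'
    }

    # Compares the simple name (normally the subject common name); alternative names are not inspected.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectName = $Certificate.GetNameInfo($nameType, $false)
    if ($subjectName -ne $GatewayName) {
        $problems += "subject name '$subjectName' is not '$GatewayName'"
    }
    return $problems
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$problems = Test-GatewayCertificate -Certificate $cert -GatewayName $GatewayName -ExpectedThumbprint $ExpectedThumbprint
if ($problems) {
    throw "Not importing ${CertPath}: $($problems -join '; ')"
}

# Requires an elevated prompt: this is the machine-wide Trusted Root Certification Authorities store.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
```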

OPTIONAL: How To Import the SSL Certificate on a Mac

(This step is optional on a Mac, as the Mac Remote Desktop Client will allow you the option of trusting this certificate, so that subsequent connections using this certificate will be trusted.)

Go to the Utilities folder and open the Keychain Access utility.

The Keychain Access Utility

Go into the File menu, and select Import Items

Select the exported certificate and click on Open
Enter the administrator credentials on your Mac to make changes
The certificate imports successfully

Right click on the imported certificate and select Get Info. We will then set the certificate to be trusted for Secure Sockets Layer (SSL).

Expand the Trust section
Change the value for Secure Sockets Layer (SSL) to Always Trust

After you've changed the value for Secure Sockets Layer (SSL) to Always Trust, close the window. A dialog box will prompt for the administrator account to update the settings.

Configure the Remote Desktop Client in Windows

If you are going to be running the Remote Desktop Connection client from a Windows 7 or Windows 2008R2 machine (or earlier versions), you will need to ensure you download the latest Remote Desktop Connection client for those operating systems, as the original versions for those operating systems don't seem to work with the Remote Desktop Gateway even though they have a setting for it.

The Remote Desktop Connection client which comes with later versions of Windows will support Remote Desktop Gateway.

Click on "Show Options"
Click on the "Advanced" tab, and click on "Settings" in the Connect from anywhere section
Enter the RD Gateway server name or IP address, then click OK
Select "Connect and don't warn me" under the "If server authentication fails" section
Enter the computer/server name and the username used to connect to this server

Click Connect

You can ignore the warning as the remote server which we will connect to doesn't have a trusted certificate

The credentials to enter are those of the user account that has been given rights in the Connection Authorization Policy and the Resource Authorization Policy in Remote Desktop Gateway Manager
This account is the user account that has access to this server (either local or domain account)
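
When a connection configured this way is saved, the Windows client writes the settings to an .rdp file, where the "If server authentication fails" choice is stored as `authentication level` and the gateway name as `gatewayhostname`. The following added example (not part of the original tutorial) audits such a file for a silently accepted authentication failure and for a gateway name that differs from the name on the certificate; the sample file contents and names are constructed.

```powershell
# Constructed sample of a saved connection (.rdp) file; all values are illustrative.
$sampleRdp = @'
full address:s:DC1.DOMAIN.LOCAL
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:1
authentication level:i:0
'@

function ConvertFrom-RdpText {
    param([Parameter(Mandatory)] [string] $Text)
    $settings = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Each setting is "name:type:value"; type is s (string), i (integer) or b (binary).
        if ($line -match '^\s*([^:]+):([sib]):(.*)$') {
            $settings[$Matches[1].Trim().ToLowerInvariant()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpGatewaySettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [Parameter(Mandatory)] [string] $CertificateName   # name on the gateway certificate
    )
    $findings = @()
    # 0 = connect without warning, 1 = do not connect, 2 = warn, 3 = not specified
    if ($Settings['authentication level'] -eq '0') {
        $findings += 'authentication level is 0: a failed server authentication is accepted silently'
    }
    # 1 = always use the gateway, 2 = use it when a direct connection is not possible
    if ($Settings['gatewayusagemethod'] -notin '1', '2') {
        $findings += 'gatewayusagemethod is not 1 or 2: use of the RD Gateway is not explicit'
    }
    elseif ($Settings['gatewayhostname'] -ne $CertificateName) {
        $findings += "gatewayhostname '$($Settings['gatewayhostname'])' differs from certificate name '$CertificateName'"
    }
    return $findings
}

$settings = ConvertFrom-RdpText -Text $sampleRdp
Test-RdpGatewaySettings -Settings $settings -CertificateName '203.0.113.10'
```

To audit a real file, pass `Get-Content -Raw` of the .rdp path as `-Text`. With the sample above, the function reports both the level 0 setting and the name mismatch.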

Configure Remote Desktop Client for Mac

Download the latest Microsoft Remote Desktop from the App Store.

Open the Microsoft Remote Desktop application, and click on the + New button.

Enter a Connection Name. This is a name that will help you know what this connection is or where it connects to.

For the PC Name, enter the local or internal name of the server. This is the locally resolvable server name.

For example, if I have a domain controller with the name of DC1, I can put in its name DC1 or FQDN i.e. DC1.DOMAIN.LOCAL in the PC name.

This name does not need to be resolvable from the internet, but needs to be resolvable from the Remote Desktop Gateway.

Select Add Gateway
Click the "+" symbol on the lower left pane to add an RD Gateway and its details. You can add more than one RD Gateway and select which one to use if you have different networks to connect to.
The credentials to enter are those of the user account that has been given rights in the Connection Authorization Policy and the Resource Authorization Policy in Remote Desktop Gateway Manager
Select the RD Gateway we just added to use with this connection setup

You can now connect by double clicking on the name of the connection.

The below example is from a machine that DID NOT have the Self-Signed certificate imported and trusted. This initial warning will not appear if this had been done. However, on a Mac Remote Desktop client, we can choose to trust this certificate so in future, we won't be prompted with a warning about the certificate on this Remote Desktop Gateway.

Click on Show Certificate so we can then trust the certificate for future connections
Tick the "Always trust..." and click on Continue
Enter the administrator credentials that can update the certificate settings
We are now prompted with a warning about the destination server's certificate
We use the same steps to trust this server as we did the Remote Desktop Gateway's certificate
In subsequent connections, we will not be prompted with a warning about the certificates of the Remote Desktop Gateway or this destination server again.

Conclusion

We have now seen how to configure the Remote Desktop Client for Windows and Mac, and how to import Self-Signed certificates into a Windows PC and a Mac.

© 2018 sengstar2005
