This tutorial shows how to configure a Remote Desktop Client to use a Remote Desktop Gateway. It shows how to configure the Remote Desktop client for both Mac and Windows. It also shows how to connect to a Remote Desktop Gateway that is using a Self-Signed certificate.
The following are the summary of steps usually involved in configuring a Remote Desktop Client to use a Remote Desktop Gateway.
- Verify the external server name or IP address and Port for the Remote Desktop Gateway
- Install an SSL Certificate on the Remote Desktop Gateway
- IF USING A SELF-SIGNED SSL CERTIFICATE: Trusting the Self-Signed SSL Certificate on the client. This step is optional on Mac clients, but MUST be done on Windows PCs to connect.
- Configuring the Remote Desktop client on the Mac AND/OR configuring the Remote Desktop client on Windows
Verify the External DNS name or IP Address and Port Number of the Remote Desktop Gateway
Go to Server Manager -> Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager
In RD Gateway Manager, right click on the RD Gateway server and select Properties. Then click on the Transport Settings tab. Obtain the Port number configured. The default is TCP Port 443.
Your systems administrator should be able to tell you what your external DNS name or external IP address is for the Remote Desktop Gateway.
Installing an SSL Certificate
There must be an SSL certificate installed on the Remote Desktop Gateway server before clients can connect through the RD Gateway. You can either use a third-party SSL certificate (recommended, especially for Production) or use a self-signed certificate.
If you use a self-signed certificate, you must export the public key and import it into your client PCs that you are going to be connecting in from. This is not practical for Production environments, but is handy for proof of concept or test environments.
SSL Certificates need to be created based on the external name that will be used to connect to the RD Gateway whether through a third party or Self-Signed. You can also use wildcard SSL certificates.
If Self-Signed and no external name has been created, i.e., this is a test environment, then you should use the external IP address that will be used to connect in as the name.
This external DNS name or IP address will be used to configure the Remote Desktop Client.
If you click on the SSL Certificate tab, you have a choice to import the third-party SSL certificate or generate a Self-Signed certificate. In our tutorial, we will just go ahead and generate a Self-Signed certificate.
We won't use the default Certificate name, as depending on how you name your active directory domain, and how you setup your DNS zones, it may not be able to be resolved from the internet. Instead, we will replace it with the external IP address of the Remote Desktop Gateway. This can just be a forwarded external IP address of your firewall.
Be aware that whatever name is on the Self-Signed certificate, that will be the server name you need to enter for the Remote Desktop Gateway in the client. If you don't use the name in the certificate, the client will prompt with a warning about the SSL certificate not matching the server name you used. In later Windows Remote Desktop clients, it will warn you and WON'T let you connect to the RD Gateway.
Trusting the Self-Signed Certificate on the Client
If using a third-party SSL certificate from a well-known certificate authority company, the SSL certificate will be recognised and trusted on most systems which will be connecting in. You don't need to do the additional step of trusting the SSL certificate on the client.
However, if you are using a self-signed certificate, your clients will warn about the certificate not being trusted, and on some versions of the Remote Desktop Client in Windows, it will not let you connect. If you are using a Mac, you can ignore this step as you are given the option to Trust the certificate when you are connecting in.
However, this tutorial will also show the steps of how to import the SSL Certificate on a Mac just as a reference.
Exporting and Importing the Self-Signed Certificate
If you had installed a self-signed certificate, you will need to export the certificate from the server (minus the private key) and then import it into your client machine.
How to Export the SSL Certificate
Recall that when you were creating the self-signed SSL certificate, you were told where a copy of the SSL certificate was copied to, and the name to use on the certificate. See previous screen shots. You can just get a copy of that file, or you can export it using the Certificates snap-in in the MMC Console.
How To Import the SSL Certificate on Windows
Log into the Windows PC as an account that has local administrators rights. Copy the exported certificate to the PC.
Right-click on the certificate and select install.
OPTIONAL: How To Import the SSL Certificate on a Mac
(This step is optional on a Mac, as the Mac Remote Desktop Client will allow you the option of trusting this certificate, so that subsequent connections using this certificate will be trusted.)
Go to the Utilities folder and open the Keychain Access utility.
Go into the File menu, and select Import Items
Right click on the imported certificate and select Get Info. We will then specify to trust the Secure Sockets Layer (SSL)
After you've changed the value for Secure Sockets Layer (SSL) to Always Trust, close the window. A dialog box will prompt for the administrator account to update the settings.
Configure the Remote Desktop Client in Windows
If you are going to be running the Remote Desktop Connection client from a Windows 7 or Windows 2008R2 machine (or earlier versions), you will need to ensure you download the latest Remote Desktop Connection client for those operating systems as the original versions for those operating systems doesn’t seem to work with the Remote Desktop Gateway even though they have a setting for it.
The Remote Desktop Connection client which comes with later versions of Windows will support Remote Desktop Gateway.
You can ignore the warning as the remote server which we will connect to doesn't have a trusted certificate
Configure Remote Desktop Client for Mac
Download the latest Microsoft Remote Desktop from the App Store.
Open the Microsoft Remote Desktop application, and click on the + New button.
Enter a Connection Name. This is a name that will help you know what this connection is or where it connects to.
For the PC Name, enter the local or internal name of the server. This is the locally resolvable server name.
For example, if I have a domain controller with the name of DC1, I can put in its name DC1 or FQDN i.e. DC1.DOMAIN.LOCAL in the PC name.
This name does not need to be resolvable from the internet, but needs to be resolvable from the Remote Desktop Gateway.
You can now connect by double clicking on the name of the connection.
The below example is from a machine that DID NOT have the Self-Signed certificate imported and trusted. This initial warning will not appear if this had been done. However, on a Mac Remote Desktop client, we can choose to trust this certificate so in future, we won't be prompted with a warning about the certificate on this Remote Desktop Gateway.
We have now seen how to configure the Remote Desktop Client for Windows and Mac, and how to import Self-Signed certificates into a Windows PC and a Mac.
- How to Setup a Remote Desktop Gateway Windows Server 2016
This tutorial will go through the steps of implementing a Remote Desktop Gateway on a Windows Server 2016 server. A Remote Desktop Gateway is often used to allow remote desktop clients to connect from the internet to servers behind the Remote Desktop
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
Questions & Answers
Question: How do you prevent the users from bypassing an RD gateway with a remote desktop client?
Answer: If they try to bypass the RD Gateway, they won't be able to access your internal servers. Also, with GP, I haven't tried to apply the RD Gateway settings using it, but it should work if there's an option for it.
© 2018 sengstar2005
Oleg on April 01, 2020:
sengstar2005 (author) from Sydney on March 31, 2020:
Hi Oleg, you can Google instructions on how to get the active sessions from the CLI. I did a quick search and can see a few blogs on how to write scripts to show the connections going through the RD Gateway. This script does the same as using Remote Desktop Gateway manager and going to the Monitoring tab.
Oleg on March 30, 2020:
Thank you for instruction.
How can i watch active rdp session from cli ?
sengstar2005 (author) from Sydney on March 27, 2020:
Don Stevens on March 26, 2020:
this was one of the best explanations / instructions that I have found during my 25 year IT career. Thank you so much for posting this, being so clear, and correct. I wish I had found this article a month ago!!!!! don@TFI
Jason2509 on November 27, 2019:
Excellent article - greatly appreciated followed without issue except Im using the gateway to access the url for remote apps. It works perfect internally (of course), externally I can get to the url, sign in and see the apps but keep getting the Can't connect to the remote computer for one of these reasons. I have a cap and rap setup but am missing something. Thanks in advance