How to Setup a Remote Desktop Gateway Windows Server 2016

Updated on August 2, 2018

Introduction

This tutorial goes through the steps of implementing a Remote Desktop Gateway on a Windows Server 2016 server. A Remote Desktop Gateway is typically used to let Remote Desktop clients on the internet connect to servers on the corporate network that sit behind the gateway. It tunnels the RDP session over HTTPS, so only the gateway's HTTPS port is exposed to the internet and RDP (TCP 3389) on the internal servers never is. The Remote Desktop Gateway acts like a "jump host", except that users never log on to the gateway itself and it never hosts their desktop sessions. Before it relays a session, it checks that the user belongs to a group that is allowed to use the gateway (the Connection Authorization Policy) and that the user is allowed to reach the requested destination server (the Resource Authorization Policy).

Summary of Steps Required to Configure a Remote Desktop Gateway Windows Server 2016

The following is a summary of the steps required to configure a Remote Desktop Gateway on Windows Server 2016. Use it as a checklist to ensure everything has been covered.


  1. Join the Windows Server 2016 server to the Active Directory domain.
  2. Add the Remote Desktop Services role with the Remote Desktop Gateway role service.
  3. Create a Connection Authorization Policy (RD CAP). This policy specifies which groups are allowed to use this Remote Desktop Gateway.
  4. Create a Resource Authorization Policy (RD RAP). This policy specifies which servers each of those groups may connect to.
  5. Obtain an SSL certificate for the gateway's public name from a public Certificate Authority. (Any public CA will do; no free advertising on this page.)
  6. Apply the SSL certificate to the Remote Desktop Gateway.
  7. Accept the default Remote Desktop Gateway TCP port of 443 or change it to another port number.
  8. Test a Remote Desktop Connection to a server behind the Remote Desktop Gateway DIRECTLY from the Remote Desktop Gateway server. This confirms that the gateway can reach, on the RDP port, the servers that clients will need to connect to.
  9. Modify firewall rules to allow inbound traffic on the Remote Desktop Gateway port to the Remote Desktop Gateway server. Do not open TCP 3389 on the internal servers to the internet; the gateway is the only exposed endpoint.
  10. Test a Remote Desktop Connection to a server behind the Remote Desktop Gateway from the internet. You need to configure the Remote Desktop client with the Remote Desktop Gateway address and port number. NOTE: Older versions of Remote Desktop Connection that shipped with Windows 7 and Windows Server 2008 R2 have Remote Desktop Gateway settings but can fail to connect. It is good practice to install the latest version of the Remote Desktop Connection client.

    To learn how to configure a Remote Desktop Connection client to use a Remote Desktop Gateway, you can follow this article:
    http://hub.me/am7AP

Detailed Steps to Configure a Remote Desktop Gateway Windows Server 2016

The following tutorial shows in detail how to configure a Remote Desktop Gateway on Windows Server 2016.

Adding the Remote Desktop Services Role

Open Server Manager and click on Add roles and features

On the Before You Begin page, click Next.
On the Installation Type page, choose Role-based or feature-based installation and click Next.
On the Server Selection page, select the server in the server pool that will become the gateway and click Next.
On the Server Roles page, select Remote Desktop Services and click Next.
On the Features page, click Next.

Adding the Remote Desktop Gateway Service Role

Click Next.

Select Remote Desktop Gateway and click Next.

A dialog asks whether to add the features that are required for Remote Desktop Gateway. Click Add Features.

Click Next.

Click Next on the Network Policy and Access Services page. Remote Desktop Gateway stores its connection authorization policies as Network Policy Server (NPS) policies, which is why this role is installed with it.

Click Next on the Web Server Role (IIS) page. The gateway's HTTPS transport is hosted by IIS, which is why the web server role is required.

Accept the default selections for the Web Server role services and click Next.

Click Install.

Installation successful.
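The same installation can be scripted. The following is an added example, not part of the original tutorial: run from an elevated PowerShell session on the domain-joined server that will become the gateway, it installs the role service with its dependencies and then confirms the dependent roles, the gateway service and the default HTTPS listener, which is what the wizard's final pages show.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the domain-joined server that will become the RD Gateway.

# RDS-Gateway pulls in its dependencies (NPAS and the Web Server role services
# it needs); -IncludeManagementTools adds the RD Gateway Manager console.
$result = Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
if (-not $result.Success) {
    throw "RDS-Gateway installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A reboot is required before the gateway is usable.'
}

# Confirm what the wizard would have shown: the gateway plus the roles it depends on.
Get-WindowsFeature -Name RDS-Gateway, NPAS, Web-Server |
    Select-Object Name, InstallState |
    Format-Table -AutoSize

# The gateway runs as the TSGateway service. With the default port, IIS
# listens for it on TCP 443 via HTTP.sys, so a listener should be visible.
Get-Service -Name TSGateway | Select-Object Name, Status, StartType
Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the listener on 443 is missing after a successful install, reboot the server before troubleshooting anything else; the role can report success while still requiring a restart.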

Create the Connection Authorization Policy and the Resource Authorization Policy

Open the Remote Desktop Gateway Manager. This is done from the Tools menu from Server Manager.

Create Authorization Policies for RD Gateway

In the left pane, expand Policies and click Connection Authorization Policies. In the Actions pane on the right, click Create New Policy and select Wizard.

Select Create a RD CAP and a RD RAP (recommended) and click Next

Connection Authorization Policy

The Connection Authorization Policy ensures that only members of selected groups are allowed to use the Remote Desktop Gateway to reach resources behind it. You grant access by Active Directory user group, and can optionally also require the connecting client computer to be a member of an Active Directory computer group. To give users flexibility about which machines they connect from, I recommend using user groups only.

Give the policy a name. An intuitive name is Allowed-To-Use-RDGateway, click Next

Click Add Group

For the purposes of this tutorial, I will select the Domain Admins group. Normally you would create a dedicated group containing the users you want to allow to use the Remote Desktop Gateway; granting gateway access to Domain Admins in production means every domain administrator's credentials become a path in from the internet. You can create groups based on what resources the users need to access, add those groups here, and then reuse the same groups in the Resource Authorization Policy later on.

We won't use the client computer group membership. This option restricts connections to computers that are members of a chosen group, i.e. the machines the clients connect from. Those computers must be domain-joined, in the gateway's domain or a domain that trusts it, which is exactly what external contractors' laptops are not. Click Next.

Accept the default setting for device redirection, and click Next.

Enter the idle timeout and session timeout values appropriate for your environment, and click Next. A session timeout limits how long a tunnel can stay up once authorized; an idle timeout tears down tunnels nobody is using.

Click Next

Create Resource Authorization Policy

The Resource Authorization Policy is used to restrict access to servers based on group membership. You will need to create Active Directory groups and add the server computer objects as members of these groups. Ideally these groups are created by function or by department ownership. These groups of servers are the network resources that must be assigned to user groups for the users to be able to access them.

You can create multiple Resource Authorization Policies to granularly assign certain users access to certain servers.

Select the user groups that are allowed access to network resources, i.e. that can remote desktop to servers on the network. For this tutorial, I will select the Domain Admins group, as I have already selected Domain Admins as the group that can use the Remote Desktop Gateway. Then click Next.

Select a group that contains the servers that you want the above user groups to be able to remote desktop to.

Click Browse.

For this tutorial, we will use the built-in group called Domain Controllers. Domain controllers are the most sensitive hosts in the domain, so in production the RAP target should be a purpose-built group containing only the servers those users actually need. You can create additional groups containing servers that are related or belong to particular departments. In this way, in the previous steps you can assign groups based on department users and allow them to access only particular servers.

Click Check Name to make sure the group is found, and then click OK.

Click Next

If the Remote Desktop port on the servers was changed from the default, use this screen to specify that port. Otherwise, select Allow connections only to port 3389, which prevents the tunnel from being used to reach other services on those servers. Click Next.

Click Finish.

Click Close.
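The two policies the wizard just created can also be built from PowerShell, which is useful when the gateway is rebuilt or when you want the configuration under version control. The following is an added example and not part of the original tutorial: it creates the same RD CAP / RD RAP pair, but with dedicated user and server groups rather than Domain Admins and Domain Controllers. The domain name, group names and policy names are assumptions, and the parameter names and numeric codes follow the RD Gateway PowerShell provider (the RDS: drive) as documented; if one is rejected on your build, the items listed by Get-ChildItem on an existing policy show the settable names.

```powershell
# Added example, not from the original article. Creates the RD CAP / RD RAP
# pair the wizard builds, but with dedicated groups instead of Domain Admins so
# the gateway grants only what its users need. Run in an elevated PowerShell
# session on the RD Gateway. All names below are assumptions for the example.
Import-Module ActiveDirectory
Import-Module RemoteDesktopServices   # provides the RDS: drive

$domain      = 'CONTOSO'       # assumption: NetBIOS name of the AD domain
$userGroup   = 'RDG-Users'     # assumption: global group of people allowed to use the gateway
$serverGroup = 'RDG-Servers'   # assumption: global group of the server computer objects they may reach
$capName     = 'Allowed-To-Use-RDGateway'
$rapName     = 'RDG-Users-To-RDG-Servers'

# Create the two AD groups if they do not exist yet. Membership is managed
# separately; the policies below reference the groups, not individual users.
foreach ($name in $userGroup, $serverGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path (Get-ADDomain).UsersContainer
    }
}

# RD CAP: who may open a tunnel through the gateway. AuthMethod 1 = password
# (2 = smart card, 3 = either). Only a user group is given; no client computer
# group, matching the choice made in the wizard above.
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
             -UserGroups "$userGroup@$domain" -AuthMethod 1 -ErrorAction Stop | Out-Null
}

# RD RAP: which servers those users may reach once through the tunnel.
# ComputerGroupType 1 = an Active Directory group of computer objects
# (0 = a gateway-managed computer group, 2 = any network resource, which
# should be avoided). -PortNumbers 3389 is the equivalent of the wizard's
# "Allow connections only to port 3389".
if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
             -UserGroups "$userGroup@$domain" `
             -ComputerGroupType 1 -ComputerGroup "$serverGroup@$domain" `
             -PortNumbers 3389 -ErrorAction Stop | Out-Null
}

# Review what was created. Each policy is a folder whose items expose the
# effective settings as Name / CurrentValue pairs.
Get-ChildItem "RDS:\GatewayServer\CAP\$capName" | Select-Object Name, CurrentValue
Get-ChildItem "RDS:\GatewayServer\RAP\$rapName" | Select-Object Name, CurrentValue
```

Keep the RAP's computer group to servers that the user group genuinely needs; a RAP with "any network resource" turns the gateway into a general-purpose pivot into the network for anyone who passes the CAP.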

SSL Certificate

The Remote Desktop Gateway needs an SSL (TLS) certificate installed. You can purchase a certificate for the fully qualified public DNS name of the Remote Desktop Gateway, or a wildcard certificate for the domain. The name in the certificate must match the name clients will enter as the gateway address.

To install the SSL certificate, firstly click on the remote desktop server name in the Remote Desktop Gateway management console.

If you’ve purchased and received the SSL certificate, copy it to any location on the server. Select Import a certificate into the RD Gateway and browse to the certificate to import it.

I haven't purchased an SSL certificate for this tutorial, so I will use a self-signed certificate. It allows the Remote Desktop Gateway to work from some clients, such as Microsoft Remote Desktop for Mac, but those clients warn about the untrusted certificate on every connection and the user has to choose to continue.

The current Windows Remote Desktop Connection client is stricter: it refuses to connect through a gateway whose certificate it does not trust. The workaround, for testing only, is to import the self-signed certificate into the client computer's Trusted Root Certification Authorities store.

You MUST use a trusted SSL certificate on your production Remote Desktop Gateway, which in practice means obtaining one from a public Certificate Authority.

It is possible to set up your own PKI in your Active Directory domain and issue the gateway certificate from it; a domain-joined client will trust your domain's CA automatically. However, Remote Desktop Gateway environments are often used to let external contractors with their own laptops reach network resources, and those machines do not trust your internal CA. It is therefore best to use a certificate from a publicly trusted root authority.

For this tutorial, we will generate a self-signed certificate by clicking on Create and Import Certificate .

Enter the public FQDN of this Remote Desktop Gateway as the certificate name, e.g. rdgateway.yourdomain.com. The name must match exactly what clients will type as the gateway address, because the client validates the certificate against that name. For this tutorial, I will use the internet IP address that will be associated with this server, which means clients will have to use that IP address as the gateway address.

We have now successfully installed a self-signed SSL certificate on TCP Port 443 (Default SSL port).

We can change the SSL port of the Remote Desktop Gateway to another port number. Some companies do this hoping to evade attackers who target port 443 because it is the default SSL port. Treat that as obscurity rather than a security control: a port scan still finds the listener, and a non-standard port adds nothing that the authorization policies and a trusted certificate do not already provide. The practical reason to change it is to let the gateway share a public IP address with another HTTPS service.

To change the SSL port number for the RD Gateway, right click on the Server name and select properties in the Remote Desktop Gateway management console.

We will change the port to 4430. We will use this port in our tutorial so you will get an understanding of how to configure a different port number in the Remote Desktop client.

Change the port number and click OK.

Click Yes to apply the changes.
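Binding the certificate and changing the port can be done without the console as well. The following is an added example, not part of the original tutorial: run in an elevated PowerShell session on the gateway, it picks a certificate from the machine store that covers the public name, falls back to a self-signed certificate only when none is found (lab use, as above), binds it to the gateway, and moves the listener to the tutorial's port 4430. The public name and port are assumptions, and the provider path used for the port is an assumption that the script checks before using.

```powershell
# Added example, not from the original article. Binds a certificate to the
# gateway and changes the listening port without the GUI. Run in an elevated
# PowerShell session on the RD Gateway. The public name and port are assumptions.
Import-Module RemoteDesktopServices

$publicName = 'rdgateway.yourdomain.com'   # assumption: the name clients will type as the gateway
$newPort    = 4430                         # assumption: custom port used in this tutorial

# Pick a certificate from the machine store that covers the public name (exact
# or wildcard), has a private key and is not expired. The name in the
# certificate must match what clients type, or every client gets a warning
# (and the current Windows client refuses to connect).
$wildcard = '*.' + ($publicName -replace '^[^.]+\.', '')
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.DnsNameList.Unicode -contains $publicName -or
                   $_.DnsNameList.Unicode -contains $wildcard } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # Lab only: a self-signed certificate issued to the public name. Clients
    # will not trust it unless it is imported into their Trusted Root store.
    Write-Warning "No CA-issued certificate for $publicName found; creating a self-signed one for testing."
    $cert = New-SelfSignedCertificate -DnsName $publicName -CertStoreLocation Cert:\LocalMachine\My `
                -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)
}

# Show what clients will be presented with before binding it.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    DnsNames   = ($cert.DnsNameList.Unicode -join ', ')
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
}

# Bind the certificate to the gateway by thumbprint.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# Change the HTTPS listening port. Assumption: this is the provider item on
# Windows Server 2016; it is checked first so a different layout fails loudly.
$portItem = 'RDS:\GatewayServer\Transports\HTTP\ListeningPort'
if (Test-Path $portItem) {
    Set-Item -Path $portItem -Value $newPort
} else {
    Write-Warning "$portItem not found on this build; change the port in RD Gateway Manager instead."
}

# The service must restart to pick up the new binding and port.
Restart-Service -Name TSGateway
Get-NetTCPConnection -State Listen -LocalPort $newPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

The SelfSigned and DnsNames fields printed before the binding are the two things to check on a production gateway: the issuer must be a CA your clients trust, and the DNS names must include the exact name (or a matching wildcard) that users will enter.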

Testing the Remote Desktop Gateway Server Can Access Network Resources

We must test connectivity from the Remote Desktop Gateway to the network resources that clients will need to connect to. The gateway, not the client, opens the RDP connection to the destination server, so we specifically need to test RDP (TCP 3389 by default) by using the Remote Desktop client on the gateway to connect to the allowed servers.

We’ve allowed the domain controllers to be accessed by the Domain Admins group through the Remote Desktop Gateway, and we’ve allowed the Domain Admins group to be able to use the Remote Desktop Gateway by using the Authorization policies. We will now test connecting to the domain controllers from the Remote Desktop Gateway.

We’ve confirmed we can reach the domain controllers from the Remote Desktop Gateway.

Now we need to ensure that external clients can reach the Remote Desktop Gateway.

Configuring the Firewall

Because we will be connecting to the Remote Desktop Gateway from the internet, we need to modify the firewall to allow access to the Remote Desktop Gateway port.

In the preceding steps we changed the gateway's TCP port to 4430. This means the perimeter firewall must allow inbound TCP 4430 from the internet to the Remote Desktop Gateway server, and the Windows Firewall on the gateway must allow it too. Had we kept the default port of 443, we would allow TCP 443 instead.

Only the gateway port is exposed. TCP 3389 on the servers behind the gateway needs to be reachable from the gateway alone; do not publish it to the internet. Remote Desktop Gateway on Windows Server 2012 and later can additionally use a UDP transport on port 3391; it is optional and the gateway works over TCP alone, so open it only if you intend to use it.
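The two tests above (gateway to servers, internet to gateway) and the host firewall rule can be checked in one place. The following is an added example, not part of the original tutorial: parts 1 and 2 run in an elevated PowerShell session on the gateway and verify TCP 3389 to every member of the RAP's server group, then open only the gateway port on the Windows Firewall; part 3 is a function to run from a client outside the network that completes a TLS handshake with the gateway and reports the certificate the way a Remote Desktop client would see it, which separates "port not open" from "certificate not trusted" before mstsc is involved. The group name, port and public name are assumptions.

```powershell
# Added example, not from the original article. Parts 1 and 2 run in an
# elevated PowerShell session on the RD Gateway; part 3 is meant to be run on
# a client outside the network. Group, port and host names are assumptions.
Import-Module ActiveDirectory

$serverGroup = 'RDG-Servers'               # assumption: AD group used as the RAP's network resource group
$gatewayPort = 4430                        # assumption: port chosen above (443 if left at the default)
$publicName  = 'rdgateway.yourdomain.com'  # assumption: public DNS name of the gateway

# 1. From the gateway: every server the RAP allows must answer on TCP 3389,
#    because the gateway, not the client, opens the RDP connection.
$targets = Get-ADGroupMember -Identity $serverGroup |
    Where-Object objectClass -eq 'computer' |
    ForEach-Object { (Get-ADComputer -Identity $_.distinguishedName).DNSHostName }
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $t; RdpReachable = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
}

# 2. Host firewall: allow only the gateway port inbound. The perimeter
#    firewall needs the matching rule (TCP $gatewayPort to this host) and
#    nothing else; 3389 on the internal servers is never published.
$ruleName = "RD Gateway HTTPS (TCP $gatewayPort)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $gatewayPort -Action Allow -Profile Any | Out-Null
}

# 3. From outside: complete a TLS handshake against the gateway and report the
#    certificate as this client sees it. ChainTrusted is what decides whether
#    the Windows Remote Desktop client will connect at all.
function Test-GatewayTls {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    # Accept any certificate during the handshake so it can be inspected;
    # trust is evaluated explicitly below against this client's store.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $remote  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($remote)
        $primary = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            NotAfter     = $remote.NotAfter
            PrimaryName  = $primary            # additional SAN entries are not listed here
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

# Run this last call from an outside client (parts 1 and 2 are not needed there).
Test-GatewayTls -HostName $publicName -Port $gatewayPort
```

A connection refused or timeout in part 3 is a firewall or NAT problem; a successful handshake with ChainTrusted false (ChainStatus showing UntrustedRoot, for instance) is the self-signed certificate problem described earlier, and PrimaryName not matching the name you typed is a certificate issued to the wrong name.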

Configuring the Remote Desktop Client with the Remote Desktop Gateway Settings

When configuring a Remote Desktop client that supports the Remote Desktop Gateway and you will be connecting through it, remember that the Computer name of the server you want to connect to is the internal server name, the one resolvable from the Remote Desktop Gateway. It does not need to resolve from the client, because the gateway makes the RDP connection.

When entering the Remote Desktop Gateway details in the client, you need to specify the port if you are not using the default SSL port of 443. In our case we need to enter rdgateway.yourdomain.com:4430 as the Remote Desktop Gateway server. Had we used the default port, we would just enter the FQDN without the port number, e.g. rdgateway.yourdomain.com. Whatever you enter here must match the name in the gateway's certificate.
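Rather than relying on users to find the Advanced tab and type the port correctly, the gateway settings can be shipped in an .rdp file. The following is an added example, not part of the original tutorial: it writes such a file with the gateway and target from this tutorial and opens it in mstsc. The gateway name, port and target server name are assumptions; the setting names are the standard Remote Desktop .rdp file settings.

```powershell
# Added example, not from the original article. Writes a ready-made .rdp file
# that carries the gateway settings, so the user does not have to find the
# Advanced tab or remember the port, then opens it in mstsc. Names are assumptions.
$gatewayHost = 'rdgateway.yourdomain.com'   # assumption: public name, as it appears in the certificate
$gatewayPort = 4430                         # assumption: custom port from this tutorial; 443 omits the suffix
$target      = 'dc01.corp.local'            # assumption: INTERNAL name, resolvable from the gateway, not the client
$rdpPath     = Join-Path $env:USERPROFILE "Desktop\$target via RD Gateway.rdp"

# "host:port" is only needed when the gateway is not on 443.
$gatewaySetting = if ($gatewayPort -eq 443) { $gatewayHost } else { "${gatewayHost}:$gatewayPort" }

$rdpSettings = @(
    "full address:s:$target"              # the server behind the gateway
    "gatewayhostname:s:$gatewaySetting"   # the gateway itself
    'gatewayusagemethod:i:1'              # 1 = always use the gateway (2 would bypass it on the LAN)
    'gatewayprofileusagemethod:i:1'       # 1 = use these explicit settings, not the default profile
    'gatewaycredentialssource:i:0'        # 0 = prompt for a password (4 = let the user choose)
    'promptcredentialonce:i:1'            # reuse the gateway credentials for the target server
    'authentication level:i:2'            # warn if the target server's identity cannot be verified
)
Set-Content -Path $rdpPath -Value $rdpSettings -Encoding Unicode

# Show what was written, then launch it. mstsc applies the gateway settings
# from the file exactly as if they had been typed into the Advanced tab.
Get-Content -Path $rdpPath
Start-Process -FilePath mstsc.exe -ArgumentList ('"{0}"' -f $rdpPath)
```

Because the file pins gatewayusagemethod to 1, the client always goes through the gateway, which is the behaviour you want for contractor laptops that are never on the internal network.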

Summary

This concludes the steps involved in setting up the Remote Desktop Gateway Windows Server 2016. You will now be able to configure a remote desktop client to connect using the Remote Desktop Gateway.

NOTE: Make sure you use the latest version of the Remote Desktop client. I have seen an earlier version that came with Windows 7 fail to connect even though it has settings for a Remote Desktop Gateway.

I will write up a follow up article on how to configure a remote desktop client to use the Remote Desktop Gateway.


© 2018 sengstar2005

Comments


    • sengstar2005 (author), 8 weeks ago from Sydney:

      Thanks.

    • Jonas, 2 months ago:

      Thanks for the excellent guide, it has been very helpful. A tip is to have two network interfaces, one for the outside and one for the inside.

    • sengstar2005 (author), 3 months ago from Sydney:

      Hi Baster, I am not sure how you have set this up, but I suggest you follow the checklist in the tutorial to help you with your troubleshooting. Also, the following article shows how to configure an RDP client to use the RD Gateway: http://hub.me/am7AP

    • Baster, 3 months ago:

      I have configured the remote desktop gateway, and when accessing through the external network, I always get a user name and password error. Is there any error in my configuration?

    • K.Miller, 3 months ago:

      Great Tutorial.

      The only step I struggled with was the installation of the self-signed certificate because it needed to be installed in the Trusted Root Certificates. Once I got past that, I was good to go!

      Thanks for all your hard work in making this work.

    • sengstar2005 (author), 4 months ago from Sydney:

      Hi Lucas, please follow my article. The scenario is for configuring Remote Desktop Gateway so external users can access internal resources. The whole point of RD Gateway is so you don't need VPN. And yes, for Production, BUY an SSL certificate from a well known third party. The first part of the article summarizes the steps needed. You can use this as a checklist, to make sure you cover everything. The second part expands on each point with explanations.

    • Lucas, 4 months ago:

      Hi Sengstar2005, thanks for your tips. But I need to configure my server to be accessible from an external environment? Right?

    • sengstar2005 (author), 4 months ago from Sydney:

      Hi Jun, if you mean those 5 users are going to remote desktop into your remote desktop server, you can install the RD CALs on your RD Licensing Server. Your remote desktop server needs to point to your RD Licensing server.

    • sengstar2005 (author), 4 months ago from Sydney:

      Hi Lucas, I will assume that it's a certificate issue as you would have made sure the SSL port was opened as well to the Remote Desktop Gateway. If you are using an SSL certificate signed by your domain's CA server, firstly, make sure the "external" server name of the remote desktop gateway you used in your Remote Desktop Client is in the SSL certificate. Since you would have the "internal" server name of the RD Gateway in the certificate already, then you would have to add this external name as a Subject Alternative Name (SAN) in the certificate. This way, you can use two different DNS names and the SSL certificate would be valid for both the names. Since this external machine is not on your domain, after you installed the new SSL certificate with the SAN name on the RD Gateway, you will have to export this SSL certificate and import it into the Computer's Personal Certificate store. Then you will also need to export your CA's certificate and import it into the Computer's Trusted Root Certification Authorities certificate store. Basically, this is one way I know of to get around purchasing a third party SSL certificate, and to make your PC trust the SSL certificate.

    • Lucas Amorim, 4 months ago:

      To tell you the truth, I've already made countless attempts here.

      But to confirm what you said, yes. On my internal network it goes normally, but when I'm on an external network, outside of my domain, even though I can ping my server, I can not access it.

    • Jun, 4 months ago:

      I have 5 users outside the company who need to connect to my server. Where can I install the CAL user licenses? Thank you.

    • sengstar2005 (author), 4 months ago from Sydney:

      Hi Lucas, without seeing or knowing your setup, I can only guess at what you have done. So I am assuming that your Remote Desktop Gateway works from machines in your domain on the internal network, and you have installed either a self-signed SSL certificate or an SSL certificate issued by your internal CA server on the Remote Desktop Gateway?

    • Lucas, 4 months ago:

      I'm having trouble getting external access. Internal was ok. But externally I can not access, what should I do to get external access over VPN and without a Certificate?

    • sengstar2005 (author), 4 months ago from Sydney:

      Can you translate to English?

    • martin chung, 5 months ago:

      Thanks Seng. That came in handy ;)

    • lolix, 5 months ago:

      OK, got it; HTTPS...

    • lolix, 5 months ago:

      Great Tutorial. Thanks.

      I don't understand why the Web Server role is required.

    • sengstar2005 (author), 5 months ago from Sydney:

      Thanks Norm. The systems in the tutorial were also set up within AWS.

    • Norm Bagley, 5 months ago:

      Thank you! This was one of the best and most straightforward articles on this subject! I was able to take the information and, with some good troubleshooting, set up a Windows Bastion Host (RDP Gateway) jumpbox for accessing our systems within AWS Cloud.

      Norm
