
How to Setup a Remote Desktop Gateway Windows Server 2016

Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.


Introduction

This tutorial will go through the steps of implementing a Remote Desktop Gateway on a Windows Server 2016 server. A Remote Desktop Gateway is often used to allow remote desktop clients to connect from the internet to servers behind the Remote Desktop Gateway located on the corporate network. The Remote Desktop Gateway acts like a “jumphost” except it never hosts the users' remote desktop sessions itself. It checks whether the user belongs to a group that is allowed to use the gateway, and whether that user is allowed to remote into the destination server, before allowing the session through to the destination server.

Summary of Steps Required to Configure a Remote Desktop Gateway Windows Server 2016

The following is a summary of the steps required to configure a Remote Desktop Gateway on Windows Server 2016. Use it as a checklist to ensure everything has been covered.

  1. Join the Windows 2016 server to the Active Directory domain.
  2. Add the Remote Desktop Services role.
  3. Create a Connection Authorization Policy. This policy specifies which groups are allowed to access this Remote Desktop Gateway.
  4. Create a Resource Authorization Policy. This policy specifies which servers are allowed access by which groups.
  5. Purchase an SSL Certificate from a public Certificate Authority. (You can search the web to find where to purchase this from. No free advertising on this space.)
  6. Apply the SSL Certificate to the Remote Desktop Gateway.
  7. Accept the default Remote Desktop Gateway TCP Port of 443 or change it to another port number.
  8. Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway DIRECTLY from the Remote Desktop Gateway server. This is to ensure that there is connectivity from the Remote Desktop Gateway to the servers that clients will need to connect to.
  9. Modify Firewall Rules to allow the Remote Desktop Gateway port to the Remote Desktop Gateway server.
  10. Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway from the internet. You need to configure the Remote Desktop Client with the Remote Desktop Gateway address and port number. NOTE: Older versions of Remote Desktop Connection that came with Windows 7 and Windows 2008 R2 have settings for a Remote Desktop Gateway, but they don’t work. It is good practice to download the latest version of Remote Desktop Connection to use.

    To learn how to configure a Remote Desktop Connection client to use a Remote Desktop Gateway, you can follow

Detailed Steps to Configure a Remote Desktop Gateway Windows Server 2016

The following tutorial shows in detail how to configure a Remote Desktop Gateway on Windows Server 2016.

Adding the Remote Desktop Services Role

Open Server Manager and click on Add roles and features.

Click Next

Choose role-based or feature-based installation and click Next

Click on a server in the server pool and click Next

Select Remote Desktop Services then click Next

Click Next

Adding the Remote Desktop Gateway Service Role

Click Next

Select Remote Desktop Gateway and click Next.


A window will come up if we want to add features that are required for Remote Desktop Gateway. Click on Add Features.

Click Next.

Click Next for installing the Network Policy and Access Services.

Click Next for adding the Web Server Role (IIS).

Accept the default selections for the Web Server role services and click Next.

Click Install.

Installation successful.

Create the Connection Authorization Policy and the Resource Authorization Policy

Open the Remote Desktop Gateway Manager. This is done from the Tools menu from Server Manager.

Create Authorization Policies for RD Gateway

In the left pane, navigate to Policies, click on Connection Authorization Policies. On the Actions pane on the right, right click Create New Policy, and select Wizard.

Select Create a RD CAP and a RD RAP (recommended) and click Next.

Connection Authorization Policy

The Connection Authorization Policy ensures only selected groups (i.e., their members) are allowed to use the Remote Desktop Gateway to access resources behind it. You can use groups based on Active Directory users or groups based on Active Directory computer objects. To provide flexibility in terms of which machines users can remote desktop from, I recommend using user groups.

Give the policy a name. An intuitive name is Allowed-To-Use-RDGateway. Click Next.

Click Add Group.

For the purposes of this tutorial, I will select the Domain Admins group. Normally you would create a separate user group to which you add the users that you want to allow to use the Remote Desktop Gateway. You can create groups based on what resources the users need to access. In this way, you can add those groups here, and then use the same groups in the Resource Authorization Policy later on.

We won’t use the client computer group membership. This option lets you allow connections based on the computers that clients are connecting from. These computers need to be domain-joined, and that domain must be related (by membership or trust) to the domain that the Remote Desktop Gateway is part of. Click Next.

Accept the default setting for device redirection, and click Next.

Enter the timeout values as per below. Click Next.

Click Next.

Create Resource Authorization Policy

The Resource Authorization Policy is used to restrict access to servers based on group memberships. You will need to create Active Directory groups and add servers as members of these groups. Ideally these groups are created based on functionality or by department ownership. These groups of servers are the network resources that must be assigned to user groups for the users to be able to access them.

You can create multiple Resource Authorization Policies to granularly assign certain users access to certain servers.

Select the user groups which are allowed access to network resources, i.e. can remote desktop to servers on the network. For this tutorial, I will select the Domain Admins group, as I have already selected Domain Admins as the group which can use the Remote Desktop Gateway. Then click Next.

Select a group that contains the servers that you want the above user groups to be able to remote desktop to.

Click Browse.

For this tutorial, we will use the built-in group called Domain Controllers. You can create additional groups containing servers that are related or belong to particular departments. In this way, in the previous step you can assign groups of department users and allow them to access only particular servers.

Click Check Name to make sure the group is found, and then click OK.

Click Next.

If the remote desktop port on the servers was changed from the default, use this screen to specify the port. Otherwise, select Allow connections only to port 3389. Click Next.

Click Finish.

Click Close.
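
The same role installation and the two policies from the summary steps and the wizard above, as an added PowerShell example that is not the article's own script. It uses the RDS: drive of the RemoteDesktopServices module; the domain corp.example is a placeholder, and the leaf item names ComputerGroupType and ComputerGroup and the .CurrentValue property are assumed to match the RDS provider on your server.

```powershell
# Added example, not the article's own script: provision the RD Gateway role and the two
# authorization policies the tutorial creates in the GUI, via the RDS: PowerShell drive
# of the RemoteDesktopServices module. Run in an elevated session on the gateway.
# ASSUMPTIONS: domain 'corp.example' is a placeholder; the leaf item names
# (ComputerGroupType, ComputerGroup) and the .CurrentValue property reflect the RDS provider.
Import-Module ServerManager
Import-Module RemoteDesktopServices

$Domain    = 'corp.example'                   # placeholder AD domain
$CapName   = 'Allowed-To-Use-RDGateway'       # name suggested in the tutorial
$RapName   = 'DomainAdmins-To-DomainControllers'
$UserGroup = "Domain Admins@$Domain"          # who may use the gateway (step 3)
$ServerGrp = "Domain Controllers@$Domain"     # which servers they may reach (step 4)

# Step 2: add the RD Gateway role service; NPS and IIS are installed as dependencies.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools | Out-Null

# Step 3: Connection Authorization Policy. AuthMethod 1 = password, 2 = smart card.
if (-not (Test-Path "RDS:\GatewayServer\CAP\$CapName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $CapName `
             -UserGroups $UserGroup -AuthMethod 1 | Out-Null
}

# Step 4: Resource Authorization Policy scoped to an AD group of computers.
# ComputerGroupType 1 = Active Directory group; 2 = any network resource, which
# removes the per-server restriction the policy exists to enforce.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$RapName")) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName -UserGroups $UserGroup `
             -ComputerGroupType 1 -ComputerGroup $ServerGrp | Out-Null
}

# Review helper: list every RAP and flag any that is not limited to a computer group,
# because an unrestricted RAP lets its user groups reach every RDP host the gateway can.
function Get-RdgRapReport {
    foreach ($rap in Get-ChildItem 'RDS:\GatewayServer\RAP') {
        $base = "RDS:\GatewayServer\RAP\$($rap.Name)"
        $type = [int](Get-Item "$base\ComputerGroupType").CurrentValue
        [pscustomobject]@{
            Policy        = $rap.Name
            ComputerGroup = (Get-Item "$base\ComputerGroup").CurrentValue
            Unrestricted  = ($type -eq 2)
        }
    }
}
Get-RdgRapReport | Format-Table -AutoSize
```

Re-run Get-RdgRapReport after anyone edits the policies in the console; a RAP reporting Unrestricted = True is the first thing to review.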

SSL Certificate

The Remote Desktop Gateway needs to have an SSL certificate installed. You can purchase an SSL certificate for the fully qualified internet domain name of the Remote Desktop Gateway or purchase a wildcard SSL certificate for the domain.

To install the SSL certificate, firstly click on the remote desktop server name in the Remote Desktop Gateway management console.

If you’ve purchased and received the SSL certificate, copy it to any location on the server. Select Import a certificate into the RD Gateway and browse to the certificate to import it.

I haven’t purchased an SSL certificate for this tutorial so I will use a self-signed certificate. It will allow the Remote Desktop Gateway to work from some clients, such as the Microsoft Remote Desktop for Mac, but we will be prompted with a warning about the certificate when we try to connect. We can choose to continue after that.

However, it will not work with the latest Windows version of the Remote Desktop Connection client (there is a workaround for the purposes of testing).

You MUST use a trusted SSL certificate in your Production Remote Desktop Gateway and this means purchasing a public SSL certificate.

It is possible to set up your own PKI infrastructure in your Active Directory domain and issue your own SSL certificate; if the client machine is part of the domain, it should trust your domain’s CA. However, Remote Desktop Gateway environments are often used to allow external contractors who have their own laptops to use the network resources. Therefore, it is best to use an SSL certificate from a trusted root authority.

For this tutorial, we will generate a self-signed certificate by clicking on Create and Import Certificate.

Enter the FQDN internet name of this Remote Desktop Gateway for the certificate name, e.g. rdgateway.yourdomain.com. For this tutorial, I will use the internet IP address that will be associated with this server.

We have now successfully installed a self-signed SSL certificate on TCP port 443 (the default SSL port).
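
The certificate step above in PowerShell, as an added example that is not from the article: it imports a purchased certificate when one is present (falling back to a self-signed one for a lab), binds it to the gateway, and reports whether the name matches and whether the chain is trusted. The FQDN rdgateway.yourdomain.com is the article's placeholder and C:\certs\rdgateway.pfx is an assumed path.

```powershell
# Added example, not from the article: bind a certificate to the RD Gateway listener and
# report whether clients will trust it. ASSUMPTIONS: the gateway FQDN is the article's
# placeholder rdgateway.yourdomain.com, and a purchased certificate, if you have one,
# has been exported as C:\certs\rdgateway.pfx (placeholder path).
Import-Module RemoteDesktopServices

$Fqdn    = 'rdgateway.yourdomain.com'
$PfxPath = 'C:\certs\rdgateway.pfx'

if (Test-Path $PfxPath) {
    # Production path: import the CA-issued certificate into the machine store.
    $pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPwd `
                -CertStoreLocation Cert:\LocalMachine\My
} else {
    # Lab-only fallback, the equivalent of "Create and Import Certificate" in the console.
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
}

# Bind it to the gateway; the console's SSL Certificate tab shows the same thumbprint.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# Trust check: X509Certificate2.Verify() builds the chain against this machine's trust
# store. A self-signed certificate fails it, which is what external clients (and the
# current Windows Remote Desktop Connection client) will also conclude.
function Test-RdgCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName
    )
    $names    = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })  # SAN/CN entries
    $wildcard = '*.' + ($ExpectedName -split '\.', 2)[1]   # e.g. *.yourdomain.com
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        NameMatches  = ($names -contains $ExpectedName) -or ($names -contains $wildcard)
        ChainTrusted = $Certificate.Verify()
        DaysToExpiry = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    }
}
Test-RdgCertificate -Certificate $cert -ExpectedName $Fqdn
```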

We can change the SSL port for the Remote Desktop Gateway to another port number. This is sometimes done by companies to try to trick attackers who may be targeting port 443 because that’s the default SSL port. Note that this only reduces exposure to opportunistic scans of the default port; it does not replace the authorization policies and the trusted certificate described above.

To change the SSL port number for the RD Gateway, right click on the Server name and select properties in the Remote Desktop Gateway management console.

We will change the port to 4430. We will use this port in our tutorial so you will get an understanding of how to configure a different port number in the Remote Desktop client.

Change the port number and click OK

Click Yes to apply changes

Testing the Remote Desktop Gateway Server Can Access Network Resources

We must test connectivity from the Remote Desktop Gateway to the network resources that clients will need to connect to. Specifically, we need to test RDP traffic by using the Remote Desktop client on the gateway to connect to the allowed servers.

We’ve allowed the domain controllers to be accessed by the Domain Admins group through the Remote Desktop Gateway, and we’ve allowed the Domain Admins group to be able to use the Remote Desktop Gateway by using the Authorization policies. We will now test connecting to the domain controllers from the Remote Desktop Gateway.

We’ve confirmed we can reach the domain controllers from the Remote Desktop Gateway.

Now we need to ensure that external clients can reach the Remote Desktop Gateway.

Configuring the Firewall

Because we are going to be connecting to the Remote Desktop Gateway from the internet, we will need to modify the firewall to allow access to the Remote Desktop Gateway Port.

In the preceding steps, we had changed the TCP port to 4430 for the Remote Desktop Gateway. This means we need to allow TCP Port 4430 inbound on the firewall and to the destination port 4430 on the Remote Desktop Gateway.

If we had used the default port of 443, we would need to allow TCP port 443 instead.
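
The connectivity test and the firewall change from the two sections above, as an added PowerShell example (not from the article) for the host firewall on the gateway itself; the rule on your perimeter firewall is configured on that device. It assumes port 4430 as in the tutorial and the placeholder server names dc01.corp.example and dc02.corp.example.

```powershell
# Added example, not from the article: pre-flight checks for steps 8 and 9. Verify from
# the gateway that each allowed server answers on RDP, confirm the gateway is actually
# listening on the chosen port, then add an inbound host-firewall rule for that port only.
# ASSUMPTIONS: port 4430 as in the tutorial; dc01/dc02.corp.example are placeholders.
$GatewayPort = 4430
$Servers     = @('dc01.corp.example', 'dc02.corp.example')

# Step 8: RDP reachability from the gateway to the RAP's servers (TCP 3389 = RDP default).
function Test-RdgBackendReachability {
    param([string[]]$ComputerName, [int]$Port = 3389)
    foreach ($name in $ComputerName) {
        $r = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $name; Port = $Port; Reachable = $r.TcpTestSucceeded }
    }
}

# Is anything listening on the port we are about to expose to the internet?
function Test-RdgListener {
    param([int]$Port)
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

# Step 9: allow only the gateway port inbound. Deliberately no rule for 3389 here: RDP to
# the backend servers must come through the gateway, never straight from the internet.
function Add-RdgFirewallRule {
    param([int]$Port)
    $name = "RD Gateway HTTPS ($Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Profile Any | Out-Null
    }
}

Test-RdgBackendReachability -ComputerName $Servers | Format-Table -AutoSize
if (Test-RdgListener -Port $GatewayPort) {
    Add-RdgFirewallRule -Port $GatewayPort
} else {
    Write-Warning "Nothing is listening on TCP $GatewayPort; check the RD Gateway transport settings first."
}
```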

Configuring the Remote Desktop Client with the Remote Desktop Gateway Settings

When configuring a remote desktop client that supports the Remote Desktop Gateway, and you will be connecting through the gateway, always remember that the Computer name of the server you want to connect to is the local (internal) server name that is resolvable from the Remote Desktop Gateway.
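
One way to capture exactly that client configuration, as an added example that is not from the article: a PowerShell function that writes an .rdp file carrying the gateway address and port plus the internal target name, which the current Remote Desktop Connection client opens directly. The gateway name rdgateway.yourdomain.com and port 4430 come from the tutorial; dc01.corp.example and the output path are placeholders.

```powershell
# Added example, not from the article: write an .rdp profile that points at the gateway
# (public FQDN:port) and at the INTERNAL name of the target server, which the gateway,
# not the client, must resolve. ASSUMPTIONS: dc01.corp.example and the output path are
# placeholders; the gateway name and port 4430 follow the tutorial.
function New-RdgClientProfile {
    param(
        [Parameter(Mandatory)][string]$GatewayHost,
        [int]$GatewayPort = 443,
        [Parameter(Mandatory)][string]$TargetServer,
        [int]$TargetPort = 3389,
        [Parameter(Mandatory)][string]$OutFile
    )
    $lines = @(
        "full address:s:${TargetServer}:${TargetPort}"    # internal name, resolved BY the gateway
        "gatewayhostname:s:${GatewayHost}:${GatewayPort}" # public gateway FQDN and its TCP port
        'gatewayusagemethod:i:1'           # 1 = always connect through the gateway
        'gatewayprofileusagemethod:i:1'    # 1 = use these explicit settings, not client defaults
        'promptcredentialonce:i:1'         # 1 = reuse the gateway credentials for the server
        'authentication level:i:2'         # 2 = warn when the server certificate cannot be verified
        'prompt for credentials:i:1'       # 1 = do not store credentials in the profile
    )
    # mstsc saves its own profiles as UTF-16LE, so write the same encoding.
    Set-Content -Path $OutFile -Value $lines -Encoding Unicode
    return $lines
}
New-RdgClientProfile -GatewayHost 'rdgateway.yourdomain.com' -GatewayPort 4430 `
    -TargetServer 'dc01.corp.example' -OutFile "$env:USERPROFILE\Desktop\dc01-via-gateway.rdp"
```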