How to Setup a Remote Desktop Gateway Windows Server 2016
This tutorial will go through the steps of implementing a Remote Desktop Gateway on a Windows Server 2016 server. A Remote Desktop Gateway is often used to allow remote desktop clients to connect from the internet to servers behind the Remote Desktop Gateway located on the corporate network.The Remote Desktop Gateway acts like a “jumphost” except it never hosts the users remote desktop connections. It checks to see if a user belongs to a group that is allowed to remote in and checks to see if a user is allowed to remote into the destination server before allowing the session to the destination server.
Summary of Steps Required to Configure a Remote Desktop Gateway Windows Server 2016
The following is a summary of the steps required to configure a Remote Desktop Gateway on Windows Server 2016. Use it as a checklist to ensure everything has been covered.
- Join the Windows 2016 server to the Active Directory domain.
- Add the Remote Desktop Services role.
- Create a Connection Authorization Policy. This policy specifies which groups are allowed to access this Remote Desktop Gateway.
- Create a Resource Authorization Policy. This policy specifies which servers are allowed access by which groups.
- Purchase an SSL Certificate from a public Certificate Authority. (You can search the web to find where to purchase this from. No free advertising on this SPACE)
- Apply the SSL Certificate to the Remote Desktop Gateway.
- Accept the default Remote Desktop Gateway TCP Port of 443 or change it to another port number.
- Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway DIRECTLY from the Remote Desktop Gateway server. This is to ensure that there is connectivity from the Remote Desktop Gateway to the servers that clients will need to connect to.
- Modify Firewall Rules to allow the Remote Desktop Gateway port to the Remote Desktop Gateway server.
- (I will write up this step in it's own article ) Test the Remote Desktop Connection to a server behind the Remote Desktop Gateway from the internet. You need to configure the Remote Desktop Client with the Remote Desktop Gateway address and port number. NOTE: Older versions of Remote Desktop Connection that came with Windows 7 and Windows 2008R2 has settings for a Remote Desktop Gateway but it doesn’t work. It is good practice to download the latest version of Remote Desktop Connection to use.
Detailed Steps to Configure a Remote Desktop Gateway Windows Server 2016
The following tutorial shows in detail how to configure a Remote Desktop Gateway on Windows Server 2016.
Adding the Remote Desktop Services Role
Open Server Manager and click on Add roles and features
Adding the Remote Desktop Gateway Service Role
Select Remote Desktop Gateway and click Next
A window will come up if we want to add features that are required for Remote Desktop Gateway. Click on Add Features.
Click Next for installing the Network Policy and Access Services
Click Next for adding the Web Server Role (IIS)
Accept the default selections for the Web Server role services and click Next.
Create the Connection Authorization Policy and the Resource Authorization Policy
Open the Remote Desktop Gateway Manager. This is done from the Tools menu from Server Manager.
Create Authorization Policies for RD Gateway
In the left pane, navigate to Policies, click on Connection Authorization Policies. On the Actions pane on the right, right click Create New Policy, and select Wizard.
Select Create a RD CAP and a RD RAP (recommended) and click Next
Connection Authorization Policy
The Connection Authorization Policy ensures only selected groups ( i.e. group members) are allowed to use the Remote Desktop Gateway to access resources behind the Remote Desktop Gateway. You can use groups based on active directory users or groups based on the active directory computer objects. To provide flexibility in terms of what machines users can remote desktop from, I recommend using user groups.
Give the policy a name. An intuitive name is Allowed-To-Use-RDGateway, click Next
Click Add Group
For the purposes of this tutorial, I will select the Domain Admins group. Normally you would create another user group which you add users that you want to allow to use the Remote Desktop Gateway. You can create groups based on what resources the users need to access. In this way, you can add those groups here, and then use these groups in the Resource Authorization Policy later on.
We won’t use the client computer group membership. This option lets you allow connection based on computers that clients are connecting from. These computers need to be domain joined and that domain is in some ways related to the domain that the remote desktop gateway is a part of. Click Next.
Accept the default setting for device redirection, and click Next.
Enter the timeout values as per below. Click Next.
Create Resource Authorization Policy
The Resource Authorization Policy is used to restrict access to servers based on group memberships. You will need to create active directory groups and add servers as members of these groups. Ideally these groups are created based on functionality or by department ownership. These groups of servers are the network resources that must be assigned to user groups for the users to be able to access them.
You can create multiple Resource Authorization Policies to granularly assign certain users access to certain servers.
Select User Groups which are allowed access to network resources i.e. can remote desktop to servers on the network. For this tutorial, I will select the Domain Admins group as I have already selected Domain Admins as the group which can use the Remote Desktop Gateway. Then click Next.
Select a group that contains the servers that you want the above user groups to be able to remote desktop to.
For this tutorial, we will use the built-in group called Domain Controllers. You can create additional groups containing servers that are related or belong to particular departments. In this way, in the previous steps you can assign groups based on department users and allow them only to access particular servers.
Click Check Name to make sure the group is found, and then click OK.
If the remote desktop port on the servers were changed from the default, use this screen to specify the port. Otherwise, select Allow connections only to port 3389. Click Next.
The Remote Desktop Gateway needs to have an SSL certificate installed. You can purchase an SSL certificate for the fully qualified internet domain name of the Remote Desktop Gateway or purchase a wild card SSL certificate for the domain.
To install the SSL certificate, firstly click on the remote desktop server name in the Remote Desktop Gateway management console.
If you’ve purchased and received the SSL certificate, copy it to any location on the server. Select Import a certificate into the RD Gateway and browse to the certificate to import it.
I haven’t purchased an SSL certificate for this tutorial so I will use a self-signed certificate. It will allow the Remote Desktop Gateway to work from some clients, such as the Microsoft Remote Desktop for Mac, but we will be prompted with a warning about the certificate when we try to connect. We can choose to continue after that.
However, it will not work with the latest windows version of the Remote Desktop Connection client (there is a work around for the purposes of testing).
You MUST use a trusted SSL certificate in your Production Remote Desktop Gateway and this means purchasing a public SSL certificate.
It is possible to setup your own PKI infrastructure in your active directory domain and assign your own SSL certificate and if the client machine is part of the domain, it should trust your domain’s CA. However, Remote Desktop Gateway environments are often used to allow external contractors who have their own laptops to be able to use the network resources. Therefore, it is best to use an SSL from a trusted root authority.
For this tutorial, we will generate a self-signed certificate by clicking on Create and Import Certificate .
Enter the FQDN internet name of this Remote Desktop Gateway for the Certificate name e.g. rdgateway.yourdomain.com . For this tutorial, I will use the internet IP address that will be associated with this server.
We have now successfully installed a self-signed SSL certificate on TCP Port 443 (Default SSL port).
We can change the SSL port for the Remote Desktop Gateway to another port number. This is sometimes done by companies to try and trick hackers who may be targeting port 443 because that’s the default SSL port.
To change the SSL port number for the RD Gateway, right click on the Server name and select properties in the Remote Desktop Gateway management console.
We will change the port to 4430. We will use this port in our tutorial so you will get an understanding of how to configure a different port number in the Remote Desktop client.
Testing the Remote Desktop Gateway Server Can Access Network Resources
We must test connectivity from the Remote Desktop Gateway to the network resources that clients will need to connect to. Specifically, we need to test RDP traffic by using remote desktop client to connect to the allowed servers.
We’ve allowed the domain controllers to be accessed by the Domain Admins group through the Remote Desktop Gateway, and we’ve allowed the Domain Admins group to be able to use the Remote Desktop Gateway by using the Authorization policies. We will now test connecting to the domain controllers from the Remote Desktop Gateway.
We’ve confirmed we can reach the domain controllers from the Remote Desktop Gateway.
Now we need to ensure that external clients can reach the Remote Desktop Gateway.
Configuring the Firewall
Because we are going to be connecting to the Remote Desktop Gateway from the internet, we will need to modify the firewall to allow access to the Remote Desktop Gateway Port.
In the preceding steps, we had changed the TCP port to 4430 for the Remote Desktop Gateway. This means we need to allow TCP Port 4430 inbound on the firewall and to the destination port 4430 on the Remote Desktop Gateway.
If we had used the default port of 443, we would need to allow TCP port 443 instead.
Configuring the Remote Desktop Client with the Remote Desktop Gateway Settings
When configuring a remote desktop client that supports the Remote Desktop Gateway, and you will be connecting using the remote desktop gateway, always remember that the Computer name of the server you want to connect to is the local server name that is resolvable from the Remote Desktop Gateway.
When entering the Remote Desktop Gateway details in the client, you need to specify the port if you are not using the default SSL port of 443. In our case, we need to enter rdgateway.yourdomain.com:4430 as the Remote Desktop Gateway server. Had we use the default port, we just need to enter the FQDN without the port number e.g. rdgateway.yourdomain.com .
This concludes the steps involved in setting up the Remote Desktop Gateway Windows Server 2016. You will now be able to configure a remote desktop client to connect using the Remote Desktop Gateway.
NOTE: Make sure you use the latest version of the Remote Desktop Client as I have seen an earlier version that came with Windows 7 not able to connect even though it has settings for a Remote Desktop Gateway.
I will write up a follow up article on how to configure a remote desktop client to use the Remote Desktop Gateway.
© 2018 sengstar2005