Skip to main content

How to Setup a Remote Desktop Gateway

Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.

What Is a Remote Desktop Gateway Server?

A Remote Desktop Gateway server is a Windows 2008R2 server which is typically located in a corporate or private network. It acts as the gateway into which RDP connections from an external network connects through to access a Remote Desktop server (Terminal Server) located on the corporate or private network. The external network is usually the internet. (In Windows 2008, it is known as TS Gateway or Terminal Services Gateway.)

Why Not Just Connect to the Remote Desktop Server or Terminal Servers Directly From the Internet?

Remote Desktop Servers typically use port 3389. To enable Remote Desktop Servers to be accessed over the internet, you must enable/forward TCP Port 3389 to the Remote Desktop Server. If you have more RD servers than you have internet IP addresses, you will have to start port forwarding other ports to the other RD Servers, i.e. forward TCP Port 3390 on your firewall to Port 3389 on your second RD Server, forward TCP Port 3391 to Port 3389 on your third RD server and so on.

This can be quite confusing for clients because they have to remember what port to connect to.

With Remote Desktop Gateway installed, you can give your clients the address or DNS name of the gateway server. Give them the name or private IP address of the Remote Desktop server that you want your client to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the internet or the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Desktop Server.

You can create groupings of servers and allow only certain Windows users or groups access to particular servers.

However, to use RDGateway, you will need to install a valid SSL certificate. I find buying an SSL certificate is best instead of using a self-signed one i.e. you can get an SSL certificate from Comodo, InstantSSL, Verisign, etc. You can hook up RD Gateway and RD Web Access together and even let users use Internet Explorer to connect to your Published Remote Apps on your Remote Desktop servers via a Web Proxy.

How to install the Remote Desktop Gateway Role Service?

  1. Install the Remote Desktop Gateway role service via Server Manager. You will need to install the Remote Desktop Services role first.
  2. Once Remote Desktop Gateway Role service is installed, run Remote Desktop Gateway Manager
  3. Go into the Policies section and create the Connection Authorization Policy. This is where you setup who’s allowed to log into the RDGateway.
  4. Go into the Policies section and create the Resource Authorization Policy. This is where you setup what resources can be accessed via RD Gateway and by whom. NOTE: The name and IP addresses that you enter here will be used to match with what the client will type in as the computer name in the RD Client. For example, if you put the server name in the Resource Authorization Policy as MYSERVER, and the RD client is trying to connect to MYSERVER.domain.local, the RD Client will be refused connection DESPITE the two names resolving to the same IP address. You can’t even specify a valid IP address unless it is listed as an allowed resource.
  5. Right click on the RD Gateway server name and select Properties. A window will come up where you can fine tune the properties. You can use the default settings. However, you need to go into the SSL Certificate tab and install a certificate.
  6. Enable/Forward TCP Port 443 (SSL port) on your firewall to the RDGateway server.

Configuring the RDP Client to Talk to the Remote Desktop Gateway

Make sure you install the latest RDP Client or at the very least version 6.1.
You can go into the Advanced section, and click on Settings in the Connect from Anywhere settings. See below screen shots as an example.


This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

Questions & Answers

Question: The picture showing "connect from anywhere" is blocked out on my HP computer and I can't change the local IP address for my remote access. Where do I enable this setting in order to change my "Local IP"?

Scroll to Continue

Answer: Is this a corporate laptop? It could be it's locked down by Group Policy so you can't make changes.

© 2012 sengstar2005


ramy emam on July 29, 2020:

i need help with my rd web access server ,i setup the role service but it didn't work with me

sengstar2005 (author) from Sydney on May 28, 2019:

Hi Ali, I've never had to open up udp/3391 to the internet for RDS. Maybe that is for some other services you are using ?

Ali Bhatia on May 24, 2019:

We also have udp/3391 opened to Internet , is that required

sengstar2005 (author) from Sydney on April 01, 2018:

Hi Rob, thanks for your comment. You forward to Port 443 internally to the Remote Desktop Gateway.

Rob Taylor on March 31, 2018:

You've covered ALMOST everything, but there's one thing that's missing; the "Port Forwarding" settings in the router. Naturally the External port to be opened is 443, HOWEVER, what is the internal port to which 443 is forwarded. Nobody seems to answer that.

sengstar2005 (author) from Sydney on December 02, 2016:

Thanks for your comment Justin. Yes, this article is about Windows 2008R2 Remote Desktop Services. The update to this article was just some minor grammar fixes. Microsoft changed a number of things with regards to Remote Desktop Services installation since Windows 2012. I haven't yet, but will need to create a different article for Windows 2012 and 2016.

Justin on December 02, 2016:

Updated on November 8, 2016 - Yet there's no mention of Server 2016. I assume everything got lumped into RDS and we now have to install everything that is included in RDS just to get RD Gateway?

Related Articles