How to Setup a Remote Desktop Gateway
Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.
What Is a Remote Desktop Gateway Server?
A Remote Desktop Gateway server is a Windows Server 2008 R2 server, with the RD Gateway role service installed, that typically sits on a corporate or private network. It is the single entry point through which RDP connections from an external network, usually the internet, are tunnelled to a Remote Desktop server (Terminal Server) on the corporate or private network. The client talks to the gateway over HTTPS on TCP port 443, and the gateway opens the RDP connection to the internal server on the client's behalf. (In Windows Server 2008 it is known as TS Gateway, or Terminal Services Gateway.)
Why Not Just Connect to the Remote Desktop Server or Terminal Servers Directly From the Internet?
Remote Desktop servers listen on TCP port 3389. To make a Remote Desktop server reachable over the internet you must enable/forward TCP port 3389 on your firewall to it. If you have more RD servers than you have internet IP addresses, you have to start forwarding other ports to the other RD servers, e.g. forward TCP port 3390 on your firewall to port 3389 on your second RD server, TCP port 3391 to port 3389 on your third RD server, and so on. Every one of those forwarded ports is another RDP listener exposed directly to the internet.
This can be quite confusing for clients because they have to remember what port to connect to.
With Remote Desktop Gateway installed, you give your clients the address or DNS name of the gateway server, plus the name or private IP address of the Remote Desktop server you want them to connect to. It doesn't matter that the RD server's name is not resolvable on the internet or that its IP address is from a private range: as long as the RD Gateway can resolve the name, and the user credentials your clients use have been granted the appropriate rights, they can connect to the Remote Desktop server.
You can create groupings of servers and allow only certain Windows users or groups access to particular servers.
However, to use RD Gateway you will need to install a valid SSL certificate. I find buying an SSL certificate is best instead of using a self-signed one, e.g. you can get one from Comodo, InstantSSL, Verisign, etc. Whichever you use, the certificate's subject (or subject alternative name) must match the DNS name your clients type for the gateway, and the issuing CA must be trusted by the client machines; otherwise the RD client will refuse the gateway connection. You can hook up RD Gateway and RD Web Access together and even let users use Internet Explorer to connect to your published RemoteApps on your Remote Desktop servers via a web proxy.
How to install the Remote Desktop Gateway Role Service?
- Install the Remote Desktop Gateway role service via Server Manager. You will need to add the Remote Desktop Services role first.
- Once the Remote Desktop Gateway role service is installed, run Remote Desktop Gateway Manager.
- Go into the Policies section and create a Connection Authorization Policy (RD CAP). This is where you set up who is allowed to log in to the RD Gateway (by Windows user or group) and with which authentication method.
- Go into the Policies section and create a Resource Authorization Policy (RD RAP). This is where you set up which internal resources can be accessed via the RD Gateway and by whom. NOTE: the names and IP addresses you enter here are matched literally against what the client types as the computer name in the RD client. For example, if you put the server in the Resource Authorization Policy as MYSERVER and the RD client tries to connect to MYSERVER.domain.local, the connection will be refused DESPITE both names resolving to the same IP address. You can't even connect by IP address unless that IP address is listed as an allowed resource. So list every form of the name your clients will use (short name, FQDN, IP address).
- Right-click on the RD Gateway server name and select Properties. A window comes up where you can fine-tune the properties; the defaults are fine, but you must go to the SSL Certificate tab and select or import the certificate the gateway will present to clients.
- Enable/forward TCP port 443 (the SSL port) on your firewall to the RD Gateway server. Port 3389 does not need to be opened on the internet-facing firewall; only the gateway needs to reach it internally.
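The same steps, scripted: this is an added example, not from the original article, for an elevated PowerShell prompt on the Windows Server 2008 R2 gateway itself, using the RDS: provider that the Remote Desktop Services role installs. The domain, group and host names and the certificate name are placeholders; the RDS: paths and the New-Item parameters are as I recall them from Microsoft's documentation for that release (the -Computers parameter of the computer-group item in particular), so confirm them with Get-Help New-Item and Get-ChildItem RDS:\GatewayServer on the box before relying on them.

```powershell
# Added example (not from the original article): configure RD Gateway on
# Windows Server 2008 R2 with the RDS: provider from an elevated prompt.
# All names below are placeholders; provider paths and parameter names are
# as recalled from Microsoft's documentation and should be verified locally.

Import-Module RemoteDesktopServices

$domain   = "CONTOSO"                                         # assumed NetBIOS domain
$gwFqdn   = "rdg.example.com"                                 # assumed public name clients type
$userGrp  = "RDG Users@$domain"                               # assumed AD group, "group@domain" form
$rdsHosts = @("rds01", "rds01.contoso.local", "10.0.0.21")   # every form clients may type

# 1. Connection Authorization Policy: who may authenticate to the gateway.
#    AuthMethod 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name "RDG-Users" `
    -UserGroups $userGrp -AuthMethod 1

# 2. Gateway-managed computer group with the allowed internal resources.
#    The RAP matches the typed computer name literally, so short name,
#    FQDN and IP address are all listed.
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name "RDS-Hosts" `
    -Description "Session hosts reachable through the gateway" -Computers $rdsHosts

# 3. Resource Authorization Policy: which users may reach which resources.
#    ComputerGroupType 0 = gateway-managed group (created in step 2).
New-Item -Path RDS:\GatewayServer\RAP -Name "RDG-Users-to-RDS-Hosts" `
    -UserGroups $userGrp -ComputerGroupType 0 -ComputerGroup "RDS-Hosts"

# 4. Bind the certificate whose subject matches $gwFqdn. Pick it from the
#    machine store by name so an expired or key-less copy is never chosen.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$gwFqdn*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with a private key for $gwFqdn in LocalMachine\My" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 5. Allow HTTPS in on the host firewall. The perimeter firewall must still
#    forward TCP 443 to this server; TCP 3389 stays closed on the perimeter.
netsh advfirewall firewall add rule name="RD Gateway HTTPS" dir=in action=allow protocol=TCP localport=443

# Review what was created.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
Get-ChildItem RDS:\GatewayServer\SSLCertificate
```

Step 4 is the one most worth keeping in a script: selecting the certificate by subject name and expiry, rather than pasting a thumbprint, is what makes a later certificate renewal a re-run rather than a new hunt through the store.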
Configuring the RDP Client to Talk to the Remote Desktop Gateway
Make sure you install the latest Remote Desktop Connection client (mstsc.exe), or at the very least version 6.1.
In the client, go to the Advanced tab and click Settings under Connect from anywhere. Select "Use these RD Gateway server settings", enter the gateway's public DNS name (it must match the name on the SSL certificate) and choose the logon method. Then, on the General tab, enter the internal RD server's name exactly as it appears in the Resource Authorization Policy. See the screenshots below for an example.
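The client side of the same setup, as an added example that is not part of the original article: a PowerShell script that writes an .rdp file with the gateway settings (the setting names are the standard ones mstsc writes when you save a connection), then checks the certificate the gateway presents on TCP 443 and whether TCP 3389 is also reachable from outside, before handing the file to users. The gateway and server names are placeholders.

```powershell
# Added example (not from the original article): build a gateway .rdp file
# and sanity-check the gateway from a client machine. Names are placeholders.

$gateway = "rdg.example.com"     # assumed public DNS name of the RD Gateway
$target  = "rds01"               # must match a RAP entry exactly (short name here)
$rdpFile = "$env:USERPROFILE\Desktop\rds01-via-gateway.rdp"

# --- 1. Equivalent of Advanced > Connect from anywhere > Settings ---
# gatewayusagemethod 1 = always use the gateway; gatewayprofileusagemethod 1 =
# use these explicit settings; gatewaycredentialssource 4 = prompt for
# credentials; authentication level 1 = refuse if the RD server's own
# certificate cannot be verified (relax to 2 to warn instead).
@"
full address:s:$target
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
prompt for credentials:i:1
authentication level:i:1
"@ | Set-Content -Path $rdpFile -Encoding ASCII

# --- 2. Inspect the certificate clients will see on TCP 443 ---
# mstsc refuses the gateway if the chain is untrusted or the name does not
# match, so catch that here rather than in a support call.
$script:sslErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($gateway, 443)
$validator = { param($sender, $cert, $chain, $errors) $script:sslErrors = $errors; $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
$ssl.AuthenticateAsClient($gateway)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

New-Object PSObject -Property @{
    Gateway      = $gateway
    Subject      = $cert.Subject
    DnsName      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    Thumbprint   = $cert.Thumbprint
    PolicyErrors = $script:sslErrors      # 'None' is what you want
} | Format-List

# --- 3. Confirm RDP is not also exposed directly on the public address ---
$direct = New-Object System.Net.Sockets.TcpClient
$direct.BeginConnect($gateway, 3389, $null, $null).AsyncWaitHandle.WaitOne(3000) | Out-Null
if ($direct.Connected) { Write-Warning "TCP 3389 on $gateway answers from outside; only TCP 443 should be exposed." }
$direct.Close()

# Launch the connection with the generated file.
Start-Process mstsc.exe -ArgumentList "`"$rdpFile`""
```

PolicyErrors other than None (RemoteCertificateNameMismatch, RemoteCertificateChainErrors) are exactly the cases in which the RD client will refuse the gateway, so fix them on the gateway's certificate rather than by training users to click through.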
Related Articles
- How To Setup a Remote Desktop Gateway Windows Server 2016: This tutorial will go through the steps of implementing a Remote Desktop Gateway on a Windows Server 2016 server. A Remote Desktop Gateway is often used to allow remote desktop clients to connect from the internet to servers behind the Remote Desktop
- How To Configure a Remote Desktop Client To Use a Remote Desktop Gateway: This tutorial shows how to configure a Remote Desktop Client to use a Remote Desktop Gateway. It shows how to configure the Remote Desktop client on both Mac and Windows. It also shows how to use a Self-Signed SSL Certificate with the RD Gateway
- How to Install Remote Desktop Services Windows 2016: This tutorial will show how to install Remote Desktop Services in Windows Server 2016 but it can be applied to Windows 2012 or Windows 2012R2. The steps are based on a scenario where there is currently no Remote Desktop Services for Windows 2012 or l
- Remote Desktop Session Broker Load Balancing: This article will talk about load balancing terminal servers with relation to Windows Server 2008 R2 servers.
- Remote Desktop via Proxy Server to a Remote Desktop Server: This article will outline the principles of setting up your server infrastructure so as to be able to remote desktop via Proxy server to a Remote Desktop Server. The seasoned professional will be able to then apply these concepts.
- How to Remote Desktop through a Proxy Server to a Terminal Server: Connecting to a terminal server via a web proxy server.
Questions & Answers
Question: The picture showing "connect from anywhere" is blocked out on my HP computer and I can't change the local IP address for my remote access. Where do I enable this setting in order to change my "Local IP"?
Answer: Is this a corporate laptop? It could be it's locked down by Group Policy so you can't make changes.
© 2012 sengstar2005
Comments
ramy emam on July 29, 2020:
I need help with my RD Web Access server. I set up the role service but it didn't work for me.
sengstar2005 (author) from Sydney on May 28, 2019:
Hi Ali, I've never had to open up UDP/3391 to the internet for RDS. Maybe that is for some other services you are using?
Ali Bhatia on May 24, 2019:
We also have UDP/3391 opened to the Internet. Is that required?
sengstar2005 (author) from Sydney on April 01, 2018:
Hi Rob, thanks for your comment. You forward to Port 443 internally to the Remote Desktop Gateway.
Rob Taylor on March 31, 2018:
You've covered ALMOST everything, but there's one thing that's missing: the "Port Forwarding" settings in the router. Naturally the external port to be opened is 443. HOWEVER, what is the internal port to which 443 is forwarded? Nobody seems to answer that.
sengstar2005 (author) from Sydney on December 02, 2016:
Thanks for your comment Justin. Yes, this article is about Windows 2008R2 Remote Desktop Services. The update to this article was just some minor grammar fixes. Microsoft changed a number of things with regards to Remote Desktop Services installation since Windows 2012. I haven't yet, but will need to create a different article for Windows 2012 and 2016.
Justin on December 02, 2016:
Updated on November 8, 2016 - Yet there's no mention of Server 2016. I assume everything got lumped into RDS and we now have to install everything that is included in RDS just to get RD Gateway?