How to Setup a Remote Desktop Gateway

Updated on August 4, 2018

What Is a Remote Desktop Gateway Server?

A Remote Desktop Gateway server is a Windows 2008R2 server which typically is located in a corporate or private network. It acts as the gateway into which RDP connections from an external network connects through to access a Remote Desktop server (Terminal Server) located on the corporate or private network. The external network is usually the internet. (In Windows 2008, it is known as TS Gateway or Terminal Services Gateway).

Why Not Just Connect to the Remote Desktop Server or Terminal Servers Directly from the Internet?

Remote Desktop Servers typically use port 3389. To enable Remote Desktop Servers to be accessed over the internet, you must enable/forward TCP Port 3389 to the Remote Desktop Server. If you have more RD servers than you have internet IP addresses, you will have to start port forwarding other ports to the other RD Servers, i.e. forward TCP Port 3390 on your firewall to Port 3389 on your second RD Server, forward TCP Port 3391 to Port 3389 on your third RD server and so on.

This can be quite confusing for clients because they have to remember what port to connect to.

With Remote Desktop Gateway installed, you can give your clients the address or DNS name of the gateway server. Give them the name or private IP address of the Remote Desktop server that you want your client to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the internet or the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Desktop Server.

You can create groupings of servers and allow only certain Windows users or groups access to particular servers.

However, to use RDGateway, you will need to install a valid SSL certificate. I find buying an SSL certificate is best instead of using a self-signed one i.e. you can get an SSL certificate from Comodo, InstantSSL, Verisign, etc. . You can hook up RD Gateway and RD Web Access together and even let users use Internet Explorer to connect to your Published Remote Apps on your Remote Desktop servers via a Web Proxy.

How to install the Remote Desktop Gateway Role Service?

  1. Install the Remote Desktop Gateway role service via Server Manager. You will need to install the Remote Desktop Services role first.
  2. Once Remote Desktop Gateway Role service is installed, run Remote Desktop Gateway Manager
  3. Go into the Policies section and create the Connection Authorization Policy. This is where you setup who’s allowed to log into the RDGateway.
  4. Go into the Policies section and create the Resource Authorization Policy. This is where you setup what resources can be accessed via RD Gateway and by whom. NOTE: The name and IP addresses that you enter here will be used to match with what the client will type in as the computer name in the RD Client. For example, if you put the server name in the Resource Authorization Policy as MYSERVER, and the RD client is trying to connect to MYSERVER.domain.local, the RD Client will be refused connection DESPITE the two names resolving to the same IP address. You can’t even specify a valid IP address unless it is listed as an allowed resource.
  5. Right click on the RD Gateway server name and select Properties. A window will come up where you can fine tune the properties. You can use the default settings. However, you need to go into the SSL Certificate tab and install a certificate.
  6. Enable/Forward TCP Port 443 (SSL port) on your firewall to the RDGateway server.

Configuring the RDP Client to Talk to the Remote Desktop Gateway

Make sure you install the latest RDP Client or at the very least version 6.1.
You can go into the Advanced section, and click on Settings in the Connect from Anywhere settings. See below screen shots as an example.

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

Questions & Answers

  • The picture showing "connect from anywhere" is blocked out on my HP computer and I can't change the local IP address for my remote access. Where do I enable this setting in order to change my "Local IP"?

    Is this a corporate laptop? It could be it's locked down by Group Policy so you can't make changes.

© 2012 sengstar2005


    0 of 8192 characters used
    Post Comment
    • profile image

      ramy emam 

      2 weeks ago

      i need help with my rd web access server ,i setup the role service but it didn't work with me

    • sengstar2005 profile imageAUTHOR


      14 months ago from Sydney

      Hi Ali, I've never had to open up udp/3391 to the internet for RDS. Maybe that is for some other services you are using ?

    • profile image

      Ali Bhatia 

      14 months ago

      We also have udp/3391 opened to Internet , is that required

    • sengstar2005 profile imageAUTHOR


      2 years ago from Sydney

      Hi Rob, thanks for your comment. You forward to Port 443 internally to the Remote Desktop Gateway.

    • profile image

      Rob Taylor 

      2 years ago

      You've covered ALMOST everything, but there's one thing that's missing; the "Port Forwarding" settings in the router. Naturally the External port to be opened is 443, HOWEVER, what is the internal port to which 443 is forwarded. Nobody seems to answer that.

    • sengstar2005 profile imageAUTHOR


      3 years ago from Sydney

      Thanks for your comment Justin. Yes, this article is about Windows 2008R2 Remote Desktop Services. The update to this article was just some minor grammar fixes. Microsoft changed a number of things with regards to Remote Desktop Services installation since Windows 2012. I haven't yet, but will need to create a different article for Windows 2012 and 2016.

    • profile image


      3 years ago

      Updated on November 8, 2016 - Yet there's no mention of Server 2016. I assume everything got lumped into RDS and we now have to install everything that is included in RDS just to get RD Gateway?


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
    ClickscoThis is a data management platform studying reader behavior (Privacy Policy)