How to Setup a Remote Desktop Gateway

A Remote Desktop Gateway server is a Windows 2008R2 server which typically is located in a corporate or private network. It acts as the gateway into which RDP connections from an external network connects through to access a Remote Desktop server (Terminal Server) located on the corporate or private network. The external network is usually the internet. (In Windows 2008, it is known as TS Gateway or Terminal Services Gateway).

Remote Desktop Servers typically use port 3389. To enable Remote Desktop Servers to be accessed over the internet, you must enable/forward TCP Port 3389 to the Remote Desktop Server. If you have more RD servers than you have internet IP addresses, you will have to start port forwarding other ports to the other RD Servers i.e. forward TCP Port 3390 on your firewall to Port 3389 on your second RD Server, forward TCP Port 3391 to Port 3389 on your third RD server and so on.

This can be quite confusing for clients because they have to remember what port to connect to.

With Remote Desktop Gateway installed, you can give your clients the address or DNS name of the gateway server. Give them the name or private IP address of the Remote Desktop server that you want your client to connect to. It doesn’t matter that the name of the RD Server is not resolvable on the internet or the IP address is from a private range. As long as the RD Gateway can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Destop Server.

You can create groupings of servers and allow only certain Windows users or groups access to particular servers.

However, to use RDGateway, you will need to install a valid SSL certificate. I find buying an SSL certificate is best instead of using a self-signed one i.e. you can get an SSL certificate from Comodo, InstantSSL, Verisign, etc. . You can hook up RD Gateway and RD Web Access together and even let users use Internet Explorer to connect to your Published Remote Apps on your Remote Desktop servers via a Web Proxy.

1. Install the Remote Desktop Gateway role service via Server Manager. You will need to install the Remote Desktop Services role first.
2. Once Remote Desktop Gateway Role service is installed, run Remote Desktop Gateway Manager
3. Go into the Policies section and create the Connection Authorization Policy. This is where you setup who’s allowed to log into the RDGateway.
4. Go into the Policies section and create the Resource Authorization Policy. This is where you setup what resources can be accessed via RD Gateway and by whom.

NOTE: The name and IP addresses that you enter here will be used to match with what the client will type in as the computer name in the RD Client. For example, if you put the server name in the Resource Authorization Policy as MYSERVER, and the RD client is trying to connect to MYSERVER.domain.local, the RD Client will be refused connection DESPITE the two names resolving to the same IP address. You can’t even specify a valid IP address unless it is listed as an allowed resource.

5. Right click on the RD Gateway server name and select Properties. A window will come up where you can fine tune the properties. You can use the default settings. However, you need to go into the SSL Certificate tab and install a certificate.
6. Enable/Forward TCP Port 443 (SSL port) on your firewall to the RDGateway server.

Make sure you install the latest RDP Client or at the very least version 6.1.
You can go into the Advanced section, and click on Settings in the Connect from Anywhere settings. See below screen shots as an example.