Install and Configure Remote Desktop Gateway Server

Today security is the most important task in IT. Before any task or project is completed, security has to be considered first. I wrote a three-part series on Remote Desktop Servers Farm and Load Balancing some months ago. Now I will explain how to use an RD Gateway Server to connect to your LAN from the Internet more securely.

Related articles to read before you start deploying Remote Desktop Gateway Server

Remote Desktop Servers Farm and  Load Balancing - Part 1

Overview

What is Remote Desktop Gateway Server and where can it be used?

From Microsoft's Overview of Remote Desktop Gateway:

<< Remote Desktop Gateway (RD Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be Remote Desktop Session Host (RD Session Host) servers, RD Session Host servers running RemoteApp programs, or computers with Remote Desktop enabled.

RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.>>

RDG Design 

There are different designs for integrating a Remote Desktop Gateway Server. I won't analyze every architecture, but I will explain the two that are most commonly used.

RD Gateway Server inside the LAN.

The RD Gateway Server sits inside the LAN and only port 443 is allowed through the firewall from the Internet to it. This is the simplest method but also the least secure: the RD Gateway provides some protection, but the Internet-facing service now lives directly on your internal network, so a compromise of the gateway is a compromise of the LAN. This method is better suited to a lab environment for training purposes.

RD Gateway Server in the DMZ.

Create a DMZ on the firewall and move the RD Gateway Server into it, so that it is isolated from your internal network. You must open port 443 from the Internet to the RDG and port 3389 from the RDG to the internal hosts that users are allowed to reach. A domain-joined RD Gateway in the DMZ also needs to reach your domain controllers (DNS, Kerberos, LDAP) to authenticate users; the Microsoft article linked in the troubleshooting section at the end lists the complete set of firewall rules. This is the more difficult solution and requires advanced firewall experience, or a network administrator who can create the DMZ and the Internet-DMZ-LAN traffic rules. It is the recommended design if you want to use an RD Gateway Server.

You can find more designs for RD Gateway, but I will stay with these two most common methods. For this article I will use method 2 because it is more secure.


Install Remote Desktop Gateway Server

After deciding how to integrate the RD Gateway Server, we must install the RD Gateway role.

  • Log in to the server that will be used as the RD Gateway Server.
  • Open Server Manager.
  • Click Add Roles.
  • Click Next.
  • Select Remote Desktop Services. Click Next.
  • Check Remote Desktop Gateway and click Add Required Role Services for the dependencies needed in the next step. Click Next.

  • For now select Choose a certificate for SSL encryption later. An SSL certificate is required for the RD Gateway Server to work, but it can be installed after the role.

  • Select Now to create authorization policies. Click Next.
    Authorization policies on the RD Gateway Server control which users can connect through it and which resources they can reach.



  • For now allow only Administrators; the user groups that are allowed to connect through this RD Gateway Server will be chosen after the installation. Click Next.

  • Use the default name for the RD CAP or change it, and click Next.

  • Use the default name for the RD RAP or change it as you want. Select Allow users to connect to any computer in the network. Click Next.

  • You see a quick overview of Network Policy and Access Services. Click Next.

  • Network Policy Server is selected by default. Click Next.

  • Another quick overview, this time for IIS. Click Next.

  • Click Next with the default options.

  • This step is just a confirmation of your options. You will see one warning saying that RD Gateway will not operate without a certificate. Click Install.

  • Wait until the installation finishes.
  • After it finishes, restart the server.
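The same role installation can be scripted, which is handy when you build the DMZ server more than once. The following is an added example and not part of the original article; it assumes Windows Server 2012 or later (on 2008 R2 the equivalent is Add-WindowsFeature from the ServerManager module with the same feature name) and checks the result instead of assuming the wizard succeeded.

```powershell
# Added example (not from the original article): install the RD Gateway role
# and its dependencies with PowerShell instead of the Add Roles wizard.
# Assumes Windows Server 2012 or later; on 2008 R2 use Add-WindowsFeature.
Import-Module ServerManager

# RDS-Gateway pulls in Network Policy Server (NPAS) and the IIS/RPC-over-HTTP
# components, the same "required role services" the wizard asks to add.
$result = Install-WindowsFeature -Name RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools
if (-not $result.Success) {
    throw "RD Gateway role installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning "A restart is required before the RD Gateway service will start."
}

# Confirm the role and the dependencies it dragged in are actually installed.
Get-WindowsFeature -Name RDS-Gateway, NPAS, Web-Server |
    Select-Object Name, InstallState

# TSGateway is the gateway service; it refuses to start until a certificate is
# bound. Its Operational log is where every connection attempt will be recorded.
Get-Service -Name TSGateway
Get-WinEvent -ListLog 'Microsoft-Windows-TerminalServices-Gateway/Operational'
```

After the restart, Get-Service TSGateway should report Running once the SSL certificate from the next section is in place; until then a Stopped state is expected, which is exactly the warning the wizard shows.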

Install SSL Certificate in RD Gateway Server

The first step after the installation, before the RD Gateway Server can work, is to install an SSL certificate. You can create a self-signed certificate to use only from your LAN. I recommend using one to test from your LAN until the configuration is complete and you can connect through the RD Gateway.

Before installing the SSL certificate you must request a CSR from your IIS. See how in Generate CSR (Certificate Signing Request) - IIS 7.

But the RD Gateway Server is really meant for users outside your company who must connect from the Internet, so for production you must buy an SSL certificate from a public CA whose root the clients already trust. A basic single-name SSL certificate for the gateway's public DNS name is all you need; a wildcard or more advanced certificate is not required. To be honest, I searched a lot before finding out which type of SSL certificate must be installed for RD Gateway.

  • Open RD Gateway Manager.
  • Right-click the server and select Properties.

  • Select the SSL Certificate tab and click Import Certificate.

  • Select the SSL certificate that you installed before and click Import.

  • If the certificate was imported, you can see all its details.
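The CSR, the import and the binding above can also be done from the gateway's own console, which makes it easy to check the points that usually go wrong (no private key, wrong name, missing Server Authentication usage). This is an added example, not code from the original article; it assumes the public name rdg.askme4tech.com used in the article, a working folder C:\RDG, and that the CA returns the issued certificate as rdg.cer.

```powershell
# Added example (not from the original article): request, verify and bind the
# RD Gateway SSL certificate. Assumptions: public name rdg.askme4tech.com,
# working folder C:\RDG, CA-issued certificate saved as C:\RDG\rdg.cer.
$PublicName = 'rdg.askme4tech.com'
New-Item -ItemType Directory -Path C:\RDG -Force | Out-Null

# 1. CSR for a public CA. The private key stays in the machine store and is
#    non-exportable; EKU 1.3.6.1.5.5.7.3.1 (Server Authentication) is required.
@"
[NewRequest]
Subject = "CN=$PublicName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path C:\RDG\rdg.inf -Encoding ASCII

certreq.exe -new C:\RDG\rdg.inf C:\RDG\rdg.csr   # submit rdg.csr to the CA

# 2. Accept the issued certificate so it is paired with the pending private key.
#    Lab alternative (Server 2012+): a self-signed certificate for LAN testing only;
#    clients will warn about the untrusted issuer, so never expose it to the Internet.
if (Test-Path C:\RDG\rdg.cer) {
    certreq.exe -accept C:\RDG\rdg.cer
} else {
    New-SelfSignedCertificate -DnsName $PublicName -CertStoreLocation Cert:\LocalMachine\My | Out-Null
}

# 3. Pick the newest certificate for the public name and verify it is usable.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$PublicName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $PublicName in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate for $PublicName has expired" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw "Certificate lacks the Server Authentication EKU; RD Gateway will not use it"
}

# 4. Bind it by thumbprint (the same thing Import Certificate does in the GUI).
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint
Get-Item  -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
Restart-Service -Name TSGateway
```

The checks in step 3 are the ones worth keeping: a certificate that was imported without its private key, or that was issued for a different name than the one clients will type in the RD Gateway settings, shows up in RD Gateway Manager but the client will still refuse the gateway.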

Configure RD CAPs

After buying and installing the SSL certificate you must configure the RD CAP. This policy allows the specific user groups you select to connect to the RD Gateway Server.

  • Start - - -> Administrative Tools - - -> Remote Desktop Services - - -> Remote Desktop Gateway Manager.
  • Expand RDG - - -> Policies and you will find Connection Authorization Policies and Resource Authorization Policies.
  • Click Connection Authorization Policies and double-click RD_CAP.

  • Select the Requirements tab.
  • In User group membership, define which groups you want to allow. This is required, and it must be groups, not individual users; otherwise nobody can connect.

  • When finished, click OK.

Configure RD RAPs

The RD RAP policy is also required; it defines which network resources the user groups are allowed to reach through the RD Gateway Server.

  • Start - - -> Administrative Tools - - -> Remote Desktop Services - - -> Remote Desktop Gateway Manager.
  • Expand RDG - - -> Policies and you will find Connection Authorization Policies and Resource Authorization Policies.
  • Click Resource Authorization Policies and double-click RD_RAP.

  • Select the User Groups tab and specify the user groups. They will probably be the same as in the RD CAP policy.
  • Select Network Resource and decide which computers users may connect to. If you don't want any restriction, check Allow users to connect to any network resource; this is convenient for testing, but in production a compromised account could then reach every RDP host on the LAN, so prefer an explicit list.

  • If you want users to connect only to specific servers or PCs, check Select an existing RD Gateway-managed group or create a new one.

  • Click Browse. Click Create New Group.

  • Type the name. Select the Network Resources tab. Add the IP address or name of each server or PC. Click OK and OK.

  • When finished, click OK.
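Both policies from the RD CAP and RD RAP sections above can be created with the RDS: PowerShell provider that the RemoteDesktopServices module installs on the gateway. The block below is an added example and not the article's own configuration; the domain ASKME4TECH, the group RDG-Users and the two internal addresses are made up for the example, and the parameter names follow Microsoft's RDS provider documentation for the gateway, so confirm them with Get-Help New-Item on your server version.

```powershell
# Added example (not from the original article): create the RD CAP (who may
# connect) and RD RAP (where they may go) with the RDS: provider instead of
# RD Gateway Manager. Domain, group name and addresses are assumptions.
Import-Module RemoteDesktopServices
$Domain    = 'ASKME4TECH'
$UserGroup = "$Domain\RDG-Users"               # must be a group: the CAP does not accept single users
$Resources = @('192.168.1.10', '192.168.1.11')  # the only internal hosts remote users need

# RD CAP: AuthMethod 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'RDG-Users-CAP' `
    -UserGroups $UserGroup -AuthMethod 1 | Out-Null

# RD Gateway-managed computer group: the explicit list of permitted hosts.
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RDG-Servers' `
    -Description 'Hosts reachable through the gateway' -Computers $Resources | Out-Null

# RD RAP: ComputerGroupType 0 = RD Gateway-managed group (used here),
# 1 = Active Directory group, 2 = any network resource (the wizard's default,
# which lets any allowed user reach every RDP host on the LAN).
New-Item -Path RDS:\GatewayServer\RAP -Name 'RDG-Users-RAP' `
    -UserGroups $UserGroup -ComputerGroupType 0 -ComputerGroup 'RDG-Servers' | Out-Null

# Remove the wizard's "Administrators / any resource" policies once the new
# ones exist, so the wide-open RAP cannot be matched by mistake.
foreach ($old in 'RDS:\GatewayServer\CAP\RD_CAP', 'RDS:\GatewayServer\RAP\RD_RAP') {
    if (Test-Path $old) { Remove-Item -Path $old -Recurse }
}

# Review the result: every policy exposes its settings as child items.
Get-ChildItem RDS:\GatewayServer\CAP\RDG-Users-CAP\UserGroups
Get-ChildItem RDS:\GatewayServer\RAP\RDG-Users-RAP\UserGroups
Get-ChildItem RDS:\GatewayServer\GatewayManagedComputerGroups\RDG-Servers\Computers
```

The important design point is the pairing: the CAP decides which identities the gateway accepts, the RAP decides which internal addresses it will open port 3389 to on their behalf. With "any network resource" in the RAP the gateway is effectively a full RDP proxy into the LAN for every member of the group, so keep the managed computer group as short as the users' real needs allow.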

Verifying RD Gateway Functionality

It's time to verify that the RD Gateway Server works. Go to a client PC.

  • Open Remote Desktop Connection.
  • Select Show Options.

  • Select the Advanced tab.
  • Click Settings.

  • Select Use these RD Gateway server settings.
  • Type the name that you gave the public A record in your DNS (the SSL certificate must be issued for the same name). For example rdg.askme4tech.com.
  • Click OK.

  • Select the General tab.
  • Type the internal IP address or name of your server or PC and click Connect.

  • Enter the appropriate credentials, and if all the settings are correct you will be connected.

  • If not, you have a lot of configuration to check to find the problem.
  • The most common causes are:
  1. Make sure you typed the right name and address in your public DNS records (if you aren't sure, ask your provider to check). You can also open cmd and ping the name you gave the A record to check that it resolves to the right IP address. It doesn't matter if the ping times out; ICMP is usually blocked at the perimeter, so that is normal as long as the name resolves.
  2. Check your firewall settings. If the RD Gateway Server is on the LAN (which is not recommended) you must open port 443 only to the RD Gateway Server.
  3. If your RD Gateway Server is in the DMZ, read this article to check the ports that must be open:
    https://blogs.msdn.microsoft.com/rds/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/
  4. Check the RD RAP and RD CAP policies. At a minimum they must contain the user group that is allowed to connect through the RD Gateway Server.
  5. If you use local users, they must also be created on the RD Gateway Server with the same usernames and passwords.
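The checks in the list above can be run from the client in one go, so that DNS, the firewall and the certificate are ruled out before you start looking at the policies. This is an added example, not part of the original article; it assumes the gateway name rdg.askme4tech.com from the article and an internal target 192.168.1.10 chosen for the example.

```powershell
# Added example (not from the original article): client-side checks for the
# troubleshooting list above. Gateway name and internal target are assumptions.
$Gateway = 'rdg.askme4tech.com'
$Target  = '192.168.1.10'

# 1. DNS: the public A record must resolve. Ping proves little because ICMP is
#    usually dropped at the perimeter, so resolve the name instead.
$ip = [System.Net.Dns]::GetHostAddresses($Gateway) | Select-Object -First 1
if (-not $ip) { throw "$Gateway does not resolve; check the public A record" }
"$Gateway -> $ip"

# 2. Firewall and certificate: TCP 443 must be reachable and the gateway must
#    present a certificate for the same name, or the RDP client refuses it.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Gateway, 443)
} catch {
    throw "TCP 443 to $Gateway is blocked; check the Internet -> RDG firewall rule"
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })  # inspect, do not trust
$ssl.AuthenticateAsClient($Gateway)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Gateway presents: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
if ($cert.Subject -notmatch [regex]::Escape($Gateway)) {
    # Subject-only check; a certificate that carries the name in its SAN will also work.
    Write-Warning "Certificate subject does not contain $Gateway; clients will refuse the gateway"
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Gateway certificate has expired" }
$ssl.Dispose(); $tcp.Close()

# 3. Build an .rdp file that forces the session through the gateway and open it.
#    gatewayusagemethod 1 = always use the gateway, gatewaycredentialssource 0 =
#    ask for a password, gatewayprofileusagemethod 1 = use these explicit settings.
@"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
"@ | Set-Content -Path "$env:TEMP\via-rdg.rdp" -Encoding ASCII
mstsc.exe "$env:TEMP\via-rdg.rdp"

# 4. If the gateway still refuses the connection, its Operational log says
#    whether the CAP (user) or the RAP (resource) rejected it. Run on the gateway:
# Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 20 |
#     Select-Object TimeCreated, Id, Message
```

Steps 1 and 2 cover points 1 to 3 of the list (DNS, perimeter firewall, certificate); step 4 is where points 4 and 5 show up, because a user who is not in the CAP group, or who targets a host outside the RAP, is logged on the gateway with the policy that denied them.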


To be honest, the configuration of the DMZ on the firewall is very, very difficult if you haven't done it before. I spent 3 days at work to configure it properly and allow the DMZ to communicate with the appropriate servers in the inside network on the appropriate ports.