Lately a lot of people like to work from home a day or two a week, and if they have some kind of private obligation it is sometimes easier to access the work environment from home. To securely access your work computer or the Remote Desktop Session Host servers in your company data center, Microsoft created the Remote Desktop Gateway role, which is basically a secure tunnel that allows you to reach corporate servers.
Installation of the RD Gateway server was more or less straightforward in Windows Server 2008. In Windows Server 2012 R2 things seem to be more complicated. I must admit I use Windows Server for everyday operations, and Remote Desktop Session Host role installation is my daily job. I can say that at least once a day I deploy a Remote Desktop Session Host role, used mostly for testing :-)
So I will describe here how to deploy a simple Remote Desktop Gateway on Windows Server 2012 R2, with mostly default settings that will allow everyone to connect through the gateway. If you want to tweak permissions you can play with the settings yourself; this is only a quick guide for installing the Remote Desktop Gateway role on Windows Server 2012 R2.
I don't have a farm of RD Session Host servers sitting behind it, and I don't want to deploy a Connection Broker, Web Access and Session Host server (i.e. the complete infrastructure); I just want an RD Gateway server. Things can get pretty complicated here, because in Server Manager you won't have a nice green "add RD Gateway server" icon that you can click to do everything through the wizard. So I will help you deploy the standalone RD Gateway role on Windows Server 2012 R2.
- Open Server Manager and select Add roles and features
- Nothing special on the Before you begin step, just click Next
- It is important to select Role-based or feature-based installation here. If you select Remote Desktop Services installation, the wizard will lead you through Remote Desktop Connection Broker, Web Access and Remote Desktop Session Host installation, which we don't want in this simple scenario.
- On the server selection step, select the server that will host the Remote Desktop Gateway role
- Select the Remote Desktop Services role
- You can skip the features step if you don't need any
- On the Remote Desktop Services role page you can just click Next
- And at last you are on the step where you select the Remote Desktop Gateway role service. Click on that role and in the next dialog just click Add Features, because Windows Server needs to add additional features such as Network Policy and Access Services, the management tools for Network Policy and Access Services, the same for RD Gateway, etc. Just click Add Features.
- Make sure the RD Gateway role is selected and click Next
- It will now inform you about Network Policy and Access Services; click Next
- Information that the Network Policy Server will be installed
- Informational message that IIS will be deployed as well
- Confirmation that RD Gateway together with the other required services will be installed. I checked the restart check-box just in case something else was pending a restart
- And voila! Installation starts
- After the installation is finished, go back to Server Manager and click on the Remote Desktop Services role that was just installed. When you click on Overview you will see a message: There are no RD Connection Broker servers in the server pool. This is okay, since we have not deployed a complete Remote Desktop Session Host environment; we want only the RD Gateway
- Now go to Tools > Terminal Services > Remote Desktop Gateway Manager and you will see that our Remote Desktop Gateway server is not configured. The most important thing for the RD Gateway is the certificate: if the SSL certificate is not installed on the server and trusted on the CLIENT, this will not work. The certificate needs to be on both machines for this to work. The other things you need to configure are the Connection Authorization Policy (who is able to connect through the RD Gateway) and the Resource Authorization Policy (where authenticated users will be able to connect).
- Let's start with the SSL certificate. Click on View or modify certificate properties and you will see that no certificate is available.
- You have multiple options now. You can create a self-signed certificate on the server, BUT then that self-signed certificate needs to be imported on the client. If the SSL cert is not on the client, the Remote Desktop client will not allow you to connect via the RD Gateway server. The second option is to select an existing certificate, which I will do in this scenario because locally we have certificate services and our internally issued certificates are distributed to the clients. The third option is a certificate purchased from a third party like Symantec, Comodo or somebody else for this specific gateway. For tests I recommend the first option, for internal people the second option, and for production, where both internal and external users will connect to your infrastructure, I recommend the third option. SSL certs today are really cheap, so no worries about that.
- We will continue with the configuration of the RD Connection and Resource Authorization Policies. The easiest way is through a simple wizard, but it is hidden a bit; it was easier in Windows Server 2008 R2. So go to Policies and then Create New Authorization Policies.
- The wizard will open, and for this simple scenario I recommend selecting Create an RD CAP and an RD RAP
- Name the RD CAP policy
- Now you need to define who will be able to connect to the RD Gateway server. I selected only the Domain Users security group, but you can select whoever you want
- Device redirection and session timeouts I left empty for now. Basically you can select there what will be redirected from the client and after how many minutes an idle or active session will be disconnected from the RD Gateway server
- Now let's create the RD RAP policy; name it something descriptive like I did :P
- The same user group you selected before will be allowed to connect through the RD Gateway. Members of these groups can connect to network resources remotely through the RD Gateway. Leave it as is, or if you want to add somebody else as well, do it now
- Now you can select where users will be able to connect. You can select an Active Directory Domain Services network resource group, an existing RD Gateway-managed group, or, like me, allow connections to any network resource
- Now select the allowed ports. The default is only port 3389, but you can define multiple ports separated with semicolons or just allow connections to any port
- Finish the wizard and you will receive a success message that the RD RAP and RD CAP policies have been created.
- The server is now configured. On the client, import the self-signed SSL certificate if you used that; if you already have a trusted SSL certificate, go to the Remote Desktop client, then the Advanced tab, then Settings
- Now specify the RD Gateway server here. Please note that the RD Gateway server name here and the server name on the certificate need to be the SAME! Otherwise you will get the error below: Your computer can't connect to the remote computer because the Remote Desktop Gateway server's address requested and the certificate subject name do not match. Contact your network administrator for assistance (YOU).
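The same deployment, scripted, as an added example that is not part of the original post: it installs the role service, binds a certificate whose subject matches the name clients will use (the mismatch the error above complains about), creates the RD CAP and RD RAP, and writes a client .rdp file. The gateway name rdgw.example.com, the domain example.com, the target host workpc.example.com and the policy names are assumptions; the RDS: drive paths and the New-Item parameters are those of the RemoteDesktopServices module.

```powershell
# Added example, not from the original post. Run elevated on the future gateway.
# Assumed names: gateway FQDN rdgw.example.com, domain example.com.
$GatewayFqdn = 'rdgw.example.com'            # name clients will type into the RD client
$UserGroup   = 'Domain Users@example.com'    # same group the wizard walkthrough used

# Steps 1-18 of the wizard: the RDS-Gateway role service pulls in NPS and IIS by itself.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Certificate: pick the newest cert in the machine Personal store whose CN matches the
# gateway FQDN. A subject that differs from $GatewayFqdn is exactly what causes the
# "address requested and the certificate subject name do not match" client error.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$GatewayFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $GatewayFqdn in LocalMachine\My; import or request one first." }

Import-Module RemoteDesktopServices          # exposes the RDS: drive behind RD Gateway Manager
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# RD CAP: who may authenticate to the gateway. AuthMethod 1 = password.
New-Item -Path RDS:\GatewayServer\CAP -Name 'RD-CAP-DomainUsers' `
         -UserGroups $UserGroup -AuthMethod 1

# RD RAP: where they may go. ComputerGroupType 2 = any network resource, as in the post.
# Once the target hosts are known, an AD computer group (type 0) is the tighter choice.
New-Item -Path RDS:\GatewayServer\RAP -Name 'RD-RAP-AnyResource' `
         -UserGroups $UserGroup -ComputerGroupType 2

# Verify what the gateway will present and enforce.
Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint | Select-Object CurrentValue
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP | Select-Object Name

# Client side (copy to a workstation): equivalent of Advanced > Settings in the RD client.
# gatewayusagemethod 1 = always use the gateway; gatewaycredentialssource 0 = ask for password.
@"
full address:s:workpc.example.com
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
"@ | Set-Content -Path "$env:USERPROFILE\Desktop\via-gateway.rdp"
```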
- If you followed this short how-to properly and you are able to connect via the Remote Desktop Gateway, in the Monitoring node of the gateway you will see the following. This is a single user connected with three sessions, two over UDP and one over HTTPS. RD Gateway now also supports UDP connections when the HTTP transport is used; that was introduced in Windows Server 2012, and RemoteFX uses UDP to optimize the transport of data over wide area networks.
- In case you need a log of all the users connecting through the RD Gateway, you can check this software: Remote Desktop Gateway Monitor. RD Gateway Manager will show you only the currently logged-on users, but of course you don't have a whole day just to sit and watch the users; this software is cool and it will provide a historical log of all users, when they used the gateway and where they connected.
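The role itself also keeps a history of who came through the gateway, in the Microsoft-Windows-TerminalServices-Gateway/Operational event log. The query below is an added example, not part of the original post or of the monitoring software it mentions; the event IDs (200 authorized by CAP, 302 connected to a resource, 303 disconnected) are those written by RD Gateway, and the UserData field names (Username, IpAddress, Resource) are assumed from the gateway's event XML.

```powershell
# Added example, not from the original post: list gateway users for the last 7 days
# from the built-in operational log, as a baseline for the audit the post is asking for.
$since = (Get-Date).AddDays(-7)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Id        = 200, 302, 303      # 200 = met CAP, 302 = connected to resource, 303 = disconnected
    StartTime = $since
} -ErrorAction Stop | ForEach-Object {
    # Gateway events carry their fields in UserData\EventInfo rather than in the message text.
    $info = ([xml]$_.ToXml()).Event.UserData.EventInfo
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        User     = $info.Username
        ClientIP = $info.IpAddress
        Resource = $info.Resource    # empty on 200, which is authorization only
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A 200 without a matching 302 is a user who authenticated to the gateway but never reached a resource, which is worth a second look when the RAP allows any network resource, as the walkthrough does.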