Windows Server 2019

Remote Desktop Gateway Server 2016 or 2019 Configuration

A look at Remote Desktop Gateway Server 2016 or 2019 Configuration including installing RDS role services, confgiuring NPS, installing SSL and client config

There is no question, there have been a lot of organizations that have had to shift their focus to remote working over the past few weeks/months. If you are a Windows Server shop and also maintain Windows clients for your end users, one of the easiest ways to extend remote work from home is to setup a Remote desktop gateway server 2016 or 2019 to allow remote workers to access a desktop environment to run their normal business applications. If in a panic or a hurry you simply “poked a hole” in your firewall for RDP services directly to a server, now is the time to revisit that solution and make things more secure. Folding RDP services back in to the internal network and only exposing a remote desktop gateway server 2016 or 2019 to the perimeter is by far the better solution. In this post, we will take a look at remote desktop gateway server 2016 or 2019 configuration and see how you can easily stand up a server in the perimeter with the gateway services running that will proxy RDP traffic inside to your internal RDP resources.

Remote Desktop Gateway Server 2016 or 2019 why?

Before we get into the technical details of the solution, let’s look at this question a bit further. Why do you want to go through the trouble to stand up an additional layer in front of your RDP servers? In short, exposing an RDP server directly to the Internet is dangerous. There have been countless RDP flaws that have been revealed over the past few years and these will no doubt continue, especially with the current remote work situation.

Microsoft has a built-in solution in the Remote Desktop Gateway services role that allows proxying these incoming connections over a secure SSL 443 tunnel connection to the Gateway server over which the RDP connection is established to the internal RDP servers that house the actual resources and applications you want your end users to be able to use.

This is way more secure and keeps the highly problematic RDP protocol concealed on the inside underneath a separate layer of security that can be applied with the Remote Desktop Gateway server 2016 or 2019. Let’s take a look at installing a remote desktop gateway server 2016 or 2019 in front of your Remote Desktop Session Host (RDSH) servers internally.

Remote Desktop Gateway Server 2016 or 2019 Configuration

Let’s look at the steps to configure our Remote Desktop Gateway Server (RDGW). The steps for Remote Desktop Gateway Server 2016 or 2019 configuration involve the following:

Installing the Remote Desktop Services Role in 2016 or 2019

The first thing we need to do is install the role for Remote Desktop Services. You can easily do this in the Server Manager Roles and Features wizard.

Install-the-Remote-Desktop-Services-Role
Install the Remote Desktop Services Role

The Select role services wizard will ask which specific Remote Desktop Services will be installed.

Installing-the-Remote-Desktop-Services-role-services
Installing the Remote Desktop Services role services

The Network Policy and Access Services is installed in the installation of Remote Desktop Gateway services.

Network-Policy-Server-is-installed-with-the-Remote-Desktop-Gateway-Role-service
Network Policy Server is installed with the Remote Desktop Gateway Role service

The Web Server Role (IIS) is installed along with the Remote Desktop Gateway role service.

Web-Server-Role-IIS-is-added-to-the-Remote-Desktop-Gateway-server
Web Server Role IIS is added to the Remote Desktop Gateway server

The Web Server role services that will be installed in the process.

Confirm-the-role-services-added-as-part-of-the-Remote-Desktop-Services-installation
IIS Role services added as part of the installation of the Web Server role

Confirm the installation of the selected services supporting the Remote Desktop Gateway role.

Confirm-the-RDS-role-installation-along-with-supporting-role-services
Confirm the RDS role installation along with supporting role services

The Remote Desktop Gateway role service is installed along with the NPS role and Web Server IIS role.

The-RDS-NPS-and-Web-Server-roles-should-install-successfully
The RDS NPS and Web Server roles should install successfully

After installation, launch the RD Gateway Manager console. You will need to create new policies for:

  • Connection Authorization
  • Resource Authorization

Create a Connection Authorization Policy

Create a New Policy under the Connection Authorization Policies.

Create-a-connection-authorization-policy
Create a connection authorization policy

You have the choice to use a wizard or custom creation for the authorization policy.

Create-a-new-connection-authorization-policy-with-Wizard-or-Custom
Create a new connection authorization policy with Wizard or Custom

Below is the custom creation of the connection authorization policy. First, name the policy and make sure it is enabled (it is by default).

Name-the-policy-and-make-sure-it-is-enabled
Name the policy and make sure it is enabled

Under the requirements tab, add the group that will be allowed to connect. This is a required configuration. You can also add a computer group that is optional which defines the computer group allowed to connect.

Add-user-group-memberships-and-computer-group-memberships
Add user group memberships and computer group memberships

There are Device Redirection and Timeouts options that can be configured.

You-can-enable-timeouts-for-disconnects
You can enable timeouts for disconnects

The Connection Authorization Policy is created successfully.

Connection-authorization-policy-is-created-successfully
Connection authorization policy is created successfully

Create a Resource Authorization Policy

Create the Resource Authorization Policy. Click the Create New Policy.

Creating-a-resource-authorization-policy
Creating a resource authorization policy

Create the New Policy using the Wizard or the Custom option.

Create-a-new-policy-with-the-wizard-or-custom
Create a new policy with the wizard or custom

Name the Resource Authorization Policy (RAP) and make sure it is enabled (it is by default).

Name-the-policy-and-make-sure-the-resource-authorization-policy-is-enabled
Name the policy and make sure the resource authorization policy is enabled

Add the user groups whose members can connect to the remote computers on the network through the RDGW.

Add-a-user-group-to-the-resource-authorization-policy
Add a user group to the resource authorization policy

Configure which network resources the users are allowed to connect to. You can select a group that contains the computers that authenticated users are allowed to connect to. Also, you can select to Allow users to connect to any network resource.

Define-the-network-resources-allowed-for-connection
Define the network resources allowed for connection

Allowed ports allows configuring a different port besides 3389 if desired.

Allowed-ports-for-connection
Allowed ports for connection

The resource authorization policy is created successfully.

Resource-authorization-policy-created-successfully
Resource authorization policy created successfully

Install an SSL Certificate on the Remote Desktop Gateway Server

Aside from creating the connection authorization policy and the resource authorization policy, the Remote Desktop Gateway Server needs an SSL certificate installed. Click the View or modify certificate properties.

Installing-a-server-certificate-on-the-remote-desktop-gateway-server
Installing a server certificate on the remote desktop gateway server

For production systems, you need to install a trusted SSL certificate from a certificate authority. However, the great thing about the RDGW properties under the SSL Certificate tab, there is a means to Create and Import Certifiate which allows creating a self-signed certificate.

Create-a-self-signed-certificate-for-Remote-Desktop-Gateway-Server
Create a self signed certificate for Remote Desktop Gateway Server

The Create Self-Signed Certificate dialog box will automatically create the certificate and export the self-signed certificate out so you can import on client machines that will be connecting to the Remote Desktop Gateway 2016 or 2019 server.

Create-a-self-signed-certificate-and-export-the-certificate
Create a self-signed certificate and export the certificate

The certificate is successfully installed and exorted.

The-self-signed-certificate-is-created-successfully-and-the-certificate-is-exported
The self-signed certificate is created successfully and the certificate is exported

Now, under the tab, you will see the following certificate is installed on RDGW.

The-self-signed-certificate-is-installed-on-the-Remote-Desktop-Gateway-server
The self-signed certificate is installed on the Remote Desktop Gateway server

All of the statuses now show green and ready.

All-statuses-are-green-for-the-Remote-Desktop-Gateway-server
All statuses are green for the Remote Desktop Gateway server

Connect to RDSH with Remote Desktop Gateway Server

On a client the mstsc client for Remote Desktop Connection under Advanced > Settings is where you set the Remote Desktop Gateway server.

Remote-Desktop-MSTSC-settings
Remote Desktop MSTSC settings

Enter the Remote Desktop Gateway address under the Use these RD Gateway server settings. You can also set or unset the Bypass RD Gateway server for local addresses as well as the Use my RD Gateway credentials for the remote computer.

Use-RD-Gateway-settings-for-RDP-connection
Use RD Gateway settings for RDP connection

If a client does not have the certificate trusted on the client machine, they will see the following message. If you are using a self-signed certificate, the certificate will need to be imported on the client machine.

Error-encountered-when-certificate-is-not-installed-on-a-client
Error encountered when certificate is not installed on a client
You-will-see-the-remote-desktop-gateway-server-and-the-target-workstation-in-the-trust-dialog
You will see the remote desktop gateway server and the target workstation in the trust dialog

Once you hit Connect you will be successfully connected to your remote desktop through the proxy of the Remote Desktop Gateway Server 2016 or 2019.

Final Thoughts

Remote Desktop Gateway Server 2016 or 2019 Configuration is a straightforward process involving a few steps. This involves installing the role services needed, setting up the Network Policy Server authorization rules, installing the SSL certificate, and then configuring the end user client including installing the certificate.

For those looking for a secure solution to access remote desktops, the Remote Desktop Gateway server is the secure way to do this. For those that may have direct RDP access enabled, pulling back and installing a Remote Desktop Gateway server 2016 or 2019 in front of your RDSH servers will help to secure your remote RDP access.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.