How to Set Up Remote Desktop Gateway – Rublon (2024)

This article explains how to quickly set up a secure Remote Desktop Gateway, allowing users to access their computers from anywhere. Learn how to configure RD Gateway settings, set up an SSL certificate, and configure CAP and RAP policies. Get step-by-step instructions for setting up the RD Gateway, and check our tips on additional security measures to protect your remote machines. Here’s a comprehensive guide for setting up an efficient Remote Desktop Gateway and securing your data today.

What is Remote Desktop Gateway (RD Gateway)?

Remote Desktop Gateway (RD Gateway or RDG) is a Windows Server role that enables users on public networks to access network resources from any device that supports the Remote Desktop Connection client. The network resources can be Remote Desktop Session Host (RD Session Host) servers and Remote Desktop computers.

Why use Remote Desktop Gateway?

When the Remote Desktop Gateway is not deployed, and someone tries to remotely access a Terminal Server (host computer) from their home computer (client computer) over the public internet, they will go over port 3389. In such a setup, the data going over port 3389 between the home computer and the server is not encrypted. To combat this security risk, a Terminal Server Gateway (also called a Remote Desktop Gateway server) can be deployed as a middleman between the home computer and the Terminal Server.

After deploying the RD Gateway server, the information between the Gateway server and the remote computer is encrypted over port 443 using an SSL certificate. This dramatically reduces the risk of unauthorized access over the public internet. After the information gets inside the internal network, port 3389 is used to make the connection to the Terminal Server.

The Remote Desktop Gateway Server acts as a secure connection between computers inside and outside a network, encrypting data sent over the internet. Installing the Remote Desktop Gateway is recommended, especially if you have clients that need to connect to the Terminal Servers through the internet.

How does Remote Desktop Gateway work?

Remote Desktop Gateway (RDG) works by establishing a secure, encrypted Remote Desktop Protocol (RDP) connection between remote users on the public internet and private network resources. RD Gateway uses Secure Sockets Layer (SSL) to encrypt the communication between the clients and the server. It must be accessible through a public IP address that allows inbound TCP connections to port 443 so that users can connect through the internet over HTTPS.

To make Remote Desktop Gateway work, you must install an SSL certificate. We recommend you buy an SSL certificate from a verified provider. However, you can also use a self-signed certificate, which is free.

The Remote Desktop Gateway server should be a separate machine from your Terminal Servers.

Once the connection is established, port 3389 inside the internal network can be used. For this reason, it is recommended to install a Remote Desktop Gateway Server when clients access the terminal server remotely.

How to set up Remote Desktop Gateway?

1. Install the Remote Desktop Role

2. Create CAP and RAP Policies

3. Install an SSL Certificate on RD Gateway

4. Test your setup

5. Enable MFA for RD Gateway

1. Install the Remote Desktop Role

1. Connect to the host server via RDP using admin credentials.

2. Open the Server Manager, click Manage, and select Add Roles and Features.

3. The Add Roles and Features installer will open. You can skip Before you begin by clicking Next.

4. Select Role-based or feature-based installation and click Next.

5. Select Select a server from the server pool and then select the name of your local computer in the Server Pool. Click Next.

6. In Select Server Roles, select Remote Desktop Services and click Next.

7. You can skip Features and Remote Desktop Services by clicking Next on both.

8. In Select role services, select Remote Desktop Gateway and click Add Features when prompted. Click Next.

9. In Network Policy and Access Services, click Next.

10. You can skip Network Policy and Access Services, Web Server Role (IIS), and Role services by clicking Next on them all.

11. In Confirm installation selections, click Install and wait for the installation to complete.

12. Installation successful. You must now create the Connection Authorization Policy.

2. Create CAP and RAP Policies

Connection Authorization Policy (CAP) allows you to specify which groups can access resources behind the Remote Desktop Gateway. You can use Active Directory Users or Active Directory Computer Objects groups.

Resource Authorization Policy (RAP) allows you to restrict server access based on group memberships. You will need to create Active Directory groups and add servers as members of these groups.

To create a Connection Authorization Policy (CAP) and Resource Authorization Policy (RAP):

1. In the Server Manager, click Tools and select Remote Desktop Services → Remote Desktop Gateway Manager.

2. In the left pane, expand Policies, select Connection Authorization Policies, and right-click it. Then, select Create New Policy → Wizard.

3. Select Create a RD CAP and a RD RAP (recommended) and click Next.

Create a Connection Authorization Policy

4. Enter a name for your Connection Authorization Policy, e.g., Allowed-For-RDGateway-Policy, and click Next.

5. Click Add Group… to add one or more user groups that will be associated with this RD CAP. Users who are members of these groups can connect to this RD Gateway server.

The best practice is to create a separate user group in Active Directory where you add users that you want to allow using Remote Desktop Gateway. For this tutorial, we created such a group in Active Directory and named it Allowed-For-RDGateway.

Click Next.

6. In Device Redirection, you can decide if RD Gateway should transfer local resources like printers and ports to the remote desktop machine for someone who accesses a computer remotely. You do not have to change anything unless you specifically want to. Click Next.

7. Check Enable idle timeout and Enable session timeout and click Next.

8. In RD CAP Summary, click Next.

Create a Resource Authorization Policy

9. Enter a name for your Resource Authorization Policy, e.g., Servers-Available-Via-RDGateway, and click Next.

10. Click Add Group… to add one or more user groups that will be allowed to access network resources. Users in these groups will be able to use the remote desktop to access servers on the network.

For this tutorial, we selected the same Allowed-For-RDGateway group that we selected when configuring the Connection Authorization Policy.

Click Next.

11. Click Browse and select a group that contains the servers that you want the above user groups to be able to remote desktop to.

For this tutorial, we selected the built-in group called Domain Controllers. But you can create one or more additional groups containing servers. For example, one for each department. This way, you can assign groups based on department users and allow them to access only specific servers.

Click Next.

12. If you changed the default remote desktop port, select Allow connections to these ports and specify the port. Otherwise, select Allow connections only to port 3389.

13. Click Next. Then, in RD RAP Summary, click Finish.

The wizard will create your CAP and RAP policies. You can now click Cancel to close the New Authorization Policies Wizard.

14. You have installed the Remote Desktop Gateway and created CAP and RAP policies. You now need to install an SSL certificate on RD Gateway.
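The wizard steps in sections 1 and 2 can also be scripted, which makes the resulting policies easier to review and reproduce. The PowerShell below is an added example, not part of the original guide: it reuses the policy and group names from this tutorial, assumes a placeholder NetBIOS domain name (CONTOSO), and uses a small hypothetical helper, Test-RdgPolicy. It does not enable the idle and session timeouts from step 7.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of sections 1 and 2 of the guide.
$Domain      = 'CONTOSO'                        # assumption: placeholder NetBIOS domain name
$UserGroup   = "Allowed-For-RDGateway@$Domain"  # user group created for the tutorial
$ServerGroup = "Domain Controllers@$Domain"     # computer group selected in step 11
$CapName     = 'Allowed-For-RDGateway-Policy'
$RapName     = 'Servers-Available-Via-RDGateway'

# Section 1: install the Remote Desktop Gateway role service and its management tools.
$install = Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
if (-not $install.Success) { throw 'RD Gateway role installation failed.' }
if ($install.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before continuing.' }

# The RDS: drive used below is exposed by the RemoteDesktopServices module.
Import-Module RemoteDesktopServices

function Test-RdgPolicy([string]$Kind, [string]$Name) {
    # True when a CAP or RAP with this name already exists, so reruns do not fail.
    [bool](Get-ChildItem "RDS:\GatewayServer\$Kind" | Where-Object { $_.Name -eq $Name })
}

# Section 2, steps 4-8: who may connect to the gateway. AuthMethod 1 = password.
if (-not (Test-RdgPolicy 'CAP' $CapName)) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $CapName `
        -UserGroups $UserGroup -AuthMethod 1 | Out-Null
}

# Section 2, steps 9-13: which computers those users may reach.
# ComputerGroupType 1 = an Active Directory group (2 would allow any computer).
if (-not (Test-RdgPolicy 'RAP' $RapName)) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName `
        -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $ServerGroup | Out-Null
}

# Review: list every setting of both policies so the groups, timeouts and allowed
# ports can be compared with what was intended.
foreach ($kind in 'CAP', 'RAP') {
    foreach ($policy in Get-ChildItem "RDS:\GatewayServer\$kind") {
        Write-Output "--- $kind $($policy.Name)"
        Get-ChildItem "RDS:\GatewayServer\$kind\$($policy.Name)" |
            Select-Object Name, CurrentValue | Format-Table -AutoSize
    }
}
```

The review listing at the end is the part worth keeping in a runbook: it shows which user and computer groups each policy actually grants, independent of how the policy was created.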

3. Install an SSL Certificate on RD Gateway

The Remote Desktop Gateway requires a valid SSL certificate. For this tutorial, we used a self-signed certificate. Still, we strongly recommend you purchase an SSL certificate for your server (using a fully qualified domain name) from a commercial Certificate Authority (CA) or purchase a wildcard SSL certificate for the domain.

If you already have your SSL certificate, follow these steps to install the SSL certificate on Remote Desktop Gateway:

1. In the Remote Desktop Gateway Manager, right-click the name of your gateway server and then click Properties.

2. Select the SSL Certificate tab and select an existing certificate or import the certificate.

3. Select the PFX certificate file from the file system and enter the password for the certificate when prompted.

4. Successfully importing the certificate means you have successfully installed the certificate on the default SSL port (TCP Port 443).

How to test your Remote Desktop Gateway connection

The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.

The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.

You have configured the secure link (RD Gateway) in this guide. If you have not prepared the host computer yet, here’s How to Set Up Remote Desktop.

If you have your host computer and Remote Desktop Gateway ready, do the following.

1. Launch the Remote Desktop Connection app (Start, type “rdp”, launch Remote Desktop Connection).

2. Select the Advanced tab. (You might have to click Show Options first.)

3. In the Connect from anywhere section, click Settings.

4. Select Use these RD Gateway server settings, enter your hostname or IP, and click OK.

5. Select the General tab and click Connect.

6. Provide your RD Gateway Server credentials, and after you get authenticated onto the Gateway server, provide your credentials to get authenticated onto the Remote Desktop server.

7. Congratulations. You remote desktoped in through your Gateway server.
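Beyond a successful login, the certificate from section 3 and the port exposure described earlier can be checked from a client outside the network. The PowerShell below is an added example, not part of the original guide; rdgw.example.com is a placeholder for your gateway's public name, and Test-Port and Get-GatewayCertificate are hypothetical helper names. A self-signed certificate like the one used in this tutorial is reported with chain errors unless it has been imported into the client's trusted root store.

```powershell
# Added example: run from a client outside the network once the gateway is set up.
$Gateway = 'rdgw.example.com'   # assumption: placeholder for the gateway's public FQDN

function Test-Port([string]$HostName, [int]$Port) {
    (Test-NetConnection -ComputerName $HostName -Port $Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Get-GatewayCertificate([string]$HostName) {
    # Complete a TLS handshake on 443 and capture the certificate plus the trust
    # verdict this client reaches. The callback accepts everything so that an
    # untrusted certificate can still be reported; no data is sent afterwards.
    $seen = @{}
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $errors)
        $seen.Cert = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $seen.Errors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $tls.AuthenticateAsClient($HostName)
        $tls.Dispose()
    } finally {
        $tcp.Dispose()
    }
    $seen
}

$open443  = Test-Port $Gateway 443
$open3389 = Test-Port $Gateway 3389
$result   = if ($open443) { Get-GatewayCertificate $Gateway } else { @{} }
$cert     = $result.Cert

[pscustomobject]@{
    Gateway          = $Gateway
    Port443Reachable = $open443        # the HTTPS listener clients connect to
    Port3389Exposed  = $open3389       # True means RDP is reachable without the gateway
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    SelfSigned       = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
    ExpiresOn        = $cert.NotAfter
    TrustErrors      = $result.Errors  # name mismatch or chain errors as seen by this client
} | Format-List
```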

How to protect your Remote Desktop Gateway Connection

So, your Remote Desktop Gateway is up and running. But have you considered ensuring user login security so hackers cannot use RD Gateway to access your resources?

Users who connect via Remote Desktop Gateway provide their username and password. But what if a hacker breaks the password? They can then gain full access to your corporate network.

Mercifully, there is a solution to that, and it is called Multi-Factor Authentication.

MFA is an additional layer of security that adds extra protection for remote access, even when SSL certificates are in use. Besides the login-password pair, MFA requires the user to present a second factor, such as a one-time code or a push notification sent to the user’s mobile device. This ensures that even if an attacker can obtain the password, they still won’t be able to gain access to the corporate network.

Free MFA for Remote Desktop Gateway

Here’s how to instantly increase the security of your RD Gateway in one hour or less.

  1. Sign up for a Free 30-Day Rublon Trial.
  2. Enable Multi-Factor Authentication (MFA) for Remote Desktop Gateway.


