How To Setup A Remote Desktop Gateway Windows Server 2016
Installing the Remote Desktop Gateway (RDGW) role on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.
Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019
In this case, we had already installed the RD Session Host (RDSH) and RD Licensing roles on the server. This server is in workgroup mode and not joined to a domain. The steps below install the RDGW role on a single server (installing RDGW also installs IIS), so all three roles (RDSH, RD Licensing, RDGW) end up on the same server. If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway role (other than purchasing a trusted SSL certificate, if you choose to).
1. Go to Server Manager, Add Roles and Features, Role-based or feature-based installation, select the existing server, under Server Roles expand Remote Desktop Services and select Remote Desktop Gateway, and accept the defaults for everything else. It will take about 5 minutes to install. Although it won't force a reboot, it is typically a good idea to reboot the server after this step.
2. Next go to Server Manager, Remote Desktop Services, Servers, click on the server name, right-click into Properties and open "RD Gateway Manager". (Note: in RDS, Overview, you will see a message about needing to be logged in as a domain user to manage servers and collections. To have this functionality you need to be joined to a domain instead of in workgroup mode; we are proceeding in workgroup mode only below.)
3. In RD Gateway Manager, expand the tree and go to Policies. Create a "Connection Authorization Policy" (CAP) defining which users can log in to the gateway and a "Resource Authorization Policy" (RAP) defining what resources can be accessed. For instance, we created policies called CAP1 and RAP1 and used defaults for nearly everything. For CAP1, you probably want to add Remote Desktop Users and Administrators to "user group membership". For RAP1, under Network Resources, you should change the option to "allow users to connect to any resource" since this is a single-server setup. You can modify these policies later to be more specific and restrictive.
4. For the SSL cert (go back to RD Gateway Manager, Properties), create a self-signed cert by going to Properties, SSL tab, create self-signed cert, click on "create and import certificate", and change the certificate name to the IP address "30.xx.xxx.xx" of the server in the certificate name field. Copy the self-signed cert to your local PC because you will need it in order to log in through the gateway (all users will need it). If you use a trusted SSL cert from a CA then you won't need to install the self-signed cert on each local PC/client like you will with a self-signed certificate. Take note of the self-signed certificate expiration date, which should be in 6 months; if you decide to continue using a self-signed certificate, you will need to generate a new cert before the expiration date.
Note: using a self-signed certificate will require you to install the certificate on each client device. It is recommended to use a trusted cert (instead of a self-signed cert), where you would need to purchase the SSL cert from a company like GoDaddy and it will be issued for a URL/domain name instead of an IP address.
5. At this point, all items in RD Gateway Manager status should be showing as green / green check marks.
6. Go to Services and change the Remote Desktop Gateway service (service name is TSGateway) to startup type "Automatic" instead of "Automatic (Delayed Start)" and make sure it is started/running. This will allow the gateway service to start quicker upon a server reboot; otherwise you may get a message that the gateway service is unavailable when trying to log in until you wait several minutes for the service to start.
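The same server-side steps 1 to 6, done from an elevated PowerShell prompt on the workgroup server. This is an added example, not code from the original post; the RDS: provider paths, the CAP/RAP parameter values and the group name format are assumptions from the RemoteDesktopServices module, so confirm the result in RD Gateway Manager (step 5) before relying on it.

```powershell
# Added example (not from the original post). Assumes the RemoteDesktopServices
# module's RDS: provider paths and parameter values shown below.
$ServerIp = '30.xx.xxx.xx'   # placeholder from the post; use your server's IP

# Step 1: install the RD Gateway role (this also pulls in IIS).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Steps 2-3: create CAP1 / RAP1 through the RDS: provider drive.
Import-Module RemoteDesktopServices
# CAP1: who may authenticate to the gateway (AuthMethod 1 = password).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP1' `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') `
    -AuthMethod 1
# RAP1: what they may reach. ComputerGroupType 2 = any network resource,
# matching the post's single-server setup; tighten this later (step 3).
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP1' `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') `
    -ComputerGroupType 2

# Step 4: self-signed cert named for the server IP, bound to the gateway
# listener and exported so it can be copied to each client's Trusted Root store.
$cert = New-SelfSignedCertificate -DnsName $ServerIp `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddMonths(6)
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint
Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\Documents\rdgw-$ServerIp.cer"
"Self-signed cert expires $($cert.NotAfter); generate a new one before then."

# Step 6: start the gateway service at boot without the delayed-start lag.
Set-Service -Name TSGateway -StartupType Automatic
Start-Service -Name TSGateway
Get-Service -Name TSGateway | Select-Object Name, Status, StartType
```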
Connecting to RDGW from your local PC
7. Open the Remote Desktop Connection client on your local PC and expand all fields by clicking Show Options.
8. On the General tab, make sure the Computer name field is the IP address of the server. You will be entering the IP address on both the General tab and the Advanced tab, using the same IP address, since the RDSH server and the RDGW server are the same server in this case.
9. Before connecting, go to the Advanced tab:
   - Click on the Settings box under Connect from Anywhere
   - Select "Use these RD Gateway server settings"
   - Enter the IP address of the server for Server Name
   - Uncheck the box "Bypass RD Gateway server for local addresses"
   - Check the box to use the same credentials for the RD Gateway server and the remote computer, since they are the same server in this case
10. Press OK, go back to the Local Resources tab and select which local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the More button; redirecting local drives uses bandwidth/resources, so only do it when needed).
11. Go to the General tab, decide if you want credentials to be allowed to be saved, and save the customized .rdp file as a shortcut on your desktop by clicking "Save As" and giving it a useful name.
12. When you connect, you may first get a warning message that says "The publisher of this remote connection can't be identified. Do you want to connect anyway?" or "The identity of the remote computer cannot be verified. Do you want to connect anyway?" You can check the box "Don't ask me again for connections to this computer" if you don't want to see this message every time, and continue. This message typically happens because you are using an .rdp shortcut on your local desktop that you customized or because you are using a self-signed certificate.
13. Connect and you will get a prompt to enter your credentials, which will be used for both RDSH and RDGW; select whether to remember credentials or not.
14. If you try to connect and you get a message "This computer can't verify the identity of the RD Gateway XXXXX…." and it won't connect, it is because you are using a self-signed certificate and haven't put a copy of the certificate in your Trusted Root Certification Authorities store on your local PC. So go back on the server and copy the cert from the users\username\documents\certname.cer folder of the server to your local PC/desktop, then double-click it on your local PC, select "Install Certificate", select the "Local Machine" store location and select the specific location "Trusted Root Certification Authorities" (don't use the automatic location). THIS WILL HAVE TO BE DONE ON ALL LOCAL PCs TO CONNECT WHEN USING SELF-SIGNED CERTS.
15. If you are having trouble logging in, try typing the username as servername\username, e.g. WIN-XXXXXX\Administrator or ServerX\Dan.
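The client-side result of steps 7 to 14 as a script: it writes the .rdp shortcut with the gateway settings the post walks through by hand, then imports the copied self-signed cert into the Local Machine Trusted Root store. This is an added example, not code from the original post; the file paths are assumptions, the IP is the post's placeholder, and the .rdp setting values are the standard RDP file keys that mstsc reads.

```powershell
# Added example (not from the original post). Paths are assumptions; the
# server IP is the post's placeholder. Run elevated for the cert import.
$ServerIp = '30.xx.xxx.xx'
$RdpPath  = "$env:USERPROFILE\Desktop\ServerX-via-RDGW.rdp"
$CerPath  = "$env:USERPROFILE\Desktop\certname.cer"   # copied from the server

# Step 8: same IP for the remote computer and the gateway (single server).
# Step 9: gatewayprofileusagemethod 1 = "use these gateway settings";
#         gatewayusagemethod 1 = always use the gateway (bypass for local
#         addresses unchecked); promptcredentialonce 1 = same credentials
#         for gateway and remote computer; gatewaycredentialssource 4 =
#         let the user pick credentials at connect time (mstsc default).
# Step 10: clipboard and printers on, drivestoredirect empty = no drives.
# Step 11: prompt for credentials 1 = always prompt; set 0 to allow saving.
$rdp = @"
full address:s:$ServerIp
gatewayhostname:s:$ServerIp
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
promptcredentialonce:i:1
redirectclipboard:i:1
redirectprinters:i:1
drivestoredirect:s:
prompt for credentials:i:1
"@
Set-Content -Path $RdpPath -Value $rdp -Encoding Unicode

# Step 14: trust the gateway's self-signed cert on this PC. Without this the
# client reports it cannot verify the identity of the RD Gateway.
if (Test-Path $CerPath) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
}

# Launch the connection; mstsc reads the gateway settings from the file.
mstsc.exe $RdpPath
```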
Turn off port 3389 to the internet to force traffic to use port 443/RDGW
16. Next, turn off the four inbound Windows Firewall rules for Remote Desktop on port 3389 FOR THE PUBLIC PROFILE (Remote Desktop – User Mode (TCP-In) and (UDP-In), and Remote Desktop Services – User Mode (TCP-In) and (UDP-In)). Open each firewall rule, go to the Advanced tab, and uncheck the "Public" box so the rule doesn't apply to the public profile.
17. RDP traffic should then go over port 443 from the outside to the server and then over 3389 internally to the server. You can test this by trying to log in via RDP without the gateway settings; it should no longer connect.
18. You can modify/disable other Remote Desktop inbound firewall rules if needed as well.
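Steps 16 and 17 done with the NetSecurity cmdlets on the server, with a check of what is listening afterwards. This is an added example, not code from the original post; the rule display names follow the post, and the outside-client probe at the end assumes the post's placeholder IP.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Step 16: select the four inbound Remote Desktop rules named in the post.
$rdpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' }

# Remove "Public" from each rule's profile list, leaving Domain and Private,
# so port 3389 is no longer reachable from the internet-facing profile.
$rdpRules | Set-NetFirewallRule -Profile Domain, Private

# Verify: each rule should now list "Domain, Private" only, on port 3389.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' } |
    Select-Object DisplayName, Enabled, Profile,
        @{ n = 'Port'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort } }

# Step 17: the gateway (IIS) should be listening on 443 and RDSH on 3389,
# but 3389 must only be reached internally from now on.
Get-NetTCPConnection -State Listen |
    Where-Object LocalPort -in 443, 3389 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From an outside client (not the server), a bare probe on 3389 should now
# fail while 443 still succeeds:
#   Test-NetConnection -ComputerName 30.xx.xxx.xx -Port 3389   # TcpTestSucceeded: False
#   Test-NetConnection -ComputerName 30.xx.xxx.xx -Port 443    # TcpTestSucceeded: True
```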
Additional Notes:
See the separate post on how to purchase and install an SSL certificate from a trusted CA: http://www.riptidehosting.com/blog/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh/
Source: https://www.riptidehosting.com/blog/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019/
Posted by: cummingsbuiting.blogspot.com