Network Privacy Project - caitlinmallen/TechWiki GitHub Wiki
Remote Desktop Gateway
In the world of working remotely, having access to an internal server may be important. While a VPN can be an option, sometimes access to one specific system is needed. We see this at Champlain, where ITS students need to access specific systems in specific labs where work has been saved, or where certain tools are installed that require licenses. RD Gateway is a solution to this issue: it allows a specific internal system to be connected to over RDP from outside the network. In our demo, we used a Windows Server ISO in VMware on Doug's PC on the Burlington-Winooski border, and I used my own PC located in downtown Burlington. This allows me to access resources within Doug's network, or, if this were an organization, I could access internal resources behind the firewall. Like a traditional VPN, this is a secure way to reach internal services: the client talks only to the gateway, with RDP tunneled inside HTTPS on TCP 443, and the gateway opens the RDP connection to the internal host on the client's behalf. Unlike a VPN, the client gets no network-level access, only RDP to the hosts the gateway's policies allow.

In this configuration, it is assumed a domain has been set up and the RD Session Host and RD Licensing roles have already been installed (they can be installed during the RD Gateway installation if needed). Two Windows hosts are needed: one Windows Server with Server Manager, which becomes the gateway, and one client to connect from.
- In Server Manager, open Add Roles and Features, choose Role-based or feature-based installation, and select your server.
- In Server roles, expand Remote Desktop Services and select Remote Desktop Gateway (and RD Session Host and License Server if needed). Everything else can be kept as the defaults.
- Reboot the server after this.
- In Server Manager, go to Remote Desktop Services, Servers, and under your server's name, right click and select RD Gateway Manager.
- In RD Gateway Manager, expand the tree and go to Policies. Create a Connection Authorization Policy (RD CAP), which defines which users (and optionally which client computers) may log in to the gateway, and a Resource Authorization Policy (RD RAP), which defines which internal computers those users may reach through it.
- An SSL certificate is needed so the client can connect to the gateway over HTTPS. For a lab, a self-signed certificate can be created in RD Gateway Manager: right-click the server, open Properties, go to the SSL Certificate tab, click "Create and import certificate", and set the certificate name to the public IP address (the name must match exactly what clients will enter as the gateway address). Export the certificate (the public .cer file only, never the private key) and send it to the client. In a real deployment, use a certificate issued by a CA the clients already trust, with the gateway's public DNS name, so nothing has to be hand-installed on each client.
- On the client, add the certificate to the trusted store by double-clicking it and clicking "Install Certificate", or in certlm.msc (the Local Computer store) by manually importing it under Trusted Root Certification Authorities. Without this, the Remote Desktop client refuses the gateway connection because the self-signed certificate cannot be validated.
- The status indicators in RD Gateway Manager should all show green, indicating the gateway is properly configured.
- In Services, change the RD Gateway Service (named TSGateway) to startup type "Automatic" instead of "Automatic (Delayed Start)".
- On the client, open the Remote Desktop Connection client (mstsc) and fill in the internal computer name of the target host and the user as DOMAIN\user.
- On the Advanced tab, click Settings, select "Use these RD Gateway server settings", enter the public IP address of the gateway server (it must match the name on the gateway's certificate), and uncheck "Bypass RD Gateway server for local addresses".
- On the server, you can also remove the Public profile from the four inbound Windows Firewall rules for Remote Desktop on port 3389: Remote Desktop – User Mode (TCP-In) and (UDP-In), and Remote Desktop Services – User Mode (TCP-In) and (UDP-In). Open each rule's properties, go to the Advanced tab, and uncheck the "Public" box under Profiles. Direct RDP from the public side is then blocked: RDP from outside arrives at the gateway's HTTPS listener on TCP 443, and the gateway makes the connection to the target on port 3389 from inside the network. Check that TCP 443 is the only RDS-related port still open on the Public profile.
- On the client, click OK and then connect. You will need to provide credentials before the RDP session is successful.
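The whole procedure above, server side and then client side, as a PowerShell equivalent of the Server Manager, RD Gateway Manager and mstsc clicks. This is an added example, not code from the original wiki page or its authors; the public IP `203.0.113.10`, the domain `corp.example` / `CORP`, the group `RDGW-Users`, the target host `LAB-PC01`, the user `alice` and the file paths are assumed placeholders. It also goes one step beyond the page by printing which inbound rules are still open on the Public profile after the change, so the "only 443 is exposed" claim can be checked rather than assumed.

```powershell
# ---- Server side: run in an elevated PowerShell on the gateway ----
# Assumed placeholders; change to match the lab.
$GatewayName = '203.0.113.10'              # public IP (or DNS name) clients will type as the gateway
$UserGroup   = 'RDGW-Users@CORP'           # Group@Domain format used by the RDS: provider
$CertExport  = 'C:\rdgw.cer'

# Install the RD Gateway role and its management tools (reboot afterwards if prompted).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Lab-only self-signed certificate. Subject and SAN must equal the name clients use for the gateway.
# In production, use a CA-issued certificate for the gateway's public DNS name instead.
$cert = New-SelfSignedCertificate -Subject "CN=$GatewayName" -DnsName $GatewayName `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(1)
# Export only the public certificate (.cer); the private key stays on the gateway.
Export-Certificate -Cert $cert -FilePath $CertExport | Out-Null

Import-Module RemoteDesktopServices          # provides the RDS: drive
# Bind the certificate to the gateway's HTTPS (443) listener.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# RD CAP: who may log in to the gateway. AuthMethod 1 = password.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Lab-CAP' -UserGroups $UserGroup -AuthMethod 1
# RD RAP: which internal hosts those users may reach. ComputerGroupType 2 = any network resource,
# which matches the lab; for least privilege use an AD computer group (1) or a gateway-managed group (0).
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Lab-RAP' -UserGroups $UserGroup -ComputerGroupType 2

# Service startup type as on the page, then restart so the new certificate and policies are live.
Set-Service -Name TSGateway -StartupType Automatic
Restart-Service -Name TSGateway

# Remove the Public profile from the inbound Remote Desktop (3389) rules so direct RDP from
# outside is blocked and only the gateway's 443 listener is reachable.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Profile Domain, Private

# Verification: list what is still open on the Public profile. Only the RD Gateway HTTPS rule
# (and whatever else the server legitimately exposes) should appear; no 3389 rule should.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Action

# ---- Client side: run in an elevated PowerShell on the remote PC ----
# Trust the exported gateway certificate in the Local Computer store (what certlm.msc does by hand).
Import-Certificate -FilePath 'C:\rdgw.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

# Connection file equivalent to the mstsc dialog: internal target host, public gateway address,
# gatewayusagemethod 1 = always use the gateway ("Bypass RD Gateway server for local addresses" unchecked),
# gatewayprofileusagemethod 1 = use these explicit settings, gatewaycredentialssource 0 = ask for a password.
@'
full address:s:LAB-PC01.corp.example
username:s:CORP\alice
gatewayhostname:s:203.0.113.10
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
'@ | Set-Content -Path "$env:USERPROFILE\lab.rdp"

# Launch the connection; credentials are prompted for before the session is established.
mstsc "$env:USERPROFILE\lab.rdp"
```

The gateway address in the .rdp file and the certificate's name must be identical, which is why the page has you name the self-signed certificate after the public IP. If the verification query still lists a 3389 rule on the Public profile, the rule group name on that Windows build differs from the one used here; match it by DisplayName instead of DisplayGroup.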
