
How to Set up a Remote Desktop Services Gateway Server in Windows Server 2022, 2019, or 2016

Summary: This guide demonstrates the steps required to set up a Remote Desktop (RD) Gateway Server on a Remote Desktop Services (RDS) deployment.




Instructions

Introduction

An RDS Gateway server is useful for allowing secure access to an RDS environment for Internet users.

A Remote Desktop Services (RDS) Gateway server uses an SSL certificate to encrypt the communication between the clients and the RDS servers.

IIS is used for authentication and to configure policies to granularly define which users should have access to what resources. 

This guide assumes that an RDS deployment (containing the RDS Connection Broker, Licensing, and Session Hosts roles) already exists.

For more information about setting up a basic or advanced RDS deployment, see Dell KB article 217251 How To - Standard Remote Desktop Services Deployment - Step by Step. Another article to view is KB article 215230 Install and Activate an RDS Session Host without a Connection Broker (Workgroup) - Windows Server 2022.


Deploy the RD Gateway Server Role.

  1. On the Windows Server computer that hosts the Connection Broker role for the RDS deployment, in Server Manager, click Manage and then Add Roles and Features. Click Next on the Welcome screen.

Add roles and features menu

  2. Select a Role-based or feature-based installation and click Next.
  3. Select the target server for the RD Gateway role of this deployment and click Next. In the screenshot below the target server is "rdsfarm."
  4. In the Roles screen, expand Remote Desktop Services and click the Remote Desktop Gateway checkbox.

RD Gateway Role selection

  5. Click Add Features to install the prerequisites and then Next until the confirmation screen and then click Install.

  6. Wait for it to finish installing and then click Close.

RD Gateway role installation

  7. Back in Server Manager on the Connection Broker, in the Remote Desktop Services node, click the green circle with the plus sign above RD Gateway.

RDS Deployment Overview in Server Manager

  8. Select the server that is configured as the RD Gateway. Move it to the right side and click Next.

RD Gateway server selection wizard

  9. Enter the FQDN of the RD Gateway Server. (This step configures the subject of the self-signed certificate created by this wizard. This is not the certificate that is used in this guide.) Click Next.

RD Gateway Self Signed Certificate configuration

  10. Click Add to confirm the addition to the deployment, wait for it to finish installing the role and then click Close.

RD Gateway role installation


Configure the Certificate.

  11. Still in Server Manager, in the Connection Broker, under Deployment Overview, click Tasks and then Edit Deployment Properties.
      
    RDS Deployment Overview screen

  12. Click on the Certificates node.

Configuring the certificate for the deployment

Important!
For testing purposes, it is possible to use a self-signed certificate created here or like the certificate that was automatically created earlier in the wizard. However, a production RDS environment should be configured to use a certificate from a trusted public or domain-based certification authority.
This guide demonstrates how to configure a certificate from a trusted public certification authority. That way, this certificate does not have to be installed on the client computers.
 

  13. Click Select an existing certificate. Enter the path to the certificate. In this demo, the certificate has been copied to the root of the C:\ drive in the domain controller. Enter the password with which it was saved.

  14. Select the "Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers" checkbox and click OK.

Configuring the certificate for the deployment

  15. Notice the Ready to Apply state in the deployment configuration screen. Click Apply.

Configuring the certificate for the deployment

  16. After a few moments, the screen shows that the operation was completed successfully, and the level column recognizes the certificate as "Trusted."

Configuring the certificate for the deployment

NOTE: A Self-Signed certificate would show as "Untrusted." That type of certificate would then have to be copied to the client computers and installed. This is one of the main benefits of using a domain-based or public certification authority certificate as is the case in this guide.
 
  17. Click the RD Web Access role and repeat steps 13-16 to configure it. That way, the same certificate is used for IIS. Click OK to exit the deployment configuration screen.
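
The role deployment and certificate steps above can also be scripted with the RemoteDesktop PowerShell module and then checked from the same session. This is an added example, not part of the original article; the server names, external FQDN and PFX path are placeholders.

```powershell
# Added example: scripted equivalent of the wizard steps, run on the Connection Broker.
# All names and paths below are placeholders (assumptions), not values from the article.
Import-Module RemoteDesktop

$broker       = 'rdsfarm.example.internal'   # Connection Broker FQDN (placeholder)
$gateway      = 'rdsfarm.example.internal'   # server that receives the RD Gateway role
$externalFqdn = 'rdgw.example.com'           # public DNS name clients will use
$pfxPath      = 'C:\rdgw.pfx'                # CA-issued certificate exported with its private key
$pfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Install the role service, then add the server to the deployment as its RD Gateway.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools -ComputerName $gateway
Add-RDServer -Server $gateway -Role 'RDS-GATEWAY' -ConnectionBroker $broker `
    -GatewayExternalFqdn $externalFqdn

# Apply the same certificate to the RD Gateway and RD Web Access roles.
foreach ($role in 'RDGateway', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}

# Check what the deployment now reports: both roles should show Level = Trusted.
$certs = Get-RDCertificate -ConnectionBroker $broker |
    Where-Object { $_.Role -in 'RDGateway', 'RDWebAccess' }
$certs | Format-Table Role, Level, Subject, ExpiresOn, Thumbprint -AutoSize

foreach ($c in $certs) {
    if ("$($c.Level)" -ne 'Trusted') {
        Write-Warning "$($c.Role): level is $($c.Level); clients must install this certificate manually."
    }
    if ($c.ExpiresOn -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($c.Role): certificate expires on $($c.ExpiresOn)."
    }
}
```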


Configure a Connection Authorization policy and a Resource Authorization policy.

Before users can connect to the deployment using the RD Gateway server, it is required to configure a CAP and a RAP.

A Connection Authorization Policy (CAP) allows you to specify WHO is permitted to connect to the RDS Gateway Server.

A Resource Authorization Policy (RAP) allows you to specify WHAT servers or computers the authorized users have access to.
 

  18. On the RDS Gateway server, open Server Manager, click Tools, Remote Desktop Services, and then Remote Desktop Gateway Manager.

Accessing RD Gateway Manager from Server Manager

  19. Right-click the server name (RDSFARM in the image) and then click Properties.

Configuring RD Gateway server properties

  20. Under the Server Farm tab, add the name of the RD Gateway server (again, RDSFARM in the image) and click Apply.

    Server Farm tab

  21. Ignore the error about a load balancer. It is expected. Click OK, then Apply one more time; the status now shows OK.

Expected load balancing error
 

Added RD Gateway Server

  22. In the SSL certificate tab, it is possible to view and change the certificate configuration of the RD Gateway server, and even to create a new self-signed certificate if needed. All this, however, has already been configured in the Connection Broker.

Certificate tab

  23. Click OK to exit out of the properties screen.

  24. Back in the main screen of RD Gateway Manager, expand the server and then Policies.

  25. Right-click Connection Authorization Policies, then click Create New Policy and then Wizard.

Creating a New Connection Authorization Policy

  26. Select Create an RD CAP and an RD RAP (recommended). Click Next.

Creating a New Connection Authorization Policy

  27. Enter a name for the RD CAP. Click Next.

  28. Click Add Group and enter the name of the group containing the users that are allowed to connect. Domain Users is used in this guide's image. Click Next.

Creating a New Connection Authorization Policy

  29. Leave the defaults in the Device Redirection and Session Timeout steps, clicking Next on both screens as well as in the Summary screen and then proceed with the RD RAP.

  30. Enter a name and click Next. Leave the default in the User Group section and click Next again.

Creating a New Resource Authorization Policy

  31. In the Network Resource screen, if there is an Active Directory group containing the computer accounts of the Session Host servers of this RDS deployment, specify it. Otherwise, select the "Allow users to connect to any network resource (computer)" option. Click Next.

Creating a New Resource Authorization Policy

  32. Leave the default port of 3389 for intranet gateway to RDS session hosts communication. Click Next.

  33. Click Finish in the summary screen and then Close.

Creating a New Resource Authorization Policy
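
The CAP and RAP created in the wizard above can also be created and reviewed through the RDS: drive of the RemoteDesktopServices module. This is an added example, not part of the original article; the policy and group names are hypothetical, and the RAP is scoped to an Active Directory group of Session Hosts, the first option described in the Network Resource step.

```powershell
# Added example; run elevated on the RD Gateway server.
# Policy and group names are hypothetical placeholders.
Import-Module RemoteDesktopServices          # exposes the RDS: drive

$userGroup = 'RDGW-Users@EXAMPLE'            # AD group of users allowed through the gateway
$hostGroup = 'RDS-SessionHosts@EXAMPLE'      # AD group holding the Session Host computer accounts

# CAP: WHO may connect to the gateway. AuthMethod 1 = password.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Example-CAP' `
    -UserGroups $userGroup -AuthMethod 1

# RAP: WHAT those users may reach.
# ComputerGroupType 1 = an AD group; 2 = any network resource.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Example-RAP' `
    -UserGroups $userGroup -ComputerGroupType 1 -ComputerGroup $hostGroup

# Review every RAP on the gateway: its state, what it is scoped to, and its ports.
$scopeNames = @{
    '0' = 'RD Gateway-managed group'
    '1' = 'AD group'
    '2' = 'Any network resource'
}
Get-ChildItem 'RDS:\GatewayServer\RAP' | ForEach-Object {
    $base = "RDS:\GatewayServer\RAP\$($_.Name)"
    $type = (Get-Item "$base\ComputerGroupType").CurrentValue
    [pscustomobject]@{
        Policy  = $_.Name
        Enabled = (Get-Item "$base\Status").CurrentValue
        Scope   = $scopeNames["$type"]
        Ports   = (Get-Item "$base\PortNumbers").CurrentValue
    }
} | Format-Table -AutoSize
```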


The RDS Gateway server is now ready to be placed beyond the firewall, facing Internet users. A user trying to connect to the RDS session hosts from a home or remote office location over the Internet must go through this RDS Gateway server first.


Connect to the Deployment

  34. To connect to the RDS deployment using the newly configured RD Gateway, in the Remote Desktop Connection app on the client machine, enter the name of the RD Session Host or the target machine.

Remote Desktop Connection app

  35. Click the Show Options button, select the Advanced tab and, in the Connect from Anywhere section, click Settings.

Remote Desktop Connection app

  36. Click the "Use these RD Gateway server settings" radio button and enter the public DNS name of the RDS Gateway.

Configuring the RD Gateway in the Remote Desktop Connection app

  37. Click OK and Connect. Enter the domain username and password for the RD Gateway Server and the target Session Host. The connection should succeed.

NOTE: For this to work, the public DNS name specified must resolve to the public IP address assigned to the RDS Gateway machine. This is something that must be configured in the settings of the Public DNS service in use.
 
NOTE: If a Self-Signed certificate or a certificate from an internal PKI is used for the RD Gateway deployment, this certificate must be installed on the client computer first before the connection can succeed.
 
NOTE: If the RDS Gateway machine is behind a firewall or NAT device, the only port that must be allowed in and forwarded to the RD Gateway server is TCP port 443.
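
The three notes above (public DNS resolution, certificate trust on the client, and TCP port 443) can be checked from a client machine before troubleshooting the Remote Desktop Connection app itself. This is an added example, not part of the original article; the function name is hypothetical and `rdgw.example.com` is a placeholder for the gateway's public DNS name.

```powershell
# Added example: client-side check of DNS, TCP 443 and certificate trust.
# 'rdgw.example.com' is a placeholder for the gateway's public DNS name.
function Test-RDGatewayEndpoint {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $r = [ordered]@{
        Gateway = $GatewayFqdn; ResolvedTo = $null; TcpOpen = $false
        CertTrusted = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $tcp = $null; $ssl = $null
    try {
        # The public name must resolve to the gateway's public IP address.
        $r.ResolvedTo = ([System.Net.Dns]::GetHostAddresses($GatewayFqdn) |
            ForEach-Object { $_.IPAddressToString }) -join ', '

        # TCP 443 is the only port that has to be allowed in to the gateway.
        $tcp = [System.Net.Sockets.TcpClient]::new($GatewayFqdn, $Port)
        $r.TcpOpen = $true

        # Default validation: the handshake fails if this client does not trust
        # the chain or the certificate does not cover the name being used.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.CertTrusted = $true
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
    }
    catch {
        # The first failing stage (DNS, TCP or TLS) is reported here.
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$r
}

Test-RDGatewayEndpoint -GatewayFqdn 'rdgw.example.com' | Format-List
```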


Monitor the RD Gateway Connections

Back on the RDS Gateway machine, in RD Gateway Manager and under Monitoring, the connection details are visible.

Monitoring the Connection in RD Gateway Manager
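
Beyond the live view in RD Gateway Manager, the gateway records CAP and RAP decisions and connections in its operational event log, which can be summarized as below. This is an added example, not part of the original article; the field names read from each event's XML are an assumption to confirm against a real event on the gateway.

```powershell
# Added example; run elevated on the RD Gateway server.
$log = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$meaning = @{
    200 = 'CAP met';   201 = 'CAP denied'
    300 = 'RAP met';   301 = 'RAP denied'
    302 = 'Connected'; 303 = 'Disconnected'
}

# Last 24 hours of authorization and connection events.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = [int[]]@($meaning.Keys)
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Assumption: Username, IpAddress and Resource sit under UserData/EventInfo.
    # Confirm the names in the XML view of an event before relying on them.
    $info = ([xml]$_.ToXml()).Event.UserData.EventInfo
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Outcome  = $meaning[[int]$_.Id]
        User     = $info.Username
        ClientIp = $info.IpAddress
        Resource = $info.Resource
    }
}

# Chronological view of who connected to what.
$events | Sort-Object Time | Format-Table -AutoSize

# Policy denials grouped by user and client address, most frequent first.
$events | Where-Object { $_.Id -in 201, 301 } |
    Group-Object User, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```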


Article Properties


Affected Product

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022

Last Published Date

04 Jan 2024

Version

3

Article Type

How To