Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Partner Program Sign In

How to Set up a Remote Desktop Services Gateway Server in Windows Server 2022, 2019, or 2016

Summary: This guide demonstrates the steps required to set up a Remote Desktop (RD) Gateway Server on a Remote Desktop Services (RDS) deployment.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Introduction

An RDS Gateway server is useful for allowing secure access to an RDS environment for Internet users.

A Remote Desktop Services (RDS) Gateway server uses an SSL certificate to encrypt the communication between the clients and the RDS servers.

IIS is used for authentication and to configure policies to granularly define which users should have access to what resources. 

This guide assumes that an RDS deployment (containing the RDS Connection Broker, Licensing, and Session Hosts roles) already exists.

For more information about setting up basic or advanced RDS deployment, see Dell KB article 217251 How To - Standard Remote Desktop Services Deployment - Step by Step. Another article to view is KB article 215230 Install and Activate an RDS Session Host without a Connection Broker (Workgroup) - Windows Server 2022. 


Deploy the RD Gateway Server Role.

  1. On the Windows Server computer that hosts the Connection Broker role for the RDS deployment, In Server Manager, click Manage then Add Roles and Features. Click Next on the Welcome Screen.

Add roles and features menu

  1. Select a Role-based or feature-based installation and click Next.
  2. ​​​​​Select the target server for the RD Gateway role of this deployment and click Next. In the screenshot below the target server is "rdsfarm." 
  3. In the Roles screen, Expand Remote Desktop Services and click the Remote Desktop Gateway checkbox.

RD Gateway Role selection

  1. Click Add Features to install the prerequisites and then Next until the confirmation screen and then click Install.

  2. Wait for it to finish installing and then click Close.

RD Gateway role installation

  1. Back in Server Managers of the Connection Broker, in the Remote Desktop Services node, click the green circle with the plus sign above RD gateway.

RDS Deployment Overview in Server Manager

  1. Select the server that is configured as the RD Gateway. Move it to the right side and click Next.

RD Gateway server selection wizard

  1. Enter the FQDN of the RD Gateway Server. (This step configures the subject on the Self-Signed certificate created by this wizard. This is not the certificate that is used in this guide.). Click Next.

RD Gateway Self Signed Certificate configuration

  1. Click Add to confirm the addition to the deployment, wait for it to finish installing the role and then click Close.

RD Gateway role installation


Configure the Certificate.

  1. Still in Server Manager, in the Connection Broker, under Deployment Overview, click Tasks and then Edit Deployment Properties.
      
    RDS Deployment Overview screen

  2. Click on the Certificates node.

Configuring the certificate for the deployment

Important!
For testing purposes, it is possible to use a self-signed certificate created here or like the certificate that was automatically created earlier in the wizard. However, a production RDS environment should be configured to use a certificate from a trusted public or domain-based certification authority.
This guide demonstrates how to configure a certificate from a trusted public certification authority. That way, this certificate does not have to be installed on the client computers.
 

  1. Click Select an existing certificate. Enter the path to the certificate. In this demo, the certificate has been copied to the root of the C:\ drive in the domain controller. Enter the password with which it was saved.

  2. Click to check the "Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers" checkbox and click Ok.

Configuring the certificate for the deployment

  1. Notice the Ready to Apply state in the deployment configuration screen. Click Apply.

Configuring the certificate for the deployment

  1. After a few moments, the screen shows that the operation was completed successfully, and the level column recognizes the certificate as "Trusted."

Configuring the certificate for the deployment

NOTE: A Self-Signed certificate would show as "Untrusted." That type of certificate would then have to be copied to the client computers and installed. This is one of the main benefits of using a domain-based or public certification authority certificate as is the case in this guide.
 

  1. Click the RD Web Access role and repeat steps 13-16 to configure it. That way that same certificate is used for IIS. Click Ok to exit the deployment configuration screen.


Configure a Connection Authorization policy and a Resource Authorization policy.

Before users can connect to the deployment using the RD Gateway server, it is required to configure a CAP and a RAP.

A Connection Authorization Policy (CAP) allows you to specify WHO is permitted to connect to the RDS Gateway Server.

A Resource Authorization Policy (RAP) allows you to specify WHAT servers or computers the authorized users have access to.
 

  1. On the RDS Gateway server, open Server Manager, click Tools, Remote Desktop Services, and then Remote Desktop Gateway Manager.

Accessing RD Gateway Manager from Server Manager

  1. Right-click the server name (RDSFARM in the image) and then click Properties.

Configuring RD Gateway server properties

  1. Under the Server Farm tab, add the name of the RD gateway server (again, RDSFARM in the image) and click Apply

    Server Farm tab

  2. Ignore the error about a load balancer. It is expected. Click Ok, Apply one more time and the status now shows OK.

Expected load balancing error
 

Added RD Gateway Server

  1. In the SSL certificate tab, it is possible to view and change the certificate configuration of the RD gateway server. Even create a new self-signed certificate if needed. All this, however, has already been configured in the connection broker.

Certificate tab

  1. Click Ok to exit out of the properties screen.

  2. Back in the main screen of RD Gateway Manager, expand the server and then policies.
     

  3. Right-click Connection Authorization Policies then click Create New Policy and then Wizard.

Creating a New Connection Authorization Policy

  1. Select Create an RD CAP and an RD RAP (recommended). Click Next.

Creating a New Connection Authorization Policy

  1. Enter a name for the RD CAP. Click Next.

  2. Click Add Group and enter the name of the group containing the users that are allowed to connect. Domain Users are used for this guide image. Click Next.

Creating a New Connection Authorization Policy

  1. Leave the defaults in the Device Redirection and Session Timeout steps, clicking Next on both screens as well as in the Summary screen and then proceed with the RD RAP.

  2. Enter a Name, click Next. Leave the default in the User Group section, Click Next again.

Creating a New Resource Authorization Policy

  1. In the Network Resource screen, if there is an active directory group containing the computer accounts of the Session Hosts servers of this RDS deployment, specify it. Otherwise, select "Allow users to connect to any network resource (computer)" option. Click Next.

Creating a New Resource Authorization Policy

  1. Leave the default port of 3389 for intranet gateway to RDS session hosts communication. Click Next.

  2. Click Finish in the summary screen and then Close.

Creating a New Resource Authorization Policy


The RDS Gateway server is ready to be placed beyond the firewall, facing the Internet users. A user trying to connect to the RDS session hosts from a home or remote office location over the Internet must go through this RDS Gateway server first.


Connect to the Deployment

  1. To connect to the RDS deployment using the newly configured RD Gateway, on the Remote Desktop Connection app of the client machine, enter the name of the RD Session Host or the target machine.

Remote Desktop Connection app

  1. Click on the Show Options button, Advanced tab and, on the Connect from Anywhere section, Click Settings.

Remote Desktop Connection app

  1. Click the "Use these RD Gateway server settings" ratio button and enter the public DNS name of the RDS Gateway.

Configuring the RD Gateway in the Remote Desktop Connection app

  1. Click OK and Connect. Enter the domain username and password for the RD Gateway Server and the target Session Host. The connection should succeed.

NOTE: For this to work, the public DNS name specified must resolve to the public IP address assigned to the RDS Gateway machine. This is something that must be configured in the settings of the Public DNS service in use.
 
NOTE: If a Self-Signed certificate or a certificate from an internal PKI is used for the RD Gateway deployment, this certificate must be installed on the client computer first before the connection can succeed.
 
NOTE: If the RDS Gateway machine is behind a firewall or NAT device, the only port that must be allowed in and forwarded to the RD Gateway server is TCP port 443.


Monitor the RD Gateway Connections

Back in the RDS Gateway machine, In RD Gateway Manager and under Monitoring, the connection details are visible.

Monitoring the Connection in RD Gateway Manager

Additional Information

Refer to this video:


You can also view this video on YouTube .

Affected Products

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022
Article Properties
Article Number: 000219517
Article Type: How To
Last Modified: 04 Jan 2024
Version:  3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.