
1/28/2019 Deploying Remote Desktop Gateway RDS 2012 – Ryan Mangan's IT Blog

Ryan Mangan's IT Blog

Data Centre & Cloud Technologist

Deploying Remote Desktop Gateway RDS 2012

What is a Remote Desktop Gateway

A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate
network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the
HTTPS Protocol to create a secure encrypted connection.

A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a
Secure Sockets Layer (SSL) tunnel.

A Remote Desktop Gateway Provides The following Benefits:

https://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/ 1/51

Enables Remote Desktop connections to a corporate network without having to set up a virtual private network (VPN).
Enables connections to remote computers across firewalls.
Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over a remote connection.

http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server

For more information on deploying a gateway on the perimeter network, please see the following link: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Deploying a remote desktop Gateway

To start the install, click on the RD Gateway icon highlighted in green on the Deployment Overview.

Select the server you want to install the role on.

Enter the external FQDN as the SSL certificate name (for this example I am using an internal address).

The RD Gateway role is installing…

Once the install is complete, you can use the links at the bottom of the install window to configure certificates and review the RD Gateway properties for the deployment.

As highlighted in red, you can see the gateway certificate located in the deployment properties under Certificates.

Under the RD Gateway tab, you can configure the login method and basic gateway settings.

Once the gateway is installed you will see the RD Gateway symbol appear.

Configuring the Gateway Manager

By right-clicking on the local gateway server you can open its Properties, where the advanced gateway settings are configured.

The General tab allows you to configure the maximum number of simultaneous connections.

The SSL Certificate tab allows you to import an external certificate, create a self-signed certificate, or import one from the personal store. I would recommend that you assign all the other certificates first and apply the RD Gateway certificate last, so that the gateway certificate is not modified by the Certificates tab in the RDS deployment properties.
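Most of the failed connections reported in the comments further down come from the gateway name and its certificate not agreeing: a .local internal name behind a .com external address, or a self-signed certificate the client does not trust. The following PowerShell is an added example, not code from this post or from Microsoft. Run from an external client (so the trust check reflects what users see), it connects to the gateway FQDN on 443 and reports whether the certificate presented there covers that name (wildcards included), chains to a trusted root on the client, and is still valid. The FQDN remote.mydomain.com is a placeholder.

```powershell
# Added example, not from the original post: check the RD Gateway name and certificate
# the way a client will see them before anyone tries mstsc through the gateway.
# 'remote.mydomain.com' is a placeholder; replace it with your external FQDN.

function Test-HostnameMatch {
    param([string] $Pattern, [string] $Hostname)
    if ($Pattern -eq $Hostname) { return $true }            # -eq is case-insensitive in PowerShell
    # A wildcard such as *.mydomain.com covers one extra label only
    # (remote.mydomain.com, but not mydomain.com and not a.b.mydomain.com).
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                        # ".mydomain.com"
        if (-not $Hostname.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $firstLabel = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
        return ($firstLabel.Length -gt 0) -and (-not $firstLabel.Contains('.'))
    }
    return $false
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $names = @($Cert.GetNameInfo('DnsName', $false))         # CN (or first SAN entry)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() yields text such as "DNS Name=a.example.com, DNS Name=b.example.com"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    return $names | Where-Object { $_ } | Sort-Object -Unique
}

function Test-RdGatewayCertificate {
    param([Parameter(Mandatory)] [string] $GatewayFqdn, [int] $Port = 443)
    $r = [ordered]@{ Fqdn = $GatewayFqdn; TcpReachable = $false; Subject = $null; DnsNames = @()
                     NameMatches = $false; ChainTrusted = $false; NotAfter = $null; Errors = @() }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($GatewayFqdn, $Port)
        $r.TcpReachable = $true
        # Accept any certificate during the handshake; the checks below do the judging.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject     = $cert.Subject
        $r.NotAfter    = $cert.NotAfter
        $r.DnsNames    = Get-CertificateDnsNames $cert
        $r.NameMatches = [bool]($r.DnsNames | Where-Object { Test-HostnameMatch -Pattern $_ -Hostname $GatewayFqdn })
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'         # trust and expiry only; no CRL/OCSP lookups
        $r.ChainTrusted = $chain.Build($cert)
        if (-not $r.ChainTrusted) { $r.Errors += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) }
        if (-not $r.NameMatches)  { $r.Errors += "certificate names do not cover $GatewayFqdn" }
        if ($cert.NotAfter -lt (Get-Date)) { $r.Errors += 'certificate has expired' }
        $ssl.Dispose()
    } catch {
        $r.Errors += $_.Exception.Message
    } finally {
        $client.Close()
    }
    return [pscustomobject] $r
}

Test-RdGatewayCertificate -GatewayFqdn 'remote.mydomain.com' | Format-List
```

A gateway that still carries the self-signed certificate created during the install will show ChainTrusted false with the chain status text explaining why; a public-name mismatch shows NameMatches false with the certificate's actual names in DnsNames, which is the first thing to compare against the name you typed into the SSL certificate name field above.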

The Transport Settings tab allows you to configure the RPC-HTTP and HTTP settings. You can change the defaults to meet corporate security requirements.

The RD CAP Store tab lets you choose whether Remote Desktop connection authorisation policies (RD CAPs) are stored on the local NPS server or on a central NPS server for centralised management.

The Messaging tab is great for notifying users of outages and maintenance times or other
administrator messages.

Please see the hyperlink below for information on SSL Bridging and tunnelling.

http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

The Auditing tab allows you to select which events are written to the log files.
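Selecting what to audit is only half the job; someone has to read the result. As an added example (not from the post), here is a PowerShell summary over the gateway's operational log that turns the audit events into something a defender can act on: connection and resource authorisation failures grouped by client address, so a burst of denials for many different users from one source is visible at a glance. The event IDs and the message layout are what the gateway writes as far as I know; confirm both against your own log. The events fed to it here are constructed samples.

```powershell
# Added example, not from the original post: summarise RD Gateway authorisation failures
# so repeated denials from one client address stand out. Event IDs are those the gateway
# writes to Microsoft-Windows-TerminalServices-Gateway/Operational (200 CAP met, 201 CAP
# not met, 300 RAP met, 301 RAP not met, 302 connected); confirm them against your server.

$DenialIds = 201, 301

function ConvertFrom-RdGatewayMessage {
    # Pulls the user and client computer out of the event text. The quoted layout,
    # 'The user "DOMAIN\user", on client computer "1.2.3.4", ...', is an assumption
    # based on the gateway's English message templates; adjust the pattern if yours differs.
    param([string] $Message)
    if ($Message -match 'The user "(?<User>[^"]+)", on client computer "(?<Client>[^"]+)"') {
        return [pscustomobject]@{ User = $Matches.User; Client = $Matches.Client }
    }
    return $null
}

function Get-RdGatewayDenialSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # anything with Id, TimeCreated and Message
        [int] $Threshold = 5                         # denials from one client that merit a look
    )
    $denied = foreach ($e in $Events) {
        if ($DenialIds -notcontains $e.Id) { continue }
        $parsed = ConvertFrom-RdGatewayMessage $e.Message
        if ($parsed) {
            [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; User = $parsed.User; Client = $parsed.Client }
        }
    }
    $denied | Group-Object Client | ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Client        = $_.Name
            Denials       = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = $ordered[0].Time
            LastSeen      = $ordered[-1].Time
            Suspicious    = $_.Count -ge $Threshold   # many different users from one client is the pattern to review
        }
    } | Sort-Object Denials -Descending
}

# Constructed sample events. Against a real gateway, feed the function with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 201, 301 }
function New-SampleEvent([int] $Id, [string] $Time, [string] $User, [string] $Client, [string] $Text) {
    [pscustomobject]@{ Id = $Id; TimeCreated = [datetime] $Time
                       Message = "The user `"$User`", on client computer `"$Client`", $Text" }
}
$capDenied = 'did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.'
$rapDenied = 'did not meet resource authorization policy requirements and was therefore not authorized to connect to resource "rds1.corp.local".'
$capMet    = 'met connection authorization policy requirements and was therefore authorized to access the RD Gateway server.'
$sample = @(
    New-SampleEvent 201 '2019-01-28 08:00:01' 'CONTOSO\alice' '203.0.113.5'  $capDenied
    New-SampleEvent 201 '2019-01-28 08:00:04' 'CONTOSO\bob'   '203.0.113.5'  $capDenied
    New-SampleEvent 201 '2019-01-28 08:00:07' 'CONTOSO\carol' '203.0.113.5'  $capDenied
    New-SampleEvent 200 '2019-01-28 08:05:00' 'CONTOSO\dave'  '198.51.100.7' $capMet
    New-SampleEvent 301 '2019-01-28 08:06:00' 'CONTOSO\dave'  '198.51.100.7' $rapDenied
)
Get-RdGatewayDenialSummary -Events $sample -Threshold 3 | Format-Table -AutoSize
```

With the sample data the 203.0.113.5 row shows three denials for three distinct users inside six seconds and is flagged, while 198.51.100.7 shows a single RAP denial for a user who had already passed the CAP, which is the ordinary "authorised to the gateway but not to that resource" case worth checking against the RAP rather than the firewall.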

The Server Farm tab allows you to configure multiple Gateway servers for use in a farm (High
Availability).

Connection authorisation policies allow you to configure which users are allowed to connect through the gateway.

You can disable the redirection features for enhanced security.

The Timeouts Tab allows you to limit client sessions.

Resource authorisation Policies allow you to specify the network computers that users can
connect to.

You can define user access on the User Groups tab.

The Network Resource tab is used to specify the network resources.

The Allowed Ports tab enables you to change the ports clients are allowed to connect to, to enhance security.

Creating Computer Groups

When creating a highly available Connection Broker configuration or a Remote Desktop Session Host farm, you need to create server groups using Manage locally stored computer groups.

Click Create Group.

Enter the name and the description of the computer group.

For connection brokers and RDSH servers, you need to add the servers and the farm name, as mentioned on this tab.
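The policies and the computer group configured by hand above (connection authorisation policy, resource authorisation policy, allowed ports, locally stored computer group) can also be scripted on the gateway with the RDS: PowerShell drive that the RD Gateway role installs. The script below is an added example, not from this post: it creates a locally stored computer group for the session hosts and the farm name, a CAP that admits one AD group with password authentication, and a RAP that lets that group reach only the computer group on port 3389, then lists the settings of each for review. The group, user group and host names are placeholders; the New-Item parameters are the ones documented for the RDS provider, but if your server version rejects one, check Get-Help New-Item -Path RDS:\GatewayServer\RAP.

```powershell
# Added example, not from the original post: scripts the three objects the post
# configures by hand in RD Gateway Manager and prints what was created for review.
# Names, the user group and the host names are placeholders; replace them.
Import-Module RemoteDesktopServices -ErrorAction Stop   # exposes the RDS: drive on an RD Gateway server

$GroupName = 'RDSH_Farm'                                               # placeholder
$UserGroup = 'RDS Users@CONTOSO'                                       # placeholder, 'Group@DOMAIN' form
$Hosts     = 'rdsh1.corp.local', 'rdsh2.corp.local', 'rdsfarm.corp.local'   # placeholders; include the farm name
$CapName   = 'RDG_CAP_RDSUsers'
$RapName   = 'RDG_RAP_RDSHFarm'

function Test-RdGatewayProvider {
    # The RDS: drive only exists where the RD Gateway role and its PowerShell module are installed.
    return [bool](Get-PSDrive -Name RDS -ErrorAction SilentlyContinue)
}

if (-not (Test-RdGatewayProvider)) { throw 'RDS: provider not available; run this on the RD Gateway server.' }

# 1. Locally stored computer group (Manage locally stored computer groups -> Create Group).
if (-not (Test-Path "RDS:\GatewayServer\GatewayManagedComputerGroups\$GroupName")) {
    New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $GroupName `
             -Description 'Session hosts and farm name' -Computers $Hosts | Out-Null
}

# 2. Connection authorisation policy: password authentication (AuthMethod 1), one AD group.
if (-not (Test-Path "RDS:\GatewayServer\CAP\$CapName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $CapName -UserGroups $UserGroup -AuthMethod 1 | Out-Null
}

# 3. Resource authorisation policy: the same group may connect only to the computer group
#    above (ComputerGroupType 1 = RD Gateway-managed group) and only on the RDP port.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$RapName")) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName -UserGroups $UserGroup `
             -ComputerGroupType 1 -ComputerGroup $GroupName -PortNumbers 3389 | Out-Null
}

# Review: each policy's settings (device redirection, timeouts, allowed ports) are child
# items under its path, so one recursive listing shows exactly what the GUI tabs show.
foreach ($path in "RDS:\GatewayServer\GatewayManagedComputerGroups\$GroupName",
                  "RDS:\GatewayServer\CAP\$CapName",
                  "RDS:\GatewayServer\RAP\$RapName") {
    Write-Host "== $path"
    Get-ChildItem -Path $path -Recurse | Select-Object Name, CurrentValue | Format-Table -AutoSize
}
```

The Test-Path guards make the script safe to re-run after a partial failure, and limiting the RAP to a named computer group and a single port is the least-privilege shape of the "any network resource" default that the wizard offers.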

Published by Ryan Mangan

Ryan Mangan works as the CTO at Systech IT Solutions, an application delivery and desktop virtualization specialist company based in the UK, where he focusses on end-user computing and emerging technologies. Ryan is an end-user computing specialist with a great passion for virtualization. A speaker and presenter, he has helped customers and technical communities with end-user computing solutions, ranging from small to global 30,000-user deployments. He is the owner and author of ryanmangansitblog.com, where he posts articles about remote desktop services, VMware, Microsoft Azure, KEMP, and other products and technologies. Ryan has been awarded VMware vExpert since 2014, has been a member of the NetApp United program since 2017, and was awarded Technical Person of the Year in 2017 by KEMP Technologies.

March 27, 2013


Microsoft, RDS 2012

Gateway, HTTP Secure, HTTPS, RD Gateway, RDS 2012, Remote Desktop Connection,
Remote Desktop Gateway, Remote Desktop Protocol, Remote Desktop Services, secure
sockets layer, Server 2012, SSL, Virtual private network, VPN

81 thoughts on “Deploying Remote Desktop Gateway RDS 2012”

1. David Raymond (@david_it)
says:
May 1, 2013 at 8:08 pm
Hi Ryan,

First, you “how to” is very usefull.

I have a question for you, i have setup like 1 RDGW. This server only have this role.
3 servers have RDHA,RDSH,RDWEB. How can i add the certificate for RDGW if i can’t reach
him from the console?

In the “deployment properties” all is set ok, but in certificate, the RDGW is grey out. You
have a clue to add it ?

RDCB SSO –> OK
RDCB Publishing –> OK
RDWEB –> OK
RDGW –> grey out

Thanks for you help.

1. Ryan.Mangan
says:
May 1, 2013 at 8:16 pm
Hi,

Ensure that the RDGW role is added to every server group, you can add the certificate
through the RD Gateway manager.

Regards,

1. David Raymond (@david_it)
says:
May 1, 2013 at 8:28 pm
ok, after, can i remove the role from those ?

2. Ryan.Mangan
says:
May 1, 2013 at 11:04 pm
Don’t install the RDGW to every server, you need to add each server to each other for
remote management.

Best Regards,

2. David Raymond (@david_it)
says:
May 2, 2013 at 1:32 pm
Thank you Ryan, this help me to fix this.

3. Ryan
says:
June 13, 2013 at 6:52 pm
Hi, Can the RD Gateway server be the same as the actual RDS server that all my clients will
be using for terminal services/remote desktop?

Also, for the certificate… My AD domain is .local and my external is a .com. How do I issue
a public certificate from thawte or godaddy in that case?

Thanks.

1. Ryan.Mangan
says:
June 13, 2013 at 8:35 pm
Hi,

Please can you confirm what server you want to install RD Gateway on. I would
recommend installing RDWA and the RDGW on a separate server from you session
server for security reasons.

please see the following link for publishing certificates:


http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/5e9f264d-486c-4e7b-8004-30f63ec154ff

Best Regards,

4. Stan
says:
August 28, 2013 at 12:51 pm

I followed every steps and can’t access from anywhere except the server itself.
Everything remote concerned is on the same server.

When I use remote connection (don’t bypass the gateway) … doesn’t work at all (first the
cert is invalid. So client communicate correctly with the Gateway. When the cert is added to
the client … connection take ages and then fails.

Help would be very but very appreciated

1. Ryan.Mangan
says:
August 29, 2013 at 12:36 am
Hi,

Can you confirm you are using a using a valid and trusted certificate. the article shows an
untrusted.

Try Restarting your RDS infrastructure.

Have you checked the event logs, is there any errors ?

can you also ensure that the user group is added to the RDG_CAP properties.

Best Regards,

1. Stan
says:
October 9, 2013 at 10:49 am
I created the certificat with the GUI
It is untrusted

2. Ryan.Mangan
says:
October 9, 2013 at 11:05 am
you will need to purchase a certificate, I would recommend a SAN or a wild card cert.
Best Regards,

5. Todd
says:
September 24, 2013 at 3:22 pm
Hi Ryan,

Can you help me get a grip on the Licensing for RDGW? Will my install stop tunneling
connections after 120 days. We are using just as the Gateway, no VDI and no RemoteApps.

If i do need CALs, what components must be installed? It is a Server 2012 install.

Thanks,
Todd

1. Ryan.Mangan
says:
September 25, 2013 at 4:33 pm
Hi, you will need to install the RDS licencing role to use the gateway. Then its a simple
case of adding licences.

Best Regards,

6. Raghu
says:
October 24, 2013 at 6:29 pm
Hi,
I had a high availability setup. All servers are windows 2012. I want to configure idle time
out for RD web access, the URL should be automatically sign out when it will reach idle time
out. RD web access has IIS 8.0 . Is it possible?
Please suggest , how.

7. Pingback: WAF Terminalserver 2k8 RDWEB - Sophos User Bulletin Board


8. jgray
says:
December 3, 2013 at 7:40 pm
Can you use RD Gateway in conjunction with the new Web Application Proxy in server 2012
R2 to allow for more security and reverse proxying?

1. Ryan.Mangan
says:
December 3, 2013 at 7:41 pm
I haven’t done so but I cannot see why not.

2. RJ
says:
December 9, 2014 at 8:46 am
When I position the Remote Desktop Gateway behind Web Application Proxy, which
method do I need to choose, ADFS Pre-authentication or Pass-through?

9. Ben
says:
January 16, 2014 at 3:17 pm
Any tips for setting up a RDGW in a DMZ in a single firewall setup?

1. Ryan.Mangan
says:
January 16, 2014 at 6:32 pm
Apologies if I am teaching you to suck eggs but as there is little information, it's hard to gauge your knowledge.

Add a second Nic to the RDGW and connect that up to your DMZ. Open up the SSL port
(443) only from the public and the DMZ interface, Then finaly NAT the DMZ IP to the
public interface.

If you need any info on the RD Gateway and Ports, have a look at http://blogs.msdn.com/b/rds/archive/2013/03/14/what-s-new-in-windows-server-2012-remote-desktop-gateway.aspx.

Best regards,

10. iHsan
says:
February 4, 2014 at 7:14 pm
Hi Ryan
Thank you very much for this post that was very helpful. However as for me I’m in a little confusion:

I have two hyper -v virtual server setup as RDSH-FARM-1 and RDSH-FARM-2 servers (both
of the machines are domain member), All the roles are installed on FARM-1 and FARM-2 has
remote session host installed just for load balancing.

I’ve used local CA to request certificate for RDWA and RDG (RDSH-FARM.co.uk)

RDGATEWAY is setup with all policy rap and cap.

Everything is working internally but not externally. I can browse to RDWA via my public IP
e.g 12.56.45.67/rdweb and can login with user account but soon i try to remote desktop it
says rd gateway server is not reachable?

My question is do i have to have a registered public domain name?


can i not just use the public ip/rdweb to get access to my RDSH server?
If i do need an public resolvable FQDN, can i link my public ip with my iis webserver?

apart from this just to make it short, what exacly i am missing here? and what do i need to
make this work>?

I will really appreciate your help!

1. Ryan.Mangan
says:
February 11, 2014 at 5:51 pm
Hi, you will need a gateway server for a secure connection to the session hosts. Please
read the article on the RD gateway server.

11. iHsan
says:
February 4, 2014 at 7:16 pm
just to add on my internal RDSH FQDN is RDSH-FARM1.domain.co.uk

12. Rich
says:
April 22, 2014 at 10:18 pm
Hi Ryan,

Thank you for all of this as all your blogs have extremely helped me in my RDS
deployments.

I am working with an FQDN mydomain.local and trying to setup and RDS 2012
deployment. I have a single server setup.

server.mydomain.local – RD Connection Broker
server.mydomain.local – RD Virtualization Host
server.mydomain.local – RD gateway
server.mydomain.local – RD Web Access

I have an external dns name of remote.mydomain.com and a wildcard cert associated with it.
I setup the gateway with external FQDN remote.mydomain.com. Applied the wildcard cert
for *.mydomain.com successfully to all roles.

RD Connection Broker Enable Single Sign On : Trusted, OK
RD Connection Broker – Publishing : Trusted, OK
RD Web Access : Trusted, OK
RD Gateway : Trusted OK

I created a new DNS zone remote.mydomain.com and pointed it to the IP of the server that
hosts all these roles.

I can now access my VDI collection successfully internally but not externally. The error I get
when connecting externally states:

Remote Desktop can’t connect to the remote computer “server.mydomain.local” for one of
the reasons:
1) Your user account is not authorized to access the RD Gateway “remote.mydomain.com”
2) Your computer is not authorized to access the RD Gateway “remote.mydomain.com”
3) You are using an incompatible method

I tried using the Set-RDPUblishedNamed script after, and set the name to
remote.mydomain.com.
Now both internal and external connections will not authenticated when given the prompt
to login. Saying the credentials did not work.

After setting the published name to my external fqdn, both the remote computer and the gateway are pointed to remote.mydomain.com

Putting broker in high availability is not an option in this situation because we don’t have a license for another server.

Any ideas on what I’m missing? I doubt its a permissions issue. Is it a problem with
accessing the gateway? From my understanding once we have access to the gateway
externally, the broker can be internal as a secure rdp connection has already been
established. Any help would be greatly appreciated. Thanks!

13. Raghu
says:
April 26, 2014 at 4:40 pm
Hi Rich,
If you are using self sign wild card certificate, then add this certificate in trusted root
authority of your local desktop/laptop. Then only you will be able to connect externally.
Thanks

1. Ryan.Mangan
says:
April 26, 2014 at 5:03 pm
Just to clarify what Raghu is saying, you would need to export the certificate used on the
gateway server and the. Import the certificate using mmc and store that in the local
computer certificate folder. You can also use the internal certificate authority if you have
one

14. Dave
says:
May 12, 2014 at 9:33 pm
I have my 2012 RD gateway published and is accessible through my TMG Firewall from the
outside world. I noticed that when connecting externally from a Windows 8 PC to a Server
2012 box behind TMG that UDP does not show as being enabled when I connect to The
Server 2012 box from a Windows 8 PC inside TMG UDP is enabled. Has anyone successfully
published Server 2012 RD gateway with UDP working through TMG or any other Firewall
and how? Thanks.

1. Ryan.Mangan
says:
May 14, 2014 at 9:46 pm
Hi, as TMG is end of life, I would not recommend using this for securing RDS. TMG does not support RDP 8 where as UAG does. Are you wanting to reverse proxy or just simply publish UDP Traffic. All firewalls will allow you to port forward\NAT UDP traffic. https://social.technet.microsoft.com/wiki/contents/articles/10973.configuring-udp-support-on-the-rd-gateway-in-windows-server-2012.aspx

1. Dave
says:
May 15, 2014 at 1:44 am
I have a reverse proxy in place for my RD Gateway. I guess going the reverse proxy
route will not allow for UDP traffic, is that correct?

15. KL_Dane
says:
May 28, 2014 at 12:46 pm
Hi Ryan,
Thanks for a good guide.
I have one issue remaining I hope you can help me with. When logon on to rdweb from a public connection, I am able to log on and see that default RDS connection. When I try to connect to it I only get an error:

Your computer can’t connect to the remote computer because the Remote Desktop Gateway
server is temporariy unavailable.

Everything is working internally. I am using 2012 R2 servers.


GW server is using rdsgw.public.com certificate
Broker and rdweb is using rds.public.com certificate and public DNS have NAT to private IP
rds1 and rds2 are my host servers

Any idea what I am missing?

1. Ryan.Mangan
says:
May 28, 2014 at 12:49 pm
have you configured the gateway to allow a connection to the RDS servers. Is the gateway
behind a Load balancer ? have you tested the gateway connection internally using
MSTSC

1. KL_Dane
says:
May 28, 2014 at 1:03 pm
Hi Ryan,

I have configured the Local Computers Group (rds.public.com+internal FQDN of both host servers) on the GW and i am using it in my RAP.

The gw is not behind a load balancer.

When i test mstsc with gw from my internal network i am being logged on to the
broker server and not the host server.

I tried to add a public IP to the rdsgw.public.com and NAT it to the gw server. Now I
am recieving a second credential box asking for credentials to the internal broker
FQDN. When typing in my admin credentials it times out eventually.

2. Ryan.Mangan
says:
May 28, 2014 at 1:14 pm
What event logs if any are showing . Have you configured the gateway setting internally then attempted to connect to a server which passes through the gateway.
What port have you allowed out on your firewall 443 ? This could a number of things

3. KL_Dane
says:
May 28, 2014 at 1:37 pm
Hi Ryan,

There is no events logged to any of the involved servers.

I have just tried connecting to rds1.domain.local using gw rdsgw.public.com and I got a connection to the rds1 server.

rdsgw.public.com has port 443 allowed in my fw
rds.public.com has port 80 and 443 allowed in my fw
(80 so that it will redirect the uses to 443 instead of showing a 403 error)

Why is the default RDP shortcut on the rdweb refering to the broker internal address?
Isn’t that the issue remaining to be solved?

4. Ryan.Mangan
says:
May 28, 2014 at 1:49 pm
You have a internal domain of .local and external of .com you need to change the
naming have a look at my article certificates and Sso. You will also have certificate
mismatches which will prompt the credential box

5. KL_Dane
says:
June 2, 2014 at 1:02 pm
Hi Ryan,

Thanks for the quick replies and good assistance. I have solved my public access
issue, with this PowerShell cmd:
Set-RDSessionCollectionConfiguration -CollectionName RDS -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:rds.domain.local `n authentication level:i:0"
This way it points to the RDS farm name and not the broker server.

and these 2 configurations:

IIS Manager:
drill down to Sites –> Default Web Site (or the name of yours) –> RDWeb –> Pages
Then Click ‘Application Settings’
Then for ‘DefaultTSGateway’ fill in the external DNS name of the RD Gateway server

Register the NPS server in Active Directory:
In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
Right click on the NPS (Local) node and choose Register server in Active Directory.
Click OK to authorize the server when prompted.

and I have deployed a selfsigned certificate to all my RDSH servers rds.domain.local

Thank you for you quick responces, they did lead me in the right direction to solve
this configuration.

16. Ray
says:
June 1, 2014 at 7:24 am
Hi,
Your posts are great and really helped me to understand this. Have a question for you which
I could not figure out how to do it.

I have a setup with 4 2012R2 servers RDGW1, RDWA1, RDCB1, RDSH1

I want to publish remote apps which is on RDWA1 to internet. If my understanding is correct I have to forward port 443 from the router to RDGW1. But obviously RDWeb is hosted on RGWA1, I can not access it when I pointed port 443 to RDGW1.

Would you be able enlighten me on how to achieve this?

Thank you
Ray

1. Ryan.Mangan
says:
June 3, 2014 at 5:41 am
You need to allow external access 443 tcp / 3391 UDP access to the gateway and 443
access to rdweb. You need both publishing externally. Some install both roles in the same
box so to simplify things.

17. Alex
says:
July 8, 2014 at 10:01 am
Hi Ryan, thanks for your tutorial. I installed in DMZ Win 2012R2 with two NICs. On that
machine I’ve run remote desktop services installation (with default published apps) and just
added RDGateway.
RDGateway se ings are Use these : domain.com certificate is public (UCC with 10 SANs).
Under Certificates I added this cert for Connection Broker, WebAccess but RDGateway is
greyed. I am not able to edit this here so I added certificate through GRGateway manager.
Policies are configured locally on NPS server
Since I have my website dimain.com I installed IIS ARR in order to route to the RDGateway
everything with /RDWeb. It seems to be working, I can open the login page, log in but when
I start remote app (that works within LAN – bypass Gateway is selected) I receive an error
“Your Computer can’t connect to the remote computer because RDGateway server is
temporarily unavailable. Try reconnecting later ……”

18. dzilla
says:
September 19, 2014 at 5:33 pm
Just came across this thread and I think some of you might be able to help. Here is my
breakdown: Using a .local domain, installed RDS with VDI, used the self assigned certificate
during install, went in afterwards and into deployment properties and changed the
certificate to a wildcard public cert.

I am able to access RDweb, log in using domain account, see the VDI published, click on it
and then I get the following error:

“Remote Desktop can’t connect to the remote computer “RDS.internal.local” for one of these
reasons:

1) Your user account is not authorized to access the RD Gateway “rds.publicdomain.com”
2) Your computer is not authorized to access the RD Gateway “rds.publicdomain.com”
3) You are using an incompatible method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Contact your network administrator for assistance.”

The user account I used to log into the RDweb is authorized and also the machine, and I am
not using a smart card deployment. Any ideas?

Thank you,

Derek

1. Ryan.Mangan
says:
September 30, 2014 at 8:23 pm
you’re accessing the VDI externally with a .com and internally the domain is a .local. This is your problem. try disabling certificate authentication. if that works re enable it. TP has written a script which will resolve your issue, have a look under Remote Desktop services on Technet’s gallery

19. Greg
says:
October 12, 2014 at 10:36 am
Good article. helped a lot, when I accidentally removed NPS from the server and needed to
reconfigure.

20. Adrian
says:
October 30, 2014 at 1:10 am
Hello,
we created an RDS farm (one broker server and 2 RDSH servers) We did not install RDG,
because we want the farm to be accessed only internally. When we access the farm by
Remote Desktop, log in and we have the warning screen “the identity of the remote
computer can not be verified…). We created a cert in the broker server, registered it with
godaddy, (something like files.domain.com), and we installed it on the broker. In the
deployment properties for the collection the rd connection broker – enable SSO, rd
connection broker – publishing and rd web access have this certificate installed and the level
is trusted BUT when we access the farm: myfiles.domain.com from remote desktop, log in,
we have the warning screen “the identity of the remote computer can not be verified…). We
looked few days on internet, no luck. The environment is Windows server 2012. Any ideas?
Thank you.

21. Hulda
says:
October 30, 2014 at 2:10 am
Definitely imagine that which you said. Your favourite reason seemed to be at the internet the simplest factor to consider of. I say to you, I certainly get annoyed whilst folks think about worries that they just do not know about. You controlled to hit the nail upon the top and also defined out the whole thing with no need side-effects , people can take a signal. Will likely be back to get more. Thanks

22. Darian
says:
October 30, 2014 at 2:49 pm
Ryan,

One of the things that confuses me most of Microsoft deployments is the external access. I
just see so little documentation on it that it’s incredible. Everything I’ve read online and blogs
say that the purpose of the gateway is to enable access to your farm from the public internet.
So my thought process was “ok, only open ports 443 & 3391 to the outside and ant it to the
gateway”. However if you do this, while you can use MSTSC, you can’t do remoteapp nor
get to the webaccess. So in the end I had to open up 443 to rdweb server. Is this correct?

23. Amit
says:
December 10, 2014 at 10:32 pm
Hello,

Am I correct in assuming that after I follow this guide, I will be able to access the RD server
from restrictive client firewalls?

What I Mean by that is, oftne times my users will visit other orgs who have very restrctive
firewall policies. If I set up RD Gateway on 2012 R2, will this tunnel all traffic through 443 to
give RDP a fighting chance of establishing a session?

1. Ryan.Mangan
says:
December 11, 2014 at 1:08 am
Yes you will tunnel through on 443 or 3391 like a vpn

1. Amit
says:
December 11, 2014 at 1:14 am
Hey, can you clarify which steps exactly above ‘force’ the RD gateway to only utilize
port 443? I’ve configured my system to only use port 443 in both the RD Gateway
Manager > My Server > Policies > Resource Authorization Policies and also in RD
Gateway Manager > right click on My Server > Properties > Transport Settings tab and
unticked “Enable UDP Transport”.

What I’m trying to accomplish is to get everything running over 443 and not depend on
any ‘non standard’ ports as most security conscious organizations tend to block most
ports leaving only 80 & 443 open for standard user access networks.

24. Michael
says:
December 26, 2014 at 7:46 am
Hello,

Great post! Serious issue. When I right click properties, the RD CAP Settings are all grayed
out; I can’t click anything.

Why are they grayed out? I am trying to configure Central NPS

25. nvgoldendog
says:
January 20, 2015 at 11:11 pm
Hi Ryan. Great article. You detailed all the boxes very well. After following your article and
reading some of the posts I was successful in getting my RDS Gateway working internally
and externally. I was wondering if you had a blog post on setting and tweaking WebApps? I
am trying to find a good guide on editing the .RDP files and such. The way I did it on 2008
R2 is not the same as 2012 R2. Thanks!
Lyle Epstein
Kortek Solutions, Las Vegas, NV

1. Ryan.Mangan
says:
January 25, 2015 at 9:38 pm
The rules and features are similar on 2012 R2. What are you trying to do? Make
changes to RDPs or create custom files?

26. ben
says:
January 24, 2015 at 12:29 pm
Hi Ryan,

maybe a stupid question.. but i don’t get it…

I configured my RD Gateway Server to be reachable with an external IP in our DMZ.
I followed your steps above, but which URL should i enter to access it?

I used the external IP of the GW server, but only got the IIS splash page. I checked what else
pages are on the gateway setup and tried accessing /rpc which prompts for credentials then
nothing happens…
I used my internal wildcard certificate on my external gw server, which is – of course –
untrusted. Is that the issue? Does it not proceed without having a trusted cert? If so, could I
solve this with importing the internal wildcard cert?

Thanks!
Ben
1. Andrea
says:
December 7, 2016 at 11:07 am
Same problem here, I can access the RDWEB on my broker internally and externally, but
when I try to point my browser to https://rdgwy/rpc (or https://remote.domain.com) I’m
prompted for the password and nothing happens…both from internal and from external.
It is driving me mad, also because I have no events logged at all on my gateway :-((((

I’m using a wildcard certificate created with my certification authority, naturally I added
it to my test pc.
Do I need to set any configuration on my session host servers, or the broker?

Any suggestion Ryan can be more than appreciated!!!

1. Ryan.Mangan
says:
March 12, 2017 at 9:32 am
Check the RAP and CAP policies. Ensure the gateway can communicate outside and
through the network. Telnet is a good shout.

27. Mahe
says:
February 25, 2015 at 11:05 am
Hi Ryan,
I had RD Web and RD Gateway on the same server (which was on DMZ), other servers are
separated by each 2 RDSH and 1 Connection Broker (so total 3 different servers for each role
+ 1 on the DMZ).

With this setup I have achieved access INTERNALLY and EXTERNALLY.

But when I removed the RD Web role from the RD Gateway server and used a separate RD web
server (which is not in DMZ), after that I get a 404 error when accessing
https://ExternalgatewayFQDN/rdweb

So any ideas on what is missing?

1. Ryan.Mangan
says:
February 25, 2015 at 11:03 pm
Uninstall and ensure IIS is removed. Then reinstall.

28. Tom Kemp
says:
March 3, 2015 at 1:58 am
Maybe someone has experienced this and can help me out. I have a 6 server environment for
RDS –
2 x AD DS
1 x RD GW + Web Access
1 x RD CB
2 x RD SH

I can see the session collection in Remote Desktop client, and when I connect to an app it
appears to connect, authenticates, then says Connecting to RDP…then nothing, the window
just closes. I check session hosts and no connections appear. Any idea?

29. Inkar
says:
March 11, 2015 at 2:21 pm
Is it possible to tunnel through two RDGW servers?
RDP Client -> RDGW_SiteA -> RDGW_SiteB -> RDSH_server

For security/compliance reasons I can only RDP out using a RDGW server. But I now need to
connect to a remote site that is running a RDGW server.

1. Ryan.Mangan
says:
March 22, 2015 at 9:43 pm
Would it not be easier if you used a site to site VPN ?

1. Inkar
says:
March 24, 2015 at 11:32 am
Hi Ryan,

Unfortunately outgoing RDP is only allowed via a locked down RDGW. No VPN
access would be permitted between the two sites.

30. Pingback: anyone know any good guides for making rdp servers externally accessible
31. ricardo
says:
October 21, 2015 at 10:59 pm
Hello,

I am having an issue accessing my gateway server from any external sources. There is a
timeout error. The address abc.remote.com works internally.

My setup is like this:

1. One Gateway/web access on same server.
2. Two Session Host servers
3. Two Broker servers
4. SQL server is installed on Gateway server
5. License server is installed on the Brokers

I have a Host A record on my Domain name provider that points to my firewall. Then my
firewall points to my internal Gateway server. I am allowing traffic from external through my
firewall on port 443.

32. Arunkumar
says:
February 29, 2016 at 9:09 am
Hi Ryan,

I have done the RD Gateway setup for one of our clients using a self signed certificate, it works
fine internally within the network. But when I try to access from externally I get the below
error: https://Public IP/RDWeb

your computer can’t connect to the remote computer because the remote desktop gateway
server address is unreachable or incorrect.

What could be the issue, is it mandatory to purchase self signed certificate for accessing the
Remoteapp externally?

Thank you for your

1. Ryan.Mangan
says:
March 16, 2016 at 12:51 pm
It could be certificates or the RAP and CAP policies in the gateway manager

33. Travis Treadway
says:
December 4, 2016 at 5:45 am
Ryan

My setup consists of individual servers:
RDS Licensing Server
RDS Gateway Server / RD Web Access Server
RDS Connection Broker
RDS Session Host 1
RDS Session Host 2

I have two questions. When configuring the RAP policy for the RD Gateway does the
network resource for my Server Group need to be the Connection Broker or the two RDS
Session Hosts? I am guessing it would need to be the Connection Broker seeing how I want
the external end user to be directed to the RDWeb landing page. Once they are directed to
that landing page and login, the Broker Server would determine which RDSH server to use
seeing how they load balanced. Am I correct in my thinking?

If so, after I would need to create a policy in my firewall forwarding all external traffic from
the outside to the RD Gateway Server on say port 4443 and that would redirect users to the
Broker Server and the RDWeb landing page?

Thank you in advance


1. Ryan.Mangan
says:
March 12, 2017 at 9:35 am
First question, yes you need to ensure the connection brokers and session hosts are added
to the group. Second question … the connection broker issues a redirection packet which
contains the session host information the user is going to be passed to. The gateway will
create a tunnel to communicate with the connection broker. All that needs to be
presented externally is the web access role and the gateway role.

34. Aamir ul Hassan
says:
December 6, 2016 at 9:13 pm
Dear Ryan,

Hope you are doing well.

I have installed RDCB, RDWeb and RD Gateway roles on 2 servers (both servers have the same
roles for high availability).
Now I am facing an issue: I haven’t configured NLB on both servers but my RDCB is working
fine with DNSRR, my web is accessible with both servers’ public IP address but when I
specify the RD Gateway server in my RDP file, I am able to connect only with my 1st RDGW
server and when I specify the 2nd RDGW server it gives me an authentication error.
The same RDCAP and RAP are configured on both GW servers, all settings are the same, the cert is
configured for both servers.
There is no error or warning event in my GW servers.
When the users connect with the 1st RDGW their connectivity events show on both servers, but the
connection is only made by 1 server.

hope you will understand and help to fix this thing.

Regards

35. Ugo
says:
December 12, 2016 at 4:42 pm
Which of these roles should be installed on a domain joined machine and which should be
installed on a standalone (workgroup) server?

1. Ryan.Mangan
says:
March 12, 2017 at 9:30 am
Simple install on a domain joined. The session host and licensing roles / gateway on non
domain joined.

36. Richard Chism
says:
January 10, 2017 at 4:58 am
Where is the binding done so that IIS redirects it to the RDG login page? This is NOT
covered well in ANY of the online help guides and it seems to be where I get stuck. I am
using this under Server 2012 r2. The interface is similar. MMC always stops working. Very
discouraging

1. Ryan.Mangan
says:
March 12, 2017 at 9:26 am
Redirection can be configured on the default website in IIS. You will see an option for
redirection.

37. mrnasty000
says:
January 10, 2017 at 5:02 am
How do I enable the RD Gateway to link to the IIS manager. All I get is the IIS pages. I need
ONLY to have the RD gateway logon to appear so I can redirect. please help

38. Michael
says:
January 10, 2017 at 8:21 pm
Hello, I created a 4 server RDS 2012 R2 environment. Here is the config:
RD Connection Broker Server/License Server – internal network
RD Web Access Server – internal network
RD Session Host Server – internal network
RD Gateway server – perimeter network
Internally users can connect to the RDWeb access page and then connect to services
published to the RD Web access page. This is working fine. The problem I am having is
external users. I have an external FQDN in my external DNS and I have that address set in
my Gateway setting, however when a user connects to https:///rdweb they are getting a 404
file or directory not found. It is my belief that it is trying to access the IIS server on the
Gateway server where there is no RDWeb instead of sending the traffic to my internal RD
Web Access server that does have the RDWeb service. I have read and re-read your
deployment guide and I am just not sure what is wrong.

39. jakubpaliwoda92
says:
February 21, 2017 at 5:50 pm
Hi,

I have deployed RDS on Windows Server 2016, including 2 brokers in high availability
mode, 3 session hosts, 2 web hosts, 1 license server and 1 gateway.

Everything seems to be working perfectly fine, apart from one thing – the gateway itself.

When external clients connect to RDS farm via gateway via normal remote desktop client for
windows/mac, they end up having their RDP sessions redirected directly to one of the two
broker hosts which is odd.

When clients connect via RDWeb via gateway as well, they end up on the session hosts as
expected.

In both cases, clients use published DNS for RDS server farm which points to both brokers.

This is really strange behavior, and I’m just thinking – is this a limitation of standard remote
desktop clients on Windows/Mac or am I missing something here?

All the best and keep your amazing blogs coming!

1. Ryan.Mangan
says:
March 12, 2017 at 9:24 am
You need to ensure that the gateway is configured correctly. It sounds like the redirect
packet is failing when they hit the connection broker which would indicate a gateway
configuration issue.

40. Mariusz
says:
February 22, 2017 at 1:56 pm
Hello
Did anyone face the issues described below when installing RD Gateway?

RD Gateway Configuration Failed on With Error: Unable to create a Remote Desktop
connection authorization policy on . The error is 2147749889.

The connection authorization policy “RDG_CAP_AllUsers” could not be created. The
following error occurred: “16389”.

The RD Gateway install step is the last one during the Session Broker configuration. I use
Windows 2012 Standard.

41. Andrew Taylor
says:
June 6, 2018 at 10:10 pm
Can anyone help with a gateway issue I’m having on 2016 please?
Single server setup with HA broker.
Internal domain .LOCAL
External domain .NET

Everything works fine internally bypassing the gateway.

Externally I can access and login to RDWeb, but get a login box when I try and load anything
with the internal server name and then get Logon Request Failed.

Wildcard certificate on *.net domain
No redirects on IIS
Gateway has correct FQDN configured.

It has me baffled, any help most welcome!

1. Ryan.Mangan
says:
July 18, 2018 at 3:35 pm
Did you get this sorted, Andrew?

42. YG
says:
October 17, 2018 at 12:25 pm
Great article!!

I have 1 question: does RD Gateway need any network connectivity to the RDCB?

Thanks.

1. Ryan.Mangan
says:
October 21, 2018 at 7:48 pm
Yes connectivity is needed.

43. Randy
says:
October 30, 2018 at 10:39 pm
Ryan:

Thank you for the knowledge share. I followed the steps, had to go it alone on the certificate
creation, but I can now get to the RDWeb login after the browser tells me the site is insecure.
I am able to login and see the applications I published. Upon clicking the icon of one of the
published apps, I am presented with the RemoteApp dialog box to set local access etc. I
noticed that the Gateway server is the external FQDN and the Remote computer is the
internal FQDN for the RD server. When I click Connect, I get a message that “This computer
can’t verify the identity of the RD Gateway . It’s not safe to connect to servers that can’t be
identified. Contact your network administrator for assistance.”

Thoughts?
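The “can’t verify the identity of the RD Gateway” prompt above, and the earlier questions about an internal wildcard certificate or a self-signed certificate on an externally reachable gateway, come down to two checks the client makes on the gateway certificate: does a SAN name match the gateway FQDN the client was given, and is the issuing CA trusted. The following is an added illustration of those two checks, not code from the blog post or from Microsoft; `GatewayCert` and every host name in it are constructed for the example.

```python
# Added example (not from the blog post or its comments): a minimal model of the
# two checks an RDP client makes before it trusts the RD Gateway name it was
# given, so a name mismatch can be told apart from an untrusted issuer.
# All certificate names and host names below are constructed samples.
from dataclasses import dataclass, field


@dataclass
class GatewayCert:
    """Constructed stand-in for the fields the client reads from the gateway certificate."""
    san_names: list = field(default_factory=list)  # dNSName entries from the SAN extension
    issuer_trusted: bool = False                   # issuing CA present in the client's root store


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single '*' as the whole leftmost label.

    The wildcard covers exactly one label, so *.example.net matches rdgw.example.net but
    neither example.net nor a.b.example.net. Patterns with fewer than two labels after the
    wildcard (e.g. *.net) are rejected, the conservative rule browsers also apply.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def diagnose_gateway_cert(cert: GatewayCert, gateway_fqdn: str) -> str:
    """Name the first check that fails for the gateway FQDN the client was told to use.

    gateway_fqdn is the external name typed into the client or placed in the .rdp file;
    the session host name is validated separately and plays no part here.
    """
    if not any(name_matches(n, gateway_fqdn) for n in cert.san_names):
        return "name-mismatch"      # cert issued for other names (e.g. an internal wildcard)
    if not cert.issuer_trusted:
        return "untrusted-issuer"   # right name, but self-signed or internal CA not in root store
    return "ok"


def walkthrough() -> dict:
    """Constructed cases mirroring the situations raised in the comments."""
    external = "remote.example.net"
    return {
        "internal_wildcard_on_external_gateway":
            diagnose_gateway_cert(GatewayCert(["*.corp.local"], True), external),
        "self_signed_with_correct_name":
            diagnose_gateway_cert(GatewayCert([external], False), external),
        "public_wildcard_for_external_domain":
            diagnose_gateway_cert(GatewayCert(["*.example.net"], True), external),
    }
```

Only the gateway FQDN is compared against the gateway certificate; a prompt naming the remote computer rather than the gateway points at the session host’s certificate instead.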
