A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate
network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the
HTTPS Protocol to create a secure encrypted connection.
A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a
Secure Sockets Layer (SSL) tunnel.
https://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/ 1/51
1/28/2019 Deploying Remote Desktop Gateway RDS 2012 – Ryan Mangan's IT Blog
http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server
For more information on deploying a Gateway on the perimeter network, please see the following link:
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
To start the install, click on the RD Gateway icon highlighted in green on the Deployment
Overview.
Enter the external FQDN in the SSL Certificate Name field (for this example I am using an internal
address).
Once the install is complete, you can use the links at the bottom of the install window to
configure certificates and review the RD Gateway properties for the deployment.
As highlighted in red, you can see the Gateway certificate located in the deployment properties
under Certificates.
Under the RD Gateway tab, you can configure the logon method and the basic gateway settings.
Once the gateway is installed you will see the RD Gateway symbol appear.
By right-clicking on the local gateway server, you can open its Properties.
You can configure the advanced gateway settings from the Properties dialog.
The SSL Certificate tab allows you to import an external certificate, create a self-signed
certificate, or import one from a personal store. I would recommend that you assign all the other
certificates first and apply the RD Gateway certificate last, because the certificates assigned here
are not modified by the Certificates tab in the RDS deployment properties.
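The post performs these steps in Server Manager. The following is an added PowerShell equivalent written for this edit, not code from the original post, using the RemoteDesktop module cmdlets that ship with Windows Server 2012. The host names rdcb.corp.local and rdgw.corp.local, the external name remote.example.com and the PFX path are placeholders; it follows the recommendation above by assigning the certificate to the other roles first and to the RD Gateway role last, then lists the result so an untrusted or mismatched certificate is visible before any client tries to connect.

```powershell
# Added example (not from the original post): scripted version of the install and
# certificate steps above. All names below are placeholders for your own environment.
Import-Module RemoteDesktop

$Broker       = 'rdcb.corp.local'        # existing Connection Broker of the deployment
$GatewayHost  = 'rdgw.corp.local'        # server that will receive the RD Gateway role
$ExternalFqdn = 'remote.example.com'     # name clients use; must match the certificate
$PfxPath      = 'C:\certs\remote.pfx'    # SAN or wildcard certificate with private key
$PfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Add the RD Gateway role server with the external FQDN (the "SSL certificate name" dialog).
Add-RDServer -Server $GatewayHost -Role RDS-GATEWAY `
             -ConnectionBroker $Broker -GatewayExternalFqdn $ExternalFqdn

# 2. Deployment-level gateway settings (the RD Gateway tab): password logon, and bypass
#    the gateway for internal addresses so only external clients are tunnelled.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $ExternalFqdn `
                                     -LogonMethod Password -UseCachedCredentials $true `
                                     -BypassLocal $true -ConnectionBroker $Broker -Force

# 3. Assign the certificate to the other roles first and to RDGateway last, as recommended,
#    so the gateway certificate is not touched by a later assignment from the deployment tab.
foreach ($Role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPassword `
                      -ConnectionBroker $Broker -Force
}

# 4. Verify: every role should show the same subject and thumbprint. A self-signed
#    certificate will show an untrusted level, which is exactly what external clients reject.
Get-RDCertificate -ConnectionBroker $Broker |
    Select-Object Role, Level, ExpiresOn, Subject, Thumbprint
```

Run it from a domain account with local administrator rights on the broker and the gateway server; the gateway server must already be added to Server Manager's server pool, otherwise Add-RDServer cannot reach it.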
The Transport tab allows you to configure the RPC-HTTP and HTTP settings. You can change
the defaults to meet corporate security requirements.
The Remote Desktop Connection Authorisation Policies (RD CAP) store enables you to
configure local or central NPS Services for centralised management.
The Messaging tab is great for notifying users of outages and maintenance times or other
administrator messages.
Please see the hyperlink below for information on SSL bridging and tunnelling.
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html
The Auditing tab allows you to select what to audit in the log files.
The Server Farm tab allows you to configure multiple Gateway servers for use in a farm (High
Availability).
Resource Authorisation Policies (RD RAP) allow you to specify the network computers that users
can connect to through the gateway.
The Allowed Ports tab enables you to change the ports to enhance security.
When creating a highly available Connection Broker configuration or a Remote Desktop Session
Host farm, you need to create server groups using Manage Locally Stored Computer Groups.
For connection brokers and RDSH servers, you need to add the servers and the farm name as
mentioned in this tab.
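The RD CAP, locally stored computer group and RD RAP steps above are done in RD Gateway Manager. As an added example (written for this edit, not the post's own), here is the same configuration through the RDS: provider drive that the RemoteDesktopServices module exposes on the gateway server. The CONTOSO domain, the "RDS Users" group, the host names and the farm name rds.corp.local are placeholders; the numeric codes for -AuthMethod and -ComputerGroupType and the -PortNumbers parameter are as I know them from the provider, and should be confirmed with Get-Help New-Item -Path RDS:\GatewayServer\RAP on the server before use.

```powershell
# Added example (not from the original post): RD CAP, computer group and RD RAP via the
# RDS: drive, run on the gateway server. Names and codes are placeholders/assumptions.
Import-Module RemoteDesktopServices      # provides the RDS: drive

$Domain    = 'CONTOSO'
$UserGroup = "RDS Users@$Domain"         # a dedicated AD group, deliberately not Domain Users
# Member servers plus the farm name, because the post says both must be in the group.
$FarmHosts = @('rdcb.corp.local', 'rdsh1.corp.local', 'rdsh2.corp.local', 'rds.corp.local')

# 1. Connection Authorisation Policy: who may connect through the gateway and how they
#    authenticate (AuthMethod 1 = password; verify the code on your server).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'RDG_CAP_RDSUsers' `
         -UserGroups $UserGroup -AuthMethod 1

# 2. Locally stored computer group for the HA broker / session host farm.
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name 'RDG_RDSFarm' `
         -Description 'RDS farm reachable through the gateway' -Computers $FarmHosts

# 3. Resource Authorisation Policy: those users reach only that group, only on RDP's port
#    (ComputerGroupType 0 = gateway-managed group; verify the code and -PortNumbers).
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RDG_RAP_RDSFarm' `
         -UserGroups $UserGroup -ComputerGroupType 0 -ComputerGroup 'RDG_RDSFarm' `
         -PortNumbers 3389

# 4. Review what the gateway now enforces; a user outside the CAP group or a host outside
#    the RAP group gets the "not authorized to access the RD Gateway" error quoted below.
Get-ChildItem -Path 'RDS:\GatewayServer\CAP'
Get-ChildItem -Path 'RDS:\GatewayServer\RAP'
Get-ChildItem -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups\RDG_RDSFarm\Computers'
```

Keeping the CAP user group narrow and the RAP bound to a named computer group rather than "any network resource" is what stops the gateway from becoming a general-purpose RDP relay into the network.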
Ryan Mangan works as the CTO at Systech IT Solutions, an application delivery and desktop
virtualization specialist company based in the UK, where he focusses on end-user computing
and emerging technologies. Ryan is an end-user computing specialist with a great passion for
virtualization. A speaker and presenter, he has helped customers and technical communities
with end-user computing solutions, ranging from small to global 30,000-user deployments. He
is the owner and author of ryanmangansitblog.com, where he posts articles about remote
desktop services, VMware, Microsoft Azure, KEMP, and other products and technologies. Ryan
has been awarded VMware vExpert since 2014, has been a member of the NetApp United
program since 2017, and was awarded Technical Person of the Year in 2017 by KEMP.
Tags: Gateway, HTTP Secure, HTTPS, RD Gateway, RDS 2012, Remote Desktop Connection,
Remote Desktop Gateway, Remote Desktop Protocol, Remote Desktop Services, secure
sockets layer, Server 2012, SSL, Virtual private network, VPN
I have a question for you. I have a setup like this: 1 RDGW. This server only has this role.
3 servers have RDHA, RDSH, RDWEB. How can I add the certificate for RDGW if I can't reach
it from the console?
In the "deployment properties" all is set OK, but in certificates, the RDGW is greyed out. Do you
have a clue how to add it?
1. Ryan.Mangan
says:
May 1, 2013 at 8:16 pm
Hi,
Ensure that the RDGW role is added to every server group; you can add the certificate
through the RD Gateway Manager.
Regards,
2. Ryan.Mangan
says:
May 1, 2013 at 11:04 pm
Don't install the RDGW on every server; you need to add each server to each other for
remote management.
Best Regards,
3. Ryan
says:
June 13, 2013 at 6:52 pm
Hi, can the RD Gateway server be the same as the actual RDS server that all my clients will
be using for terminal services/remote desktop?
Also, for the certificate… My AD domain is .local and my external is a .com. How do I issue
a public certificate from Thawte or GoDaddy in that case?
Thanks.
1. Ryan.Mangan
says:
June 13, 2013 at 8:35 pm
Hi,
Please can you confirm which server you want to install RD Gateway on. I would
recommend installing RDWA and the RDGW on a separate server from your session
server for security reasons.
Best Regards,
4. Stan
says:
August 28, 2013 at 12:51 pm
I followed every step and can't access from anywhere except the server itself.
Everything remote-related is on the same server.
When I use remote connection (don't bypass the gateway) … it doesn't work at all (first the
cert is invalid, so the client communicates correctly with the Gateway). When the cert is added to
the client … the connection takes ages and then fails.
1. Ryan.Mangan
says:
August 29, 2013 at 12:36 am
Hi,
Can you confirm you are using a valid and trusted certificate? The article shows an
untrusted one.
Can you also ensure that the user group is added to the RDG_CAP properties.
Best Regards,
1. Stan
says:
October 9, 2013 at 10:49 am
I created the certificate with the GUI.
It is untrusted.
2. Ryan.Mangan
says:
October 9, 2013 at 11:05 am
You will need to purchase a certificate; I would recommend a SAN or a wildcard cert.
Best Regards,
5. Todd
says:
September 24, 2013 at 3:22 pm
Hi Ryan,
Can you help me get a grip on the licensing for RDGW? Will my install stop tunneling
connections after 120 days? We are using it just as the Gateway, no VDI and no RemoteApps.
Thanks,
Todd
1. Ryan.Mangan
says:
September 25, 2013 at 4:33 pm
Hi, you will need to install the RDS Licensing role to use the gateway. Then it's a simple
case of adding licences.
Best Regards,
6. Raghu
says:
October 24, 2013 at 6:29 pm
Hi,
I have a high availability setup. All servers are Windows 2012. I want to configure an idle
timeout for RD Web Access; the URL should automatically sign out when it reaches the idle
timeout. RD Web Access has IIS 8.0. Is it possible?
Please suggest how.
1. Ryan.Mangan
says:
December 3, 2013 at 7:41 pm
I haven’t done so but I cannot see why not.
2. RJ
says:
December 9, 2014 at 8:46 am
When I position the Remote Desktop Gateway behind Web Application Proxy, which
method do I need to choose, ADFS Pre-authentication or Pass-through?
9. Ben
says:
January 16, 2014 at 3:17 pm
Any tips for setting up an RDGW in a DMZ in a single firewall setup?
1. Ryan.Mangan
says:
January 16, 2014 at 6:32 pm
Apologies if I am teaching you to suck eggs, but as there is little information, it's hard to
gauge your knowledge.
Add a second NIC to the RDGW and connect that up to your DMZ. Open up the SSL port
(443) only from the public and the DMZ interface, then finally NAT the DMZ IP to the
public interface.
If you need any info on the RD Gateway and ports, have a look at
http://blogs.msdn.com/b/rds/archive/2013/03/14/what-s-new-in-windows-server-2012-remote-desktop-gateway.aspx.
Best regards,
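The reply above describes the exposure in words: a second NIC in the DMZ with only the SSL port open on it. As an added example (not part of the original comment), this PowerShell applies that on the gateway server with the Windows Firewall cmdlets that exist in Server 2012, and adds UDP 3391, which a later reply in this thread names as the second port the gateway needs when the UDP transport is left enabled. The interface alias 'DMZ' and the assumption that the DMZ adapter lands in the Public profile are placeholders to check against Get-NetAdapter and Get-NetConnectionProfile on the server.

```powershell
# Added example (not from the original comment): restrict the DMZ-facing interface of an
# RD Gateway to the two ports the gateway uses. 'DMZ' and the Public profile are assumptions.
$DmzInterface = 'DMZ'

# Everything inbound on the DMZ adapter's profile is blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# TCP 443: RPC-over-HTTPS, used by every RD Gateway client (the port the reply opens).
New-NetFirewallRule -DisplayName 'RD Gateway HTTPS (DMZ)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -InterfaceAlias $DmzInterface -Profile Public

# UDP 3391: only required while "Enable UDP transport" is ticked on the Transport tab;
# leave this rule out if UDP transport is disabled, so nothing unused is reachable.
New-NetFirewallRule -DisplayName 'RD Gateway UDP (DMZ)' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 3391 -InterfaceAlias $DmzInterface -Profile Public

# Review: every enabled inbound rule bound to the DMZ interface and the port it opens.
# Anything beyond 443/TCP and 3391/UDP here is exposure the gateway does not need.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -contains $DmzInterface } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    }
```

Management traffic (RDP to the gateway itself, WinRM, Server Manager) should stay on the internal NIC; none of it belongs in the rules scoped to the DMZ interface.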
10. iHsan
says:
February 4, 2014 at 7:14 pm
Hi Ryan
Thank you very much for this post, that was very helpful. However, as for me, I'm in a little
confusion:
I have two Hyper-V virtual servers set up as RDSH-FARM-1 and RDSH-FARM-2 (both
of the machines are domain members). All the roles are installed on FARM-1, and FARM-2 has
Remote Session Host installed just for load balancing.
I've used a local CA to request a certificate for RDWA and RDG (RDSH-FARM.co.uk).
Everything is working internally but not externally. I can browse to RDWA via my public IP,
e.g. 12.56.45.67/rdweb, and can log in with a user account, but as soon as I try to remote desktop it
says the RD Gateway server is not reachable?
Apart from this, just to make it short, what exactly am I missing here? And what do I need to
make this work?
1. Ryan.Mangan
says:
February 11, 2014 at 5:51 pm
Hi, you will need a gateway server for a secure connection to the session hosts. Please
read the article on the RD gateway server.
11. iHsan
says:
February 4, 2014 at 7:16 pm
just to add on my internal RDSH FQDN is RDSH-FARM1.domain.co.uk
12. Rich
says:
April 22, 2014 at 10:18 pm
Hi Ryan,
Thank you for all of this as all your blogs have extremely helped me in my RDS
deployments.
I am working with an FQDN mydomain.local and trying to set up an RDS 2012
deployment. I have a single server setup.
I have an external dns name of remote.mydomain.com and a wildcard cert associated with it.
I setup the gateway with external FQDN remote.mydomain.com. Applied the wildcard cert
for *.mydomain.com successfully to all roles.
I created a new DNS zone remote.mydomain.com and pointed it to the IP of the server that
hosts all these roles.
I can now access my VDI collection successfully internally but not externally. The error I get
when connecting externally states:
Remote Desktop can’t connect to the remote computer “server.mydomain.local” for one of
the reasons:
1) Your user account is not authorized to access the RD Gateway “remote.mydomain.com”
2) Your computer is not authorized to access the RD Gateway “remote.mydomain.com”
3) You are using an incompatible method
I tried using the Set-RDPublishedName script after, and set the name to
remote.mydomain.com.
Now both internal and external connections will not authenticate when given the prompt
to login, saying the credentials did not work.
After setting the published name to my external FQDN, both the remote computer and the
gateway are pointed to remote.mydomain.com.
Putting the broker in high availability is not an option in this situation because we don't have a
license for another server.
Any ideas on what I'm missing? I doubt it's a permissions issue. Is it a problem with
accessing the gateway? From my understanding once we have access to the gateway
externally, the broker can be internal as a secure rdp connection has already been
established. Any help would be greatly appreciated. Thanks!
13. Raghu
says:
April 26, 2014 at 4:40 pm
Hi Rich,
If you are using a self-signed wildcard certificate, then add this certificate to the Trusted Root
Certification Authorities store of your local desktop/laptop. Only then will you be able to connect externally.
Thanks
1. Ryan.Mangan
says:
April 26, 2014 at 5:03 pm
Just to clarify what Raghu is saying, you would need to export the certificate used on the
gateway server and then import the certificate using MMC and store it in the local
computer certificate folder. You can also use the internal certificate authority if you have
one.
14. Dave
says:
May 12, 2014 at 9:33 pm
I have my 2012 RD Gateway published and it is accessible through my TMG firewall from the
outside world. I noticed that when connecting externally from a Windows 8 PC to a Server
2012 box behind TMG, UDP does not show as being enabled; when I connect to the
Server 2012 box from a Windows 8 PC inside TMG, UDP is enabled. Has anyone successfully
published Server 2012 RD Gateway with UDP working through TMG or any other firewall,
and how? Thanks.
1. Ryan.Mangan
says:
May 14, 2014 at 9:46 pm
Hi, as TMG is end of life, I would not recommend using this for securing RDS. TMG does
not support RDP 8, whereas UAG does. Are you wanting to reverse proxy or just simply
publish UDP traffic? All firewalls will allow you to port forward/NAT UDP
traffic. https://social.technet.microsoft.com/wiki/contents/articles/10973.configuring-udp-support-on-the-rd-gateway-in-windows-server-2012.aspx
1. Dave
says:
May 15, 2014 at 1:44 am
I have a reverse proxy in place for my RD Gateway. I guess going the reverse proxy
route will not allow for UDP traffic, is that correct?
15. KL_Dane
says:
May 28, 2014 at 12:46 pm
Hi Ryan,
Thanks for a good guide.
I have one issue remaining I hope you can help me with. When logging on to RDWeb from a
public connection, I am able to log on and see the default RDS connection. When I try to
connect to it I only get an error:
Your computer can't connect to the remote computer because the Remote Desktop Gateway
server is temporarily unavailable.
1. Ryan.Mangan
says:
May 28, 2014 at 12:49 pm
Have you configured the gateway to allow a connection to the RDS servers? Is the gateway
behind a load balancer? Have you tested the gateway connection internally using
MSTSC?
1. KL_Dane
says:
May 28, 2014 at 1:03 pm
Hi Ryan,
When I test mstsc with the GW from my internal network I am being logged on to the
broker server and not the host server.
I tried to add a public IP to rdsgw.public.com and NAT it to the GW server. Now I
am receiving a second credential box asking for credentials to the internal broker
FQDN. When typing in my admin credentials it times out eventually.
2. Ryan.Mangan
says:
May 28, 2014 at 1:14 pm
What event logs, if any, are showing? Have you configured the gateway setting
internally, then attempted to connect to a server which passes through the gateway?
What port have you allowed out on your firewall, 443? This could be a number of things.
3. KL_Dane
says:
May 28, 2014 at 1:37 pm
Hi Ryan,
Why is the default RDP shortcut on the RDWeb referring to the broker's internal address?
Isn't that the issue remaining to be solved?
4. Ryan.Mangan
says:
May 28, 2014 at 1:49 pm
You have an internal domain of .local and an external one of .com; you need to change the
naming. Have a look at my article on certificates and SSO. You will also have certificate
mismatches, which will prompt the credential box.
5. KL_Dane
says:
June 2, 2014 at 1:02 pm
Hi Ryan,
Thanks for the quick replies and good assistance. I have solved my public access
issue with this PowerShell cmd:
Set-RDSessionCollectionConfiguration -CollectionName RDS -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:rds.domain.local `n authentication level:i:0"
This way it points to the RDS farm name and not the broker server.
Thank you for your quick responses, they did lead me in the right direction to solve
this configuration.
16. Ray
says:
Thank you
Ray
1. Ryan.Mangan
says:
June 3, 2014 at 5:41 am
You need to allow external access on 443 TCP / 3391 UDP to the gateway and 443
access to RDWeb. You need both published externally. Some install both roles in the same
box to simplify things.
17. Alex
says:
July 8, 2014 at 10:01 am
Hi Ryan, thanks for your tutorial. I installed in the DMZ Win 2012R2 with two NICs. On that
machine I've run the Remote Desktop Services installation (with default published apps) and just
added RDGateway.
RDGateway settings are "Use these: domain.com"; the certificate is public (UCC with 10 SANs).
Under Certificates I added this cert for Connection Broker and WebAccess, but RDGateway is
greyed out. I am not able to edit this here, so I added the certificate through RDGateway Manager.
Policies are configured locally on the NPS server.
Since I have my website domain.com I installed IIS ARR in order to route to the RDGateway
everything with /RDWeb. It seems to be working: I can open the login page and log in, but when
I start a remote app (that works within LAN – bypass Gateway is selected) I receive an error
"Your Computer can't connect to the remote computer because RDGateway server is
temporarily unavailable. Try reconnecting later ……"
18. dzilla
says:
September 19, 2014 at 5:33 pm
Just came across this thread and I think some of you might be able to help. Here is my
breakdown: Using a .local domain, installed RDS with VDI, used the self assigned certificate
during install, went in afterwards and into deployment properties and changed the
certificate to a wildcard public cert.
I am able to access RDweb, log in using domain account, see the VDI published, click on it
and then I get the following error:
“Remote Desktop can’t connect to the remote computer “RDS.internal.local” for one of these
reasons:
The user account I used to log into the RDweb is authorized and also the machine, and I am
not using a smart card deployment. Any ideas?
Thank you,
Derek
1. Ryan.Mangan
says:
September 30, 2014 at 8:23 pm
You're accessing the VDI externally with a .com and internally the domain is a .local. This
is your problem. Try disabling certificate authentication; if that works, re-enable it. TP has
written a script which will resolve your issue; have a look under Remote Desktop Services
on TechNet's gallery.
19. Greg
says:
October 12, 2014 at 10:36 am
Good article. It helped a lot when I accidentally removed NPS from the server and needed to
reconfigure.
20. Adrian
says:
October 30, 2014 at 1:10 am
Hello,
We created an RDS farm (one broker server and 2 RDSH servers). We did not install RDG,
because we want the farm to be accessed only internally. When we access the farm by
Remote Desktop and log in, we have the warning screen "the identity of the remote
computer cannot be verified…". We created a cert in the broker server, registered it with
GoDaddy (something like files.domain.com), and we installed it on the broker. In the
deployment properties for the collection, the RD Connection Broker – enable SSO, RD
Connection Broker – publishing and RD Web Access have this certificate installed and the level
is trusted, BUT when we access the farm myfiles.domain.com from Remote Desktop and log in,
we have the warning screen "the identity of the remote computer cannot be verified…". We
looked for a few days on the internet, no luck. The environment is Windows Server 2012. Any ideas?
Thank you.
21. Hulda
says:
22. Darian
says:
October 30, 2014 at 2:49 pm
Ryan,
One of the things that confuses me most about Microsoft deployments is the external access. I
just see so little documentation on it that it's incredible. Everything I've read online and in blogs
says that the purpose of the gateway is to enable access to your farm from the public internet.
So my thought process was "OK, only open ports 443 & 3391 to the outside and NAT them to the
gateway". However if you do this, while you can use MSTSC, you can't do RemoteApp nor
get to the web access. So in the end I had to open up 443 to the RDWeb server. Is this correct?
23. Amit
says:
December 10, 2014 at 10:32 pm
Hello,
Am I correct in assuming that after I follow this guide, I will be able to access the RD server
from behind restrictive client firewalls?
What I mean by that is, oftentimes my users will visit other orgs who have very restrictive
firewall policies. If I set up RD Gateway on 2012 R2, will this tunnel all traffic through 443 to
give RDP a fighting chance of establishing a session?
1. Ryan.Mangan
says:
December 11, 2014 at 1:08 am
Yes, you will tunnel through on 443 or 3391, like a VPN.
1. Amit
says:
December 11, 2014 at 1:14 am
Hey, can you clarify which steps exactly above 'force' the RD Gateway to only utilize
port 443? I've configured my system to only use port 443 in both the RD Gateway
Manager > My Server > Policies > Resource Authorization Policies and also in RD
Gateway Manager > right click on My Server > Properties > Transport Settings tab and
unticked "Enable UDP Transport".
What I'm trying to accomplish is to get everything running over 443 and not depend on
any 'non standard' ports, as most security conscious organizations tend to block most
ports, leaving only 80 & 443 open for standard user access networks.
24. Michael
says:
December 26, 2014 at 7:46 am
Hello,
Great post! Serious issue. When I right click Properties, the RD CAP Settings are all grayed
out; I can't click anything.
25. nvgoldendog
says:
January 20, 2015 at 11:11 pm
Hi Ryan. Great article. You detailed all the boxes very well. After following your article and
reading some of the posts I was successful in getting my RDS Gateway working internally
and externally. I was wondering if you had a blog post on setting up and tweaking WebApps? I
am trying to find a good guide on editing the .RDP files and such. The way I did it on 2008
R2 is not the same as 2012 R2. Thanks!
Lyle Epstein
Kortek Solutions, Las Vegas, NV
1. Ryan.Mangan
says:
January 25, 2015 at 9:38 pm
The rules and features are similar on 2012 R2. What are you trying to do? Make
changes to RDPs or create custom files?
26. ben
says:
January 24, 2015 at 12:29 pm
Hi Ryan,
I used the external IP of the GW server, but only got the IIS splash page. I checked what other
pages are on the gateway setup and tried accessing /rpc, which prompts for credentials, then
nothing happens…
I used my internal wildcard certificate on my external GW server, which is – of course –
untrusted. Is that the issue? Does it not proceed without having a trusted cert? If so, could I
solve this by importing the internal wildcard cert?
Thanks!
Ben
1. Andrea
says:
December 7, 2016 at 11:07 am
Same problem here. I can access the RDWeb on my broker internally and externally, but
when I try to point my browser to https://rdgwy/rpc (or https://remote.domain.com) I'm
prompted for the password and nothing happens… both from internal and from external.
It is driving me mad, also because I have no events logged at all on my gateway :-((((
I'm using a wildcard certificate created with my certification authority; naturally I added
it to my test PC.
Do I need to set any configuration on my session host servers, or the broker?
1. Ryan.Mangan
says:
March 12, 2017 at 9:32 am
Check the RAP and CAP policies. Ensure the gateway can communicate outside and
through the network. Telnet is a good shout.
27. Mahe
says:
February 25, 2015 at 11:05 am
Hi Ryan,
I had RD Web and RD Gateway on the same server (which was in the DMZ); the other servers are
separated by role, 2 RDSH and 1 Connection Broker (so 3 different servers, one for each role,
+ 1 in the DMZ).
With this setup I have achieved access both INTERNALLY and EXTERNALLY.
But when I removed the RD Web role from the RD Gateway server and used a separate RD Web
server (which is not in the DMZ), after that I get a 404 error when accessing
https://ExternalgatewayFQDN/rdweb
1. Ryan.Mangan
says:
February 25, 2015 at 11:03 pm
Uninstall and ensure IIS is removed. Then reinstall.
1 x RD GW + Web Access
1 x RD CB
2 x RD SH
I can see the session collection in Remote Desktop client, and when I connect to an app it
appears to connect, authenticates, then says Connecting to RDP…then nothing, the window
just closes. I check session hosts and no connections appear. Any idea?
29. Inkar
says:
March 11, 2015 at 2:21 pm
Is it possible to tunnel through two RDGW servers?
RDP Client -> RDGW_SiteA -> RDGW_SiteB -> RDSH_server
For security/compliance reasons I can only RDP out using an RDGW server. But I now need to
connect to a remote site that is running an RDGW server.
1. Ryan.Mangan
says:
March 22, 2015 at 9:43 pm
Would it not be easier if you used a site to site VPN ?
1. Inkar
says:
March 24, 2015 at 11:32 am
Hi Ryan,
Unfortunately outgoing RDP is only allowed via a locked down RDGW. No VPN
access would be permitted between the two sites.
30. Pingback: anyone know any good guides for making rdp servers externally accessible
31. ricardo
says:
October 21, 2015 at 10:59 pm
Hello,
I am having an issue accessing my gateway server from any external sources. There is a
timeout error. The address abc.remote.com works internally.
I have a Host A record at my domain name provider that points to my firewall. Then my
firewall points to my internal Gateway server. I allow traffic from external through my
firewall on port 443.
32. Arunkumar
says:
February 29, 2016 at 9:09 am
Hi Ryan,
I have done the RD Gateway setup for one of our clients using a self-signed certificate; it works
fine internally within the network. But when I try to access externally at https://Public IP/RDWeb
I get the below error:
Your computer can't connect to the remote computer because the remote desktop gateway
server address is unreachable or incorrect.
What could be the issue? Is it mandatory to purchase a self-signed certificate for accessing the
RemoteApp externally?
1. Ryan.Mangan
says:
March 16, 2016 at 12:51 pm
It could be certificates or the RAP and CAP policies in the Gateway Manager.
I have two questions. When configuring the RAP policy for the RD Gateway, does the
network resource for my Server Group need to be the Connection Broker or the two RDS
Session Hosts? I am guessing it would need to be the Connection Broker, seeing how I want
the external end user to be directed to the RDWeb landing page. Once they are directed to
that landing page and log in, the Broker Server would determine which RDSH server to use,
seeing how they are load balanced. Am I correct in my thinking?
If so, after that I would need to create a policy in my firewall forwarding all external traffic from
the outside to the RD Gateway Server on, say, port 4443, and that would redirect users to the
Broker Server and the RDWeb landing page?
1. Ryan.Mangan
says:
March 12, 2017 at 9:35 am
First question: yes, you need to ensure the connection brokers and session hosts are added
to the group. Second question: the connection broker issues a redirection packet which
contains the session host information the user is going to be passed to. The gateway will
create a tunnel to communicate with the connection broker. All that needs to be
presented externally is the web access role and the gateway role.
I have installed the RDCB, RDWeb and RD Gateway roles on 2 servers (both servers have the same
roles for high availability).
Now I am facing an issue. I haven't configured NLB on both servers, but my RDCB is working
fine with DNS RR. My web is accessible with both servers' public IP addresses, but when I
specify the RD Gateway server in my RDP file, I am able to connect only with my 1st RDGW
server, and when I specify the 2nd RDGW server it gives me an authentication error.
The same RD CAP and RAP are configured on both GW servers, all settings are the same, and the cert is
configured for both servers.
There is no error or warning event on my GW servers.
When users connect with the 1st RDGW, their connectivity events show on both servers, but the
connection is only made by 1 server.
Regards
35. Ugo
says:
December 12, 2016 at 4:42 pm
Which of these roles should be installed on a domain-joined machine and which should be
installed on a standalone (workgroup) server?
1. Ryan.Mangan
says:
March 12, 2017 at 9:30 am
Simple install on a domain-joined one; the session host and licensing roles / gateway on a
non-domain-joined one.
Where is the binding done so that IIS redirects it to the RDG login page? This is NOT
covered well in ANY of the online help guides, and it seems to be where I get stuck. I am
using this under Server 2012 R2. The interface is similar. MMC always stops working. Very
discouraging.
1. Ryan.Mangan
says:
March 12, 2017 at 9:26 am
Redirection can be configured on the default website in IIS. You will see an option for
redirection.
37. mrnasty000
says:
January 10, 2017 at 5:02 am
How do I enable the RD Gateway to link to the IIS manager? All I get is the IIS pages. I need
ONLY the RD Gateway logon to appear so I can redirect. Please help.
38. Michael
says:
January 10, 2017 at 8:21 pm
Hello, I created a 4-server RDS 2012 R2 environment. Here is the config:
RD Connection Broker Server/License Server – internal network
RD Web Access Server – internal network
RD Session Host Server – internal network
RD Gateway server – perimeter network
Internally, users can connect to the RDWeb access page and then connect to services
published to the RD Web Access page. This is working fine. The problem I am having is
external users. I have an external FQDN in my external DNS and I have that address set in
my Gateway setting; however, when a user connects to https:///rdweb they are getting a 404
file or directory not found. It is my belief that it is trying to access the IIS server on the
Gateway server, where there is no RDWeb, instead of sending the traffic to my internal RD
Web Access server that does have the RDWeb service. I have read and re-read your
deployment guide and I am just not sure what is wrong.
39. jakubpaliwoda92
says:
February 21, 2017 at 5:50 pm
Hi,
I have deployed RDS on Windows Server 2016, including 2 brokers in high availability
mode, 3 session hosts, 2 web hosts, 1 license server and 1 gateway.
Everything seems to be working perfectly fine, apart from one thing – the gateway itself.
When external clients connect to RDS farm via gateway via normal remote desktop client for
windows/mac, they end up having their RDP sessions redirected directly to one of the two
broker hosts which is odd.
When clients connect via RDWeb via the gateway as well, they end up on the session hosts as
expected.
In both cases, clients use the published DNS name for the RDS server farm, which points to both brokers.
This is really strange behavior, and I'm just thinking: is this a limitation of the standard remote
desktop clients on Windows/Mac, or am I missing something here?
1. Ryan.Mangan
says:
March 12, 2017 at 9:24 am
You need to ensure that the gateway is configured correctly. It sounds like the redirect
packet is failing when they hit the connection broker, which would indicate a gateway
configuration issue.
40. Mariusz
says:
February 22, 2017 at 1:56 pm
Hello
Did anyone face the issues described below when installing RD Gateway?
The RD Gateway install step is the last one during the Session Broker configuration. I use
Windows 2012 Standard.
1. Ryan.Mangan
says:
July 18, 2018 at 3:35 pm
Did you get this sorted, Andrew?
42. YG
says:
October 17, 2018 at 12:25 pm
Great article!!
I have 1 question: does the RD Gateway need any network connectivity to the RDCB?
Thanks.
1. Ryan.Mangan
says:
October 21, 2018 at 7:48 pm
Yes, connectivity is needed.
43. Randy
says:
October 30, 2018 at 10:39 pm
Ryan:
Thank you for the knowledge share. I followed the steps, had to go it alone on the certificate
creation, but I can now get to the RDWeb login after the browser tells me the site is insecure.
I am able to log in and see the applications I published. Upon clicking the icon of one of the
published apps, I am presented with the RemoteApp dialog box to set local access etc. I
noticed that the Gateway server is the external FQDN and the Remote computer is the
internal FQDN for the RD server. When I click Connect, I get a message that "This computer
can't verify the identity of the RD Gateway. It's not safe to connect to servers that can't be
identified. Contact your network administrator for assistance."
Thoughts?
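Several comments above (the self-signed certificate that works only internally, the "address is unreachable or incorrect" error, and the "can't verify the identity of the RD Gateway" prompt) come down to the same two checks an RDP client performs against the gateway on TCP/443: does the certificate chain to a trusted root, and does it carry the external FQDN the user typed? The script below is an added example, not code from the original post or its author, that performs those checks from a client machine and separates them from the firewall/DNS timeout case; the gateway name `gateway.example.com` is a placeholder, and the SAN/CN matcher is our own implementation (Python 3.12 removed `ssl.match_hostname`).

```python
import socket
import ssl

# Placeholder external FQDN of the RD Gateway (assumption; replace with yours).
GATEWAY_FQDN = "gateway.example.com"


def names_in_cert(cert):
    """DNS names a certificate (in ssl.getpeercert() dict form) is valid for.
    subjectAltName DNS entries win; the CN is used only when no SAN exists,
    which modern RDP clients and browsers reject anyway, so treat it as a warning."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(hostname, pattern):
    """RFC 6125 style comparison: case-insensitive exact match, or a single
    leftmost wildcard label ('*.example.com' matches 'rdweb.example.com' only)."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if host == pat:
        return True
    if not pat.startswith("*."):
        return False
    h_labels, p_labels = host.split("."), pat.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(hostname, cert):
    """True when the external FQDN appears in the certificate's names."""
    return any(name_matches(hostname, n) for n in names_in_cert(cert))


def check_gateway(hostname=GATEWAY_FQDN, port=443, timeout=5):
    """Live check: a verified TLS handshake the way an RDP client does it.
    Returns trusted=True with the cert names, trusted=False with the OpenSSL
    verify code on a certificate problem, or trusted=None when no TLS session
    could be established at all (firewall, DNS or listener problem)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {"trusted": True, "names": names_in_cert(cert), "error": None}
    except ssl.SSLCertVerificationError as e:
        # verify_code 18/19: self-signed chain, 62: hostname mismatch, 10: expired
        return {"trusted": False, "names": [], "error": f"{e.verify_code}: {e.verify_message}"}
    except (OSError, ssl.SSLError) as e:
        return {"trusted": None, "names": [], "error": str(e)}
```

`cert_matches_host` can also be run offline against the dict from `ssl._ssl`-free sources such as a certificate you export from the gateway and parse yourself, to confirm before reissuing that the external FQDN (not the internal one) is in the SAN.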