Deploying Remote Desktop Gateway Step-

by-Step Guide
Microsoft Corporation
Published: April 2009
Updated: May 2011

Abstract
Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), in
the Windows Server® 2008 R2 operating system, provides technologies that enable authorized
remote users to connect to resources on an internal corporate or private network, from any
Internet-connected device that can run the Remote Desktop Connection (RDC) client. In this
guide, we will set up an RD Gateway server to use for connecting to a Remote Desktop Session
Host (RD Session Host) server by using a Remote Desktop client computer.
Copyright Information
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved.Microsoft, Windows, and Windows Server are
trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Deploying Remote Desktop Gateway Step-by-Step Guide.............................................................4
About this guide........................................................................................................................... 4
What this guide does not provide............................................................................................. 4
Technology review....................................................................................................................... 5
Scenario: Deploying Remote Desktop Gateway..........................................................................5

Step 1: Setting Up the Contoso Domain......................................................................................... 6

Configure the RD Gateway server (RDG-SRV)........................................................................7

Step 2: Installing RD Gateway........................................................................................................ 9

Step 3: Verifying RD Gateway Functionality..................................................................................11

Related topics............................................................................................................................ 13
Deploying Remote Desktop Gateway Step-
by-Step Guide

About this guide

This step-by-step guide walks you through the process of setting up a working Remote Desktop
Session Host (RD Session Host) server accessible by using Remote Desktop Gateway
(RD Gateway) in a test environment. During this process, you will create a test deployment that
includes the following components:
 An RD Gateway server
 An RD Session Host server
 A Remote Desktop Connection client computer
This guide assumes that you previously completed the steps in the Installing Remote Desktop
Session Host Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=147292), and that you
have already deployed the following components:
 An RD Session Host server
 A Remote Desktop Connection client computer
 An Active Directory Domain Services domain controller
This guide includes the following topics:
 Step 1: Setting Up the Contoso Domain
 Step 2: Installing RD Gateway
 Step 3: Verifying RD Gateway Functionality
The goal of RD Gateway is to enable authorized remote users to connect to resources on an
internal corporate or private network, from any Internet-connected device that can run the
Remote Desktop Connection (RDC) client. The network resources can be RD Session Host
servers, RD Session Host servers running RemoteApp programs, or computers with Remote
Desktop enabled.

What this guide does not provide

This guide does not provide the following:
 An overview of Remote Desktop Services.
 Guidance for setting up Active Directory Domain Services or an RD Session Host server. This
information can be found in the Installing Remote Desktop Session Host Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=147292). For a downloadable version of this
document, see the Installing Remote Desktop Session Host Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=147293) in the Microsoft Download Center.

4
 Important
If you have previously configured the computers in the Installing Remote Desktop
Session Host Step-by-Step Guide, you should repeat the steps in that guide with new
installations.
 Guidance for setting up a perimeter network or firewall rules. This information can be found in
the RD Gateway deployment in a perimeter network & Firewall rules
(http://go.microsoft.com/fwlink/?LinkId=210571).
 Complete technical reference for Remote Desktop Services.

Technology review
RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to help establish a secure,
encrypted connection between remote users on the Internet and the internal network resources
on which their productivity applications run.
To function correctly, RD Gateway requires several role services and features to be installed and
running. When you use Server Manager to install the RD Gateway role service, the following
additional roles, role services, and features are automatically installed and started, if they are not
already installed:
 Remote procedure call (RPC) over HTTP Proxy
 Web Server (IIS) [Internet Information Services]
IIS must be installed and running for the RPC over HTTP Proxy feature to function.
 Network Policy and Access Services

Scenario: Deploying Remote Desktop Gateway

We recommend that you first use the steps provided in this guide in a test lab environment. Step-
by-step guides are not necessarily meant to be used to deploy Windows Server® features without
additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this step-by-step guide, you will have an RD Session Host server that users
can connect to with the Remote Desktop client computer by using RD Gateway. You can then test
and verify this functionality by connecting to the RD Session Host server by using RD Gateway
from the Remote Desktop client as an authorized remote user.
The test environment described in this guide includes four computers connected to a private
network using the following operating systems, applications, and services.

Computer name Operating system Applications and services

CONTOSO-DC Windows Server 2008 R2 Active Directory Domain

Services (AD DS), DNS
RDSH-SRV Windows Server 2008 R2 RD Session Host
CONTOSO-CLNT Windows 7 Remote Desktop Connection

5
RDG-SRV Windows Server 2008 R2 RD Gateway

 
The computers form a private network and are connected through a common hub or Layer 2
switch. This step-by-step exercise uses private addresses throughout the test lab configuration.
The private network ID 10.0.0.0/24 is used for the network. The domain controller is named
CONTOSO-DC for the domain named contoso.com. The following figure shows the configuration
of the test environment.

Step 1: Setting Up the Contoso Domain

To prepare your RD Gateway test environment in the CONTOSO domain, you must configure the
RD Gateway server (RDG-SRV).
Use the following table as a reference when setting up the appropriate computer names,
operating systems, and network settings that are required to complete the steps in this guide.

Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).

Computer name Operating system IP settings DNS settings

requirement

CONTOSO-DC Windows IP address: Configured by DNS

Server 2008 R2 10.0.0.1 server role

6
 Subnet mask:
255.255.255.0
Default gateway:
10.0.0.1
RDSH-SRV Windows IP address: Preferred:
Server 2008 R2 10.0.0.2 10.0.0.1
Subnet mask:
255.255.255.0
Default gateway:
10.0.0.1
CONTOSO-CLNT Windows 7 IP address: Preferred:
10.0.0.3 10.0.0.1
Subnet mask:
255.255.255.0
Default gateway:
10.0.0.1
RDG-SRV Windows IP address: Preferred:
Server 2008 R2 10.0.0.11 10.0.0.1
Subnet mask:
255.255.255.0
Default gateway:
10.0.0.1

Configure the RD Gateway server (RDG-SRV)

To configure the RD Gateway server, you must:
 Install Windows Server 2008 R2.
 Configure TCP/IP properties.
 Join RDG-SRV to the contoso.com domain.
 Install the RD Gateway role service.
First, install Windows Server 2008 R2 on a stand-alone server.

To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type RDG-SRV.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that RDG-SRV has an IPv4 static IP address of 10.0.0.11.

To configure TCP/IP properties

7
1. Log on to RDG-SRV with the RDG-SRV\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and
Sharing Center, click Change adapter settings, right-click Local Area Connection,
and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.11. In the
Subnet mask box, type 255.255.255.0. In the Default gateway box, type 10.0.0.1.
5. Click Use the following DNS server addresses. In the Preferred DNS server box,
type 10.0.0.1.
6. Click OK, and then close the Local Area Connection Properties dialog box.
Next, join RDG-SRV to the contoso.com domain.

To join RDG-SRV to the contoso.com domain

1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, under Member of, click
Domain, and then type contoso.com.
5. Click More, and in the Primary DNS suffix of this computer box, type contoso.com.
6. Click OK, and then click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials for CONTOSO\Administrator, and
then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you to the
contoso.com domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
10. Click Restart Now.
You have prepared your test environment. Now you can proceed to Step 2: Installing RD
Gateway.

Step 2: Installing RD Gateway

To install and configure an RD Gateway server, you must add the RD Gateway role service.
Windows Server 2008 R2 includes the option to install the RD Gateway role service by using
Server Manager. This topic covers the installation and configuration of the RD Gateway role
service on the RDG-SRV computer in the CONTOSO domain.
Membership in the local Administrators group, or equivalent, on the RD Gateway server that
you plan to configure, is the minimum required to complete this procedure. Review details about

8
using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).

To install the RD Gateway role service

1. Log on to RDG-SRV as CONTOSO\Administrator.
2. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
3. Under the Roles Summary heading, click Add Roles.
4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.
5. On the Select Server Roles page, under roles, select the Remote Desktop Services
check box, and then click Next.
6. On the Remote Desktop Services page, click Next.
7. On the Select Role Services page, select the Remote Desktop Gateway check box.
8. If prompted to specify whether you want to install the additional role services required
for Remote Desktop Gateway, click Add Required Role Services.
9. On the Select Role Services page, click Next.
10. On the Choose a Server Authentication Certificate for SSL Encryption page,
select Create a self-signed certificate for SSL encryption, and then click Next.
11. On the Create Authorization Policies for RD Gateway page, select Now, and then
click Next.
a. On the Select User Groups That Can Connect Through RD Gateway page,
click Add. In the Select Groups dialog box, specify Domain Users, and then click
OK to close the Select Groups dialog box. Click Next.
b. On the Create an RD CAP for RD Gateway page, enter the name RD_CAP_01
for the Remote Desktop connection authorization policy (RD CAP), select
Password, and then click Next.
c. On the Create an RD RAP for RD Gateway page, enter the name RD_RAP_01
for the Remote Desktop resource authorization policy (RD RAP), and then select
Allow users to connect to any computer on the network. Click Next.
12. On the Network Policy and Access Services page (which appears if this role service
is not already installed), review the summary information, and then click Next.
13. On the Select Role Services page, verify that Network Policy Server is selected, and
then click Next.
14. On the Web Server (IIS) page (which appears if this role service is not already
installed), review the summary information, and then click Next.
15. On the Select Role Services page, accept the default selections for Web Server (IIS),
and then click Next.
16. On the Confirm Installation Selections page, verify that the following role services
will be installed:
 Remote Desktop Services\RD Gateway
 Network Policy and Access Services\Network Policy Server
 Web Server (IIS)

9
  RPC over HTTP Proxy
17. Click Install.
18. On the Installation Progress page, installation progress will be noted.
19. On the Installation Results page, confirm that installation for these roles, role
services, and features was successful, and then click Close.

To export the SSL certificate for the RD Gateway server and copy it to the CONTOSO-
CLNT computer
1. On the RD Gateway server, open the Certificates snap-in console. If you have not
already added the Certificates snap-in console, you can do so by doing the following:
a. Click Start, click Run, type mmc and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click
Next.
e. In the Select Computer dialog box, click Local computer: (the computer this
console is running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), expand Personal, and then click Certificates.
3. Right-click the certificate RDG-SRV.contoso.com, point to All Tasks, and then click
Export.
4. On the Welcome to the Certificate Export Wizard page, click Next.
5. On the Export Private Key page, click No, do not export private key, and then click
Next.
6. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is
selected, and then click Next.
7. On the File to Export page, in the File name box, click Browse.
8. In the Save As dialog box, in the File name box, enter RDG-SRV, and then click Save.
9. On the File to Export page, click Next.
10. On the Completing the Certificate Export Wizard page, confirm that the correct
certificate is specified, that Export Keys is set to No, and that Include all certificates
in the certification path is set to No, and then click Finish.
11. After the certificate export has successfully completed, a message appears confirming
that the export was successful. Click OK.
12. Close the Certificates snap-in.
13. Copy the RD Gateway server certificate
c:\users\administrator.CONTOSO\Documents\RDG-SRV.cer, to the CONTOSO-
CLNT computer.

10
 Note
For single sign on, no changes are needed on the RD Gateway server. Review
Deploying Remote Desktop Web Access with Remote Desktop Connection Broker
Step-by-Step Guide to implement single sign on.
You have installed and configured an RD Gateway server. Now you can proceed to Step 3:
Verifying RD Gateway Functionality.

Step 3: Verifying RD Gateway Functionality

To verify the functionality of the RD Gateway deployment, complete the following:
 Install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT computer.
 Enable certificate revocation checking on the CONTOSO-CLNT computer (optional).
 Log on to CONTOSO-CLNT as Morgan Skinner and use Remote Desktop Connection (RDC)
to connect to the RD Session Host server (RDSH-SRV) by using the RD Gateway server
(RDG-SRV).

To install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT
computer
1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.
2. Open the Certificates snap-in console by doing the following:
a. Click Start, click Run, type mmc and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click
Next.
e. In the Select Computer dialog box, click Local computer: (the computer this
console is running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
3. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), and then click Trusted Root Certification Authorities.
4. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and
then click Import.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the File to Import page, in the File name box, click Browse, and then browse to
the location where you copied the SSL certificate for the RD Gateway server. From the
file type drop-down list, select All Files (*.*). Select the certificate RDG-SRV.cer, click
Open, and then click Next.
7. On the Certificate Store page, accept the default option (Place all certificates in the
following store - Trusted Root Certification Authorities), and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct
11
 certificate has been selected and that the following certificate settings appear:
 Certificate Store Selected by User: Trusted Root Certification Authorities
 Content: Certificate
 File Name: FilePath\RDG-SRV.cer
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming
that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the
correct certificate appears in the list of certificates on the CONTOSO-CLNT computer.
12. Log off from the CONTOSO-CLNT computer.

To enable certificate revocation checking on the CONTOSO-CLNT computer (optional)

1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.
2. Click Start, point to All Programs, and then click Accessories.
3. Right-click Command Prompt, and then click Run as administrator.
4. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Yes.
5. At the command prompt, type reg add "HKCU\Software\Microsoft\Terminal Server
Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1.

Warning
The publishing and maintenance of the certificate revocation list is an integral
part of the public key infrastructure (PKI), and it is external to RD Gateway. Do
not enable certificate revocation checking on RD Gateway client computers
until you have confirmed that your deployment can support this; otherwise,
even the basic connection to an end resource through the RD Gateway server
will not work. This is the reason why certificate revocation checking is disabled
by default on the RD Gateway client, and the recommendation is to turn it on
as a security best practice only after ensuring that the certificate revocation list
is accessible from the Internet.
6. Log off the computer.

To connect to RDSH-SRV with RDC by using RDG-SRV

1. Log on to CONTOSO-CLNT as Morgan Skinner.
2. Click Start, point to All Programs, point to Accessories, and then click Remote
Desktop Connection.
3. In the Remote Desktop Connection dialog box, click Options.
4. On the Advanced tab, click Settings.
5. On the RD Gateway Server Settings page, click Use these RD Gateway server
settings, enter the following settings, and then click OK.
 Server name: RDG-SRV.contoso.com

12
  Logon method: Allow me to select later
 Bypass RD Gateway server for local addresses: Clear check box
6. On the General tab, in the Computer box, type rdsh-srv, and then click Connect.
7. In the Windows Security dialog box, type the password for contoso\mskinner, and
then click OK.
8. If the connection is successful, a Windows desktop will appear on the screen for
RDSH-SRV.
You have successfully deployed and demonstrated the functionality of RD Gateway on Remote
Desktop Services by using the simple scenario of connecting to an RD Session Host server by
using RD Gateway with an authorized remote user account by using Remote Desktop
Connection. You can also use this deployment to explore some of the additional capabilities of
Remote Desktop Services through additional configuration and testing.

Related topics
 Step 1: Setting Up the Contoso Domain
 Step 2: Installing RD Gateway
 Step 3: Verifying RD Gateway Functionality
 Deploying Remote Desktop Gateway Step-by-Step Guide (Home)

13