This article covers the process of deploying a Remote Desktop Gateway on Windows Server 2019. The instructions also apply to Windows Server 2022, 2016, and 2012 R2. Remote Desktop Gateway is a service within the Remote Desktop Services role in Windows Server, designed to provide secure access from the internet to remote desktop services and published RemoteApp applications via an HTTPS gateway. The RD Gateway server acts as an intermediary between external clients and internal RDS services. With RD Gateway (RDGW), users can connect to RDS without needing a VPN. Connections are made using the standard Remote Desktop Connection client (mstsc.exe).
Installing the RDS-Gateway Role on Windows Server
The Remote Desktop Gateway service is not a mandatory component of an RDS farm and must be installed separately. Because the gateway is the component exposed to the internet, it is best deployed on a dedicated server (typically in a perimeter network), though it can be co-hosted with RDWeb.
This guide assumes you already have an Active Directory domain service and an RDS farm deployed in your network.
You can install the Remote Desktop Gateway role via Server Manager (Add roles & Features -> Server Role -> Remote Desktop Services) or PowerShell.
Installation Example via Server Manager
When installing the RDGW service, the IIS web server and Network Policy Server (NPS) roles are also installed: RD Gateway uses IIS for the RPC-over-HTTPS transport and NPS to evaluate connection authorization policies.
To verify successful installation of the role, run the following command:
Get-WindowsFeature RDS*
Alternatively, install the role using PowerShell (note the plain hyphen before each parameter):
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools
After installation, create access groups in Active Directory using the ADUC console or PowerShell:
– rdgwExtUsers — a group for users allowed to authenticate on RDGW;
– rdgwExternalAdmins — a group for accessing terminal servers via RDGW;
– msk-rds-farm — a group for all RDSH hosts and RD Connection Broker allowed to connect through the gateway.
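The installation and group creation steps above, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module is available, that the OU in $ou exists, and uses the hypothetical host names msk-rdsh01, msk-rdsh02 and msk-rdcb01 for the farm members:

```powershell
# Added example, not code from the original article: install the role, verify
# what was pulled in, and create the three AD groups described above.
# Assumptions: RSAT ActiveDirectory module present, $ou exists, and
# msk-rdsh01 / msk-rdsh02 / msk-rdcb01 are hypothetical host names.
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools

# RDS-Gateway brings IIS (Web-Server) and NPS (NPAS) with it; confirm all three are installed.
Get-WindowsFeature RDS-Gateway, Web-Server, NPAS | Select-Object Name, InstallState

Import-Module ActiveDirectory
$ou = 'OU=RDS,DC=softcomputers,DC=org'   # assumption: OU that will hold the gateway groups

$groups = @{
    'rdgwExtUsers'       = 'Allowed to authenticate on RD Gateway (RD CAP)'
    'rdgwExternalAdmins' = 'Allowed to reach RDS hosts through RD Gateway (RD RAP)'
    'msk-rds-farm'       = 'RDSH hosts and RD Connection Broker reachable through RD Gateway (RD RAP resource group)'
}
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou -Description $groups[$name]
    }
}

# The RAP resource group must hold computer accounts: RD Gateway maps the host
# name the client asked for to a computer object and checks its group membership.
$farmHosts = 'msk-rdsh01', 'msk-rdsh02', 'msk-rdcb01'
Add-ADGroupMember -Identity 'msk-rds-farm' -Members ($farmHosts | ForEach-Object { Get-ADComputer -Identity $_ })

# Keep the two user groups narrow (named accounts only, never Domain Users) and
# review them before the gateway becomes reachable from the internet.
Get-ADGroupMember -Identity 'rdgwExtUsers' | Select-Object SamAccountName, objectClass
```

The point of the computer-group step is that a RAP bound to an AD group only works if the RDSH and broker computer accounts are actually members; a RAP pointing at an empty or user-only group silently denies every connection.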
Configuring RD Gateway Access Policies
Access management for RDGW is configured using the RD Gateway Manager console (tsgateway.msc). Two types of policies must be configured, and a connection is allowed only when both are satisfied:
– Connection Authorization Policies (RD CAP) — define who is allowed to authenticate on the RD Gateway and under what conditions (authentication method, device redirection, session timeouts);
– Resource Authorization Policies (RD RAP) — specify which users can connect to which internal computers, and on which ports, via RDGW.
Creating an RD CAP Policy
1. Expand Policies -> Connection Authorization Policies and select Create New Policy -> Wizard.
2. Specify a policy name, e.g., rdgwExtUsers.
3. Select the authentication type (password or smart card) and specify the user group allowed to authenticate on RDGW.
4. Configure redirection of local devices (clipboard, printers, etc.) in RDP sessions.
5. Confirm the policy creation.
You can also create the connection authorization policy using PowerShell. User groups are given in group@domain form; AuthMethod 1 selects password authentication:
Import-Module -Name RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'rdgwAllowAutht-CAP' -UserGroups rdgwExtUsers@softcomputers.org -AuthMethod '1'
Creating an RD RAP Policy
1. In the RD Gateway Manager console, select Policies -> Resource Authorization Policies and choose Create New Policy -> Wizard.
2. Specify a policy name, e.g., rdgwExternalAdmins.
3. Specify the group allowed to connect to internal resources.
4. On the Network Resources tab, specify which servers are allowed for connection (e.g., msk-rds-farm).
5. Allow connections only on the standard RDP port 3389. Open additional ports only if a specific resource really requires them; never select "any port" for an internet-facing gateway.
Creating an RD RAP Policy via PowerShell (ComputerGroupType 1 selects an Active Directory computer group, which must contain the computer accounts of the RDSH hosts and broker):
New-Item -Path RDS:\GatewayServer\RAP -Name allowextAdminMskRDS -UserGroups rdgwExternalAdmins@softcomputers.org -ComputerGroupType 1 -ComputerGroup msk-rds-farm@softcomputers.org
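RAPs are easy to widen by accident (any resource, any port, a broad user group), and such a policy turns the gateway into an RDP jump host for the whole network. As an added example that is not part of the original article, the following audits RAP definitions. The live query reads the Win32_TSGatewayResourceAuthorizationPolicy WMI class in root\cimv2\TerminalServices; the property names used and the values 'ALL' (any resource) and '*' (any port) are how that class exposes those settings, and the objects in $sampleRaps are constructed so the check runs without a gateway:

```powershell
# Added example, not code from the original article: flag over-broad RD RAP
# definitions. Live data comes from the TerminalServices WMI class; the objects
# in $sampleRaps are constructed so the check runs without a gateway.
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'

function Test-RdgwRap {
    # Needs Name, Enabled, UserGroupNames, ResourceGroupType, ResourceGroupName, PortNumbers
    param([Parameter(Mandatory, ValueFromPipeline)] $Rap)
    process {
        $findings = @()
        if ($Rap.ResourceGroupType -eq 'ALL') {
            $findings += 'any network resource allowed; scope to an AD computer group (CG) or RD Gateway-managed group (RG)'
        }
        if ($Rap.PortNumbers -eq '*') {
            $findings += 'any port allowed; restrict to 3389 unless another port is required'
        }
        # UserGroupNames is a semicolon-separated list of DOMAIN\group entries
        foreach ($g in ($Rap.UserGroupNames -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($BroadGroups -contains ($g -replace '^.*\\', '')) { $findings += "user group '$g' is too broad" }
        }
        $resource = if ($Rap.ResourceGroupType -eq 'ALL') { '<any>' } else { "$($Rap.ResourceGroupType):$($Rap.ResourceGroupName)" }
        $summary  = if ($findings) { $findings -join '; ' } else { 'ok' }
        [pscustomobject]@{ Policy = $Rap.Name; Enabled = $Rap.Enabled; Resource = $resource; Findings = $summary }
    }
}

function Get-RdgwRapReport {
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGatewayResourceAuthorizationPolicy |
        Test-RdgwRap
}

# Constructed sample: the RAP created above next to a "temporary" catch-all RAP.
$sampleRaps = @(
    [pscustomobject]@{ Name = 'allowextAdminMskRDS'; Enabled = $true; UserGroupNames = 'SOFTCOMPUTERS\rdgwExternalAdmins'
                       ResourceGroupType = 'CG'; ResourceGroupName = 'SOFTCOMPUTERS\msk-rds-farm'; PortNumbers = '3389' }
    [pscustomobject]@{ Name = 'tmp-anything'; Enabled = $true; UserGroupNames = 'SOFTCOMPUTERS\Domain Users'
                       ResourceGroupType = 'ALL'; ResourceGroupName = ''; PortNumbers = '*' }
)
$sampleRaps | Test-RdgwRap | Format-Table -AutoSize -Wrap
# On the gateway itself: Get-RdgwRapReport
```

The first sample policy reports "ok"; the second collects all three findings. Run the live report after any change in RD Gateway Manager, since the wizard defaults make the catch-all variant easy to create.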
Configuring an SSL Certificate for Remote Desktop Gateway
To secure RDGW connections, an SSL/TLS certificate is required. The best choice is a commercial certificate from an external certificate authority or a free Let's Encrypt certificate, because every client already trusts it. A self-signed certificate can also be used, but it must then be imported as a trusted root on every client; if a client does not trust the RDGW certificate, the connection will fail.
The Subject Name (CN) or Subject Alternative Name (SAN) of the certificate must include the DNS name of the RDGW server used by clients for connections.
Installing a Self-Signed Certificate
1. Open the RD Gateway properties in the RD Gateway Manager console and go to the SSL Certificate tab.
2. Select Create a self-signed certificate -> Create and Import Certificate.
3. Specify the certificate name (the DNS name that clients will use to connect) and the path where the certificate file should be saved.
4. Back in the RD Gateway Manager console, verify that there are no errors and all items are green.
Ports for RDGW Connections
– HTTPPort (default) — 443/TCP
– UDPPort (default) — 3391/UDP (the UDP transport improves performance; it is optional, and clients fall back to HTTPS if 3391 is blocked).
Open these ports on your network equipment towards the RDGW server only. The gateway itself needs to reach the internal RDSH hosts on TCP 3389 (or whatever port the RAP allows); the internal RDP port never has to be exposed to the internet.
Configuring the RDP Client for RD Gateway Connection
To configure the client for connecting through RD Gateway:
1. If using a self-signed certificate, add it to the Trusted Root Certification Authorities store on the client.
2. Open the mstsc.exe client.
3. On the General tab, specify the hostname of the RDSH, farm, or computer you want to connect to via RDP.
4. On the Advanced tab, in the Connect from anywhere section, click Settings.
5. Select Use these RD Gateway server settings and specify the external DNS name of your RDGW server (this name must match the certificate). If using a non-standard RDGW port, specify it after the server name with a colon, e.g., gw.softcomputers.org:4443.
6. To avoid entering the password twice, enable Use my RD Gateway credentials for the remote computer (the same account is then used for both the gateway and the RDSH host).
7. Click Connect and enter the credentials. The client should establish a connection to the RDS/RDP host in your local network.
8. To monitor connections to the gateway, use the Monitoring section in RD Gateway Manager.
If using the RDCMan utility for RDP connections, RD Gateway settings can be configured on the Gateway Settings tab. Enable the Use a TS Gateway server option and specify the connection parameters.
Successful and failed user connections via RDGW can be tracked using the event log: Applications and Services Logs -> Microsoft -> Microsoft-Windows-TerminalServices-Gateway -> Operational.
These logs help identify who connected, when, and to which resource during RDP connection analysis.
Upon successful user connection through RDGW, an event with Event ID 205 from the TerminalServices-Gateway source will appear in the log:
The user “softcomputers\kbuldogov”, on client computer “xx.xx.xx.xx”, successfully connected to the remote server “msk-rdsman.softcomputers.org” using UDP proxy. The authentication method used was: “Cookie”.
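The event messages in this log share one layout: the user, the client address and the target are quoted, and the verb says whether a policy was met, not met, or a connection was established. As an added example that is not part of the original article, the following script parses them into who/from where/to what records and flags client addresses with repeated policy denials. The sample events are constructed in the format of the event quoted above (their IDs are illustrative; only the message text is parsed):

```powershell
# Added example, not code from the original article: turn RD Gateway operational
# events into who / from where / to what records and flag client addresses with
# repeated policy denials. The sample messages are constructed in the format of
# the event quoted above; only the message text is parsed, never the ID.
$RdgwLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

function ConvertFrom-RdgwEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)   # anything with Id, TimeCreated, Message
    process {
        $m = $Event.Message
        $user   = if ($m -match 'The user "([^"]+)"')                          { $Matches[1] }
        $client = if ($m -match 'on client computer "([^"]+)"')                { $Matches[1] }
        $target = if ($m -match '(?:remote server|network resource) "([^"]+)"') { $Matches[1] }
        $outcome = switch -Regex ($m) {
            'did not meet'            { 'PolicyDenied'; break }
            'successfully connected'  { 'Connected';    break }
            'policy requirements'     { 'Authorized';   break }
            default                   { 'Other' }
        }
        [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; User = $user; Client = $client; Target = $target; Outcome = $outcome }
    }
}

function Get-RdgwConnections {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = $RdgwLog; StartTime = (Get-Date).AddHours(-$Hours) } |
        ConvertFrom-RdgwEvent
}

function Find-RdgwDenialBursts {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record, [int] $Threshold = 5)
    begin { $records = @() }
    process { $records += $Record }
    end {
        $records | Where-Object { $_.Outcome -eq 'PolicyDenied' } | Group-Object Client |
            Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
                [pscustomobject]@{ Client = $_.Name; Denials = $_.Count; Users = (($_.Group.User | Sort-Object -Unique) -join ', ') }
            }
    }
}

# Constructed sample events; the first is the UDP proxy event quoted above.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 205; TimeCreated = $now; Message = 'The user "softcomputers\kbuldogov", on client computer "203.0.113.10", successfully connected to the remote server "msk-rdsman.softcomputers.org" using UDP proxy. The authentication method used was: "Cookie".' }
    [pscustomobject]@{ Id = 200; TimeCreated = $now; Message = 'The user "softcomputers\kbuldogov", on client computer "203.0.113.10", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".' }
)
foreach ($u in 'softcomputers\jdoe', 'softcomputers\admin', 'softcomputers\backup') {
    $sample += [pscustomobject]@{ Id = 301; TimeCreated = $now; Message = "The user `"$u`", on client computer `"198.51.100.7`", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server." }
}
$parsed = $sample | ConvertFrom-RdgwEvent
$parsed | Format-Table -AutoSize
$parsed | Find-RdgwDenialBursts -Threshold 3     # 198.51.100.7: 3 denials across 3 different accounts
# Live: Get-RdgwConnections -Hours 24 | Find-RdgwDenialBursts
```

A single address collecting denials for several different accounts is the pattern worth looking at first. This log only records what reached policy evaluation; credential failures that are rejected earlier appear in the NPS and Security logs rather than here.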
To launch RemoteApp via RD Gateway, add the following lines to the *.rdp file (gatewayusagemethod 1 means the gateway is always used; replace the host name with your own RDGW name):
gatewayhostname:s:gw.winitpro.ru
gatewayusagemethod:i:1
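The mstsc dialog options described above map one-to-one onto keys in an .rdp file. As an added example that is not part of the original article, the following function writes a complete .rdp file with those gateway settings and launches it; the host names are the ones used in the article and the RemoteApp alias is hypothetical:

```powershell
# Added example, not code from the original article: generate a .rdp file with
# the gateway settings the mstsc dialog above sets, then launch it.
function New-RdgwRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Target,     # internal RDSH/farm/PC name, as allowed by the RAP
        [Parameter(Mandatory)] [string] $Gateway,    # external RDGW name, must match the certificate SAN; append :port for a non-443 gateway
        [Parameter(Mandatory)] [string] $Path,
        [string] $RemoteApp                          # published RemoteApp alias; omit for a full desktop
    )
    $lines = @(
        "full address:s:$Target"
        "gatewayhostname:s:$Gateway"
        'gatewayusagemethod:i:1'          # 1 = always go through the gateway, 2 = bypass for local addresses, 0 = never
        'gatewayprofileusagemethod:i:1'   # 1 = use the explicit gateway settings in this file
        'gatewaycredentialssource:i:0'    # 0 = password (NTLM), 1 = smart card
        'promptcredentialonce:i:1'        # "Use my RD Gateway credentials for the remote computer"
        'authentication level:i:2'        # 2 = warn if the RDSH cannot be authenticated; use 1 (refuse) once its certificate is trusted
    )
    if ($RemoteApp) {
        $lines += 'remoteapplicationmode:i:1'
        $lines += "remoteapplicationprogram:s:||$RemoteApp"   # "||alias" form used for published RemoteApps
        $lines += "remoteapplicationname:s:$RemoteApp"
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    $Path
}

$rdp = New-RdgwRdpFile -Target 'msk-rdsman.softcomputers.org' -Gateway 'gw.softcomputers.org' -Path "$env:USERPROFILE\Desktop\msk-rds.rdp"
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$rdp`""
```

Distributing a file like this to users avoids mistyped gateway names, which are the usual cause of the certificate mismatch error.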
Configuring RD Gateway in a Workgroup
In some cases, you may deploy an RDSH server in a workgroup (without an Active Directory domain) and securely publish it via RD Gateway.
Steps to Configure RD Gateway in a Workgroup
1. Install the RD Gateway role:
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools
2. Open the RD Gateway Manager console (tsgateway.msc) and create a Connection Authorization Policy (CAP). In the policy settings, allow connections via passwords for users in the local BUILTIN\Remote Desktop Users group.
3. Select which devices are allowed to be redirected in RDP sessions (by default, all devices, including printers, local drives, and clipboard, are allowed). On an internet-facing gateway, disable drive and clipboard redirection unless users really need them; they are the easiest way to move files in and out of the published host.
4. Create a new Resource Authorization Policy (RAP). Allow connections for the BUILTIN\Remote Desktop Users group.
5. Select the option Allow users to connect to any network resource (computer). This is acceptable here only because the gateway publishes a single workgroup host; in a domain, always scope the RAP to an Active Directory computer group instead.
6. Allow connections only on the RDP port 3389.
7. For connection security, use a self-signed SSL certificate. Generate a certificate with a long validity period using PowerShell (the -DnsName values become Subject Alternative Names, so include every name or address that clients will enter as the gateway address):
$todaydate = Get-Date
$addyear = $todaydate.AddYears(5)
New-SelfSignedCertificate -DnsName rdgw.softcomputers.org,123.123.123.12 -NotAfter $addyear -CertStoreLocation cert:\LocalMachine\My
8. Open the RDGW server properties, go to the SSL Certificates tab, select Select an existing certificate from the RD Gateway Certificates Local/Personal Store -> Import Certificate, and choose the certificate you created.
9. Export the certificate from the RDGW server:
– Open the computer certificate console (certlm.msc);
– Expand the Personal -> Certificates store;
– Select the certificate -> All tasks -> Export.
– Export the certificate to a *.CER file (without the private key).
This certificate must be installed on the client. If the client does not trust the RD Gateway certificate, it will not be able to connect.
You can manually install the certificate in the Trusted Root Certification Authorities store.
10. Open the mstsc client and configure the connection through Remote Desktop Gateway: in Advanced -> Settings -> Use these RD Gateway server settings, enter the RDGW host's name or IP address exactly as it appears in the certificate's SAN.
11. For the RDP host name, specify localhost (the RDSH role and RD Gateway run on the same server in this scenario, so the gateway connects to itself on port 3389), and enter the username as rdssrv01\user1, where rdssrv01 is the local computer name of the Windows Server with the RDS role.
If the SAN name in the certificate does not match the RD Gateway host name in the connection, you will encounter the following error:
Your computer cannot connect to the remote computer because the remote desktop gateway server address requested, and the certificate subject name do not match.
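The certificate requirements from the SSL certificate section (the gateway name must appear in the CN or SAN, and clients must trust the issuer) and the mismatch error quoted above can both be checked before users hit them. As an added example that is not part of the original article, the following script creates the gateway certificate, exports its public part for clients, and tests whether a certificate's names cover the name clients will type into mstsc; it can also fetch the certificate the running gateway presents on port 443. The host name is the article's, the file paths are hypothetical, and the creation step needs an elevated prompt because it writes to the machine store:

```powershell
# Added example, not code from the original article: create the gateway
# certificate, export the public part for clients, and check that the names in
# a certificate cover the gateway name clients will type into mstsc.
$GatewayName = 'rdgw.softcomputers.org'

# 1. Self-signed certificate whose SAN carries the gateway's public DNS name.
function New-RdgwSelfSignedCert {
    param([string] $DnsName = $GatewayName, [int] $Years = 5)
    New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter (Get-Date).AddYears($Years) -FriendlyName 'RD Gateway'
}

# 2. Public certificate (no private key) for the clients' Trusted Root store.
function Export-RdgwPublicCert {
    param([Parameter(Mandatory)] $Cert, [string] $Path = "$env:TEMP\rdgw.cer")   # hypothetical path
    Export-Certificate -Cert $Cert -FilePath $Path -Type CERT | Out-Null
    $Path
}
# On each client, after comparing the thumbprint with the server out of band:
#   (Get-PfxCertificate .\rdgw.cer).Thumbprint
#   Import-Certificate -FilePath .\rdgw.cer -CertStoreLocation Cert:\LocalMachine\Root

# 3. Names a certificate is valid for: SAN DNS entries, or the CN if there is no SAN.
function Get-CertDnsNames {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the extension as e.g. "DNS Name=rdgw.softcomputers.org, IP Address=123.123.123.12"
        [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    } else {
        $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
}

function Test-RdgwCertName {
    param([Parameter(Mandatory)] $Cert, [string] $Name = $GatewayName)
    $names = @(Get-CertDnsNames -Cert $Cert)
    $match = $names | Where-Object {
        $_ -eq $Name -or
        ($_.StartsWith('*.') -and $Name -like $_ -and $Name.Split('.').Count -eq $_.Split('.').Count)  # a wildcard covers one label only
    }
    [pscustomobject]@{
        Gateway      = $Name
        CertNames    = $names -join ', '
        NameMatch    = [bool] $match
        Expired      = (Get-Date) -gt $Cert.NotAfter
        ChainTrusted = $Cert.Verify()   # $false until the self-signed cert is imported as a trusted root on this machine
    }
}

# 4. The certificate the gateway really presents on 443 (accepts any cert: we only read it).
function Get-RdgwPresentedCert {
    param([string] $Server = $GatewayName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Demo on a freshly created certificate (DNS name only, no IP in the SAN):
$cert = New-RdgwSelfSignedCert
Test-RdgwCertName -Cert $cert -Name 'rdgw.softcomputers.org'   # NameMatch True, ChainTrusted False until imported as root
Test-RdgwCertName -Cert $cert -Name '123.123.123.12'           # NameMatch False: exactly the mismatch error quoted above
# From a client, against the running gateway:
# Test-RdgwCertName -Cert (Get-RdgwPresentedCert -Server 'rdgw.softcomputers.org') -Name 'rdgw.softcomputers.org'
```

The second demo call shows why connecting by IP address fails with a DNS-only certificate: mstsc compares the gateway address it was given with the certificate names literally, which is why the article's own New-SelfSignedCertificate command lists the IP address alongside the DNS name.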
Your RDSH server is now securely published via RD Gateway with SSL/TLS protection.