Many of you know what RD Gateway is, but for those who don’t, here is the short version. RD Gateway is a Windows Server 2008 R2 role that lets administrators allow users to connect over Remote Desktop Protocol to internal servers/workstations without opening too many ports in their firewall(s). The only port an administrator needs to open is 443, the port SSL uses. You can find the long version here. So, for example, if you have ten users that need remote desktop access you don’t have to customize ports any more; you know… user 1 connects to work.domain.com:3391, user 2 connects to work.domain.com:3392 and so on. All you have to do is create a CNAME or A record on your public DNS server that points to your RD Gateway server, or to the public address of your firewall.
For this lab I have a Domain Controller, an RD Gateway server, an RD Session Host server (it can be a simple server that supports more than one RD connection), and an external client running Windows 7. All servers are running Windows Server 2008 R2 SP1 and are joined to the domain vkernel.ro. If your internal domain name (e.g. vkernel.local) differs from the external one, it will be a bit of a headache to configure the RD Gateway, and maybe I will write an article in the future about this, but right now we’ll just stick with one domain which is also a public one. An internal Enterprise Root CA is used to issue certificates in this lab; it’s just cheaper. The external client has the root certificate installed in the local machine Trusted Root Certificates store, but if you have a lot of external clients I recommend you purchase a commercial certificate. Before we get started, I want to mention that the server names are very important, because those names are used on your external DNS server. You will understand what I mean as we go along.
First we need to request and install a certificate on the RD Gateway server, or the connection will not be established. If the Common Name in the certificate is different from the computer name (RD Gateway server) you will get an error message and the connection will be discarded.
To get rid of this message and be able to connect, when you request the certificate make sure you use the RD Gateway server name in the Common Name field of the certificate. In my case, my RD Gateway server is called “RDGateway.vkernel.ro”, so the Common Name field in the certificate is the same.
This is not over, there is still one more thing about the RD Gateway name, at the client side. When you type the RD Gateway name in the server settings field on the RD client you need to type the name of the RD Gateway server that is also found in the certificate.
Did I confuse you enough? Good, because there is more to come. Now you might say, but what if I don’t want to use the RD Gateway server name for clients to connect? Some server names are too long or too complicated, and I don’t want my users to type something like “ROWTNDFG.domain.com” in the RD client. I hear you, and the solution is to use a SAN certificate, but I’ll stress this again: even if you use a SAN certificate, the RD Gateway server name needs to be present in the SAN attribute field or the Common Name field of the certificate, or the connection will be dropped. Now let’s request that certificate so we can assign it to the RD Gateway server. Open the Certificates console by using the Run command and typing mmc.exe.
Go to File > Add/Remove Snap-in, click Certificates then the Add button. Choose Computer account > Local computer.
Right click the Personal folder and choose All tasks > Request New Certificate.
Since we have an Active Directory infrastructure here, we are going with Active Directory Enrollment Policy, so leave the default selection and press Next to continue.
Check the Computer box and click Enroll.
Click Finish to close the Certificate Enrollment wizard.
The certificate is in our Certificates Store ready to be installed on the RD Gateway server.
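If you need the SAN certificate discussed above (a friendlier alias next to the real gateway name), the Certificates snap-in wizard is not the only way to get it. The following is an added example, not part of the original article, that requests the same kind of machine certificate from the internal Enterprise CA with certreq and a policy file that carries both names in the SAN. The gateway FQDN, the alias, the CA config string and the template name are assumptions for this lab and must be replaced with your own values; the WebServer template is used because, unlike the Computer template, it accepts a subject and SAN supplied in the request by default.

```powershell
# Added example (not from the original article): request an RD Gateway
# certificate with a SAN from the internal Enterprise CA using certreq.
# Run in an elevated PowerShell session on the RD Gateway server.
$GatewayFqdn  = 'RDGateway.vkernel.ro'              # assumption: must be in CN or SAN
$FriendlyName = 'remote.vkernel.ro'                 # assumption: shorter alias users may type
$CaConfig     = 'DC01.vkernel.ro\vkernel-DC01-CA'   # placeholder: "<CA host>\<CA common name>"
$Template     = 'WebServer'                         # assumption: template allowing SAN in the request
$Work         = Join-Path $env:TEMP 'rdgw-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq policy file: CN is the gateway name, SAN lists the gateway name and the alias.
# The key is created in the machine store and is not exportable.
$inf = @"
[NewRequest]
Subject = "CN=$GatewayFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication, which the RD Gateway SSL binding requires
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=$GatewayFqdn&"
_continue_ = "dns=$FriendlyName"

[RequestAttributes]
CertificateTemplate = $Template
"@
$inf | Set-Content -Path "$Work\rdgw.inf" -Encoding ASCII

# 1. Build the CSR; the private key lands in LocalMachine\My as a pending request.
certreq -new "$Work\rdgw.inf" "$Work\rdgw.req"

# 2. Submit to the Enterprise CA; with the default auto-issue policy the
#    certificate is returned immediately.
certreq -submit -config $CaConfig "$Work\rdgw.req" "$Work\rdgw.cer"

# 3. Install the issued certificate against the pending request so it is
#    paired with its private key in the machine Personal store.
certreq -accept "$Work\rdgw.cer"
```

After step 3 the certificate shows up in the same Personal folder the wizard populates, and RD Gateway Manager lists it under “Select an existing certificate”.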
Log on to the RD Gateway server, go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager. Once the console is opened right-click the server and choose Properties.
Go to the SSL Certificate tab, choose the second option, “Select an existing certificate from the RD Gateway Certificates …”, then click the Import Certificate button.
Select the certificate from the list and click Import. This is the certificate we just requested from our internal CA.
As you can see, some certificate details are displayed on the SSL Certificate tab after the import. Click OK to close the server Properties.
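Before leaving the server, it is worth confirming from the machine store that the certificate you just imported really carries the gateway name, has its private key and is valid for server authentication, since a mismatch here is exactly what drops the connection later. The script below is an added example, not from the original article; it assumes the lab gateway FQDN and reads the local machine Personal store on the RD Gateway server.

```powershell
# Added example (not from the original article): on the RD Gateway server,
# list the machine certificates and flag the ones whose CN or SAN contains
# the gateway FQDN that clients will type. Assumption: the FQDN below.
$GatewayFqdn = 'RDGateway.vkernel.ro'

function Get-CertDnsNames {
    # Returns the CN plus every "DNS Name" entry of the SAN extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the extension as "DNS Name=a, DNS Name=b" on Windows.
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match 'DNS Name=(.+)') { $names += $Matches[1].Trim() }
        }
    }
    $names
}

function Test-ServerAuthEku {
    # The SSL binding needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1);
    # a certificate with no EKU extension at all is also usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $true }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names = Get-CertDnsNames $_
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        Names         = $names -join ', '
        NameMatches   = [bool]($names -contains $GatewayFqdn)   # -contains is case-insensitive
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = Test-ServerAuthEku $_
        Valid         = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
    }
} | Sort-Object NameMatches -Descending | Format-Table -AutoSize
```

A row with NameMatches, HasPrivateKey, ServerAuth and Valid all True is the certificate to bind; if no row has NameMatches True, clients will get the name error described earlier no matter what else is configured.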
The RD Gateway Manager Console should now look like this.
The next step is to create the A records in our public DNS zone, so clients know the IP addresses for RDGateway.vkernel.ro and RDHost.vkernel.ro. I never mentioned RDHost before, but this is my RD Session Host server, where clients connect and open their RD sessions. So log on to your cPanel or whatever administration console you have for your domain, and go to the DNS Zone Editor.
In the Name box under Add an A Record, type the FQDN of your RD Gateway server, then the IP address where the server can be found. When done, hit the Add a Record button to create the entry. Do the same for your RD Session Host server.
Our RD Gateway server is in place and configured, and so are our DNS records. The only step left is to open port 443 on the firewall. Since there are thousands of models out there I can’t show you all of them, so I will leave this to you. If you have a router and the RD Gateway and RD Session Host servers are behind it, you will need to forward port 443 from the outside world to the RD Gateway server. When this is complete, go to one of your external clients and open the RD client (Start > Run > mstsc). Expand the console by clicking the Options button, then go to the Advanced tab and click the Settings button.
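From the external client, the three things the connection depends on (the public A record, port 443 being forwarded, and the gateway presenting a certificate whose name matches what you will type) can be checked in one go before opening mstsc. The script below is an added example, not from the original article, and assumes the lab gateway FQDN. It lets .NET perform the same hostname match the RD client performs and reports the outcome instead of hiding it; the validation callback returns true only so the probe can inspect the result, which is not how a production client should behave.

```powershell
# Added example (not from the original article): probe DNS, TCP 443 and the
# TLS certificate of the RD Gateway from an external client.
# Assumption: the FQDN below is the lab gateway name; replace it with yours.
$GatewayFqdn = 'RDGateway.vkernel.ro'

function Test-RdGateway {
    param([string]$Fqdn, [int]$Port = 443)
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

    # 1. Public DNS: the A record created in the zone editor must resolve.
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }

    # 2. TCP: port 443 must be forwarded through the firewall to the gateway.
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Fqdn, $Port)

    # 3. TLS: record the validation flags instead of aborting the handshake so a
    #    name mismatch or an untrusted chain is reported, not hidden.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        return $true   # accept for inspection only; this is a probe, not a trust decision
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # The name passed here is matched against CN/SAN the same way the RD client does it.
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        New-Object PSObject -Property @{
            ResolvedTo   = $addrs -join ', '
            TlsHandshake = $ssl.IsAuthenticated
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Expires      = $cert.NotAfter
            NameMatches  = ([int]($script:policyErrors -band $mismatch) -eq 0)
            ChainTrusted = ([int]($script:policyErrors -band $chainErr) -eq 0)
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-RdGateway -Fqdn $GatewayFqdn | Format-List
```

A DNS or connect failure throws before the TLS step, which tells you which of the two earlier steps (zone record or port forward) is missing. ChainTrusted False on the external client means the internal root certificate is not in its Trusted Root store, the case the introduction warns about; NameMatches False means the certificate bound in RD Gateway Manager does not carry the name you are about to type in the RD client.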
Select the “Use these RD Gateway server settings” radio button and in the Server name box type the FQDN of your RD Gateway server; mine is RDGateway.vkernel.ro. Now clear the “Bypass RD Gateway server for local addresses” box, because it can cause connection problems, as you can read here. Click OK when you’re done.
On the General tab type the RD Session Host server name in the Computer box; mine is RDHost.vkernel.ro. Click Connect.
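The settings from the Advanced > Settings dialog and the General tab can also be saved in a .rdp file and handed to users, so nobody types the gateway name by hand. The script below is an added example, not from the original article; it writes such a file with the same key names mstsc uses when you choose Save As, and assumes the lab host and gateway FQDNs plus a placeholder user name.

```powershell
# Added example (not from the original article): build an .rdp file that
# connects to the RD Session Host through the RD Gateway with the settings
# shown above. Assumptions: the two FQDNs are the lab names; the user is a placeholder.
$RdHost      = 'RDHost.vkernel.ro'
$GatewayFqdn = 'RDGateway.vkernel.ro'
$UserName    = 'vkernel\someuser'                      # placeholder
$RdpFile     = Join-Path $env:USERPROFILE 'Desktop\RDHost-via-gateway.rdp'

# gatewayusagemethod:i:1        = always use the gateway, i.e. the "Bypass RD Gateway
#                                 server for local addresses" box cleared, as above
# gatewaycredentialssource:i:0  = prompt for a password (NTLM) for the gateway
# gatewayprofileusagemethod:i:1 = use these explicit gateway settings, not the defaults
# promptcredentialonce:i:1      = reuse the same credentials for gateway and host
# authentication level:i:2      = warn on server certificate problems instead of ignoring them
$settings = @(
    "full address:s:$RdHost",
    "username:s:$UserName",
    "gatewayhostname:s:$GatewayFqdn",
    "gatewayusagemethod:i:1",
    "gatewaycredentialssource:i:0",
    "gatewayprofileusagemethod:i:1",
    "promptcredentialonce:i:1",
    "authentication level:i:2"
)
# mstsc itself saves .rdp files as UTF-16 LE, so write the same encoding.
$settings | Set-Content -Path $RdpFile -Encoding Unicode
Write-Output "Wrote $RdpFile"

# Launch the connection with the file (same as double-clicking it).
Start-Process -FilePath mstsc.exe -ArgumentList "`"$RdpFile`""
```

Keeping authentication level at 2 preserves the certificate warning described next, so a user still sees when the RD Session Host presents a certificate the client does not trust rather than connecting silently.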
Type the log on credentials and click OK.
By now you should get a certificate warning from your RD Session Host server, and this is because the certificate on this server is self-signed; in my case anyway. To get rid of this warning you need to replace the self-signed certificate on the RD Session Host server with one issued by the internal CA. Read here to see how it’s done, but for now click Yes to continue.
And now you should have an RD connection made through an RD Gateway server. You can check that by clicking the Connection Properties icon on the RD bar.