Configuring The Remote Desktop Gateway

Netooze
September 26, 2019

To raise the protection level of a Windows server, changing the RDP TCP port may not be enough. Consider setting up a Remote Desktop Gateway (Terminal Services Gateway) in an Active Directory domain.

Remote Desktop Gateway, what is it?

Remote Desktop Gateway is a Windows Server role that provides a secure connection to the server over RDP, wrapped in the SSL/TLS protocol. The main advantage of this option is that it does not require deploying a VPN server: the gateway takes over that role.

It should be noted that, starting with Windows Server 2008 R2, the names of all Remote Desktop Services changed. What was previously called Terminal Services has been renamed Remote Desktop Services.

The advantages of Remote Desktop Gateway are as follows:

  • Using an encrypted connection, the gateway lets remote users connect to internal network resources without needing a VPN connection;
  • The gateway provides access control to specific network resources, thereby implementing comprehensive security;
  • The gateway allows connections to network resources located behind firewalls in private networks or behind NAT;
  • Using the Gateway Manager console, you can configure authorization policies with specific conditions that must be met when remote users connect to network resources. For example, you can specify which users may connect to internal network resources, whether the client computer must be a member of an AD security group, and whether device and disk redirection is allowed;
  • The Gateway Manager console includes tools for monitoring the state of the gateway. With them you can designate monitored events for auditing, such as failed attempts to connect to a TS Gateway server.

Important! TS Gateway must be in an Active Directory domain. Gateway setup is performed only on behalf of the domain administrator, on any server in the domain.

Let's set up the role.

Open Server Manager.

Select "Add Roles and Features".

At the "Installation type" stage, select "Install roles and features".

The next step is to select the current server.

Server role: Remote Desktop Services.

Let's move on to the role service. Select "Remote Desktop Gateway".

Proceed to the confirmation stage and press the "Install" button.

Setting up the connection and resource authorization policies.

In the Remote Desktop Gateway Manager window that opens, in the left part of the window, expand the branch with the server name → Policies → Connection authorization policies.
In the right part of the same window, select Create a new policy → Wizard.

In the "Wizard for creating new authorization policies" window that opens, select the recommended option "Create an authorization policy for remote desktop connections and authorization of remote desktop resources". Press the "Next" button.

In the next step, we enter a convenient name for the connection authorization policy. We recommend giving names in English.

The next step is to choose a convenient authentication method: password or smart card. In our case, we leave only "Password" checked. Then add the groups that are allowed to connect to this RD Gateway; to do this, press the "Add group..." button.

In the group selection window, click on the "Additional" button.

The window will resize. Press the "Search" button. Find "Domain Admins" in the search results and click the "OK" button.

In the group selection window, check the selected object names and click "OK".

The group has been added. To go to the next step, click the "Next" button.

In the next step, select the item "Enable device redirection for all client devices" and click "Next".

Set the timeouts (idle time and session time); the values are specified in hours. Click "Next".

Check the settings you have made. If everything is correct, click "Next".

The next step is to configure the resource authorization policy. Specify the desired policy name. Click "Next".

The next step is to set the group membership. Usually the group is already set, but if it is not, follow the steps above. Click "Next".

Select the available network resources. To do this, select a group containing the servers on which the chosen user groups are allowed to work via remote desktop. Click the "Browse" button.

In the group selection window, click the "Advanced" button.

In the resized window, click the "Search" button. In the results, find "Domain Controllers". Press "OK".

Check the selected objects and click "OK".

Once again, check which network group has been added and click "Next".

If the RDP port number has not been changed, set the switch to "Allow connection only to port 3389". If the port has been changed, specify the new value.

Click "Done".

At the stage confirming the creation of the policy, click the "Close" button.

Once the settings are complete, the window will look like this.
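The same role installation and CAP/RAP creation done from PowerShell, as an added example that is not part of the original article. It uses the RDS: provider from the RemoteDesktopServices module; the domain name, policy names, and the -ComputerGroup parameter and PortNumbers item are assumptions.

```powershell
# Added example: install the RD Gateway role and create the CAP/RAP described above.
# Run as a domain administrator on the domain-joined server. Domain and names are assumed.
$domain  = "corp.example.com"               # assumption: your AD DNS domain
$userGrp = "Domain Admins@$domain"          # who may connect through the gateway (as in the article)
$compGrp = "Domain Controllers@$domain"     # which computers they may reach (AD computer group)
$capName = "CAP-DomainAdmins"
$rapName = "RAP-DomainControllers"

# 1. Role install (Server Manager -> Remote Desktop Services -> Remote Desktop Gateway).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
Import-Module RemoteDesktopServices

# 2. Connection authorization policy: which users, with which authentication method.
#    AuthMethod 1 = password only (matches leaving only "Password" checked in the wizard).
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    New-Item -Path RDS:\GatewayServer\CAP -Name $capName -UserGroups $userGrp -AuthMethod 1
}

# 3. Resource authorization policy: which computers those users may reach.
#    ComputerGroupType 1 = Active Directory computer group; -ComputerGroup is assumed.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
    New-Item -Path RDS:\GatewayServer\RAP -Name $rapName -UserGroups $userGrp `
             -ComputerGroupType 1 -ComputerGroup $compGrp
}

# 4. Restrict the RAP to the RDP port in use (3389 unless it was changed). Item path assumed.
Set-Item -Path "RDS:\GatewayServer\RAP\$rapName\PortNumbers" -Value 3389

# 5. Review what was created.
Get-ChildItem "RDS:\GatewayServer\CAP", "RDS:\GatewayServer\RAP" | Select-Object Name
```

The article grants Domain Admins; in practice a dedicated AD group containing only the accounts that need remote access keeps the gateway's blast radius smaller.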

Installing the SSL certificate.

In the same "Remote Desktop Gateway Manager" window, click the server icon in the left pane and, in the main part of the window, "View and change certificate properties".

In the "Properties <server_name>" window that opens, go to the "SSL Certificate" tab. Set the radio button "Create a self-signed certificate" and click the "Create and import a certificate..." button.

There are two other options, though:

  • importing a previously obtained certificate (self-signed or issued by a third party);
  • obtaining a certificate from a third-party CA (for example, Comodo) and importing it.

In the "Create Self-Signed Certificate" window, check the settings and click the "OK" button.

The system will notify you that the certificate was created successfully and will also show where the certificate file itself can be found. Press the "OK" button.

In the server properties window, click the "Apply" button.

The self-signed certificate is bound to TCP port 443 (the default SSL port).

For security reasons, we recommend changing the default SSL port. To do this, in the main menu of the window select "Actions" → "Properties".

Go to the "Transport Options" tab and set the desired value in the "HTTPS port" field. Save the settings by clicking the "Apply" button.

The system will ask for confirmation; answer "Yes".
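Creating the self-signed certificate and binding it to the gateway from PowerShell, as an added example that is not from the original article. The host name and export path are assumptions; the RDS:\GatewayServer\SSLCertificate\Thumbprint item is the provider's documented binding point.

```powershell
# Added example: create a self-signed certificate, bind it to the RD Gateway and export
# the public part for clients. Host name and file path are assumptions.
$fqdn = "rdgw.corp.example.com"   # assumption: the name clients will type into the RDP client

Import-Module RemoteDesktopServices

# 1. Create the certificate in the machine store. The DNS name must match the name clients
#    connect to; a name mismatch is rejected by the RDP client even if the issuer is trusted.
$cert = New-SelfSignedCertificate -DnsName $fqdn `
                                  -CertStoreLocation "Cert:\LocalMachine\My" `
                                  -KeyLength 2048 `
                                  -NotAfter (Get-Date).AddYears(2)

# 2. Bind it to the gateway (same effect as "Create and import a certificate" in the GUI).
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 3. Export the public certificate. Because it is self-signed, every client must import it
#    into Trusted Root Certification Authorities; a CA-issued certificate avoids this step.
Export-Certificate -Cert $cert -FilePath "C:\rdgw-$fqdn.cer" | Out-Null

# 4. Verify the binding; the thumbprint shown here is what clients should see.
Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint | Select-Object Name, CurrentValue
```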

Let's connect through the gateway.

Open the RDP client, go to the "Advanced" tab and click the "Options" button.

In the window that opens, select "Use the following Remote Desktop Gateway server settings". Specify the domain name of the server and, separated by a colon (:), the SSL port. The logon method is "Request a password". Click "OK".

Go to the "General" tab. Specify the address of the computer and the user account under which the connection will be made. Press the "Connect" button.

The program will ask for a password for the account.
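The same client configuration written as a standard .rdp file and opened with mstsc, as an added example that is not part of the original article. The gateway name, HTTPS port, target computer and user name are assumptions.

```powershell
# Added example: build an .rdp file with the gateway settings from the dialog above and open it.
# Host names, port and user are assumptions.
$gateway = "rdgw.corp.example.com"   # the gateway's DNS name (must match its certificate)
$sslPort = 4443                      # the HTTPS port set in "Transport Options" (443 if unchanged)
$target  = "srv01.corp.example.com"  # the computer behind the gateway
$user    = "CORP\alice"
$rdpFile = Join-Path $env:USERPROFILE "Desktop\$target-via-gateway.rdp"

# Each line is one setting of the standard .rdp format:
#   gatewayhostname             = "server:port" as entered in the gateway dialog
#   gatewayusagemethod 1        = always use the gateway
#   gatewaycredentialssource 0  = "Request a password" (ask for password, NTLM)
#   gatewayprofileusagemethod 1 = use these explicit settings rather than the defaults
$settings = @(
    "full address:s:$target"
    "username:s:$user"
    "gatewayhostname:s:${gateway}:$sslPort"
    "gatewayusagemethod:i:1"
    "gatewaycredentialssource:i:0"
    "gatewayprofileusagemethod:i:1"
    "promptcredentialonce:i:1"
    "prompt for credentials:i:1"
)
Set-Content -Path $rdpFile -Value $settings -Encoding ASCII

# Launch the RDP client with the file; it prompts for the account password, as described above.
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdpFile`""
```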

The result of the gateway's operation can be checked with a route trace: the tracert command.
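Two further checks, as an added example that is not from the original article: from the client, whether the gateway's HTTPS port is reachable, and on the gateway itself, what its operational log recorded for the connection and resource authorization policies (the "failed attempts" the article mentions as audit material). Host name and port are assumptions.

```powershell
# Added example: verify the gateway from the client side and audit it from the server side.
$gateway = "rdgw.corp.example.com"   # assumption
$sslPort = 4443                      # assumption: the HTTPS port chosen in "Transport Options"

# Client side: the only port a remote user needs to reach is the gateway's HTTPS port;
# RDP port 3389 on the internal servers should NOT be reachable from outside.
$tcp = Test-NetConnection -ComputerName $gateway -Port $sslPort
"Gateway $gateway port $sslPort reachable: $($tcp.TcpTestSucceeded)"

# Server side (run on the gateway): every policy decision lands in this operational log.
# Documented event IDs: 200/201 CAP met / not met, 300/301 RAP met / not met,
# 302 user connected to a resource, 303 user disconnected.
$log   = "Microsoft-Windows-TerminalServices-Gateway/Operational"
$since = (Get-Date).AddHours(-24)

# Summary: how many of each event in the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = "EventId"; e = { [int]$_.Name } }, Count |
    Sort-Object EventId

# Detail: failed CAP/RAP checks (201/301), one line each, with the user and client named in the message.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Id = 201, 301 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } }
```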
