Moving the RDP listener to a non-standard TCP port does little for the security of a Windows Server: the service is still reachable from the Internet, only slightly less obvious. In this article, we will cover how to set up the Remote Desktop Gateway (RDG) role in an Active Directory domain, so that remote users reach internal hosts through an HTTPS (TLS, still labelled "SSL" in the console) tunnel governed by authorization policies, without deploying a VPN.
What is Remote Desktop Gateway?
Remote Desktop Gateway is a Windows Server role service that accepts RDP sessions from outside the network and forwards them to internal hosts over an HTTPS tunnel (TLS on TCP 443, plus an optional UDP transport on 3391 on Windows Server 2012 and later). Only the gateway is exposed; the internal RDP hosts stay unreachable from the outside. The main advantage of this solution is that remote users can connect to internal resources without a VPN client, while the gateway enforces who may connect and to which hosts.
In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services; older documentation calls this role TS Gateway.
Benefits of Remote Desktop Gateway
- Secure Connection: the RDP stream is wrapped in TLS ("SSL" in the console), so traffic between the client and the gateway is encrypted and authenticated by the gateway's certificate.
- VPN-Free Access: remote users reach internal hosts without a VPN client; the gateway is the only entry point.
- Access Control: connection authorization policies (CAPs) decide who may connect and how they authenticate; resource authorization policies (RAPs) decide which internal computers and ports they may reach.
- Works Behind Firewalls and NAT: only TCP 443 (and optionally UDP 3391) has to be published to the gateway; internal RDP ports are never exposed.
- Flexible Configuration: per-policy control of device and drive redirection, timeouts, and authentication methods (password or smart card).
- Monitoring and Auditing: active sessions are listed in the console, and CAP/RAP decisions, connects and disconnects are written to the Microsoft-Windows-TerminalServices-Gateway/Operational event log.
The Remote Desktop Gateway server must be joined to the Active Directory domain whose users and computers the policies will reference. Installing and configuring the role requires local administrator rights on the gateway server; the steps below assume a domain administrator account, which is the simplest but not the least-privileged choice.
Installing the Remote Desktop Gateway Role
- Open Server Manager.
- Select Add Roles and Features.
- Choose Role-based or feature-based installation.
- Select the target server.
- Under Server Roles, check Remote Desktop Services.
- In the Role Services section, select Remote Desktop Gateway and accept the dependencies the wizard adds (Web Server (IIS), Network Policy Server and RPC over HTTP Proxy); the gateway cannot run without them.
- Confirm and click Install.
Configuring Connection and Resource Authorization Policies
- Open Remote Desktop Gateway Manager.
- In the left pane, expand your server name - Policies - Connection Authorization Policies.
- In the right pane, select Create New Policy - Wizard.
- Choose the recommended option: Create a policy for authorization of remote desktop connections and authorization of remote desktop resources. Click Next.
- Enter a policy name (plain ASCII names are safest).
- Choose authentication methods; typically, select Password only. Smart card is the stronger option if your users have them.
- Add the groups allowed to connect by clicking Add Group... - Advanced - Find Now. Prefer a dedicated security group (for example one created for gateway users) over Domain Admins: the policy should admit only the people who need remote access, and highly privileged accounts should not be the ones arriving from the Internet.
- Decide which device redirection to allow. Drive and clipboard redirection are the usual paths for moving data out of the internal network; leave them disabled unless a business need exists.
- Set idle and session timeout values (in minutes) so abandoned sessions are disconnected.
- Review and confirm settings.
- Configure the Resource Authorization Policy similarly: policy name, the same user groups, and the network resources they may reach. Select an AD group containing only the hosts that should be reachable through the gateway (jump hosts or specific servers); the page's original example names domain controllers, which is exactly what a gateway should not expose.
- Specify the RDP port(s) allowed on the target hosts (default is 3389; change it only if the hosts actually listen elsewhere).
- Finish the wizard.
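The same role installation and CAP/RAP configuration can be scripted. The following is an added example, not code from the original article: it uses the `Install-WindowsFeature`, `ActiveDirectory` and `RemoteDesktopServices` (RDS: provider) modules that ship with Windows Server. The domain name `contoso`, the groups `RDG-Users` and `RDG-Hosts`, the host `JUMP01` and the policy names are assumptions; the RDS: provider parameter values (AuthMethod 1 = password, ComputerGroupType 1 = AD group) follow the provider documentation and should be confirmed for your OS version.

```powershell
# Added example (not from the original article). Run elevated on the future gateway server.
# Assumed names: domain contoso, groups RDG-Users / RDG-Hosts, jump host JUMP01,
# policies RDG-CAP / RDG-RAP. Provider parameter values are from the RDS: provider docs.

# 1. Install the RD Gateway role service; IIS, NPS and RPC over HTTP Proxy come with it.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. Dedicated groups instead of Domain Admins: who may connect, and which hosts they may reach.
Import-Module ActiveDirectory
$domain = 'contoso'                                    # assumed NetBIOS domain name
New-ADGroup -Name 'RDG-Users' -GroupScope Global -GroupCategory Security -Description 'Allowed through RD Gateway'
New-ADGroup -Name 'RDG-Hosts' -GroupScope Global -GroupCategory Security -Description 'Hosts reachable via RD Gateway'
Add-ADGroupMember -Identity 'RDG-Hosts' -Members (Get-ADComputer -Identity 'JUMP01')   # assumed jump host

# 3. Connection Authorization Policy: password auth, RDG-Users only,
#    no drive/clipboard redirection, idle and session timeouts in minutes.
Import-Module RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'RDG-CAP' -UserGroups "RDG-Users@$domain" -AuthMethod 1
Set-Item -Path 'RDS:\GatewayServer\CAP\RDG-CAP\IdleTimeout'    -Value 30
Set-Item -Path 'RDS:\GatewayServer\CAP\RDG-CAP\SessionTimeout' -Value 480
Set-Item -Path 'RDS:\GatewayServer\CAP\RDG-CAP\DeviceRedirection\DiskDrives' -Value 0
Set-Item -Path 'RDS:\GatewayServer\CAP\RDG-CAP\DeviceRedirection\Clipboard'  -Value 0

# 4. Resource Authorization Policy: RDG-Users may reach only members of RDG-Hosts, on TCP 3389.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RDG-RAP' -UserGroups "RDG-Users@$domain" `
         -ComputerGroupType 1 -ComputerGroup "RDG-Hosts@$domain" -PortNumbers 3389

# 5. Review the resulting settings (each policy property is a child item of the policy).
Get-ChildItem 'RDS:\GatewayServer\CAP\RDG-CAP' | Format-Table Name, CurrentValue
Get-ChildItem 'RDS:\GatewayServer\RAP\RDG-RAP' | Format-Table Name, CurrentValue
```

Keeping the user group and the host group separate from built-in groups makes the policies reviewable: membership of `RDG-Users` and `RDG-Hosts` is the complete list of who can enter and where they can go.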
Installing an SSL Certificate
- In Remote Desktop Gateway Manager, select your server in the left pane.
- In the main window, click View and change certificate properties.
- On the SSL Certificate tab, either select Create a self-signed certificate and click Create and import certificate..., or import an existing certificate (one issued by your internal CA or by a public CA such as Comodo). A self-signed certificate is acceptable for a lab only: the Remote Desktop client refuses a gateway whose certificate chain it cannot validate, so a self-signed certificate has to be installed in the Trusted Root store of every client, and the subject name must match the name users type into the client.
- Confirm creation and application of the certificate.
- The console lets you move the HTTPS listener off port 443 (Actions - Properties - Transport Settings, set the new port, apply and confirm). Treat this as optional: a non-default port hides the gateway from the most casual scans but is not a security control, it has to be typed into every client, and it breaks tools that assume 443. The controls that actually matter are a trusted certificate, tightly scoped CAP/RAP groups, and keeping the gateway patched.
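Binding the certificate can also be done from PowerShell. This is an added example, not code from the original article: it prefers a CA-issued PFX and falls back to a self-signed certificate for lab use, then binds it through the RDS: provider's `SSLCertificate\Thumbprint` item (the same thing the SSL Certificate tab does). The name `rdg.contoso.com` and the paths under `C:\certs` are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the gateway server.
# Assumed: public name rdg.contoso.com, optional CA-issued PFX at C:\certs\rdg.pfx.
Import-Module RemoteDesktopServices
$fqdn = 'rdg.contoso.com'     # the name clients will type; must match the certificate subject or SAN
New-Item -ItemType Directory -Path 'C:\certs' -Force | Out-Null

if (Test-Path 'C:\certs\rdg.pfx') {
    # Preferred: certificate from an internal or public CA, imported with its private key.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath 'C:\certs\rdg.pfx' `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
}
else {
    # Lab fallback: self-signed. Clients refuse a gateway they cannot validate, so the
    # public part must be imported into each client's Trusted Root store (see note below).
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My' `
                                      -NotAfter (Get-Date).AddYears(2)
    Export-Certificate -Cert $cert -FilePath 'C:\certs\rdg-public.cer' | Out-Null
    # On each client, elevated:
    #   Import-Certificate -FilePath rdg-public.cer -CertStoreLocation Cert:\LocalMachine\Root
}

# Bind the certificate to the gateway by thumbprint.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# Verify the binding, the name it covers, and when it expires (put the expiry in your monitoring).
Get-ChildItem 'RDS:\GatewayServer\SSLCertificate'
$cert | Select-Object Subject, DnsNameList, NotAfter, Thumbprint
```

The script deliberately does not touch the HTTPS port: the listener stays on 443, so clients only need the gateway name.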
Connecting via Remote Desktop Gateway
- Open the Remote Desktop client (mstsc.exe).
- Go to the Advanced tab → Settings.
- Choose Use these RD Gateway server settings.
- Enter the gateway server domain name and SSL port (separated by a colon), set authentication to Ask for password. Click OK.
- Switch to the General tab, enter the target computer address and user name.
- Click Connect and enter your password when prompted.
- To confirm that the session really went through the gateway, open Monitoring under the server name in Remote Desktop Gateway Manager, which lists the connected user, client address and target resource; the Microsoft-Windows-TerminalServices-Gateway/Operational event log on the gateway records the CAP and RAP decisions and each connect and disconnect. Inside the session, ipconfig or tracert shows you are on the internal network; running tracert from the client to the internal host proves nothing, because the RDP stream is tunnelled inside HTTPS rather than routed.
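The client-side steps above, plus the checks a practitioner would run before and after, as an added example that is not part of the original article. The script first confirms the gateway port is reachable and that this client trusts the gateway's certificate (the same validation mstsc performs), then writes the gateway settings into an .rdp file and launches it; the last block is meant to be run on the gateway to read the authorization events. `rdg.contoso.com`, `JUMP01.contoso.local` and `contoso\alice` are assumptions.

```powershell
# Added example (not from the original article). Steps 1-2 run on the Windows client,
# step 3 on the gateway. Assumed: gateway rdg.contoso.com:443, host JUMP01, user contoso\alice.
$gateway = 'rdg.contoso.com:443'        # host:port, exactly as typed into mstsc's RD Gateway dialog
$target  = 'JUMP01.contoso.local'
$user    = 'contoso\alice'

# 1. Reachability and certificate check. AuthenticateAsClient validates the chain the way
#    mstsc does, so an AuthenticationException here predicts a refused gateway.
$gwHost, $gwPort = $gateway.Split(':')
Test-NetConnection -ComputerName $gwHost -Port ([int]$gwPort) |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
$tcp = New-Object System.Net.Sockets.TcpClient($gwHost, [int]$gwPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($gwHost)
    "Gateway certificate trusted: $($ssl.RemoteCertificate.Subject), protocol $($ssl.SslProtocol)"
}
catch [System.Security.Authentication.AuthenticationException] {
    "Gateway certificate NOT trusted by this client: $($_.Exception.Message)"
}
finally { $tcp.Dispose() }

# 2. The settings the Advanced > Settings dialog stores, written as an .rdp file:
#    always use the gateway (usagemethod 1), ask for password (credentialssource 0),
#    explicit gateway settings (profileusagemethod 1), no drive redirection.
@"
full address:s:$target
username:s:$user
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
drivestoredirect:s:
"@ | Set-Content -Path "$env:TEMP\via-gateway.rdp" -Encoding ASCII
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$env:TEMP\via-gateway.rdp`""

# 3. On the gateway: CAP/RAP decisions and connects from the last hour.
#    IDs 200/201 = CAP met/failed, 300/301 = RAP met/failed, 302 = connected, 303 = disconnected.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A burst of 201 or 301 events from a single client address is the signal to alert on: it means someone authenticated to the gateway (or is guessing credentials) but is being stopped by the policies.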
Conclusion
Configuring Remote Desktop Gateway gives remote users access to internal hosts without a VPN, with the RDP stream wrapped in TLS and every connection checked against connection and resource authorization policies. It does its job only when those policies are tight: a dedicated user group rather than Domain Admins, a dedicated group of reachable hosts rather than domain controllers, redirection disabled unless needed, and a certificate that clients actually trust. Changing the default port is optional and buys little; keeping the gateway patched and watching its event log buys a great deal more.
FAQ
1. Does Remote Desktop Gateway need to be installed in an Active Directory domain?
Yes, the RD Gateway server must be domain-joined, because the policies are built from AD user and computer groups. Installing and configuring the role needs local administrator rights on the gateway server; a domain administrator account works but is not required for every step.
2. Can RD Gateway be used without a VPN?
Yes, RD Gateway provides secure remote access over SSL without VPN.
3. How do I change the SSL port used by RD Gateway?
In Remote Desktop Gateway Manager, go to Actions → Properties → Transport Settings, and specify a new port.
4. Can I restrict access to RD Gateway to specific users?
Yes, connection authorization policies allow specifying user groups and conditions for access.
5. What if I don’t have a trusted SSL certificate?
You can create a self-signed certificate via RD Gateway Manager, but the Remote Desktop client will not connect to a gateway it cannot validate, so the self-signed certificate must be placed in the Trusted Root store of every client and its name must match the gateway name users type. For external access, use a certificate from a trusted CA instead.