RDS8 - Gateway and Certificates on Windows Server 2012

By Shannon Fritz

As the name implies, Remote Desktop Services is a way of delivering services for desktops that are not “local”. However, the Quick and Standard deployments of RDS do not include a key component that makes these services available from outside your organization: the RDS Gateway. This role acts as a proxy over HTTPS, allowing a client to tunnel over SSL to your internal resources, limiting exposure and securing communications. In Server Manager, if you want to deploy a separate server for the RDGW role, you’ll want to add that new server to the console which is already managing the rest of your RDS environment. I like to use the manager on the RDCB for this, but any Server Manager console that is managing all of your RDS hosts will work just the same.


In this example I am going to be adding the role to the same server that is already running the RDWA role, so the RDGW and RDWA will be on one server. From the Remote Desktop Services area just click on the big green + above RD Gateway to get started.

Select the server that you want to install the role on and add it to the Selected list on the right. Pick a DNS name that clients will connect to in order to use the Gateway.


This should be the External DNS name that resolves to an IP address that NATs port 443 to the RDGW server. NOTE: In this example the RDGW and RDWA roles are on the same server, both of which use port 443. However, if you also NAT port 80 then the RDWA server will redirect web browsers from HTTP to HTTPS. Without access to port 80 your users will have to remember to type https:// when accessing the RDWA. It’s just being nice to your users really. Also notice that the wizard mentions a Self-Signed Certificate. We will change this in just a moment, so click Next.


On the Confirmation page just click Add if you’re happy with the config.


Once completed successfully click Close. 


Notice the warning that a certificate must be configured. You can click on Configure certificate, but if you click Close you can still manage the certificate by selecting “Edit Deployment Properties” under the Overview Tasks.


At this point you can decide to create a new Self-signed certificate that you would apply to all roles, but if you’re going to be putting this into production I would suggest using a 3rd party certificate that all clients will trust by default. I prefer a wildcard certificate for the external domain name being used for the RDWA and RDGW roles.


When you click “Select existing certificate” you will want to select a .pfx file that contains the Private Key of the certificate. Without the Private Key, the server will not be able to use the certificate. Once you’ve entered the password and checked the box to allow it to be added to the trusted root CAs, click OK and then Apply the changes. Once you apply the certificate, do it again for all the remaining roles.
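The server-side steps above (adding the RDGW role with its external DNS name, then applying one trusted certificate to every role) can also be scripted with the RemoteDesktop module that ships with the RDS role on Server 2012. This is an added example, not code from the original post; the broker and gateway host names, the external FQDN and the PFX path are assumptions, and the pre-checks on the PFX are the ones I would want before touching a production deployment.

```powershell
# Added example (not from the original post): scripted version of the steps above.
# Hypothetical names: rdcb01.corp.example, rdwa01.corp.example, remote.example.com
Import-Module RemoteDesktop

$Broker       = 'rdcb01.corp.example'                 # assumption: existing RDCB
$GatewayHost  = 'rdwa01.corp.example'                 # assumption: RDWA box also gets RDGW
$ExternalFqdn = 'remote.example.com'                  # assumption: name that NATs 443 to RDGW
$PfxPath      = 'C:\certs\wildcard-example-com.pfx'   # assumption: PFX including private key
$PfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1: add the RD Gateway role and set the external DNS name clients will use.
Add-RDServer -Server $GatewayHost -Role RDS-GATEWAY -ConnectionBroker $Broker `
    -GatewayExternalFqdn $ExternalFqdn

# Step 2: sanity-check the PFX before importing it. Without the private key the server
# cannot use the cert, and a name mismatch means every client sees a trust warning.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $PfxPath, $PfxPassword, 'DefaultKeySet')
if (-not $cert.HasPrivateKey) { throw "PFX at $PfxPath has no private key" }
$names   = $cert.DnsNameList.Unicode      # CN plus SANs; a wildcard shows as *.example.com
$covered = $names | Where-Object {
    # simplified wildcard check: exact match, or the FQDN fits a *.domain pattern
    $_ -eq $ExternalFqdn -or ($_ -like '`*.*' -and $ExternalFqdn -like $_)
}
if (-not $covered) { throw "Certificate names ($($names -join ', ')) do not cover $ExternalFqdn" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Step 3: apply the same certificate to every role (the wizard makes you repeat this per role).
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# Step 4: confirm no role is still on the self-signed certificate.
Get-RDCertificate -ConnectionBroker $Broker |
    Format-Table Role, Level, ExpiresOn, IssuedTo, IssuedBy -AutoSize
```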


Now your client computers can use the Gateway setting found under More Options / Advanced / Connect from anywhere Settings. Under Server Name simply punch in the external FQDN of the gateway server.


With that set you can now try connecting to the internal name of any server on your company network. When you are prompted for credentials you’ll notice the broker name is listed as one of the servers in the connection path.


And you’re all set! Now you can use RemoteApp and Desktops from anywhere. N’joy!

Author

Shannon Fritz

Infrastructure Architect & Server Team Lead