Deploying the RD Gateway Service Role in a 2012 / 2012 R2 RDS Farm

Applies to: Windows Server 2012 and 2012 R2

For any RDS farm, there is a very good chance users will be accessing the farm from a remote location outside of the corporate network. When doing so, it is critical to secure their connection, especially when corporate data is being accessed. In order to secure a user’s connection into an RDS farm, an RD Gateway server will be required. The RD Gateway enables authorized remote users to connect to resources in an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be RD Session Host servers, RD Session Host servers running RemoteApp programs, or computers with Remote Desktop enabled.

The following will cover the steps needed to deploy an RD Gateway server into a 2012 / 2012 R2 RDS farm. Before deploying the RD Gateway server, the RDS farm should already be built and configured. Please check out the following for more information on deploying a 2012 / 2012 R2 Remote Desktop Services (RDS) farm.

Requirements:
Existing 2012 / 2012 R2 RDS farm.
SSL certificate along with its private key.
Designated domain-joined Windows Server 2012 / 2012 R2 server.

Within Server Manager, highlight the Overview section of the Remote Desktop Services node. Inside the deployment section, click on the RD Gateway button.

A wizard will come up which will ask you to select the RD Gateway server. Find the designated server, add it, and hit next. Here our designated server is RDGWY01.

It will then ask for the FQDN which will be used to connect to the RD Gateway Server. This must match the FQDN listed on the SSL certificate which will be used for the deployment. Enter the FQDN and hit Next. In our example, our SSL certificate and RD Gateway FQDN is remote.demolab.int.

Confirm the settings and hit Add.

Once completed, click on the configure certificate link in order to install the SSL certificate.

On the Manage Certificate window, highlight the RD Gateway Role service and click on the button “Select existing certificate”.

The certificate we will be using for our RD Gateway is located in the directory \\dc01\d$\Certs. Click on the browse button.

Locate and select the certificate and hit the open button.

Enter the password for the certificate and check the box “Allow the Certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.

Back on the deployment properties screen, hit apply.

Once it is applied successfully, close the deployment properties window and the RD Gateway wizard.

Congratulations! You have successfully deployed the RD Gateway server for your 2012 / 2012 R2 Remote Desktop farm.
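The same deployment driven from the RemoteDesktop PowerShell module, as an added example that is not part of the original post; it reuses RDGWY01 and remote.demolab.int from the walkthrough, assumes a connection broker named RDCB01.demolab.int and a PFX file name under the \\dc01\d$\Certs share, and adds a certificate sanity check (FQDN match, private key present, not expired) that the wizard does not show.

```powershell
# Added example (not from the original post). Names from the walkthrough:
# RDGWY01 and remote.demolab.int. Assumed: broker RDCB01.demolab.int and the PFX file name.
Import-Module RemoteDesktop

$Broker       = 'RDCB01.demolab.int'                      # assumed RD Connection Broker
$Gateway      = 'RDGWY01.demolab.int'                     # designated domain-joined server
$ExternalFqdn = 'remote.demolab.int'                      # name clients will connect to
$PfxPath      = '\\dc01\d$\Certs\remote.demolab.int.pfx'  # assumed file name in the share
$PfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Sanity-check the certificate before it goes on the gateway: it must carry the
#    external FQDN (subject CN or a SAN entry), include the private key, and be valid.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $plain)
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # Subject Alternative Name
         ForEach-Object { $_.Format($true) }) -join ' '
if (-not $cert.HasPrivateKey)      { throw "$PfxPath does not contain the private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.Subject -notmatch "CN=$([regex]::Escape($ExternalFqdn))(,|$)" -and
    $san -notmatch [regex]::Escape($ExternalFqdn)) {
    throw "Certificate is not issued for $ExternalFqdn (subject: $($cert.Subject))"
}

# 2. Add the RD Gateway role service to the existing deployment and register the
#    external FQDN (the wizard pages for server selection, FQDN and confirmation).
Add-RDServer -Server $Gateway -Role RDS-GATEWAY -ConnectionBroker $Broker `
             -GatewayExternalFqdn $ExternalFqdn

# 3. Bind the certificate to the RD Gateway role (the Manage Certificate pages).
#    There is no "add to Trusted Root" option here; that step only matters when the
#    certificate comes from a private CA the connecting clients do not already trust.
Set-RDCertificate -Role RDGateway -ImportPath $PfxPath -Password $PfxPassword `
                  -ConnectionBroker $Broker -Force

# 4. Confirm what the deployment now records for the gateway and its certificate,
#    and that the public name actually resolves.
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker | Format-List
Get-RDCertificate -Role RDGateway -ConnectionBroker $Broker | Format-List
Resolve-DnsName -Name $ExternalFqdn -Type A -ErrorAction SilentlyContinue
```

Run it from a server that has the RDS management tools installed, using an account that is an administrator on the broker and on RDGWY01.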

© 2014 Eddie Kwasnik “the Wolf” All Rights Reserved

  1. #1 by Has on April 13, 2014 - 3:49 pm

    Hi,
    Thanks for this great guide. Can you please advise where on the network the RDS Gateway should be placed? For Server 2008 R2, if you placed it in the internal LAN, you had to place TMG in front of it (I’ve seen TMG placed in the DMZ and in the LAN). As TMG (and UMG) are being retired, what options do we have for placing the RDS GW in the internal LAN? For example, can Server 2012 R2’s secure application publishing help in any way?
    Thanks,
    Has

    • #2 by Eddie Kwasnik on April 14, 2014 - 2:45 pm

      Great question. One of the things I’ve always had problems with is the fact that the RD Gateway has a requirement of being domain joined. This is needed in order to process the RD Gateway CAP and RAP policies. By using a server like UAG or TMG, it gives an added set of protection. With 2012 R2, as far as I am aware, there is no requirement to place a TMG or UAG server in front of the RD Gateway server.

      For the clients I’ve worked with, I went over the different firewall rules and security concerns needed for both scenarios and, based on their company’s security requirements, allowed them to make the decision on the location of the RD Gateway server. Either location is still a concern since the server is still domain joined. The easiest is to have it within the LAN since there are fewer firewall rules to make, but that doesn’t make it the most secure. Another alternative is to incorporate a device similar to F5’s Big-IP with the RDS environment.

  2. #3 by aspiringmaniac169.jimdo.com on May 7, 2014 - 8:42 pm

    All of these posts are genuinely instructive.

  3. #4 by Joe Sparks on June 9, 2014 - 4:28 pm

    I did all this and the cert error has gone away, but I cannot get access from the outside. I put the GW in the DMZ and created the necessary rules, joined it to the domain and can even remote in to manage. I then assigned a public IP to it and created a DNS entry on our ISP. I did an nslookup on the name and it resolved, but when I try to get to the site using a browser from an external ISP I get a “This Page Can’t Be Displayed”. It would be better if I at least got an IIS error. Any ideas?

    • #5 by Eddie Kwasnik on June 9, 2014 - 10:43 pm

      Did you install the rd web access role on the gateway? If not, add the role to the gateway server.

      • #6 by Joe Sparks on June 9, 2014 - 11:24 pm

        No, I did not. I will do that tomorrow.
