Remote Desktop Services – Full Desktop Sessions vs Start Program Automatically vs RemoteApp/RDWeb

FULL DESKTOP SESSIONS:  The most common method of using Remote Desktop Services (RDS) in Windows Server 2016 or Windows Server 2019 is full “desktop sessions”, where each user has their own desktop session to modify/customize the desktop, open programs (usually in simultaneous, multi-user mode, i.e. a split MS Access application where each user has their own front-end), save and share files, open MS Office documents (if Office is installed), etc.  Users can share files with other users through public folders.  Desktop sessions are the default method in RDS and are typically easy to use from any device with the Microsoft Remote Desktop Connection client, which is built in on Windows PCs and can be downloaded for Macs, iPhone, Android, etc.  If you need to share and save files, interface with Office, install several applications, or have full desktop features, you will likely want to use regular/full desktop sessions without adding the advanced configuration and complexity of RemoteApp/RDWeb.  An RDS setup with full desktop sessions can be set up within a few hours.

START PROGRAM AUTOMATICALLY UPON LOGON:  If you want some (or all) users to open only one particular program/application when logging into the server, and don’t want to provide a full desktop session, you can set this up in each individual user’s profile settings on the Environment tab under Properties.  This is easy to set up and you can do it on a user-by-user basis.  Starting with Windows Server 2016, there is a registry key that must be set for this to work, so please contact Riptide Hosting to change this registry key.  Using this will make your application open automatically when a user logs into the server, and when they close the application the entire session will close without ever providing a desktop session.  This option may work if you have a single program for users to access and don’t want to provide a desktop session.  This option probably will not work well for you if you have multiple applications, need users to save or share files, or export files to Excel, etc. (then you would want full desktop sessions).  Contact us for a few screenshots of this option.  For example, in the Environment tab of the particular user’s properties, check the box by “Start the following program at logon” and in the “Program file name” field use a path similar to this, which would start an MS Access application:  “C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE” “C:\users\xxx\xxx.mdb or .accde”

REMOTEAPP/RDWEB:  RemoteApp/RDWeb is an RDS role that can be installed separately, where users log in to a website (https://yourdomainname/rdweb or https://yourIPaddress/rdweb) and only see the applications that you have published to them.  RemoteApp/RDWeb is a great role to use when you don’t want to provide a desktop session, but it is much more complex to set up and requires the server to be connected to a domain (either domain joined, or install the Active Directory Domain Services (ADDS) role on the server), and that you install the RD Connection Broker role and the RD Web Access role.  If you install the ADDS role on the same/single server, you must install ADDS before you install the RDS roles (RD Session Host, RD Gateway, RD Connection Broker, RD License Server, and RD Web Access).  With RemoteApp you will want to install trusted SSL certificates for use with all RDS roles.  Historically RemoteApp did not work particularly well for Mac users and browsers other than Internet Explorer (due to ActiveX requirements), but these limitations have gone away in newer versions of Windows Server.  With RemoteApp/RDWeb, you would access your applications through a website at https://IPADDRESSorFQDN/rdweb.  We recommend you use an IT consultant/firm that has done it before for setting up RemoteApp/RDWeb, and we can provide referrals if needed.

FULL DESKTOP SESSIONS WITH GROUP POLICIES:  If you want to provide full desktop sessions but want to lock down what users can see or do more than is provided by default, you can set up group policies that affect non-administrator users.  Here is an old blog post on doing this on a workgroup server (if your server is domain joined, you can do this through the domain controller): https://www.riptidehosting.com/blog/how-to-create-group-policies-in-server-2012r2-that-only-affect-specified-users/  Setting up group policies is a very powerful method of locking down the server for regular users.  That said, it is relatively complex and easy to accidentally lock yourself out, so we would recommend you have us take a snapshot first before applying group policies.

Purchasing and Installing a Trusted SSL Certificate to use for RDGW & RDSH

Below are general steps to purchase/install a trusted SSL certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) installed on the same/single server in workgroup mode.  We created this based on using a trusted SSL cert from GoDaddy.  Our clients can ask for a more detailed tutorial of this process too.

1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.

2. You need the subdomain/URL/domain name that you will purchase the SSL cert for to resolve to the IP address of the server.  In this example, we want “RDP.widgets.com” to point to the IP address of the server, xxx.xxx.xxx.xxx.  You already own the domain name widgets.com (which can be any domain name you own through a registrar like GoDaddy).

Go to the parent domain name in GoDaddy, click on Manage DNS, go to the zone file section and click “Add record”.  Add an “A (Host)” record type with the host “RDP” (or whatever you are using in front of the domain name), which will make it “RDP.widgets.com”, and the IP address of the remote server.  Click OK/Save, and after a few minutes you will be able to ping the full name/URL and it should return the IP address of the remote server.

We have tried to use Let’s Encrypt (free certs expiring every 60 days) but found it difficult to use with Windows IIS at the time.

3. Create a certificate request on the remote Windows Server using IIS Manager

Open IIS Manager on the remote Windows Server; in the left pane under Connections, click on your server name.  In the middle window, double-click the “Server Certificates” icon, which will open the server certificates screen showing your currently used self-signed cert.  In the far right pane under Actions, click “Create Certificate Request”.

Fill out the appropriate fields: Common name (use the exact name of the URL you are requesting the SSL cert for, i.e. “RDP.widgets.com”), Organization and Organizational unit (could be your legal name), State (spelled out, not abbreviated), and Country (can be US).  We recommend changing the bit length to 2048.  Create a filename for the CSR (CSR = certificate signing request), which will be saved in c:\windows\system32 unless you specify the full path in the file name field.

4. Purchase SSL Cert at GoDaddy by inputting CSR info

Go back into your GoDaddy account.  Purchase an SSL cert (we used the DV type in this example) at GoDaddy ($79.99/yr, although you may be able to find a discount code for year 1).  After purchase, go back into your GoDaddy account to the SSL cert and press “Setup”.

Click on New Certificate, then choose “Input a CSR” (you will use the CSR you generated on the remote server via IIS Manager).  Do not select “Domain hosted with GoDaddy”.  In the domain/URL field, type what you want the SSL cert to be issued for, for example “RDP.widgets.com”.

Copy in the CSR text from the file you created on the remote server, using the entire text including the “—-BEG…—-” and “—-END…—-” lines.  Select the default GoDaddy SSL algorithm.

You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready/certificate issued.

5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager

Click download, choose IIS (Windows) and it will download the .zip file with certificate.  Copy this .zip file to the remote server and extract it.

Go back into the remote Windows Server, IIS Manager, the Server Certificates icon/section, and click on “Complete Certificate Request” under Actions.

Attach the security cert from the GoDaddy zip file and create a friendly name (the friendly name is just to identify the certificate).  You can put it in the Personal store.  For our example, we were able to skip doing anything with the intermediate cert and only had to attach the actual security cert.  In order to attach the security cert, we had to change the file type selection dropdown to show all files.  Press OK and exit IIS Manager.  Make sure you keep track of the SSL cert expiration date so you renew/reinstall prior to that date; otherwise you will be locked out of the remote server.

6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert

Open Remote Desktop Gateway Manager, then Properties and the SSL Certificate tab.  Choose the existing cert from the Personal store and select your new SSL cert.  Press Import, which will restart the Gateway services, and your current connection will be disconnected.  You will then have to connect with the new URL/SSL cert name in your local RDP connection client.

Go back to your local RDP connection client (the shortcut on the desktop if you created that previously) and change the IP address in the Computer name field (General tab) and the gateway name (Advanced tab) from the IP address to the URL/SSL cert name/FQDN you created, for example “RDP.widgets.com”.

7. Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)

If you see the warning that the certificate name doesn’t match and isn’t from a trusted CA, it is because the new GoDaddy cert isn’t being used for the RDSH (it is being used for RDGW but not RDSH, even though they are both on the same server) and the self-signed cert is still being used for the RDSH.  This seems to almost always happen in our experience.  (Note: this warning is different from the “unknown publisher” warning you may see because you are using a custom RDP connection file shortcut; for the “unknown publisher” warning you can click “don’t ask me again…” if you don’t want to see that message again.)

To fix this, use the PowerShell commands below (run as admin) to change the certificate used for RDSH (NOT the gateway) to the GoDaddy SSL cert you purchased.  Type each line separately, exactly as shown, except that the thumbprint in the third line must be filled in after the first line has run (the first line lists the certificates in the machine store, including the thumbprint of the new SSL cert, which you enter in the third line between the quotes).

Get-ChildItem "Cert:\LocalMachine\My"

$PATH = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH

Set-WmiInstance -Path $PATH -Arguments @{SSLCertificateSHA1Hash="ENTER-THUMBPRINT-HERE"}

Next try to connect again and you should not see the Certificate error message anymore.
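The same RDSH certificate change, as an added script that is not part of the original post: instead of copying the thumbprint by hand it looks the certificate up by subject name, refuses to bind an expired one, warns when the expiry-date lockout described in step 5 is getting close, and reads the listener setting back to confirm the change took. It assumes the cert is in Cert:\LocalMachine\My with the hostname in its subject (RDP.widgets.com is the post's placeholder) and is run from an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original post): bind the CA-issued certificate to the
# RD Session Host listener by subject name and verify the binding.
# Assumptions: certificate installed in Cert:\LocalMachine\My (the "Personal" store),
# subject CN = the hostname used to connect, RDP-Tcp listener, elevated prompt.

param(
    [string]$HostName = 'RDP.widgets.com',   # placeholder hostname from the post
    [int]$MinDaysValid = 30                  # warn this many days before expiry
)

# Newest non-expired certificate with a private key whose subject CN matches the hostname.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key for CN=$HostName found in Cert:\LocalMachine\My"
}

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 0) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew it before binding"
}
if ($daysLeft -lt $MinDaysValid) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days ($($cert.NotAfter)); schedule the renewal now"
}

# The RDP-Tcp listener is the Win32_TSGeneralSetting instance the three manual commands target.
$wmiArgs = @{ Class = 'Win32_TSGeneralSetting'; Namespace = 'root\cimv2\terminalservices'; Filter = "TerminalName='RDP-tcp'" }
$listener = Get-WmiObject @wmiArgs

if ($listener.SSLCertificateSHA1Hash -eq $cert.Thumbprint) {
    "RDSH already uses $($cert.Thumbprint) ($($cert.Subject))"
} else {
    "Replacing RDSH certificate $($listener.SSLCertificateSHA1Hash) with $($cert.Thumbprint)"
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
}

# Read the value back: a silent failure here usually means the listener's service account
# (NETWORK SERVICE) cannot read the certificate's private key.
$after = Get-WmiObject @wmiArgs
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "RDSH still reports $($after.SSLCertificateSHA1Hash); check private key permissions for NETWORK SERVICE"
}
"RDSH listener now presents $($cert.Subject), valid until $($cert.NotAfter)"
```

Run it again after the yearly renewal and it will pick up the newer certificate automatically, since it sorts by expiry date.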

Lastly, some clients have noted that they had to enter the username as SERVERNAME\username when connecting via the RDP connection client, so if you are still having issues, try that format in the RDP file too.

How to Install VPN server on Windows Server 2019

Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge.  The method below will set up a PPTP VPN using Windows Authentication, so it is password based and strong/complex passwords are still very important.  There are other protocols, such as L2TP/IPsec, certificate authentication, etc., which can result in a stronger security setup depending on your needs and environment.  Toward the end of this document we will show you how to enable L2TP with a preshared key and disable PPTP if you want to do that.  This post will detail how to set up the VPN role on a Windows server, how to set up the VPN connection client on your local Windows PC, how to stop RDP and other protocols from using the Public profile in the Windows Firewall, and finally how to extend the VPN setup to L2TP.  There is no additional cost for installing the VPN/RRAS role on Windows Server.

STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019

  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
  2. Open Server Manager, Dashboard, “Add Roles and Features” wizard, Next, then select “Role-based or feature-based installation”, Next, select your server, Next, then on the Select server roles screen select “Remote Access”; on the Select features screen you can use the defaults and press Next.  Under Remote Access Role Services select only “DirectAccess and VPN (RAS)” (choose to add the features that are automatically selected) and leave the other options, Routing and Web Application Proxy, unchecked, Next, leave the defaults under the Web Server Role Services, Next, click Install (takes a few minutes to install but usually doesn’t require a reboot).  (Screenshots: Installing Remote Access VPN-1, Installing Remote Access VPN-2)
  3. At the top bar of Server Manager you will see a yellow triangle; click on it to select “Open the Getting Started Wizard”, or click on “Remote Access” in the left window and click on More in the right window to get to “Open the Getting Started Wizard”.  (Screenshot: Open the Getting Started Wizard)
  4. Select “Deploy VPN only” (may take up to 1 minute to open).  (Note: if you deploy DirectAccess, that option requires the server to be connected to a domain, not workgroup mode.)  (Screenshot: Open the Getting Started Wizard - Deploy VPN only selection)
  5. Right click on the server name and select “Configure and Enable Routing and Remote Access”.  (Screenshots: Configure RRAS-1, Configure RRAS-2)
  6. Select “Custom configuration”.  (Screenshot: Configure RRAS-3)
  7. Select “VPN access” only, then Finish, Start Service.  Windows Firewall should automatically open the necessary ports (or you might see a message telling you to manually open the firewall rules).  Press OK on the message reminding you to open/enable the firewall rules.  (Screenshots: Configure RRAS-4, Configure RRAS-5, Configure RRAS-6)
  8. Go back to Routing and Remote Access by going to Server Manager, Tools (dropdown near the upper right corner of Server Manager), and selecting “Routing and Remote Access”.  Right click on the server name and select Properties.  Then go to the IPv4 tab to add a static IP address pool.  (Screenshot: Configure RRAS-7)
  9. Next, open “Network and Sharing Center” and click on “Change adapter settings”.  Right click on the Ethernet adapter, highlight the “Internet Protocol Version 4 (TCP/IPv4)” row, click Properties, Advanced, and add a secondary IP address, which is a private IP in the same subnet as the pool above; in this example we used 192.168.0.20 (this will be the IP address you can use to RDP to the server after the VPN connection is made).  (Screenshots: Ethernet adapter properties, Ethernet adapter properties-2)
  10. Next, adjust the settings for each user you want to be able to VPN to the server by going to Computer Management, Local Users and Groups, Users; right click on the individual user and open Properties.  Go to the “Dial-in” tab and change the “Network Access Permission” section to “Allow access” (instead of “Control access through NPS Network Policy”).  You need to do this for each user you want to allow VPN access to the server.  (Screenshot: Change User Properties Dial-In to Allow Access)
  11. Open the Windows Firewall rules for PPTP (PPTP requires both PPTP-In and GRE-In) and for the other VPN protocols if you might use them (L2TP or SSTP).  (Screenshot: Windows Firewall Inbound Rule PPTP GRE L2TP SSTP)
  12. It is usually a good idea to reboot the server at this point even if it doesn’t ask for a reboot.

SETUP VPN CONNECTION ON LOCAL PC (to connect the local PC to the offsite server via VPN)

  1. On your local PC, go to Control Panel, Network and Internet, Network and Sharing Center, and “Set up a new connection or network”, then “Connect to a workplace / set up a VPN” or “Add a VPN connection”.  Select “Use my Internet connection”.  (Screenshot: Setup VPN connection on Local PC)
  2. Enter the IP address of the server you will connect to; this is the public IP address (not the private IP address you set up above, 192.168.x.x).
  3. Enter a description name for the connection, then Create.
  4. Then go to your VPN connection by clicking the Start icon and typing VPN, or going to notifications and clicking VPN.
  5. Click on the VPN connection you just set up and press Connect.  Enter the username and password on the next screen and click “Connect”.
  6. You can adjust settings (security settings and others) by going back to the connection and entering Properties (go to Change adapter settings, find the connection, right click for Properties, where you can change settings to match the VPN settings on the server if needed).  You can also change the VPN settings on the server.

VERIFY THIS AND UNCHECK THE BOX BY “USE DEFAULT GATEWAY ON REMOTE NETWORK”, OTHERWISE ALL YOUR TRAFFIC INCLUDING WEB BROWSING WILL GO THROUGH THE REMOTE SERVER, WHICH WILL LESSEN YOUR PERFORMANCE.  NOTE: If you can no longer access the internet on your local machine once the VPN connects, you can change this by going to the Networking tab in Properties of the VPN connection, highlighting the TCP/IPv4 row, clicking Properties, clicking Advanced, and unchecking “Use default gateway on remote network”.  (You may have to disconnect and reconnect before this change will apply.)  (Screenshot: Local PC VPN connection - uncheck use default gateway)

ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE

Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method.  You should properly test any changes made.

  1. Make sure you are logged in via RDP over the VPN to the private IP (192.168.0.20 in this example) before changing the rules below.
  2. First make sure the RAS interface on the server is set to the Private firewall profile in “Network and Sharing Center” on the server.  If it isn’t (most likely it is set to Public, so you will have to change it), change it as follows: gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies, and assign “RAS (Dial In) Interface” to a Private network profile.  (Alternative method: Start, secpol, Network List Manager Policies, right click on RAS Interface, Network Location tab, change it to Private.)  (Screenshots: RAS interface must be changed to Private Profile, -2, -3)
  3. Next, open Windows Firewall with Advanced Security and modify these 4 inbound rules:
    • “Remote Desktop Services – User Mode (TCP-In)”
    • “Remote Desktop Services – User Mode (UDP-In)”
    • “Remote Desktop – User Mode (TCP-In)”
    • “Remote Desktop – User Mode (UDP-In)”
    and turn them off for the Public profile.  You could/should also modify other rules affecting the Public profile to restrict access to the Private profile only.  (Screenshot: Adjust inbound firewall rules to exclude public profile)
  4. Now it is time to connect and test your changes.
  5. Connect to the server via VPN first; then you can RDP to the server using the private IP (192.168.0.20 in the example above) while the VPN is active.  You should not be able to RDP to the public IP address.  You should test all scenarios after deployment.
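The firewall change above, as an added script that is not part of the original post. It checks first that the current RDP session arrived on the VPN-side private address (so the change cannot cut you off), confirms the Routing and Remote Access inbound rules are still enabled, then removes the Public profile from the Remote Desktop rules and reports any other enabled rule that still allows 3389 on the Public profile. It assumes the post's 192.168.0.20 secondary IP, an elevated prompt on the server, and that the RDP rules carry the standard "Remote Desktop ... User Mode" display names.

```powershell
# Added example (not from the original post): restrict the Remote Desktop inbound rules to
# the Domain and Private profiles, with safety checks against locking yourself out.
# Assumptions: secondary private IP 192.168.0.20 (from the VPN steps), elevated prompt,
# standard rule display names. Without -Apply the script only reports.

param(
    [string]$PrivateIp = '192.168.0.20',
    [switch]$Apply
)

# 1. Is there an established RDP session on the private (VPN) address? If not, this
#    session may be coming in over the public IP, which is about to be closed.
$vpnSession = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -eq $PrivateIp }
if (-not $vpnSession) {
    throw "No established RDP session on $PrivateIp. Connect through the VPN first, then re-run."
}
"RDP session(s) on ${PrivateIp} from: " + (($vpnSession | ForEach-Object RemoteAddress) -join ', ')

# 2. The VPN itself must stay reachable. PPTP needs PPTP-In and GRE-In; L2TP-In/SSTP-In if used.
$vpnRules = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound -ErrorAction SilentlyContinue
if (-not ($vpnRules | Where-Object { $_.Enabled -eq 'True' })) {
    throw 'No inbound Routing and Remote Access rule is enabled; the VPN would be unreachable after RDP is closed to Public.'
}
$vpnRules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# 3. The four "Remote Desktop ... User Mode" rules the post names.
$rdpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' }

foreach ($rule in $rdpRules) {
    # Profile is a flags value; 'Any' means all three profiles, which includes Public.
    $exposed = ($rule.Profile -eq 'Any') -or ($rule.Profile.ToString() -match 'Public')
    if (-not $exposed) {
        "$($rule.DisplayName): already limited to $($rule.Profile)"
    } elseif ($Apply) {
        Set-NetFirewallRule -Name $rule.Name -Profile Domain, Private
        "$($rule.DisplayName): Public removed (now Domain, Private)"
    } else {
        "$($rule.DisplayName): applies to $($rule.Profile); run with -Apply to drop Public"
    }
}

# 4. Any other enabled allow rule that still opens port 3389 on the Public profile.
$leftover = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -eq 'Any' -or $_.Profile.ToString() -match 'Public' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
if ($leftover) {
    Write-Warning ('Other rules still expose 3389 on Public: ' + (($leftover | ForEach-Object DisplayName) -join ', '))
}
```

Run it once without -Apply to see what would change, then with -Apply, and afterwards test an RDP attempt against the public IP from outside the VPN as the post recommends.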

Congratulations, now your PPTP VPN should be set up and working!

OPTIONAL STEPS TO SETUP/CONFIGURE L2TP:

The steps above will create a “Point-to-Point Tunneling Protocol” (PPTP) VPN connection and will open the Windows Server firewall for PPTP, L2TP and SSTP (or you manually enabled these rules), although L2TP and SSTP require additional configuration to work.  You can increase security by implementing L2TP or SSTP.  One example is L2TP with a “pre-shared key”, where you enter a pre-shared key in RRAS Properties on the Security tab (on the server) and then also enter the pre-shared key on the client PC VPN connection.  When you connect, the Windows VPN client on the PC will show whether it connected as PPTP or L2TP.  In the security options of the PC VPN client, you can select which protocol to use if more than PPTP has been set up on the server.  If you are using L2TP instead of PPTP, you can then turn off PPTP on the Windows Server and also disable the PPTP firewall rule (see below).

How to enable L2TP/IPsec VPN and disable PPTP protocol

Configure L2TP with preshared key:

  1. First make sure the Windows Firewall inbound rules on the server allow L2TP (if you only enabled the inbound firewall rules for PPTP and GRE earlier, you should also enable L2TP now).  Open the RRAS management console, right click on the server name, and go to Properties.  Go to the Security tab, enable the checkbox by “Allow custom IPsec policy for L2TP/IKEv2 connection” and create/enter a complex password in the “Preshared key” field.  (Screenshot: L2TP preshared key on server settings)
  2. The preshared key is the same for all users.
  3. Now disconnect your current PPTP session and reconnect using the L2TP/preshared key settings in your local connection client.  Go to your local VPN network adapter settings and adjust accordingly.  (Screenshot: L2TP preshared key on local PC VPN connection settings)
  4. Now log in to the server and disable PPTP by clicking on Ports, right click for Properties, highlight the PPTP row and uncheck the top two boxes to disable PPTP.  (Screenshot: Disable PPTP ports)
  5. Last, disable the Windows Firewall rules for PPTP and GRE if only using L2TP.
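The client side of both the local PC setup earlier and the L2TP switch above, as an added script that is not part of the original post: it creates the VPN connection on the local PC with L2TP plus pre-shared key and with "Use default gateway on remote network" unchecked (SplitTunneling), then reads the connection back and fails if either setting did not stick. It assumes a placeholder public IP for the server, the PSK entered in RRAS Security on the server, and a local server account allowed on its Dial-in tab; run it on the client PC.

```powershell
# Added example (not from the original post): create the client VPN connection with the two
# settings the post calls out, L2TP/PSK and split tunneling, and verify them.
# Assumptions: 203.0.113.10 is a placeholder for the server's public IP; the PSK matches
# the one in RRAS > Properties > Security; run on the local PC, not the server.

param(
    [string]$Name = 'Widgets Server VPN',
    [string]$ServerAddress = '203.0.113.10',   # placeholder public IP of the server
    [string]$PrivateServerIp = '192.168.0.20'  # private IP you RDP to once connected
)

# Prompt for the PSK instead of embedding it in the script (it is shared by every user).
$psk = Read-Host -Prompt 'L2TP pre-shared key'

# Recreate the connection so stale settings (e.g. TunnelType Automatic) do not linger.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

$params = @{
    Name                 = $Name
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'          # not Automatic: Automatic may fall back to PPTP
    L2tpPsk              = $psk
    AuthenticationMethod = 'MSChapv2'      # username/password, as in the post's Windows Authentication setup
    EncryptionLevel      = 'Required'
    SplitTunneling       = $true           # = "Use default gateway on remote network" unchecked
    RememberCredential   = $false
    Force                = $true
}
Add-VpnConnection @params

# Verify what was actually stored.
$vpn = Get-VpnConnection -Name $Name
$problems = @()
if ($vpn.TunnelType -ne 'L2tp') { $problems += "TunnelType is $($vpn.TunnelType), expected L2tp" }
if (-not $vpn.SplitTunneling) { $problems += 'SplitTunneling is off; all traffic would go through the server' }
if (($vpn.AuthenticationMethod -join ',') -notmatch 'MsChapv2') { $problems += "AuthenticationMethod is $($vpn.AuthenticationMethod)" }
if ($problems) { throw ($problems -join '; ') }

"VPN '$Name' -> $ServerAddress (L2TP/PSK, split tunnel). After connecting, RDP to $PrivateServerIp."
```

Connect with rasdial or the Windows VPN UI as before; if the server has already had PPTP disabled, an L2TP-only client like this one is the only kind that will still get in.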

Office 365 plans changing names to Microsoft 365 plans

In April 2020, some Office 365 Plans will be re-branded as Microsoft 365 Plans. The plan features are not changing (yet) but the plan names are. Here is a list of new plan names:

Office 365 ProPlus will be Microsoft 365 Apps for Enterprise (see https://docs.microsoft.com/en-us/deployoffice/name-change)

Office 365 Business will be Microsoft 365 Apps for Business
Office 365 Business Essentials will be Microsoft 365 Business Basic
Office 365 Business Premium will be Microsoft 365 Business Standard
Microsoft 365 Business will be Microsoft 365 Business Premium

Office 365 E1, E3, E5 will not be changing names

IMPORTANT: Only Office 365 ProPlus stand-alone plan (or plans that include ProPlus such as Office 365 E3 & E5) come with shared computer activation. Office 365 Business does NOT include ProPlus/shared computer activation. Shared computer activation is required to install Office on Remote Desktop Services (RDS).

Riptide Hosting can provide Office licensing (Office Standard, Office Professional, or individual components like Excel, Word, MS Access) on a monthly, per-user basis through our MS SPLA agreement.  We can provide Office licensing on any of our hosted offerings (VMs or Dedicated servers).  Clients cannot use their own Office 365 licensing on our Virtual Servers.  Clients could use their own Office 365 licensing on one of our Dedicated Hardware Servers if they have the appropriate Office 365 ProPlus plan.

Riptide Hosting Virtual Servers – all Microsoft licensing for Windows Server, Office, RDS and SQL Server are licensed through Riptide on a monthly basis. You cannot use your own licensing on our Virtual Servers.

Riptide Hosting Dedicated Servers – either Riptide Hosting can provide the Microsoft licensing on a monthly basis through our MS SPLA, or you could use your own MS licensing on the dedicated server, but only certain plans will work on an RDS/terminal server: Office 365 ProPlus Standalone or Office 365 Enterprise E3 or E5.  Office 365 Business plans do not include ProPlus and will not work on a Windows RDS server.

Another option to consider is if your users don’t need a local install of Office on the server (to do things like export reports from an application to Excel), then users might be able to just use the web based versions of Excel/Word by logging into their Microsoft account with OneDrive (or Google Docs, etc). Heavy users of Office will likely want it installed on the server but the web based versions might work fine for occasional use.

Comparison of Riptide Hosting’s Windows VMs and Dedicated Hardware Servers

Windows Server Virtual Servers VMs:

  • Lower cost entry point when you have fewer users and fewer resource needs
  • Very flexible because cpu/ram/disk space can be added in minutes – so start smaller/less expensive and expand as needed
  • Able to bundle Riptide’s Microsoft Licensing via SPLA on both VMs or Dedicated for Windows, RDS, Office & SQL
  • Limitation on our VMs: Cannot use your own MS licensing, free SQL Express is ok.  Can only use Office & SQL Standard licensing through Riptide.
  • Full image backup included where we can restore a full VM in minutes
  • Includes 1 Public/Static IP address
  • Cannot use your own hardware firewall/vpn device (which you can colocate with a dedicated server)
  • Generally limited to 300 GB disk space, which is plenty for most but not all clients

Windows Dedicated Hardware Servers:

  • Great for handling much higher levels of users, cpu, ram and disk space
  • Comes with much higher amounts of CPU, disk space and RAM
  • Includes 3 Public/Static IP addresses
  • Dedicated server is the only option to use your own Microsoft licensing for SQL Server Standard or Office due to Microsoft Licensing Terms
  • Not as flexible because we have to swap out hardware pieces to increase ram, cpu, disk space
  • More expensive entry-point
  • Able to use Riptide’s Microsoft Licensing via SPLA on both VMs or Dedicated for Windows, RDS, Office & SQL
  • If applicable, having a dedicated server is the only option for a client to co-locate a hardware firewall/VPN device in front of the server
  • We have an optional full image backup offering (starting at $150/mo) (which is more expensive than on VMs)
  • Dell iDRAC Enterprise offering out-of-band console access (uses one of the three IP addresses)

Avoiding Downtime – How Riptide Hosting helps keep your business server & applications running.

Power Failures – Our datacenters have redundant commercial power feeds, UPS systems and diesel generators. Compare this to a single power feed that is typical in an office building.

Network / Internet / ISP Failures – Riptide Hosting uses premium bandwidth with multiple network providers blended together for maximum uptime.  Compare this to a single telecom provider that is typical in an office building.

Hard Drive Failures – Our servers are deployed with hard drives in mirrored array(s) – RAID1 or more, so a single drive failure does not cause data loss.

Riptide Hosting offers several types of hosting from Windows Server VMs to fully Dedicated Hardware Servers. We offer a 100% SLA for power and network availability. Our enterprise datacenters are staffed 24/7. We offer backup offerings and MS Licensing through the MS SPLA program.

Our VMs are scalable, so it is easy to increase server resources such as RAM, CPU and disk space.  And the MS SPLA program allows us to offer Microsoft licensing on a monthly basis without you having to commit to long-term licensing or large up-front capital investments for licensing.

Focus on your business and relieve yourself of worries about server hardware, network connectivity issues and MS licensing complexities. Our datacenters are designed with infrastructure to keep your business applications and servers running with redundant power and network bandwidth.

Methods to Secure Windows Remote Desktop RDP

How To Secure Windows Remote Desktop

In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol.  See the announcement here, which includes some suggestions (with additional considerations below): https://www.ic3.gov/media/2018/180927.aspx

Considerations For Securing your Windows Server / RDP Terminal Server

Here is a list of various actions to consider to help secure your remote server environment:

After applying any of the actions above, make sure to test whether they are working properly.  You can open multiple RDP sessions using different user names initiated from one PC which can be useful for testing.

The information provided in this document/post is intended to provide general information only and is not a complete listing of available considerations.  The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose.  You should be discussing all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants.  Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff/consultants. 

RD Session Host Security settings in Windows Server 2016

RD Session Host Security settings in Windows Server 2016 (SSL, High encryption, etc.)

Gpedit.msc, Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security; see the various options:

  • “Require use of specific security layer for remote (RDP) connections” – changing the Security Layer to SSL is the recommendation listed in Windows Server 2016
  • “Client Connection Encryption Level to High” – enabled/Yes
  • “Require Secure RPC communication” – enabled/Yes
  • “Require user authentication for remote connections by using NLA” – enabled/Yes
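An added audit script, not from the original post, for the four settings listed above: it checks the local policy registry values that gpedit.msc writes for this Security folder (SecurityLayer, MinEncryptionLevel, fEncryptRPCTraffic and UserAuthentication under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services), sets them with -Apply, and cross-checks what the RDP-Tcp listener itself reports. It assumes local policy only (no domain GPO overriding these) and an elevated prompt on the server.

```powershell
# Added example (not from the original post): audit and optionally apply the four
# RD Session Host security settings through their local policy registry values.
# Assumptions: workgroup server (local policy, no domain GPO), RDP-Tcp listener, elevated prompt.

param([switch]$Apply)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name, required DWORD value, and the gpedit setting it corresponds to.
$wanted = @(
    @{ Name = 'SecurityLayer';      Value = 2; Setting = 'Require use of specific security layer = SSL' }
    @{ Name = 'MinEncryptionLevel'; Value = 3; Setting = 'Set client connection encryption level = High' }
    @{ Name = 'fEncryptRPCTraffic'; Value = 1; Setting = 'Require secure RPC communication = Enabled' }
    @{ Name = 'UserAuthentication'; Value = 1; Setting = 'Require user authentication (NLA) = Enabled' }
)

if ($Apply -and -not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

foreach ($w in $wanted) {
    $current = (Get-ItemProperty -Path $policyKey -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    $shown = if ($null -eq $current) { 'not configured' } else { $current }
    if ($current -eq $w.Value) {
        "OK       $($w.Setting)"
    } elseif ($Apply) {
        Set-ItemProperty -Path $policyKey -Name $w.Name -Value $w.Value -Type DWord
        "SET      $($w.Setting) (was $shown)"
    } else {
        "MISSING  $($w.Setting) (policy value is $shown); run with -Apply"
    }
}

# Cross-check what the listener reports, independent of the policy registry.
# SecurityLayer 2 = SSL/TLS, MinEncryptionLevel 3 = High, UserAuthenticationRequired 1 = NLA on.
$ts = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace 'root\cimv2\terminalservices' -Filter "TerminalName='RDP-tcp'"
"Listener RDP-Tcp: SecurityLayer=$($ts.SecurityLayer) MinEncryptionLevel=$($ts.MinEncryptionLevel) NLA=$($ts.UserAuthenticationRequired)"
```

New connections pick the policy values up after a `gpupdate /force`; an existing session keeps whatever was negotiated when it connected.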

RD Gateway Role in RDS

Update: see more detailed post on how to install the RD Gateway Role on Windows Server 2019/2016 here:  http://www.riptidehosting.com/blog/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019/


Using the Remote Desktop Gateway role (RDGW) provides additional security by forcing RDP traffic over HTTPS/port 443 (requires an SSL certificate) instead of port 3389.

General steps to install the RDGW role on Windows Server 2016: (we have a more detailed post on this too)

  • Install the RDGW role, which will also install IIS.
  • In RD Gateway Manager, create CAP and RAP policies for who can log in to the gateway and what resources they can access.
  • For initial testing/deployment, you can create a self-signed certificate and change the certificate name to the IP address in the name field.  Using a self-signed certificate will require you to install the certificate on each client device.  Using an SSL cert issued by a certificate authority is preferred (and can only be issued in the domain name, not the IP address).
  • Confirm that all items in the RD Gateway Manager have green checkmarks.
  • From the RD Connection Client on your local PC, go to More options, Advanced tab, and enter the gateway settings before connecting.
  • Turn off port 3389 to the outside on the Windows Firewall on the server to force traffic to use port 443.
  • Test the deployment.

Windows Server Lockout Policies

Lockout Policies (based on username attempts, not IP addresses):

To lock out an account for a period of time after a number of incorrect login attempts (to create a delay with recurring failed logins), you can set up Account Lockout Policies in Windows.  It does NOT apply to the Administrator account (so you may want to disable the Administrator account and create a different account with administrator rights; see the previous suggestion).  Lockout policies can be useful to prevent brute-force password guessing attacks, but can cause your accounts to be locked out without you being able to access the server (so plan accordingly).

Local Security Policy (secpol.msc) -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options, OR

Gpedit.msc -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options

To unlock an account (if a legitimate user is locked out), log in under an active account with administrator rights, go to the locked out user’s properties, and uncheck the box by “Account is locked out”.

You can see the detailed status of a user account by opening a command prompt and typing “net user [username]”.
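An added script, not from the original post, that ties the points above together on a workgroup server: it reads the current lockout policy from "net accounts" (the same three values secpol.msc shows), sets one with -Apply, confirms the built-in Administrator (which the policy never locks) is disabled by looking for its -500 RID rather than its name, shows the "net user" status lines for one account, and lists recent lockouts from the Security log (event 4740). The account name and the policy numbers are placeholders.

```powershell
# Added example (not from the original post): lockout policy check and lockout visibility
# for local accounts. Assumptions: workgroup server, elevated prompt, placeholder values below.

param(
    [string]$UserName = 'widgetsuser',   # placeholder local account to inspect
    [int]$Threshold = 5,                 # failed attempts before lockout
    [int]$DurationMin = 30,              # minutes the account stays locked
    [int]$WindowMin = 30,                # minutes before the failed-attempt counter resets
    [switch]$Apply
)

# 1. Current policy as reported by "net accounts" ("Lockout threshold: Never" means no policy).
$thresholdLine = [string]((net accounts) -match '^Lockout threshold:')
$currentThreshold = if ($thresholdLine -match ':\s+(\d+)\s*$') { [int]$Matches[1] } else { 0 }
if ($currentThreshold -gt 0) {
    "Lockout policy already active: $currentThreshold failed attempts"
} elseif ($Apply) {
    # Threshold, duration and observation window are the three values in Account Lockout Policy.
    net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$DurationMin" "/lockoutwindow:$WindowMin" | Out-Null
    "Lockout policy set: $Threshold attempts, $DurationMin min lockout, $WindowMin min window"
} else {
    'Lockout threshold is Never (no lockout policy); run with -Apply to set one'
}

# 2. The built-in Administrator has RID 500 whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is enabled; the lockout policy does not protect it"
} else {
    "Built-in Administrator '$($builtin.Name)' is disabled"
}

# 3. Status of one account as "net user" reports it; the "Account active" line shows a lockout.
$user = net user $UserName 2>$null
if ($LASTEXITCODE -eq 0) {
    $user | Where-Object { $_ -match '^(Account active|Account expires|Last logon)' }
} else {
    Write-Warning "Account '$UserName' not found"
}

# 4. Lockouts recorded in the Security log (event 4740) over the last 7 days.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } | Format-Table -AutoSize
} else {
    'No account lockouts (event 4740) in the last 7 days'
}
```

A steady stream of 4740 events for accounts nobody is using is the password-guessing traffic the FBI announcement above describes, and a good reason to move RDP behind the gateway or VPN.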