Purchasing and Installing a Trusted SSL Certificate to use for RDGW & RDSH

Below are general steps to purchase/install a Trusted SSL Certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) that are installed on the same/single server in workgroup mode.  We created this based on using a Trusted SSL Cert from GoDadddy.  Our clients can ask for a more detailed tutorial of this process too.

1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.

2. You need to have the subdomain/url/domain name that you will purchase the ssl cert for to forward to the IP address of the server.  In this example, we want “RDP.widgets.com” to point to IP address of the server xxx.xxx.xxx.xxx. You already own the domain name for widgets.com (which can be any domain name you own through a registrar like GoDaddy).

Go to the parent domain name in GoDaddy, click on Manage DNS, go to zone file section and click “add record”.  Add “A (Host)” record type and add “RDP” (or whatever you are using in front of the domain name) which will make it be “RDP.widgets.com” and the IP address of the remote server.  Click ok/save and after a few minutes you will be able to ping the full name/url and it should return the IP address of the remote server.

We have tried to use Let’s Encrypt (free certs expiring every 60 days) but found it difficult to use with Windows IIS at the time.

3. Create Certificate Request on the remote Windows Server using IIS Manger

Open IIS Manager on remote Windows Server, in the left side pane under connections, click on your server name.  In the middle window, double-click “server certificates” icon which will open the server certificates screen showing your currently used self-signed cert.  In the far right screen under actions, click “create certificate request”.

Fill out the appropriate fields including, Common name (use the exact name of the url you are requesting for the ssl cert – i.e. “RDP.widgets.com”), Organization and Organization unit could be your legal name, State should be spelled out and not abbreviated, and County can be US.  We recommend changing the bit length to 2048 for crypto.  Create filename for CSR (CSR=certificate signing request) which will be saved in c:\windows\system32 unless you specify full path in the file name request.

4. Purchase SSL Cert at GoDaddy by inputting CSR info

Go back into your GoDaddy account. Purchase a SSL cert (we did DV type in this example) at GoDaddy ($79.99/yr although may be able to find discount code for year 1).  After purchase go back into GoDaddy account to SSL cert and press “setup”. 

Click on New Certificate, then choose “Input a CSR” (you will use the CSR you generated on the remote server via IIS Manager).  Do not select “Domain hosted with GoDaddy”.  Type in domain/url field for what you want the SSL cert to issued for, for example “RDP.widgets.com”. 

Copy in the CSR text from the file you created on the remote server, using the entire text including “—-BEG…—- and —-END…—-” characters.  Select the default GoDaddy SSL algorithm.

You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready/certificate issued.

5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager

Click download, choose IIS (Windows) and it will download the .zip file with certificate.  Copy this .zip file to the remote server and extract it.

Go back into remote Windows Server, IIS manager, the server certificates icon/section and click on “complete certificate request” under actions.

Attach the security cert from the godaddy zip file and create friendly name (the friendly name is just to identify the certificate).  You can put it in the personal store.  For our example, we were able to skip doing anything with the intermediate cert and only had to attach the actual security cert.  In order to attach the security cert, we had to change the file type selection dropdown to show all files. Press OK and exist IIS manager.  Make sure you keep track of the ssl cert expiration date so you renew/reinstall prior to that date otherwise you will be locked out of the remote server.

6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert

Open Remote Desktop Gateway Manager, then properties and the SSL Cert tab.  Click on existing cert from personal store and select your new SSL cert.  Press Import, which will restart Gateway services and your current connection will be disconnected.  You will then have to connect with the new url/ssl cert name in your local RDP connection client. 

Go back to your local RDP connection client (shortcut on desktop if you created that previously) and change IP address in computer name field (general tab) and gateway name (advanced tab) from IP address to the url/ssl cert/fqdn you created – for example, “RDP.widgets.com”

7. Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)

If you see the warning that certificate name doesn’t match and isn’t from a trusted CA, then it is because the new GoDaddy cert isn’t being used for the RDSH (it is being used for RDGW but not RDSH even though they are both on the same server) and the self signed cert is still being used for the RDSH.  This seems to almost always happen in our experience.    (Note: this warning is different than then the “unknown publisher” warning you may see because you are using a custom rdp connection file shortcut…for the “unknown publisher” warning you can click “don’t ask me again…” if you don’t want to see that message again.)

To fix this, use powershell (run as admin) below to change the certificate used for RDSH (NOT GW) to the GoDaddy SSL cert you purchased.  Type each line separately below exactly as shown except the thumbprint info in row 3 will need to be added after the row 1 info has generated (after the first line/row is entered, you will see the thumbprint for the new ssl cert which you will need to enter for line 3 between the “”). 

Get-ChildItem “Cert:\LocalMachine\My”

$PATH = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices)

Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash=”ENTER-THUMBPRINT-HERE“}

Next try to connect again and you should not see the Certificate error message anymore.

Lastly, some clients have noted that they had to enter username as SERVERNAME\username when connecting via rdp connection client, so if you are still having issues, try that method in the rdp file too.

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.

Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019

In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server.  This server is in workgroup mode and not joined to a domain.  Steps below are used to install the RDGW role on a single server (installing RDGW also installs IIS) so all three roles (RDSH, RDlic, RDGW) are installed on the same server. If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway Role (other than if you purchase a trusted SSL certificate).

  1. Go to Server manager, add roles & features, role-based or feature-based installation, select existing server, in Server roles expand Remote Desktop Services and select Remote Desktop Gateway, click through everything else as defaults. It will take about 5 minutes to install. Although it won’t force a reboot, it is typically a good idea to reboot the server after this step.Installing RD Gateway

2. Next go to Server Manager, Remote Desktop Services, Servers, click on server name and right click into properties and to “RD Gateway Manager”.  (note: in RDS, Overview, you will see a message about needing to be logged in as domain user to manage servers and collections – to have this functionality you need to be connected to a domain instead of in workgroup mode, we are proceeding with workgroup mode only below).RD Gateway Manager

3. In RD Gateway Manager, expand tree and go to policies.  Create a “Connection Authorization Policy” (CAP) for which users can login to the gateway and a “Resource Authorization Policy” (RAP) for what resources can be accessed.  For example, we created policies called CAP1 and RAP1 and used defaults for most everything.  For CAP1, you probably want to add Remote Desktop Users and Administrators to “user group membership”.  For RAP1, under Network Resource, you should change selection to “allow users to connect to any resource” since this is a single server setup.  You can modify these policies later to be more specific and restrictive. RDGW CAP

4. For SSL cert (go back to RD Gateway Manager, Properties), create a self-signed cert by going to properties, SSL tab, create self-signed cert, click on “create and import certificate”, change certificate name to the IP address “xxx.xx.xxx.xx” of the server in the certificate name field.  Copy the self-signed cert to your local PC because you will need it in order to login through the gateway (all users will need it).  If you use a trusted SSL cert from CA then you won’t need to install self-signed cert on each local PC/client like you will with a self signed certificate.  Take note of the self-signed certificate expiration date which should be in 6 months – if you decide to continue to use a self-signed certificate, you will need to generate a new cert before the expiration date.

Note: using a self-signed certificate will require you to install the certificate on each client device.  It is recommended to use a trusted cert (instead of self-signed cert) where you would need to purchase the SSL cert from a company like GoDaddy and it will be in the name of a URL/domain instead of IP address.RDGW properties SSL tab

5. At this point, all items in RD Gateway Manager status should be showing as green / green check marks.RDGW status

6. Go to Services and change the Remote Desktop Gateway Service (service name is TSGateway) to be startup type “automatic” instead of “automatic (delayed)” and make sure it is started/running.  This will allow gateway service to start quicker upon a server reboot otherwise you may get a message that the gateway service is unavailable when trying to log in until you wait several minutes for the service to start.Change RDGW service to automatic

Connecting to RDGW from your local PC

  1. 7Open the Remote Desktop Connection client on your local PC and expand all field by clicking show options.
  2. On the general tab, make sure computer name field is the IP address of the server.  You will be entering the IP address on both the General tab and the Advanced tab using the same IP address since the RDSH server and the RDGW server are the same server in this example.
  3. Before connecting, going to the Advanced tab
  4. Click on Settings box under Connect from Anywhere
  5. Select “use these gateway settings”
  6. Enter IP address of the server for Server Name
  7. Uncheck the box to “Bypass RD gateway server for local addresses”
  8. Check the box to use same credentials for RD gateway server and remote computer since same server in this exampleLocal Connection Client Gateway settings
  9. Press OK, go back to local resources tab and select what local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the more button – redirecting local drives uses bandwidth/resources so only do it when needed)
  10. Go to general tab, decide if you want credentials to be allowed to be saved, and save the customized rdp file as a shortcut on your desktop by clicking “save as” and give it a useful name.
  11. When you connect, you may first get a warning message that says “The publisher of this remote connection can’t be identified. Do you want to connect anyway? OR “the identity of the remote computer cannot be verified. Do you want to connect anyway?” You can click the box to “don’t ask me again for connections to this computer” if you don’t want to see this message every time, and continue.  This message typically happens because you are using a rdp shortcut on your local desktop that you customized or because you are using a self-signed certificate.
  12. Connect and you will get a message to enter your credentials which will be used for both RDSH and RDGW, select whether to remember credentials or not.
  13. If you try to connect and you get a message “This computer can’t verify the identity of the RD Gateway XXXXX….” and it won’t connect, it is because you are using a self-signed certificate and haven’t put a copy of the certificate in your trusted root certificate authorities on your local PC.  So go back on the server and copy the cert from the users\username\documents\certname.cer folder of server to you local PC/desktop, then double click it on your local PC, select “install certificate” and select “Local Machine” store location and select this specific location “Trusted Root Certificate Authorities” (don’t do automatic location).  THIS WILL HAVE TO BE DONE ON ALL LOCAL PCs TO CONNECT WHEN USING SELF-SIGNED CERTS.
  14. If you are have trouble logging in, try typing username as servername\username so WIN-XXXXXX\Administrator or ServerX\Dan etc.

Turn off port 3389 to internet to force traffic to use port 443/RDGW

  1. Next, turn off the four inbound Windows firewall rules for Remote Desktop for port 3389 FOR PUBLIC PROFILE (Remote Desktop – User Mode (TCP-In) and (UDP-In) and Remote Desktop Services – User Mode (TCP-In) and (UDP-In).  Click into the firewall rule, go to the advanced tab, and uncheck the “Public” box so the rule doesn’t apply to the public profile.RDGW firewall rules
  2. RDP Traffic then should go over port 443 from the outside to the server and then 3389 internal to the server.  You can test this by trying to login via RDP without Gateway settings.
  3. You can modify/disable other Remote Desktop inbound firewall rules if needed too.

Additional Notes:

See different post on how to purchase and install a SSL certificate from a trusted CA. http://www.riptidehosting.com/blog/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh/

RD Gateway Role in RDS

Update: see more detailed post on how to install the RD Gateway Role on Windows Server 2019/2016 here:  http://www.riptidehosting.com/blog/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019/

RD Gateway Role in RDS

Using the Remote Desktop Gateway Role (RDGW) provides additional security by forcing RDP traffic over https/port 443 (requires SSL certificate) instead of port 3389.

General steps to install the RDGW role on Windows Server 2016: (we have a more detailed post on this too)

  • Install RDGW role which will also install IIS
  • In RD Gateway Manager, create CAP and RAP policies for who can login to the gateway and what resources they can access.
  • For initial testing/deployment, you can create a self-signed certification and change the certificate name to IP address in the name field. Using a self-signed certificate will require you to install the certificate on each client device. Using a SSL cert issued by a certificate authority is preferred and can only be issued in the domain name, not IP address).
  • Confirm that all items in the RD Gateway Manager have green checkmarks.
  • From the RD Connection Client on your local PC, go to more options, advanced tab, enter gateway settings before connecting.
  • Turn off port 3389 to the outside on the Windows Firewall on the server to force traffic to use port 443.

Test deployment