{"id":1757,"date":"2020-04-23T19:01:45","date_gmt":"2020-04-24T01:01:45","guid":{"rendered":"http:\/\/www.RiptideHosting.com\/blog\/?p=1757"},"modified":"2020-04-25T09:12:20","modified_gmt":"2020-04-25T15:12:20","slug":"installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019","status":"publish","type":"post","link":"https:\/\/www.RiptideHosting.com\/blog\/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019\/","title":{"rendered":"Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019"},"content":{"rendered":"\n<p><strong>Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.<\/strong><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><u>Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019<\/u><\/strong><\/p>\n\n\n\n<p>In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server. \u00a0This server is in workgroup mode and not joined to a domain.\u00a0 Steps below are used to install the RDGW role on a single server (installing RDGW also installs IIS) so all three roles (RDSH, RDlic, RDGW) are installed on the same server.  If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway Role (other than if you purchase a trusted SSL certificate).<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Go to Server manager, add roles &amp; features, role-based or feature-based installation, select existing server, in Server roles expand Remote Desktop Services and select Remote Desktop Gateway, click through everything else as defaults. It will take about 5 minutes to install. 
Although it won\u2019t force a reboot, it is typically a good idea to reboot the server after this step.<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"523\" class=\"wp-image-1758\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Installing-RD-Gateway.png\" alt=\"Installing RD Gateway\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Installing-RD-Gateway.png 791w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Installing-RD-Gateway-300x224.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Installing-RD-Gateway-768x574.png 768w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Installing-RD-Gateway-624x466.png 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/li><\/ol>\n\n\n\n<p>2.  Next go to Server Manager, Remote Desktop Services, Servers, click on server name and right click into properties and to \u201cRD Gateway Manager\u201d.&nbsp; (note: in RDS, Overview, you will see a message about needing to be logged in as domain user to manage servers and collections \u2013 to have this functionality you need to be connected to a domain instead of in workgroup mode, we are proceeding with workgroup mode only below).<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"567\" class=\"wp-image-1759\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RD-Gateway-Manager.png\" alt=\"RD Gateway Manager\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RD-Gateway-Manager.png 724w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RD-Gateway-Manager-300x243.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RD-Gateway-Manager-624x505.png 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n\n\n\n<p>3.  
In RD Gateway Manager, expand the tree and go to Policies.&nbsp; Create a \u201cConnection Authorization Policy\u201d (CAP) for which users can log in to the gateway and a \u201cResource Authorization Policy\u201d (RAP) for what resources can be accessed.&nbsp; For example, we created policies called CAP1 and RAP1 and used defaults for almost everything.&nbsp; For CAP1, you probably want to add Remote Desktop Users and Administrators to \u201cuser group membership\u201d.&nbsp; For RAP1, under Network Resource, you should change selection to \u201callow users to connect to any resource\u201d since this is a single server setup.&nbsp; You can modify these policies later to be more specific and restrictive. <img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"476\" class=\"wp-image-1761\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-CAP.png\" alt=\"RDGW CAP\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-CAP.png 593w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-CAP-300x204.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n\n\n\n<p>4.  For SSL cert (go back to RD Gateway Manager, Properties), create a self-signed cert by going to properties, SSL tab, create self-signed cert, click on \u201ccreate and import certificate\u201d, change certificate name to the IP address \u201cxxx.xx.xxx.xx\u201d of the server in the certificate name field. 
&nbsp;Copy the self-signed cert to your local PC because you will need it in order to login through the gateway (all users will need it).&nbsp; If you use a trusted SSL cert from CA then you won\u2019t need to install self-signed cert on each local PC\/client like you will with a self signed certificate.&nbsp; Take note of the self-signed certificate expiration date which should be in 6 months \u2013 if you decide to continue to use a self-signed certificate, you will need to generate a new cert before the expiration date.<\/p>\n\n\n\n<p>Note: using a self-signed certificate will require you to install the certificate on each client device. &nbsp;It is recommended to use a trusted cert (instead of self-signed cert) where you would need to purchase the SSL cert from a company like GoDaddy and it will be in the name of a URL\/domain instead of IP address.<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"607\" class=\"wp-image-1762\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-properties-SSL-tab.png\" alt=\"RDGW properties SSL tab\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-properties-SSL-tab.png 522w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-properties-SSL-tab-300x260.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n\n\n\n<p>5.  
At this point, all items in RD Gateway Manager status should be showing as green \/ green check marks.<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"171\" class=\"wp-image-1763\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status.png\" alt=\"RDGW status\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status.png 1035w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status-300x73.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status-1024x250.png 1024w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status-768x188.png 768w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-status-624x153.png 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n\n\n\n<p>6.  Go to Services and change the Remote Desktop Gateway Service (service name is TSGateway) to be startup type \u201cautomatic\u201d instead of \u201cautomatic (delayed)\u201d and make sure it is started\/running.&nbsp; This will allow gateway service to start quicker upon a server reboot otherwise you may get a message that the gateway service is unavailable when trying to log in until you wait several minutes for the service to start.<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"765\" class=\"wp-image-1764\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Change-RDGW-service-to-automatic.png\" alt=\"Change RDGW service to automatic\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Change-RDGW-service-to-automatic.png 452w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Change-RDGW-service-to-automatic-274x300.png 274w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><u>Connecting to RDGW from your local 
PC<\/u><\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>Open the Remote Desktop Connection client on your local PC and expand all fields by clicking show options.<\/li><li>On the general tab, make sure computer name field is the IP address of the server.&nbsp; You will be entering the IP address on both the General tab and the Advanced tab using the same IP address since the RDSH server and the RDGW server are the same server in this example.<\/li><li>Before connecting, go to the Advanced tab<\/li><li>Click on Settings box under Connect from Anywhere<\/li><li>Select \u201cuse these gateway settings\u201d<\/li><li>Enter IP address of the server for Server Name<\/li><li>Uncheck the box to \u201cBypass RD gateway server for local addresses\u201d<\/li><li>Check the box to use same credentials for RD gateway server and remote computer since same server in this example<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"425\" class=\"wp-image-1765\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Local-Connection-Client-Gateway-settings.png\" alt=\"Local Connection Client Gateway settings\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Local-Connection-Client-Gateway-settings.png 948w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Local-Connection-Client-Gateway-settings-300x182.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Local-Connection-Client-Gateway-settings-768x467.png 768w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/Local-Connection-Client-Gateway-settings-624x379.png 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/li><li>Press OK, go back to local resources tab and select what local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the more button \u2013 redirecting local drives uses 
bandwidth\/resources so only do it when needed)<\/li><li>Go to general tab, decide if you want credentials to be allowed to be saved, and save the customized rdp file as a shortcut on your desktop by clicking \u201csave as\u201d and give it a useful name.<\/li><li>When you connect, you may first get a warning message that says \u201c<strong>The publisher of this remote connection can\u2019t be identified. Do you want to connect anyway?\u201d OR \u201cThe identity of the remote computer cannot be verified. Do you want to connect anyway?\u201d<\/strong> You can click the box to \u201cdon\u2019t ask me again for connections to this computer\u201d if you don\u2019t want to see this message every time, and continue.&nbsp; This message typically happens because you are using an rdp shortcut on your local desktop that you customized or because you are using a self-signed certificate.<\/li><li>Connect and you will get a message to enter your credentials which will be used for both RDSH and RDGW, select whether to remember credentials or not.<\/li><li>If you try to connect and you get a message \u201c<strong>This computer can\u2019t verify the identity of the RD Gateway XXXXX\u2026.<\/strong>\u201d and it won\u2019t connect, it is because you are using a self-signed certificate and haven\u2019t put a copy of the certificate in your trusted root certificate authorities on your local PC.&nbsp; So go back on the server and copy the cert from the users\\username\\documents\\certname.cer folder of server to your local PC\/desktop, then double click it on your local PC, select \u201cinstall certificate\u201d and select \u201cLocal Machine\u201d store location and select this specific location \u201cTrusted Root Certificate Authorities\u201d (don\u2019t do automatic location).&nbsp; THIS WILL HAVE TO BE DONE ON ALL LOCAL PCs TO CONNECT WHEN USING SELF-SIGNED CERTS.<\/li><li>If you are having trouble logging in, try typing username as servername\\username so WIN-XXXXXX\\Administrator or 
ServerX\\Dan etc.<\/li><\/ol>\n\n\n\n<p><strong><u>Turn off port 3389 to internet to force traffic to use port 443\/RDGW<\/u><\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>Next, turn off the four inbound Windows firewall rules for Remote Desktop for port 3389 FOR PUBLIC PROFILE (Remote Desktop \u2013 User Mode (TCP-In) and (UDP-In) and Remote Desktop Services \u2013 User Mode (TCP-In) and (UDP-In).&nbsp; Click into the firewall rule, go to the advanced tab, and uncheck the \u201cPublic\u201d box so the rule doesn\u2019t apply to the public profile.<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"59\" class=\"wp-image-1766\" style=\"width: 700px;\" src=\"http:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-firewall-rules.png\" alt=\"RDGW firewall rules\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-firewall-rules.png 989w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-firewall-rules-300x25.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-firewall-rules-768x64.png 768w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2020\/04\/RDGW-firewall-rules-624x52.png 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/li><li>RDP Traffic then should go over port 443 from the outside to the server and then 3389 internal to the server.&nbsp; You can test this by trying to login via RDP without Gateway settings.<\/li><li>You can modify\/disable other Remote Desktop inbound firewall rules if needed too.<\/li><\/ol>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><u>Additional Notes:<\/u><\/strong><\/p>\n\n\n\n<p>See different post on how to purchase and install a SSL certificate from a trusted CA.  
<a href=\"http:\/\/www.riptidehosting.com\/blog\/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh\/\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.riptidehosting.com\/blog\/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh\/<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389. Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019 In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server. \u00a0This server [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,15,99],"tags":[52],"class_list":["post-1757","post","type-post","status-publish","format-standard","hentry","category-all-posts","category-windows-server-2016","category-windows-server-2019","tag-remote-desktop"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1757"}],"version-history":[{"count":3,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1757\/revisions"}],"predecessor-version":[{"id":1776,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1757\/revisions\/1776"}],"wp:attachment":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/w
p\/v2\/media?parent=1757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}