Hello World,

In this post, we continue our journey through the new RDS (Remote Desktop services) solution provided by Microsoft. You might be interested in reading the previous posts in order to have the necessary background information about our RDS deployment scenario.  Follow these links for previous posts

• RDS – Remote Desktop Services Overview – PART I
• RDS – Remote Desktop Services Roles – Part II
• RDS – Quick Install Remote Desktop Service – Part III
• RDS – New RDMS Management Console – Part IV
• RDS – Accessing your RemoteApp – Part V
• RDS – More configuration for RemoteApp Access – Part VI
• Configuring Windows Integrated Authentication (WIA) – PART VII
• RDS – Publishing RemoteApp – Part VIII

In this post, we will have a look at the Remote Desktop Gateway role.

When to use the RD Gateway Server ?

You might want to provide access to your RemoteApp infrastructure to external users.  The Remote Desktop Gateway server has been designed for this purpose. You can have Internet users connecting to your corporate Remote Desktop Services Infrastructure in a secure way.  The remote Desktop Gateway will basically encapsulate the RPC Traffic into an HTTPS tunnel (RPC over HTTPs) in order to create a secure encrypted connection. The Remote Desktop Gateway will act as a proxy between the external user and the Remote Desktop infrastructure.

The RD Gateway role is usually deployed when there is a need to have internet users accessing corporate resources in a secure manner.  There is another situation where you might want to consider RD Gateway.  In some projects, we have deployed the RD Gateway and this RD Gateway was used by Internal users. Why would you install such server role when you are using it internally ?  Because of firewall !  In these projects, we were working in a large distributed infrastructure where each site was protected by firewalls.

Because it’s not easy to get the firewall port opened for the port 3389 (the one used by RDP Protocol), as a workaround; we have installed RD Gateway servers.  Because the RD Gateway is using port 443 (HTPS), this was not a problem anymore for the firewall guys; the port was already open.    Users located in remote locations were able to connect to the centralized RDS infrastructure through https protocol only.

Installing the RD Gateway Server

Now that you understand what and how to use the RD Gateway, it’s time to install it.  The installation will require to use SSL certificates.  To add a RD Gateway server to our existing infrastructure; we have performed the following tasks :

Step 1 – Open the Server Manager, Locate the Remote Desktop service node. Click on it.   In the overview page, go to the pane deployment overview and click on the icon RD Gateway

Click on Picture for Better Resolution

Step 2 –  The Wizard starts. In the Select a server page, select your server, Press on the arrow. When done . Press Next

Click on Picture for Better Resolution

Step 3 – In the name Self Signed certificate, provide the name to be used.  Because in our scenario; we have deployed all the roles on the same server, we will reuse the same name as the RD Web Server roles. Press Next

Click on Picture for Better Resolution

Step 4 – In the Confirmation Page, review your settings and Press Add

Click on Picture for Better Resolution

Step 5 – In the view progress page, wait for the process to complete

Click on Picture for Better Resolution

Step 6 – When the installation is complete.  You can decide to close the wizard or you can decide to already configure the Certificate Settings.  at the bottom of the page; click on the configure Certificate link

Click on Picture for Better Resolution

Step 7 – The Configure The Deployment Wizard- Node Certificates opens.  Select the RD Gateway role and then press on the button Select existing certificate

Click on Picture for Better Resolution

Click on Picture for Better Resolution

Step 8 – The select existing certificate wizard opens.  Choose the first option and tick the checkbox at the bottom of the page.  Press OK

Click on Picture for Better Resolution

Step 9 – In the Configure the Deployment. Press Apply.  After completioin, you should see that the RD Gateway has a certificate associated.  Press OK to Close the Wizard.

Click on Picture for Better Resolution

Step 10 – If you go back to the overview page of the RDMS, you can see that your RD Gateway role has been installed and ready to be used.

Click on Picture for Better Resolution

Configuring the RD Gateway Server settings

If your users are accessing the RemoteApp via the RDWeb Access interface, you will simply need to ensure that your RDS Deployment has the correct settings applied for the RD Gateway role. You will simply need to check if the RD Gateway server has been specified in the Deployment Configuration Settings.

In the RDMS Console, Overview Page, in the Roles pane, click on the tasks button and select the option edit deployment settings

Click on Picture for Better Resolution

In the Deployment Wizard, select the appropriate settings from the Wizard.  In our scenario, we want to have the users connecting through the Remote Desktop Gateway.  So, we have configured our deployment settings in order to have the RD Gateway specified and used while accessing the remote applications.

Click on Picture for Better Resolution

 

Note:  

You should unchecked the box Bypass RD Gateway for local address… if you want to use RD Gateway for internal use as well.

This is the only action you could perform in order to have your RD Gateway server ready to use

Additional Configuration settings RDGW

After installing the RD Gateway, you will have an additional MMC console that has been installed (which is not integrated with the RDMS Management interface).  If you click on start, and search for Remote Desktop Gateway, you should see the Remote Desktop Gateway Manager Console.  

Click on Picture for Better Resolution

Click on it and the RD Gateway Manager will open

Click on Picture for Better Resolution

From there, you can configure additional settings.  If you right-click on the server object and select properties, you will see the different options available to you.  let quickly go through them.

In the General Tab, you can configure some settings related to the connections. You can allow maximum connection or disable new connections or limit the number of simultaneous connections.

Click on Picture for Better Resolution

In the SSL settings, you should find the same information we have configured through the deployment wizard. You could adjust your settings as well

Click on Picture for Better Resolution

In the Transport settings tab, you can specify the HTTPS port to be used as well if you want to enable or not the UDP settings.  The UDP transport layer is a new feature of RDS 2012 R2. UDP could be used to improve performance over WAN.

 

Click on Picture for Better Resolution

RDS 2012 R2 can create three internal connections.  1 connection will be based on HTTP and ensure that connection between client and target server is established and maintained. The 2 other connections are UDP based and ensure the rich multimedia experience.

Note also that the load balancing architecture has changed.  DNS Round robin is not supported because of the UDP connections. To have fault tolerant RD Gateway infrastructure, you will need to have a hardware or software load balancer that can do IP-Affinity,cookie-based session or SSL session….NLB can be used as load balancer as this one support IP-Affinity.

 

Click on Picture for Better Resolution

The RD CAP store (Connection Authorization Policies) tab define where to get the policies (locally or using another server on the network

Click on Picture for Better Resolution

The Farm tab can be used to specify the farm name you might have created and specify which RDS servers will be part of it.  We will discuss server farms in a coming post.

In the Auditing Tab, you can specify which events you want to have recorded in the Event Viewer

Click on Picture for Better Resolution

You can configure SSL Briding if you want to via the SSL Briding tab

Click on Picture for Better Resolution

via the messaging tab, you can display system messages or login messages when a user logs into your server.

Click on Picture for Better Resolution

CAP and RAP policies on RDGW

In the RD Gateway manager; you should review the policies that have been implemented by default. This check is necessary in order to ensure that the policies allows your users to perform connections to your RDS infrastructure.

In the RD Gateway manager console; click on connection authorization policies node, and you can see the default CAP defined. The default one allow domain users to connect to the RD Gateway server. If you want to you could change or create a new connection policies.

Click on Picture for Better Resolution

If you click on the Resource Authorization polices (RAP)  node, you will see that a default RAP has been created. The RAP tells you which network resources can be accessed.  The default one allow access to all resources. For security reasons, you might want to create a new RAP more restrictive and grant access only to needed resources.

Click on Picture for Better Resolution

 

During my Deployment, I had encountered a small issue while trying to connect to the RD Gateway and accessing my remoteapps.  This is the error message I was getting

Click on Picture for Better Resolution

After checking the event viewer; I’ve found out that the CAP or RAP was to restrictive and wouldn’t let me connect

Click on Picture for Better Resolution

 

Connecting through the RD Gateway Server using RDP Client

To connect to your infrastructure through RD Gateway, you might need to configure your RDP client (if you perform a remote desktop connection directly).  If you open your rdp client, you will see a screen like this

 

Click on Picture for Better Resolution

Click on the Show Options button and you will see advanced settings tab

Click on Picture for Better Resolution

Click on the Advanced tab and tell click on the button Settings 

Click on Picture for Better Resolution

In the connection settings page; you can specify how you want to connect to the RD Gateway 

Click on Picture for Better Resolution

 

If you choose the option  Automatically detect RD Gateway server settings (default), the rdp client will retrieve the value set by a GPO if the gpo has been enabled and configured.

If you choose the option Use these RD Gateway server settings, you basically needs to provide the name and authentication method. for the Name, you will have to use the FQDN

If you choose Do not use an RD Gateway server, you will not connect through the RD Gateway and you will be connecting directly to the Remote computer you want to connect to.

Specify the RD Gateway through GPO

If required, you can use two gpos that can help you automate the RDP client configuration for the RD Gateway settings.  The only limitation of the GPO is that you can specify only one RD Gateway which should be good enough if you want to centralize your infrastructure.

You can create a Group policy where you could configure the user settings for the RD Gateway.  As shown in the screenshot below, you can configure 3 user settings in relation with the RD Gateway server

Click on Picture for Better Resolution

Final Notes

That’s it for this quite long post.  And as you have noticed we are only scratching the surface so far.  We started our journey with a simple/quick deployment for session virtualization. We still need to add one RDS role (RDS Licensing) and we would have a complete RDS infrastructure.   This will be the subject of one of the coming posts.

Now that we have seen how to deploy a simple infrastructure, we might want to look at more complex infrastructure and scenarios.  We might also want to discuss about the VDI solution that can be implemented through RDS roles as well.

This can become a really long series about RDS…… Well we will see

Till Next time

See ya

 

Some advanced Topics readings :

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx