Wednesday, January 22, 2014

Deploying Remote Desktop Gateway in Windows Server 2012 or Windows Server 2012 R2 workgroup environment

In Windows Server 2012 and later, administrators can also deploy Remote Desktop Gateway in a workgroup environment. The steps are similar to those for Windows Server 2008 and Windows Server 2008 R2.

To deploy Remote Desktop Gateway on Windows Server 2008 or Windows Server 2008 R2, see the following page:


Goal
Deploy the Remote Desktop Gateway feature on Windows Server 2012 R2 in a workgroup environment and test it.

Lab environment

  • 2 servers running Windows Server 2012 or later
  • 1 server running Windows Server 2012 R2
  • All servers are in a workgroup (none of them is domain-joined)

Prerequisites

  • The server that will be configured as the Remote Desktop Gateway is named RDG12
  • Make sure all servers can communicate with each other on the network

Setting the primary DNS suffix of the server
1. On RDG12, log in as local administrator.
2. Press "Start" button and then enter "sysdm.cpl".


3. On "System Properties" window, under "Computer Name" tab, click "Change".



4. On "Computer Name/Domain Changes" window, click "More".



5. Next to "Primary DNS suffix of this computer", type the DNS domain name. (This lab uses "tls1.lab", which is why the gateway appears later as RDG12.tls1.lab.)



Remark: This is a test lab, so I entered the internal DNS name. In a production environment, enter the public DNS domain name that clients will use to reach the gateway, because that is the name the certificate has to match.

6. Click "OK" three times to go to "System Properties".
7. Click "Close".



8. Click "Restart Now".



The FQDN of the Remote Desktop Gateway server (computer name plus this suffix) is used as the subject name when the certificate is generated, so it must be the name clients will connect to.
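The same change done from PowerShell, as an added example that is not part of the original post. It writes the two registry values behind the "More" dialog, prints the FQDN that the certificate will be issued for, and checks that the name resolves. The suffix tls1.lab is the lab value used later in this post; the registry path and value names are the standard TCP/IP parameters and are not an assumption.

```powershell
# Added example (not from the original post): set the primary DNS suffix of a
# workgroup server from PowerShell and show the FQDN the RD Gateway certificate
# will be issued for. Run in an elevated PowerShell session on RDG12.
# Assumption: 'tls1.lab' is the lab suffix used later in the post; in production
# use the public DNS domain that clients will type into Remote Desktop Connection.
$Suffix     = 'tls1.lab'
$TcpipParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The "Primary DNS suffix of this computer" box writes 'NV Domain'; 'Domain' is
# the value in effect after a reboot. Set both so the change is consistent.
Set-ItemProperty -Path $TcpipParam -Name 'NV Domain' -Value $Suffix -Type String
Set-ItemProperty -Path $TcpipParam -Name 'Domain'    -Value $Suffix -Type String

# This is the name the "Create Self-Signed Certificate" step puts in the
# certificate subject, so it must be exactly what clients will connect to.
$Fqdn = '{0}.{1}' -f $env:COMPUTERNAME, $Suffix
"Primary DNS suffix set to '$Suffix'. Expected RD Gateway FQDN: $Fqdn"

# Sanity check: a client that cannot resolve this name cannot use the gateway.
# In a workgroup without internal DNS, add a hosts entry on the client instead.
if (-not (Resolve-DnsName -Name $Fqdn -ErrorAction SilentlyContinue)) {
    Write-Warning "$Fqdn does not resolve yet; fix DNS (or the hosts file) before testing."
}

# The suffix change only takes effect after a restart, as the dialog requires.
Restart-Computer -Confirm
```

Run it once, confirm the restart, and then compare `$env:COMPUTERNAME` plus the suffix with the name shown in the "Computer Name" tab before generating the certificate.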

Installing the Remote Desktop Gateway feature
1. On RDG12, log in as local administrator.
2. Launch "Server Manager".
3. On "Server Manager", click "Add roles and features".



4. On "Before You Begin" window, click "Next".
5. On "Installation Type" window, select "Role-based or feature-based installation" option.



6. Click "Next".
7. On "Server Selection" window, click "Next".



8. On "Server Roles" window, check "Remote Desktop Services" option.



9. Click "Next" twice.
10. On "Remote Desktop Services" window, click "Next".



11. On "Role Services" window, check "Remote Desktop Gateway" and, when the "Add Roles and Features Wizard" dialog lists the required features (Network Policy and Access Services and Web Server (IIS)), click "Add Features".




12. Click "Next".
13. On "Network Policy and Access Services" window, click "Next".



14. On "Role Services" window, leave default settings and then click "Next".



15. On "Web Server Role (IIS)" window, click "Next".



16. On "Role Services" window, leave default settings and then click "Next".



17. On "Confirmation" window, click "Install".



18. On "Results" window, click "Close".



We can also install the Remote Desktop Gateway feature, together with the role services it depends on, with the following PowerShell cmdlet:

Install-WindowsFeature RDS-Gateway -IncludeManagementTools -IncludeAllSubFeature



Configuring Remote Desktop Gateway
All required features have been installed in RDG12. Now, we can configure the policy and the certificate in this server.

1. Still on RDG12, launch "Remote Desktop Gateway Manager".
2. Select "RDG12 (Local)".


At this moment, we need to configure the access rule and certificate for the Remote Desktop Gateway. 

3. Right-click "RDG12", select "Properties".



4. On "RDG12 Properties" window, select "SSL Certificate" tab.



5. Click "Create and Import Certificate".



6. On "Create Self-Signed Certificate" window, click "OK".



7. On "RD Gateway" window, click "OK".




The self-signed certificate has been generated and installed on the Remote Desktop Gateway server. In this lab a self-signed certificate is acceptable, but in a production environment the Remote Desktop Gateway certificate should be issued by a trusted certification authority, so that clients validate it without having to import anything by hand.

8. Click "OK".
9. Right-click "Connection Authorization Policies" and select "Create New Policy > Wizard".



10. On "Create Authorization Policies for RD Gateway" window, select "Create a RD CAP and a RD RAP (recommended)".



11. Click "Next".
12. On "Create an RD CAP" window, in the name box, type "RD_CAP_01".



13. Click "Next".
14. On "Select Requirements" window, next to "User group membership (required)", click "Add Group".


On this page we choose whether users authenticate with a password, a smart card, or either. We can also restrict which user groups and, optionally, which computer groups are allowed to connect through the Remote Desktop Gateway. In a workgroup these are local groups on RDG12, so the accounts used to connect must exist on the gateway itself.

15. On "Select Groups" window, enter "Administrators" and then click "OK".



16. Click "Next".
17. On "Enable or Disable Device Redirection" window, click "Next".



The Remote Desktop Gateway server can also control device redirection (drives, clipboard, printers and so on) for the sessions that pass through it.

18. On "Set Session Timeouts" window, click "Next".



19. On "RD CAP Settings Summary" window, click "Next".



We can create more than one RD CAP to apply different settings to different user or computer groups.

20. On "Create an RD RAP" window, in the name box, type "RD_RAP_01".



21. On "Select User Groups" window, click "Next".



22. On "Select Network Resources" window, select "Allow users to connect to any network resource (computer)".



23. Click "Next".

In a workgroup environment we can also restrict the destination computers by IP address or computer name by selecting the "Select an existing RD Gateway-managed group or create a new one" option. "Allow users to connect to any network resource" is convenient in a lab, but in production the RD RAP should list only the hosts that are meant to be reachable through the gateway; otherwise anyone who passes the RD CAP can reach every RDP port behind the gateway.


Enter a name for the group and the IP address or computer name of each server.


Remark: If the computer name cannot be resolved when you click "Add", you get the following error.


24. On "Select Allowed Ports" window, select "Allow connections only to port 3389".



TCP port 3389 is the default port of Remote Desktop Services. If the RDP listening port on the destination computers has been changed, select the other option in this window and list the ports actually in use.

25. Click "Next".
26. On "RD RAP Settings Summary" window, click "Finish".



27. On "Confirm Creation of Authorization Policies" window, click "Close".




Now the Remote Desktop Gateway server is ready. We can connect through the Remote Desktop Gateway to a computer on which Remote Desktop is enabled.
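The policy part of the wizard, as an added example that is not the post's own code: it creates the same RD CAP and RD RAP with the RemoteDesktopServices provider (the RDS: drive installed with the RD Gateway role), restricts the RD RAP to a gateway-managed computer group instead of "any network resource", and exports the self-signed certificate for the client. The parameter names follow the RDS provider documentation; the "Group@BUILTIN" user group format, the destination names TARGET01 and 192.0.2.10, and the export path are assumptions, so check the created items with Get-ChildItem before relying on them.

```powershell
# Added example (not from the original post): the CAP/RAP configuration the
# wizard produces, done with the RemoteDesktopServices provider (RDS: drive),
# plus a DER export of the gateway's self-signed certificate for the client.
# Run in an elevated PowerShell session on RDG12 after the role is installed.
# Assumptions: the 'Group@BUILTIN' format for local groups, the destination
# hosts 'TARGET01' and '192.0.2.10', and the output path C:\RDG12.CER are
# placeholders; they are not taken from the post.
Import-Module RemoteDesktopServices

# 1. Connection Authorization Policy: who may reach the gateway and how.
#    AuthMethod: 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'RD_CAP_01' `
    -UserGroups 'Administrators@BUILTIN' -AuthMethod 1

# 2. Gateway-managed computer group: the only destinations the RAP will allow.
#    This is the workgroup substitute for an Active Directory computer group.
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RDG_Targets' `
    -Computers 'TARGET01', '192.0.2.10'

# 3. Resource Authorization Policy: which destinations and which port.
#    ComputerGroupType 0 = gateway-managed group; 2 = any network resource,
#    which is the lab-only choice made in the wizard above.
New-Item -Path RDS:\GatewayServer\RAP -Name 'RD_RAP_01' `
    -UserGroups 'Administrators@BUILTIN' `
    -ComputerGroupType 0 -ComputerGroup 'RDG_Targets' `
    -PortNumbers 3389

# Review what the provider created before trusting the policies.
Get-ChildItem RDS:\GatewayServer\CAP\RD_CAP_01 | Format-Table Name, CurrentValue -AutoSize
Get-ChildItem RDS:\GatewayServer\RAP\RD_RAP_01 | Format-Table Name, CurrentValue -AutoSize

# 4. Export the gateway certificate (public part only, DER) for the client.
#    The subject comes from the FQDN set in the DNS-suffix step.
$GatewayCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=RDG12.tls1.lab' } |
    Select-Object -First 1
if (-not $GatewayCert) { throw 'Gateway certificate not found in Cert:\LocalMachine\My' }
Export-Certificate -Cert $GatewayCert -FilePath 'C:\RDG12.CER' -Type CERT | Out-Null
"Copy C:\RDG12.CER to the client. Thumbprint to verify there: $($GatewayCert.Thumbprint)"
```

Keep the printed thumbprint; the client should compare it against the certificate it is about to import rather than trusting the file blindly.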

Export and import the certificate to a workstation (optional step)
To connect through Remote Desktop Gateway, the Remote Desktop Connection client must be version 6.0 or later.

Because we used a self-signed certificate, we must export it and import it on every computer that will connect through the Remote Desktop Gateway server; otherwise the client rejects the gateway's certificate. If the certificate was issued by a third-party trusted root certification authority such as Cybertrust, DigiCert or VeriSign, this step is not needed.

1. On RDG12, log in as Local Administrator.
2. Press "Start" button and then enter "mmc".



3. On the menu, click "File > Add/Remove Snap-in".



4. On "Add or Remove Snap-ins" window, select "Certificates", and then click "Add".



5. On "Certificates snap-in" window, select "Computer account".



6. Click "Next".
7. On "Select Computer" window, click "Finish".



8. On "Add or Remove Snap-ins" window, click "OK".
9. Expand "Certificates (Local Computer) > Personal > Certificates".
10. On right pane, right-click "RDG12.tls1.lab", select "All Tasks > Export".



11. On "Welcome to the Certificate Export Wizard" window, click "Next".



12. On "Export Private Key" window, leave "No, do not export the private key" selected and click "Next". The private key must stay on the gateway; the client only needs the public certificate.



13. On "Export File Format" window, leave "DER encoded binary X.509 (.CER)" selected and click "Next".



14. On "File to Export" window, next to "File name", enter "C:\RDG12.CER".



15. Click "Next".
16. On "Completing the Certificate Export Wizard" window, click "Finish".



17. On "Certificate Export Wizard" window, click "OK".
18. Copy the certificate to C:\ of a computer which will be connected to the Remote Desktop Gateway server, named Server1.
19. On Server1, log in as Local Administrator.
20. Launch "Windows Explorer" and then navigate to "C:\".
21. Double-click "RDG12" (the exported RDG12.CER file).



22. On "Certificate" window, click "Install Certificate".



23. On "Welcome to the Certificate Import Wizard" window, leave "Current User" selected and click "Next". (Choosing "Local Machine" here would make every user of Server1 trust the certificate.)



24. On "Certificate Store" window, select "Place all certificates in the following store" and then click "Browse".



25. On "Select Certificate Store" window, select "Trusted Root Certification Authorities" and then click "OK".




26. Click "Next".
27. On "Completing the certificate Import Wizard" window, click "Finish".



28. On "Security Warning" window, compare the thumbprint shown with the thumbprint of the certificate on RDG12 (visible on its "Details" tab) and, only if they match, click "Yes" to install the certificate. Anything placed in "Trusted Root Certification Authorities" is trusted for every TLS connection this user makes, so never accept this prompt without checking.



Using Remote Desktop Connection with Remote Desktop Gateway Settings
1. Still in Server1, launch "Remote Desktop Connection".
2. In "Remote Desktop Connection", click "Show Options".



3. Click "Advanced" tab.



4. Next to "Connect from anywhere", click "Settings".



5. On "Connection Settings", select "Use these RD Gateway server settings" and then enter "RDG12.tls1.lab".
6. Un-check "Bypass RD Gateway server for local addresses", so that the test connection is forced through the gateway even though Server1 is on the same network.



7. Click "OK".
8. Back to "General" tab.

Now, the Remote Desktop Connection session will pass through Remote Desktop Gateway.
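The client-side part of the procedure (the export/import of the certificate and the Remote Desktop Connection settings above), as an added example that is not part of the original post. It fetches the certificate the gateway actually presents on TCP 443, compares its thumbprint with the copied RDG12.CER before trusting it, imports the file into the current user's Trusted Root store, and writes an .rdp file with the same gateway settings as the dialog. The path C:\RDG12.CER and the gateway name come from the post; the destination host TARGET01 is a placeholder, because the post does not name one.

```powershell
# Added example (not from the original post): the client-side steps on Server1
# done from PowerShell. (1) fetch the certificate the gateway presents on 443,
# (2) compare its thumbprint with the exported RDG12.CER, (3) import the .CER
# into the current user's Trusted Root store, (4) write an .rdp file equivalent
# to the "Connect from anywhere" settings. Assumptions: C:\RDG12.CER was copied
# from RDG12; 'TARGET01' is a placeholder for a computer with Remote Desktop enabled.
$Gateway = 'RDG12.tls1.lab'
$CerPath = 'C:\RDG12.CER'
$Target  = 'TARGET01'

# 1. Open a TLS session to the gateway and capture the certificate it presents.
#    The validation callback returns $true only so that we can inspect the
#    certificate; nothing is trusted at this point.
$Exported  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$Tcp       = New-Object System.Net.Sockets.TcpClient($Gateway, 443)
$Callback  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$Ssl       = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
$Ssl.AuthenticateAsClient($Gateway)
$Presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
$Ssl.Dispose(); $Tcp.Close()

# 2. Trust the file only if it is the certificate the live gateway presents and
#    its subject is the gateway name. A mismatch means the file was altered or
#    the name points at another host; stop instead of adding it to Trusted Root.
if ($Presented.Thumbprint -ne $Exported.Thumbprint) {
    throw "Thumbprint mismatch: file=$($Exported.Thumbprint) gateway=$($Presented.Thumbprint)"
}
if ($Presented.Subject -notlike "*CN=$Gateway*") {
    throw "Certificate subject '$($Presented.Subject)' does not contain CN=$Gateway"
}

# 3. Import into the current user's Trusted Root store (same scope as the
#    wizard's "Current User" choice). Use Cert:\LocalMachine\Root only when
#    every user of Server1 should trust the gateway.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
"Imported $($Exported.Thumbprint) into Cert:\CurrentUser\Root"

# 4. Equivalent of the dialog settings: gatewayusagemethod 1 = always use the
#    gateway (the "Bypass ... for local addresses" box un-checked);
#    gatewayprofileusagemethod 1 = use these explicit settings;
#    gatewaycredentialssource 0 = prompt for a password.
$RdpFile = Join-Path $env:USERPROFILE 'Desktop\via-RDG12.rdp'
@"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
"@ | Set-Content -Path $RdpFile -Encoding ASCII

# Launch the connection; the gateway credential prompt appears first.
mstsc.exe $RdpFile
```

The thumbprint comparison is the step the GUI leaves to the reader: the "Security Warning" dialog shows the thumbprint, and this script refuses to import anything that does not match what the gateway itself serves.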

Remark: When you are prompted for the Remote Desktop Gateway credentials, you may need to enter the logon name in the following format.



Remark: We can create the certificate request in IIS and submit it to a third-party root certification authority to obtain a trusted certificate for the Remote Desktop Gateway server.



More information:

This posting is provided “AS IS” with no warranties, and confers no rights!

2 comments:

  1. Nice guide Terry.
    Thank you for taking the time to write this.

    /Atle Ofsti

  2. Perfect! Thanx!
