What is a Remote Desktop Gateway

A Remote Desktop Gateway server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway uses the Remote Desktop Protocol and the HTTPS protocol to create a secure, encrypted connection. A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection through a Secure Sockets Layer (SSL) tunnel.

A Remote Desktop Gateway provides the following benefits:

- Enables Remote Desktop connections to a corporate network without having to set up a virtual private network (VPN).
- Enables connections to remote computers across firewalls.
- Allows you to share a network connection with other programs running on your computer.

Published by Ryan Mangan

Ryan Mangan works as the CTO at Systech IT Solutions, an application delivery and desktop virtualization specialist company based in the UK, where he focuses on end-user computing and emerging technologies.
Ryan is an end-user computing specialist with a great passion for virtualization.

Hi Ryan,

Thank you very much for this post, it was very helpful. However, as for me I'm in a little confusion:

I have two Hyper-V virtual servers set up as RDSH-FARM-1 and RDSH-FARM-2 (both machines are domain members). All the roles are installed on FARM-1, and FARM-2 has only the Remote Session Host installed, just for load balancing. I've used a local CA to request a certificate for RDWA and RDG (RDSH-FARM.co.uk). RDGATEWAY is set up with all policies, RAP and CAP.

Everything is working internally but not externally. I can browse to RDWA via my public IP, e.g. 12.56.45.67/rdweb, and can log in with a user account, but as soon as I try to remote desktop it says the RD Gateway server is not reachable.

My question is: do I have to have a registered public domain name? Can I not just use the public IP/rdweb to get access to my RDSH server? If I do need a publicly resolvable FQDN, can I link my public IP with my IIS web server?

Apart from this, just to make it short, what exactly am I missing here? And what do I need to make this work?

I will really appreciate your help!
PowerShell (all versions):

```powershell
(New-Object System.Net.Sockets.TcpClient).Connect('rdpservername1', 3389)
```

If port 3389 is unavailable, you should check that Remote Connection is enabled on the remote server (right-click on the Start button > System > Remote settings > Allow remote connections to this computer).
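The article describes the gateway as RDP tunnelled over HTTPS on port 443, and the TcpClient check above only tells you whether a port answers. The following is an added example (not the post's or any commenter's code) that goes one step further: it completes the TLS handshake to the gateway and reports whether the certificate's names and trust chain match the external FQDN, which is the usual cause of a client refusing to connect even when the port is open. The hostname used is a placeholder.

```powershell
# Added example (not from the original post or its comments): probe an RD Gateway the way
# a client does, TCP 443 then a TLS handshake, and report whether the certificate it presents
# matches the external FQDN users type. The FQDN at the bottom is a placeholder.
function Test-RDGateway {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $r = [ordered]@{ Host = $GatewayFqdn; TcpOpen = $false; Subject = $null; Sans = @()
                     NameMatches = $false; ChainValid = $false; ChainErrors = @(); Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($GatewayFqdn, $Port)        # RPC-over-HTTPS tunnel port
        $r.TcpOpen = $true
        # Accept any certificate in the callback so the handshake completes; trust and
        # name checks are done explicitly below so the result explains why a client balks.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        # Subject Alternative Name extension (OID 2.5.29.17) formats as "DNS Name=a.com, DNS Name=b.com"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $r.Sans = @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        $names = @($cert.GetNameInfo('SimpleName', $false)) + $r.Sans
        # Exact match, or a single-label wildcard (*.domain.com covers rdsgw.domain.com only)
        $r.NameMatches = [bool]($names | Where-Object {
            $_ -eq $GatewayFqdn -or
            ($_.StartsWith('*.') -and $GatewayFqdn -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
        })
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid  = $chain.Build($cert)       # $false when this machine does not trust the issuer
        $r.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message             # e.g. connection refused/timeout, or handshake failure
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

# TcpOpen=$false: port 443 is not reaching the gateway. NameMatches or ChainValid=$false:
# the client will show "can't verify the identity of the RD Gateway".
Test-RDGateway -GatewayFqdn 'rdsgw.example.com'    # placeholder hostname
```

Run it from a machine outside the network with the FQDN users actually type; the Sans and ChainErrors fields show whether the name on the certificate or the issuer's trust is the problem.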
Hi Ryan,

Thank you for all of this, as all your blogs have helped me extremely in my RDS deployments.

I am working with an FQDN mydomain.local and trying to set up an RDS 2012 deployment. I have a single server setup:

- server.mydomain.local – RD Connection Broker
- server.mydomain.local – RD Virtualization Host
- server.mydomain.local – RD Gateway
- server.mydomain.local – RD Web Access

I have an external DNS name of remote.mydomain.com and a wildcard cert associated with it. I set up the gateway with external FQDN remote.mydomain.com and applied the wildcard cert for *.mydomain.com successfully to all roles:

- RD Connection Broker – Enable Single Sign On: Trusted, OK
- RD Connection Broker – Publishing: Trusted, OK
- RD Web Access: Trusted, OK
- RD Gateway: Trusted, OK

I created a new DNS zone remote.mydomain.com and pointed it to the IP of the server that hosts all these roles. I can now access my VDI collection successfully internally but not externally. The error I get when connecting externally states:

Remote Desktop can't connect to the remote computer "server.mydomain.local" for one of the reasons:
1) Your user account is not authorized to access the RD Gateway "remote.mydomain.com"
2) Your computer is not authorized to access the RD Gateway "remote.mydomain.com"
3) You are using an incompatible method

I tried using the Set-RDPublishedName script afterwards and set the name to remote.mydomain.com. Now both internal and external connections will not authenticate when given the prompt to log in, saying the credentials did not work. After setting the published name to my external FQDN, both the remote computer and the gateway are pointed to remote.mydomain.com.

Putting the broker in high availability is not an option in this situation because we don't have a license for another server.

Any ideas on what I'm missing?

I doubt it's a permissions issue. Is it a problem with accessing the gateway? From my understanding, once we have access to the gateway externally, the broker can be internal, as a secure RDP connection has already been established.

Any help would be greatly appreciated.

Hi Ryan,

Thanks for a good guide. I have one issue remaining I hope you can help me with.
When logging on to RDWeb from a public connection, I am able to log on and see the default RDS connection. When I try to connect to it I only get an error: "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable."

Everything is working internally. I am using 2012 R2 servers. The GW server is using the rdsgw.public.com certificate. The broker and RDWeb are using the rds.public.com certificate, and public DNS has a NAT to the private IP. rds1 and rds2 are my host servers.

Any idea what I am missing?
Hi Ryan,

I have configured the Local Computers Group (rds.public.com + internal FQDN of both host servers) on the GW and I am using it in my RAP. The GW is not behind a load balancer. When I test mstsc with the GW from my internal network I am being logged on to the broker server and not the host server. I tried to add a public IP to rdsgw.public.com and NAT it to the GW server. Now I am receiving a second credential box asking for credentials to the internal broker FQDN. When typing in my admin credentials it times out eventually.

Hi Ryan,

Thanks for the quick replies and good assistance.

Hi,

Your posts are great and really helped me to understand this. I have a question for you which I could not figure out how to do. I have a setup with 4 2012 R2 servers: RDGW1, RDWA1, RDCB1, RDSH1. I want to publish RemoteApps which are on RDWA1 to the internet. If my understanding is correct I have to forward port 443 from the router to RDGW1. But obviously RDWeb is hosted on RDWA1; I cannot access it when I point port 443 to RDGW1. Would you be able to enlighten me on how to achieve this?

Thank you
Ray

Hi Ryan, thanks for your tutorial.
I installed Win 2012 R2 with two NICs in the DMZ. On that machine I ran the Remote Desktop Services installation (with default published apps) and just added RD Gateway. RD Gateway settings are "Use these": domain.com; the certificate is public (UCC with 10 SANs). Under Certificates I added this cert for Connection Broker and Web Access, but RD Gateway is greyed out. I am not able to edit this here, so I added the certificate through RD Gateway Manager. Policies are configured locally on the NPS server.

Since I have my website domain.com, I installed IIS ARR in order to route everything with /RDWeb to the RD Gateway. It seems to be working: I can open the login page and log in, but when I start a RemoteApp (that works within the LAN – bypass Gateway is selected) I receive an error "Your computer can't connect to the remote computer because the RD Gateway server is temporarily unavailable. Try reconnecting later."

Just came across this thread and I think some of you might be able to help.
Hello,

We created an RDS farm (one broker server and 2 RDSH servers). We did not install RDG because we want the farm to be accessed only internally. When we access the farm by Remote Desktop and log in, we get the warning screen "the identity of the remote computer cannot be verified". We created a cert on the broker server, registered it with GoDaddy (something like files.domain.com), and installed it on the broker. In the deployment properties for the collection, RD Connection Broker – Enable SSO, RD Connection Broker – Publishing and RD Web Access have this certificate installed and the level is Trusted, BUT when we access the farm myfiles.domain.com from Remote Desktop and log in, we have the warning screen "the identity of the remote computer cannot be verified". We looked for a few days on the internet, no luck. The environment is Windows Server 2012.
Ryan,

One of the things that confuses me most about Microsoft deployments is the external access. I just see so little documentation on it that it's incredible. Everything I've read online and in blogs says that the purpose of the gateway is to enable access to your farm from the public internet. So my thought process was "OK, only open ports 443 & 3391 to the outside and NAT it to the gateway". However, if you do this, while you can use MSTSC, you can't do RemoteApp nor get to the web access. So in the end I had to open up 443 to the RDWeb server. Is this correct?

Hey, can you clarify which steps exactly above 'force' the RD Gateway to only utilize port 443? I've configured my system to only use port 443 in both RD Gateway Manager > My Server > Policies > Resource Authorization Policies, and also in RD Gateway Manager > right-click on My Server > Properties > Transport Settings tab, and unticked "Enable UDP Transport". What I'm trying to accomplish is to get everything running over 443 and not depend on any 'non-standard' ports, as most security-conscious organizations tend to block most ports, leaving only 80 & 443 open for standard user access networks.

Hi Ryan,

Maybe a stupid question.
But I don't get it. I configured my RD Gateway server to be reachable with an external IP in our DMZ. I followed your steps above, but which URL should I enter to access it? I used the external IP of the GW server, but only got the IIS splash page. I checked what else pages are on the gateway setup and tried accessing /rpc, which prompts for credentials, then nothing happens. I used my internal wildcard certificate on my external GW server, which is – of course – untrusted. Is that the issue? Does it not proceed without having a trusted cert? If so, could I solve this by importing the internal wildcard cert?

Thanks!
Ben

Same problem here. I can access RDWeb on my broker internally and externally, but when I try to point my browser to (or ) I'm prompted for the password and nothing happens, both from internal and from external. It is driving me mad, also because I have no events logged at all on my gateway :-(((( I'm using a wildcard certificate created with my certification authority; naturally I added it to my test PC. Do I need to set any configuration on my session host servers, or the broker? Any suggestion, Ryan, would be more than appreciated!!!
Hello,

I am having an issue accessing my gateway server from any external sources. There is a timeout error. The address abc.remote.com works internally. My setup is like this:

1. One Gateway/Web Access on the same server.
2. Two Session Host servers
3. Two Broker servers
4. SQL Server is installed on the Gateway server
5. License server is installed on the Brokers

I have a Host A record at my domain name provider that points to my firewall. Then my firewall points to my internal Gateway server. I am allowing traffic from external through my firewall on port 443.

Ryan,

My setup consists of individual servers:

- RDS Licensing Server
- RDS Gateway Server / RD Web Access Server
- RDS Connection Broker
- RDS Session Host 1
- RDS Session Host 2

I have two questions.
When configuring the RAP policy for the RD Gateway, does the network resource for my Server Group need to be the Connection Broker or the two RDS Session Hosts? I am guessing it would need to be the Connection Broker, seeing how I want the external end user to be directed to the RDWeb landing page. Once they are directed to that landing page and log in, the Broker server would determine which RDSH server to use, seeing how they are load balanced. Am I correct in my thinking?

If so, after that I would need to create a policy in my firewall forwarding all external traffic from the outside to the RD Gateway server on, say, port 4443, and that would redirect users to the Broker server and the RDWeb landing page?

Thank you in advance.

Hello,

I created a 4-server RDS 2012 R2 environment. Here is the config:

- RD Connection Broker Server / License Server – internal network
- RD Web Access Server – internal network
- RD Session Host Server – internal network
- RD Gateway server – perimeter network

Internally, users can connect to the RDWeb Access page and then connect to services published to the RD Web Access page. This is working fine. The problem I am having is external users. I have an external FQDN in my external DNS and I have that address set in my Gateway setting; however, when a user connects to they are getting a 404 file or directory not found. It is my belief that it is trying to access the IIS server on the Gateway server, where there is no RDWeb, instead of sending the traffic to my internal RD Web Access server that does have the RDWeb service. I have read and re-read your deployment guide and I am just not sure what is wrong.
Ryan,

Thank you for the knowledge share. I followed the steps, had to go it alone on the certificate creation, but I can now get to the RDWeb login after the browser tells me the site is insecure. I am able to log in and see the applications I published. Upon clicking the icon of one of the published apps, I am presented with the RemoteApp dialog box to set local access etc. I noticed that the Gateway server is the external FQDN and the Remote computer is the internal FQDN for the RD server. When I click Connect, I get a message that "This computer can't verify the identity of the RD Gateway. It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance."

Thoughts?
A few days ago I replaced the mstsc.exe and mstscax.dll files in the System32 folder with the old ones, but it still wasn't working. Today I see in this post that I also needed to replace the files in the SysWOW64 folder. But my Windows.old folder is gone now! I didn't know Microsoft deletes it 30 days after an update! What do I do now? Or are the mstsc.exe and mstscax.dll files the same in the System32 and the SysWOW64 folders? In any case, is Microsoft going to do anything about this problem??

From searching the internet I get the impression that no one who has updated to the 1703 build is able to connect to a remote desktop anymore!