Remote access to your servers and workstations through Remote Desktop Services (Terminal Services) is an easy way of doing work away from the office. However, if you do not consider the security of these connections you are opening up a fairly large hole for someone to exploit. There are many applications and scripts a would-be attacker can use to brute-force or otherwise attack a terminal server if you simply open port 3389 to the rest of the world. Windows Server 2008 introduced the Terminal Services Gateway, which is rebranded as the Remote Desktop Gateway in 2008 R2. By using this gateway you not only control, through authorization policies, who may reach which terminal servers, you also gain the benefit of tunnelling RDP over RPC over HTTPS, which eliminates the need to open additional ports on your firewall and lets RDP work from behind most corporate firewalls, since only TCP port 443 needs to be reachable.
I will explain the steps necessary to configure this service, as well as the RDP client, so that you can access your servers in a more secure manner.
Open Server Manager and select Roles –> Add Roles
Select “Remote Desktop Services” from the role list
And “Remote Desktop Gateway” from Role Services
You will be prompted to add additional services. Click “Add Required Role Services” and click Next
When prompted to Choose a Server Authentication Certificate for SSL select “Choose a certificate for SSL encryption later”. We do not currently have a certificate loaded and need IIS to generate the request which we will take care of later in this tutorial.
When prompted to Create Authorization Policy for RD Gateway select “Later”
On the “Network Policy and Access Services” Select Role Services page, ensure “Network Policy Server” is selected (the gateway stores its connection authorization policies in NPS).
On the “Web Services (IIS)” Select Role Services page, accept the defaults.
On the “Confirm Installation Selections” page, ignore the two warnings, as they will be addressed later.
Once complete it is time to move onto configuration.
Generate SSL Certificate:
Open Server Manager –> Web Server (IIS) –> Internet Information Services (IIS) –> Hostname –> Server Certificates
I have an Enterprise CA, so I am selecting “Create Domain Certificate”. If you need to use a third-party CA you would select “Create Certificate Request” instead (third-party certificates are not covered in this document).
Fill in your appropriate details. The Common name must be the fully qualified name that clients will type into their gateway settings from outside, otherwise the RDP client will refuse the connection because the certificate does not match the gateway name.
Select your Online Certificate Authority
Assign Certificate to the RD Gateway
Server Manager –> Remote Desktop Services –> RD Gateway Manager –> Hostname –> View or modify certificate properties.
Select “Import Certificate”
Import the recently created certificate
Create connection authorization policy
Name your policy
On the Requirements tab, Add the Users or Groups you want to have access
You can make changes to the other options (authentication method, device redirection, session timeouts) as you see fit.
Create resource authorization policy
Name your policy
Select which Users or Groups can connect to remote computers
On the Network Resource tab you can specify which resources users are allowed to reach through the RD Gateway. For the purpose of this tutorial we will use “Allow users to connect to any network resource”. In production you should select an Active Directory group containing only the computers users are permitted to reach, so that a compromised account cannot use the gateway as a pivot onto everything on the internal network.
On the Allowed Ports tab accept the default “Allow connections only through TCP port 3389”
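The same server-side procedure as an added PowerShell example; this is not code from the original post. It uses the ServerManager module and the RDS: drive from the RemoteDesktopServices module that ship with Windows Server 2008 R2. The gateway name gw.contoso.com, the domain CONTOSO, the group “RD Gateway Users” and the policy names are assumptions to replace with your own, and the item parameter names (-Thumbprint, -UserGroups, -AuthMethod, -ComputerGroupType) are those documented for the 2008 R2 RDS: provider; confirm them with Get-Help before running this in an elevated PowerShell on the gateway, after the certificate has been issued:

```powershell
# Added example (not from the original post): RD Gateway setup on Windows Server 2008 R2.
# Assumed names: domain CONTOSO, group "RD Gateway Users", gateway FQDN gw.contoso.com.
Import-Module ServerManager
Import-Module RemoteDesktopServices   # provides the RDS: drive

# 1. Install RD Gateway; Add-WindowsFeature pulls in the required NPS, IIS and
#    RPC-over-HTTP-proxy role services for you (the same dependencies the wizard adds).
Add-WindowsFeature RDS-Gateway

# 2. Bind the SSL certificate. The subject must match the name external clients
#    type into their gateway settings, otherwise mstsc refuses the connection.
$gatewayFqdn = 'gw.contoso.com'   # assumption
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$gatewayFqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$gatewayFqdn in the machine store" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate -Thumbprint $cert.Thumbprint

# 3. Connection authorization policy (CAP): who may authenticate to the gateway.
#    AuthMethod 1 = Windows password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Allow-RDGatewayUsers' `
    -UserGroups 'RD Gateway Users@CONTOSO' -AuthMethod 1

# 4. Resource authorization policy (RAP): which computers those users may reach.
#    ComputerGroupType 2 = any network resource, which is what the tutorial uses.
#    In production prefer ComputerGroupType 1 with an AD computer group
#    (see Get-Help New-Item -Path RDS:\GatewayServer\RAP for the group parameter).
#    The allowed port is left at the default, TCP 3389, as in the tutorial.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Allow-RDGatewayUsers-AnyHost' `
    -UserGroups 'RD Gateway Users@CONTOSO' -ComputerGroupType 2

# 5. Checks before opening the firewall: both policies exist, the gateway is
#    listening on 443, and 443 is the only port you publish (never 3389).
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
netstat -ano | findstr ':443 '

# 6. Once a client has connected, the gateway's operational log records which
#    user reached which resource; this is what the Monitoring tab also shows.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Keep the CAP group small and dedicated rather than “Domain Users”: the gateway is reachable from the internet, so every member of that group is an account an attacker can try to password-guess against it.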
Client Configuration
Open Remote Desktop Connection
Enter the host you want to connect to:
On the Advanced tab click “Settings” under Connect from anywhere
Select “Use these RD Gateway server settings” (“TS Gateway” on older clients) and enter your gateway server name
Enter your credentials
You should now be connected to your intended host.
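The client-side steps above as an added PowerShell example, not code from the original post: it writes an .rdp file that carries the gateway settings the Advanced tab sets, then launches mstsc with it, so users do not have to find the dialog themselves. The gateway gw.contoso.com and the target srv01.contoso.local are assumptions:

```powershell
# Added example (not from the original post): an .rdp file that always goes
# through the RD Gateway. Assumed names: gateway gw.contoso.com, target srv01.contoso.local.
$gateway = 'gw.contoso.com'
$target  = 'srv01.contoso.local'
$rdpPath = Join-Path $env:USERPROFILE "$target.rdp"

@"
full address:s:$target
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
promptcredentialonce:i:1
authentication level:i:2
"@ | Set-Content -Path $rdpPath -Encoding ASCII

# gatewayusagemethod 1        = always use the gateway, even from the LAN
# gatewayprofileusagemethod 1 = use these explicit settings rather than detected ones
# gatewaycredentialssource 4  = ask for a password (NTLM) for the gateway
# promptcredentialonce 1      = reuse the gateway credentials for the target host
# authentication level 2      = warn if the target's identity cannot be verified
Start-Process mstsc.exe -ArgumentList "`"$rdpPath`""
```

Because only gatewayhostname points at the public name, the target name can stay an internal DNS name that is not resolvable from outside; the gateway resolves it on the inside.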
You can monitor the remote connections through the Monitoring tab under “RD Gateway Manager” in Server Manager.
I may cover more of the features and configuration of the RD Gateway at a later time, but for now you should be able to enjoy most of the benefits and security this service provides.
Worked like a charm! Great post!
Yep, worked great for me too, thanks!
I have a problem: after adding the Remote Desktop Gateway role, when I go to RD Gateway Manager there is no server:
RD Gateway Manager –> Hostname –> View or modify certificate
There is no hostname.
Any Help ?
Tks.
Do you get the option to “Connect to RD Gateway Server”?
Great post!!