
Deploying Remote Desktop Gateway Step-by-Step Guide

Microsoft Corporation

Published: April 2009

Updated: May 2011

Abstract

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), in the Windows Server® 2008 R2 operating system, provides technologies that enable authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. In this guide, we will set up an RD Gateway server to use for connecting to a Remote Desktop Session Host (RD Session Host) server by using a Remote Desktop client computer.


Copyright Information

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

Deploying Remote Desktop Gateway Step-by-Step Guide
  About this guide
    What this guide does not provide
  Technology review
  Scenario: Deploying Remote Desktop Gateway
Step 1: Setting Up the Contoso Domain
  Configure the RD Gateway server (RDG-SRV)
Step 2: Installing RD Gateway
Step 3: Verifying RD Gateway Functionality
Related topics


Deploying Remote Desktop Gateway Step-by-Step Guide

About this guide

This step-by-step guide walks you through the process of setting up a working Remote Desktop Session Host (RD Session Host) server accessible by using Remote Desktop Gateway (RD Gateway) in a test environment. During this process, you will create a test deployment that includes the following components:

An RD Gateway server
An RD Session Host server
A Remote Desktop Connection client computer

This guide assumes that you previously completed the steps in the Installing Remote Desktop Session Host Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=147292), and that you have already deployed the following components:

An RD Session Host server
A Remote Desktop Connection client computer
An Active Directory Domain Services domain controller

This guide includes the following topics:

Step 1: Setting Up the Contoso Domain
Step 2: Installing RD Gateway
Step 3: Verifying RD Gateway Functionality

The goal of RD Gateway is to enable authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be RD Session Host servers, RD Session Host servers running RemoteApp programs, or computers with Remote Desktop enabled.

What this guide does not provide

This guide does not provide the following:

An overview of Remote Desktop Services.

Guidance for setting up Active Directory Domain Services or an RD Session Host server. This information can be found in the Installing Remote Desktop Session Host Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=147292). For a downloadable version of this document, see the Installing Remote Desktop Session Host Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=147293) in the Microsoft Download Center.

Important: If you have previously configured the computers in the Installing Remote Desktop Session Host Step-by-Step Guide, you should repeat the steps in that guide with new installations.

Guidance for setting up a perimeter network or firewall rules. This information can be found in RD Gateway deployment in a perimeter network & Firewall rules (http://go.microsoft.com/fwlink/?LinkId=210571).

Complete technical reference for Remote Desktop Services.

Technology review

RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to help establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.

To function correctly, RD Gateway requires several role services and features to be installed and running. When you use Server Manager to install the RD Gateway role service, the following additional roles, role services, and features are automatically installed and started, if they are not already installed:

Remote procedure call (RPC) over HTTP Proxy
Web Server (IIS) [Internet Information Services]. IIS must be installed and running for the RPC over HTTP Proxy feature to function.
Network Policy and Access Services

Scenario: Deploying Remote Desktop Gateway

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this step-by-step guide, you will have an RD Session Host server that users can connect to with the Remote Desktop client computer by using RD Gateway. You can then test and verify this functionality by connecting to the RD Session Host server by using RD Gateway from the Remote Desktop client as an authorized remote user.

The test environment described in this guide includes four computers connected to a private network using the following operating systems, applications, and services.

Computer name   Operating system         Applications and services
CONTOSO-DC      Windows Server 2008 R2   Active Directory Domain Services (AD DS), DNS
RDSH-SRV        Windows Server 2008 R2   RD Session Host
CONTOSO-CLNT    Windows 7                Remote Desktop Connection
RDG-SRV         Windows Server 2008 R2   RD Gateway

The computers form a private network and are connected through a common hub or Layer 2 switch. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the network. The domain controller is named CONTOSO-DC for the domain named contoso.com. The following figure shows the configuration of the test environment.

Step 1: Setting Up the Contoso Domain

To prepare your RD Gateway test environment in the CONTOSO domain, you must configure the RD Gateway server (RDG-SRV).

Use the following table as a reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important: Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).

CONTOSO-DC
  Operating system requirement: Windows Server 2008 R2
  IP address: 10.0.0.1
  Subnet mask: 255.255.255.0
  Default gateway: 10.0.0.1
  DNS settings: Configured by DNS server role

RDSH-SRV
  Operating system requirement: Windows Server 2008 R2
  IP address: 10.0.0.2
  Subnet mask: 255.255.255.0
  Default gateway: 10.0.0.1
  DNS settings: Preferred: 10.0.0.1

CONTOSO-CLNT
  Operating system requirement: Windows 7
  IP address: 10.0.0.3
  Subnet mask: 255.255.255.0
  Default gateway: 10.0.0.1
  DNS settings: Preferred: 10.0.0.1

RDG-SRV
  Operating system requirement: Windows Server 2008 R2
  IP address: 10.0.0.11
  Subnet mask: 255.255.255.0
  Default gateway: 10.0.0.1
  DNS settings: Preferred: 10.0.0.1

Configure the RD Gateway server (RDG-SRV)

To configure the RD Gateway server, you must:

Install Windows Server 2008 R2.
Configure TCP/IP properties.
Join RDG-SRV to the contoso.com domain.
Install the RD Gateway role service.

First, install Windows Server 2008 R2 on a stand-alone server.

To install Windows Server 2008 R2

1. Start your computer by using the Windows Server 2008 R2 product CD.

2. When prompted for a computer name, type RDG-SRV.

3. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that RDG-SRV has an IPv4 static IP address of 10.0.0.11.

To configure TCP/IP properties

1. Log on to RDG-SRV with the RDG-SRV\Administrator account.

2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change adapter settings, right-click Local Area Connection, and then click Properties.

3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Click Use the following IP address. In the IP address box, type 10.0.0.11. In the Subnet mask box, type 255.255.255.0. In the Default gateway box, type 10.0.0.1.

5. Click Use the following DNS server addresses. In the Preferred DNS server box, type 10.0.0.1.

6. Click OK, and then close the Local Area Connection Properties dialog box.

Next, join RDG-SRV to the contoso.com domain.

To join RDG-SRV to the contoso.com domain

1. Click Start, right-click Computer, and then click Properties.

2. Under Computer name, domain, and workgroup settings, click Change settings.

3. On the Computer Name tab, click Change.

4. In the Computer Name/Domain Changes dialog box, under Member of, click Domain, and then type contoso.com.

5. Click More, and in the Primary DNS suffix of this computer box, type contoso.com.

6. Click OK, and then click OK again.

7. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for CONTOSO\Administrator, and then click OK.

8. When a Computer Name/Domain Changes dialog box appears welcoming you to the contoso.com domain, click OK.

9. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

10. Click Restart Now.
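The two Step 1 procedures above (static TCP/IP settings and the domain join) can also be scripted. The following is an added example, not part of the Microsoft guide: it uses the addresses from the guide's table, assumes PowerShell 2.0 on Windows Server 2008 R2 in an elevated prompt run as RDG-SRV\Administrator, and assumes the network adapter carries the default name "Local Area Connection". It checks that CONTOSO-DC answers and that contoso.com resolves through the new DNS setting before attempting the join, so a wrong address is caught before the domain join fails with a less obvious error.

```powershell
# Added example (not from the Microsoft guide): scripted equivalent of the Step 1
# procedures "To configure TCP/IP properties" and "To join RDG-SRV to the contoso.com domain".
# Assumptions: PowerShell 2.0 on Windows Server 2008 R2, elevated prompt as RDG-SRV\Administrator,
# one NIC named "Local Area Connection".

$adapter   = "Local Area Connection"   # assumption: default adapter name on the lab server
$ipAddress = "10.0.0.11"               # values below come from the guide's configuration table
$subnet    = "255.255.255.0"
$gateway   = "10.0.0.1"
$dnsServer = "10.0.0.1"                # CONTOSO-DC, which runs the DNS server role
$domain    = "contoso.com"

# netsh is used because New-NetIPAddress / Set-DnsClientServerAddress only exist on
# Windows 8 / Windows Server 2012 and later. validate=no skips the interactive DNS validation.
netsh interface ipv4 set address name="$adapter" source=static address=$ipAddress mask=$subnet gateway=$gateway gwmetric=1
netsh interface ipv4 set dnsservers name="$adapter" source=static address=$dnsServer register=primary validate=no

# Sanity checks before joining: the domain controller must answer on the new address,
# and the domain name must resolve through the DNS server we just configured.
if (-not (Test-Connection -ComputerName $dnsServer -Count 2 -Quiet)) {
    throw "CONTOSO-DC ($dnsServer) is not reachable; check the adapter settings before joining."
}
$resolved = [System.Net.Dns]::GetHostAddresses($domain) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $dnsServer) {
    throw "$domain did not resolve to $dnsServer; the preferred DNS server setting is wrong."
}

# Join the domain with the CONTOSO\Administrator credentials the guide uses (password is prompted).
# By default Windows also sets the primary DNS suffix to the joined domain, which the GUI
# procedure sets by hand in step 5.
$cred = Get-Credential "CONTOSO\Administrator"
Add-Computer -DomainName $domain -Credential $cred

# The join takes effect only after a restart (step 10 of the GUI procedure).
Restart-Computer -Force
```

After the restart, log on as CONTOSO\Administrator and confirm the membership with `(Get-WmiObject Win32_ComputerSystem).Domain`, which should return contoso.com.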

You have prepared your test environment. Now you can proceed to Step 2: Installing RD Gateway.

Step 2: Installing RD Gateway

To install and configure an RD Gateway server, you must add the RD Gateway role service. Windows Server 2008 R2 includes the option to install the RD Gateway role service by using Server Manager. This topic covers the installation and configuration of the RD Gateway role service on the RDG-SRV computer in the CONTOSO domain.

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To install the RD Gateway role service

1. Log on to RDG-SRV as CONTOSO\Administrator.

2. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

3. Under the Roles Summary heading, click Add Roles.

4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

5. On the Select Server Roles page, under Roles, select the Remote Desktop Services check box, and then click Next.

6. On the Remote Desktop Services page, click Next.

7. On the Select Role Services page, select the Remote Desktop Gateway check box.

8. If prompted to specify whether you want to install the additional role services required for Remote Desktop Gateway, click Add Required Role Services.

9. On the Select Role Services page, click Next.

10. On the Choose a Server Authentication Certificate for SSL Encryption page, select Create a self-signed certificate for SSL encryption, and then click Next.

11. On the Create Authorization Policies for RD Gateway page, select Now, and then click Next.

a. On the Select User Groups That Can Connect Through RD Gateway page, click Add. In the Select Groups dialog box, specify Domain Users, and then click OK to close the Select Groups dialog box. Click Next.

b. On the Create an RD CAP for RD Gateway page, enter the name RD_CAP_01 for the Remote Desktop connection authorization policy (RD CAP), select Password, and then click Next.

c. On the Create an RD RAP for RD Gateway page, enter the name RD_RAP_01 for the Remote Desktop resource authorization policy (RD RAP), and then select Allow users to connect to any computer on the network. Click Next.

12. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.

13. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.

14. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.

15. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.

16. On the Confirm Installation Selections page, verify that the following role services will be installed:

Remote Desktop Services\RD Gateway

Network Policy and Access Services\Network Policy Server

Web Server (IIS)

RPC over HTTP Proxy

17. Click Install.

18. On the Installation Progress page, installation progress will be noted.

19. On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.

To export the SSL certificate for the RD Gateway server and copy it to the CONTOSO-CLNT computer

1. On the RD Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

a. Click Start, click Run, type mmc and then click OK.

b. On the File menu, click Add/Remove Snap-in.

c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

d. In the Certificates snap-in dialog box, click Computer account, and then click Next.

e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

f. In the Add or Remove Snap-ins dialog box, click OK.

2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.

3. Right-click the certificate RDG-SRV.contoso.com, point to All Tasks, and then click Export.

4. On the Welcome to the Certificate Export Wizard page, click Next.

5. On the Export Private Key page, click No, do not export private key, and then click Next.

6. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.

7. On the File to Export page, in the File name box, click Browse.

8. In the Save As dialog box, in the File name box, enter RDG-SRV, and then click Save.

9. On the File to Export page, click Next.

10. On the Completing the Certificate Export Wizard page, confirm that the correct certificate is specified, that Export Keys is set to No, and that Include all certificates in the certification path is set to No, and then click Finish.

11. After the certificate export has successfully completed, a message appears confirming that the export was successful. Click OK.

12. Close the Certificates snap-in.

13. Copy the RD Gateway server certificate c:\users\administrator.CONTOSO\Documents\RDG-SRV.cer, to the CONTOSO-CLNT computer.
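The role-service installation and the certificate export in Step 2 have a scripted counterpart. The following is an added example, not part of the Microsoft guide: it assumes PowerShell 2.0 on Windows Server 2008 R2 in an elevated prompt run as CONTOSO\Administrator, the feature names of the 2008 R2 ServerManager module (RDS-Gateway, NPAS-Policy-Server, Web-Server, RPC-over-HTTP-proxy), the WMI classes of the RD Gateway provider in root\cimv2\TerminalServices, and that the administrative share on CONTOSO-CLNT is reachable. Unlike the Add Roles Wizard, Add-WindowsFeature creates neither the self-signed certificate nor the RD CAP/RD RAP, so steps 10 and 11 of the wizard are still done in RD Gateway Manager; the script then lists the policies so you can confirm RD_CAP_01 and RD_RAP_01 exist, and exports the public certificate exactly as the wizard does with "No, do not export the private key", printing the thumbprint for comparison on the client.

```powershell
# Added example (not from the Microsoft guide): scripted equivalent of "To install the RD Gateway
# role service" and "To export the SSL certificate ..." on RDG-SRV.
# Assumptions: PowerShell 2.0 on Windows Server 2008 R2, elevated prompt as CONTOSO\Administrator,
# 2008 R2 feature names, RD Gateway WMI provider in root\cimv2\TerminalServices.

Import-Module ServerManager

# RDS-Gateway pulls in the same required role services the wizard lists on its
# Confirm Installation Selections page (NPS, IIS, RPC over HTTP Proxy).
$result = Add-WindowsFeature RDS-Gateway
if (-not $result.Success) { throw "RD Gateway role service installation failed." }
if ("$($result.RestartNeeded)" -eq "Yes") { Write-Warning "Restart RDG-SRV before continuing." }

# Verify each expected role service is present (names are an assumption for 2008 R2).
foreach ($feature in "RDS-Gateway", "NPAS-Policy-Server", "Web-Server", "RPC-over-HTTP-proxy") {
    if (-not (Get-WindowsFeature $feature).Installed) { Write-Warning "$feature is not installed." }
}

# After creating RD_CAP_01 / RD_RAP_01 in RD Gateway Manager, confirm they exist.
# A gateway with no RD CAP or RD RAP accepts no connections at all.
$ns = "root\cimv2\TerminalServices"
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy | Select-Object Name
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy   | Select-Object Name

# Locate the self-signed gateway certificate in the computer's Personal store (step 3 of the
# export procedure names it RDG-SRV.contoso.com) and take the newest one if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=RDG-SRV.contoso.com*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for RDG-SRV.contoso.com in the computer Personal store." }

# Export the public certificate only, as DER-encoded .cer; the private key stays on the gateway.
$cerPath = Join-Path ([Environment]::GetFolderPath("MyDocuments")) "RDG-SRV.cer"
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# Record the thumbprint so the client can verify the file before trusting it as a root.
"Exported $cerPath, SHA-1 thumbprint $($cert.Thumbprint)"

# Copy to the client (assumption: C$ administrative share reachable with the current account).
Copy-Item $cerPath "\\CONTOSO-CLNT\C$\Users\Public\Documents\RDG-SRV.cer"
```

The RD RAP created in the wizard allows connections to any computer on the network, which is convenient in the lab; outside the lab, scope the RD RAP to a computer group so the gateway only forwards to the RD Session Host servers it is meant to front.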

Note: For single sign on, no changes are needed on the RD Gateway server. Review Deploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by-Step Guide to implement single sign on.

You have installed and configured an RD Gateway server. Now you can proceed to Step 3: Verifying RD Gateway Functionality.

Step 3: Verifying RD Gateway Functionality

To verify the functionality of the RD Gateway deployment, complete the following:

Install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT computer.
Enable certificate revocation checking on the CONTOSO-CLNT computer (optional).
Log on to CONTOSO-CLNT as Morgan Skinner and use Remote Desktop Connection (RDC) to connect to the RD Session Host server (RDSH-SRV) by using the RD Gateway server (RDG-SRV).

To install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT computer

1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.

2. Open the Certificates snap-in console by doing the following:

a. Click Start, click Run, type mmc and then click OK.

b. On the File menu, click Add/Remove Snap-in.

c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

d. In the Certificates snap-in dialog box, click Computer account, and then click Next.

e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

f. In the Add or Remove Snap-ins dialog box, click OK.

3. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Trusted Root Certification Authorities.

4. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.

5. On the Welcome to the Certificate Import Wizard page, click Next.

6. On the File to Import page, in the File name box, click Browse, and then browse to the location where you copied the SSL certificate for the RD Gateway server. From the file type drop-down list, select All Files (*.*). Select the certificate RDG-SRV.cer, click Open, and then click Next.

7. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected and that the following certificate settings appear:

Certificate Store Selected by User: Trusted Root Certification Authorities

Content: Certificate

File Name: FilePath\RDG-SRV.cer

9. Click Finish.

10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the CONTOSO-CLNT computer.

12. Log off from the CONTOSO-CLNT computer.

To enable certificate revocation checking on the CONTOSO-CLNT computer (optional)

1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.

2. Click Start, point to All Programs, and then click Accessories.

3. Right-click Command Prompt, and then click Run as administrator.

4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

5. At the command prompt, type reg add "HKCU\Software\Microsoft\Terminal Server Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1.

Warning: The publishing and maintenance of the certificate revocation list is an integral part of the public key infrastructure (PKI), and it is external to RD Gateway. Do not enable certificate revocation checking on RD Gateway client computers until you have confirmed that your deployment can support this; otherwise, even the basic connection to an end resource through the RD Gateway server will not work. This is the reason why certificate revocation checking is disabled by default on the RD Gateway client, and the recommendation is to turn it on as a security best practice only after ensuring that the certificate revocation list is accessible from the Internet.

6. Log off the computer.

To connect to RDSH-SRV with RDC by using RDG-SRV

1. Log on to CONTOSO-CLNT as Morgan Skinner.

2. Click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

3. In the Remote Desktop Connection dialog box, click Options.

4. On the Advanced tab, click Settings.

5. On the RD Gateway Server Settings page, click Use these RD Gateway server settings, enter the following settings, and then click OK.

Server name: RDG-SRV.contoso.com

Logon method: Allow me to select later

Bypass RD Gateway server for local addresses: Clear check box

6. On the General tab, in the Computer box, type rdsh-srv, and then click Connect.

7. In the Windows Security dialog box, type the password for contoso\mskinner, and then click OK.

8. If the connection is successful, a Windows desktop will appear on the screen for RDSH-SRV.
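The three Step 3 procedures on the client (trusting the gateway certificate, the optional revocation-checking key, and the gateway-routed RDC connection) can be scripted as well. The following is an added example, not part of the Microsoft guide: it assumes PowerShell 2.0 on Windows 7, that the .cer file was copied to C:\Users\Public\Documents, that the thumbprint printed on RDG-SRV is pasted into $expectedThumbprint, and that the .rdp setting names and values are as I understand the RDP file format (gatewayusagemethod 1 = always use the gateway, which is the same as clearing "Bypass RD Gateway server for local addresses"; gatewaycredentialssource 4 = "Allow me to select later"). Two checks are added that the GUI procedure leaves implicit: the thumbprint is compared before anything is placed in Trusted Root Certification Authorities, and the Warning above is turned into code by reading the certificate's CRL distribution points and enabling CheckForRevocation only when each of them answers.

```powershell
# Added example (not from the Microsoft guide): scripted equivalent of the three Step 3
# procedures on CONTOSO-CLNT. Assumptions: PowerShell 2.0 on Windows 7; the certificate
# import part runs elevated as CONTOSO\Administrator; .rdp values as described in the lead-in.

$cerPath            = "C:\Users\Public\Documents\RDG-SRV.cer"   # assumption: where the .cer was copied
$expectedThumbprint = "PASTE-THUMBPRINT-FROM-RDG-SRV"           # placeholder, copied out of band
$gatewayHost        = "RDG-SRV.contoso.com"
$targetHost         = "rdsh-srv"

# 1. Trust the gateway certificate. Anything placed in Trusted Root is trusted to issue
#    certificates for any name, so the thumbprint is compared before the store is touched.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$expected = ($expectedThumbprint -replace '\s', '').ToUpper()   # MMC shows the hash with spaces
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match the value recorded on RDG-SRV."
}
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# 2. (Optional) revocation checking, gated on the guide's Warning: every CRL distribution
#    point (CDP) in the gateway certificate must be reachable from this client. The lab's
#    self-signed certificate carries no CDP, so there is nothing that could fail to download.
function Test-CrlReachable([System.Security.Cryptography.X509Certificates.X509Certificate2] $c) {
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }   # id-ce-cRLDistributionPoints
    if (-not $cdp) { return $true }
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s"]+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Method = "HEAD"
            $req.Timeout = 5000
            $req.GetResponse().Close()
        } catch {
            Write-Warning "CRL at $url is not reachable: $($_.Exception.Message)"
            return $false
        }
    }
    return $true
}
if (Test-CrlReachable $cert) {
    # Same value the guide sets with reg add. The key is under HKCU, so it must be written in
    # the profile of the account that will run Remote Desktop Connection.
    $key = "HKCU:\Software\Microsoft\Terminal Server Gateway\Transports\Rpc"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name CheckForRevocation -PropertyType DWord -Value 1 -Force | Out-Null
} else {
    Write-Warning "Leaving CheckForRevocation off; with an unreachable CRL the connection would fail."
}

# 3. Connect to RDSH-SRV through RDG-SRV. RD Gateway is RDP over HTTPS, so first confirm the
#    gateway accepts TCP 443, then write the settings the RDC dialog stores and launch mstsc.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($gatewayHost, 443) } catch { throw "$gatewayHost does not accept HTTPS on port 443." }
$tcp.Close()

$rdpPath = Join-Path $env:TEMP "rdsh-via-gateway.rdp"
@"
full address:s:$targetHost
gatewayhostname:s:$gatewayHost
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
"@ | Set-Content -Path $rdpPath -Encoding ASCII
mstsc.exe $rdpPath
```

Run part 1 as CONTOSO\Administrator and parts 2 and 3 as Morgan Skinner, matching the accounts the guide uses for each procedure; RDC then prompts for contoso\mskinner's password as in step 7 and shows the RDSH-SRV desktop on success.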


You have successfully deployed and demonstrated the functionality of RD Gateway on Remote Desktop Services by using the simple scenario of connecting to an RD Session Host server by using RD Gateway with an authorized remote user account by using Remote Desktop Connection. You can also use this deployment to explore some of the additional capabilities of Remote Desktop Services through additional configuration and testing.

Related topics

Step 1: Setting Up the Contoso Domain
Step 2: Installing RD Gateway
Step 3: Verifying RD Gateway Functionality
Deploying Remote Desktop Gateway Step-by-Step Guide (Home)