HOW-TO Setup Windows 2012 Server Core Remote Desktop Services to Securely Administer Windows over RDP and SSL

Read this updated post instead. It’s superior in a number of ways ;)

Alright, so I’ve wanted to setup a Remote Desktop Gateway for years, but the configuration seemed so.. time-intensive. Then I moved to Belgium, my living situation changed and I didn’t want to setup a whole new VPN server to access my virtual lab.

Initially, I set up my RD Gateway using too many Remote Desktop Services: Remote Desktop Connection Broker, Remote Desktop Gateway & Remote Desktop Web Access, but that was because I was led astray by Windows 2012’s new GUI. Now, I’ve narrowed it down to only RD Gateway and I’m even fond of Metro (:O)

So to get this going, all you have to do is install and configure the Remote Desktop Gateway Services (RD Gateway) Role. That seems obvious, but Server Manager’s interface which prominently displays an unconfigured “Remote Desktop Services” tab made me think I was missing something.

During the Role installation do: Role-based or feature-based installation -> Remote Desktop Services -> Remote Desktop Gateway

Then click Next a bunch of times. Something odd: when it asks you “Do you need an alternate source path?”, even if you have the Windows Server 2012 ISO attached, you’ll still need to click “Specify an alternate source path” and enter D:\sources\sxs (assuming your ISO is attached as D:).

Click Install and wait for the installation to complete. Now it’s time to configure RD Gateway.

OPTIONAL: If you’re on a domain with a Certificate Authority, you’ll want to configure IIS to use a Domain Certificate. Open IIS Manager -> Select your server -> Server Certificates -> Create Domain Certificate. For “Common Name” make sure you enter your external FQDN. Note: I chose to go with since I have a dynamic IP. You must use an externally resolvable hostname; Remote Desktop will fail if you try to use an IP address or a hostname that doesn’t match the certificate.

Now, you’ll need to configure RD Gateway. Go to Server Manager -> Tasks -> RD Gateway Manager.

Click View or modify certificate properties. If you don’t have a Domain Certificate, just click Create and import certificate and ensure you use your external FQDN for the certificate name. Otherwise, choose Select an existing certificate… and pick your certificate.

Click Import -> Apply. Now that you’re back at the RD Gateway Manager, expand the tree under your server name. Click Policies, then on the right click Create Authorization Policies for RD Gateway. Create an RD CAP and RD RAP (Recommended). In the name field, you can enter whatever you’d like. I chose “Default” -> Next -> Add Group -> Domain Admins -> (leave Client Computer blank)

Next, you’ll be given the option to Enable or Disable Device Redirection. I just chose the default (all clients) and clicked Next -> Next -> Next (leave the default) -> Next -> Allow users to connect to any network resource -> Next -> Allow Connections only to port 3389 -> Next -> Finish

Finally, open up Services and Start Remote Desktop Gateway

Voila! Now you can go modify your router rules to connect port 443 to your RD Gateway Server and/or read the important notes below.

A few important things to note
As an added security precaution, I went into IIS and disabled Anonymous access to my root IIS folder and ensured Windows Authentication was still enabled for the RPC folders.
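The same setup from an elevated PowerShell prompt, which is all you have locally on Server Core. This is an added example, not the post’s own steps; it assumes the ISO is attached as D: and uses gw.example.com as a placeholder for your external FQDN, and it leaves the CAP/RAP creation to RD Gateway Manager as described above.

```powershell
# Added example (not from the original post): RD Gateway role install, certificate binding,
# the IIS hardening from the note above, and service start, done from PowerShell.
# Assumptions: Server 2012 ISO attached as D:, gw.example.com is a placeholder for your
# externally resolvable FQDN. CAP and RAP are still created in RD Gateway Manager.
$ExternalFqdn = 'gw.example.com'   # must be exactly what clients type as the gateway name

# 1. Install only the RD Gateway role service; -Source points at the side-by-side payload
#    on the ISO, the same alternate source path the wizard asks for.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools -Source 'D:\sources\sxs'

# 2. Certificate whose name is the external FQDN. With a domain CA, request a domain
#    certificate through IIS instead and pick it up from Cert:\LocalMachine\My by thumbprint.
$Cert = New-SelfSignedCertificate -DnsName $ExternalFqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Bind it to the gateway (the equivalent of "Select an existing certificate").
$Gateway = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGatewayServerSettings
$Result  = $Gateway.SetCertificate($Cert.GetCertHash())
if ($Result.ReturnValue -ne 0) { throw "SetCertificate failed with code $($Result.ReturnValue)" }

# 4. IIS hardening: no anonymous access on the site root, Windows authentication kept on
#    for the Rpc virtual directory that carries the RDP-over-HTTPS transport.
Import-Module WebAdministration
$AuthFilter = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\Rpc' `
    -Filter "$AuthFilter/windowsAuthentication" -Name enabled -Value $true

# 5. Start the service (display name "Remote Desktop Gateway") and keep it starting at boot.
Set-Service -Name TSGateway -StartupType Automatic
Start-Service -Name TSGateway

# 6. Export the public certificate so off-domain clients can add it to their Trusted Root store.
Export-Certificate -Cert $Cert -FilePath 'C:\rdgateway.cer' | Out-Null

# 7. Sanity check before touching the router: service running and a listener on 443.
Get-Service -Name TSGateway | Select-Object Name, Status
Get-NetTCPConnection -LocalPort 443 -State Listen | Select-Object LocalAddress, OwningProcess
```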

Configuring the Remote Desktop Client is easy. Open up your Remote Desktop Client -> Advanced -> (Connect from Anywhere) Settings.

Enter the external hostname that you entered earlier during the configuration of RD Gateway. Go back to the general tab, and enter the FQDN of the domain server you wish to connect to. Don’t worry about resolving the hostname if you’re using an external DNS server — DNS is resolved at the RD Gateway so if the RD Gateway can resolve the hostname, you’re set.

If you choose to use a self-signed cert or you are attempting to connect from a computer that’s not on the domain, you’ll have to import the SSL cert into your Trusted Root Certification Authorities store. Otherwise, you’ll receive the error “This computer can’t verify the identity of the RD Gateway ‘’. It’s not safe to connect to servers that are not identified. Contact your network administrator for assistance.”

There are a few ways to do this, but here’s how I do it. I use Chrome to hit my server (ex.

Click Certificate Information -> Details -> Copy to File. Save the cert, then find it using Windows Explorer. Right-click on the cert -> Install Certificate -> Place all Certificate in the Following Store -> Trusted Root Certification Authority -> Next -> Finish -> Yes.
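An added check to run on the client before opening the Remote Desktop client (not from the original post): it performs the TLS handshake with the gateway on 443 and tells you which of the two causes behind that error you have, a name mismatch or an untrusted chain, since only the second is fixed by importing the cert. It assumes gw.example.com stands in for your gateway’s external FQDN and uses .NET’s SslStream plus the PKI module’s Import-Certificate in place of the Chrome export.

```powershell
# Added example (not from the original post). Assumption: gw.example.com is a placeholder
# for the external FQDN you will type under "Connect from Anywhere" in the RDP client.
$GatewayFqdn = 'gw.example.com'

# Handshake with the gateway, keeping the certificate and the reasons Windows would reject it.
# The callback returns $true so even a distrusted certificate can be inspected here.
$script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
$Callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($Sender, $Certificate, $Chain, $SslErrors)
    $script:PolicyErrors = $SslErrors
    return $true
}
$Tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, 443)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
try {
    $Ssl.AuthenticateAsClient($GatewayFqdn)   # the name check is made against this value
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} finally {
    $Ssl.Dispose(); $Tcp.Close()
}

"Subject    : $($Cert.Subject)"
"Issuer     : $($Cert.Issuer)"
"Expires    : $($Cert.NotAfter)"
"Thumbprint : $($Cert.Thumbprint)"

$NameMismatch = ($script:PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
$ChainErrors  = ($script:PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0

if ($NameMismatch) {
    # Importing does not cure this; the cert has to be reissued with the external FQDN as its name.
    Write-Warning "Certificate was not issued for '$GatewayFqdn'; the RDP client will refuse the gateway."
}
if ($ChainErrors) {
    Write-Warning "Certificate chain is not trusted on this computer (self-signed or unknown CA)."
    # Compare the thumbprint above with the one on the server before trusting it.
    if ((Read-Host "Import thumbprint $($Cert.Thumbprint) into Trusted Root Certification Authorities? (y/n)") -eq 'y') {
        $CerPath = Join-Path $env:TEMP 'rdgateway.cer'
        Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
        # Current-user Root store: same store the Install Certificate wizard uses, no elevation needed.
        Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
    }
}
if (-not $NameMismatch -and -not $ChainErrors) { "Trusted and matches $GatewayFqdn; the identity error should not appear." }
```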

You should now be able to connect and securely manage your network, all over SSL :)

Chrissy has worked in IT for nearly 20 years, and currently serves as a Sr. Systems Engineer for a federal contractor in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became a Microsoft PowerShell MVP. You can follow her on Twitter at @cl.

Posted in IIS, Security, Windows
4 comments on “HOW-TO Setup Windows 2012 Server Core Remote Desktop Services to Securely Administer Windows over RDP and SSL”
  1. Steve Salmon says:

    Hi Chrissy,

    I appreciate this is an old post, but I just wanted to confirm that you got an RDS gateway configured to work on a Server Core OS? I am currently implementing RDS and am interested to know if I can use Core to create the Gateway and Connection Broker servers. I know I can set the CBs up in this way, I’ve tried it, but never for the gateways.

    Can you confirm?

  2. MCSE Chennai says:

    Thanks for the information! Where do I have to place the RDG? Within the domain or in the DMZ?

    • Chrissy LeMaire says:

      Either. In the DMZ, off the domain would work, too, you would just have to authenticate twice within the RDP client.
