Securely Administer Your Remote Windows Network using RDP over SSL

Back in 2013, I wrote a blog post about setting up RD Gateway in Windows 2012 using an AD domain certificate. This post is directed to Windows 2012 R2. There isn’t much difference, but in this tutorial, I’ll demonstrate how to setup RD Gateway with a globally recognized SSL certificate.

Like my previous post about setting up an SSL VPN on Windows 2012 R2, I strongly suggest you forgo self-signed and even Enterprise AD certificates, and just use a certificate from This prevents non-domain devices from having to install your CA’s root cert. Getting a legitimate cert can take as little as 5 minutes, costs just $5.99 per year and can be obtained in 12 easy steps.

Overall, there are three major steps to getting this going:

  1. Obtain and install your SSL certificate
  2. Install & Configure RD Gateway
  3. Setup your client.

Install the SSL Certificate

Step 1

Follow my tutorial for getting a legit $5.99 cert, down to creating the .pfx file.

Remember to use the external hostname of your RD Gateway server. Say, for example, instead of

Step 2

Import your PFX into the local machine’s certificate store. To do this, open certlm.msc (Certificates for the local computer) -> Personal -> Certificates -> Right-click, All Tasks -> Import -> Next -> Select your cert -> Enter your password -> Next -> Finish.


Install and configure RD Gateway

Step 1

Add the Remote Desktop Services role. Server Manager -> Manage -> Add Roles and Features -> Role-based or feature-based installation.

You will be tempted to check the other one, but don’t. That’s for virtual desktop deployment.


Step 2

Click Remote Desktop Services.


Step 3

Click next a few times, until you’re on the Role Services window. Check only Remote Desktop Gateway.


Step 4

Leave Network Policy Server checked. This will be used to limit the users that can connect, and the resources to which they can connect.


Step 5

When you see the Install confirmation screen, make sure you specify an alternate source path. If the Windows DVD is in drive D:, it’ll be at D:\sources\sxs. Click Install.


Step 6

Once the install is complete, navigate to Remote Desktop Gateway Manager.


Step 7

Right click on your server name, and click Properties.


Step 8

Navigate to the SSL Certificate tab. Click Import Certificate.


Step 9

Once you’ve selected your certificate, click Import.


Step 10

Now you’ll be brought back to the RD Gateway Manager main window. Click on your server name. My server name is VPN. Whoops! Should have renamed that before taking screenshots. Don’t worry, it shouldn’t say VPN anywhere, unless that’s what you named your server, too.

Click on Create Connection Authorization Policy.


Step 11

If you haven’t created an RD Gateway User Group in AD, do it now. Or use Domain Users, Domain Admins or whatever you wish.


Step 12

Now you’ll be brought back to the RD Gateway Manager main window. Click on Create Resource Authorization Policy.


Step 13

Click the Network Resource Tab and select whatever you wish. Because this is my lab, I allowed users to connect to any network resource.


Step 14

Click OK and now you’re all set up!

In your router, forward port 443, not port 3389, to your Remote Desktop Gateway server. Remember that this is RD Gateway over SSL, and that happens over port 443. Changing the port is possible, but not covered in this tutorial.
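The server-side steps above (role install with the alternate source path, PFX import, and binding the certificate to the gateway) as a PowerShell script, added here as an example and not part of the original post. Placeholders: C:\certs\rdgw.pfx and rdgw.example.com; D:\sources\sxs is the DVD path from Step 5, and the WMI provider under root\CIMV2\TerminalServices is used instead of the RD Gateway Manager GUI for the certificate binding.

```powershell
# Added example, not from the original post. Placeholders: C:\certs\rdgw.pfx
# (the .pfx built in Step 1) and rdgw.example.com (the external name on it).
#Requires -RunAsAdministrator
$PfxPath      = 'C:\certs\rdgw.pfx'
$ExternalFqdn = 'rdgw.example.com'
$PfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString

# RD Gateway Steps 1-5: RDS-Gateway pulls in NPS, which hosts the CAP/RAP
# policies. -Source is the alternate path for the side-by-side payload.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools -Source 'D:\sources\sxs' |
    Out-Null

# Certificate Step 2: import the PFX into the machine's Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Checks worth doing before binding: the private key must have come along,
# the name clients will type must be on the certificate, and the chain must
# build without a domain-only root (the reason for using a public CA cert).
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
$dnsType  = [Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $cert.GetNameInfo($dnsType, $false)
if ($certName -ne $ExternalFqdn -and ($cert.DnsNameList.Unicode -notcontains $ExternalFqdn)) {
    throw "Certificate name '$certName' does not match '$ExternalFqdn'"
}
if (-not $cert.Verify()) { throw 'Certificate chain does not validate on this host' }

# Steps 7-9 (SSL Certificate tab -> Import Certificate) via the RD Gateway WMI
# provider: Win32_TSGatewayServerSettings.SetCertificate takes the thumbprint.
$gw = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
    -Class Win32_TSGatewayServerSettings
$result = $gw.SetCertificate($cert.Thumbprint)
if ($result.ReturnValue -ne 0) { throw "SetCertificate failed with code $($result.ReturnValue)" }

# Steps 10-14 (CAP and RAP) are still done in RD Gateway Manager as described.
# Step 14 follow-up: the gateway listens on 443, so that is the port to forward.
# An error here means nothing is listening on 443 yet.
Get-NetTCPConnection -State Listen -LocalPort 443 |
    Select-Object LocalAddress, LocalPort, OwningProcess
```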

Step 17

Now set up your client. Because RD Gateway will be making the connections for you, local network names will resolve no matter where you connect from. Enter a local network server name. You don’t have to use the FQDN, but I do.


Step 18

Click the Advanced tab, click Use these RD Gateway Server Settings. Enter the DNS name that’s associated with your SSL certificate.



Click connect and bask in the glory of secured RDP communications.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security, Windows
4 comments on “Securely Administer Your Remote Windows Network using RDP over SSL”
  1. Caleb says:


    This and your VPN how-to are great user-friendly articles. I have a 5-person business with some remote users. I set up a win server 2012 box to allow a couple of simultaneous RDP (remote desktop) sessions on the server and also set up the few local Win10 PCs for RDP. I am not an IT person, just trial/error configs by necessity.

    I just enabled RDP on the server and desktops, set port forwarding for each and operate that way. Also, we are set up as a workgroup, not domain.

    I imagine there are security, reliability etc benefits to the RD Gateway approach you describe (as well as your VPN how-to). Is that the case: i.e. am I better doing your config vs just port forwarding on the router? In a nutshell, why?

    Also, does this config work for workgroup setup? Am I correct no certificate needed for workgroup?

    Thanks for your articles!!

    • Chrissy LeMaire says:

      Happy to help! I _believe_ I tested non-domain connections out in the past, and it didn’t work. I’ll test again tomorrow, though, and let you know.

  2. Steve French says:

    Thanks for the great how-to Chrissy!

    Follow-up question: I can connect fine and once connected the speed is great, but there is an initial delay of 45-60 seconds.

    I found a couple of references to the remote RDP client timing out trying to connect to port 3389, before it rolls over to port 443.

    Any experience with this and any suggestions for resolution?



    • Chrissy LeMaire says:

      Hey Steve! The initial delay of 45-60 seconds sounds like a certificate validation issue where it can’t get the CRL. May want to check your firewall rules or maybe it does try 3389 first.

      Check your GW settings, too. Specify your connection to use the RD Gateway every time and don’t try local first. It’s on that last tab in mstsc where you specify the gateway.
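The client side of Steps 17-18 as an .rdp file, plus the two checks the reply above points at (is 443 reachable, and does the gateway’s certificate chain and CRL validate from the client), added here as an example and not part of the original post or comments. Placeholders: rdgw.example.com (the name on the certificate) and fileserver.corp.local (the internal target); the .rdp settings are the standard mstsc file keys.

```powershell
# Added example, not from the original post. Placeholders: rdgw.example.com
# (gateway, the name on the certificate) and fileserver.corp.local (target).
$Gateway = 'rdgw.example.com'
$Target  = 'fileserver.corp.local'
$RdpFile = Join-Path $env:USERPROFILE 'Desktop\via-gateway.rdp'

# Step 14 from the client's point of view: only 443 needs to be reachable.
$probe = Test-NetConnection -ComputerName $Gateway -Port 443
if (-not $probe.TcpTestSucceeded) { throw "443 on $Gateway is closed; check the router forward" }

# Fetch the certificate the gateway presents and build its chain with online
# revocation checking. A CRL that cannot be fetched shows up here as
# RevocationStatusUnknown or OfflineRevocation, the slow-connect symptom above.
$tcp    = New-Object -TypeName Net.Sockets.TcpClient -ArgumentList $Gateway, 443
$stream = $tcp.GetStream()
$acceptAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }  # validated by hand below
$ssl = New-Object -TypeName Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
$ssl.AuthenticateAsClient($Gateway)
$remote = New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $ssl.RemoteCertificate
$chain = New-Object -TypeName Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($remote)
$ssl.Dispose(); $tcp.Close()
"Gateway cert: $($remote.Subject); chain and CRL OK: $chainOk"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

# Steps 17-18 as an .rdp file. gatewayusagemethod:i:1 is "Use these RD Gateway
# server settings" with "Bypass RD Gateway server for local addresses" unchecked,
# so mstsc goes straight to the gateway instead of timing out on 3389 first.
# gatewaycredentialssource:i:0 = password; promptcredentialonce:i:1 = reuse them.
@"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@ | Set-Content -Path $RdpFile -Encoding Unicode
"Wrote $RdpFile; open it with: mstsc.exe `"$RdpFile`""
```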
