Securely Administer Your Remote Windows Network using RDP over SSL

Back in 2013, I wrote a blog post about setting up RD Gateway on Windows Server 2012 using an AD domain certificate. This post targets Windows Server 2012 R2. There isn't much difference, but in this tutorial I'll demonstrate how to set up RD Gateway with a globally recognized SSL certificate.

Like my previous post about setting up an SSL VPN on Windows Server 2012 R2, I strongly suggest you forgo self-signed and even Enterprise AD certificates and just use a certificate from cheapsslsecurity.com. A certificate from a public CA chains to a root that every Windows, Mac and mobile client already trusts, so non-domain devices never have to install your CA's root cert, and the server name the client sees is authenticated by someone other than you. Getting a legitimate cert can take as little as 5 minutes, costs just $5.99 per year and can be obtained in 12 easy steps.

Overall, there are three major steps to getting this going:

  1. Obtain and install your SSL certificate
  2. Install & Configure RD Gateway
  3. Set up your client.

Install the SSL Certificate

Step 1

Follow my tutorial for getting a legit $5.99 cert, down to creating the .pfx file.

Remember to use the external hostname of your RD Gateway server. Say, for example, rdgateway.acme.com instead of rdgateway.ad.local.

Step 2

Import your PFX into the local machine's certificate store (not your user store; the RD Gateway service runs as a machine account and reads only the machine store). To do this, run certlm.msc -> Personal -> Certificates -> right-click, All Tasks -> Import -> Next -> select your PFX -> enter your password -> Next -> Finish. After the import, the certificate should show the small key icon, meaning the private key came across with it.
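The same import, scripted, as an added example that is not part of the original post. It imports the PFX into the machine's Personal store and then runs the checks a practitioner would want before handing the certificate to RD Gateway: that the private key is present, that the name on the certificate is the external hostname, and that the chain validates as an SSL server certificate without any extra roots. The PFX path `C:\certs\rdgateway.pfx` and the name `rdgateway.acme.com` are assumptions; replace them with your own. Run it from an elevated PowerShell on the gateway server (the `Import-PfxCertificate` and `Test-Certificate` cmdlets ship in the PKI module on 2012 R2).

```powershell
# Added example, not code from the original post.
# Assumptions: PFX at C:\certs\rdgateway.pfx, external name rdgateway.acme.com.
$PfxPath      = 'C:\certs\rdgateway.pfx'
$ExternalName = 'rdgateway.acme.com'

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is the "Personal -> Certificates" folder in certlm.msc.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# 1. The private key must be present, or the gateway cannot terminate TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX with the key included."
}

# 2. The name must be the *external* hostname clients will type, not the AD name.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $ExternalName) {
    throw "Certificate names ($($names -join ', ')) do not include $ExternalName."
}

# 3. Chain and key-usage check as an SSL server certificate for that name.
#    With a public CA this passes without installing any root on the clients,
#    which is the whole point of not using a self-signed or AD-issued cert.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $ExternalName -ErrorAction SilentlyContinue)) {
    throw "Certificate does not validate as an SSL server certificate for $ExternalName."
}

# 4. A $5.99 cert is a one-year cert; warn early so renewal is not forgotten.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days." }

Write-Host "OK: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"
```

If check 3 fails on a freshly issued certificate, the usual cause is a missing intermediate CA certificate; the CA's bundle goes into Cert:\LocalMachine\CA on the gateway, and the check is then rerun.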

Install and configure RD Gateway

Step 1

Add the Remote Desktop Services role: Server Manager -> Manage -> Add Roles and Features -> Role-based or feature-based installation.

You will be tempted to check the other option, Remote Desktop Services installation, but don't. That wizard is for virtual desktop and session collection deployments, not for a standalone gateway.

Step 2

Click Remote Desktop Services.

Step 3

Click Next a few times until you're on the Role Services window. Check only Remote Desktop Gateway.

Step 4

Leave Network Policy Server checked. RD Gateway stores its connection authorization policies in NPS, and those policies, together with the resource authorization policies you create later, are what limit which users can connect and which internal resources they can reach.

Step 5

When you see the Confirm installation screen, specify an alternate source path if the installer cannot find the feature files. If the Windows DVD is in drive D:, the path is D:\sources\sxs. Click Install.

Step 6

Once the install is complete, navigate to Remote Desktop Gateway Manager.

Step 7

Right click on your server name, and click Properties.

Step 8

Navigate to the SSL Certificate tab. Click Import Certificate.

Step 9

Once you’ve selected your certificate, click Import.

Step 10

Now you'll be brought back to the RD Gateway Manager main window. Click on your server name. My server name is VPN. Whoops! Should have renamed that before taking screenshots. Don't worry, it shouldn't say VPN anywhere unless that's what you named your server, too.

Click on Create Connection Authorization Policy.

Step 11

If you haven't created an RD Gateway user group in AD, do it now. You can use Domain Users, Domain Admins or whatever you wish, but a dedicated group (say, RDG Users) is the better choice: membership then states exactly who may reach the network from outside, and a Domain Admins entry would make the gateway an external login point for your most privileged accounts.

Step 12

Now you’ll be brought back to the RD Gateway Manager main window. Click on Create Resource Authorization Policy.

Step 13

Click the Network Resource tab and choose which computers these users may reach. Because this is my lab, I allowed users to connect to any network resource. In production, point the policy at an AD group containing only the hosts you intend to expose, so a compromised user password gets the attacker to those hosts and nothing else.

Step 14

Click OK, and the gateway side is all set up!

On your router, forward TCP port 443, not port 3389, to your Remote Desktop Gateway server. Remember that this is RDP over SSL: the client's TLS session terminates on the gateway at 443, and 3389 stays an internal-only port that nothing outside can reach directly. (On 2012 R2 the gateway can also offer a UDP transport on port 3391; forwarding it is optional, and the connection works over 443 alone.) Changing the port is possible, but not covered in this tutorial.
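The whole RD Gateway section, Steps 1 through 14 plus the port check, as a script. This is an added example and not the author's own code; it uses the RemoteDesktopServices module's RDS: drive that ships with the role. The names are assumptions: external name `rdgateway.acme.com`, domain `ACME`, an AD user group `RDG Users` (who may connect) and an AD computer group `RDG Targets` (what they may reach). The `-ComputerGroup` form of the RAP for an AD computer group is from memory of the provider; confirm it with `Get-Help New-Item -Path RDS:\GatewayServer\RAP` before relying on it, or fall back to `-ComputerGroupType 2`, which is what the tutorial's lab RAP does.

```powershell
# Added example, not code from the original post. Run elevated on the gateway.
# Assumptions: rdgateway.acme.com, domain ACME, groups "RDG Users" and "RDG Targets".
$ExternalName  = 'rdgateway.acme.com'
$Domain        = 'ACME'
$UserGroup     = "RDG Users@$Domain"      # the RDS: provider wants Group@Domain
$ComputerGroup = "RDG Targets@$Domain"

# Steps 1-5: the RD Gateway role service. NPS is pulled in as a dependency.
# Add -Source D:\sources\sxs only if the installer cannot find the payload.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

Import-Module RemoteDesktopServices       # exposes the RDS: drive

# Steps 8-9: bind the public certificate from the previous section by thumbprint.
# Pick the newest cert for the external name that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $ExternalName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ExternalName with a private key in LocalMachine\My." }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# Steps 10-11: connection authorization policy = who may use the gateway.
# AuthMethod 1 = password, 2 = smart card.
New-Item -Path RDS:\GatewayServer\CAP -Name 'RDG-CAP-Users' `
         -UserGroups $UserGroup -AuthMethod 1

# Steps 12-13: resource authorization policy = what those users may reach.
# ComputerGroupType 2 = any network resource (the post's lab setting).
# ComputerGroupType 1 = an AD computer group; preferred in production so a
# stolen password only reaches the hosts you listed. (Assumed parameter form.)
New-Item -Path RDS:\GatewayServer\RAP -Name 'RDG-RAP-Targets' `
         -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $ComputerGroup

# Step 14 / port check: the gateway must listen on TCP 443. Nothing here opens
# 3389 to the outside; only 443 gets forwarded on the router.
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Show the policies that now exist.
Get-ChildItem RDS:\GatewayServer\CAP
Get-ChildItem RDS:\GatewayServer\RAP
```

One thing the GUI hides and the script makes visible: the CAP and the RAP are evaluated independently. A user who passes the CAP but requests a host outside the RAP's computer group is refused at the gateway, before any packet reaches port 3389 on the target.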

Set up your client

Step 1

Now set up your client. Because RD Gateway makes the connection to the internal host on your behalf, internal network names resolve no matter where you connect from. In the Computer field, enter an internal server name. You don't have to use the FQDN, but I do.

Step 2

Click the Advanced tab, then Settings under Connect from anywhere, and choose Use these RD Gateway server settings. Enter the DNS name that's on your SSL certificate, i.e. the external name from the certificate step, not the internal AD name; a mismatch produces a certificate warning rather than a silent connection. If every connection should go through the gateway, also clear Bypass RD Gateway server for local addresses, so mstsc never spends time trying a direct connection first.
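The client settings from the two steps above, written into an .rdp file so users get them without clicking through mstsc each time. This is an added example and not part of the original post. The gateway name `rdgateway.acme.com`, the internal target `server01.ad.local` and the user `ACME\alice` are assumptions; the .rdp keys and values themselves are the standard mstsc ones.

```powershell
# Added example, not code from the original post. Run on the client.
# Assumptions: gateway rdgateway.acme.com, target server01.ad.local, user ACME\alice.
$Gateway = 'rdgateway.acme.com'   # must match the name on the SSL certificate
$Target  = 'server01.ad.local'    # internal name; the gateway resolves it for you
$User    = 'ACME\alice'
$RdpFile = Join-Path $env:USERPROFILE 'Desktop\server01-via-rdgateway.rdp'

@"
full address:s:$Target
username:s:$User
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:1
prompt for credentials:i:1
"@ | Set-Content -Path $RdpFile -Encoding Unicode

# gatewayusagemethod 1       = always use the gateway, never "bypass for local
#                              addresses", so there is no direct-3389 attempt first
# gatewayprofileusagemethod 1 = use these explicit settings, not a policy default
# gatewaycredentialssource 0 = ask for a password (NTLM) for the gateway
# authentication level 1     = do not connect if server authentication fails,
#                              turning a certificate warning into a hard stop
# prompt for credentials 1   = never reuse cached credentials silently

mstsc.exe $RdpFile
```

With `authentication level:i:1`, a name that does not match the certificate, an expired certificate or an untrusted chain refuses the connection instead of showing a warning the user can click through, which is the behaviour you want from a gateway that is reachable from the whole internet.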

Done!

Click connect and bask in the glory of secured RDP communications.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security, Windows
4 comments on “Securely Administer Your Remote Windows Network using RDP over SSL”
  1. Caleb says:

    Hi

    This and your VPN how-to are great user-friendly articles. I have a 5-person business with some remote users. I set up a Win Server 2012 box to allow a couple of simultaneous RDP (remote desktop) sessions on the server and also set up the few local Win10 PCs for RDP. I am not an IT person, just trial/error configs by necessity.

    I just enabled RDP on the server and desktops, set port forwarding for each and operate that way. Also, we are setup as a workgroup, not domain.

    I imagine there are security, reliability etc. benefits to the RD Gateway approach you describe (as well as your VPN how-to). Is that the case, i.e. am I better doing your config vs. just port forwarding on the router? In a nutshell, why?

    Also, does this config work for workgroup setup? Am I correct no certificate needed for workgroup?

    Thanks for your articles!!

    • Chrissy LeMaire says:

      Happy to help! I _believe_ I tested non-domain connections out in the past, and it didn’t work. I’ll test again tomorrow, though, and let you know.

  2. Steve French says:

    Thanks for the great how-to Chrissy!

    Follow-up question: I can connect fine and once connected the speed is great, but there is an initial delay of 45-60 seconds.

    I found a couple of references to the remote RDP client timing out trying to connect to port 3389, before it rolls over to port 443.

    Any experience with this and any suggestions for resolution?

    Cheers,

    Steve

    • Chrissy LeMaire says:

      Hey Steve! The initial delay of 45-60 seconds sounds like a certificate validation issue where it can’t get the CRL. May want to check your firewall rules, or maybe it does try 3389 first.

      Check your GW settings, too. Specify your connection to use the RD Gateway every time and don’t try local first. It’s on that last tab in mstsc where you specify the gateway.
