Hi,
In order to allow external connections through RD Gateway, the RD Gateway server must have a certificate installed that the end-user's device recognizes.
You can use the SSL certificate issued by your Internal CA (certificate authority) or purchase a public trusted certificate from public CA. For internal SSL certificate, you will need to import it to both RD Gateway server and all end users' devices, while, for public trusted certificate, only RD Gateway server needs to import it.
Please follow below guidance to create SSL certificate issued by internal CA. If you use certificate from public CA, please ignore and skip this part.
- Install the Certification Authority: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority
- Using certificates in Remote Desktop Services: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)
PS: Since the RD Gateway server will be used for external connections, the external FQDN needs to be added to the certificate name.
- Make sure the certificate is installed in the local computer's "Personal" certificate store on the RD Gateway server.
Once the SSL certificate is created, you can follow the steps below to configure the RD Gateway.
If you have RDS Deployment with RDCB role, you can install the RD Gateway role and configure it on the RDCB server.
- Install RD Gateway role by clicking on green icon marked on the picture below
- After the installation completes, go to Edit Deployment Properties > Certificates > RD Gateway > Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension. Once done it should show Trusted.
- You will also need to import the SSL certificate to the end users' devices. [mmc > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates]. If you use a public certificate, you can skip this step.
If you only have Terminal Server without RDCB, then you can directly install and configure the RD Gateway server.
- Install the RD Gateway role by Server Manager
- Import Certificate: open Server Manager and click on Tools > Remote Desktop Services > RD Gateway Manager, right-click on your server and select Properties, go to SSL Certificate and click Import Certificate, select the created certificate and import it.
- Import the SSL certificate to the end users' devices. If you use a public certificate, you can skip this step.
After all the configuration is completed, users will be able to connect remotely to the Terminal Server externally through the RD Gateway server.
On the client, open mstsc > navigate to Advanced tab > click Settings to configure Gateway > Input the external FQDN of the RD Gateway server
You can also set CAPs (Connection Authorization Policies) and RAPs (Resource Authorization Policies) on the RD Gateway server to specify the users who can connect to this RD Gateway server as well as the network resources that those users can connect to.
The blog below describes the 2016 RDS deployment step by step; you can read it to learn more details, especially for RD Gateway.
https://nedimmehic.org/2017/01/21/deploying-remote-desktop-services-2016-step-by-step/
RD Gateway: https://nedimmehic.org/2018/03/26/remote-desktop-services-2016-gateway/
Hope the information can help you.
Thanks,
Eleven
----------
If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.
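The following PowerShell is an added example that is not part of Eleven's answer; it walks the same certificate workflow the answer describes (import the PFX into the local computer's Personal store, confirm the external FQDN is on the certificate and that it chains to a trusted CA, bind it to the RD Gateway role, and trust the CA on the client). The host names, file paths and password prompt are placeholders, and the `RDS:\GatewayServer\SSLCertificate\Thumbprint` path used for a standalone gateway is an assumption to check against `Get-ChildItem RDS:\GatewayServer` on your build. It uses the PKI and RemoteDesktop modules that ship with Windows Server and must run elevated.

```powershell
# Added example (not from the original answer). Placeholders:
#   $ExternalFqdn   - the gateway's external DNS name that users type into mstsc
#   $PfxPath/$PfxPassword - the certificate exported from your internal or public CA
#   $RootCaCerPath  - the internal CA's root certificate (internal CA only)
$ExternalFqdn  = 'rdgw.example.com'                 # placeholder
$PfxPath       = 'C:\certs\rdgw.pfx'                # placeholder
$PfxPassword   = Read-Host -AsSecureString 'PFX password'
$RootCaCerPath = 'C:\certs\internal-root-ca.cer'    # placeholder

# 1. Import the PFX into the local computer's Personal store on the RD Gateway server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Check the certificate is actually usable for the gateway before binding it:
#    private key present, external FQDN in the SAN (clients validate the name they
#    connect to), not about to expire, and chains to a root this server trusts.
function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DnsName
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the store' }

    # Subject Alternative Name extension (OID 2.5.29.17); Format() yields lines
    # such as "DNS Name=rdgw.example.com"
    $sanExt   = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
                    ForEach-Object { $_.Groups[1].Value }
    }
    if ($sanNames -notcontains $DnsName) {
        $problems += "external FQDN '$DnsName' missing from SAN (found: $($sanNames -join ', '))"
    }

    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "expires on $($Certificate.NotAfter)"
    }

    # Test-Certificate (PKI module) builds the chain and applies the SSL policy for the name
    if (-not (Test-Certificate -Cert $Certificate -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue)) {
        $problems += 'chain/SSL policy check failed (is the issuing CA trusted on this server?)'
    }
    return $problems   # empty array means the certificate is ready to bind
}

$issues = Test-RdGatewayCertificate -Certificate $cert -DnsName $ExternalFqdn
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Fix the certificate before binding it to RD Gateway.'
}

# 3a. RDS deployment with a Connection Broker: bind the PFX to the RD Gateway role
#     (RemoteDesktop module; run on the RDCB or add -ConnectionBroker <fqdn>).
Set-RDCertificate -Role RDGateway -ImportPath $PfxPath -Password $PfxPassword -Force
Get-RDCertificate -Role RDGateway          # Level should report Trusted

# 3b. Standalone RD Gateway (no RDCB): bind by thumbprint through the RDS: provider.
#     Assumption: the RDS:\GatewayServer\SSLCertificate\Thumbprint item; confirm with
#     Get-ChildItem RDS:\GatewayServer before relying on it.
# Import-Module RemoteDesktopServices
# Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 4. Internal CA only: on each end-user device (elevated), put the CA root into
#    Trusted Root Certification Authorities so the client can build the chain.
#    Public CA certificates need no client-side import.
# Import-Certificate -FilePath $RootCaCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
```

Running the check in step 2 before binding catches the two failures that show up most often in practice with this setup: a certificate issued only to the internal host name rather than the external FQDN users type into mstsc, and a chain that the server trusts but the clients do not yet trust because the CA root was never distributed to them.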