Step 2: Installing RD Gateway

Applies To: Windows Server 2008 R2

To install and configure an RD Gateway server, you must add the RD Gateway role service. Windows Server 2008 R2 includes the option to install the RD Gateway role service by using Server Manager. This topic covers the installation and configuration of the RD Gateway role service on the RDG-SRV computer in the CONTOSO domain.

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To install the RD Gateway role service

  1. Log on to RDG-SRV as CONTOSO\Administrator.

  2. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  3. Under the Roles Summary heading, click Add Roles.

  4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

  5. On the Select Server Roles page, under Roles, select the Remote Desktop Services check box, and then click Next.

  6. On the Remote Desktop Services page, click Next.

  7. On the Select Role Services page, select the Remote Desktop Gateway check box.

  8. If prompted to specify whether you want to install the additional role services that are required for Remote Desktop Gateway, click Add Required Role Services.

  9. On the Select Role Services page, click Next.

  10. On the Choose a Server Authentication Certificate for SSL Encryption page, select Create a self-signed certificate for SSL encryption, and then click Next.

  11. On the Create Authorization Policies for RD Gateway page, select Now, and then click Next.

    1. On the Select User Groups That Can Connect Through RD Gateway page, click Add. In the Select Groups dialog box, specify Domain Users, and then click OK to close the Select Groups dialog box. Click Next.

    2. On the Create an RD CAP for RD Gateway page, enter the name RD_CAP_01 for the Remote Desktop connection authorization policy (RD CAP), select Password, and then click Next.

    3. On the Create an RD RAP for RD Gateway page, enter the name RD_RAP_01 for the Remote Desktop resource authorization policy (RD RAP), and then select Allow users to connect to any computer on the network. Click Next.

  12. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.

  13. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.

  14. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.

  15. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.

  16. On the Confirm Installation Selections page, verify that the following role services will be installed:

    • Remote Desktop Services\RD Gateway

    • Network Policy and Access Services\Network Policy Server

    • Web Server (IIS)

    • RPC over HTTP Proxy

  17. Click Install.

  18. On the Installation Progress page, the installation progress will be noted.

  19. On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.

To export the SSL certificate for the RD Gateway server and copy it to the CONTOSO-CLNT computer

  1. On the RD Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, add it as follows:

    1. Click Start, click Run, type mmc and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    6. In the Add or Remove Snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  3. Right-click the certificate RDG-SRV.contoso.com, point to All Tasks, and then click Export.

  4. On the Welcome to the Certificate Export Wizard page, click Next.

  5. On the Export Private Key page, click No, do not export private key, and then click Next.

  6. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.

  7. On the File to Export page, in the File name box, click Browse.

  8. In the Save As dialog box, in the File name box, enter RDG-SRV, and then click Save.

  9. On the File to Export page, click Next.

  10. On the Completing the Certificate Export Wizard page, confirm that the correct certificate is specified, that Export Keys is set to No, and that Include all certificates in the certification path is set to No, and then click Finish.

  11. After the certificate export has successfully completed, a message appears that confirms the export was successful. Click OK.

  12. Close the Certificates snap-in.

  13. Copy the RD Gateway server certificate c:\users\administrator.CONTOSO\Documents\RDG-SRV.cer to the CONTOSO-CLNT computer.
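
A check of the exported file before it is copied, as an added example that is not part of the original guide: run in Windows PowerShell on RDG-SRV, it confirms that the .cer is DER encoded, carries no private key, names RDG-SRV.contoso.com, and is the same certificate held in the Local Computer Personal store. The function name Test-RDGatewayExport is hypothetical; the path and certificate name are the ones used in the steps above.

```powershell
# Added example (not from the original guide). Uses only .NET 2.0 certificate
# classes, so it runs on the Windows PowerShell 2.0 shipped with 2008 R2.
function Test-RDGatewayExport {
    param(
        # Path and name below are the values used in this guide's export steps.
        [string]$CerPath      = 'C:\Users\administrator.CONTOSO\Documents\RDG-SRV.cer',
        [string]$ExpectedName = 'RDG-SRV.contoso.com'
    )

    # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30);
    # a Base-64 (.CER) export would start with ASCII text instead.
    $firstByte = [System.IO.File]::ReadAllBytes($CerPath)[0]

    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Subject name as a client would compare it to the gateway host name.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName  = $exported.GetNameInfo($nameType, $false)

    # Locate the same certificate in the Local Computer\Personal store by thumbprint.
    $inStore = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $exported.Thumbprint }

    New-Object PSObject -Property @{
        Thumbprint      = $exported.Thumbprint
        IsDerEncoded    = ($firstByte -eq 0x30)
        ExportHasKey    = $exported.HasPrivateKey          # expect False
        NameMatches     = ($dnsName -eq $ExpectedName)     # expect True
        SelfSigned      = ($exported.Subject -eq $exported.Issuer)
        MatchesStore    = [bool]$inStore                   # expect True
        StoreHasKey     = [bool]($inStore -and $inStore.HasPrivateKey)
        DaysUntilExpiry = ($exported.NotAfter - (Get-Date)).Days
    }
}

# Review the result before copying the file to CONTOSO-CLNT.
Test-RDGatewayExport | Format-List
```

The Thumbprint value can be compared with the thumbprint shown for the file on CONTOSO-CLNT after the copy, to confirm that the same certificate arrived.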

Note

For single sign-on, no changes are needed on the RD Gateway server. Review Deploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by-Step Guide to implement single sign-on.

You have installed and configured an RD Gateway server. Now you can proceed to Step 3: Installing Forefront TMG.