RD Gateway on AWS
Quick Start Reference Deployment Guide

RD Gateway Setup

Initial Remote Administration Architecture

When you initially configure your RD Gateways, the servers in the public subnet will need an inbound security group rule permitting TCP port 3389 from the administrator's source IP address or subnet. Windows instances sitting behind the RD Gateway in a private subnet should be in their own isolated tier. For example, a group of web server instances in a private subnet may be associated with their own web tier security group. This security group will need an inbound rule allowing connections from the RD Gateway on TCP port 3389.

Using this architecture, an administrator can use a traditional RDP connection to an RD Gateway to configure the local server. The RD Gateway can also be used as a jump box; once an RDP connection is established to the desktop of the RD Gateway, an administrator can start a new RDP client session to initiate a connection to an instance in a private subnet.



Figure 3: Initial Architecture for Remote Administration

While this architecture works well for initial administration, it is not recommended for the long term. To further secure connections and reduce the number of RDP sessions required to administer the servers in the private subnets, the RD Gateway service should be installed and configured with an SSL certificate, and connection and authorization policies.

RD Gateway Installation

The installation of the RD Gateway role is very straightforward. This can be performed from the Server Manager or with a single PowerShell command on Windows Server 2012:

Install-WindowsFeature RDS-Gateway -IncludeManagementTools

This command should be run from a PowerShell instance started with administrative privileges. Once it completes, the RD Gateway role, along with all prerequisite software and administration tools, will be installed on your Windows Server 2012 Amazon EC2 instance.

For Windows Server 2008 R2-based installations, we recommend following the detailed installation instructions in the Remote Desktop Services documentation (Microsoft TechNet Library).

SSL Certificates

The RD Gateway role uses Transport Layer Security (TLS) to encrypt communications over the Internet between administrators and gateway servers. To support TLS, a valid X.509 SSL certificate must be installed on each RD Gateway. Certificates can be acquired in a number of ways, including the following common options:

  • Your own PKI infrastructure, such as a Microsoft Enterprise Certificate Authority (CA)

  • Certificates issued by a public CA, such as Verisign or Digicert

  • Self-signed certificates

For smaller test environments, implementing a self-signed certificate is a straightforward process that allows you to get up and running quickly. However, if you have a large number of varying administrative devices that need to establish a connection to your gateways, we recommend using a public certificate.

In order for an RDP client to establish a secure connection with an RD Gateway, the following certificate and DNS requirements must be met:

  • The issuing CA of the certificate installed on the gateway must be trusted by the RDP client. In practice, this means the root CA certificate must be installed in the client machine's Trusted Root Certification Authorities store.

  • The subject name used on the certificate installed on the gateway must match the DNS name used by the client to connect to the server; for example, rdgw1.example.com.

  • The client must be able to resolve the host name (for example, rdgw1.example.com) to the Elastic IP address (EIP) of the RD Gateway. This requires a Host (A) record in DNS.
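The three requirements above can be checked from an administrative workstation before anyone tries to connect. The following PowerShell script is an added example and is not part of the Quick Start; it assumes the host name rdgw1.example.com from the text, a constructed placeholder EIP of 203.0.113.10, and that the gateway already listens for TLS on TCP port 443. It resolves the name, opens a TLS session to capture the certificate the gateway presents, and then reports whether the local machine trusts the issuing CA and whether the certificate's Subject or Subject Alternative Name contains the FQDN.

```powershell
# Added example (not from the AWS Quick Start): verify the certificate and DNS
# requirements for an RD Gateway from the client's point of view.
function Test-RdGatewayCertificate {
    param(
        [string]$GatewayFqdn = 'rdgw1.example.com',   # host name used in the guide
        [string]$ExpectedEip = '203.0.113.10',         # constructed placeholder EIP
        [int]$Port = 443
    )

    # Requirement 3: the FQDN must resolve to the gateway's EIP through a Host (A) record.
    $a = Resolve-DnsName -Name $GatewayFqdn -Type A -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'A' }
    $dnsOk = @($a.IPAddress) -contains $ExpectedEip

    # Open a TLS session and keep the certificate the gateway presents. The callback
    # accepts any certificate here only so that it can be inspected explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Requirement 1: does this machine trust the issuing CA? A self-signed gateway
    # certificate only passes after it has been imported into Trusted Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed certificates publish no CRL
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Requirement 2: the FQDN must appear in the Subject CN or in the SAN extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields "DNS Name=host1, DNS Name=host2"; keep the values only.
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
    }
    $nameOk = $names -contains $GatewayFqdn

    [pscustomobject]@{
        Gateway       = $GatewayFqdn
        ResolvesToEip = $dnsOk
        Resolved      = @($a.IPAddress) -join ', '
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NameMatches   = $nameOk
        ChainTrusted  = $trusted
        ChainStatus   = if ($trusted) { 'OK' } else { $chainStatus }
    }
}

Test-RdGatewayCertificate | Format-List
```

A result with ChainTrusted false and ChainStatus UntrustedRoot is the expected state for a self-signed gateway certificate on a client that has not yet imported it; NameMatches false means the certificate was created for a different name than the one in the A record, and the RDP client will refuse the connection regardless of trust.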

There are various considerations when choosing the right CA to obtain an SSL certificate. For example, a public certificate may be ideal because the issuing CA will already be trusted by the majority of client devices that need to connect to your gateways. On the other hand, you may choose to use your own PKI infrastructure to ensure that only machines that are part of your organization trust the issuing CA.

Implementing a Self-Signed Certificate

If you choose a self-signed certificate, you will need to install the root CA certificate on every client device. Note that, to provide an automated solution, the AWS CloudFormation templates provided in this guide use a self-signed certificate for the RD Gateway service. If you are not using the automated deployment, you can follow the steps below to generate a self-signed certificate.

The RD Gateway management tools provide a mechanism for generating a self-signed certificate.

To install a self-signed certificate:

  1. Launch the RD Gateway Manager.

  2. Right-click the local server name, and select Properties.

    

    Figure 4: Navigating the RD Gateway Manager

  3. On the SSL Certificate tab, ensure that Create a self-signed certificate is selected and click Create and Import a Certificate.

    

    Figure 5: SSL Certificate Settings on the RD Gateway

  4. Ensure that the correct fully qualified domain name (FQDN) is listed for the Certificate name. Make note of the root certificate location and click OK.

    

    Figure 6: Creating a Self-Signed Certificate

  5. After installing the certificate, close and reopen the server's Properties dialog box. The SSL Certificate tab now shows the new self-signed certificate as successfully installed.

    

    Figure 7: Viewing the SSL Certificate Settings After Creating a New Certificate
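The same result as the wizard in Figures 4 through 7 can be scripted, which matters when gateways are rebuilt from templates. The following PowerShell is an added example and is not taken from the Quick Start or its CloudFormation templates; it assumes Windows Server 2012 with the PKI and RemoteDesktopServices modules, an elevated session on the gateway itself, and the FQDN rdgw1.example.com from the text. It creates the certificate, binds it to the RD Gateway service, exports the public half for distribution to clients, and reads the binding back.

```powershell
# Added example (not from the Quick Start): self-signed certificate for RD Gateway
# without the wizard. Run elevated on the gateway (Windows Server 2012).
Import-Module RemoteDesktopServices

$fqdn = 'rdgw1.example.com'   # must equal the name clients resolve (step 4 above)

# Step 3 equivalent: create the certificate in the computer's personal store.
# -DnsName populates both the Subject CN and the SAN extension the client matches.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# Bind it to the gateway service; this is what "Create and Import a Certificate" does.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# Step 4 equivalent: export the public certificate only (-Type CERT carries no private key).
# For a self-signed certificate this file *is* the root that clients must trust.
$exportPath = Join-Path $env:ProgramData 'rdgw-root.cer'
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# Step 5 equivalent: confirm the gateway now presents the new certificate.
$bound = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
if ($bound -ne $cert.Thumbprint) {
    throw "RD Gateway is still bound to thumbprint $bound"
}
"Gateway certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), exported to $exportPath"

# On each administrative client (not on the gateway), place the exported file in
# Trusted Root so the client meets the CA trust requirement:
#   Import-Certificate -FilePath .\rdgw-root.cer -CertStoreLocation 'Cert:\LocalMachine\Root'
```

Only the .cer file leaves the gateway; the private key stays in the LocalMachine\My store. Because the certificate has no CRL, replacing it means re-running the script and re-importing the new public certificate on every client, which is the operational cost the text's recommendation of a public CA for larger fleets avoids.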

Connection and Resource Authorization Policies

Once you've installed the RD Gateway role and an SSL certificate, you are ready to configure connection and resource authorization policies.

  • Connection authorization policies – Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway instance. For example, you can select a group of users from your domain, such as Domain Admins.

  • Resource authorization policies – Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal Windows-based instances that remote users can connect to through an RD Gateway instance. For example, you can choose specific domain-joined computers which administrators can connect to through the RD Gateway.

To configure the policies:

  1. Launch the RD Gateway Manager.

  2. Right-click the Policies branch and select Create New Authorization Policies.

    

    Figure 8: RD Gateway Authorization Policies

  3. In the Create New Authorization Policies wizard, select Create a RD CAP and a RD RAP (recommended), and then click Next.

    

    Figure 9: Select Authorization Policies

  4. Provide a friendly name for your RD CAP, and then click Next.

  5. On the Select Requirements screen, define the authentication method and groups that should be permitted to connect to the RD Gateway, and then click Next.

    

    Figure 10: Configure Authentication Method and Groups for RD CAP

  6. Choose whether to enable or disable device redirection, and then click Next.

  7. Specify your time-out and reconnection settings, and then click Next.

  8. On the RD CAP Settings Summary screen, click Next.

  9. Provide a friendly name for your RD RAP, and then click Next.

  10. Select the user groups that will be associated with the RAP, and then click Next.

    

    Figure 11: Select Group Memberships for RD RAP

  11. Select the Windows-based instances (network resources) that administrators should be able to connect to through the RD Gateway. This can be a security group in AD containing specific computers. For this example, we'll allow administrators to connect to any computer. Click Next.

    

    Figure 12: Select Network Resources

  12. Allow connections to TCP port 3389, and then click Next.

    

    Figure 13: Select RDP Port

  13. Click Finish, and then click Close.
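The wizard above can also be reproduced through the RDS: PowerShell drive that the RemoteDesktopServices module provides, which is how a template-driven gateway would get its policies. The following script is an added example, not the Quick Start's own code; it assumes the domain example.com, the Domain Admins group named in the connection authorization policy description, password authentication (AuthMethod 1), and the "any computer" resource choice made in step 11 (ComputerGroupType 2). Device redirection, time-outs and the port remain at their defaults, as the wizard leaves them when you click Next.

```powershell
# Added example (not from the Quick Start): RD CAP and RD RAP equivalent to the
# wizard in steps 1-13, created through the RDS: provider. Run elevated on the gateway.
Import-Module RemoteDesktopServices

$domain     = 'example.com'              # assumed domain name
$adminGroup = "Domain Admins@$domain"    # group given as the example in the CAP description
$capName    = 'Admin-CAP'
$rapName    = 'Admin-RAP'

# Steps 4-8: who may connect to the gateway, and how they authenticate.
# AuthMethod 1 = password; 2 = smart card.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
         -UserGroups $adminGroup -AuthMethod 1 | Out-Null

# Steps 9-13: which internal instances those users may reach through the gateway.
# ComputerGroupType 2 = any network resource, matching the example in step 11.
# In production, prefer an AD security group that lists only the intended computers.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
         -UserGroups $adminGroup -ComputerGroupType 2 | Out-Null

# Review what the gateway will now enforce.
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' |
    Select-Object @{n='Policy'; e={ $_.PSPath -replace '^.*GatewayServer\\' }}
```

The CAP controls entry to the gateway and the RAP controls the destinations; a connection must satisfy one of each, so a user in the CAP group who is absent from every RAP can authenticate to the gateway but will not be proxied anywhere.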

RD Gateway Architecture on the AWS Cloud

After you configure connection and resource authorization policies, you can modify the security group for the RD Gateway to use a single inbound rule permitting TCP port 443. This modification allows a Transport Layer Security (TLS) encrypted RDP connection to be proxied through the gateway over TCP port 443 directly to one or more Windows-based instances in private subnets on TCP port 3389. This configuration increases the security of the connection and also removes the need to initiate an RDP session to the desktop of the RD Gateway.



Figure 14: Architecture for RD Gateway Administrative Access
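Once the security group has been reduced to TCP 443, an administrator connects to a private instance by naming the gateway in the RDP client rather than logging on to the gateway's desktop. The following PowerShell is an added example and not part of the Quick Start; it runs on the administrator's workstation, assumes the gateway name rdgw1.example.com from the text and a constructed private address 10.0.1.25 for a target instance, and does two things: confirms the Figure 14 posture (443 reachable, 3389 no longer exposed on the gateway) and writes an .rdp file whose gateway settings send the session through the RD Gateway.

```powershell
# Added example (not from the Quick Start): verify the final security-group posture
# from an administrator workstation and build an .rdp file that uses the gateway.
$gateway = 'rdgw1.example.com'   # gateway FQDN from the guide
$target  = '10.0.1.25'           # constructed: Windows instance in a private subnet

# The gateway should answer on 443 and nothing else; 3389 was only for the initial setup.
$tls = Test-NetConnection -ComputerName $gateway -Port 443  -WarningAction SilentlyContinue
$rdp = Test-NetConnection -ComputerName $gateway -Port 3389 -WarningAction SilentlyContinue
if (-not $tls.TcpTestSucceeded) {
    throw "TCP 443 to $gateway is not reachable; check the security group and the RD Gateway service"
}
if ($rdp.TcpTestSucceeded) {
    Write-Warning "TCP 3389 to $gateway is still reachable; remove the initial-administration inbound rule"
}

# .rdp settings: the client talks TLS to the gateway on 443, which proxies to the
# target on 3389 inside the VPC. gatewayusagemethod 1 = always use the gateway;
# gatewayprofileusagemethod 1 = use these explicit settings; gatewaycredentialssource 0 = password.
$rdpFile = @"
full address:s:$target
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@
$path = Join-Path $env:USERPROFILE 'Desktop\private-instance.rdp'
Set-Content -Path $path -Value $rdpFile -Encoding Unicode
"Wrote $path; open it with mstsc.exe to connect to $target through $gateway"
```

The client never needs a route to 10.0.1.25 itself; the only packets that leave the workstation go to the gateway on 443, which is why the private subnet's own security group can keep admitting 3389 solely from the RD Gateway, as described in the initial architecture.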