RD Gateway on AWS
RD Gateway Quick Start


Appendix B: Setting up RD Gateway Manually on AWS

In the following sections, we’ve provided information on the manual setup and configuration tasks for RD Gateway. These tasks are automated by the Quick Start templates. If you decide to perform them manually, you’ll need to set up the VPC architecture described in the Best Practices section and illustrated in Figure 3. For details on the recommended VPC design, see the Quick Start for building a modular and scalable virtual network architecture with Amazon VPC.

Installing RD Gateway

The installation of the RD Gateway role is straightforward. Use the following command from a PowerShell instance started with administrative privileges:

Install-WindowsFeature RDS-Gateway -IncludeManagementTools

Once complete, the RD Gateway role, along with all prerequisite software and administration tools, will be installed on your EC2 instance running Windows Server 2012 R2.

For Windows Server 2008 R2-based installations, we recommend following the detailed installation instructions in the Microsoft documentation.

Implementing a Self-Signed Certificate

If you decide to use a self-signed certificate, you will need to install the root CA certificate on every client device. As an automated solution, the AWS CloudFormation templates provided in this guide use a self-signed certificate for the RD Gateway service. If you aren't using the automated deployment, you can use RD Gateway management tools, which provide a mechanism for generating a self-signed certificate.

  1. Launch the RD Gateway Manager.

  2. Open the context (right-click) menu for the local server name, and then choose Properties.

    Figure 13: Navigating the RD Gateway Manager

  3. On the SSL Certificate tab, make sure that Create a self-signed certificate is selected, and then choose Create and Import a Certificate.

    Figure 14: SSL certificate settings on the RD gateway

  4. Make sure that the correct fully-qualified domain name (FQDN) is listed for the Certificate name. Make note of the root certificate location, and then choose OK.

    Figure 15: Creating a self-signed certificate

  5. After you install the certificate, close and reopen the server's Properties dialog box to verify that the new self-signed certificate was successfully installed.

    Figure 16: Viewing the SSL certificate settings after creating a new certificate
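The role installation and the self-signed certificate steps above, written as one unattended PowerShell script. This is an added example, not code from the Quick Start guide or its CloudFormation templates. The gateway FQDN and the export path are placeholders, and the certificate is bound through the RDS: provider item RDS:\GatewayServer\SSLCertificate\Thumbprint (an assumption of this example; the guide itself uses the RD Gateway Manager dialog). Only the parameters New-SelfSignedCertificate accepts on Windows Server 2012 R2 are used.

```powershell
# Added example (not from the Quick Start guide or its templates): unattended
# equivalent of "Installing RD Gateway" and "Implementing a Self-Signed Certificate".
# Assumed: the FQDN and export path are placeholders; the binding uses the RDS:
# provider path RDS:\GatewayServer\SSLCertificate\Thumbprint.
$GatewayFqdn = 'rdgw.example.internal'   # placeholder: the name clients will enter in mstsc
$RootCerOut  = 'C:\Temp\rdgw-root.cer'   # placeholder: public certificate to push to clients

# 1. Install the role (same command as above) and check the result object
#    instead of assuming success.
$result = Install-WindowsFeature RDS-Gateway -IncludeManagementTools
if (-not $result.Success) {
    throw "RDS-Gateway installation failed (exit code $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the gateway will accept connections.'
}

# 2. Create the certificate in the machine store. The subject must be the FQDN
#    clients connect to: a name mismatch fails validation on the client even when
#    the root certificate is trusted (the point of step 4 above).
$cert = New-SelfSignedCertificate -DnsName $GatewayFqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Bind the certificate to the gateway service (the SSL Certificate tab in the GUI).
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 4. Export the public certificate only (-Type CERT carries no private key) for the
#    clients' Trusted Root Certification Authorities store. The private key stays
#    on the gateway; a .pfx is never what gets distributed.
New-Item -ItemType Directory -Path (Split-Path $RootCerOut) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $RootCerOut -Type CERT | Out-Null

# 5. Verify the binding, as step 5 above does by reopening the Properties dialog.
$bound = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
if ($bound -ne $cert.Thumbprint) {
    throw "Gateway is bound to thumbprint $bound, expected $($cert.Thumbprint)."
}
Write-Host "RD Gateway $GatewayFqdn is bound to $($cert.Thumbprint); distribute $RootCerOut to client devices."
```

On each client device the exported file is imported into the machine's trusted root store, for example with Import-Certificate -FilePath rdgw-root.cer -CertStoreLocation Cert:\LocalMachine\Root from an elevated session. That per-client step is the cost of a self-signed certificate that the section describes; a certificate from a CA the clients already trust removes it, and the rest of the script is unchanged apart from step 2.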

Configuring Connection and Resource Authorization Policies

During manual deployment, once you’ve installed the RD Gateway role and an SSL certificate, you’ll be ready to configure connection and resource authorization policies. (Note that the Quick Start templates automatically configure these for you.)

To configure the policies:

  1. Launch the RD Gateway Manager.

  2. Open the context (right-click) menu for the Policies branch, and choose Create New Authorization Policies.

    Figure 17: Navigating the RD Gateway Manager

  3. In the Create New Authorization Policies wizard, choose Create a RD CAP and a RD RAP (recommended), and then choose Next.

    Figure 18: Selecting authorization policies

  4. Enter a friendly name for your RD CAP, and then choose Next.

  5. On the Select Requirements screen, define the authentication method and groups that should be permitted to connect to the RD gateway, and then choose Next.

    Figure 19: Configuring authentication method and groups for RD CAP

  6. Choose whether to enable or disable device redirection, and then choose Next.

  7. Specify your timeout and reconnection settings, and then choose Next.

  8. On the RD CAP Settings Summary screen, choose Next.

  9. Enter a friendly name for your RD RAP, and then choose Next.

  10. Select the user groups that will be associated with the RAP, and then choose Next.

    Figure 20: Selecting group memberships for RD RAP

  11. Select the Windows-based instances (network resources) that administrators should be able to connect to through the RD gateway. This can be a security group in Active Directory that contains specific computers. The following example allows administrators to connect to any computer. Choose Next.

    Figure 21: Selecting network resources

  12. Allow connections to TCP port 3389, and then choose Next.

    Figure 22: Selecting the RDP port

  13. Choose Finish, and then Close.
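The same RD CAP and RD RAP created from PowerShell through the RDS: provider, added here as an example; it is not code from the Quick Start guide or its templates. The domain and group names are placeholders. The value meanings it relies on are assumptions of this example: AuthMethod 1 for password authentication, ComputerGroupType 2 for "any network resource" (the guide's step 11) and 1 for an Active Directory computer group, and the IdleTimeout, SessionTimeout and PortNumbers item names under each policy.

```powershell
# Added example (not from the Quick Start guide or its templates): creates the
# RD CAP and RD RAP from steps 1-13 above without the wizard.
# Assumed: $Domain and the group names are placeholders; AuthMethod 1 = password;
# ComputerGroupType 2 = any network resource, 1 = an AD group of computers;
# IdleTimeout, SessionTimeout and PortNumbers are the policy item names.
Import-Module RemoteDesktopServices   # provides the RDS: drive

$Domain    = 'EXAMPLE'                 # placeholder NetBIOS domain name
$UserGroup = "RDGW-Users@$Domain"      # placeholder AD group in "group@domain" form
$CapName   = 'Default-CAP'
$RapName   = 'Default-RAP'

# Steps 4-5: connection authorization. Only members of $UserGroup may
# authenticate to the gateway, and only with a password (AuthMethod 1).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name $CapName `
    -UserGroups $UserGroup -AuthMethod 1 | Out-Null

# Step 7: timeouts in minutes. A tunnel that idles forever is the setting most
# often left at its default; 30 minutes idle and an 8-hour session cap are
# example values, not the guide's.
Set-Item -Path "RDS:\GatewayServer\CAP\$CapName\IdleTimeout"    -Value 30
Set-Item -Path "RDS:\GatewayServer\CAP\$CapName\SessionTimeout" -Value 480

# Steps 9-11: resource authorization. The guide's example allows any computer
# (ComputerGroupType 2). A narrower policy names an AD group containing only the
# instances administrators need to reach, for example:
#   New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName -UserGroups $UserGroup `
#       -ComputerGroupType 1 -ComputerGroup "RDGW-Targets@$Domain"
New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName `
    -UserGroups $UserGroup -ComputerGroupType 2 | Out-Null

# Step 12: restrict the RAP to RDP (TCP 3389) rather than any port.
Set-Item -Path "RDS:\GatewayServer\RAP\$RapName\PortNumbers" -Value 3389

# Review what the gateway will now enforce; the GUI shows the same under Policies.
Get-ChildItem 'RDS:\GatewayServer\CAP' | Format-Table Name
Get-ChildItem "RDS:\GatewayServer\CAP\$CapName" | Format-Table Name, CurrentValue
Get-ChildItem "RDS:\GatewayServer\RAP\$RapName" | Format-Table Name, CurrentValue
```

The two policies are evaluated together: a user must match a CAP to authenticate to the gateway and a RAP to reach a given host, so the group in the RAP can be narrower than the one in the CAP. The commented-out RAP with ComputerGroupType 1 is the form to prefer once the set of administered instances is known, since the "any computer" RAP in the guide's example turns the gateway into a path to every host the security groups allow on port 3389.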