RD Gateway on AWS
RD Gateway Quick Start

Step 3. Perform Post-Deployment Tasks

After you launch the AWS CloudFormation template for one of the three scenarios in the previous sections and build the stack, follow these steps to complete the configuration of your AWS environment:

  1. Create security groups for your Windows-based instances that will be located in private VPC subnets. Create an ingress rule permitting TCP port 3389 from the RD Gateway security group, CIDR range, or IP address. Associate these groups with instances as they are launched into the private subnets.

  2. Make sure that your administrative clients can resolve the name for the RD Gateway endpoint (e.g., win-1a2b3c4d5e6.example.com). You can create an A (Host) record in DNS that maps the FQDN to the RD gateway's Elastic IP or public IP address. For testing purposes, you can configure this mapping in the local hosts file on the client machine.

  3. Configure administrative clients with the proper configuration settings. This includes installing the root certificate from each RD Gateway server on the client machines (see the next section for instructions). When you use the AWS CloudFormation templates, the default location for the root certificate will be c:\servername.cer on each RD Gateway server.

  4. Modify the RD Gateway security group. Remove the ingress rule permitting TCP port 3389. Create a new ingress rule permitting TCP port 443 from your administrator's IP address.

  5. Make sure that instances in private subnets are associated with a security group containing ingress rules permitting the RD Gateway server IP address to connect via TCP port 3389.

  6. Configure the Remote Desktop connection for administrative clients, as described later in this section.
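The security-group changes in steps 1, 4 and 5 can be scripted with the AWS Tools for PowerShell. This is an added example, not part of the Quick Start; the group IDs, account ID and administrator address are placeholders, and the script assumes the RD Gateway group currently carries the TCP/3389 rule that the template created.

```powershell
# Added example: tighten the RD Gateway and private-subnet security groups
# (steps 1, 4 and 5 above). All IDs and the CIDR below are placeholders.
param(
    [string]$RdgwSgId    = 'sg-0123456789abcdef0',   # placeholder: RD Gateway security group
    [string]$PrivateSgId = 'sg-0fedcba9876543210',   # placeholder: group for instances in private subnets
    [string]$AdminCidr   = '203.0.113.10/32',        # placeholder: administrator's public IP as a /32
    [string]$AccountId   = '111122223333'            # placeholder: account that owns both groups
)

# Step 4a: remove whatever TCP/3389 ingress the template opened on the gateway.
# Read the live rule(s) back rather than guessing the CIDR that was used at launch.
$gw = Get-EC2SecurityGroup -GroupId $RdgwSgId
$rdpRules = $gw.IpPermissions | Where-Object { $_.IpProtocol -eq 'tcp' -and $_.FromPort -eq 3389 }
if ($rdpRules) {
    Revoke-EC2SecurityGroupIngress -GroupId $RdgwSgId -IpPermission $rdpRules
}

# Step 4b: RD Gateway transport is HTTPS, so allow TCP/443 only from the administrator's address.
Grant-EC2SecurityGroupIngress -GroupId $RdgwSgId -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 443; ToPort = 443; IpRanges = $AdminCidr }
)

# Steps 1 and 5: instances in private subnets accept RDP only from the gateway's
# security group. Referencing the group (not an IP) keeps the rule valid if the
# gateway's address changes.
$pair = New-Object Amazon.EC2.Model.UserIdGroupPair
$pair.GroupId = $RdgwSgId
$pair.UserId  = $AccountId
Grant-EC2SecurityGroupIngress -GroupId $PrivateSgId -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; UserIdGroupPairs = $pair }
)

# Verify: the gateway group should now list only 443 from $AdminCidr, and the
# private group should reference the gateway group rather than a CIDR.
(Get-EC2SecurityGroup -GroupId $RdgwSgId).IpPermissions |
    Select-Object IpProtocol, FromPort, ToPort, @{ n = 'Source'; e = { $_.Ipv4Ranges.CidrIp -join ',' } }
(Get-EC2SecurityGroup -GroupId $PrivateSgId).IpPermissions |
    Select-Object IpProtocol, FromPort, ToPort, @{ n = 'Source'; e = { $_.UserIdGroupPairs.GroupId -join ',' } }
```

Run it from a session that already has credentials for the account (for example after Set-AWSCredential); the final two commands print the resulting rules so you can confirm that no 3389 rule remains on the gateway group.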

Installing the Root Certificate

The Quick Start implements a self-signed certificate on the RD gateway instances. After deployment, you must install the root certificate on your administrative clients before you configure the RDP client to connect to your RD gateway instances. The root certificate will automatically be stored as c:\servername.cer.

To distribute this file to administrator workstations and install it, follow these steps:

  1. Open a Command Prompt window using administrative credentials.

  2. Type mmc and press Enter.

  3. In the Console Root window, on the File menu, choose Add/Remove Snap In.

  4. In the Add Standalone Snap-in dialog box, choose Certificates, and then choose Add.

  5. In the Certificates snap-in dialog box, choose Computer account, and then choose Next.

  6. In the Select Computer dialog box, choose Finish.

  7. In the Add Standalone Snap-in dialog box, choose Close.

  8. On the Add/Remove Snap-in dialog box, choose OK.

  9. In the Console Root window, expand Certificates (Local Computer).

  10. Under Certificates (Local Computer), expand Trusted Root Certification Authorities.

  11. Open the context (right-click) window for Certificates, and choose All Tasks > Import.

  12. Navigate to the root certificate (e.g., RDGW1.cer) to complete the installation.


The root certificate will be stored as c:\servername.cer on each RD Gateway when deploying servers using the AWS CloudFormation templates.

Configuring the Remote Desktop Connection Client

Use these steps to configure the Remote Desktop Connection on administrative clients.

  1. Start the Remote Desktop Connection client.

  2. In the computer name field, type the name or IP address of the Windows instance you want to connect to. Keep in mind that this instance needs to be reachable only from the RD gateway, not from the client machine.

    Figure 9: The Remote Desktop Connection client

  3. Choose Show Options. On the Advanced tab, choose Settings.

  4. Choose Use these RD Gateway server settings. For server name, specify the FQDN of the RD gateway. If the RD gateway and the server you want to connect to are in the same domain, choose Use My RD Gateway credentials for the remote computer, and then choose OK.

    Figure 10: Advanced properties for the Remote Desktop Connection client


    The FQDN server name of the RD Gateway host must match the certificate and the DNS record (or local HOSTS file entry). Otherwise, the secure connection will generate warnings and might fail.

  5. Enter your credentials, and then choose OK to connect to the server. You can supply the same set of credentials for the RD gateway and the destination server, as shown in Figure 11. If your servers are not domain-joined, you will need to authenticate twice: once for the RD gateway and once for the destination server.

    If your servers aren’t domain-joined, when prompted for the RD Gateway server credentials, provide the Admin User Name and Admin Password credentials you set in step 2, when you launched the Quick Start. Check the Remember my credentials box. (Otherwise, if you’re connecting from a Windows computer, you’ll get prompted for your credentials repeatedly, and will be blocked from entering your remote computer credentials.)

    Figure 11: Providing credentials for the RD gateway and destination server
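The certificate installation and client configuration described in the two sections above can be done from an elevated PowerShell prompt on the administrator workstation. This is an added example, not part of the Quick Start: it checks that the gateway FQDN matches the name in the certificate and resolves (DNS or hosts file), imports the certificate into the local machine's Trusted Root store in place of the MMC steps, and writes an .rdp file that always connects through the gateway. The file path, gateway FQDN and target address are placeholders.

```powershell
# Added example: client-side setup for connecting through the RD Gateway.
# Assumes the root certificate copied from the gateway is at $CerPath (placeholder).
param(
    [string]$CerPath     = 'C:\Temp\RDGW1.cer',            # placeholder: copied c:\servername.cer
    [string]$GatewayFqdn = 'win-1a2b3c4d5e6.example.com',  # placeholder: the gateway's FQDN
    [string]$TargetHost  = '10.0.1.25',                    # placeholder: instance in a private subnet
    [string]$RdpOut      = "$env:USERPROFILE\Desktop\via-rdgw.rdp"
)
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# The gateway name you type into the client must match the certificate and the
# DNS/hosts entry, otherwise the TLS connection warns or fails (see step 4 above).
$certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ne $GatewayFqdn) {
    throw "Certificate is issued to '$certName' but the gateway FQDN is '$GatewayFqdn'."
}
# System.Net.Dns honours the hosts file as well as DNS, unlike Resolve-DnsName.
$addresses = [System.Net.Dns]::GetHostAddresses($GatewayFqdn) | ForEach-Object { $_.IPAddressToString }
if (-not $addresses) { throw "$GatewayFqdn does not resolve; add the A record or hosts entry first." }
"$GatewayFqdn resolves to $($addresses -join ', ')"

# Import into Trusted Root Certification Authorities (Local Computer), skipping if present.
$already = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $already) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
"Trusted root installed, thumbprint $($cert.Thumbprint)"

# .rdp file using the documented Remote Desktop client settings:
#   gatewayusagemethod 1        = always use the gateway
#   gatewayprofileusagemethod 1 = use these explicit gateway settings
#   gatewaycredentialssource 0  = ask for a password (NTLM)
#   promptcredentialonce 1      = "Use my RD Gateway credentials for the remote computer";
#                                 set to 0 when the servers are not domain-joined.
@"
full address:s:$TargetHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@ | Set-Content -Path $RdpOut -Encoding ASCII
"Wrote $RdpOut (open it with mstsc.exe)"
```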