Deploy an RDS Farm Windows 2012R2/2016/2019


Windows Server 2012R2 Windows Server 2016 Windows Server 2019 Windows Server 2022

Remote Desktop Gateway – Gateway RDS

To summarize, the Remote Desktop Gateway allows access to resources (servers / computers) accessible from outside the enterprise on port 443 (https) without the need to establish a VPN connection and applying security strategies.

Remote Desktop Services Gateway Installation

1. Go to Overview 1 of Remote Desktop Services and click on Service Gateway … 2 . This will open the role installation wizard for the RDS farm.

Vue ensemble de la ferme RDS

2. Select server 1 where the role is to be installed and click Next 2 .

Sélectionner le serveur qui va avoir le rôle

3. Enter the name of the SSL certificate 1 (usually the publication name on the internet) and click Next 2 .

Création du certificat

4. Click Add 1 to start the installation.

Confirmer le rôle

5. Wait during the installation …

Installation en cours...

6. Installation completed, click Close 1 .

Installation terminée

Installing RD Gateway Manager on the Broker Server

Reminder : all the manipulations are carried out from the broker server. When installing the RDS Gateway the management console was installed on the target server.

1. Open a PowerShell command prompt as an administrator.

2. Enter the following line to install the console:

Install-WindowsFeature RSAT-RDS-GATEWAY

Remote Desktop Gateway role overview

To use the RDS gateway with a self-signed certificate, it must be deployed to the endpoints as a Trusted Root Certification Authority.

To work the Remote Desktop Gateway uses 2 types of policies:

  • Connection authorization policies: These define who can connect to the gateway (users and extensions), which devices are redirected, and the timeout of the sessions.
  • Resource Access Authorization Policies: They define who can connect to what.

1. Open the console from Server Manager, Tools 1 / Terminal Services 2 / Remote Desktop Gateway Manager 3 .

Ouvrir la console de Gestion

2. Click Connect to Remote Desktop Gateway Server 1 . In the new Remote Server 2 check box, enter the name of the server where the role is installed 3 and click OK 4 .

Connexion au serveur

3. When installing the role, the wizard created two 1 strategies, which makes the gateway normally usable.

Aperçu de la console

Having added a DNS record for the RDS farm (rds.rdr-it.intra) and configuring client access with this record, it is necessary to modify the resource access policy or add a computer in the Active Directory with that name.

4. In the Actions menu click Properties 1 . A window opens with different tabs available to change the options and behavior of the Remote Desktop Gateway service.

Propriétés du rôle

By default when installing a self-signed SSL certificate is created, it can be changed from the SSL Certificate tab or from the Server Manager in the Remote Desktop Services section.

Connection Authorization Policies

1. From the left menu, go to the Connection Authorization Policy 1 folder. From here, it is possible to see and manage the strategies in place. Double click on the strategy RDG_CAP_AllUsers 2 .

Stratégie d'autorisation des connexions

2. General tab: from here it is possible to change the name of the strategy and the activated or not by ticking the box Enable this strategy.

Général

3. Requirements tab: Define the user configuration to connect to the gateway services. Belonging to a group for the user, this parameter is mandatory. The other optional but very useful parameter to increase the security level is the group membership for the computer. By setting this option it is possible for example to prevent an employee from logging in from his personal computer.

Configuration requise

4. Device Redirection tab: How to configure the collection, it is possible to define which devices are redirected through the gateway. The settings in the policy take precedence over the settings in the collection. That is, if the printers are allowed in the collection and not allowed by the gateway, during a connection through the gateway the user will not have the printers.

Redirection de périphériques

Resource Access Authorization Strategies

1. From the left menu, go to the Resource Access Permit Policies 1 folder. From here, it is possible to see and manage the strategies in place. Double click on the strategy RDG_AllDomainComputers 2 .

Stratégies d'autorisation d'accès aux ressources

2. General tab: from here it is possible to change the name of the strategy and the activated or not by ticking the box Enable this strategy.

Général

3. User Groups tab: Define who can use this policy.

Groupes d'utilisateurs

4. Network Resource tab: What this policy can access.

Ressource réseau

5. Ports Allowed tab: If remote desktop access has been configured on a port other than 3389, you must configure it here.

Configuration

In this part, we will see how to make the gateway usable for the RDS farm. Several methods and solutions are available. Choose the best solution for your environment and the desired level of security.

Method 1: Allow access to all resources (deprecated)

Open the RDG_AllDomainComputers strategy and go to the Network Resource 1 tab, check Allow users to connect to any 2 network resource. Click on the Apply 3 and OK 4 buttons.

Autoriser l'accès à tout

Explanation : This method allows access to all computers (even off-domain) that have Remote Desktop enabled. In production it is not advisable to use this solution.

Method 2: Use the default configuration

As explained at the beginning of this tutorial, using a DNS alias for host servers prevents the connection to the RDS shutdown because the RDS computer (AD object) does not exist.

1. Go to the domain controller and open the Active Directory Users and Computers console and go to OR RDS 1 .

Utilisateurs et ordinateurs Active Directory

2. Right-click on OR 1 , go to New 2 and click on Computer 3 .

Ajouter un objet Ordinateur

3. Enter the Computer Name 1 that corresponds to your alias and click OK 2 .

Configuration de l'objet

4. The computer is created 1 and is a member of the group: Computer Domain 2 .

Vérification de l'objet

With this method, the default rules work with the RDS farm.

Explanation : This method allows access to all computers in the domain. Adding a fictitious computer allows the gateway to validate that the rds.rdr-it.intra computer is part of the AD group and allows access.

Method 3: Allow Access to a Restricted Active Directory Group on the RDS Farm

Prerequisites: have done the method 2 procedure.

This method consists of creating a group, in which we will put the RDS servers and declare it in the resource access strategy.

1. Return to the Active Directory Users and Computers console and go to OR RDS 1 .

Utilisateurs et ordinateurs Active Directory

2. Click the 1 icon to create a group in the container.

Ajouter un groupe

3. Enter Group Name 1 and click OK 2 .

Paramètres du groupe

4. Select Computer objects 1 to be added to the group, right-click and click Add to a 2 group.

Ajouter les ordinateurs au groupe

5. Enter the name of the 1 group that has just been created and click on OK 2 .

Sélectionner le groupe

6. Click OK 1 to close the confirmation window.

Confirmation de l'action

7. Double-click on group 1 , go to Members tab 2 and check that Computers 3 have been added.

Vérification des membres

8. Go back to the Gateway Management Console, go to the Resource Access Permit Policies 1 folder and double-click on the default 2 strategy.

Modifier la stratégie

9. Go to the Network Resources 1 tab and click Browse … 2 .

Modifier les ressources

10. Enter the name of the group 1 and click OK 2 .

Entrer le nom du groupe

11. Click Apply 1 and OK 2 .

Valider les modifications

12. The group change 1 is visible in the overview of the strategy.

Visualisation des modifications

To use RemoteApps from outside the network (Internet), you have to add the broker server to the group.

Method 4: Using the Gateway Managed Groups

This method is equivalent to method 3 unlike the groups used for the permissions are managed directly by the gateway, which allows to add computers out of domain or another domain without approval relationship.

1. On the gateway management console, go to the Resource Access Permission Policies 1 folder and double-click on the default 2 strategy.

Modifier la stratégie

2. Go to the Network Resources 1 tab, select the option Select or create Remote Desktop Gateway managed group 2 and click Browse … 3 .

Ressource réseau - groupe géré

3. Click Create a new group … 1 .

Ajouter un groupe

4. Enter the Group Name 1 and go to the Network Resources 2 tab.

Nom du groupe

5. Enter the server fqdn server name 1 and click Add 2 .

Déclarer les serveurs

6. Add all host servers that make up the RDS farm and the alias 1 and click OK 2 .

Serveur de la ferme

7. Select the 1 group that has just been created and click on OK 2 .

Sélectionner le groupe

8. Check that the group is selected 1 , validate the servers that compose it 2 then click on Apply 3 and OK 4 .

Valider les parametres

9. The group change 1 is visible in the overview of the strategy.

Stratégie modifiée

As for method 3, if you want to use RemoteApps from outside your network, you have to add the broker server to the group.

More with the Remote Desktop Gateway

Now we will put in place the necessary strategies to allow administrators to access all resources

For the creation of strategies, there are two methods:

  1. Creation using the wizard that will guide us in setting up the connections and resources strategies.
  2. Create the two strategies separately.

In this tutorial, we will use the wizard.

1. From the Management Console, go to Strategies 1 and click Create Authorization Policies 2 .

Ouvrir l'assistant de création

2. Check the first option 1 to create the two rules and click Next 2 .

Choix du type de stratégie

3. Give a name of 1 for the connection authorization policy and click Next 2 .

Nom de la stratégie d'autorisation des connexions

4. Click Add 1 for one group settings.

Ajouter un groupe

5. Select the Domain Admins group 1 and click OK 2 .

Sélection du groupe

6. To increase the security level, it is possible to add a computer group. Click Next 1 .

Passer à l'étape suivante

7. Enable or disable Device Redirection 1 and click Next 2 .

Configuration de la redirection des périphériques

8. Set session times 1 and click Next 2 .

Délais des sessions

9. A summary of the strategy is displayed, click Next 1 to move to the resource access strategy.

Résumé de la stratégie

10. Name strategy 1 and click Next 2 .

Nommer la stratégie d'autorisation d'accès aux ressources

11. The home group is already defined, click Next 1 .

Groupe à qui s'applique la stratégie

12. Select the Allow users to connect to any network resource (computer) 1 option and click Next 2 .

Ressources disponibles

13. Depending on the ports used adjust the parameters 1 and click Next 2 .

Configuration des ports autorisés

14. A summary of the strategy is displayed, click Finish 1 .

Résumé de la stratégie

15. Strategies are created, click Close 1 .

Confirmation de création

16. Go to the folder containing the connection authorization strategies 1 and select the new strategy 2 .

Stratégie ajoutée dans la console

Connection policies are read as the rules of a firewall from top to bottom (Order). By selecting a strategy, it is possible to modify its order by the Actions menu on the right of the console.

We are done with the Remote Desktop Gateway role. We will now see the Remote Desktop Services License Manager.




2 thoughts on “Deploy an RDS Farm Windows 2012R2/2016/2019”

  1. Hi,

    Thank you a lot for the documentation it is very help full
    what do you mean by (If you want to install licenses later, you have to right-click on the server from the console and click Install licenses)
    I would like to skip the license part for now

    Thank you

    Reply

Leave a Comment