
How to Set Up Remote Desktop Gateway

March 6, 2023 By Rublon Authors

Last updated on February 18, 2025

This article explains how to quickly set up a secure Remote Desktop Gateway, allowing users to access their computers from anywhere. Learn how to configure RD Gateway settings, set up an SSL certificate, and configure CAP and RAP policies. Get step-by-step instructions for setting up the RD Gateway, and check our tips on additional security measures to protect your remote machines. Here’s a comprehensive guide for setting up an efficient Remote Desktop Gateway and securing your data today.


What is Remote Desktop Gateway (RD Gateway)?

Remote Desktop Gateway (RD Gateway or RDG) is a Windows Server role that enables users on public networks to access network resources from any device that supports the Remote Desktop Connection client. The network resources can be Remote Desktop Session Host (RD Session Host) servers and Remote Desktop computers.

Why use Remote Desktop Gateway?

When no Remote Desktop Gateway is deployed and someone tries to remotely access a Terminal Server (host computer) from their home computer (client computer) over the public internet, the connection goes directly over port 3389. In such a setup, the data going over port 3389 between the home computer and the server is not encrypted. To address this security risk, a Terminal Server Gateway (also called a Remote Desktop Gateway server) can be deployed as a middleman between the home computer and the Terminal Server.

After deploying the RD Gateway server, the information between the Gateway server and the remote computer is encrypted over port 443 using an SSL certificate. This dramatically reduces the risk of unauthorized access over the public internet. After the information gets inside the internal network, port 3389 is used to make the connection to the Terminal Server.

The Remote Desktop Gateway Server acts as a secure connection between computers inside and outside a network, encrypting data sent over the internet. Installing the Remote Desktop Gateway is recommended, especially if you have clients that need to connect to the Terminal Servers through the internet.

How does Remote Desktop Gateway work?

Remote Desktop Gateway (RDG) works by establishing a secure, encrypted Remote Desktop Protocol (RDP) connection between remote users on the public internet and private network resources. RD Gateway uses Secure Sockets Layer (SSL) to encrypt the communication between the clients and the server. It must be accessible through a public IP address that allows inbound TCP connections to port 443 so that users can connect through the internet over HTTPS.

Diagram showing how Remote Desktop Gateway works

Tip

To make Remote Desktop Gateway work, you must install an SSL certificate. We recommend getting one from a verified provider, though self-signed certificates can be used for test environments. The RD Gateway server should ideally be a separate machine from your Terminal Servers.

Once the connection is established, port 3389 inside the internal network can be used. For this reason, it is recommended to install a Remote Desktop Gateway Server when clients access the terminal server remotely.


How to set up Remote Desktop Gateway?

The following is a step-by-step guide to installing and configuring an RD Gateway on Windows Server. You will see both the GUI-based instructions and, wherever possible, a PowerShell Alternative.

1. Install the Remote Desktop Role

  • PowerShell Alternative: Installing the Remote Desktop Gateway Role

2. Create CAP and RAP Policies

  • PowerShell Alternative: Creating CAP and RAP Policies

3. Install an SSL Certificate on RD Gateway

  • PowerShell Alternative: Installing & Binding an SSL Certificate

4. Test your setup

  • PowerShell Alternative: Quick Test with MSTSC Parameters

5. Enable MFA for RD Gateway

1. Install the Remote Desktop Role

1. Connect to the host server via RDP using admin credentials.

Image showing connecting to the host server to install the Remote Desktop role

2. Open the Server Manager, click Manage, and select Add Roles and Features. 

Image showing opening Add Roles and Features Wizard in the Server Manager

3. The Add Roles and Features installer will open. You can skip Before you begin by clicking Next. 

Image showing the beginning of the Add Roles and Features Wizard

4. Select Role-based or feature-based installation and click Next.

Image showing selecting the installation type

5. Select Select a server from the server pool and then select the name of your local computer in the Server Pool. Click Next.

Image showing selecting the destination server

6. In Select Server Roles, select Remote Desktop Services and click Next.

Image showing selecting server roles

7. You can skip Features and Remote Desktop Services by clicking Next on both.


8. In Select role services, select Remote Desktop Gateway and click Add Features when prompted. Click Next.

Image showing adding roles and features

9. In Network Policy and Access Services, click Next.

10. You can skip Network Policy and Access Services, Web Server Role (IIS), and Role services by clicking Next on them all.

11. In Confirm installation selections, click Install and wait for the installation to complete.

Image showing confirming installation selections

12. Installation successful. You must now create the Connection Authorization Policy.

PowerShell Alternative: Installing the Remote Desktop Gateway Role

If you’d like to install the RD Gateway role via PowerShell instead of the GUI:

1. Open PowerShell as Administrator and run the following command:

Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -Restart

This will install the Remote Desktop Gateway role along with any required dependencies and prompt for a restart if needed.

2. After the server restarts, confirm the installation:

Get-WindowsFeature RDS-Gateway

Make sure the Install State is Installed.


2. Create CAP and RAP Policies

Connection Authorization Policy (CAP) allows you to specify which groups can connect to the Remote Desktop Gateway at all. You can use Active Directory user groups or Active Directory computer groups.

Resource Authorization Policy (RAP) allows you to restrict server access based on group memberships. You will need to create Active Directory groups and add servers as members of these groups.

To create a Connection Authorization Policy (CAP) and Resource Authorization Policy (RAP):

1. In the Server Manager, click Tools and select Remote Desktop Services → Remote Desktop Gateway Manager.

Image showing how to open the Remote Desktop Gateway Manager

2. In the left pane, expand Policies, select Connection Authorization Policies, and right-click it. Then, select Create New Policy → Wizard.

Image showing how to create authorization policies for Remote Access Gateway

3. Select Create a RD CAP and a RD RAP (recommended) and click Next.

Image showing the Create New Authorization Policies Wizard

Create a Connection Authorization Policy

4. Enter a name for your Connection Authorization Policy, e.g., Allowed-For-RDGateway-Policy, and click Next.

Image showing entering a name for the Connection Authorization Policy (CAP)

5. Click Add Group… to add one or more user groups that will be associated with this RD CAP. Users who are members of these groups can connect to this RD Gateway server.

The best practice is to create a separate user group in Active Directory where you add users that you want to allow using Remote Desktop Gateway. For this tutorial, we created such a group in Active Directory and named it Allowed-For-RDGateway.

Image showing adding groups for the Connection Authorization Policy (CAP)

Click Next.

6. In Device Redirection, you decide whether RD Gateway should pass local resources such as printers and ports through to the remote desktop machine for a user who connects remotely. You do not have to change anything unless you specifically want to. Click Next.

Image showing enabling device redirection for the Connection Authorization Policy (CAP)

7. Check Enable idle timeout and Enable session timeout and click Next.

Image showing setting session timeouts for the Connection Authorization Policy (CAP)

8. In RD CAP Summary, click Next.

Create a Resource Authorization Policy

9. Enter a name for your Resource Authorization Policy, e.g., Servers-Available-Via-RDGateway, and click Next.

Image showing creating a Resource Authorization Policy (RAP)

10. Click Add Group… to add one or more user groups that will be allowed to access network resources. Users in these groups will be able to use the remote desktop to access servers on the network.

For this tutorial, we selected the same Allowed-For-RDGateway group that we selected when configuring the Connection Authorization Policy.

Image showing selecting user groups for the Resource Authorization Policy (RAP)

Click Next.

11. Click Browse and select a group that contains the servers that you want the above user groups to be able to remote desktop to.

For this tutorial, we selected the built-in group called Domain Controllers. But you can create one or more additional groups containing servers. For example, one for each department. This way, you can assign groups based on department users and allow them to access only specific servers.

Image showing selecting network resources for the Resource Authorization Policy (RAP)

Click Next.

12. If you changed the default remote desktop port, select Allow connections to these ports and specify the port. Otherwise, select Allow connections only to port 3389.

Image showing selecting allowed ports for the Resource Authorization Policy (RAP)

13. Click Next. Then, in RD RAP Summary, click Finish.

The wizard will create your CAP and RAP policies. You can now click Cancel to close the New Authorization Policies Wizard.

Image showing the confirmation that CAP and RAP policies have been created

14. You have installed the Remote Desktop Gateway and created CAP and RAP policies. You now need to install an SSL certificate on RD Gateway.


PowerShell Alternative: Creating CAP and RAP Policies

Note

Unfortunately, Microsoft does not provide straightforward native PowerShell cmdlets (as of Windows Server 2022) to create CAP and RAP policies directly in RD Gateway. CAP/RAP policies rely on NPS (Network Policy Server) integrations and the Remote Desktop Gateway Manager.

If you need to script these configurations, you can:

• Export/Import NPS configurations via netsh nps export and netsh nps import.

• Manipulate policy objects via WMI or Custom Scripts (more advanced scenarios).

For most admins, creating CAP and RAP remains a manual GUI task or an advanced script-based approach with NPS configuration exports.
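The note above mentions that CAP and RAP objects can be reached through WMI. The following script is an added example, not code from the Rublon article: it reads the policies that the Remote Desktop Gateway Manager stores in the RD Gateway WMI provider and flags settings a reviewer would question (a CAP without idle or session timeouts, a CAP granting a very broad group, a RAP that allows any resource or any port). The namespace root\CIMv2\TerminalServices, the two class names and the property names used here are assumptions to verify against the RD Gateway WMI provider documentation for your Windows Server version; run it on the gateway as an administrator.

```powershell
# Added example (not from the Rublon article): audit RD Gateway CAP/RAP policies
# through the RD Gateway WMI provider. Assumptions to verify on your server
# version: namespace, class names and the property names used below.
$Namespace = 'root\CIMv2\TerminalServices'

function Get-RdgCapAudit {
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSGatewayConnectionAuthorizationPolicy |
        ForEach-Object {
            $findings = @()
            # A CAP without idle and session timeouts keeps abandoned gateway
            # sessions alive indefinitely (the wizard's step 7 enables both).
            if (-not $_.IdleTimeout -and -not $_.SessionTimeout) { $findings += 'no idle/session timeout' }
            # A CAP that admits a very broad group defeats the point of a dedicated RDG group.
            if ("$($_.UserGroupNames)" -match 'Domain Users|Authenticated Users|Everyone') { $findings += 'very broad user group' }
            [pscustomobject]@{
                Policy         = $_.Name
                Enabled        = $_.Enabled
                UserGroups     = "$($_.UserGroupNames)"
                IdleTimeout    = $_.IdleTimeout
                SessionTimeout = $_.SessionTimeout
                Findings       = ($findings -join '; ')
            }
        }
}

function Get-RdgRapAudit {
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSGatewayResourceAuthorizationPolicy |
        ForEach-Object {
            $findings = @()
            # ResourceGroupType 'ALL' (assumed value) means every computer on the
            # network is reachable through the gateway, not only a chosen server group.
            if ($_.ResourceGroupType -eq 'ALL') { $findings += 'allows any network resource' }
            # PortNumbers '*' (assumed value) corresponds to "Allow connections to any port".
            if ("$($_.PortNumbers)" -eq '*') { $findings += 'allows any port, not only 3389' }
            [pscustomobject]@{
                Policy        = $_.Name
                Enabled       = $_.Enabled
                UserGroups    = "$($_.UserGroupNames)"
                ResourceGroup = "$($_.ResourceGroupType):$($_.ResourceGroupName)"
                Ports         = "$($_.PortNumbers)"
                Findings      = ($findings -join '; ')
            }
        }
}

Get-RdgCapAudit | Format-Table -AutoSize
Get-RdgRapAudit | Format-Table -AutoSize
```

Run the audit after the wizard finishes and again whenever policies change; the Findings column is empty for policies that match the tutorial's recommended settings. Before scripting any change to these objects, keep a backup of the NPS side with netsh nps export, as the note suggests, so the configuration can be restored.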

3. Install an SSL Certificate on RD Gateway

The Remote Desktop Gateway requires a valid SSL certificate. For this tutorial, we used a self-signed certificate. Still, we strongly recommend you purchase an SSL certificate for your server (using a fully qualified domain name) from a commercial Certificate Authority (CA) or purchase a wildcard SSL certificate for the domain.

If you already have your SSL certificate, follow these steps to install the SSL certificate on Remote Desktop Gateway:

1. In the Remote Desktop Gateway Manager, right-click the name of your gateway server and then click Properties.

2. Select the SSL Certificate tab and select an existing certificate or import the certificate.

3. Select the PFX certificate file from the file system and enter the password for the certificate when prompted.

4. Successfully importing the certificate means you have successfully installed the certificate on the default SSL port (TCP Port 443).

PowerShell Alternative: Installing & Binding an SSL Certificate

1. Obtain a .pfx certificate (from a trusted CA for production or self-signed for testing).

2. Import the certificate into the Local Machine’s Personal store:

$pfxPath = "C:\path\to\cert.pfx"
# Sample password only; in a real script prompt for it (Read-Host -AsSecureString)
# rather than storing it in plain text next to the certificate path.
$pfxPass = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPass

3. (Optional) Configure your RDS deployment to use this certificate for RD Gateway if you have a full RDS environment with a Connection Broker. For example:

# Replace below with your actual Connection Broker name and certificate details
$connectionBroker = "MyConnectionBroker.domain.local"
Set-RDCertificate -Role RDGateway `
                  -ConnectionBroker $connectionBroker `
                  -ImportPath $pfxPath `
                  -Password $pfxPass `
                  -Force

Note

If you are using RD Gateway in a standalone setup (not part of a full RDS farm), you may need to bind the certificate via the Remote Desktop Gateway Manager GUI or advanced scripts. Microsoft’s built-in cmdlets primarily support integrated RDS deployments with a Connection Broker.
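Whichever way the certificate is bound, a certificate that does not cover the gateway's public name, lacks the Server Authentication usage or chains to an untrusted root will be rejected by clients after the binding is done. The following script is an added example, not code from the Rublon article: it imports the PFX with a prompted password and checks the certificate for those properties before you bind it. The path and the gateway FQDN are placeholders; DnsNameList and EnhancedKeyUsageList are the properties PowerShell adds to certificate objects (available since PowerShell 3.0).

```powershell
# Added example (not from the Rublon article): import a PFX and verify it is
# fit for RD Gateway before binding. $PfxPath and $GatewayFqdn are placeholders.
$PfxPath     = 'C:\path\to\cert.pfx'
$GatewayFqdn = 'rdg.example.com'   # the name clients will enter as the RD Gateway server
$PfxPass     = Read-Host -Prompt 'PFX password' -AsSecureString

$Cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass

function Test-RdgCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Fqdn
    )
    $findings = @()
    $now = Get-Date

    # The gateway terminates TLS, so the private key must have been imported with the certificate.
    if (-not $Certificate.HasPrivateKey) { $findings += 'private key missing (PFX exported without key?)' }
    if ($Certificate.NotBefore -gt $now) { $findings += "not valid before $($Certificate.NotBefore)" }
    if ($Certificate.NotAfter -lt $now.AddDays(30)) { $findings += "expires $($Certificate.NotAfter)" }

    # If an Extended Key Usage is present it must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekus = @($Certificate.EnhancedKeyUsageList)
    if ($ekus.Count -gt 0 -and ($ekus.ObjectId -notcontains '1.3.6.1.5.5.7.3.1')) {
        $findings += 'Server Authentication EKU missing'
    }

    # The Subject Alternative Name must cover the public gateway name (exact or wildcard).
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $covered = $names | Where-Object { $_ -eq $Fqdn -or ($_.StartsWith('*.') -and $Fqdn -like $_) }
    if (-not $covered) { $findings += "name $Fqdn not in SAN [$($names -join ', ')]" }

    # Build the chain the way a client would; a self-signed test certificate fails
    # here unless it was also placed in the Trusted Root store of this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain not trusted: $status"
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        DnsNames   = ($names -join ', ')
        Ok         = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

$result = Test-RdgCertificate -Certificate $Cert -Fqdn $GatewayFqdn
$result | Format-List
if (-not $result.Ok) { Write-Warning 'Resolve the findings above before binding this certificate to RD Gateway.' }
```

The name check matters more than it looks: clients connect to the name entered in the RD Gateway server settings, and a certificate issued for the server's internal host name will fail for users connecting from the internet even though the import itself succeeds.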

How to Test Your Remote Desktop Gateway Connection

The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.

The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.

This guide has covered configuring the secure link (RD Gateway). If you have not prepared the host computer yet, see How to Set Up Remote Desktop.

If you have your host computer and Remote Desktop Gateway ready, do the following.

1. Launch the Remote Desktop Connection app (Start, type “rdp”, launch Remote Desktop Connection).

2. Select the Advanced tab. (You might have to click Show Options first.)

3. In the Connect from anywhere section, click Settings.

Image showing the Advanced tab in Remote Desktop Connection

4. Select Use these RD Gateway server settings, enter your hostname or IP, and click OK.

Image showing how to use RD Gateway for RDP connections

5. Select the General tab and click Connect. 

6. Provide your RD Gateway Server credentials, and after you get authenticated onto the Gateway server, provide your credentials to get authenticated onto the Remote Desktop server.

7. Congratulations. You have connected to the remote desktop through your Gateway server.

PowerShell Alternative: Quick Test with MSTSC Parameters

While there’s no single cmdlet to “test” the RD Gateway connection, you can launch mstsc.exe from a PowerShell session with parameters:

# Example: Connect to "TargetServer" via "RDGatewayServer"
mstsc.exe /v:TargetServer.domain.local /gateway:RDGatewayServer.domain.local

You will be prompted for credentials in the same manner.
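Before handing the gateway to users, it is worth checking from a client outside the network that only TCP 443 answers, that the certificate the gateway presents carries the expected name, and then launching the test connection. The following script is an added example, not code from the Rublon article: the host names are the placeholders from the mstsc example above, and the .rdp file keys are the standard Remote Desktop Connection file settings (assumed; verify against your client version).

```powershell
# Added example (not from the Rublon article): client-side pre-flight checks
# for an RD Gateway, then a test connection via an .rdp file. Host names are placeholders.
$Gateway = 'RDGatewayServer.domain.local'
$Target  = 'TargetServer.domain.local'

function Test-RdgExposure {
    param([string]$GatewayHost)
    # From the public side only TCP 443 should answer. A reachable 3389 means the
    # host is exposed directly and the gateway's CAP/RAP checks can be bypassed.
    $https = Test-NetConnection -ComputerName $GatewayHost -Port 443  -WarningAction SilentlyContinue
    $rdp   = Test-NetConnection -ComputerName $GatewayHost -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Gateway    = $GatewayHost
        Https443   = $https.TcpTestSucceeded
        Rdp3389    = $rdp.TcpTestSucceeded
        AsExpected = ($https.TcpTestSucceeded -and -not $rdp.TcpTestSucceeded)
    }
}

function Get-RdgPresentedCertificate {
    param([string]$GatewayHost)
    # Complete a TLS handshake and return what the gateway presents. The callback
    # accepts any certificate only so the object can be inspected; the fields
    # below are what decide whether it is acceptable.
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, 443)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($GatewayHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            DnsName   = $dnsName
            NameMatch = ($dnsName -eq $GatewayHost -or ($dnsName.StartsWith('*.') -and $GatewayHost -like $dnsName))
            Expired   = ($cert.NotAfter -lt (Get-Date))
        }
    } finally { $tcp.Close() }
}

function New-RdgConnectionFile {
    param([string]$GatewayHost, [string]$TargetHost, [string]$Path)
    # gatewayusagemethod 1 = always use the gateway; gatewayprofileusagemethod 1 =
    # use these explicit settings; gatewaycredentialssource 4 = prompt for credentials;
    # authentication level 1 = do not connect if server authentication fails.
    @(
        "full address:s:$TargetHost",
        "gatewayhostname:s:$GatewayHost",
        'gatewayusagemethod:i:1',
        'gatewayprofileusagemethod:i:1',
        'gatewaycredentialssource:i:4',
        'authentication level:i:1'
    ) | Set-Content -Path $Path -Encoding Unicode
    $Path
}

Test-RdgExposure -GatewayHost $Gateway | Format-List
Get-RdgPresentedCertificate -GatewayHost $Gateway | Format-List
$rdpFile = New-RdgConnectionFile -GatewayHost $Gateway -TargetHost $Target -Path "$env:TEMP\rdg-test.rdp"
mstsc.exe $rdpFile
```

If AsExpected is false because 3389 is reachable from the outside, the firewall in front of the gateway needs attention before anything else; if NameMatch is false, users will see a certificate warning at every logon, which trains them to click through warnings.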

How to Protect Your Remote Desktop Gateway Connection

So, your Remote Desktop Gateway is up and running. But have you considered ensuring user login security so hackers cannot use RD Gateway to access your resources?

Users who connect via Remote Desktop Gateway provide their username and password. But what if a hacker breaks the password? They can then gain full access to your corporate network.

Mercifully, there is a solution to that, and it is called Multi-Factor Authentication. 

MFA is an additional layer of security that adds extra protection for remote access, even when SSL certificates are in use. Besides the login-password pair, MFA requires the user to present a second factor, such as a one-time code or a push notification sent to the user’s mobile device. This ensures that even if an attacker can obtain the password, they still won’t be able to gain access to the corporate network.

Free MFA for Remote Desktop Gateway

Here’s how to instantly increase the security of your RD Gateway in one hour or less.

  • Sign up for a Free 30-Day Rublon MFA Trial
  • Enable Multi-Factor Authentication (MFA) for Remote Desktop Gateway
