Key Points
Remote Desktop Gateway (RD Gateway) enables secure, authenticated, and encrypted remote access to internal corporate resources via HTTPS.
- Configure Network Infrastructure: Open TCP Port 443 for basic connectivity and UDP Port 3391 to optimize performance; ensure DNS records resolve to your external FQDN.
- Install RD Gateway Role: Use Server Manager to add “Remote Desktop Gateway” under the Remote Desktop Services role on a Windows 2019 or 2022 Server.
- Apply SSL Certificate: Import a certificate from a trusted CA that matches your external URL; self-signed or “.local” certificates should be avoided to prevent client-side blocks.
- Define Access Policies: Create Connection Authorization Policies (CAP) to specify authorized user groups and Resource Authorization Policies (RAP) to restrict which internal servers they can access.
- Configure Client-Side Settings: In the RDP client, navigate to “Advanced Settings” to enter the Gateway FQDN and enable the option to use gateway credentials for the remote computer.
- Enable Modern Security: Integrate Multi-Factor Authentication (MFA) via the NPS Extension or third-party tools to secure the gateway against credential theft.
The modern work environment is no longer confined to the traditional office space. Employees need seamless and secure access to internal resources when working from home, traveling, or in satellite offices. Remote access solutions bridge the geographical gap, enabling users to connect to the corporate network from virtually anywhere.
While various remote access solutions exist, Microsoft’s Remote Desktop Gateway (RD Gateway) is a key option. But what is a Remote Desktop Gateway server, and how does it secure remote access to corporate networks?
In this guide, we will help you understand RD Gateway, offer a step-by-step approach to configure the gateway for remote desktops, provide an overview of security considerations, and discuss how best to address common issues.
What is RD Gateway?
RD Gateway, Microsoft Remote Desktop Gateway, or simply Remote Desktop Gateway, is a role service in Windows Server that enables authorized remote users to connect to resources within an internal corporate network over a secure channel. It acts as an intermediary between remote desktop clients and the target internal network, ensuring that connections are authenticated, encrypted, and routed through a secure tunnel.
It acts as a gateway between the public internet and the internal network, shielding it against unauthorized access.
Enhance RDG by utilizing NinjaOne Remote Access to create a secure and efficient remote access infrastructure.
Reasons to use Remote Desktop Gateway
Organizations often ask how secure Remote Desktop Gateway (RD Gateway) is. There are several reasons an organization may elect to use RD Gateway to manage remote server connectivity. These include:
- Securing access to internal resources: RD Gateway ensures secure access by authenticating users and routing connections through a common location. This is particularly crucial when dealing with sensitive information or compliance requirements.
- Encryption and data protection: To further address the question of how secure is Remote Desktop Gateway, RD Gateway encrypts data transmitted using the Remote Desktop Protocol (RDP) with HTTPS, preventing unauthorized interception and ensuring the confidentiality and integrity of information transmitted between the client and the internal network.
- Centralized access control and auditing: Administrators can establish centralized access controls, defining user permissions and groups. Additionally, RD Gateway provides robust auditing features, allowing organizations to monitor and track user activities for compliance and security purposes.
- Simplified remote desktop configuration: RD Gateway simplifies the configuration of remote desktop connections by mediating between remote clients and internal resources. This eliminates the need for complex networking setups and facilitates a streamlined user experience.
- Enhanced user experience and productivity: By providing a secure and seamless connection to internal resources, RD Gateway enhances user experience, promotes productivity among remote employees, and reduces potential connectivity issues.
How Does Remote Desktop Gateway work?
Microsoft Remote Desktop Gateway is an intermediary that mediates connections between remote desktop clients and internal resources. It authenticates users, ensures secure data transmission, and facilitates the seamless flow of information between the remote client and the internal network.
Access is checked in two steps: the user is first authenticated through a secure login process, and once authenticated, the RD Gateway verifies the user’s authorization to access the requested internal resources.
The HTTPS protocol tunnels connections to the internal network through a secure channel. This ensures that data transmitted between the client and the internal network is encrypted, safeguarding it from potential eavesdropping or tampering.
RD Gateway is compatible with many remote desktop clients, including the native Windows Remote Desktop Connection client, third-party applications, and even mobile devices. RD Gateway supports load balancing to distribute incoming connections across multiple gateway servers, which maintains performance and availability during high traffic.
Installing RD Gateway
Before setting up RD Gateway, there are several prerequisites you need to take into consideration:
Windows server: Ensure you have a Windows Server operating system installed, such as Windows Server 2022 or Windows Server 2019. This provides the foundation for running the RD Gateway role.
Network infrastructure:
- DNS: Ensure your DNS records are correctly configured and accessible within your network. The DNS server must resolve the server’s hostname and IP address.
- Firewall rules: Open the required firewall ports on the Remote Desktop Gateway server and any intermediate firewalls.
- TCP Port 443: Required for HTTPS, which secures the initial RD Gateway communication and authentication.
- UDP Port 3391: While TCP 443 is mandatory for the initial connection, opening UDP 3391 allows for a much smoother user experience by enabling RDP’s reliable UDP transport. This significantly reduces “lag” during high-bandwidth tasks like video playback or fast scrolling.
- Note: Do not open Port 3389 to the public internet, as RD Gateway securely encapsulates this traffic within the HTTPS/UDP tunnels.
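The firewall and DNS prerequisites above, as an added PowerShell example that is not part of the original guide: it creates the two inbound rules (TCP 443 and UDP 3391), flags any enabled inbound rule that would accept raw RDP on the Public profile, and resolves the external name. `gateway.example.com` is a placeholder for your public FQDN; the `NetSecurity` and `DnsClient` cmdlets used here ship with Windows Server.

```powershell
# Added example, not code from the original guide. Run in an elevated session on the
# RD Gateway server. 'gateway.example.com' is a placeholder for your external FQDN.

$ExternalFqdn = 'gateway.example.com'   # placeholder: the name users type into the client

# TCP 443 carries every RD Gateway session over HTTPS; it is mandatory.
New-NetFirewallRule -DisplayName 'RD Gateway - HTTPS (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Any | Out-Null

# UDP 3391 is the optional transport that makes sessions feel responsive.
New-NetFirewallRule -DisplayName 'RD Gateway - UDP transport (UDP 3391)' -Direction Inbound `
    -Protocol UDP -LocalPort 3391 -Action Allow -Profile Any | Out-Null

# 3389 must never be reachable from the internet: list enabled inbound allow rules for it
# that apply to the Public profile (or to all profiles) so they can be reviewed.
$RdpExposed = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and ("$($_.Profile)" -match 'Public|Any') }

if ($RdpExposed) {
    Write-Warning 'Enabled inbound rules allow TCP 3389 on the Public profile; review them:'
    $RdpExposed | Format-Table DisplayName, Profile -AutoSize
} else {
    Write-Host 'OK: no enabled inbound rule allows TCP 3389 on the Public profile.'
}

# The external name must resolve to the address that is forwarded to the gateway.
try {
    $Answers = Resolve-DnsName -Name $ExternalFqdn -Type A -DnsOnly -ErrorAction Stop
    $Answers | Select-Object Name, IPAddress | Format-Table -AutoSize
} catch {
    Write-Warning "DNS lookup for $ExternalFqdn failed: $($_.Exception.Message)"
}
```

The 3389 check only covers the host firewall on the gateway itself; the perimeter firewall still has to be verified separately, and the DNS lookup only gives a meaningful answer for the public name when run from outside the internal network.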
Active Directory: Users must have the appropriate permissions to access the Remote Desktop Gateway server and its resources. That’s why one of the prerequisites is having a domain environment with Active Directory for user authentication and authorization.
SSL certificate: A valid SSL certificate from a trusted authority secures communication between the Remote Desktop Gateway server and clients, ensuring data confidentiality and integrity.
Installation
- Open Server Manager: Launch Server Manager on your Windows Server. This is the central management tool for Windows Server.
- Add Roles and Features: Navigate to the “Manage” menu and select “Add Roles and Features.” This wizard will guide you through adding the necessary roles and features to your server.
- Select RD Gateway: Choose “Role-Based or Feature-Based Installation” and select the appropriate server. In the “Select server roles” section, locate and select “Remote Desktop Services” and then “Remote Desktop Gateway.” Follow the on-screen prompts to complete the installation.
Install SSL Certificate
- Obtain certificate: An SSL certificate authenticates the Remote Desktop Gateway server to clients and encrypts communication. Therefore, it’s essential to only acquire a valid SSL certificate from a trusted certificate authority.
- Import certificate: Use the Microsoft Management Console (MMC) to import the certificate into the local computer’s personal store. This makes the certificate available for use by the RD Gateway.
- Configure RD Gateway: Open the RD Gateway Manager, navigate to the server node, and select the “Properties” option. Under the “SSL Certificate” tab, select the installed SSL certificate to associate it with the RD Gateway server.
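The Installation and Install SSL Certificate steps together, as an added PowerShell example that is not part of the original guide. It installs the role service, imports a PFX into the computer’s Personal store, checks the certificate against the rules this guide gives (matches the external name, not self-signed, no `.local` name, not about to expire) and binds it to the gateway. It assumes an elevated session on a domain-joined Windows Server 2019/2022; `gateway.example.com` and the PFX path are placeholders, and `RDS:\GatewayServer\SSLCertificate\Thumbprint` is the path exposed by the `RemoteDesktopServices` module that the management tools install.

```powershell
# Added example, not code from the original guide. Placeholders: $ExternalFqdn, $PfxPath.

$ExternalFqdn = 'gateway.example.com'      # placeholder: public name on the certificate
$PfxPath      = 'C:\certs\gateway.pfx'     # placeholder: certificate exported with its private key

# 1. Install the role service plus RD Gateway Manager and the RDS: PowerShell drive.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. Import the certificate into the local computer's Personal store.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$Imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
$Cert = Get-Item "Cert:\LocalMachine\My\$($Imported.Thumbprint)"

# 3. Check it before binding: its names must cover the external FQDN (wildcards allowed),
#    it must not be self-signed, must not carry a .local name, and should not be near expiry.
$Names   = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
$Covered = $Names | Where-Object { $ExternalFqdn -like $_ }
if (-not $Covered)                  { throw "Certificate names ($($Names -join ', ')) do not cover $ExternalFqdn" }
if ($Cert.Subject -eq $Cert.Issuer) { throw 'Certificate is self-signed; remote clients will not trust it' }
if ($Names -match '\.local$')       { throw 'Certificate carries a .local name; use a publicly resolvable domain' }
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($Cert.NotAfter); plan the renewal now"
}

# 4. Bind it to the gateway (the scripted form of the SSL Certificate tab in RD Gateway Manager).
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Cert.Thumbprint
Get-Item  -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint'

# The gateway service (TSGateway) picks up the new binding after a restart.
Restart-Service -Name TSGateway
```

The `-like` comparison is what lets a wildcard certificate such as `*.example.com` pass the name check while a certificate issued only to an internal host name fails it before anything is bound.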
Setting Up RD Gateway
Configure Server:
- Network settings: The Remote Desktop Gateway server’s network settings, including IP address, subnet mask, and default gateway, must be correct. This step is important to enable the server to communicate with other devices on the network.
- Define access rules: A Connection Authorization Policy (CAP) lets you control who can access the remote desktop environment. Create CAPs that specify the users or groups allowed to connect to the Remote Desktop Gateway.
Creating Connection Authorization Policy (CAP)
Create VPN connections: VPN connections provide a secure tunnel for traffic to reach the RD Gateway. In some cases you will also need to create Virtual Private Network (VPN) connections for remote locations or networks that need access to the RD Gateway.
DNS settings: Verify that the server can resolve DNS names correctly. This is essential for accessing network resources.
Set conditions: Preset conditions help you implement additional security measures and restrictions. Define conditions for access, such as specific IP addresses, time periods, or device types.
Understanding the Policy Hierarchy
Before defining your specific rules, it is helpful to understand how these two policies work together to secure your environment. While a CAP acts as the “front door” key, the RAP determines which “rooms” a user is allowed to enter once inside.
| Feature | CAP (The “Who”) | RAP (The “Where”) |
| --- | --- | --- |
| Purpose | Controls who is allowed to connect to the Gateway. | Controls which internal PCs or Servers they can reach. |
| Common Criteria | Active Directory User Group membership, MFA status, or device health. | AD Managed Computer Groups or specific network IP ranges. |
| Security Layer | Primary Authentication: Verifies the identity of the remote user. | Network Segmentation: Enforces the principle of least privilege. |
Creating Resource Authorization Policy (RAP)
Grant access: Creating a Resource Authorization Policy (RAP) lets you control which resources are accessible to different users. Create RAPs to grant users or groups access to specific resources within the internal network.
Define permissions: Specify the level of access (e.g., full control, read-only) for each resource. This determines what actions users can perform on the resources.
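The CAP and RAP creation described in the two sections above, as an added PowerShell example that is not part of the original guide. It uses the `RDS:` provider from the `RemoteDesktopServices` module (installed with the RD Gateway management tools) to create a CAP for one AD group, a gateway-managed computer group holding the only hosts that group may reach, and a RAP tying the two together, which is the least-privilege pairing the table above describes. The domain `CONTOSO`, the group names and the host names are placeholders, and the numeric parameter values are stated as this example understands them.

```powershell
# Added example, not code from the original guide. Run elevated on the RD Gateway server.
Import-Module RemoteDesktopServices

$Domain        = 'CONTOSO'                       # placeholder NetBIOS domain name
$UserGroup     = "RDG_Users@$Domain"             # placeholder AD group allowed through the gateway
$ComputerGroup = 'RDG_AllowedServers'            # placeholder gateway-managed computer group
$Targets       = 'app01.corp.example.com', 'app02.corp.example.com'   # placeholder internal hosts

# CAP: who may connect, and how they authenticate.
# -AuthMethod (as understood here): 1 = password, 2 = smart card, 3 = either.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-Employees' `
    -UserGroups $UserGroup -AuthMethod 1

# Gateway-managed computer group: the explicit list of hosts reachable through the gateway.
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $ComputerGroup `
    -Computers $Targets -Description 'Servers reachable through RD Gateway'

# RAP: where the authorized group may go.
# -ComputerGroupType (as understood here): 0 = gateway-managed group, 1 = AD computer group,
# 2 = any network resource. Type 2 defeats the segmentation a RAP is meant to provide.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-AppServers' `
    -UserGroups $UserGroup -ComputerGroupType 0 -ComputerGroup $ComputerGroup

# Review the resulting policies; any RAP you did not create deliberately should be removed.
Get-ChildItem -Path 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' | Format-Table Name -AutoSize
```

A user must satisfy both a CAP and a RAP before a session is proxied, so a RAP that allows any network resource effectively turns the gateway into an open door to the internal network for everyone the CAP admits.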
Connecting from the Client: Finalizing the Link
Once the server-side configuration is complete, you must configure the Remote Desktop Connection client on the user’s local machine to recognize and use the Gateway.
To configure the Windows RDP Client (mstsc.exe):
- Open Remote Desktop Connection: Search for “Remote Desktop” in the Start menu.
- Access Advanced Settings: Click Show Options, then navigate to the Advanced tab.
- Configure the Gateway: Under the “Connect from anywhere” section, click the Settings button.
- Enter Gateway Details:
  - Select Use these RD Gateway server settings.
  - Server name: Enter the External FQDN of your Gateway (e.g., gateway.yourcompany.com).
  - Logon method: Ensure this is set to “Allow me to select later” or “Password.”
  - Check the box: “Use my RD Gateway credentials for the remote computer” (this allows for a Single Sign-On experience).
- Connect: Return to the General tab, enter the internal computer name or IP of your destination server, and click Connect.
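The client settings above written to a `.rdp` file, as an added PowerShell example that is not part of the original guide, so the gateway configuration can be distributed to users instead of being typed into the dialog. The host names and output path are placeholders, and the `.rdp` key meanings are as this example understands them: `gatewayusagemethod` 1 always uses the gateway, `gatewaycredentialssource` 4 corresponds to “Allow me to select later”, and `promptcredentialonce` 1 corresponds to “Use my RD Gateway credentials for the remote computer”.

```powershell
# Added example, not code from the original guide. Writes a .rdp file that mstsc.exe can open.

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,   # external name of the RD Gateway
        [Parameter(Mandatory)] [string] $TargetHost,    # internal computer name or IP
        [Parameter(Mandatory)] [string] $Path           # where to write the .rdp file
    )

    # A public client cannot resolve or trust an internal-only name; refuse it up front.
    if ($GatewayFqdn -match '\.local$' -or $GatewayFqdn -notmatch '\.') {
        throw "Gateway name '$GatewayFqdn' is not a publicly resolvable FQDN"
    }

    $Lines = @(
        "full address:s:$TargetHost",        # General tab: the destination computer
        "gatewayhostname:s:$GatewayFqdn",    # Advanced > Settings: server name
        'gatewayprofileusagemethod:i:1',     # use these RD Gateway server settings
        'gatewayusagemethod:i:1',            # always connect through the gateway
        'gatewaycredentialssource:i:4',      # logon method: allow me to select later
        'promptcredentialonce:i:1',          # reuse gateway credentials for the remote computer
        'prompt for credentials:i:1'         # never embed a password in the file
    )

    # mstsc reads UTF-16 LE .rdp files, which is also what "Save As" produces.
    Set-Content -Path $Path -Value $Lines -Encoding Unicode
    Get-Item -Path $Path
}

# Usage with placeholder names:
New-GatewayRdpFile -GatewayFqdn 'gateway.example.com' `
                   -TargetHost  'app01.corp.example.com' `
                   -Path        "$env:USERPROFILE\Desktop\app01-via-gateway.rdp"
```

Keeping `prompt for credentials` set means the file carries no secrets, so it can be handed out through a share or an intranet page without becoming a credential-theft risk in itself.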
Modernizing Security: MFA Integration
In the current threat landscape, relying solely on a username and password for remote access is a significant security risk. To protect against credential theft and brute-force attacks, it is highly recommended to integrate Multi-Factor Authentication (MFA) into your RD Gateway deployment.
By implementing MFA, users must approve a push notification or enter a code on their mobile device before the RD Gateway grants access to the internal network. Common ways to achieve this include:
- Microsoft Entra MFA (formerly Azure MFA): By installing the NPS Extension for Azure MFA on your Gateway server, you can bridge your on-premises RD Gateway with cloud-based MFA. This allows users to receive a Microsoft Authenticator prompt during the login process.
- Duo Security: A popular third-party alternative that uses a lightweight proxy to intercept authentication requests and trigger a Duo Push.
- RADIUS Integration: For organizations using other identity providers, RD Gateway can be configured to communicate with any MFA solution that supports the RADIUS protocol.
Security Note: Implementing MFA at the Gateway level effectively neutralizes the risk of leaked credentials, as the attacker would also need physical access to the user’s secondary device to successfully tunnel into your network.
RD Gateway configuration best practices
Once RD Gateway has been installed, several configuration steps are required to align with remote access best practices:
Establish Remote Desktop Gateway policies
Define Remote Desktop Gateway policies to control user access, connection parameters, and security settings. Launch the RD Gateway Manager and navigate to the “Policies” node. Right-click, and select “Create New Authorization Policies.” Follow the prompts to define access policies based on user groups, resource authorization, and connection parameters.
Define user access permissions and groups
Configure user access permissions and groups to determine who can connect to the RD Gateway and the internal resources. Navigate to “Server Manager” and select “Remote Desktop Services” from the left-hand menu. Under the “Collections” node, select the collection you want to configure. In the “Tasks” pane, click on “Edit properties,” and under the “User Groups” tab, define the user groups allowed to connect.
Customize RD Gateway properties
Customize RD Gateway properties to align with your organization’s requirements and security policies. Launch the RD Gateway Manager, navigate to the server node, right-click, and select “Properties.” Adjust settings such as timeout periods, device redirection, and logging options to match your organization’s needs.
Troubleshooting common configuration issues
If errors or difficulties arise during or after the setup process, your first stop should be the Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway to find specific logs that indicate whether a CAP or RAP is blocking a user.
The FQDN and Certificate Health
The most frequent cause of connection failure is an SSL mismatch or trust issue.
- The FQDN Rule: Your SSL certificate must match the External URL users type into their client (e.g., remote.yourcompany.com).
- No .local Certificates: Public clients will reject certificates issued to internal names (like myserver.local). Always use a publicly resolvable domain.
Managing Certificate Expiration
A common cause for total service outages is SSL certificate expiration. Regularly monitor the expiry dates and configure reminders to allow sufficient time for renewals. This ensures the secure tunnel remains active and prevents sudden connectivity issues for your entire workforce.
Network and Firewall Alignment
If the certificate is valid but the connection fails, verify that TCP Port 443 is open on your external firewall. For optimized performance, ensure UDP Port 3391 is also reachable to allow for smoother RDP data transport.
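The troubleshooting path above (certificate health, port alignment and the TerminalServices-Gateway log) as a single health-check script, added here as an example that is not part of the original guide. It reads the thumbprint bound to the gateway through the `RDS:` provider, checks the certificate’s name coverage and expiry, confirms the service is listening on TCP 443 and UDP 3391, and lists recent CAP/RAP denials. `gateway.example.com` is a placeholder; the denial filter matches on event message text, so treat it as a heuristic rather than a list of event IDs.

```powershell
# Added example, not code from the original guide. Run elevated on the RD Gateway server.
Import-Module RemoteDesktopServices
$ExternalFqdn = 'gateway.example.com'   # placeholder: the external name users connect to

# 1. Certificate bound to the gateway: does it cover the external name, and when does it expire?
$Thumb = (Get-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
$Cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumb" -ErrorAction SilentlyContinue
if (-not $Cert) {
    Write-Warning "No certificate with thumbprint '$Thumb' found in LocalMachine\My"
} else {
    $Names    = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $Covered  = $Names | Where-Object { $ExternalFqdn -like $_ }
    $DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    if (-not $Covered)        { Write-Warning "Bound certificate ($($Names -join ', ')) does not match $ExternalFqdn" }
    if ($DaysLeft -le 0)      { Write-Warning "Bound certificate EXPIRED on $($Cert.NotAfter)" }
    elseif ($DaysLeft -lt 30) { Write-Warning "Bound certificate expires in $DaysLeft days" }
    else                      { Write-Host "Certificate OK: covers $ExternalFqdn, $DaysLeft days left" }
}

# 2. Service and ports: the gateway service must be running and listening on 443/TCP and 3391/UDP.
$Svc = Get-Service -Name TSGateway
if ($Svc.Status -ne 'Running') { Write-Warning "TSGateway service is $($Svc.Status)" }
if (-not (Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)) {
    Write-Warning 'Nothing is listening on TCP 443'
}
if (-not (Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue)) {
    Write-Warning 'Nothing is listening on UDP 3391 (UDP transport disabled or blocked locally)'
}
# TCP reachability through the external name; only a probe from outside the network proves the perimeter firewall.
$Probe = Test-NetConnection -ComputerName $ExternalFqdn -Port 443 -WarningAction SilentlyContinue
if (-not $Probe.TcpTestSucceeded) { Write-Warning "TCP 443 to $ExternalFqdn is not reachable from this host" }

# 3. Recent CAP/RAP denials from the gateway's operational log (the Event Viewer path in the text).
$Log    = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$Events = Get-WinEvent -LogName $Log -MaxEvents 500 -ErrorAction SilentlyContinue
$Denied = $Events | Where-Object { $_.Message -match 'did not meet (connection|resource) authorization policy' }
$Denied |
    Select-Object TimeCreated, Id,
        @{ Name = 'Policy';  Expression = { if ($_.Message -match 'resource authorization') { 'RAP' } else { 'CAP' } } },
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Reading the checks in this order mirrors the failure sequence a client sees: a certificate problem fails before authentication, a closed port fails before the certificate is even presented, and a CAP or RAP denial only appears once both of those succeed.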
Boost the security and efficiency of your remote access setup by integrating NinjaOne Remote Access with RDG.
Embrace the full potential of RD Gateway
Setting up a Remote Desktop Gateway provides secure and efficient remote access. Proper setup, maintenance, and operation ensure the RD Gateway functions as a reliable access point for organizations.
RD Gateway is pivotal in ensuring encrypted and authenticated connections, allowing organizations to embrace remote work without compromising security.
NinjaOne Remote is NinjaOne’s remote access tool integrated directly into NinjaOne RMM. Built from the ground up, it offers a strong and secure RDP tool using our own gateway. Watch a demo or sign up for a free trial to see Ninja Remote in action.