How to Configure Remote Desktop Gateway on Windows Server 2019
Remote Desktop Gateway (RD Gateway) is a Windows Server 2019 role service that enables authorised remote users to connect to internal network resources over HTTPS, eliminating the need to expose RDP port 3389 directly to the internet. RD Gateway encapsulates RDP traffic within HTTPS (port 443), which passes through most firewalls and allows secure external access to RD Session Hosts, virtual machines, and remote desktops without VPN. It uses Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP) to control who can connect and what resources they can reach.
Planning the RD Gateway Deployment
RD Gateway is the externally facing component, so deploy it in the DMZ (or on a host with a public IP) and treat it as an internet-exposed server. Internally it reaches RD Session Hosts on TCP 3389 and, when domain-joined, the domain controllers it needs to evaluate CAPs and RAPs, so the internal firewall must permit both. The gateway requires a TLS certificate issued by a CA that the connecting clients trust. A self-signed certificate is usable only for testing, and only if it is installed in each client's Trusted Root store: the Remote Desktop client refuses gateway connections over a certificate it does not trust rather than offering a warning to click through. The public DNS name clients will use must appear in the certificate's Subject Alternative Name; current clients do not fall back to the Common Name for name matching. For multiple RD Gateway servers behind a hardware load balancer or Windows NLB, use a single virtual IP and a wildcard or SAN certificate that covers the load-balanced name.
Installing the RD Gateway Role
Install the RD Gateway role service and its management tools on the gateway server. The server sits in the DMZ and must be domain-joined when CAP and RAP policies reference Active Directory users and groups, which is the normal configuration.
# Install the RD Gateway role service together with its management tools
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
# Verify installation (Install State should read "Installed")
Get-WindowsFeature -Name RDS-Gateway
# Confirm the Remote Desktop Gateway service is running
Get-Service -Name TSGateway
# Open RD Gateway Manager (the MMC snap-in for the role)
Start-Process "tsgateway.msc"
Obtaining and Binding an SSL Certificate
Before configuring policies, bind a TLS certificate to the RD Gateway. The certificate must carry the Server Authentication extended key usage (EKU, OID 1.3.6.1.5.5.7.3.1), have its private key available on the gateway, and chain to a CA the clients trust. Import the certificate into the Local Computer > Personal certificate store.
# Import a PFX certificate into the machine's Personal store.
# Prompt for the PFX password instead of embedding it in the script.
$CertPassword = Read-Host -Prompt "PFX password" -AsSecureString
Import-PfxCertificate -FilePath "C:\Certs\rdgateway.corp.com.pfx" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Password $CertPassword
# Select the newest certificate issued for the gateway name (match on the SAN list
# as well as the Subject, since a SAN-only certificate may carry no CN) and record its thumbprint
$Cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.Subject -like "*rdgateway.corp.com*" -or $_.DnsNameList.Unicode -contains "rdgateway.corp.com" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Certificate Thumbprint: $($Cert.Thumbprint)"
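Before binding, it is worth checking the certificate against every requirement listed above in one pass rather than discovering a missing EKU or SAN from a client-side error later. The following function is an added example, not part of the original guide; it takes a certificate object from the Cert: drive and the public gateway name (rdgateway.corp.com is assumed, as elsewhere on this page) and reports each requirement separately. The parse of the SAN extension relies on the English "DNS Name=" wording that Format() produces, which is an assumption about the server's locale.

```powershell
# Added example: evaluate a certificate in the machine store for use as the RD Gateway
# listener certificate. Returns one boolean per requirement rather than a single verdict,
# so the reason for a failure is visible.
function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PublicName   # the DNS name clients put in the RDP file
    )
    $serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

    # Server Authentication must be present in the Extended Key Usage extension (OID 2.5.29.37)
    $hasServerAuth = $false
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($ekuExt) {
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() output is locale dependent; "DNS Name=" is the English form (assumption).
    $dnsNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($sanExt) {
        $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    }
    $target = $PublicName.ToLowerInvariant()
    $nameInSan = $false
    foreach ($n in $dnsNames) {
        if ($n -eq $target) { $nameInSan = $true; break }
        # a wildcard entry covers exactly one label (RFC 6125), so *.corp.com does not cover a.b.corp.com
        if ($n.StartsWith("*.") -and $target -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) {
            $nameInSan = $true; break
        }
    }

    # Chain building uses the gateway's own trust store; clients must trust the same chain
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $now = Get-Date

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameInSan     = $nameInSan
        SanDnsNames   = ($dnsNames -join ",")
        InValidity    = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
    }
}

# Usage: check the certificate selected for binding against the public gateway name
$Cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.Subject -like "*rdgateway*" } | Select-Object -First 1
$report = Test-RdGatewayCertificate -Certificate $Cert -PublicName "rdgateway.corp.com"
$report | Format-List
if (-not ($report.HasPrivateKey -and $report.ServerAuthEku -and $report.NameInSan -and
          $report.InValidity -and $report.ChainTrusted)) {
    Write-Warning "Certificate is not suitable for the RD Gateway listener; see the report above."
}
```

A certificate that passes every line here can still fail on clients that do not have the issuing chain, so the ChainTrusted result is only as good as the gateway's own trust store; for a public CA that is the expected case, for an internal PKI the clients need the root too.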
Bind the certificate to the RD Gateway using RD Gateway Manager or WMI. The gateway presents this certificate on the HTTPS transport on TCP 443 (both the RPC-over-HTTP and the newer HTTP transport share that port) and on the optional UDP transport on port 3391.
# Bind the certificate to RD Gateway via WMI
$GWConfig = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class "Win32_TSGatewayServerSettings"
# SetCertificate takes the thumbprint and the store name; "MY" is the Local Computer Personal store
$GWConfig.SetCertificate($Cert.Thumbprint, "MY")
# The HTTPS transport is enabled by default; restart the service so the new binding is
# picked up, then confirm the listener is up on 443
Restart-Service -Name TSGateway
Get-NetTCPConnection -LocalPort 443 -State Listen
Creating a Connection Authorization Policy
A Connection Authorization Policy (CAP) defines who is allowed to connect through the RD Gateway. A CAP specifies the user groups that are permitted, the authentication methods allowed (password, smart card, or both), optionally a client computer group the connecting device must belong to, and the device redirection and timeout settings applied to the session. CAPs are evaluated in order and the first match applies; a user who matches no CAP is refused at the gateway before any internal host is contacted.
Create CAPs through RD Gateway Manager (Server Manager > Tools > Remote Desktop Services > Remote Desktop Gateway Manager, then Policies > Connection Authorization Policies) or through the Win32_TSGatewayConnectionAuthorizationPolicy WMI class.
# Create the CAP in RD Gateway Manager: Policies > Connection Authorization Policies >
# Create New Policy > Custom. On the Requirements tab select Password and add CORP\RD Users;
# on the Device Redirection tab disable redirection unless it is needed; on the Timeouts
# tab set an idle timeout (15 minutes here). Then confirm the result over WMI.
$ns = "root\cimv2\TerminalServices"
# The class also exposes a static Create method for scripted builds. Its parameter list
# differs between Windows Server releases, so enumerate it on this server before using it
# (static methods are called on the class object, not on an instance returned by Get-WmiObject)
$CapClass = [wmiclass]'\\.\root\cimv2\TerminalServices:Win32_TSGatewayConnectionAuthorizationPolicy'
$CapClass.Methods["Create"].InParameters.Properties | Select-Object Name, Type
# Review every CAP; a policy that grants a broad group or enables full device redirection
# deserves a second look
Get-WmiObject -Namespace $ns -Class "Win32_TSGatewayConnectionAuthorizationPolicy" |
    Format-List Name, Enabled, UserGroupNames, *Allowed, DeviceRedirection*, *Timeout*
Creating a Resource Authorization Policy
A Resource Authorization Policy (RAP) defines which internal resources (computers) gateway users are allowed to connect to. A RAP names a user group, a computer group, and the TCP ports allowed (typically 3389 for RDP). The computer group is either an AD security group containing computer accounts or an RD Gateway-managed computer group defined on the gateway itself. The policy editor also offers "any network resource"; avoid that option, since it turns the gateway into an RDP relay to every host it can reach, and the RAP is the only control that limits where a connection may go once the CAP has admitted the user.
# RD Gateway-managed computer groups and RAPs are created with the static Create methods
# of their WMI classes. Enumerate the parameters on this server first; the names used
# below follow the class documentation and should be confirmed against that listing.
$ns = "root\cimv2\TerminalServices"
([wmiclass]'\\.\root\cimv2\TerminalServices:Win32_TSGatewayResourceGroup').Methods["Create"].InParameters.Properties |
    Select-Object Name, Type
([wmiclass]'\\.\root\cimv2\TerminalServices:Win32_TSGatewayResourceAuthorizationPolicy').Methods["Create"].InParameters.Properties |
    Select-Object Name, Type
# Create a managed computer group containing the RD Session Hosts
# (Resources is a semicolon-separated list of names)
Invoke-CimMethod -Namespace $ns -ClassName "Win32_TSGatewayResourceGroup" -MethodName "Create" -Arguments @{
    Name        = "RDSServers"
    Description = "RD Session Host servers"
    Resources   = "rdsh01.corp.local;rdsh02.corp.local"
}
# Create a RAP allowing CORP\RD Users to reach that group on TCP 3389 only.
# ComputerGroupType 0 selects an RD Gateway-managed group; 1 is an AD security group of
# computer accounts; 2 is "any network resource" and should not be used.
Invoke-CimMethod -Namespace $ns -ClassName "Win32_TSGatewayResourceAuthorizationPolicy" -MethodName "Create" -Arguments @{
    Name              = "AllowAccessToRDSHosts"
    Description       = "RD Users to RD Session Hosts over RDP"
    Enabled           = $true
    UserGroupNames    = "CORP\RD Users"
    ComputerGroupType = [uint32]0
    ComputerGroupName = "RDSServers"
    ProtocolNames     = "RDP"
    PortNumbers       = "3389"
}
# Verify the group membership and the policy as stored
Get-WmiObject -Namespace $ns -Class "Win32_TSGatewayResourceGroup" | Format-List Name, Resources
Get-WmiObject -Namespace $ns -Class "Win32_TSGatewayResourceAuthorizationPolicy" |
    Format-List Name, Enabled, UserGroupNames, ComputerGroup*, PortNumbers
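Once a gateway has accumulated a few CAPs and RAPs, the question is no longer how to create them but which of them widen access beyond the pattern this guide uses (one CAP for a dedicated user group, one RAP to a managed computer group on 3389). The function below is an added example, not part of the original guide, and reviews both policy types for the usual mistakes: broad groups such as Domain Users, a RAP that allows any network resource or any port, and a RAP whose user group no CAP admits (a dead rule). The policy objects are constructed inline with the property names the two WMI classes expose (assumed: Name, Enabled and UserGroupNames on both, ComputerGroupType, ComputerGroupName and PortNumbers on RAPs), and ComputerGroupType 2 is taken to be the "any network resource" option, which is also an assumption to confirm on your build.

```powershell
# Added example: audit CAP/RAP objects for access-widening settings. Feed it the output
# of Get-WmiObject for the two classes, or the constructed samples below.
function Find-RiskyGatewayPolicies {
    param(
        [Parameter(Mandatory)][object[]]$Caps,
        [Parameter(Mandatory)][object[]]$Raps,
        # groups too broad to be granted gateway access on their own (assumed list, extend per site)
        [string[]]$BroadGroups = @("Domain Users", "Authenticated Users", "Everyone", "Users")
    )
    function New-Finding([string]$Policy, [string]$Kind, [string]$Issue) {
        [pscustomobject]@{ Policy = $Policy; Kind = $Kind; Issue = $Issue }
    }
    # group lists are "DOMAIN\Group;DOMAIN\Other"; compare on the part after the backslash
    function Get-BroadMembers([string]$GroupList) {
        foreach ($g in ($GroupList -split ";")) {
            $short = ($g -split "\\")[-1].Trim()
            if ($short -and ($BroadGroups -contains $short)) { $g.Trim() }
        }
    }

    $findings = @()
    foreach ($cap in ($Caps | Where-Object Enabled)) {
        foreach ($g in Get-BroadMembers $cap.UserGroupNames) {
            $findings += New-Finding $cap.Name "CAP" "grants gateway access to broad group '$g'"
        }
    }
    # every group admitted by an enabled CAP, used to spot RAP groups that can never connect
    $capGroups = @($Caps | Where-Object Enabled | ForEach-Object { $_.UserGroupNames -split ";" } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($rap in ($Raps | Where-Object Enabled)) {
        foreach ($g in Get-BroadMembers $rap.UserGroupNames) {
            $findings += New-Finding $rap.Name "RAP" "grants resource access to broad group '$g'"
        }
        if ($rap.ComputerGroupType -eq 2) {
            $findings += New-Finding $rap.Name "RAP" "allows any network resource; the gateway will relay RDP to every host it can reach"
        }
        if ($rap.PortNumbers -eq "*") {
            $findings += New-Finding $rap.Name "RAP" "allows any TCP port instead of 3389 only"
        }
        foreach ($g in ($rap.UserGroupNames -split ";" | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($capGroups -notcontains $g) {
                $findings += New-Finding $rap.Name "RAP" "group '$g' is admitted by no CAP (dead rule, or a CAP is missing)"
            }
        }
    }
    return $findings
}

# Constructed sample policies, not real gateway output
$sampleCaps = @(
    [pscustomobject]@{ Name = "AllowRDUsers"; Enabled = $true; UserGroupNames = "CORP\RD Users" },
    [pscustomobject]@{ Name = "LegacyCAP";    Enabled = $true; UserGroupNames = "CORP\Domain Users;CORP\Helpdesk" }
)
$sampleRaps = @(
    [pscustomobject]@{ Name = "AllowAccessToRDSHosts"; Enabled = $true; UserGroupNames = "CORP\RD Users"
                       ComputerGroupType = 0; ComputerGroupName = "RDSServers"; PortNumbers = "3389" },
    [pscustomobject]@{ Name = "AdminsAnywhere"; Enabled = $true; UserGroupNames = "CORP\Domain Users;CORP\Server Admins"
                       ComputerGroupType = 2; ComputerGroupName = ""; PortNumbers = "*" }
)
Find-RiskyGatewayPolicies -Caps $sampleCaps -Raps $sampleRaps | Format-Table -AutoSize
# Against the live gateway:
# Find-RiskyGatewayPolicies `
#     -Caps (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGatewayConnectionAuthorizationPolicy) `
#     -Raps (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGatewayResourceAuthorizationPolicy)
```

On the sample data the audit reports LegacyCAP for Domain Users, and AdminsAnywhere three times: for Domain Users, for the any-resource setting, for the any-port setting, plus a dead-rule note for CORP\Server Admins, which no CAP admits. Run it after every policy change; the gateway itself will happily enforce an over-broad RAP.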
Enabling RD Gateway Monitoring and Logging
The gateway records every connection decision in the Microsoft-Windows-TerminalServices-Gateway/Operational channel, which is enabled by default: who connected, from which client address, to which resource, and which CAP and RAP decisions were made. Size the channel so that history is not overwritten within days, forward it to a central collector or SIEM, and query it for security auditing and troubleshooting.
# Raise the Operational channel's maximum size (bytes) so connection history survives longer
wevtutil sl "Microsoft-Windows-TerminalServices-Gateway/Operational" /ms:104857600
# Confirm the channel is enabled and note its size and record count
Get-WinEvent -ListLog "Microsoft-Windows-TerminalServices-Gateway/Operational" |
    Select-Object LogName, IsEnabled, MaximumSizeInBytes, RecordCount
# View recent gateway events. Get-EventLog only reads classic logs and cannot open this
# channel; use Get-WinEvent.
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-Gateway/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
# Denied connections only (event 201: the user did not meet any CAP)
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-Gateway/Operational"; Id = 201 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
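Reading the last twenty events is enough for troubleshooting, but for monitoring the two questions worth automating are whether one client address is producing a burst of CAP failures (the shape of a password spray aimed at the gateway) and whether anyone has successfully reached a resource outside the RD Session Host list, which would mean a RAP is wider than intended. The function below is an added example, not part of the original guide. Event IDs 201 (CAP not met) and 302 (connected to resource) are the channel's own; the message wording is reproduced from that channel's format, the sample events are constructed rather than captured, and the five-failures-in-ten-minutes threshold is an assumption to tune per site.

```powershell
# Added example: detect CAP-failure bursts per client address and connections to
# unexpected resources in RD Gateway Operational events. Works on any objects with
# Id, TimeCreated and Message, so it runs on Get-WinEvent output or on the samples below.
function Find-GatewayAnomalies {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$ExpectedResources,   # FQDNs the RAP is meant to allow
        [int]$FailureThreshold = 5,                            # assumed threshold
        [int]$WindowMinutes = 10
    )
    $userRx   = 'The user "([^"]+)"'
    $clientRx = 'on client computer "([^"]+)"'
    $resRx    = 'connected to resource "([^"]+)"'
    $findings = @()

    # (a) parse each 201 into (time, user, client); flag a client whose failures within one
    #     window reach the threshold, and report how many distinct users it tried
    $failures = foreach ($e in ($Events | Where-Object Id -eq 201)) {
        $u = [regex]::Match($e.Message, $userRx)
        $c = [regex]::Match($e.Message, $clientRx)
        if ($u.Success -and $c.Success) {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $u.Groups[1].Value; Client = $c.Groups[1].Value }
        }
    }
    foreach ($grp in ($failures | Group-Object Client)) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end    = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            if ($window.Count -ge $FailureThreshold) {
                $users = @($window.User | Sort-Object -Unique).Count
                $findings += [pscustomobject]@{
                    Kind   = "CapFailureBurst"
                    Client = $grp.Name
                    Time   = $sorted[$i].Time
                    Detail = "$($window.Count) CAP failures against $users distinct users within $WindowMinutes min"
                }
                break   # one finding per client address is enough
            }
        }
    }

    # (b) every 302 names the resource reached; anything outside the expected list is a RAP problem
    foreach ($e in ($Events | Where-Object Id -eq 302)) {
        $r = [regex]::Match($e.Message, $resRx)
        $c = [regex]::Match($e.Message, $clientRx)
        if ($r.Success -and ($ExpectedResources -notcontains $r.Groups[1].Value)) {
            $findings += [pscustomobject]@{
                Kind   = "UnexpectedResource"
                Client = $c.Groups[1].Value
                Time   = $e.TimeCreated
                Detail = "connected to $($r.Groups[1].Value), which is not an expected RD Session Host"
            }
        }
    }
    return $findings
}

# Constructed sample events in the channel's message format (not captured from a server)
$t0 = Get-Date "2024-05-01 08:00:00"
$sample = @(0..5 | ForEach-Object {
    [pscustomobject]@{ Id = 201; TimeCreated = $t0.AddSeconds(30 * $_)
        Message = ('The user "CORP\user{0}", on client computer "203.0.113.10", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.' -f $_) }
})
$sample += [pscustomobject]@{ Id = 201; TimeCreated = $t0.AddMinutes(5)
    Message = 'The user "CORP\jsmith", on client computer "198.51.100.7", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.' }
$sample += [pscustomobject]@{ Id = 302; TimeCreated = $t0.AddMinutes(6)
    Message = 'The user "CORP\jsmith", on client computer "198.51.100.7", connected to resource "rdsh01.corp.local". Connection protocol used: "HTTP".' }
$sample += [pscustomobject]@{ Id = 302; TimeCreated = $t0.AddMinutes(7)
    Message = 'The user "CORP\admin", on client computer "198.51.100.7", connected to resource "dc01.corp.local". Connection protocol used: "HTTP".' }

Find-GatewayAnomalies -Events $sample -ExpectedResources @("rdsh01.corp.local", "rdsh02.corp.local") |
    Format-Table Kind, Client, Time, Detail -AutoSize
# Against the live channel:
# Find-GatewayAnomalies -ExpectedResources @("rdsh01.corp.local", "rdsh02.corp.local") -Events (
#     Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-Gateway/Operational"; Id = 201, 302 } -MaxEvents 5000)
```

On the sample data this yields one CapFailureBurst for 203.0.113.10 (six failures across six user names in under three minutes, which is a spray rather than a forgotten password) and one UnexpectedResource for the connection to dc01.corp.local; the single failure from 198.51.100.7 stays below the threshold. The second finding is the more serious one, because the RAP let it through.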
Configuring RD Gateway on Client Machines
Clients connect to internal resources through RD Gateway by specifying the gateway address in the Remote Desktop Connection client. In mstsc.exe, open the Advanced tab, click Settings under "Connect from anywhere", and enter the gateway server name. Alternatively, distribute RDP files with the gateway settings already present.
Example RDP file contents for a gateway-connected session (save as rdsh01_via_gateway.rdp):
full address:s:rdsh01.corp.local
gatewayhostname:s:rdgateway.corp.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
username:s:CORP\jsmith
Here gatewayusagemethod 1 sends every connection through the gateway (2 would bypass it for addresses reachable directly, which defeats the point on a roaming laptop), gatewayprofileusagemethod 1 applies these explicit settings rather than Group Policy defaults, gatewaycredentialssource 4 lets the user choose the credential type when connecting, and promptcredentialonce 1 reuses the gateway credentials for the RD Session Host so the user is prompted once.
Firewall Configuration
The RD Gateway server requires inbound HTTPS (TCP 443) from the internet, plus inbound UDP 3391 only if the UDP transport is wanted; nothing else needs to be exposed. The internal firewall must allow the gateway to reach RD Session Hosts on TCP 3389 and, for a domain-joined gateway, the domain controllers it authenticates against. Scope the 3389 rule to the Session Host addresses rather than the whole internal network, so that a compromised gateway cannot be used as a relay to arbitrary hosts. This still leaves a far smaller attack surface than exposing RDP directly.
# Allow HTTPS inbound on the RD Gateway server (the only port that must face the internet)
New-NetFirewallRule -DisplayName "RD Gateway HTTPS Inbound" `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
# Optional: the UDP transport on 3391; leave it closed if TCP alone is acceptable
New-NetFirewallRule -DisplayName "RD Gateway UDP Inbound" `
    -Direction Inbound -Protocol UDP -LocalPort 3391 -Action Allow
# Allow the gateway to reach the RD Session Hosts on 3389, scoped to their addresses
# (example addresses). Windows Firewall allows outbound traffic by default, so this rule
# only takes effect if the outbound default is set to Block, which is what makes the scope meaningful.
New-NetFirewallRule -DisplayName "RD Gateway to RDSH Internal" `
    -Direction Outbound -Protocol TCP -RemotePort 3389 `
    -RemoteAddress 10.10.20.11, 10.10.20.12 -Action Allow
Monitoring Active Gateway Connections
View active connections through the RD Gateway Manager console or query via WMI to monitor who is connected through the gateway.
# List active connections through RD Gateway
$ns = "root\cimv2\TerminalServices"
Get-WmiObject -Namespace $ns -Class "Win32_TSGatewayConnection" |
    Select-Object UserName, ClientAddress, ConnectedResource, IdleTime, ConnectedTime | Format-Table -AutoSize
# Disconnect every gateway session belonging to one user (a user may hold several at once)
Get-WmiObject -Namespace $ns -Class "Win32_TSGatewayConnection" |
    Where-Object { $_.UserName -eq "CORP\jsmith" } |
    ForEach-Object { $_.Disconnect() | Out-Null }
Conclusion
Remote Desktop Gateway on Windows Server 2019 provides secure external access to internal RDP resources without exposing port 3389 directly. The combination of an HTTPS transport authenticated by a trusted server certificate, Connection Authorization Policies that decide who may connect, and Resource Authorization Policies that decide where they may go creates a multi-layered access control framework, backed by an Operational log that records every decision. By deploying RD Gateway in the DMZ with tightly scoped CAPs and RAPs, organisations can enable secure remote work for users connecting from outside the corporate network while keeping granular control over which users can reach which internal resources.