How to Configure Remote Desktop Gateway on Windows Server 2012 R2

RD Gateway enables Remote Desktop connections from the internet to internal RDS servers or individual Windows computers without requiring a VPN. It wraps RDP traffic in HTTPS (SSL/TLS on port 443), allowing connections through corporate firewalls and NAT devices that typically block port 3389. Users authenticate at the RD Gateway using their domain credentials, and the gateway policy controls which internal resources they can reach. This guide covers the installation, SSL certificate configuration, Connection Authorization Policies (CAPs), Resource Authorization Policies (RAPs), and client configuration for RD Gateway.

How RD Gateway Works

RDP clients connect to the RD Gateway server on TCP 443 (HTTPS). After authentication, the RD Gateway forwards the RDP session to the target internal server on TCP 3389. The RDP client communicates with the internal resource through the gateway as a proxy, with the gateway decrypting and re-encrypting the traffic. This provides:

  • Firewall traversal without a VPN (only port 443 required)
  • Centralised access control through CAPs and RAPs
  • SSL certificate validation ensuring users connect to a legitimate gateway
  • Device-level authentication options (smart card, NLA)

Prerequisites

  • Windows Server 2012 R2 with IIS installed (required by RD Gateway)
  • A public SSL certificate for the gateway’s public FQDN (e.g., gateway.company.com) from a trusted CA
  • DNS pointing the public FQDN to the gateway’s public IP
  • Port 443 forwarded from the public IP to the RD Gateway server
  • Active Directory user accounts for gateway users

Step 1 — Install the RD Gateway Role

Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

This also installs IIS and the Network Policy and Access Services components required for RD Gateway authentication.

Step 2 — Configure the SSL Certificate

The SSL certificate must match the public FQDN users connect to. Import the certificate and configure it for RD Gateway:

# Import the PFX certificate (prompt for the password rather than embedding it in the script):
$CertPwd = Read-Host -Prompt "PFX password" -AsSecureString
$Cert = Import-PfxCertificate -FilePath "C:\Certs\gateway.company.com.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password $CertPwd

# Configure RD Gateway to use the certificate, identified by its thumbprint:
$GWConfig = Get-WmiObject -Namespace "root\CIMV2\TerminalServices" -Class "Win32_TSGatewayServerSettings"
$GWConfig.SetCertificate($Cert.Thumbprint)
$GWConfig.Put()

Alternatively, use the RD Gateway Manager GUI: right-click the server name and select Properties > SSL Certificate tab.

Step 3 — Create a Connection Authorization Policy (CAP)

A CAP defines which users are allowed to connect through the RD Gateway. At minimum, specify the user groups authorised to use the gateway:

Import-Module RemoteDesktopServices   # provides the RDS: drive used below
New-Item -Path "RDS:\GatewayServer\CAP" -Name "Allow-Domain-Users" -UserGroups "Domain Users@DOMAIN" -AuthMethod 1

Authentication method values:

  • 1 = Password only
  • 2 = Smart card only
  • 3 = Password or smart card

More detailed CAP configuration using WMI:

$CAPClass = [WmiClass]"root\CIMV2\TerminalServices:Win32_TSGatewayConnectionAuthorizationPolicy"
$CAP = $CAPClass.CreateInstance()
$CAP.Name = "Allow-VPN-Users"
$CAP.Status = 1  # Enabled
$CAP.AuthMethod = 1  # Password
$CAP.PasswordEnabled = $true
$CAP.UserGroupNames = "DOMAIN\VPN-Users"  # WMI expects DOMAIN\Group
$CAP.DeviceRedirectionType = 0  # All redirection
$CAP.Put()

Step 4 — Create a Resource Authorization Policy (RAP)

A RAP defines which internal network resources (computers) users can reach through the gateway. It can restrict access to specific computers, a computer group (AD group), or an entire subnet:

New-Item -Path "RDS:\GatewayServer\RAP" -Name "Allow-RDS-Servers" -UserGroups "Domain Users@DOMAIN" -ComputerGroupType 2 -ComputerGroup "DOMAIN\RDS-Servers"

ComputerGroupType values:

  • 0 = Specific AD group
  • 1 = Specific DNS name
  • 2 = AD group (use with -ComputerGroup)
  • 3 = Allow any computer

Create an Active Directory group and add the target RDS servers to it:

Import-Module ActiveDirectory
New-ADGroup -Name "RDS-Servers" -GroupScope Global -GroupCategory Security
# Computer accounts are addressed by their sAMAccountName, which ends in "$":
Add-ADGroupMember -Identity "RDS-Servers" -Members "rdsh01$", "rdsh02$", "rdcb$"

Step 5 — Configure the RD Gateway in the RDS Deployment

Configure the RDS deployment to route external connections through the RD Gateway:

Set-RDDeploymentGatewayConfiguration -ConnectionBroker "rdcb.domain.com" -GatewayMode Custom -GatewayExternalFqdn "gateway.company.com" -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true

The -BypassLocal setting ensures that users connecting from inside the corporate network do not use the gateway, connecting directly instead.

Step 6 — Configure the RD Gateway on the Client

When a user opens the Remote Desktop client (mstsc.exe) to connect through the gateway:

  1. Open mstsc and enter the target server name
  2. Click Show Options > Advanced > Settings (under Connection settings / RD Gateway)
  3. Select Use these RD Gateway server settings
  4. Enter the gateway FQDN: gateway.company.com
  5. Select the logon method and check Use my RD Gateway credentials for the remote computer to use the same credentials for both

For automated deployment, configure gateway settings in an .rdp file:

full address:s:rdsh01.domain.com
gatewayhostname:s:gateway.company.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1

Step 7 — Monitor Gateway Connections

# View active gateway connections (the RDS: drive comes from the RemoteDesktopServices module):
Import-Module RemoteDesktopServices
Get-Item -Path "RDS:\GatewayServer\MonitoredConnections" | Get-ChildItem

# View the 20 most recent gateway events (Get-WinEvent returns newest first):
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-Gateway/Admin" | Select-Object -First 20 TimeCreated, Id, Message
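The Admin log above is also the place to spot authorization failures. The following function is an added example, not part of the original guide: it summarises CAP and RAP denials per user and client address, keying on the message wording ("did not meet ... authorization policy requirements") rather than on event IDs; the threshold parameter, the sample events and their IDs are constructed for the example.

```powershell
# Added example: group RD Gateway policy denials by user and client address.
# Real use: Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-Gateway/Admin" | Get-RDGatewayDenial
function Get-RDGatewayDenial {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [object[]] $InputEvent,
        [int] $Threshold = 3    # assumed value: flag a user/client pair at this many denials or more
    )
    begin { $Rows = @() }
    process {
        foreach ($E in $InputEvent) {
            if ($E.Message -notmatch 'did not meet') { continue }   # keep only denials
            if ($E.Message -match 'The user "([^"]+)", on client computer "([^"]+)"') {
                $User = $Matches[1]; $Client = $Matches[2]        # capture before the next -match resets $Matches
                $Policy = if ($E.Message -match 'resource authorization') { 'RAP' } else { 'CAP' }
                $Rows += [pscustomobject]@{ Time = $E.TimeCreated; User = $User; Client = $Client; Policy = $Policy }
            }
        }
    }
    end {
        $Rows | Group-Object User, Client | ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].User
                Client   = $_.Group[0].Client
                Denials  = $_.Count
                CAP      = @($_.Group | Where-Object Policy -eq 'CAP').Count
                RAP      = @($_.Group | Where-Object Policy -eq 'RAP').Count
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
                Flagged  = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Denials -Descending
    }
}

# Constructed sample events shaped like Get-WinEvent output (TimeCreated, Id, Message); IDs are illustrative.
$Now = Get-Date
$Sample = 1..4 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $Now.AddMinutes(-$_); Id = 201
        Message = 'The user "DOMAIN\jdoe", on client computer "203.0.113.5", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.' }
}
$Sample += [pscustomobject]@{ TimeCreated = $Now; Id = 301
    Message = 'The user "DOMAIN\asmith", on client computer "198.51.100.7", did not meet resource authorization policy requirements and was therefore not authorized to connect to the resource "fileserver01".' }
$Sample += [pscustomobject]@{ TimeCreated = $Now; Id = 200
    Message = 'The user "DOMAIN\asmith", on client computer "198.51.100.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server.' }
$Sample | Get-RDGatewayDenial | Format-Table -AutoSize
```

On the sample data jdoe from 203.0.113.5 shows four CAP denials and is flagged, while asmith shows a single RAP denial (the successful CAP event is ignored).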

Step 8 — Harden RD Gateway Security

# Disable SSL 3.0 and TLS 1.0 server-side in SCHANNEL (system-wide; RD Gateway and IIS use it).
# Add "TLS 1.1" to the list to require TLS 1.2+. The change takes effect after a reboot.
foreach ($Proto in "SSL 3.0", "TLS 1.0") {
    $Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Proto\Server"
    New-Item -Path $Key -Force | Out-Null   # the key does not exist by default
    Set-ItemProperty -Path $Key -Name "Enabled" -Value 0 -Type DWord
}

Summary

RD Gateway on Windows Server 2012 R2 provides secure, firewall-friendly remote access to RDS infrastructure and individual Windows computers over HTTPS. By creating Connection Authorization Policies to define who can use the gateway and Resource Authorization Policies to define what they can access, you maintain granular control over remote access without requiring VPN infrastructure. A properly configured RD Gateway with a trusted SSL certificate, NLA authentication, and TLS hardening provides enterprise-grade security for remote users connecting from outside the corporate network.