How to Set Up Windows Server 2016 Remote Desktop Gateway

Remote Desktop Gateway (RD Gateway) is a role service in Windows Server 2016 Remote Desktop Services that enables authorised users to connect to internal network resources through HTTPS. Instead of exposing RDP port 3389 directly to the internet (which is a major security risk), RD Gateway tunnels RDP traffic inside HTTPS on port 443, providing encrypted, firewall-friendly remote access. This guide covers installing the RD Gateway role, configuring SSL certificates, creating connection authorisation policies, and testing the setup.

How RD Gateway Works

When a user connects through RD Gateway, their Remote Desktop Connection client establishes an HTTPS connection to the Gateway server on port 443. The Gateway server authenticates the user, checks authorisation policies, and then proxies the RDP connection to the internal target resource (an RDSH server, a workstation, or any RDP-enabled computer). The target resource never needs to be directly exposed to the internet. This architecture dramatically reduces attack surface compared to direct RDP exposure.

Prerequisites

You need a Windows Server 2016 server with a public IP address or a NAT rule forwarding port 443 to it. A valid SSL certificate for the Gateway’s public FQDN (for example rdgateway.contoso.com) is required; a self-signed certificate works for testing but will generate client warnings. The FQDN must be resolvable from the internet via DNS. The server needs the Web Server (IIS) role and the Network Policy and Access Services role as dependencies.

Step 1: Install the RD Gateway Role Service

Install the RD Gateway role service using PowerShell:

Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

Or use Server Manager: Add Roles and Features > Remote Desktop Services > Remote Desktop Gateway. Accept all dependency prompts including Web Server (IIS) and Network Policy and Access Services, then click Install. No restart is typically required.

Step 2: Obtain and Bind an SSL Certificate

For production, request a certificate from a public CA (Let’s Encrypt, DigiCert, etc.) for your Gateway’s FQDN. Import the certificate into the local machine’s Personal certificate store:

# Import the PFX into the Local Machine Personal store (the backslashes in both paths are required).
# In production, prompt for the PFX password (Read-Host -AsSecureString) rather than embedding it in a script.
Import-PfxCertificate -FilePath "C:\Certs\rdgateway.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password (ConvertTo-SecureString -String "CertPassword123" -AsPlainText -Force)

To generate a self-signed certificate for testing:

# Self-signed certificate for the Gateway FQDN, stored in the Local Machine Personal store (testing only).
$cert = New-SelfSignedCertificate -DnsName "rdgateway.contoso.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage DigitalSignature, KeyEncipherment -NotAfter (Get-Date).AddYears(2)
# Note the thumbprint; RD Gateway Manager lets you pick the certificate by it in Step 3.
Write-Host "Thumbprint: $($cert.Thumbprint)"
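Before binding a certificate in Step 3, it is worth checking that the one in the store is actually usable: it must carry a private key, cover the Gateway's public FQDN, not be close to expiry, and (for production) chain to a trusted CA. The following PowerShell is an added example for this guide, not part of the original text; it assumes the FQDN rdgateway.contoso.com and that the certificate has already been imported into Cert:\LocalMachine\My as above. The 30-day expiry warning is an arbitrary threshold chosen for the example.

```powershell
# Added example: sanity-check the certificate intended for RD Gateway.
# Assumptions: FQDN is rdgateway.contoso.com; certificate already in Cert:\LocalMachine\My.
$Fqdn = "rdgateway.contoso.com"

# Newest unexpired certificate whose subject/SAN list covers the FQDN.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for $Fqdn found in Cert:\LocalMachine\My"
}

$problems = @()

# RD Gateway terminates TLS itself, so it needs the private key, not just the public part.
if (-not $cert.HasPrivateKey) { $problems += "certificate has no private key" }

# Issuer equal to subject means self-signed: acceptable for a lab, a client warning in production.
if ($cert.Subject -eq $cert.Issuer) { $problems += "certificate is self-signed (clients will warn)" }

# Flag certificates that expire within 30 days (threshold chosen for this example).
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }

# Test-Certificate (PKI module) builds and validates the chain for the SSL policy
# and the given DNS name; it returns $false if the chain is untrusted or the name does not match.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue)) {
    $problems += "chain does not validate for $Fqdn under the SSL policy"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is usable for RD Gateway"
} else {
    Write-Warning ("Certificate $($cert.Thumbprint) has issues: " + ($problems -join "; "))
}
```

Run this on the Gateway server in an elevated PowerShell session. A self-signed test certificate will fail the chain check and the self-signed check; that is expected, and the warnings are the same ones users would otherwise see only when they connect.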

Step 3: Configure the RD Gateway Server

Open RD Gateway Manager from Administrative Tools. In the left pane, right-click the server name and select Properties. On the SSL Certificate tab, select a certificate from the list or browse to the certificate by thumbprint. Click Apply.

On the Transport Settings tab, verify that HTTPS (port 443) is enabled. You can also enable UDP transport for better performance if your firewall allows UDP 3391.

In a deployment managed by an RD Connection Broker, the Gateway settings can also be applied with the RemoteDesktop module. The cmdlet below sets the external FQDN, logon method and local-bypass behaviour for the deployment; it does not assign the certificate, which is bound as described above (or via Set-RDCertificate -Role RDGateway):

Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn "rdgateway.contoso.com" -LogonMethod AllowUserToSelectDuringConnection -UseCachedCredentials $true -BypassLocal $true -ConnectionBroker "rdbroker.contoso.com"

Step 4: Create a Connection Authorisation Policy (RD CAP)

An RD Connection Authorisation Policy (RD CAP) defines which users are permitted to connect through the RD Gateway. Open RD Gateway Manager, expand Policies, right-click Connection Authorization Policies, and select Create New Policy > Wizard. Name the policy (for example, “Allow-RDAccess”), select Enable this policy, and add the security groups whose members are allowed to connect through the Gateway (for example, Domain Users or a specific RDS Users group). Configure the allowed client devices (managed devices, unmanaged, or all) and device redirection settings, then finish the wizard.

# Equivalent CAP via the RDS provider. Backslashes in the provider path and the domain\group name are required.
# -AuthMethod 1 = password authentication.
New-Item -Path "RDS:\GatewayServer\CAP" -Name "AllowDomainUsers" -UserGroups "domain.local\Domain Users" -AuthMethod 1

Step 5: Create a Resource Authorisation Policy (RD RAP)

An RD Resource Authorisation Policy (RD RAP) defines which internal network resources users can connect to through the Gateway. Right-click Resource Authorization Policies and select Create New Policy > Wizard. Name the policy, select Enable this policy, and add the user or group allowed under this policy. On the Network Resource page, choose the target resources: allow users to connect to any network resource, or specify a specific computer group. A computer group can contain explicit computer names or a managed computer group object.

To create a Gateway-managed computer group containing specific internal servers and a RAP that permits only that group:

# Gateway-managed computer group listing the permitted internal hosts.
New-Item -Path "RDS:\GatewayServer\GatewayManagedComputerGroups" -Name "InternalRDSH" -Description "Internal RDSH hosts" -Computers "rdsh01.domain.local"
# RAP restricted to that group. -ComputerGroupType 0 = RD Gateway-managed computer group
# (1 = Active Directory network resource group, 2 = any network resource; avoid 2 in production).
New-Item -Path "RDS:\GatewayServer\RAP" -Name "AllowInternalRDSH" -UserGroups "domain.local\Domain Users" -ComputerGroupType 0 -ComputerGroup "InternalRDSH"
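Because the CAP decides who may reach the Gateway and the RAP decides what they may reach, the two together are the Gateway's least-privilege boundary, and they drift over time. The script below is an added example, not part of the original guide, that audits the enabled policies for over-broad grants: CAPs assigned to catch-all groups and RAPs that allow any network resource or any port. It assumes the RDS provider layout as documented for the RemoteDesktopServices module, namely that each policy under RDS:\GatewayServer\CAP and RDS:\GatewayServer\RAP exposes its settings as child items with a CurrentValue property and that UserGroups is a container whose children are the group names; the list of "broad" groups is a choice made for this example.

```powershell
# Added example: audit RD Gateway CAPs and RAPs for over-broad grants.
# Assumption: RDS provider layout (settings as child items with CurrentValue; UserGroups as a container).
Import-Module RemoteDesktopServices -ErrorAction Stop

# Groups that effectively grant everyone access; flagged as findings (example choice).
$BroadGroups = @("Domain Users", "Authenticated Users", "Everyone")

function Get-RdgSetting {
    param([string]$PolicyPath, [string]$Setting)
    (Get-Item -Path "$PolicyPath\$Setting" -ErrorAction Stop).CurrentValue
}

function Get-BareGroupName {
    # Group names may come back as DOMAIN\Group or Group@domain; return just "Group".
    param([string]$Name)
    if ($Name -match '\\') { return ($Name -split '\\')[-1] }
    return ($Name -split '@')[0]
}

$findings = @()

foreach ($cap in Get-ChildItem -Path "RDS:\GatewayServer\CAP") {
    $path = "RDS:\GatewayServer\CAP\$($cap.Name)"
    if ((Get-RdgSetting $path "Status") -ne 1) { continue }   # disabled policy, skip
    foreach ($g in (Get-ChildItem -Path "$path\UserGroups").Name) {
        if ($BroadGroups -contains (Get-BareGroupName $g)) {
            $findings += [pscustomobject]@{ Policy = "CAP:$($cap.Name)"; Issue = "grants Gateway access to broad group '$g'" }
        }
    }
}

foreach ($rap in Get-ChildItem -Path "RDS:\GatewayServer\RAP") {
    $path = "RDS:\GatewayServer\RAP\$($rap.Name)"
    if ((Get-RdgSetting $path "Status") -ne 1) { continue }
    # ComputerGroupType 2 = "allow users to connect to any network resource".
    if ((Get-RdgSetting $path "ComputerGroupType") -eq 2) {
        $findings += [pscustomobject]@{ Policy = "RAP:$($rap.Name)"; Issue = "allows connection to ANY network resource" }
    }
    # PortNumbers "*" allows any TCP port, not just RDP 3389.
    if ((Get-RdgSetting $path "PortNumbers") -eq "*") {
        $findings += [pscustomobject]@{ Policy = "RAP:$($rap.Name)"; Issue = "allows any port (PortNumbers = *)" }
    }
    foreach ($g in (Get-ChildItem -Path "$path\UserGroups").Name) {
        if ($BroadGroups -contains (Get-BareGroupName $g)) {
            $findings += [pscustomobject]@{ Policy = "RAP:$($rap.Name)"; Issue = "applies to broad group '$g'" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No over-broad CAP/RAP grants found."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it on the Gateway server with administrative rights. A finding is not automatically wrong (a lab may legitimately allow Domain Users), but each one should be a deliberate decision rather than a leftover from the wizard defaults.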

Step 6: Configure the Client for Gateway Connection

On client machines, open Remote Desktop Connection (mstsc.exe), click Show Options, and go to the Advanced tab. Click Settings under Connect from anywhere. Check Use these RD Gateway server settings and enter the FQDN of your Gateway (for example rdgateway.contoso.com). Select the logon method (usually Allow me to select later or Ask for password). Check Bypass RD Gateway server for local addresses to avoid routing local LAN connections through the Gateway. Click OK and connect.

Alternatively, distribute a pre-configured .rdp file:

full address:s:rdsh01.domain.local
gatewayhostname:s:rdgateway.contoso.com
gatewayusagemethod:i:1
gatewayaccesstoken:s:
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:3

Step 7: Enable Logging and Monitor Connections

RD Gateway maintains logs in the Windows Event Log under Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway. Monitor these logs for authentication failures, policy denials, and successful connections. Enable verbose logging in RD Gateway Manager under Server Properties > Audit tab.

# Most recent 30 Gateway events (-MaxEvents avoids reading the whole log before selecting).
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-Gateway/Operational" -MaxEvents 30 | Select-Object TimeCreated, Id, Message
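Scrolling raw messages does not make repeated failures stand out. The script below is an added example for this guide (not part of the original text) that summarises policy denials from the operational log by source address and by user. It assumes the documented event IDs 201 (user did not meet CAP requirements) and 301 (user did not meet RAP requirements), and that each event's XML payload carries a UserData/EventInfo element with Username, IpAddress and Resource fields; the 24-hour window and the alert threshold of 5 denials are arbitrary values chosen for the example.

```powershell
# Added example: summarise RD Gateway CAP/RAP denials from the operational log.
# Assumptions: event IDs 201/301; EventInfo payload with Username, IpAddress, Resource.
# Save as Get-RdgDenials.ps1 and run on the Gateway server.
param(
    [int]$Hours = 24,           # look-back window (example value)
    [int]$AlertThreshold = 5    # denials from one source that trigger a warning (example value)
)

$filter = @{
    LogName   = "Microsoft-Windows-TerminalServices-Gateway/Operational"
    Id        = 201, 301
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No CAP/RAP denials in the last $Hours hours."
    return
}

# Pull the structured fields out of each event's XML instead of parsing the message text.
$records = foreach ($e in $events) {
    $info = ([xml]$e.ToXml()).Event.UserData.EventInfo
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Kind     = if ($e.Id -eq 201) { "CAP denied" } else { "RAP denied" }
        User     = $info.Username
        SourceIp = $info.IpAddress
        Resource = $info.Resource   # present on RAP events; empty on CAP events
    }
}

# Denials per source IP: many denials from one address indicate credential guessing
# or a misconfigured client, and deserve a look either way.
$bySource = $records | Group-Object SourceIp | Sort-Object Count -Descending
$bySource | Select-Object @{n = "SourceIp"; e = { $_.Name }}, Count | Format-Table -AutoSize

foreach ($g in $bySource) {
    if ($g.Count -ge $AlertThreshold) {
        $users = ($g.Group.User | Sort-Object -Unique) -join ", "
        Write-Warning "$($g.Count) denials from $($g.Name) in the last $Hours h (users: $users)"
    }
}

# Denials per user and policy type: a legitimate user repeatedly hitting RAP denials
# usually means the RAP computer group does not include their target host.
$records | Group-Object User, Kind | Sort-Object Count -Descending |
    Select-Object @{n = "User / Kind"; e = { $_.Name }}, Count | Format-Table -AutoSize
```

For continuous monitoring, forward this log to your SIEM or schedule the script and send the warnings on; the same two event IDs are the ones to alert on there.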

Security Recommendations

Always use a valid SSL certificate from a trusted CA for production deployments; clients will receive certificate warnings with self-signed certs, undermining security hygiene. Enable multi-factor authentication using Network Policy Server (NPS) with RADIUS-based MFA to add a second factor for Gateway connections. Restrict RD CAP membership to the minimum required groups. Consider using Azure AD Application Proxy or Azure Virtual Desktop as modern alternatives that eliminate the need for an internet-facing RD Gateway entirely.

RD Gateway on Windows Server 2016 provides a secure, scalable, and standards-based solution for remote access to internal resources using existing infrastructure and without purchasing additional VPN solutions.