Deploying Remote Desktop Gateway

Written by

Updated at May 7, 2025

Get your cloud ready
- Required paid resources
Create a cloud network and subnets
Create a security group
Create a gateway VM
Configure the RDGW role
Test the RDGW
How to delete the resources you created

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

Remote Desktop Gateway (RDGW) is a Windows Server role which allows you to access internal network resources over HTTPS.

In this scenario, users from the Administrators group will access a test VM with a self-signed certificate.

To deploy the Remote Desktop Gateway infrastructure:

If you no longer need the resources you created, delete them.

Get your cloud ready

Navigate to the management console and log in to Yandex Cloud or register a new account.
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

Required paid resources

The cost of RDGW infrastructure includes:

Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
Fee for dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
Fee for Yandex Cloud outbound internet traffic (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create the rdgw-network cloud network with a subnet in the availability zone where your VMs will reside.

Create a cloud network.
Management console

CLI

API
1. Navigate to the folder where you want to create your cloud network and select VPC.
2. Click Create network.
3. Specify the network name: rdgw-network.
4. Click Create network.
```
yc vpc network create --name rdgw-network
```
Where rdgw-network is the network name.

Result:
```
id: qqppl6fduhct76qkjh6s
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:07Z"
name: rdgw-network
default_security_group_id: enpa139ji55jti00u5sg
```
Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
Create a subnet in rdgw-network.
Management console

CLI

API
1. Select VPC in the folder where you created the network.
2. Click the name of your cloud network.
3. Click Add subnet.
4. Specify rdgw-subnet as the subnet name and select the availability zone from the drop-down list (e.g., ru-central1-d).
5. Specify the subnet CIDR IP address range: 10.1.0.0/16. For more information about IP address ranges, see Cloud networks and subnets.
6. Click Create subnet.
```
yc vpc subnet create `
  --name rdgw-subnet `
  --zone ru-central1-d `
  --network-name rdgw-network `
  --range 10.1.0.0/16
```
Where rdgw-subnet is the subnet name.

Result:
```
id: e9b95m6al33r********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:49:21Z"
name: rdgw-subnet
network_id: qqppl6fduhct********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.1.0.0/16
```
Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a security group

Create and configure a security group.

Management console

CLI

API

Select VPC in the folder where you want to create a security group.
Open the Security groups tab.
Click Create group.
Specify the security group name: my-rdgw-sg.
In the Network field, select the security group network: rdgw-network.

Under Rules, create the following network traffic rules using the instructions below the table:

Traffic direction	Description	Port range	Protocol	Source type	Source/Destination
Inbound	icmp	—	ICMP	CIDR	0.0.0.0/0
Inbound	self-security	Any	Any	Security group	Current
Inbound	tcp	3389	TCP	CIDR	0.0.0.0/0
Inbound	rdgw	443	TCP	CIDR	0.0.0.0/0
Outbound	default	Any	Any	CIDR	0.0.0.0/0

Select the Outgoing traffic or Incoming traffic tab.
Click Add rule.
In the Port range field of the window that opens, specify a port or range of ports open for inbound or outbound traffic.
In the Protocol field, specify the protocol or leave Any to allow traffic over any protocol.
In the Source or Destination field, select the scope of the rule:
- CIDR: Rule will apply to a range of IP addresses. In the CIDR blocks field, specify CIDR IP address ranges of source or destination subnets, respectively. To add multiple CIDRs, click Add CIDR.
- Security group: Rule will apply to the current or the selected security group VMs.
Click Save. Repeat the steps to create all the rules from the table.

Click Save.

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default

Result:

id: enp136p8s2ae********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct********
status: ACTIVE
rules:
- id: env98jerk9b3********
  description: icmp
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
  v4_cidr_blocks:
   - 0.0.0.0/0

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.

Configure the RDGW role

Connect to the created VM via RDP.

Install the required role and management tools:

Install-WindowsFeature RDS-Gateway -IncludeManagementTools

Result:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Network Policy and Access Services, Remot...

Import the RDS module:

Import-Module -Name RemoteDesktopServices

Create a client access policy allowing members of the Administrators group to connect to the RDGW. You can do this using a Windows PowerShell drive that is automatically installed with the role:

New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'

Result:

    Directory: RDS:\GatewayServer\CAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-CAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

Create a resource access policy allowing members of the Administrators groups to connect to internal resources through the RDGW.

New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'

Result:

    Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

Create your RDGW server certificate that will be used for traffic encryption:

$Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME

Export the created certificate so the gateway clients can upload it to their Trusted Roots Certificate Authorities certificate stores. This is required to trust your self-signed certificate:

$Certificate | Export-Certificate -FilePath "C:\REGW.cer"

Result:

    Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

Configure RDGW to use your certificate and restart the RDG service to apply the settings:

Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
Get-Service TSGateway | Restart-Service

Result:

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/9/2021  11:51 AM            796 REGW.cer

The RDGW VM allows members of the BUILTIN\Administrators group to connect to internal network VMs.

Test the RDGW

Create an internal network VM to which you will connect during the test.
Management console

CLI

API
1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.
2. Under Boot disk image:
  - Navigate to the Custom tab.
  - Click Select and select Create in the window that opens.
  - In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
  - Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
  - Click Add disk.
3. Under Location, select the ru-central1-d availability zone.
4. Under Disks and file storages, specify your boot disk size: 60 GB.
5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
  - Platform: Intel Ice Lake
  - vCPU: 2
  - Guaranteed vCPU performance: 100%
  - RAM: 4 GB
6. Under Network settings, specify:
  - Subnet: rdgw-subnet
  - Public IP address: No address
7. Under General information, specify the VM name: test-vm.
8. Click Create VM.
Wait for the VM status to change to Running and reset the password:
1. Select the VM.
2. Click Reset password.
3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
4. Click Generate password.
5. Save the New password. It will become unavailable once you close the window.
Create a VM:
```
yc compute instance create `
  --name test-vm `
  --hostname test-vm `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-d `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass
```
Result:
```
done (19s)
id: fhm5pflreh2j********
folder_id: big67u7m5flp********
created_at: "2021-06-09T11:53:03Z"
name: test-vm
zone_id: ru-central1-d
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmmf65nlbt1********
auto_delete: true
disk_id: fhmmf65nlbt1********
network_interfaces:
- index: "0"
  mac_address: d0:0d:5d:ef:bb:74
  subnet_id: e9b95m6al33r********
  primary_v4_address:
  address: 10.1.0.4
  fqdn: test-vm.ru-central1.internal
  scheduling_policy: {}
  network_settings:
  type: STANDARD
  placement_policy: {}
```
Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.
Import your RDGW certificate file to the Trusted Roots Certificate Authorities directory of the computer you will connect to the test VM.

To connect to the gateway by the VM name, specify its name and external IP address in the C:\Windows\system32\drivers\etc\hosts file. Here is an example:
```
87.250.250.242 my-rds-gw
```
Run the mstsc remote desktop client. On the Advanced tab of the connection settings, specify the gateway: my-rds-gw, destination node: test-vm, and username: Administrator.

How to delete the resources you created

If you no longer need the resources you created, i.e., VMs and networks, delete them.

Deploying Remote Desktop Gateway

Get your cloud readyGet your cloud ready

Required paid resourcesRequired paid resources

Create a cloud network and subnetsCreate a cloud network and subnets

Create a security groupCreate a security group

Create a gateway VMCreate a gateway VM

Configure the RDGW roleConfigure the RDGW role

Test the RDGWTest the RDGW

How to delete the resources you createdHow to delete the resources you created

Was the article helpful?

Get your cloud ready

Required paid resources

Create a cloud network and subnets

Create a security group

Create a gateway VM

Configure the RDGW role

Test the RDGW

How to delete the resources you created