Deploying Remote Desktop Gateway
Warning
In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.
Remote Desktop Gateway (RDGW) is a Windows Server role which allows you to access internal network resources over HTTPS.
In this scenario, users from the Administrators group will access a test VM through the gateway, which uses a self-signed certificate.
To deploy the Remote Desktop Gateway infrastructure:
- Get your cloud ready.
- Create a cloud network and subnets.
- Create a security group.
- Create a gateway VM.
- Configure the RDGW role.
- Test the RDGW.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Note
Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.
Required paid resources
The cost of RDGW infrastructure includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for Yandex Cloud outbound internet traffic (see Yandex Compute Cloud pricing).
Create a cloud network and subnets
Create the rdgw-network cloud network with a subnet in the availability zone where your VMs will reside.
- Create a cloud network.
  Management console:
  - Navigate to the folder where you want to create your cloud network and select VPC.
  - Click Create network.
  - Specify the network name: rdgw-network.
  - Click Create network.
  CLI:
  ```
  yc vpc network create --name rdgw-network
  ```
  Where rdgw-network is the network name.
  Result:
  ```
  id: qqppl6fduhct76qkjh6s
  folder_id: big67u7m5flplkc6vvpc
  created_at: "2021-06-09T10:49:07Z"
  name: rdgw-network
  default_security_group_id: enpa139ji55jti00u5sg
  ```
  API: Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
- Create a subnet in rdgw-network.
  Management console:
  - Select VPC in the folder where you created the network.
  - Click the name of your cloud network.
  - Click Add subnet.
  - Specify rdgw-subnet as the subnet name and select the availability zone from the drop-down list (e.g., ru-central1-d).
  - Specify the subnet CIDR IP address range: 10.1.0.0/16. For more information about IP address ranges, see Cloud networks and subnets.
  - Click Create subnet.
  CLI:
  ```
  yc vpc subnet create `
    --name rdgw-subnet `
    --zone ru-central1-d `
    --network-name rdgw-network `
    --range 10.1.0.0/16
  ```
  Where rdgw-subnet is the subnet name.
  Result:
  ```
  id: e9b95m6al33r********
  folder_id: big67u7m5flp********
  created_at: "2021-06-09T10:49:21Z"
  name: rdgw-subnet
  network_id: qqppl6fduhct********
  zone_id: ru-central1-d
  v4_cidr_blocks:
  - 10.1.0.0/16
  ```
  API: Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.
Create a security group
Create and configure a security group.
Management console:
- Select VPC in the folder where you want to create a security group.
- Open the Security groups tab.
- Click Create group.
- Specify the security group name: my-rdgw-sg.
- In the Network field, select the security group network: rdgw-network.
- Under Rules, create the following network traffic rules using the instructions below the table:

  | Traffic direction | Description | Port range | Protocol | Source type | Source/Destination |
  | --- | --- | --- | --- | --- | --- |
  | Inbound | icmp | — | ICMP | CIDR | 0.0.0.0/0 |
  | Inbound | self-security | Any | Any | Security group | Current |
  | Inbound | tcp | 3389 | TCP | CIDR | 0.0.0.0/0 |
  | Inbound | rdgw | 443 | TCP | CIDR | 0.0.0.0/0 |
  | Outbound | default | Any | Any | CIDR | 0.0.0.0/0 |

  - Select the Outgoing traffic or Incoming traffic tab.
  - Click Add rule.
  - In the Port range field of the window that opens, specify a port or range of ports open for inbound or outbound traffic.
  - In the Protocol field, specify the protocol or leave Any to allow traffic over any protocol.
  - In the Source or Destination field, select the scope of the rule:
    - CIDR: the rule will apply to a range of IP addresses. In the CIDR blocks field, specify the CIDR IP address ranges of the source or destination subnets, respectively. To add multiple CIDRs, click Add CIDR.
    - Security group: the rule will apply to the VMs of the current or the selected security group.
  - Click Save. Repeat the steps to create all the rules from the table.
- Click Save.
CLI:
```
yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default
```
Result:
```
id: enp136p8s2ae********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct********
status: ACTIVE
rules:
  - id: env98jerk9b3********
    description: icmp
    direction: INGRESS
    protocol_name: ICMP
    protocol_number: "1"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0
```
API: Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
Create a gateway VM
Create a VM and give it a public IP address:
Management console:
- On the folder dashboard in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image:
  - Navigate to the Custom tab.
  - Click Select and select Create new in the window that opens.
  - In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
  - Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
  - Click Add disk.
- Under Location, select the ru-central1-d availability zone.
- Under Disks and file storages, specify your boot disk size: 60 GB.
- Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
  - Platform: Intel Ice Lake
  - vCPU: 2
  - Guaranteed vCPU performance: 100%
  - RAM: 4 GB
- Under Network settings, specify:
  - Subnet: rdgw-subnet
  - Public IP address: Auto
  - Security groups: my-rdgw-sg
- Under General information, specify the VM name: my-rds-gw.
- Click Create VM.
Wait for the VM status to change to Running and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
CLI:
- In PowerShell, create the setpass script that sets the Administrator password using the user-data field of the VM metadata. The cloudbase-init tool will execute the script on the first run.
  Note
  The first line of the script must be #ps1; otherwise, the cloudbase-init tool will fail.
  ```
  #ps1
  Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
  ```
- Create a VM specifying the created script as the metadata source. Specify the ID of the my-rdgw-sg security group as the security-group-ids value:
  ```
  yc compute instance create `
    --name my-rds-gw `
    --hostname my-rds-gw `
    --memory 4 `
    --cores 2 `
    --platform standard-v3 `
    --zone ru-central1-d `
    --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<my-rdgw-sg_ID> `
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
    --metadata-from-file user-data=setpass
  ```
Result:
```
done (25s)
id: frmogfp7mm1k********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:51:58Z"
name: my-rds-gw
zone_id: ru-central1-d
platform_id: standard-v3
resources:
  memory: "4294967296"
  cores: "2"
  core_fraction: "100"
status: RUNNING
boot_disk:
  mode: READ_WRITE
  device_name: fhmplfvr7g6p********
  auto_delete: true
  disk_id: fhmplfvr7g6p********
network_interfaces:
  - index: "0"
    mac_address: d0:0d:18:83:c8:7b
    subnet_id: e9b95m6al33r********
    primary_v4_address:
      address: 10.1.0.3
      one_to_one_nat:
        address: 178.154.231.126
        ip_version: IPV4
    security_group_ids:
      - enp136p8s2a********
fqdn: my-rds-gw.ru-central1.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}
```
Configure the RDGW role
- Connect to the created VM via RDP.
- Install the required role and management tools:
  ```
  Install-WindowsFeature RDS-Gateway -IncludeManagementTools
  ```
  Result:
  ```
  Success Restart Needed Exit Code      Feature Result
  ------- -------------- ---------      --------------
  True    No             Success        {Network Policy and Access Services, Remot...
  ```
- Import the RDS module:
  ```
  Import-Module -Name RemoteDesktopServices
  ```
- Create a client access policy allowing members of the Administrators group to connect to the RDGW. You can do this using a Windows PowerShell drive that is automatically installed with the role:
  ```
  New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'
  ```
  Result:
  ```
  Directory: RDS:\GatewayServer\CAP

  Name        Type CurrentValue GP PermissibleValues PermissibleOperations
  ----        ---- ------------ -- ----------------- ---------------------
  Default-CAP                   -                    Get-Item, Get-ChildItem, Remove-Item,...
  ```
- Create a resource access policy allowing members of the Administrators group to connect to internal resources through the RDGW:
  ```
  New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'
  ```
  Result:
  ```
  Directory: RDS:\GatewayServer\RAP

  Name        Type CurrentValue GP PermissibleValues PermissibleOperations
  ----        ---- ------------ -- ----------------- ---------------------
  Default-RAP                   -                    Get-Item, Get-ChildItem, Remove-Item,...
  ```
- Create the RDGW server certificate that will be used for traffic encryption:
  ```
  $Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME
  ```
- Export the created certificate so the gateway clients can import it into their Trusted Root Certification Authorities certificate stores. This is required for them to trust your self-signed certificate:
  ```
  $Certificate | Export-Certificate -FilePath "C:\REGW.cer"
  ```
  Result:
  ```
  Directory: C:\

  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -a----         6/9/2021  11:51 AM            796 REGW.cer
  ```
- Configure RDGW to use your certificate and restart the RDG service to apply the settings:
  ```
  Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
  Get-Service TSGateway | Restart-Service
  ```
The RDGW VM now allows members of the BUILTIN\Administrators group to connect to internal network VMs.
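A post-configuration check for the steps above, added here as an example and not part of the original page: run on the gateway VM, it confirms that the Default-CAP and Default-RAP policies exist, that the thumbprint bound to the gateway belongs to a still-valid certificate issued for the computer name (the name clients must use), and that the TSGateway service is running and listening on TCP 443. Only the policy names, store paths, service name and port already used above are assumed.

```powershell
# Added check script (not from the original page). Run in an elevated PowerShell
# session on the gateway VM after the RDGW role has been configured as above.
Import-Module -Name RemoteDesktopServices

$failures = @()

# 1. The client and resource access policies created above must exist.
foreach ($policy in @('RDS:\GatewayServer\CAP\Default-CAP', 'RDS:\GatewayServer\RAP\Default-RAP')) {
    if (-not (Test-Path $policy)) { $failures += "missing policy: $policy" }
}

# 2. The thumbprint bound to the gateway must match a certificate in the machine
#    store that covers this computer's name and has not expired.
$boundThumbprint = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $boundThumbprint
if (-not $cert) {
    $failures += "bound thumbprint $boundThumbprint not found in Cert:\LocalMachine\My"
} else {
    if ($cert.DnsNameList.Unicode -notcontains $env:COMPUTERNAME) {
        $failures += "certificate does not cover $env:COMPUTERNAME; clients must connect by a name it covers"
    }
    if ($cert.NotAfter -lt (Get-Date)) { $failures += "certificate expired on $($cert.NotAfter)" }
    # A self-signed certificate has issuer equal to subject; clients trust it only
    # after importing the exported REGW.cer, as described above.
    if ($cert.Issuer -eq $cert.Subject) {
        Write-Host "note: bound certificate is self-signed; distribute REGW.cer to clients"
    }
}

# 3. The gateway service must be running and listening on the HTTPS port that the
#    rdgw rule of the my-rdgw-sg security group exposes.
$svc = Get-Service TSGateway
if ($svc.Status -ne 'Running') { $failures += "TSGateway service is $($svc.Status)" }
if (-not (Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)) {
    $failures += 'nothing is listening on TCP 443'
}

if ($failures.Count -eq 0) {
    Write-Host 'RDGW checks passed'
} else {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```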
Test the RDGW
- Create an internal network VM to which you will connect during the test.
  Management console:
  - On the folder dashboard in the management console, click Create resource and select Virtual machine instance.
  - Under Boot disk image:
    - Navigate to the Custom tab.
    - Click Select and select Create new in the window that opens.
    - In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
    - Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
    - Click Add disk.
  - Under Location, select the ru-central1-d availability zone.
  - Under Disks and file storages, specify your boot disk size: 60 GB.
  - Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
    - Platform: Intel Ice Lake
    - vCPU: 2
    - Guaranteed vCPU performance: 100%
    - RAM: 4 GB
  - Under Network settings, specify:
    - Subnet: rdgw-subnet
    - Public IP address: No address
  - Under General information, specify the VM name: test-vm.
  - Click Create VM.
  Wait for the VM status to change to Running and reset the password:
  - Select the VM.
  - Click Reset password.
  - Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  - Click Generate password.
  - Save the New password. It will become unavailable once you close the window.
  CLI:
  Create a VM:
  ```
  yc compute instance create `
    --name test-vm `
    --hostname test-vm `
    --memory 4 `
    --cores 2 `
    --platform standard-v3 `
    --zone ru-central1-d `
    --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
    --metadata-from-file user-data=setpass
  ```
  Result:
  ```
  done (19s)
  id: fhm5pflreh2j********
  folder_id: big67u7m5flp********
  created_at: "2021-06-09T11:53:03Z"
  name: test-vm
  zone_id: ru-central1-d
  platform_id: standard-v3
  resources:
    memory: "4294967296"
    cores: "2"
    core_fraction: "100"
  status: RUNNING
  boot_disk:
    mode: READ_WRITE
    device_name: fhmmf65nlbt1********
    auto_delete: true
    disk_id: fhmmf65nlbt1********
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:5d:ef:bb:74
      subnet_id: e9b95m6al33r********
      primary_v4_address:
        address: 10.1.0.4
  fqdn: test-vm.ru-central1.internal
  scheduling_policy: {}
  network_settings:
    type: STANDARD
  placement_policy: {}
  ```
  API: Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.
- Import your RDGW certificate file into the Trusted Root Certification Authorities store of the computer from which you will connect to the test VM. To connect to the gateway by VM name, add its name and external IP address to the C:\Windows\system32\drivers\etc\hosts file. Here is an example:
  ```
  87.250.250.242 my-rds-gw
  ```
- Run the mstsc remote desktop client. On the Advanced tab of the connection settings, specify the gateway: my-rds-gw, destination node: test-vm, and username: Administrator.
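The client-side steps above (trusting REGW.cer, adding the hosts entry, and entering the gateway settings in mstsc) as an added PowerShell example that is not part of the original page. It assumes REGW.cer has been copied to C:\ on the client and that <gateway_public_IP> is replaced with the external address of my-rds-gw from the VM creation output; before launching the client it also verifies that the certificate the gateway presents on TCP 443 is the one that was imported.

```powershell
# Added client-side helper (not from the original page). Run in an elevated
# PowerShell session on the machine you connect from.
$GatewayName = 'my-rds-gw'
$GatewayIp   = '<gateway_public_IP>'   # placeholder: external address of my-rds-gw
$CertFile    = 'C:\REGW.cer'           # assumption: exported certificate copied here
$TargetHost  = 'test-vm'

# 1. Trust the gateway's self-signed certificate (Trusted Root Certification Authorities).
$imported = Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Resolve the gateway by the name in its certificate via the hosts file, as above.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "\s$GatewayName(\s|$)" -Quiet)) {
    Add-Content -Path $hosts -Value "$GatewayIp $GatewayName"
}

# 3. Confirm TCP 443 is reachable and that the presented certificate is REGW.cer.
#    Chain validation is bypassed here only because the thumbprint is compared explicitly.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayName, 443)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$tls.AuthenticateAsClient($GatewayName)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tls.Dispose(); $tcp.Dispose()
if ($presented.Thumbprint -ne $imported.Thumbprint) {
    throw "gateway presented thumbprint $($presented.Thumbprint), expected $($imported.Thumbprint)"
}

# 4. Write a connection file carrying the settings entered on mstsc's Advanced tab above.
$rdp = @"
full address:s:$TargetHost
username:s:Administrator
gatewayhostname:s:$GatewayName
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
prompt for credentials:i:1
"@
$rdpFile = Join-Path $env:USERPROFILE "$TargetHost.rdp"
Set-Content -Path $rdpFile -Value $rdp
mstsc $rdpFile
```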
How to delete the resources you created
If you no longer need the resources you created, i.e., VMs and networks, delete them.