Contact UsGet started

Deploying Remote Desktop Gateway

Written by
Updated at February 27, 2025

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

Remote Desktop Gateway (RDGW) is a Windows Server role which allows you to access internal network resources over HTTPS.

In this scenario, users from the Administrators group will access a test VM with a self-signed certificate.

To deploy the Remote Desktop Gateway infrastructure:

  1. Get your cloud ready.
  2. Create a cloud network and subnets.
  3. Create a security group.
  4. Create a gateway VM.
  5. Configure the RDGW role.
  6. Test the RDGW.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

The cost of RDGW infrastructure includes:

Create a cloud network and subnets

Create the rdgw-network cloud network with a subnet in the availability zone where your VMs will reside.

  1. Create a cloud network.

    1. Navigate to the folder where you want to create your cloud network and select VPC.
    2. Click Create network.
    3. Specify the network name: rdgw-network.
    4. Click Create network.
    yc vpc network create --name rdgw-network

    Where rdgw-network is the network name.

    Result:

    id: qqppl6fduhct76qkjh6s
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:07Z"
name: rdgw-network
default_security_group_id: enpa139ji55jti00u5sg

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create a subnet in rdgw-network.

    1. Select VPC in the folder where you created the network.
    2. Click the name of your cloud network.
    3. Click Add subnet.
    4. Specify rdgw-subnet as the subnet name and select the availability zone from the drop-down list (e.g., ru-central1-d).
    5. Specify the subnet CIDR IP address range: 10.1.0.0/16. For more information about IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.
    yc vpc subnet create `
  --name rdgw-subnet `
  --zone ru-central1-d `
  --network-name rdgw-network `
  --range 10.1.0.0/16

    Where rdgw-subnet is the subnet name.

    Result:

    id: e9b95m6al33r********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:49:21Z"
name: rdgw-subnet
network_id: qqppl6fduhct********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.1.0.0/16

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a security group

Create and configure a security group.

  1. Select VPC in the folder where you want to create a security group.

  2. Open the Security groups tab.

  3. Click Create group.

  4. Specify the security group name: my-rdgw-sg.

  5. In the Network field, select the security group network: rdgw-network.

  6. Under Rules, create the following network traffic rules using the instructions below the table:

    Traffic
    direction    		 Description Port
    range    		 Protocol Source
    type    		 Source/Destination
    Inbound icmp ICMP CIDR 0.0.0.0/0
    Inbound self-security Any Any Security group Current
    Inbound tcp 3389 TCP CIDR 0.0.0.0/0
    Inbound rdgw 443 TCP CIDR 0.0.0.0/0
    Outbound default Any Any CIDR 0.0.0.0/0
    1. Select the Outgoing traffic or Incoming traffic tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a port or range of ports open for inbound or outbound traffic.
    4. In the Protocol field, specify the protocol or leave Any to allow traffic over any protocol.
    5. In the Source or Destination field, select the scope of the rule:
      • CIDR: Rule will apply to a range of IP addresses. In the CIDR blocks field, specify CIDR IP address ranges of source or destination subnets, respectively. To add multiple CIDRs, click Add CIDR.
      • Security group: Rule will apply to the current or the selected security group VMs.
    6. Click Save. Repeat the steps to create all the rules from the table.

  7. Click Save.

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default

Result:

id: enp136p8s2ae********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct********
status: ACTIVE
rules:
- id: env98jerk9b3********
  description: icmp
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
  v4_cidr_blocks:
   - 0.0.0.0/0

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

Create a gateway VM

Create a VM and give it a public IP address:

  1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    • Navigate to the Custom tab.
    • Click Select and select Create new in the window that opens.
    • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
    • Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
    • Click Add disk.

  3. Under Location, select the ru-central1-d availability zone.

  4. Under Disks and file storages, specify your boot disk size: 60 GB.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 100%
    • RAM: 4 GB

  6. Under Network settings, specify:

    • Subnet: rdgw-subnet
    • Public IP address: Auto
    • Security groups: my-rdgw-sg

  7. Under General information, specify the VM name: my-rds-gw.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.

  1. In PowerShell, create the setpass script setting up the Administrator password using the VM metadata user-data field. The cloudbase-init tool will execute the script on the first run.

    Note

    The first line of the script must be #ps1; otherwise, the cloudbase-init tool will fail.

    #ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

  2. Create a VM specifying the created script as the metadata source. Specify the my-rdgw-group ID as the security-group-ids value:

    yc compute instance create `
  --name my-rds-gw `
  --hostname my-rds-gw `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-d `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<id_my-rdgw-group> `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass

Result:

```
done (25s)
id: frmogfp7mm1k********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:51:58Z"
name: my-rds-gw
zone_id: ru-central1-d
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmplfvr7g6p********
auto_delete: true
disk_id: fhmplfvr7g6p********
network_interfaces:
- index: "0"
  mac_address: d0:0d:18:83:c8:7b
  subnet_id: e9b95m6al33r********
  primary_v4_address:
  address: 10.1.0.3
  one_to_one_nat:
  address: 178.154.231.126
  ip_version: IPV4
  security_group_ids:
   - enp136p8s2a********
     fqdn: my-rds-gw.ru-central1.internal
     scheduling_policy: {}
     network_settings:
     type: STANDARD
     placement_policy: {}
```

 {% include [cli-metadata-variables-substitution-notice](../../_includes/compute/create/_include--cli-metadata-variables-substitution-notice--649502d.md) %}

Configure the RDGW role

  1. Connect to the created VM via RDP.

  2. Install the required role and management tools:

    Install-WindowsFeature RDS-Gateway -IncludeManagementTools

    Result:

    Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Network Policy and Access Services, Remot...

  3. Import the RDS module:

    Import-Module -Name RemoteDesktopServices

  4. Create a client access policy allowing members of the Administrators group to connect to the RDGW. You can do this using a Windows PowerShell drive that is automatically installed with the role:

    New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'

    Result:

        Directory: RDS:\GatewayServer\CAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-CAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  5. Create a resource access policy allowing members of the Administrators groups to connect to internal resources through the RDGW.

    New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'

    Result:

        Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  6. Create your RDGW server certificate that will be used for traffic encryption:

    $Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME

  7. Export the created certificate so the gateway clients can upload it to their Trusted Roots Certificate Authorities certificate stores. This is required to trust your self-signed certificate:

    $Certificate | Export-Certificate -FilePath "C:\REGW.cer"

    Result:

        Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  8. Configure RDGW to use your certificate and restart the RDG service to apply the settings:

    Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
Get-Service TSGateway | Restart-Service

    Result:

        Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/9/2021  11:51 AM            796 REGW.cer

The RDGW VM allows members of the BUILTIN\Administrators group to connect to internal network VMs.

Test the RDGW

  1. Create an internal network VM to which you will connect during the test.

    1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

    2. Under Boot disk image:

      • Navigate to the Custom tab.
      • Click Select and select Create new in the window that opens.
      • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
      • Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
      • Click Add disk.

    3. Under Location, select the ru-central1-d availability zone.

    4. Under Disks and file storages, specify your boot disk size: 60 GB.

    5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

      • Platform: Intel Ice Lake
      • vCPU: 2
      • Guaranteed vCPU performance: 100%
      • RAM: 4 GB

    6. Under Network settings, specify:

      • Subnet: rdgw-subnet
      • Public IP address: No address

    7. Under General information, specify the VM name: test-vm.

    8. Click Create VM.

    Wait for the VM status to change to Running and reset the password:

    1. Select the VM.
    2. Click Reset password.
    3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
    4. Click Generate password.
    5. Save the New password. It will become unavailable once you close the window.

    Create a VM:

    yc compute instance create `
  --name test-vm `
  --hostname test-vm `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-d `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass

    Result:

    done (19s)
id: fhm5pflreh2j********
folder_id: big67u7m5flp********
created_at: "2021-06-09T11:53:03Z"
name: test-vm
zone_id: ru-central1-d
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmmf65nlbt1********
auto_delete: true
disk_id: fhmmf65nlbt1********
network_interfaces:
- index: "0"
  mac_address: d0:0d:5d:ef:bb:74
  subnet_id: e9b95m6al33r********
  primary_v4_address:
  address: 10.1.0.4
  fqdn: test-vm.ru-central1.internal
  scheduling_policy: {}
  network_settings:
  type: STANDARD
  placement_policy: {}

    Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

  2. Import your RDGW certificate file to the Trusted Roots Certificate Authorities directory of the computer you will connect to the test VM.

    To connect to the gateway by the VM name, specify its name and external IP address in the C:\Windows\system32\drivers\etc\hosts file. Here is an example:

    87.250.250.242 my-rds-gw

  3. Run the mstsc remote desktop client. On the Advanced tab of the connection settings, specify the gateway: my-rds-gw, destination node: test-vm, and username: Administrator.

How to delete the resources you created

If you no longer need the resources you created, i.e., VMs and networks, delete them.

Previous
Deploying Remote Desktop Services
Next
Deploying an Always On availability group with an internal network load balancer