Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Deploying Remote Desktop Gateway

Written by
Updated at October 17, 2024

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

Remote Desktop Gateway (RDGW) is a Windows Server service for accessing resources that have no internet access via a secure HTTPS communication channel.

In this use case, users from the Administrators group are granted access to a test VM using a self-signed certificate.

To deploy the Remote Desktop Gateway infrastructure:

  1. Prepare your cloud.
  2. Create a cloud network and subnets.
  3. Create a security group.
  4. Create a VM for the gateway.
  5. Configure the RDGW role.
  6. Test the RDGW.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

The cost of installing RDGW includes:

Create a cloud network and subnets

Create a cloud network named rdgw-network with a subnet in the availability zone where your VMs will be located.

  1. Create a cloud network.

    1. Select VPC in the folder where you want to create a cloud network.
    2. Click Create network.
    3. Enter the network name: rdgw-network.
    4. Click Create network.
    yc vpc network create --name rdgw-network

    Where rdgw-network is the network name.

    Result:

    id: qqppl6fduhct76qkjh6s
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:07Z"
name: rdgw-network
default_security_group_id: enpa139ji55jti00u5sg

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create a subnet in the network rdgw-network.

    1. Select VPC in the folder to create a subnet in.
    2. Click the name of the cloud network.
    3. Click Add subnet.
    4. Fill out the form: enter rdgw-subnet as a subnet name and select the appropriate availability zone from the drop-down list (for example, ru-central1-a).
    5. Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.
    yc vpc subnet create `
  --name rdgw-subnet `
  --zone ru-central1-a `
  --network-name rdgw-network `
  --range 10.1.0.0/16

    Where rdgw-subnet is the subnet name.

    Result:

    id: e9b95m6al33r62n5vkab
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:21Z"
name: rdgw-subnet
network_id: qqppl6fduhct76qkjh6s
zone_id: ru-central1-a
v4_cidr_blocks:
- 10.1.0.0/16

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a security group

Create and set up a security group.

  1. Select VPC in the folder where you want to create a security group.

  2. Open the Security groups tab.

  3. Click Create group.

  4. Enter the security group name: my-rdgw-sg.

  5. In the Network field, select the network to assign the security group to: rdgw-network.

  6. Under Rules, create the following traffic management rules according to the instructions below the table:

    Traffic
    direction    		 Description Port
    range    		 Protocol Source
    type    		 Source/Purpose
    Incoming icmp ICMP CIDR 0.0.0.0/0
    Incoming self-security Any Any Security group Current
    Incoming tcp 3389 TCP CIDR 0.0.0.0/0
    Incoming RDGW 443 TCP CIDR 0.0.0.0/0
    Outgoing default Any Any CIDR 0.0.0.0/0
    1. Select the Outgoing traffic or Incoming traffic tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
    4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Purpose or Source field, select the purpose of the rule:
      • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      • Security group: Rule will apply to the VMs from the current group or the selected security group.
    6. Click Save. Repeat the steps to create all the rules from the table.

  7. Click Save.

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default

Result:

id: enp136p8s2ael7ob6klg
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct76qkjh6s
status: ACTIVE
rules:
- id: env98jerk9b3tcp68k61
  description: icmp
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
  v4_cidr_blocks:
   - 0.0.0.0/0

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

Create a VM for the gateway

Create a VM with a public address:

  1. On the folder page in the management console, click Create resource and select Virtual machine.
  2. In the Name field, enter a name for the VM: my-rds-gw.
  3. Select the ru-central1-a availability zone.
  4. Under Image/boot disk selection, click the Cloud Marketplace tab and then Show more. In the window that opens, select the Windows Server 2022 Datacenter image.
  5. Under Disks, enter 60 GB for the size of the boot disk.
  6. Under Computing resources:
    • Select the platform: Intel Ice Lake.
    • Specify the required number of vCPUs and the amount of RAM:
      • vCPU: 2
      • Guaranteed vCPU share: 100%
      • RAM: 4 GB
  7. Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select Automatically. Select the my-rdgw-sg security group.
  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.

  1. In the PowerShell terminal, create a script named setpass to set up a password for the Administrator account using the user-data field in the VM metadata. The cloudbase-init utility executes it on the first run.

    Note

    The first line of the script must only contain #ps1, otherwise the cloudbase-init utility won't execute the script.

    #ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

  2. Create a VM and specify the created script as the metadata source. As the security-group-ids parameter, enter the ID of the my-rdgw-group security group:

    yc compute instance create `
  --name my-rds-gw `
  --hostname my-rds-gw `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-a `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<id_my-rdgw-group> `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass

Result:

done (25s)
id: frmogfp7mm1kg87c25f3
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:51:58Z"
name: my-rds-gw
zone_id: ru-central1-a
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmplfvr7g6pfv63fsr7
auto_delete: true
disk_id: fhmplfvr7g6pfv63fsr7
network_interfaces:
- index: "0"
  mac_address: d0:0d:18:83:c8:7b
  subnet_id: e9b95m6al33r62n5vkab
  primary_v4_address:
  address: 10.1.0.3
  one_to_one_nat:
  address: 178.154.231.126
  ip_version: IPV4
  security_group_ids:
   - enp136p8s2ael7ob6klg
     fqdn: my-rds-gw.ru-central1.internal
     scheduling_policy: {}
     network_settings:
     type: STANDARD
     placement_policy: {}

Configure the RDGW role

  1. Connect to the created VM via RDP.

  2. Set the required roles and management snap-ins:

    Install-WindowsFeature RDS-Gateway -IncludeManagementTools

    Result:

    Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Network Policy and Access Services, Remot...

  3. Import the RDS module:

    Import-Module -Name RemoteDesktopServices

  4. Create a client access policy to allow all Administrators local group accounts to connect to the RDGW. You can do this using a Windows PowerShell drive that is created automatically when importing the role:

    New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'

    Result:

        Directory: RDS:\GatewayServer\CAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-CAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  5. Create a resource access policy to allow all Administrators local group accounts to connect to any internal resource through the created RDGW.

    New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'

    Result:

        Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  6. Create a certificate with the name of the server to be used for connecting to the gateway and encrypting traffic:

    $Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME

  7. Export the created certificate to later upload it to the Trusted Roots Certificate Authorities certificate store on the computer connecting to the VM. This is necessary for the client to trust the self-signed RDGW certificate:

    $Certificate | Export-Certificate -FilePath "C:\REGW.cer"

    Result:

        Directory: RDS:\GatewayServer\RAP

Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
----                   ----      ------------         --   ----------------- ---------------------
Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...

  8. Specify which certificate the RDGW should use. Restart the Remote Desktop Gateway service to apply the settings:

    Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
Get-Service TSGateway | Restart-Service

    Result:

        Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/9/2021  11:51 AM            796 REGW.cer

The gateway VM with the RDGW role configured allows BUILTIN\Administrators local group accounts to connect to VMs that do not have direct internet access.

Test the RDGW

  1. Create a VM with no internet access and connect to it during the test.

    1. On the folder page in the management console, click Create resource and select Virtual machine.
    2. In the Name field, enter the VM name: test-vm.
    3. Select the ru-central1-a availability zone.
    4. Under Image/boot disk selection, click the Cloud Marketplace tab and then Show more. In the window that opens, select the Windows Server 2022 Datacenter image.
    5. Under Disks, enter 60 GB for the size of the boot disk.
    6. Under Computing resources:
      • Select the platform: Intel Ice Lake.
      • Specify the required number of vCPUs and the amount of RAM:
        • vCPU: 2
        • Guaranteed vCPU share: 100%
        • RAM: 4 GB
    7. Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select No address.
    8. Click Create VM.

    Wait for the VM status to change to Running and reset the password:

    1. Select the VM.
    2. Click Reset password.
    3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
    4. Click Generate password.
    5. Save the New password. It will become unavailable once you close the window.

    Create a VM:

    yc compute instance create `
  --name test-vm `
  --hostname test-vm `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-a `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass

    Result:

    done (19s)
id: fhm5pflreh2jellq97r0
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T11:53:03Z"
name: test-vm
zone_id: ru-central1-a
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmmf65nlbt131b3e36l
auto_delete: true
disk_id: fhmmf65nlbt131b3e36l
network_interfaces:
- index: "0"
  mac_address: d0:0d:5d:ef:bb:74
  subnet_id: e9b95m6al33r62n5vkab
  primary_v4_address:
  address: 10.1.0.4
  fqdn: test-vm.ru-central1.internal
  scheduling_policy: {}
  network_settings:
  type: STANDARD
  placement_policy: {}

    Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

  2. Import the created certificate to the Trusted Roots Certificate Authorities directory on the computer that you will use to connect to the test VM.

    To connect to the gateway using the VM name, specify the name and external IP address of the created RDGW in the C:\Windows\system32\drivers\etc\hosts file. Here is an example:

    87.250.250.242 my-rds-gw

  3. Run the mstsc utility that creates remote desktop connections. In the settings on the Advanced tab, specify the my-rds-gw VM name as the gateway, the test-vm name as the destination node, and Administrator as the username.

How to delete the resources you created

If you no longer need the created resources, delete the VM instances and networks.

Previous
Deploying an Always On availability group with an internal network load balancer
Next
All tutorials