Deploying Remote Desktop Gateway
Warning
In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.
Remote Desktop Gateway (RDGW) is a Windows Server role that tunnels RDP sessions over HTTPS (TCP 443). Clients on the internet reach hosts that have no public address through the gateway, so RDP (TCP 3389) on those hosts is never exposed.
In this use case, members of the local Administrators group are granted access to a test VM through the gateway, and the gateway uses a self-signed certificate.
To deploy the Remote Desktop Gateway infrastructure:
- Prepare your cloud.
- Create a cloud network and subnets.
- Create a security group.
- Create a VM for the gateway.
- Configure the RDGW role.
- Test the RDGW.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Note
Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.
Required paid resources
The cost of installing RDGW includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
- Cost of outgoing traffic from Yandex Cloud to the internet (see Yandex Compute Cloud pricing).
Create a cloud network and subnets
Create a cloud network named rdgw-network with a subnet in the availability zone where your VMs will be located.
- Create a cloud network.
Management console
- Select VPC in the folder where you want to create a cloud network.
- Click Create network.
- Enter the network name: rdgw-network.
- Click Create network.
CLI
yc vpc network create --name rdgw-network
Where rdgw-network is the network name.
Result:
id: qqppl6fduhct76qkjh6s
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:07Z"
name: rdgw-network
default_security_group_id: enpa139ji55jti00u5sg
API
Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
- Create a subnet in the rdgw-network network.
Management console
- Select VPC in the folder to create a subnet in.
- Click the name of the cloud network.
- Click Add subnet.
- Fill out the form: enter rdgw-subnet as the subnet name and select the appropriate availability zone from the drop-down list (for example, ru-central1-a).
- Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP address ranges, see Cloud networks and subnets.
- Click Create subnet.
CLI
yc vpc subnet create `
  --name rdgw-subnet `
  --zone ru-central1-a `
  --network-name rdgw-network `
  --range 10.1.0.0/16
Where rdgw-subnet is the subnet name.
Result:
id: e9b95m6al33r62n5vkab
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:49:21Z"
name: rdgw-subnet
network_id: qqppl6fduhct76qkjh6s
zone_id: ru-central1-a
v4_cidr_blocks:
- 10.1.0.0/16
API
Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.
Create a security group
Create and set up a security group.
Management console
- Select VPC in the folder where you want to create a security group.
- Open the Security groups tab.
- Click Create group.
- Enter the security group name: my-rdgw-sg.
- In the Network field, select the network to assign the security group to: rdgw-network.
- Under Rules, create the following traffic management rules according to the instructions below the table:

Traffic direction  Description    Port range  Protocol  Source type     Source/Purpose
Incoming           icmp           —           ICMP      CIDR            0.0.0.0/0
Incoming           self-security  Any         Any       Security group  Current
Incoming           tcp            3389        TCP       CIDR            0.0.0.0/0
Incoming           RDGW           443         TCP       CIDR            0.0.0.0/0
Outgoing           default        Any         Any       CIDR            0.0.0.0/0

The 3389 rule is only there so that you can reach the gateway VM over plain RDP to configure it; once the role is running, TCP 443 is the only port clients need. Restrict the source of the 3389 rule to the addresses you administer from and remove it after configuration. RDP open to 0.0.0.0/0 on an internet-facing host is exactly the exposure the gateway is meant to remove.

- Select the Outgoing traffic or Incoming traffic tab.
- Click Add rule.
- In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
- In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
- In the Purpose or Source field, select the purpose of the rule:
  - CIDR: the rule applies to a range of IP addresses. In the CIDR blocks field, specify the CIDRs and masks of the subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
  - Security group: the rule applies to the VMs from the current group or the selected security group.
- Click Save. Repeat the steps to create all the rules from the table.
- Click Save.
CLI
yc vpc security-group create --name=my-rdgw-sg `
--network-name rdgw-network `
--rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
--rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
--rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
--rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default
Result:
id: enp136p8s2ael7ob6klg
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct76qkjh6s
status: ACTIVE
rules:
- id: env98jerk9b3tcp68k61
description: icmp
direction: INGRESS
protocol_name: ICMP
protocol_number: "1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
API
Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
Create a VM for the gateway
Create a VM with a public address:
Management console
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter a name for the VM: my-rds-gw.
- Select the ru-central1-a availability zone.
- Under Image/boot disk selection, click the Cloud Marketplace tab and then Show more. In the window that opens, select the Windows Server 2022 Datacenter image.
- Under Disks, enter 60 GB for the size of the boot disk.
- Under Computing resources:
  - Select the platform: Intel Ice Lake.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 2
    - Guaranteed vCPU share: 100%
    - RAM: 4 GB
- Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select Automatically. Select the my-rdgw-sg security group.
- Click Create VM.
Wait for the VM status to change to Running and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
CLI
- In the PowerShell terminal, create a script named setpass that sets the password for the built-in Administrator account (the account with the well-known RID 500) using the user-data field in the VM metadata. The cloudbase-init utility executes it on the first run.
Note
The first line of the script must contain only #ps1, otherwise the cloudbase-init utility won't execute the script.
#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
The password is stored in the instance metadata in plain text and is readable by anyone who can read that metadata, so treat it as a bootstrap secret and change it at first logon.
- Create a VM and specify the created script as the metadata source. As the security-group-ids parameter, enter the ID of the my-rdgw-sg security group (enp136p8s2ael7ob6klg in the output above):
yc compute instance create `
  --name my-rds-gw `
  --hostname my-rds-gw `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-a `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<id_my-rdgw-sg> `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass
Result:
done (25s)
id: frmogfp7mm1kg87c25f3
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:51:58Z"
name: my-rds-gw
zone_id: ru-central1-a
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmplfvr7g6pfv63fsr7
auto_delete: true
disk_id: fhmplfvr7g6pfv63fsr7
network_interfaces:
- index: "0"
mac_address: d0:0d:18:83:c8:7b
subnet_id: e9b95m6al33r62n5vkab
primary_v4_address:
address: 10.1.0.3
one_to_one_nat:
address: 178.154.231.126
ip_version: IPV4
security_group_ids:
- enp136p8s2ael7ob6klg
fqdn: my-rds-gw.ru-central1.internal
scheduling_policy: {}
network_settings:
type: STANDARD
placement_policy: {}
Configure the RDGW role
- Connect to the created VM via RDP.
- Install the required role and management snap-ins:
Install-WindowsFeature RDS-Gateway -IncludeManagementTools
Result:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Network Policy and Access Services, Remot...
- Import the RDS module:
Import-Module -Name RemoteDesktopServices
- Create a connection authorization policy (CAP) that allows all accounts in the local Administrators group to authenticate to the RDGW with a password (-AuthMethod '1'). You can do this using the RDS: PowerShell drive that is created automatically when the module is imported:
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'
Result:
    Directory: RDS:\GatewayServer\CAP

Name        Type CurrentValue GP PermissibleValues PermissibleOperations
----        ---- ------------ -- ----------------- ---------------------
Default-CAP                   -                    Get-Item, Get-ChildItem, Remove-Item,...
- Create a resource authorization policy (RAP) that allows all accounts in the local Administrators group to connect to any internal resource through the created RDGW. -ComputerGroupType '2' means "any network resource"; for anything beyond a test setup, limit the RAP to a gateway-managed computer group or an Active Directory group of hosts (-ComputerGroupType '0' or '1') so that a gateway account cannot reach every host on the network.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'
Result:
    Directory: RDS:\GatewayServer\RAP

Name        Type CurrentValue GP PermissibleValues PermissibleOperations
----        ---- ------------ -- ----------------- ---------------------
Default-RAP                   -                    Get-Item, Get-ChildItem, Remove-Item,...
- Create a self-signed certificate whose DNS name is the server name. Clients must address the gateway by this exact name, otherwise the TLS name check fails:
$Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME
- Export the created certificate (public part only, no private key) to later import it into the Trusted Root Certification Authorities store on the computer connecting to the VM. This is necessary for the client to trust the self-signed RDGW certificate:
$Certificate | Export-Certificate -FilePath "C:\REGW.cer"
Result:
    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/9/2021  11:51 AM            796 REGW.cer
- Specify which certificate the RDGW should use and restart the Remote Desktop Gateway service to apply the settings. Neither command prints output on success:
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
Get-Service TSGateway | Restart-Service
Record $Certificate.Thumbprint: you will compare it against the exported file on the client before trusting it.
The gateway VM with the RDGW role configured allows BUILTIN\Administrators local group accounts to connect to VMs that do not have direct internet access.
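The steps above do not include a way to confirm that the role actually ended up in the expected state. The following script is an added example, not part of the original page: run it on the gateway in an elevated PowerShell session after the configuration steps. It assumes the policy names and the certificate subject ($env:COMPUTERNAME) are the ones created above, and it reads the bound thumbprint from the same RDS: drive path the page uses.

```powershell
# Added example (not from the original page): post-configuration check of the RDGW role.
# Run on my-rds-gw in an elevated PowerShell session after the steps above.
# Assumptions: the CAP/RAP were created as shown above and the certificate
# was issued to $env:COMPUTERNAME.
Import-Module -Name RemoteDesktopServices

$problems = @()

# 1. Role installed and gateway service running.
$feature = Get-WindowsFeature -Name RDS-Gateway
if (-not $feature.Installed) { $problems += 'RDS-Gateway feature is not installed' }
$svc = Get-Service -Name TSGateway
if ($svc.Status -ne 'Running') { $problems += "TSGateway service is $($svc.Status)" }

# 2. At least one CAP (who may authenticate) and one RAP (what they may reach) exist.
$caps = Get-ChildItem -Path 'RDS:\GatewayServer\CAP'
$raps = Get-ChildItem -Path 'RDS:\GatewayServer\RAP'
if (-not $caps) { $problems += 'No connection authorization policy (CAP) defined' }
if (-not $raps) { $problems += 'No resource authorization policy (RAP) defined' }

# 3. The thumbprint bound to the gateway points at a certificate that exists in the
#    machine store, is still valid and carries the name clients will use.
$bound = (Get-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
$cert  = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $bound }
if (-not $cert) {
    $problems += "Bound thumbprint '$bound' not found in Cert:\LocalMachine\My"
} else {
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $name    = $cert.GetNameInfo($dnsType, $false)
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }
    if ($name -ne $env:COMPUTERNAME) {
        $problems += "Certificate is issued to '$name', not '$env:COMPUTERNAME'; clients get a name mismatch"
    }
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Self-signed certificate in use (thumbprint $($cert.Thumbprint)). Clients must import it explicitly; use a CA-issued certificate outside of tests."
    }
}

# 4. The HTTPS listener is up. Port 443 is what the my-rdgw-sg rule admits.
$listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { $problems += 'Nothing is listening on TCP 443' }

if ($problems) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host 'RDGW checks passed: role installed, service running, CAP/RAP present, certificate bound and valid, port 443 listening.'
Write-Host "Give clients C:\REGW.cer and the thumbprint $bound so they can verify the file before importing it."
```

The check is deliberately read-only: it changes nothing on the gateway, so it can be rerun after any later change to the certificate or the policies.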
Test the RDGW
- Create a VM with no internet access and connect to it during the test.
Management console
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name: test-vm.
- Select the ru-central1-a availability zone.
- Under Image/boot disk selection, click the Cloud Marketplace tab and then Show more. In the window that opens, select the Windows Server 2022 Datacenter image.
- Under Disks, enter 60 GB for the size of the boot disk.
- Under Computing resources:
  - Select the platform: Intel Ice Lake.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 2
    - Guaranteed vCPU share: 100%
    - RAM: 4 GB
- Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select No address.
- Click Create VM.
Wait for the VM status to change to Running and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
CLI
Create a VM:
yc compute instance create `
  --name test-vm `
  --hostname test-vm `
  --memory 4 `
  --cores 2 `
  --platform standard-v3 `
  --zone ru-central1-a `
  --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=setpass
Result:
done (19s)
id: fhm5pflreh2jellq97r0
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T11:53:03Z"
name: test-vm
zone_id: ru-central1-a
platform_id: standard-v3
resources:
  memory: "4294967296"
  cores: "2"
  core_fraction: "100"
status: RUNNING
boot_disk:
  mode: READ_WRITE
  device_name: fhmmf65nlbt131b3e36l
  auto_delete: true
  disk_id: fhmmf65nlbt131b3e36l
network_interfaces:
- index: "0"
  mac_address: d0:0d:5d:ef:bb:74
  subnet_id: e9b95m6al33r62n5vkab
  primary_v4_address:
    address: 10.1.0.4
fqdn: test-vm.ru-central1.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}
API
Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.
- Import the exported certificate into the Trusted Root Certification Authorities store on the computer that you will use to connect to the test VM. Before importing, compare the thumbprint of the file with the $Certificate.Thumbprint value recorded on the gateway: importing a root certificate means trusting everything it signs, so do not trust a file you have not verified.
To connect to the gateway using the VM name (the only name the certificate is valid for), map the name to the external IP address of the created RDGW in the C:\Windows\system32\drivers\etc\hosts file, using the public address your VM actually received (178.154.231.126 in the CLI output above). Here is an example:
87.250.250.242 my-rds-gw
- Run the mstsc utility that creates remote desktop connections. On the Advanced tab, under Settings, specify the my-rds-gw VM name as the gateway; on the General tab, specify the test-vm name as the destination computer and Administrator as the username. Because neither VM is domain-joined, the gateway checks the credentials against its own local accounts and the test VM against its own, so expect a separate prompt for each unless the passwords match.
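The client-side steps above (verify and import the certificate, add the hosts entry, point mstsc at the gateway) can be done in one script. The following is an added example, not part of the original page: it runs on the connecting Windows machine in an elevated PowerShell session. The file path, the expected thumbprint placeholder and the use of an .rdp file instead of the mstsc dialog are assumptions of the example; the public IP is the one the gateway received in the CLI output above.

```powershell
# Added example (not from the original page): prepare a client to connect to test-vm
# through my-rds-gw. Run elevated: importing into LocalMachine\Root and editing hosts
# both need administrator rights.
# Assumptions: REGW.cer was copied from the gateway to $CerPath, and
# $ExpectedThumbprint is the value of $Certificate.Thumbprint read off the gateway.
param(
    [string]$CerPath            = 'C:\Temp\REGW.cer',
    [string]$ExpectedThumbprint = '<thumbprint recorded on the gateway>',
    [string]$GatewayName        = 'my-rds-gw',
    [string]$GatewayPublicIp    = '178.154.231.126',
    [string]$TargetHost         = 'test-vm',
    [string]$UserName           = 'Administrator'
)

# 1. Verify the self-signed certificate before trusting it as a root. A file named
#    REGW.cer proves nothing; the thumbprint, obtained out of band, does.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}
if ($cert.HasPrivateKey) {
    throw 'The exported file contains a private key; the gateway should have exported the public part only.'
}
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $cert.GetNameInfo($dnsType, $false)
if ($certName -ne $GatewayName) {
    throw "Certificate is issued to '$certName' but the gateway will be addressed as '$GatewayName'; mstsc would reject it."
}
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Name resolution: the certificate carries the host name, not the IP, so the
#    gateway must be addressed by name. Add a hosts entry only if none exists.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*\S+\s+' + [regex]::Escape($GatewayName) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$GatewayPublicIp`t$GatewayName"
}

# 3. Build an .rdp file equivalent to the mstsc dialog settings described above:
#    always use the gateway (gatewayusagemethod 1) with its own settings
#    (gatewayprofileusagemethod 1), address the internal host by name, and prompt
#    for credentials rather than storing them in the file.
#    authentication level 1 warns on the test VM's own self-signed RDP certificate
#    instead of refusing the session; the gateway certificate is still checked strictly.
$rdp = @"
full address:s:$TargetHost
username:s:$UserName
gatewayhostname:s:$GatewayName
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
authentication level:i:1
prompt for credentials:i:1
"@
$rdpPath = Join-Path $env:TEMP "$TargetHost-via-$GatewayName.rdp"
Set-Content -Path $rdpPath -Value $rdp -Encoding ASCII
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$rdpPath`""
```

The thumbprint check is the part that matters: without it, anyone who can hand you a file called REGW.cer can have their own root certificate installed on your machine. Keep the .rdp file free of passwords; the gatewaycredentialssource and prompt for credentials settings make mstsc ask for them at connection time.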
How to delete the resources you created
If you no longer need the created resources, delete the VM instances and networks.