RD Gateway Migration: Preparing to Migrate
Updated: July 19, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic contains instructions for preparing for the migration of RD Gateway settings. It assumes that you are migrating a working deployment of RD Gateway, including dependencies.
To prepare to migrate the RD Gateway role service, see the following sections:
Permissions required to complete RD Gateway migration
Preparing other computers (clients and servers) in the enterprise
Preparing your destination RD Gateway server
At minimum, you must be a member of the Administrators group on the destination server to migrate RD CAPs and RD RAPs to an RD Gateway server running Windows Server 2008 R2 by using RD Gateway Manager.
RD Gateway is dependent on Web Server (IIS) and SSL-compatible X.509 certificates. They must be migrated separately. If the Network Access Protection (NAP) policies have been configured, they must be migrated separately as well. Use the following information to migrate these dependencies.
To migrate Web Server (IIS), use the IIS Web Deployment Tool Web Deploy (http://go.microsoft.com/fwlink/?LinkID=146695).
An SSL-compatible X.509 certificate is required before RD Gateway can serve connections. You can purchase an SSL-compatible X.509 certificate or use one that your organization already owns.
Obtain a new certificate. To obtain a new SSL certificate, follow the steps in the Help topic Obtain a Certificate for the Remote Desktop Gateway Server (http://go.microsoft.com/fwlink/?LinkID=178454). If the SSL certificate is not in .pfx format, you must export it to a .pfx file. For more information, see the section Export the SSL certificate later in this topic.
Use an existing certificate. If your organization has already purchased an SSL certificate signed by a certification authority (CA), you can export the certificate by using the private key. This is done by exporting the certificate to a .pfx file, which you secure with a password. You can then import that file to your destination server.
To prepare your certificate to be used in your RD Gateway deployment, you must export the certificate to a .pfx file. You will need to create a password for this file. After you create this file, lock it in a secure place.
To export your certificate to a .pfx file from an existing server, follow the steps in the Help topic Export a Certificate with the Private Key (http://go.microsoft.com/fwlink/?LinkID=186422).
You can import the certificate when you install the RD Gateway role service, or you can import it later. You must import the certificate before you import the settings on the destination server.
To import a certificate when you install the RD Gateway role service, see Install the Remote Desktop Gateway Role Service (http://go.microsoft.com/fwlink/?LinkId=188054).
To import the .pfx file after the RD Gateway role service has been installed, see Import a Certificate (http://go.microsoft.com/fwlink/?LinkId=188055).
After you obtain and import the certificate to the RD Gateway server, you must map the certificate to the RD Gateway server by using RD Gateway Manager.
To map the certificate to the RD Gateway server, see Select an Existing Certificate for Remote Desktop Gateway (http://go.microsoft.com/fwlink/?LinkId=188056).
For information about how to configure NAP attributes for TS CAPs, see the topic Configuring the TS Gateway NAP Scenario in the TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=188061).
If you are migrating RD Gateway settings between domains, there must be a trust relationship between the two domains. If there is not, the computer groups and user groups included in the RD CAPs and RD RAPs on the source server won’t be understood on the destination server, and the RD CAPs and RD RAPs will be invalidated. For more information, see Managing Domain and Forest Trusts (http://go.microsoft.com/fwlink/?LinkId=188073).
If you are migrating RD Gateway settings between servers on the same domain, no preparation of other computers in the enterprise is required.
You can import RD Gateway policy and configuration settings to an existing configured and activated RD Gateway server running Windows Server 2008 R2, or you can deploy a new RD Gateway server.
Back up your RD Gateway settings on the destination server before importing the settings from the source server.
You may at some point want to restore the original settings on the server that you are migrating to (the destination server). To make a copy of the original settings, export the destination server settings before you begin the migration, and then if there is a problem during the migration you can use this copy as a backup to restore. To export the settings on your destination server, follow the instructions to export the TS Gateway or RD Gateway settings in RD Gateway Migration: Migrating the RD Gateway Role Service.
To deploy a new RD Gateway server, see Remote Desktop Gateway Manager (http://go.microsoft.com/fwlink/?LinkId=188074).
You must install an SSL-compatible X.509 certificate before importing the RD Gateway settings to the destination server. If you have not already installed it, you should install it at this point in the migration. To install the SSL certificate, see Migrate SSL certificates for RD Gateway earlier in this topic.