Remote Desktop Gateway and Resulting Internet Communication in Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of Remote Desktop Gateway

Examples of security-related features in Remote Desktop Gateway

Procedure for viewing or changing Group Policy settings that affect Remote Desktop Gateway in Windows Server 2008 R2

Additional references

This section provides overview information about Remote Desktop Gateway (RD Gateway) and information about some Group Policy settings that affect RD Gateway. The section also provides suggestions for other sources of information about RD Gateway to help you balance your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets. However, it is beyond the scope of this document to describe all aspects of maintaining appropriate levels of privacy and security in an organization running servers that use RD Gateway to support remote users who are communicating across the Internet.

Benefits and purposes of Remote Desktop Gateway

Remote Desktop Gateway is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client version 6. The network resources can be Remote Desktop Session Host (RD Session Host) servers, RD Session Host servers running RemoteApp programs, Remote Desktop Virtualization Host, or computers with Remote Desktop enabled.

RD Gateway uses the Remote Desktop Protocol (RDP) over Hypertext Transfer Protocol Secure (HTTPS) to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.

RD Gateway enables remote users to connect to internal network resources over the Internet by using an encrypted connection without configuring a virtual private network (VPN) connection.

For more information about RD Gateway, see Additional references later in this section.

Examples of security-related features in Remote Desktop Gateway

RD Gateway includes a variety of settings and features related to security, some of which are described in the following list. For additional information about security-related improvements in RD Gateway, see Additional references later in this section.

  • RD Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.

  • RD Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.

  • RD Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators. You do not need to perform additional configuration for the RD Gateway server or clients for this scenario.

    Prior to Windows Server® 2008, security measures prevented remote users from connecting to internal network resources across firewalls and network address translators. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes at firewalls and proxies. Remote Desktop transmits RDP traffic by using an RPC over HTTPS tunnel on port 443. Because most corporations open port 443 to enable Internet connectivity, RD Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls and proxies.

  • The Remote Desktop Gateway Manager enables you to configure authorization policies that define conditions that must be met for remote users to connect to internal network resources. For example, you can specify the following:

    • Who can connect to network resources (the user groups that can connect)

    • What network resources (computer groups) users can connect to

    • Whether client computers must be members of Active Directory® security groups

    • Whether device redirection is allowed

    • Whether clients need to use smart card authentication or password authentication, or whether they can use either method

  • You can configure RD Gateway servers and Remote Desktop Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Server 2008 R2, Windows Server 2008, Windows® 7, Windows Vista®, and Windows XP Service Pack 3. With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.

    Note

    Computers running Windows Server 2008 R2 or Windows Server 2008 cannot be used as NAP clients when RD Gateway enforces NAP. Only computers running Windows 7, Windows Vista, and Windows XP SP3 can be used as NAP clients when RD Gateway enforces NAP.

    For information about how to configure RD Gateway to use NAP for health policy enforcement for Remote Desktop Services clients that connect to RD Gateway servers, see [Remote Desktop Services](https://go.microsoft.com/fwlink/?linkid=138055).
  
  • You can use an RD Gateway server with Microsoft® Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host RD Gateway servers in a private network rather than a perimeter network, behind an ISA Server. The SSL connection from the Remote Desktop Services client can be terminated at the ISA Server, which is accessible from the Internet.

    For information about how to configure ISA Server as an SSL termination device for RD Gateway server scenarios, see Remote Desktop Services.

  • The Remote Desktop Gateway Manager provides tools to help you monitor RD Gateway connection status, health, and events. By using Remote Desktop Gateway Manager, you can specify events (such as unsuccessful connection attempts to the RD Gateway server) that you want to monitor for auditing purposes.

Procedure for viewing or changing Group Policy settings that affect Remote Desktop Gateway in Windows Server 2008 R2

The following procedure explains how to view or change Group Policy settings that affect RD Gateway in Windows Server 2008 R2.

To view or change Group Policy settings that affect Remote Desktop Gateway

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy object (GPO).

  2. Expand User Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click RD Gateway.

  3. In the details pane, double-click each setting that you want to view or change. If you want more information about a setting, double-click the setting and then click the Explain tab.

    For all of these settings, if you select Enabled, you can then select or clear a check box labeled Allow users to change this setting. The settings are as follows:

    • Set RD Gateway authentication method

    • Enable connection through RD Gateway

    • Set RD Gateway server address
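The three settings listed above also appear as gateway properties in saved .rdp connection files, so files that are distributed to users can be checked against the policy you intend to enforce. The following Python script is an added example, not part of the original documentation. It assumes that the .rdp properties gatewayusagemethod, gatewayhostname, and gatewaycredentialssource correspond to the three settings; the host names, sample files, and allowed values are constructed.

```python
# Added example: audit .rdp file text against an expected RD Gateway policy.
# Host names, sample files and the policy values are constructed for illustration.
USAGE = {0: "do not use a gateway", 1: "always use a gateway",
         2: "use a gateway only if a direct connection fails",
         3: "use default gateway settings",
         4: "do not use a gateway, bypass for local addresses"}
CREDS = {0: "password (NTLM)", 1: "smart card", 4: "user selects later"}

def parse_rdp(text):
    """Parse 'name:type:value' lines; the caller decodes the file (often UTF-16)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) != 3:
            continue                          # blank or malformed line
        name, kind, value = (p.strip() for p in parts)
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass                          # keep the raw text so the audit flags it
        settings[name.lower()] = value
    return settings

def audit_gateway(text, expected_host, allowed_creds):
    """Return a list of findings; an empty list means the file matches policy."""
    s = parse_rdp(text)
    findings = []
    usage = s.get("gatewayusagemethod")
    if usage != 1:
        findings.append("gateway not enforced: " + USAGE.get(usage, f"unset or unknown ({usage!r})"))
    host = str(s.get("gatewayhostname", "")).lower()
    if host != expected_host.lower():
        findings.append("unexpected gateway server address: " + (host or "(none)"))
    cred = s.get("gatewaycredentialssource")
    if cred not in allowed_creds:
        findings.append("authentication method not allowed: " + CREDS.get(cred, f"unset or other ({cred!r})"))
    return findings

GOOD = "full address:s:app01.corp.example:3389\ngatewayhostname:s:rdgw.example.com\n" \
       "gatewayusagemethod:i:1\ngatewaycredentialssource:i:1\n"
BAD = "full address:s:app01.corp.example\ngatewayhostname:s:rdgw.example.net\n" \
      "gatewayusagemethod:i:2\ngatewaycredentialssource:i:0\n"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_gateway(text, "rdgw.example.com", allowed_creds={1}) or "ok")
```

A file that produces findings either bypasses the gateway, points at a server other than the approved one, or uses an authentication method outside the allowed set.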

Additional references

For more information, see the following resources: