Configuring NAP Integration with RD Gateway Step-by-Step Guide

Applies To: Windows Server 2008 R2

About this guide

This step-by-step guide walks you through the process of setting up a working Remote Desktop Session Host (RD Session Host) server in a test environment. This server is accessible by using Remote Desktop Gateway (RD Gateway), and it uses Network Access Protection (NAP) to enforce health requirements on client computers. During this process, you will create a test deployment that includes the following components:

  • An RD Gateway server

  • An RD Session Host server

  • A Remote Desktop Connection client computer

This guide assumes that you previously completed the steps in the Deploying Remote Desktop Gateway Step-by-Step Guide, and that you have already deployed the following components:

  • An RD Session Host server

  • A Remote Desktop Connection client computer

  • An Active Directory Domain Services domain controller

This guide includes the following topics:

The goal of configuring the RD Gateway server with NAP is to enforce health requirements on client computers, while allowing external access to internal resources. By using NAP, you can help ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources by using RD Gateway servers.

What this guide does not provide

This guide does not provide the following:

Important

If you have previously configured the computers by using the Installing Remote Desktop Session Host Step-by-Step Guide, you should repeat the steps in that guide for the new installations.

Technology review

To enhance security, you can configure RD Gateway servers and clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology that is included in Windows® 7 and Windows Server® 2008 R2. By using NAP, you can enforce health requirements on client computers that connect to the RD Gateway server, which can include enabling firewalls, and setting security update requirements and other required computer configurations.

By using NAP, you can help ensure that client computers meet the health policy requirements of your organization before they are allowed to connect to internal network resources through RD Gateway servers.

Scenario: Deploying Remote Desktop Gateway

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy features in Windows Server without additional deployment documentation, and this guide should be used with discretion as a stand-alone document.

Upon completion of this step-by-step guide, you will have an RD Session Host server that users can connect to with the Remote Desktop client computer by using RD Gateway. The client computers will use NAP to enforce health requirements. You can then test and verify this functionality by connecting to the RD Session Host server by using RD Gateway from the Remote Desktop client as an authorized remote user.

The test environment described in this guide includes five computers that are connected to a private network using the following operating systems, applications, and services.

Computer name   Operating system         Applications and services
-------------   ----------------------   ---------------------------------------------
CONTOSO-DC      Windows Server 2008 R2   Active Directory Domain Services (AD DS), DNS
RDSH-SRV        Windows Server 2008 R2   RD Session Host
CONTOSO-CLNT    Windows 7                Remote Desktop Connection
RDG-SRV         Windows Server 2008 R2   RD Gateway

The computers form a private network, and they are connected through a common hub or Layer 2 switch. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the network. The domain controller is named CONTOSO-DC for the domain named contoso.com. The following figure illustrates the server scenario for RD Gateway, and it uses NAP to enforce client health policies.