Changing the TCP port used by RDP is not enough to raise the security level of a Windows server. Consider configuring a Remote Desktop Gateway in the Active Directory domain instead.
Remote Desktop Gateway — what is it?
Remote Desktop Gateway is a Windows Server role that tunnels RDP to internal servers over an SSL/TLS-encrypted HTTPS connection. The main advantage of this solution is that you do not need to deploy a VPN server: the gateway takes that place.
Note that starting with Windows Server 2008 R2 the Remote Desktop Services roles were renamed: what was previously called Terminal Services is now Remote Desktop Services.
Advantages of Remote Desktop Gateway
- Over an encrypted connection, the gateway lets remote users reach internal network resources without a VPN connection;
- The gateway controls access to specific network resources, providing comprehensive protection;
- The gateway allows connections to network resources located behind firewalls in private networks or behind NAT;
- In the gateway manager console you can configure authorization policies that define the conditions remote users must meet to connect to network resources. For example, you can specify which users may connect to internal network resources, whether the client computer must be a member of an AD security group, and whether device and disk redirection is permitted;
- The gateway manager console includes tools for monitoring the gateway's status. With them you can select events to audit, such as failed attempts to connect to the gateway server.
Important! The gateway server must be a member of an Active Directory domain. The gateway is configured only under a domain administrator account, on any server in the domain.
Installing the role.
Open Server Manager.
Select “Add Roles and Features”.
At the “Installation Type” step, select “Role-based or feature-based installation”.
In the next step, select the current server.
Server role: Remote Desktop Services.
Go to Role Services and select “Remote Desktop Gateway”.
Proceed to the confirmation step and click “Install”.
Configuring the connection and resource authorization policies.
In the window that opens, RD Gateway Manager, expand the tree in the left pane: server name → Policies → Connection Authorization Policies.
In the right pane, select Create New Policy → Wizard.
In the wizard that opens, select the recommended option “Create a RD CAP and a RD RAP (recommended)” and click “Next”.
In the next step, enter a descriptive name for the connection authorization policy. We recommend using English names.
Next, choose the authentication method: password or smart card. In our case we leave only “Password” checked. Then add the groups that are allowed to connect through this RD Gateway by clicking “Add Group…”.
In the group selection window, click “Advanced…”.
The window expands. Click “Find Now”. In the search results, select “Domain Admins” and click “OK”.
Back in the group selection window, check the selected object names and click “OK”.
The group is added. Click “Next” to go to the next step.
In the next step, select “Enable device redirection for all client devices” and click “Next”.
Set the timeouts: idle timeout and session timeout, both given in hours. Click “Next”.
Review the settings. If everything is correct, click “Next”.
Next, configure the resource authorization policy: enter the policy name and click “Next”.
The next step sets the user group membership. Usually the group is already filled in; if not, repeat the steps above. Click “Next”.
Now select the available network resources: choose the group that contains the servers the user groups are allowed to reach over Remote Desktop. Click “Browse…”.
In the group selection window, click “Advanced…”.
In the expanded window, click “Find Now”. In the results, select “Domain Controllers”.
Check the selected objects and click “OK”.
Verify once more which network resource group has been added and click “Next”.
If the RDP port has not been changed, select “Allow connections only to port 3389”. If it has been changed, specify the new port number.
At the confirmation step of policy creation, click “Close”.
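The same role installation and RD CAP / RD RAP pair can be created from PowerShell; this is an added example, not part of the original guide. It assumes the domain NetBIOS name CONTOSO, the policy names shown, and the numeric values for -AuthMethod and -ComputerGroupType as documented for the RDS: provider.

```powershell
# Added example: installs the RD Gateway role and creates the policies the wizard above
# produces. Run as a domain admin on the gateway server.
Import-Module ServerManager
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# The RemoteDesktopServices module exposes the gateway configuration as the RDS: drive.
Import-Module RemoteDesktopServices

$domain = "CONTOSO"   # assumption: NetBIOS name of your AD domain
$users  = "Domain Admins@$domain"

# Connection authorization policy: who may connect to the gateway at all.
# AuthMethod 1 selects password authentication (assumed mapping: 2 = smart card, 3 = either),
# matching the "Password" checkbox in the wizard.
New-Item -Path "RDS:\GatewayServer\CAP" -Name "CAP-DomainAdmins" `
    -UserGroups $users -AuthMethod 1

# Resource authorization policy: which internal hosts those users may reach.
# ComputerGroupType 1 means an Active Directory group (here "Domain Controllers");
# a new RAP allows RDP to port 3389 only, like the wizard's default radio button.
New-Item -Path "RDS:\GatewayServer\RAP" -Name "RAP-DomainControllers" `
    -UserGroups $users -ComputerGroupType 1 -ComputerGroup "Domain Controllers@$domain"

# Verify: list both policies with their effective settings.
Get-ChildItem "RDS:\GatewayServer\CAP\CAP-DomainAdmins"
Get-ChildItem "RDS:\GatewayServer\RAP\RAP-DomainControllers"
```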
When the setup is complete, the window will look similar to this.
Installing the SSL certificate.
In the same RD Gateway Manager window, click the server icon in the left pane and then, in the main pane, “View or modify certificate properties”.
In the “<server name> Properties” window that opens, go to the “SSL Certificate” tab. Select “Create a self-signed certificate” and click “Create and Import Certificate…”.
Two other options are also available:
- import a certificate that was uploaded earlier (self-signed or issued by a third party);
- obtain a certificate from a third-party CA (for example, Comodo) and import it.
In the “Create Self-Signed Certificate” window, check the settings and click “OK”.
The system reports that the certificate was created successfully and shows where the certificate file was saved. Click “OK”.
In the server properties window, click “Apply”.
The self-signed certificate is bound to TCP port 443 (the default SSL port).
For security reasons, we recommend changing the default SSL port. To do this, in the main menu of the window, select “Actions” → “Properties”.
Go to the “Transport Settings” tab and set the desired value in the “HTTPS port” field. Click “Apply” to save the settings.
The system asks for confirmation; answer “Yes”.
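The certificate steps above, done from PowerShell, as an added example that is not part of the original guide. It assumes the gateway hostname rdgw.contoso.local and that the HTTPS port was already set in Transport Settings; the thumbprint path and the CurrentValue property are those of the RDS: provider.

```powershell
# Added example: create the self-signed certificate, bind it to the gateway, and export the
# public part so clients can trust it.
Import-Module RemoteDesktopServices

$gwFqdn = "rdgw.contoso.local"   # assumption: the name clients will type into the RDP client

# Self-signed certificate in the machine store. The DNS name must match what clients use,
# otherwise the RDP client rejects the gateway with a name-mismatch error.
$cert = New-SelfSignedCertificate -DnsName $gwFqdn `
    -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(2)

# Bind it to the gateway (equivalent of "Create and Import Certificate..." plus Apply).
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $cert.Thumbprint

# Export only the public certificate (.cer, no private key) for the clients' Trusted Root
# store. A self-signed certificate is only as trustworthy as this distribution step.
$cerPath = Join-Path $env:TEMP "$gwFqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Verify: the gateway must report the new thumbprint (the RDS: provider exposes setting
# values in CurrentValue) and the HTTPS port must be listening.
$bound = (Get-Item "RDS:\GatewayServer\SSLCertificate\Thumbprint").CurrentValue
if ($bound -ne $cert.Thumbprint) { throw "Gateway is not using the new certificate" }
$httpsPort = 443   # assumption: replace with the port set under Transport Settings
Get-NetTCPConnection -State Listen -LocalPort $httpsPort
```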
Connecting via the gateway.
Open the RDP client (Remote Desktop Connection), go to the “Advanced” tab and click “Settings…”.
In the window that opens, select “Use these RD Gateway server settings”. Enter the gateway's domain name followed by a colon (:) and the SSL port. Set the logon method to “Ask for password (NTLM)”. Click “OK”.
Go to the “General” tab. Enter the address of the target computer and the user account for the connection. Click “Connect”.
The program prompts for the account password.
The path through the gateway can be checked with a trace: the tracert command.
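The client-side settings above saved as an .rdp file, a TCP check of the gateway port, and a look at the gateway's audit log, as an added example that is not part of the original guide. Hostnames, the port 4443 and the user name are assumed placeholders; the event IDs are those of the gateway's operational log.

```powershell
# Added example: build the .rdp file, probe the gateway's HTTPS port (a TCP check, which says
# more than tracert's ICMP path), and on the gateway list CAP/RAP audit events.
$gateway  = "rdgw.contoso.local"   # assumption: gateway FQDN
$sslPort  = 4443                   # assumption: the non-default HTTPS port set earlier
$target   = "dc01.contoso.local"   # assumption: internal host allowed by the RD RAP
$username = "CONTOSO\admin"        # assumption

# Equivalent of the "Advanced -> Settings..." dialog: gatewayusagemethod 1 = always use the
# gateway, gatewayprofileusagemethod 1 = use these explicit settings,
# gatewaycredentialssource 0 = ask for password (NTLM).
@"
full address:s:$target
username:s:$username
gatewayhostname:s:${gateway}:$sslPort
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@ | Set-Content -Path (Join-Path $env:USERPROFILE "Desktop\$target.rdp")

# Reachability check from the client: the gateway must accept TCP on its HTTPS port.
$probe = Test-NetConnection -ComputerName $gateway -Port $sslPort
if (-not $probe.TcpTestSucceeded) { throw "Gateway port $sslPort is not reachable" }

# On the gateway server: the operational log records every CAP/RAP decision, the audit
# source mentioned under "Advantages". 200/300 = policy met, 201/301 = policy NOT met,
# 302/303 = resource session connected/disconnected.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Id      = 200, 201, 300, 301, 302, 303
} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

Run the Get-WinEvent part on the gateway itself; repeated 201/301 events are the failed connection attempts the gateway manager console lets you audit.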