Setting up a 2012 R2 RDS Gateway for a workgroup


I decided that with my home lab setup I needed an RDS gateway, OTT you say? Well yes maybe but I also thought it might be a good learning exercise, and it was!

As I have only ever setup RDS for a domain I set about creating 3 VMs:-

  • Connection Broker
  • Session Host
  • Gateway/Licencing Server/Web App host

After getting everything thing installed I hit upon my first issue…Connection Brokers are not supported outside of a domain environment. Well off that one goes then!

I got my session host working following this fab blog:

However, after I got it all configured I found that again without AD it was only manageable through powershell, and in honesty really didn’t give me any added features that I was interested in so I turned that one off too!

This time onto the real purpose of the blog – a gateway server for my workgroup.

First and for most I had to change the name of my server to something meaningful and add a dns suffix (the fqdn of the external name, eg:

Using system properties > Change > More…

I have blacked out the suffix but there would be from my example before:

This change required a restart.

After this I added the Gateway role using Server Manager > Manage > Role-based or feature-based installation. Note with AD you can use the Remote Desktop Services installation however as we are in a workgroup you have to install each role individually.

Following the wizard through pick the current machine, then select the Remote Desktop Services role and Remote Desktop Gateway. Follow the wizard and install the features it suggests (it will require IIS too but will prompt).

Once installed you will find the Remote Desktop Gateway Manager in your start menu. Use this to configure the gateway.

First things first you need to configure an SSL certificate, you can use a self-signed for testing but you will need to import this to the Trusted Root Certification Authority for the user store on any machine you wish to connect to the gateway on. For ease you may wish to use a third party certificate, I will discuss this in another post. For now to configure with a self-signed certificate: Select properties on your server from the console > Choose SSL Certificate. Follow the wizard to create your certificate, please note for the certificate name enter the “Full Computer Name” that we assigned earlier, eg

Note the location the certificate is saved – this will come in handy later!

After you click ok the certificate will be applied.









Next expand your RD Gateway > Policies > and right click on Connection Authorization Policies > Create New Policy > Wizard.

Create a RD CAP and RD RAP policy together for ease. Firstly we create the CAP, I called mine RD_CAP_01. As mine is quite a simple setup I allowed users to connect if they were a member of the local administrators or the remote desktop users (meaning I could give a limited non admin user access using the RDP group):

I also chose to use password authentication, again as it’s a simple setup:

Following the wizard through I enabled device redirection for all client devices:

And finally configured the timeouts for sessions to lessen the strain my sever is put under if people leave connected sessions:

Secondly I created the RAP, I called mine RD_RAP_01. Following the wizard I added the same groups as above. You can then lock down which resources you wish people to connect to, by creating an RD Gateway-managed group, I however allowed users to connect to any resource.


Finally I allowed it to connect only to 3389, you can configure additional ports or just allow any.

Finish the wizard and apply the policies.

To test connect to an external source or a separate computer, firstly if you are using a self-signed cert you need to import it. Grab the cert from the location above: C:UsersAdministratorDocumentscertname.cer. Copy it onto your other machine and double click:

Click Install Certificate and follow the wizard through. Choosing Current User for the store location.

Choose Place all certificates in the following store and select Trusted Root Certification Authorities:

Finish the wizard and open up Remote Desktop Connection. Choose Show Options and select advanced:

Next choose Settings under Connect from anywhere:

Enter the server name as the same name you added for certificate name and server name earlier in this case If you are using a computer on the same network for testing ensure the box for Bypass RD Gateway server for local addresses is empty.

Now give it a test, all being well you should be able to connect successfully to your network resource via your gateway.

One thing I noted however was I didn’t need to add the 3391 port to my port forwarding on my router but instead 443 was sufficient on its own. For me the RDP program would freeze and be unable to connect, not the most helpful of errors! After allowing 443 through the firewall my connection worked successfully.

About the author