Would you like to see the site in a different language?
TSPLUS BLOG
Configuring a Remote Desktop Gateway (RD Gateway) is one of the most effective ways to secure remote desktop connections without relying on VPNs. This guide explains how to set up RDP Gateway on Windows Server, with clear steps for installation, configuration, testing, and management, while highlighting how TSplus Remote Access can provide a simpler, cost-effective alternative.
)
IT administrators need to provide employees with reliable and secure access to internal desktops and applications. Traditionally, this was achieved by exposing RDP over port 3389 or relying on a VPN. Both approaches introduce complexity and potential security risks. Microsoft’s Remote Desktop Gateway (RD Gateway) solves this by tunneling Remote Desktop connections through HTTPS on port 443. In this article, we will walk through the setup process for RD Gateway on Windows Server and discuss how TSplus Remote Access offers an easier, scalable alternative for organizations of all sizes.
A Remote Desktop Gateway (RD Gateway) is a Windows Server role that allows secure remote connections to internal resources over the internet by tunneling RDP traffic through HTTPS on port 443. It protects against brute-force attacks with SSL/ TLS encryption and applies strict access rules through Connection Authorization Policies (CAPs) and Resource Authorization Policies (RAPs), giving administrators fine-grained control over who can connect and what they can access
One of the biggest advantages of RD Gateway is its reliance on HTTPS, which allows users to connect through networks that would normally block RDP traffic. The integration with SSL certificates also ensures encrypted sessions, and administrators can configure CAPs and RAPs to restrict access based on user roles, device compliance, or time of day.
Although VPNs are a common way to provide remote access, they often require more complex configuration and can expose broader parts of the network than necessary. By contrast, RD Gateway focuses specifically on securing RDP sessions. It does not grant access to the entire network, only to approved desktops and applications. This narrower scope helps reduce the attack surface and simplifies compliance in industries with strict governance requirements.
Before setting up RD Gateway, make sure your server is joined to the Active Directory domain and running Windows Server 2016 or later with the Remote Desktop Services role installed. Administrator rights are required to complete the configuration. You will also need a valid SSL certificate from a trusted CA to secure connections and properly configured DNS records so the external hostname resolves to the server’s public IP. Without these elements in place, the gateway will not function correctly.
The installation can be performed either through the
Server Manager
GUI or PowerShell. Using Server Manager, the administrator adds the Remote Desktop Gateway role through the Add Roles and Features wizard. The process automatically installs required components such as IIS. For automation or faster deployment, PowerShell is a practical option. Running the command
Install-WindowsFeature RDS-Gateway -IncludeAllSubFeature -Restart
installs the role and reboots the server as needed.
Once complete, administrators can confirm the installation with
Get-WindowsFeature RDS-Gateway
, which displays the installed state of the feature.
An SSL certificate must be imported and bound to the RD Gateway server to encrypt all RDP traffic over HTTPS. Administrators open RD Gateway Manager, navigate to the SSL Certificate tab, and import the .pfx file. Using a certificate from a trusted CA avoids client trust issues.
For organizations running test environments, a self-signed certificate may suffice, but in production, public certificates are recommended. They ensure that users connecting from outside the organization do not face warnings or blocked connections.
The next step is to define the policies that control user access. Connection Authorization Policies specify which users or groups are allowed to connect through the gateway. Authentication methods such as passwords, smart cards, or both can be enforced. Device redirection can also be allowed or restricted depending on the security posture.
Resource Authorization Policies then define which internal servers or desktops those users can reach. Administrators can group resources by IP addresses, hostnames, or Active Directory objects. This separation of user and resource policies provides precise control and reduces the risk of unauthorized access.
Testing ensures that the configuration works as expected. On a Windows client, the Remote Desktop Connection client (mstsc) can be used. Under Advanced settings, the user specifies the external hostname of the RD Gateway server. After providing credentials, the connection should be established seamlessly.
Administrators can also run command-line tests with
mstsc /v:
. Monitoring the logs within RD Gateway Manager helps confirm whether authentication and resource authorization are working as configured.
Since RD Gateway uses
port 443
, administrators must allow inbound HTTPS traffic on the firewall. For organizations behind a NAT device, port forwarding must direct requests on port 443 to the RD Gateway server. Proper DNS records must be in place so that the external hostname (for example,
rdgateway.company.com
) resolves to the correct public IP. These configurations ensure that users outside the corporate network can reach the RD Gateway without issue.
Ongoing monitoring is critical to maintaining a secure environment. The RD Gateway Manager provides built-in monitoring tools that show active sessions, session duration, and failed login attempts. Reviewing logs regularly helps identify potential brute-force attacks or misconfigurations. Integrating monitoring with centralized logging platforms can provide even deeper visibility and alerting capabilities.
While RD Gateway is a powerful tool, several common issues can arise during setup and operation. SSL certificate problems are frequent, especially when self-signed certificates are used in production. Using publicly trusted certificates minimizes these headaches.
Another common issue involves DNS misconfiguration. If the external hostname does not resolve properly, users will fail to connect. Ensuring accurate DNS records both internally and externally is essential. Firewall misconfigurations can also block traffic, so administrators should double-check port forwarding and firewall rules when troubleshooting.
Finally, CAP and RAP policies must be carefully aligned. If users are authorized by CAP but not given access by RAP, connections will be denied. Reviewing policy order and scope can resolve such access issues quickly.
While RD Gateway provides a secure method for publishing RDP over HTTPS, it can be complex to deploy and manage, particularly for small and medium-sized businesses. This is where TSplus Remote Access comes in as a simplified, cost-effective solution.
TSplus Remote Access eliminates the need for configuring CAPs, RAPs, and SSL bindings manually. Instead, it provides a straightforward web-based portal that allows users to connect to their desktops or applications directly through a browser. With HTML5 support, no additional client software is required. This makes remote access accessible on any device, including tablets and smartphones.
In addition to ease of deployment, TSplus Remote Access is significantly more affordable than implementing and maintaining Windows Server RDS infrastructure. Organizations can benefit from features such as application publishing, secure web access, and multi-user support, all within a single platform. For IT teams seeking a balance of security, performance, and simplicity, our solution is an excellent alternative to traditional RDP Gateway deployments.
Configuring a Remote Desktop Gateway helps organizations secure RDP traffic and provide encrypted access without exposing port 3389 or relying on VPNs. However, the complexity of managing certificates, CAPs, RAPs, and firewall rules can make RD Gateway challenging for smaller teams. TSplus Remote Access offers a simplified, affordable approach that delivers the same secure connectivity with fewer hurdles. Whether deploying RD Gateway or opting for TSplus, the goal remains the same: enabling reliable, secure, and efficient remote access to support modern workforces.
Your TSplus Team
One-Click Remote Access
The ideal alternative to Citrix and Microsoft RDS for remote desktop access and Windows application delivery.
Try it for freeTRUSTED BY 500,000+ COMPANIES
Related Posts
)
In this technical article, we’ll walk through how to configure RDP via the Windows Registry—both locally and remotely. We'll also cover PowerShell alternatives, firewall configuration, and security considerations.
)
This article offers complete and technically precise methods to change or reset passwords via Remote Desktop Protocol (RDP), ensuring compatibility with domain and local environments, and accommodating both interactive and administrative workflows.
)
Discover how Software as a Service (SaaS) is transforming business operations. Learn about its benefits, common use cases, and how TSplus Remote Access aligns with SaaS principles to enhance remote work solutions.
)
Discover in this article what RDP Remote Desktop Software is, how it works, its key features, benefits, use cases and security best practices.
