Standalone RD Gateway Server without RDS Infrastructure

by AZURE SECURITY NEWS EDITOR
January 5, 2021
in News
In this article, I will demonstrate how to deploy a standalone RD Gateway server on Windows Server 2012 R2 without deploying the rest of the RDS infrastructure. RD Gateway is a built-in Windows Server role that allows RDP connections to internal servers from the Internet through an HTTPS tunnel.

Article applies to: Windows Server 2012 / 2012 R2 / 2016 / 2019

Remote Desktop (RD) Gateway Overview

This feature is especially useful for accessing servers hosted in a public cloud such as Azure or AWS from the Internet without configuring a VPN connection. It reduces the attack surface of your Windows-based instances while still providing a remote administration path for administrators.

You can also deploy an RD Gateway server in on-premises networks (typically in a DMZ). The RD Gateway controls who may connect over RDP and to which internal server; it enforces this through the Network Policy Server (NPS) component. I feel this is better than allowing point-to-site VPN connections, where part or all of the internal network would be exposed.

RD Gateway can be a good alternative to paid tools for remote server management and access. It does need a server OS license and a public IP, but that should not be a roadblock for infrastructure hosted in the cloud, where providers offer virtual server hosting, licensing and public IPs at reasonable rates. It does not require RDS CALs. It does need a publicly trusted SSL certificate, but you can obtain one from Let’s Encrypt for free, or reuse an existing wildcard certificate.

RD Gateway was originally developed to allow secure connectivity to an RDS application infrastructure from the Internet. The RD Gateway server should be hosted in a DMZ or isolated network segment where one is available. It consists of two components: an RPC-over-HTTP/HTTP proxy and NPS. The proxy component accepts RDP connections encapsulated in an HTTPS tunnel from the Internet and forwards them to internal resources; NPS validates user credentials against the domain controllers and evaluates the CAP and RAP policies that grant access to resources.

From Windows Server 2012 onwards, RD Gateway supports RPC over HTTP, HTTP and UDP transports, all encapsulated in an SSL/TLS tunnel, to connect to internal resources. RDP clients version 8.0 and above support pure HTTP-based encrypted RDP connections from the Internet; earlier clients use RPC-over-HTTP-based encrypted connections, likewise inside an SSL tunnel.

RD Gateway Deployment and Configuration

Initial Deployment

For this demonstration, I have used Azure cloud servers (Windows Server 2012 R2), and the RD Gateway deployment is used to access Azure servers from the Internet. All we need to do is publish the RD Gateway server on the Internet over HTTPS.

The server must accept TCP 443 and UDP 3391 inbound. It encapsulates the RDP protocol in an HTTPS tunnel, so the connection remains encrypted. The server can be a workgroup member or a domain member; domain membership provides more control in a domain environment. I already had a lab AD domain set up in Azure, and the server was already joined to it.

The server should have at least 4 GB of memory and two CPU cores; based on my experience, 8 GB is recommended. There are no special disk space requirements for an RD Gateway server. Since this variant is meant for RDP in administration mode, the number of connections is limited and even a minimal hardware configuration is fine.

Multiple RD Gateway servers can be deployed for high availability and load balancing.

Install the RD Gateway server role and its management console from PowerShell; this installs the NPS role as well.
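The role installation and a quick verification, as an added example written for this article rather than taken from it. It assumes an elevated PowerShell session on Windows Server 2012 R2 or later; RDS-Gateway and NPAS are the Windows feature names for the RD Gateway role service and NPS.

```powershell
# Added example (not from the original article): install the RD Gateway role
# and its management console with PowerShell, then confirm that the dependent
# Network Policy Server (NPAS) role came along with it.
# Assumes an elevated PowerShell session on Windows Server 2012 R2 or later.

# RDS-Gateway is the feature name of the RD Gateway role service.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Verify that both the gateway role and the NPS role are installed.
Get-WindowsFeature -Name RDS-Gateway, NPAS |
    Select-Object Name, DisplayName, InstallState

# The RDS: PowerShell drive (RemoteDesktopServices module) is the scriptable
# counterpart of RD Gateway Manager; listing it confirms the role is usable.
Import-Module RemoteDesktopServices
Get-ChildItem -Path RDS:\GatewayServer | Select-Object Name
```

Both features should report InstallState Installed before continuing with the certificate and policy configuration.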

SSL Certificate Configuration

Now open RD Gateway Manager from Administrative Tools.

From the screenshot above, we can see that we need to install a valid SSL certificate for a publicly resolvable domain, issued by a public CA, and also configure NPS policies to control who can access which internal resources through this RD Gateway server. I am using Let’s Encrypt certificates; several client utilities are available to generate a CSR and request certificates from Let’s Encrypt. I have used Certify SSL Manager; you may use GetCert as well.

My public domain name is exchangelabs.in and the certificate common name is “rdgateway.exchangelabs.in”. The server must be published on the Internet under the certificate common name only. Let’s Encrypt certificates are valid for 90 days, so you need to renew them every three months; this can be automated.

Once the certificate is requested and installed on the server, right-click the server in the left pane of RD Gateway Manager and click Properties.

Click “Import certificates” under the SSL Certificate tab.

Select the certificate issued for exchangelabs.in, click Import, and then click Apply on the main Properties page.

The certificate is now applied.

NPS Policy Configuration

Since we want to use the NPS component on the same server for connection and resource authorization, we need to instruct the RD Gateway server to use the local NPS for this.

The next step is to create the NPS policies: a Connection Authorization Policy (CAP) and a Resource Authorization Policy (RAP).

In RD Gateway Manager, right-click Policies and click “Create New Authorization Policies”.

Select the first option to create both policies in one wizard, then click Next.

Name the CAP and click Next.

Select the password-based authentication method and add the AD user group that should be allowed to connect through this RD Gateway server. You may also restrict which computers can connect through the gateway by specifying a client computer group in Active Directory; this limits access from the Internet to specific domain-joined computers only.

On this page, define whether the client's local resources may be mapped on the server being connected to over RDP through this RD Gateway server.

On this page, define the idle session timeout and the session timeout action.

Review the summary and click Next.

Give the RAP a name and click Next.

Add here the same AD user group that we previously added in the CAP section. These users can connect to the internal server resources over RDP.

On this page, specify an AD computer group, a custom RD Gateway-managed group, or allow users to connect to any network resource (computer). The difference is that with “any network resource” you can connect to workgroup servers as well. Make your selection and click Next.

By default, the RD Gateway server connects to internal servers on RDP port 3389. You can change this port; however, the same change has to be made on the internal resource being connected to.

For that, the registry needs to be modified on the internal resources, as mentioned in this Microsoft article.

Review the summary and click Finish.

The CAP and RAP policies are created successfully. Click Close.
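The same configuration done from the RDS: provider instead of the wizard (certificate binding, local NPS, then one CAP and one RAP), as an added example that is not part of the original article. The item paths and New-Item parameters are as I recall them from Microsoft's RemoteDesktopServices provider documentation and should be checked with Get-Help on your build; the group names are placeholders and the certificate common name is the one used in the article.

```powershell
# Added example (not from the original article): configure the gateway from the
# RDS: provider instead of the RD Gateway Manager wizard. Group names are
# placeholders for this lab and must be changed; parameter names/values are
# assumptions from the provider documentation (verify with Get-Help New-Item -Path RDS:).
Import-Module RemoteDesktopServices

$certName  = 'rdgateway.exchangelabs.in'   # common name from the article
$userGroup = 'RDG-Users@LABDOMAIN'         # placeholder: AD user group in Group@Domain form
$serverGrp = 'RDG-Servers@LABDOMAIN'       # placeholder: AD computer group of permitted RDP targets

# 1. Bind the installed certificate (with private key) to the gateway.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$certName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $certName in LocalMachine\My" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 2. Evaluate CAP/RAP on the local NPS (0 = local NPS, 1 = central NPS server).
Set-Item -Path RDS:\GatewayServer\CentralCAPEnabled -Value 0

# 3. Connection Authorization Policy: who may connect to the gateway at all.
#    AuthMethod 1 = password; timeouts in minutes; SessionTimeoutAction 0 = disconnect.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Admins-CAP' `
    -UserGroups $userGroup -AuthMethod 1 `
    -IdleTimeout 30 -SessionTimeout 480 -SessionTimeoutAction 0

# 4. Resource Authorization Policy: which internal computers those users may reach.
#    ComputerGroupType 1 = AD computer group (2 would allow any network resource).
New-Item -Path RDS:\GatewayServer\RAP -Name 'Admins-RAP' `
    -UserGroups $userGroup -ComputerGroupType 1 -ComputerGroup $serverGrp `
    -PortNumbers 3389

# Review what was created.
Get-ChildItem -Path RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
```

Restricting the RAP to a named computer group rather than "any network resource" is the setting that keeps a compromised gateway account from reaching workgroup hosts or arbitrary internal machines; the wizard exposes the same choice on the RAP network resources page.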

Server Transport Settings and SSL Bridging

With Windows Server 2012 and above, the RD Gateway server supports three transports: RPC over HTTP, HTTP, and UDP. A UDP connection can only be made after the HTTPS tunnel has been established. Windows RDP clients prior to version 8 always connect to the RD Gateway using the RPC-over-HTTP transport.

Before publishing the server to the Internet, make sure that the default inbound ports, TCP 443 and UDP 3391, are configured in the Transport Settings tab of the RD Gateway server properties.

The next step is to publish the RD Gateway server on the Internet. In my case, this is a VM hosted in Azure, so I assigned an Azure public IP that is NATed directly to the gateway's internal IP. I have also configured a Network Security Group (NSG) in Azure that allows TCP 443 and UDP 3391 inbound to the RD Gateway server from the Internet. UDP transport was introduced with Windows Server 2012 to improve RDP performance over poor Internet connections.

The table below shows the network ports and protocols required for RD Gateway functionality.

PURPOSE | PORTS AND PROTOCOLS | SOURCE | DESTINATION
------- | ------------------- | ------ | -----------
Internet to RD Gateway | TCP 443 (HTTPS), UDP 3391 | Open Internet | RD Gateway public interface IP
RD Gateway to internal servers | TCP 3389 (RDP) | RD Gateway internal IP | Internal servers (resources)
Active Directory authentication for RD Gateway and RDP clients | AD authentication ports (refer to the Microsoft link) | RD Gateway internal IP | Domain controllers

In Azure I have published the RD Gateway server directly on the Internet. It is a direct NAT connection, hence I have not modified the RD Gateway SSL bridging setting: the connections are decrypted by the server itself.

However, if you are installing the RD Gateway server in a corporate network and the public IP is configured on the firewall, then it is recommended to bridge or offload the SSL connections on the firewall, and the RD Gateway needs to be configured to match, as shown below.

Select the first radio button if the firewall is configured for SSL bridging. SSL bridging is a process where a security device in the DMZ decrypts the SSL traffic, inspects the packets, and re-encrypts them before sending them on to the RD Gateway server. The RD Gateway server then has to decrypt the traffic again, so it should have a powerful CPU if the connecting user base is large, since it decrypts and processes all connections.

OR

Select the second radio button if the firewall is configured for SSL offloading. SSL offloading is a process where the security device in the DMZ decrypts the SSL traffic and sends unencrypted (HTTP) packets to the RD Gateway server; traffic between the firewall and the RD Gateway remains unencrypted. This option keeps the server's processor free, as it does not need to decrypt connection requests.

OR

If the firewall is configured as a pass-through, do not use SSL bridging. The firewall does not decrypt the SSL traffic, and encrypted connections are terminated and decrypted on the RD Gateway server directly. That is what Azure does here, as SSL traffic is forwarded straight to the RD Gateway server via IP NAT and port forwarding. The server should have a powerful CPU if the connecting user base is large.
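The port table and the SSL bridging choice above, applied to the Azure setup described in the article, as an added example that is not the article's own code. The Az cmdlets run from an administrator's workstation with the Az module; the listener check and the RDS: setting run on the gateway itself. Resource group, NSG name and internal IP are placeholders; the SSLBridging item path and its 0/1/2 values are assumptions from the RDS provider documentation.

```powershell
# Added example (not from the original article): allow only the two gateway
# ports from the Internet in the Azure NSG, confirm the gateway is listening
# on them, and set SSL bridging to match a direct NAT (pass-through).
# Resource names are placeholders for this lab; requires the Az PowerShell module.

$rgName  = 'rdgateway-rg'    # placeholder resource group
$nsgName = 'rdgateway-nsg'   # placeholder NSG attached to the gateway NIC or subnet
$gwIp    = '10.0.1.4'        # placeholder: gateway's internal (NATed) IP

# --- Run from the admin workstation (Az module) ---
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Inbound rules from the table: TCP 443 and UDP 3391 only, destination = the gateway.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDG-HTTPS' -Direction Inbound -Access Allow `
    -Priority 100 -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix $gwIp -DestinationPortRange 443 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDG-UDP' -Direction Inbound -Access Allow `
    -Priority 110 -Protocol Udp -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix $gwIp -DestinationPortRange 3391 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Deliberately no rule for TCP 3389 from the Internet: per the table, RDP to
# internal servers only ever originates from the gateway's internal IP.

# --- Run on the gateway server ---
# Are the transports actually listening on the ports configured in Transport Settings?
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -LocalPort 3391 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# SSL bridging must match what sits in front of the gateway (assumed values):
# 0 = none (pass-through / direct NAT, as in Azure here), 1 = SSL bridging, 2 = SSL offloading.
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLBridging -Value 0
Get-Item -Path RDS:\GatewayServer\SSLBridging
```

If the UDP endpoint is missing, clients silently fall back to HTTP only, which works but loses the performance benefit the article describes for poor links; the TCP 443 listener, by contrast, is mandatory.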

DNS Configuration

Configure a DNS record for the RD Gateway server's public FQDN in public DNS.

Also add the record on the internal AD DNS server.

Client Connectivity

Now, from an Internet client (RDP client version 10), we can test connectivity to the internal servers.

On the external client machine, open the RDP client, go to the Advanced tab and click Settings. There, configure the RD Gateway server's public FQDN as shown above. Also select the last checkbox to forward the gateway credentials to the internal server while connecting over RDP, since both servers are part of the same AD domain.

Now type the internal server hostname, followed by the internal ADDomain\username, and click Connect.

When prompted, supply the credentials and click OK. Note that the user must be a member of the AD group configured in the NPS policy in order to connect through the RD Gateway.
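The client settings from the steps above written as an .rdp file, as an added example rather than something from the article. The gateway FQDN is the article's; the internal server name and the user name are placeholders. The gateway* and promptcredentialonce keys are the standard mstsc .rdp settings that the Advanced tab dialog writes.

```powershell
# Added example (not from the original article): build an .rdp file that
# encodes the client settings described above, then launch mstsc with it.
# The gateway FQDN is from the article; target server and user are placeholders.

$gatewayFqdn = 'rdgateway.exchangelabs.in'    # public FQDN, must match the certificate CN
$targetHost  = 'labserver01.exchangelabs.in'  # placeholder: internal server reachable via the gateway
$userName    = 'LABDOMAIN\admin'              # placeholder: Domain\username

$rdp = @"
full address:s:$targetHost
username:s:$userName
gatewayhostname:s:$gatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@
# gatewayusagemethod 1        = always go through the RD Gateway (never attempt a direct connection)
# gatewayprofileusagemethod 1 = use these explicit gateway settings instead of the default profile
# gatewaycredentialssource 0  = password (NTLM) authentication to the gateway
# promptcredentialonce 1      = reuse the gateway credentials for the internal server
#                               (the "last checkbox" above; works because both are in the same domain)
# authentication level 2      = warn if the server's identity cannot be verified

$path = Join-Path $env:TEMP 'rdgateway-lab.rdp'
Set-Content -Path $path -Value $rdp -Encoding Unicode
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$path`""
```

Because gatewayusagemethod is 1, the client never tries TCP 3389 to the internal host directly; if the connection fails, the problem lies in DNS, the certificate name, or the CAP/RAP membership, not in a missing firewall hole.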

With the client connected to the internal server seamlessly and securely, you can see and click the padlock in the connection status bar.

You can now view the connected sessions. The HTTP and UDP connections come from the Windows 10 RDP client.

The RPC-over-HTTP connection comes from the Windows 7 RDP client (7.1).

We can disconnect either a user or a single connection. Disconnecting a user disconnects all sessions initiated by that user.
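The session view and the disconnect action from the console, plus the gateway's own audit log, scripted as an added example that is not part of the article. It uses the Win32_TSGatewayConnection WMI class and the RD Gateway operational event log; the property names and the event IDs (201 and 301 for failed CAP and RAP checks) are as I know them from those sources and should be verified on your build.

```powershell
# Added example (not from the original article): enumerate live gateway
# connections with the Win32_TSGatewayConnection WMI class, disconnect one
# user, and pull the gateway's audit events for denied connections.
# Property names and event IDs are assumptions from the gateway's WMI provider
# and operational log; verify them on your build before relying on them.

$ns = 'root/CIMV2/TerminalServices'

# Equivalent of the Monitoring view in RD Gateway Manager.
function Get-RdgSession {
    Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayConnection |
        Select-Object UserName, ClientAddress, ConnectedResource, ResourcePort,
                      ConnectedTime, IdleTime
}

# Disconnect every connection of one user (the "disconnect user" action above).
function Disconnect-RdgUser {
    param([Parameter(Mandatory)][string]$UserName)
    Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayConnection |
        Where-Object UserName -eq $UserName |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName Disconnect | Out-Null }
}

# Audit trail: the gateway records CAP and RAP decisions in its operational log.
# 201 = user did not meet the CAP, 301 = user did not meet the RAP (assumed IDs).
# A burst of these from one client address is the first sign of credential guessing
# against the gateway and is worth forwarding to your SIEM.
function Get-RdgDenied {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 201, 301
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-RdgSession | Format-Table -AutoSize
Get-RdgDenied -Hours 24 | Group-Object Id | Select-Object Name, Count
```

Run Disconnect-RdgUser -UserName 'LABDOMAIN\someuser' to drop all of that user's sessions at once; because the gateway sits in front of every RDP path from the Internet, this is also the quickest containment step when an account is suspected of being compromised.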

RD gateway load balancing and High Availability

The Windows Server 2012 RD Gateway supports hardware and software load balancing but does not support DNS round-robin load balancing. The RD Gateway servers that take part in load balancing must be added to the RD Gateway farm, as shown above.

DNS round-robin load balancing is not supported because the HTTP transport uses two HTTP channels (input and output) that must be routed to the same RD Gateway server, and DNS round robin may not send both channels to the same server. Hardware and software load balancers support IP- or cookie-based affinity, which ensures that both HTTP connections reach the same RD Gateway. The UDP and HTTP connections, on the other hand, may be handled by separate RD Gateway servers. Microsoft NLB can be used, since it supports IP-based affinity; within Azure, you can use the Azure software load balancer.

I have covered most aspects of a standalone RD Gateway server here and hope that you find it useful.

If you have any comments to share about any of the information presented here, I encourage you to leave a comment below or Ask a Question to get help from myself and other highly talented experts at Experts Exchange.

Reference: https://www.experts-exchange.com/articles/33710/Standalone-RD-Gateway-Server-without-RDS-Infrastructure.html
