SOLVED: How to Install and Configure A Server 2012 Remote Desktop Gateway
I have confirmed with Microsoft Partner Support that MS has no plans to update their 2008 R2 documentation to accommodate the changes in Server 2012. That's not nice, because this was one complex setup (if you are used to how simple the Server 2008 R1 TS Gateway was, like me).
The problem with these instructions is that I am writing most of them from memory. So here goes, as best as I can remember.
Server 2012 Remote Desktop Gateway Deployment Guide
Base RD Gateway Install:
Create a new Server 2012 (VM in my case) and join it to your domain
Launch Server Manager on the Server 2012 machine that already holds your Remote Desktop Services deployment (i.e. NOT the new VM you just created in step 1).
Right click on ALL SERVERS and select ADD SERVERS, find your new VM and add it. Microsoft's overview of this process is available HERE.
In Server Manager, Click REMOTE DESKTOP SERVICES and in the DEPLOYMENT OVERVIEW window click the blue + on RD GATEWAY
I don't recall the details of this process, but I recall it being pretty straightforward. Just select your new VM and do what is obvious.
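The same base install, done with the RemoteDesktop PowerShell module instead of the Server Manager clicks above. This is an added example, not code from the original post; the host names are placeholders, and it is run on the server that already holds the RDS deployment (the RD Connection Broker), not on the new gateway VM.

```powershell
# Added example: script equivalent of "Add Servers" + the blue "+" on RD GATEWAY.
# Placeholder names; replace with your own. Run on the RD Connection Broker.
Import-Module RemoteDesktop

$Broker       = 'rdcb.corp.example.com'    # existing connection broker (assumed name)
$Gateway      = 'rdgw.corp.example.com'    # the new domain-joined VM (assumed name)
$ExternalFqdn = 'remote.example.com'       # public name clients will use; must match the cert later

# Adds the RD Gateway role to the deployment on the new VM.
Add-RDServer -Server $Gateway -Role RDS-GATEWAY `
    -ConnectionBroker $Broker -GatewayExternalFqdn $ExternalFqdn

# Tells the deployment to route client connections through the gateway.
# -BypassLocal $false is the same as unchecking "Bypass RD Gateway server for
# local addresses", so LAN clients exercise the gateway as well.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $ExternalFqdn -LogonMethod Password `
    -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker $Broker -Force

# Verify: the gateway should be listed with the RDS-GATEWAY role and the
# deployment should report the external FQDN you set.
Get-RDServer -ConnectionBroker $Broker -Role RDS-GATEWAY
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
```

Check the output of the last two cmdlets before moving on: if the gateway is missing from Get-RDServer, the rest of the guide (policies, certificate) has nothing to attach to.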
Configure RD Gateway To Use Network Access Protection
From here on everything is done on the RD Gateway VM
Start the REMOTE DESKTOP SERVICES GATEWAY MANAGER and expand your server then POLICIES
In CONNECTION AUTHORIZATION POLICIES, delete the existing policy (don't worry, the next step will build three new ones)
Launch NETWORK POLICY SERVER and on the GETTING STARTED windows, click CONFIGURE NAP
Select REMOTE DESKTOP GATEWAY from the drop-down list and complete the wizard, which should create three NAP policies for you
You can go into NETWORK POLICY SERVER > NETWORK ACCESS PROTECTION > SYSTEM HEALTH VALIDATORS > SETTINGS if you want to customize the options but the defaults were good for me
Launch RD GATEWAY MANAGER > POLICIES > RESOURCE AUTHORIZATION POLICIES, then double click on the only policy and on the NETWORK RESOURCE tab you might want to change the setting from whatever group you have to ALLOW USERS TO CONNECT TO ANY NETWORK RESOURCE. This is because you might see a "Your user account is not listed in the RD Gateway's permission list." error, as detailed in THIS thread and THIS thread. Be aware that this setting removes the RAP's only restriction on which internal hosts gateway users can reach; if you can, fix the group membership instead so the policy still lists only the computers clients need to get to.
Launch IIS MANAGER and select your server (not the SITE, but the server)
Double click SERVER CERTIFICATES
Right click and select CREATE A CERTIFICATE REQUEST, enter all of the information, but be sure to change the BIT LENGTH to 2048. The COMMON NAME must be the external FQDN clients will use to reach the gateway, since that is the name the client checks against the certificate.
Submit this to your CA of choice (like us) and go through their approval process.
After you have received your new cert you will need to import it. For me it was more complex because I had an intermediate certificate to import, so I followed up to step 18 in THIS help file from GoDaddy.
In SERVER MANAGER, click REMOTE DESKTOP SERVICES, and on the DEPLOYMENT OVERVIEW window click the TASKS drop down and select EDIT DEPLOYMENT PROPERTIES
Expand CERTIFICATES, click on RD GATEWAY, and select SELECT EXISTING CERTIFICATE and follow the wizard.
Note that to get this to work I needed to rename my cert to end with .PFX and I did NOT enter a password. A .pfx holds the gateway's private key, so delete the file (or lock down its permissions) once the deployment has imported it.
To verify it was installed properly, I went to IIS MANAGER, clicked on my server, then SERVER CERTIFICATES and bingo, it looked happy.
Right Click on that file and select RUN AS ADMINISTRATOR
Check your SERVICES to confirm the NETWORK ACCESS PROTECTION AGENT service is now running
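The certificate request, import and Resource Authorization Policy steps of this section, scripted. This is an added example, not code from the original post. It assumes the placeholder names below, that you run it as an administrator on the RD Gateway VM, and that your RemoteDesktop module has the -Thumbprint parameter on Set-RDCertificate (if yours only has -ImportPath, use the commented alternative). The ComputerGroupType value mapping in step 4 is my reading of the RDS: provider; confirm it with Get-Item on your own RAP before changing anything.

```powershell
# Added example; placeholder names and paths.
$ExternalFqdn = 'remote.example.com'         # public name on the cert (assumed)
$Broker       = 'rdcb.corp.example.com'      # connection broker (assumed)
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# 1. Certificate request: 2048-bit RSA key, SHA-256, Server Authentication EKU,
#    CN = the external FQDN. Same thing the IIS "Create Certificate Request"
#    dialog builds, but reproducible and with the key length fixed up front.
@"
[NewRequest]
Subject = "CN=$ExternalFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path C:\certs\rdgw.inf -Encoding ASCII

certreq.exe -new C:\certs\rdgw.inf C:\certs\rdgw.req   # submit rdgw.req to your CA

# 2. When the CA returns the signed cert (rdgw.cer), bind it to the pending
#    request so it lands in the machine store next to its private key.
#    Import the CA's intermediate certificate into
#    Cert:\LocalMachine\CA first if your CA uses one.
certreq.exe -accept C:\certs\rdgw.cer

# 3. Hand the cert to the RDS deployment for the gateway role by thumbprint,
#    which avoids writing an unprotected .pfx to disk at all.
Import-Module RemoteDesktop
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ExternalFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-RDCertificate -Role RDGateway -Thumbprint $cert.Thumbprint `
    -ConnectionBroker $Broker -Force
# Alternative if -Thumbprint is not available on your build (needs a password-protected .pfx):
# Set-RDCertificate -Role RDGateway -ImportPath C:\certs\rdgw.pfx `
#     -Password (Read-Host 'PFX password' -AsSecureString) -ConnectionBroker $Broker -Force
Get-RDCertificate -Role RDGateway -ConnectionBroker $Broker   # Level should read Trusted

# 4. Resource Authorization Policy: inspect before loosening it.
Import-Module RemoteDesktopServices     # provides the RDS: drive on a gateway
Get-ChildItem RDS:\GatewayServer\RAP | ForEach-Object {
    $type = (Get-Item "RDS:\GatewayServer\RAP\$($_.Name)\ComputerGroupType").CurrentValue
    "{0}: ComputerGroupType={1}" -f $_.Name, $type
}
# Assumed mapping (verify on your box): 0 = RD Gateway-managed computer group,
# 1 = Active Directory computer group, 2 = allow any network resource.
# Value 2 is the "Allow users to connect to any network resource" radio button;
# it drops the host restriction, so prefer fixing the group membership instead.
# Set-Item "RDS:\GatewayServer\RAP\<YourRAPName>\ComputerGroupType" -Value 2
```

The thumbprint route in step 3 is the reason for the caveat about the password-less .pfx earlier in this section: with certreq the private key never leaves the machine store, so there is no loose file to clean up.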
Test the RD Gateway
At this point I wanted to see if it was all working
I changed my RemoteApps to NOT skip the RD Gateway when on the LAN:
SERVER MANAGER > REMOTE DESKTOP SERVICES > TASKS (on DEPLOYMENT OVERVIEW) > EDIT DEPLOYMENT PROPERTIES > RD GATEWAY, UNcheck BYPASS RD GATEWAY SERVER FOR LOCAL ADDRESSES
on my Windows 7 test PC, I went to REMOTEAPP AND DESKTOP CONNECTIONS > PROPERTIES > and selected UPDATE NOW
Then I launched a few apps and bingo, they still worked (after I made the Resource Authorization Policy change suggested in step 2.6 above)!
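A gateway-only connection test that does not depend on the RemoteApp feed, as an added example (not from the original post). It assumes the placeholder names below and a test PC that can resolve the gateway's external name; the .rdp settings force the gateway regardless of the "bypass for local addresses" deployment option, so it exercises the CAP, the RAP and the certificate on every run.

```powershell
# Added example; placeholder names.
$Gateway      = 'remote.example.com'          # external FQDN on the gateway cert (assumed)
$InternalHost = 'rdsh01.corp.example.com'     # a session host behind the gateway (assumed)

# gatewayusagemethod 1 = always use the gateway, even for local addresses
# gatewaycredentialssource 4 = prompt for the gateway password
# gatewayprofileusagemethod 1 = use these explicit settings, not the defaults
@"
full address:s:$InternalHost
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
"@ | Set-Content -Path "$env:TEMP\gateway-test.rdp" -Encoding ASCII

mstsc.exe "$env:TEMP\gateway-test.rdp"

# On the gateway itself: the operational log records each policy evaluation
# and connection, with the reason when a CAP or RAP rejects the user.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

If mstsc connects but the log shows nothing, the client went straight to the host over 3389 and the gateway was never in the path; check the deployment's bypass setting and the .rdp file.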
Connect the RD Gateway to the Web
Install a second network card (in my case I had VM so this was not an issue)
Connect that NIC to the web (in my case that meant port forwarding 3389 through to this server as I still wanted this VM to be behind some firewall protection). Note that clients talk to an RD Gateway over HTTPS on TCP 443 (plus UDP 3391 on Server 2012 for the UDP transport); TCP 3389 is what the gateway uses on the LAN side to reach the internal hosts, and it does not need to be, and should not be, reachable from the Internet.
Microsoft has an RD Gateway deployment guide available HERE.
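An exposure check for the Internet-facing NIC, added here as an example (not from the original post). The first part runs on the gateway and lists what is listening; the second runs from a machine outside the firewall and confirms that 443 is open while raw RDP on 3389 is not. The host name is a placeholder.

```powershell
# Added example; placeholder name.
$ExternalFqdn = 'remote.example.com'   # public name of the gateway (assumed)

# --- On the gateway: what is listening ---------------------------------------
# RD Gateway (TSGateway service, hosted by IIS/http.sys) listens on TCP 443 and,
# on Server 2012, UDP 3391. TCP 3389 is the box's own Remote Desktop service.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 443, 3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -eq 3391 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# --- From outside the firewall: what is reachable -----------------------------
function Test-Port {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"TCP 443  (RD Gateway HTTPS) reachable: {0}" -f (Test-Port -Target $ExternalFqdn -Port 443)   # want True
"TCP 3389 (raw RDP)          reachable: {0}" -f (Test-Port -Target $ExternalFqdn -Port 3389)  # want False
```

If the second line comes back True, the firewall is forwarding RDP itself to the gateway and the gateway's policies, NAP checks and certificate are all being bypassed for anyone who connects on 3389; fix the forwarding rule so only 443 (and UDP 3391) reach the server.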