I have confirmed with Microsoft Partner Support that MS has no plans to update their 2008 R2 documentation to accommodate changes in Server 2012… that's not nice because this was one complex setup (if you are used to how simple Server 08 R1 TS Gateway was… like me).
The problem with these instructions is that I am writing most of them from memory. So here goes, as best as I can remember.
Server 2012 Remote Desktop Gateway Deployment Guide
Base RD Gateway Install:
- Create a new Server 2012 (VM in my case) and join it to your domain
- Launch your Server 2012 “Server Manager” on your Remote Desktop Server (i.e. NOT the new VM you just created in step 1).
- Right Click on ALL SERVERS and select ADD SERVERS, find your new VM and add it. Microsoft’s overview of this process is available HERE.
- In Server Manager, Click REMOTE DESKTOP SERVICES and in the DEPLOYMENT OVERVIEW window click the blue + on RD GATEWAY
- I don’t recall the details of this process but I recall it being pretty straightforward. Just select your new VM and do what is obvious.
Configure RD Gateway To Use Network Access Protection
- From here on everything is done on the RD Gateway VM
- Start the REMOTE DESKTOP SERVICES GATEWAY MANAGER and expand your server then POLICIES
- In CONNECTION AUTHORIZATION POLICIES, delete the existing policy (don’t worry, the next step will build three new ones)
- Launch NETWORK POLICY SERVER and on the GETTING STARTED windows, click CONFIGURE NAP
- Select REMOTE DESKTOP GATEWAY from the drop down list and follow the wizard and complete the wizard which should create three NAP policies for you
- You can go into NETWORK POLICY SERVER > NETWORK ACCESS PROTECTION > SYSTEM HEALTH VALIDATORS > SETTINGS if you want to customize the options but the defaults were good for me
- Launch RD GATEWAY MANAGER > POLICIES > RESOURCE AUTHORIZATION POLICIES then double click on the only policy and on the NETWORK RESOURCE tab you might want to change the setting from whatever group you have to ALLOW USERS TO CONNECT TO ANY NETWORK RESOURCE. This is because you might see a “Your user account is not listed in the RD Gateway’s permission list.” as detailed in THIS thread and THIS thread.
- I found THIS Microsoft Article on configuring TS Gateway NAP to be the most useful
Source and Install a Certificate
- We sell certs for about $20 a year so don’t bother to play around with self-signed certs
- Launch IIS MANAGER and select your server (not the SITE, but the server)
- Double click SERVER CERTIFICATES
- Right click and select CREATE A CERTIFICATE REQUEST, enter all of the information but be sure to change the BIT LENGTH to 2048
- Submit this to your CA of choice (like US) and go through their approval process
- After you have received your new cert you will need to import it and for me it was more complex because I had an intermediate certificate to import so I followed up to step 18 in THIS help file from GoDaddy.
- In SERVER MANAGER, click REMOTE DESKTOP SERVICES, and on the DEPLOYMENT OVERVIEW window click the TASKS drop down and select EDIT DEPLOYMENT PROPERTIES
- Expand CERTIFICATES, click on RD GATEWAY, and select SELECT EXISTING CERTIFICATE and follow the wizard.
- Note that to get this to work I needed to rename my cert to end with .PFX and I did NOT enter a password
- To verify it was installed properly, I went to IIS MANAGER, clicked on my server, then SERVER CERTIFICATES and bingo, it looked happy
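The guide verifies the certificate by eye in IIS Manager. The script below is an added example, not part of the original post or of any Microsoft script, that does the same audit from PowerShell on the RD Gateway host: it reads the certificate the deployment has bound to the RD Gateway role, checks the 2048-bit key length the guide asks for, the expiry, the presence of the private key, and whether the chain validates for the public name (the check that fails when the intermediate certificate was never imported). It assumes the RemoteDesktop and PKI modules that ship with Server 2012, that the local machine is the connection broker, and `rdgateway.example.com` is a placeholder for your gateway’s public FQDN.

```powershell
# Added example (not from the original guide or from Microsoft): audit the
# certificate bound to the RD Gateway role. Run elevated on the gateway host.
$GatewayFqdn = 'rdgateway.example.com'   # placeholder: the public name clients connect to

Import-Module RemoteDesktop

# What the RDS deployment believes is bound to the gateway role
$rdCert = Get-RDCertificate -Role RDS-GATEWAY
if ($rdCert.Level -ne 'Trusted') {
    Write-Warning "RD Gateway certificate level is '$($rdCert.Level)', expected 'Trusted'."
}

# Locate the same certificate in the machine store by thumbprint
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $rdCert.Thumbprint }
if (-not $cert) { throw "Certificate $($rdCert.Thumbprint) not found in LocalMachine\My" }

# Key length: the guide changes the CSR bit length to 2048, so flag anything shorter
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    Write-Warning "Key size is $keySize bits; re-issue the request with at least 2048."
}

# Expiry: warn a month ahead so renewal is not a surprise outage for remote users
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))."
}

# A TLS listener needs the private key; a .CER import alone will not work
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key in the store: the gateway cannot use this certificate for TLS.'
}

# Chain and name validation under the server-authentication (SSL) policy.
# This is the check that fails when the intermediate certificate is missing
# or when the subject/SAN does not match the public name.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $GatewayFqdn -ErrorAction SilentlyContinue
if (-not $chainOk) {
    Write-Warning "Chain or name check failed for $GatewayFqdn (missing intermediate? wrong subject?)."
}

# Finally, show what HTTP.SYS actually has bound on TCP 443, which is what clients see
netsh http show sslcert ipport=0.0.0.0:443
```

If the thumbprint shown by `netsh http show sslcert` differs from `$rdCert.Thumbprint`, the deployment properties and the HTTPS binding have drifted apart; re-run the SELECT EXISTING CERTIFICATE step rather than editing the binding by hand.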
Configure the Client PC
- Download THIS simple sample script from Microsoft
- Edit the script to include your servers name
- Rename the file to end with .CMD
- Copy that file to a PC you want to test
- Right Click on that file and select RUN AS ADMINISTRATOR
- Check your SERVICES to confirm the NETWORK ACCESS PROTECTION AGENT service is now running
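The guide checks only that the NAP Agent service is running. The function below is an added example, not Microsoft’s sample script, that verifies both halves of the client-side setup that the sample script is meant to perform: the Network Access Protection Agent service (`napagent`) running and set to Automatic, and the RD Gateway Quarantine Enforcement Client (enforcement client ID 79621) enabled. Without the second, the PC has no way to report its health statement and the gateway’s NAP policy treats it as non-compliant. With `-Repair`, it issues the standard `sc`/`netsh nap client` commands to fix what it finds; the trusted-server-group entry with your gateway’s name is left to the sample script. Run it elevated on the test PC.

```powershell
# Added example (not the Microsoft sample script): verify, and optionally repair,
# the NAP client configuration an RD Gateway with NAP requires. Run elevated.
function Test-NapClientReady {
    param([switch]$Repair)
    $problems = @()

    # 1. The NAP Agent service must be running and start automatically,
    #    otherwise the client cannot produce a statement of health at all.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += 'Network Access Protection Agent service (napagent) not found'
    } else {
        $startMode = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
        if ($startMode -ne 'Auto') {
            $problems += "napagent start mode is '$startMode', not Auto"
            if ($Repair) { sc.exe config napagent start= auto | Out-Null }
        }
        if ($svc.Status -ne 'Running') {
            $problems += "napagent is $($svc.Status), not Running"
            if ($Repair) { Start-Service -Name napagent }
        }
    }

    # 2. The RD Gateway Quarantine Enforcement Client (ID 79621) must be enabled.
    #    netsh prints one block per enforcement client: Name / ID / Admin lines
    #    separated by blank lines, so find the 79621 block and read its Admin state.
    $adminState = $null
    $inBlock = $false
    foreach ($line in (netsh nap client show config)) {
        if ($line -match '^\s*ID\s*=\s*79621\s*$') { $inBlock = $true; continue }
        if ($inBlock) {
            if ($line -match '^\s*Admin\s*=\s*(\w+)') { $adminState = $Matches[1]; break }
            if ($line -match '^\s*$') { break }   # blank line: left the 79621 block
        }
    }
    if (-not $adminState) {
        $problems += 'RD Gateway Quarantine Enforcement Client (ID 79621) not listed by netsh'
    } elseif ($adminState -ne 'Enabled') {
        $problems += "RD Gateway Quarantine Enforcement Client is $adminState, not Enabled"
        if ($Repair) { netsh nap client set enforcement ID = 79621 ADMIN = "ENABLE" | Out-Null }
    }

    # Return the findings; an empty list means the client is ready for the gateway's NAP policy
    return $problems
}

# Usage: report only, then repair and re-check
Test-NapClientReady
Test-NapClientReady -Repair
Test-NapClientReady
```

Keep the report-only run in your rollout: a PC whose enforcement client is still Disabled after the sample script ran usually means the script was not executed elevated, which is why the guide insists on RUN AS ADMINISTRATOR.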
Test the RD Gateway
- At this point I wanted to see if it was all working
- I changed my RD Apps to NOT skip the RD GATEWAY when on the LAN
- SERVER MANAGER > REMOTE DESKTOP SERVICES > TASKS (on DEPLOYMENT OVERVIEW) > EDIT DEPLOYMENT PROPERTIES > RD GATEWAY, UNcheck BYPASS RD GATEWAY SERVER FOR LOCAL ADDRESSES
- On my Windows 7 test PC, I went to REMOTEAPP AND DESKTOP CONNECTIONS > PROPERTIES > and selected UPDATE NOW
- Then I launched a few apps and bingo they still worked (after I made the change suggested in step 2.6 above)!
Connect the RD Gateway to the Web
- Install a second network card (in my case I had a VM so this was not an issue)
- Connect that NIC to the web (in my case that meant port forwarding 3389 through to this server as I still wanted this VM to be behind some firewall protection)
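The “Test the RD Gateway” steps force LAN clients through the gateway and then watch whether apps still launch; the “Connect the RD Gateway to the Web” steps expose it. The script below is an added example, not part of the original post or of any Microsoft tooling, that covers both from PowerShell: on the deployment’s connection broker it reads the gateway settings and clears BYPASS RD GATEWAY SERVER FOR LOCAL ADDRESSES (the `BypassLocal` setting) so the test really exercises the gateway, and from any PC it opens a TLS session to the gateway’s public name and reports the certificate actually presented. The RD Gateway client transport is HTTPS on TCP 443 (Server 2012 adds UDP 3391), so that is the port the probe checks; `rdgateway.example.com` is a placeholder for your public FQDN, and the RemoteDesktop module is assumed for the first half.

```powershell
# Added example (not from the original guide or from Microsoft).
# Part 1: run on the connection broker. Make LAN clients use the gateway for the test.
Import-Module RemoteDesktop
$gw = Get-RDDeploymentGatewayConfiguration
$gw | Format-List GatewayMode, GatewayExternalFqdn, BypassLocal, LogonMethod, UseCachedCredentials

if ($gw.GatewayMode -eq 'Custom' -and $gw.BypassLocal) {
    # Same change as UNchecking "Bypass RD Gateway server for local addresses" in Server Manager.
    # The other Custom-mode settings are re-supplied unchanged.
    Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
        -GatewayExternalFqdn  $gw.GatewayExternalFqdn `
        -LogonMethod          $gw.LogonMethod `
        -UseCachedCredentials $gw.UseCachedCredentials `
        -BypassLocal          $false -Force
}

# Part 2: run from any PC (inside or outside). Probe the gateway's HTTPS endpoint and
# report the certificate it serves, so you know what remote users will be trusting.
function Test-RdGatewayTls {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443                      # RD Gateway's HTTPS transport
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # Second argument $false: closing the SslStream also closes the socket.
        # No custom validation callback, so the OS chain and name checks apply,
        # exactly as they would on a user's PC.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Reachable  = $true
            TlsOk      = $true
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # TCP connected but the certificate was rejected: self-signed, wrong name,
        # or missing intermediate. Users would see a certificate warning here.
        [pscustomobject]@{ Reachable = $true; TlsOk = $false; Error = $_.Exception.Message }
    } catch {
        # Nothing answered on the port: firewall / port-forwarding problem, not a TLS one
        [pscustomobject]@{ Reachable = $false; TlsOk = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Usage: placeholder name; run once from the LAN and once from outside the firewall
Test-RdGatewayTls -Fqdn 'rdgateway.example.com'
```

Run the probe from outside the firewall after the port forward is in place: `Reachable = $false` means the forward is not reaching the gateway, while `Reachable = $true` with `TlsOk = $false` means the port is open but the certificate does not chain or does not match the public name, which is the same error users will hit.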
Microsoft has a RD Gateway deployment guide available HERE.