Windows Server 2012 / 2012 R2 - RDS - Force the use of the RD gateway for local users


When you deploy a gateway in an RDS infrastructure, your users can access the resources of your RDS infrastructure from the outside (Internet).
In addition, it lets you manage the security of your RDS infrastructure through connection authorization policies (RD CAP) and resource authorization policies (RD RAP).

However, by default, users on your LAN can access desktops and/or RemoteApp programs without being subject to these policies, because they connect directly to the RDS servers rather than through the gateway.

If you want these policies to also apply to local users (present in the Active Directory), you will need to configure your RDS infrastructure to make the RD gateway mandatory.

  1. Force the use of the gateway
  2. Fix the gateway access problem from the local network
  3. Connection via the RDS gateway
  4. Manage permissions on the RDS gateway
  5. Enable single sign-on (SSO) for the gateway

1. Force the use of the gateway

To get started, open the Server Manager and go to: Remote Desktop Services -> Overview -> Tasks -> Edit Deployment Properties.

In the "Certificates" section, make sure that you have deployed a valid certificate for your Remote Desktop Services Gateway.

If this is not the case, refer to the "Import the RDS gateway certificate" step of our tutorial "RDS - Deploy the RD gateway to provide secure access from the outside".

Then, as you can see in the image below, the certificate will be valid for the external name of your RDS gateway.

In the "RD Gateway" section:

  • select the "Use these RD Gateway server settings" option
  • enter the external name (displayed in the Certificates section). In our case: rds.informatiweb-tuto.net
  • check the "Use RD Gateway credentials for remote computers" box so that users don't have to log in twice when trying to access a RemoteApp program or RDS desktop
  • uncheck "Bypass RD Gateway server for local addresses" to force all your users (including those in your local network) to use the gateway

Now, open the RDS web access from a client PC (or refresh the page if it was already open) and try to access a desktop or a RemoteApp program.
As you can see, Windows will try to connect to the "RDS.INFORMATIWEB.LAN" remote computer via the "rds.informatiweb-tuto.net" gateway server.

As you can see, Windows will ask you to authenticate to connect to the "rds.informatiweb-tuto.net" gateway.

Windows is trying to start the RemoteApp program.

And the connection fails.
Indeed, since NAT loopback (hairpinning) is disabled by default on most routers, you cannot reach the gateway through its external IP address from inside the local network.

The certificate error we get is due to the fact that the router provided by our ISP presents a rather odd SSL certificate (expired for years).
But the real problem is this NAT loopback blocked by default on routers. That is why Windows receives an error generated by our router and not by our server running Windows Server 2012.

If you look up the IP address associated with your external domain from your client PC, you will see that it actually points to an external (WAN) IP address:

nslookup rds.informatiweb-tuto.net

2. Fix the gateway access problem from the local network

To solve this problem, you can use our little trick: on your internal DNS server, override the external IP address of the external domain name (in our case: rds.informatiweb-tuto.net) with the local IP address of the same server. Clients on the LAN then resolve the external name to the internal address, while clients on the Internet keep getting the public one.

To do this, open the DNS manager on your Active Directory server and create a new forward lookup zone.

Select "Primary zone".

Enter your full external domain name.
In our case: rds.informatiweb-tuto.net

Click Next.

Click Finish.

In this new forward lookup zone, create a single A record containing only the local IP address of your RDS gateway server.
Leave the name box blank, so that the record applies to the zone name itself (the external name of the gateway) rather than to a host inside it.

Flush the DNS cache of your client PC with the command:

ipconfig /flushdns

Then run the nslookup command again, as before:

nslookup rds.informatiweb-tuto.net

As you can see, client PCs on your local network now resolve the gateway name to its local IP address instead of the external (WAN) IP address.
This sidesteps the blocked NAT loopback.
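As an added example (not part of the original tutorial), the following PowerShell applies the two settings of sections 1 and 2 from the command line and checks the result: the RD Gateway deployment settings via the RemoteDesktop module on the connection broker, and the split DNS zone via the DnsServer module. The external name is the page's; the broker name, AD DNS server name and the gateway's LAN IP address are placeholders to replace with your own values.

```powershell
# Added example, not the tutorial's own code. Run from a domain-joined
# management host that has the RemoteDesktop, DnsServer and DnsClient modules.
$ExternalFqdn = 'rds.informatiweb-tuto.net'   # external name from the tutorial
$GatewayLanIp = '192.168.1.10'                # placeholder: LAN IP of the RD Gateway host
$Broker       = 'broker.informatiweb.lan'     # placeholder: RD Connection Broker FQDN
$AdDnsServer  = 'dc01.informatiweb.lan'       # placeholder: Active Directory DNS server

# 1. Force the gateway for every user. -BypassLocal $false is the command-line
#    equivalent of unchecking "Bypass RD Gateway server for local addresses";
#    -UseCachedCredentials $true matches "Use RD Gateway credentials for remote computers".
Set-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker `
    -GatewayMode Custom -GatewayExternalFqdn $ExternalFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false -Force

$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
if ($gw.BypassLocal -or $gw.GatewayExternalFqdn -ne $ExternalFqdn) {
    throw 'Gateway deployment settings were not applied: LAN users would still bypass the gateway'
}

# 2. Split DNS: a primary zone whose name IS the external FQDN, with a single
#    A record at the zone apex ('@'). Only that exact name is overridden for
#    LAN clients; no other record of the public domain is affected.
if (-not (Get-DnsServerZone -Name $ExternalFqdn -ComputerName $AdDnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalFqdn -ReplicationScope Domain -ComputerName $AdDnsServer
}
Add-DnsServerResourceRecordA -ZoneName $ExternalFqdn -Name '@' -IPv4Address $GatewayLanIp `
    -ComputerName $AdDnsServer

# 3. Verify from the client side: after flushing the cache, the external name
#    must resolve to the LAN address, otherwise the connection will still be
#    sent to the WAN address and fail on the router's blocked NAT loopback.
Clear-DnsClientCache
$answer = Resolve-DnsName -Name $ExternalFqdn -Type A -Server $AdDnsServer -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' }
if (-not $answer -or $answer.IPAddress -ne $GatewayLanIp) {
    throw "Expected $GatewayLanIp for $ExternalFqdn, got '$($answer.IPAddress)'"
}
"OK: $ExternalFqdn resolves to $($answer.IPAddress) inside the LAN"
```

The certificate deployed on the gateway keeps matching, since clients still connect to the same external name; only the address behind it changes.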

3. Connection via the RDS gateway

Now, try launching again a RemoteApp program or a desktop that you have access to.

The RemoteApp program or the desired desktop appears without problem.

On your RDS server, you will see that this user is connected to your server.

And that it is connected via the RD Gateway.

If you wish, you can close a single connection or, preferably, disconnect the user (to close all of their associated connections).

Click Yes to disconnect the user from the gateway.

On the client PC, your user will see that the RD Gateway server administrator has terminated their connection.