Convert Remote Desktop Connection from Port 3389 to Gateway 443

  • Question

  • We have an RDS server that has all roles installed on a single 2008 R2 server. Users connect to it via Remote Desktop Connection on port 3389 internally and externally.

    I want to configure it to use Remote Desktop Gateway from external so we can close port 3389 to the outside world. Where or what do I need to change apart from closing 3389 on the firewall?

    When I test using Remote Desktop and configuring RDG in the Advanced tab, I am not sure if it is connecting on port 3389 or 443. If 3389 is opened on the firewall, would it try this by default?
    Friday, March 21, 2014 8:44 AM

Answers

  • Hi,

    Some quick points:

    - You need to install RD Gateway Role Service

    - You need a certificate (and its private key) with a subject name that will match the FQDN that you will use for your RD Gateway.  This certificate needs to be imported into the local computer\Personal store of the RDG

    - You need to configure the certificate in RD Gateway Manager as well as the RD CAP and RD RAP

    - In RemoteApp Manager you need to configure the RD Gateway settings

    - On your firewall, you need TCP port 443 forwarded to the RDG

    - On your firewall, you should configure it to actively refuse incoming TCP 3389 connections if possible.  The default setting for most firewalls would be stealth mode whereby it does not respond at all.  Configuring it to actively refuse the 3389 connections will help speed up connection times for your external users if you enable the Bypass RD Gateway for local addresses setting

    -TP

    • Marked as answer by rbdsolutions Sunday, March 23, 2014 10:17 PM
    Friday, March 21, 2014 8:57 AM
    Moderator

All replies

    • I already have RD Gateway Role Service installed
    • Certificate is already configured
    • I am not using RemoteApp Manager so nothing to do here (Users connecting to Remote Desktop session)
    • Port 443 is forwarded on Firewall.
    • Have not blocked 3389 as yet - would this mean external rdp requests use this port over 443?
    Friday, March 21, 2014 9:31 AM
  • Hi,

    Have not blocked 3389 as yet - would this mean external rdp requests use this port over 443?

    Yes, if Bypass RD Gateway server for local addresses is selected in Remote Desktop Client -- Advanced tab -- Connect from anywhere -- Settings, the client will attempt to connect on port 3389.  This setting is selected by default.

    -TP

    Friday, March 21, 2014 9:41 AM
    Moderator
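
One way to check, from an external client, which of the two ports actually answers and whether the firewall refuses or silently drops 3389, as discussed in the answers above. This is an added example, not part of the original thread; the function name `Test-TcpPortState`, the placeholder host `rdgw.example.com` and the 5-second timeout are assumptions.

```powershell
# Added example: classify how a TCP port answers when probed from outside.
# Open     = handshake completed (expected for 443 on the RD Gateway)
# Refused  = firewall/host sent a reset; the client fails over at once
# Filtered = no reply before the timeout (stealth mode); the client waits
function Test-TcpPortState {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 5000   # assumed probe timeout
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $state  = 'Filtered'         # stays Filtered if nothing comes back in time
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)   # throws if the connect failed
            $state = 'Open'
        }
    }
    catch {
        # Unwrap PowerShell's wrapper to reach the underlying socket error.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            $state = 'Refused'
        }
        else {
            $state = "Error: $($base.Message)"   # e.g. DNS failure, no route
        }
    }
    finally {
        $timer.Stop()
        $client.Close()
    }
    New-Object PSObject -Property @{
        Host      = $HostName
        Port      = $Port
        State     = $state
        ElapsedMs = $timer.ElapsedMilliseconds
    }
}

# Placeholder FQDN (assumption): replace with the name on the gateway certificate.
$gateway = 'rdgw.example.com'
3389, 443 | ForEach-Object { Test-TcpPortState -HostName $gateway -Port $_ } |
    Format-Table Host, Port, State, ElapsedMs -AutoSize
```

Once 3389 is closed externally, the expected result is 443 `Open` and 3389 either `Refused` (near-zero `ElapsedMs`) or `Filtered` (the full timeout), the latter being the delay a client with the bypass setting enabled waits out before falling back to the gateway.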
  • I think I will have to take this testing in-house - too much can go wrong using a semi-production environment.

    Thanks for your input and hopefully I can resolve this once and for all.

    Sunday, March 23, 2014 10:17 PM