Remote Desktop Gateway (RD Gateway) is a role service available in Windows Server 2008 and later versions. It allows authenticated and authorized remote users to securely connect to resources on an internal corporate or private network over the Internet. RD Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, which is in turn carried over HTTP on a Secure Sockets Layer (SSL) connection. The RD Gateway server is exposed to the Internet (an untrusted network), so for the reasons discussed in the Perimeter network section, either the RD Gateway server is deployed in the perimeter network, or it is deployed in the internal network with an ISA server in the perimeter network.
A perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway, RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network, called a perimeter network, in order to protect the rest of the network if an intruder were to succeed. Hosts in the perimeter network should not be able to establish communication directly with any other host in the internal network, though communication with other hosts in the perimeter network and with the external network is allowed. This allows hosts in the perimeter network to provide services to both the internal and external network, while an intervening firewall controls the traffic between the perimeter network servers and the internal network clients.
Typically, a perimeter network can be designed and deployed in one of the following ways:
In a single-firewall perimeter network, the firewall has three network adapters:
Figure 1: Single firewall perimeter network with RD Gateway server in the perimeter network
In a dual-firewall perimeter network, a firewall is located on either side of the perimeter network. One firewall is connected to the external network, one firewall is connected to the internal network, and the perimeter network resides between the two firewalls. This is a more secure approach because an attacker has to breach both firewalls in order to reach the internal network.
Figure 2: Dual firewall perimeter network with RD Gateway server in the perimeter network
Following are the possible AD DS models that are suitable for RD Gateway:
When there is no AD DS in the perimeter network, the servers in the perimeter network should ideally be in a workgroup, but the RD Gateway server must be domain-joined because it has to authenticate and authorize corporate domain users and resources.
The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.
Figure 3: Traffic flow from Internet to perimeter network and from perimeter to Internal network
In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
In this deployment, there is an AD DS forest in the perimeter network that trusts the internal network forest, so that internal network forest users can be authenticated in the perimeter forest domain. RD Gateway is joined to the perimeter network domain. Because the trust between the perimeter network forest and the internal network forest is one-way, RD Gateway must be configured to use a central NPS server located in the internal network in this deployment.
The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.
Figure 4: Traffic flow from Internet to perimeter network and from perimeter to internal network
In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
In this deployment, there is a read-only domain controller (RODC) for the internal network forest in the perimeter network. RD Gateway is joined to the internal network domain and talks to the RODC for authentication and authorization purposes.
The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.
Figure 5: Traffic flow from Internet to perimeter network and from perimeter to internal network
In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
The internal firewall should allow all required communication from the RD Gateway server to internal network resources. Here are the ports that need to be opened on the internal firewall when the destination of the corresponding traffic (DNS, RADIUS, RD Gateway authentication, etc.) is in the internal network.
Firewall rules between the perimeter network (RD Gateway) and the internal network (Domain Controller) to authenticate the user:
The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on the domain controller. The NTDS RPC service listens on a dynamically assigned high port, so RD Gateway does not know in advance which port it is listening on. RD Gateway therefore first contacts the RPC Endpoint Mapper, which listens on a fixed port, to obtain the NTDS RPC service port number, and then connects to the NTDS RPC service on that port. Fortunately, an administrator can make the NTDS RPC service on the domain controller listen on a fixed port by using a registry key, which allows the internal firewall rule to be narrowed to that single port instead of the whole dynamic range. To learn how to configure the registry values for the NTDS RPC service ports, see this article.
Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authentication methods through a custom authentication plug-in. If RD Gateway is configured with a custom authentication plug-in, contact the vendor of the authentication plug-in to find out which firewall rules are required for RD Gateway authentication.
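The PowerShell below is an added example (not code from the original article or from Microsoft) for the endpoint-mapper discussion above: step 1 pins the NTDS RPC port on the domain controller through the `TCP/IP Port` value under the NTDS Parameters registry key (assumed here to be the registry value the article refers to), and step 2, run on the RD Gateway, checks that the internal firewall admits the endpoint mapper and the pinned port but not the rest of the dynamic RPC range. The domain controller name `DC01.corp.example` and the port `50000` are placeholders chosen for this example.

```powershell
# Added example, not from the original article. Step 1 runs on the domain
# controller as an administrator; step 2 runs on the RD Gateway server.
# Assumption: 'TCP/IP Port' (REG_DWORD) under the NTDS Parameters key is the
# value that fixes the NTDS RPC listening port. A reboot is required after it.

# --- Step 1 (domain controller): pin the NTDS RPC port -------------------------
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$fixedPort = 50000   # placeholder; pick a port outside the default dynamic range
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $fixedPort -Type DWord
# Restart-Computer before running step 2 so the new port takes effect.

# --- Step 2 (RD Gateway): verify the narrowed internal firewall rule -----------
# TcpClient is used instead of Test-NetConnection so this also works on the
# PowerShell 2.0 that ships with Windows Server 2008 R2.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$dc = 'DC01.corp.example'   # placeholder name of the internal domain controller

# Expected picture once the rule is narrowed: endpoint mapper (135) and the
# pinned port reachable; a port from the default dynamic range (49152-65535)
# is still blocked, which is the point of pinning the port.
$checks = @(
    @{ Port = 135;        Expect = $true;  Why = 'RPC endpoint mapper' },
    @{ Port = $fixedPort; Expect = $true;  Why = 'pinned NTDS RPC port' },
    @{ Port = 49152;      Expect = $false; Why = 'dynamic RPC port, must stay blocked' }
)
foreach ($c in $checks) {
    $open   = Test-TcpPort -ComputerName $dc -Port $c.Port
    $status = if ($open -eq $c.Expect) { 'OK  ' } else { 'FAIL' }
    '{0} port {1,-6} reachable={2,-5} {3}' -f $status, $c.Port, $open, $c.Why
}
```

A FAIL on the 49152 line means the internal firewall still permits the whole dynamic range, so pinning the port has not yet reduced the exposure of the domain controller.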
Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user:
Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authorization methods through a custom authorization plug-in. If RD Gateway is configured with a custom authorization plug-in, contact the vendor of the authorization plug-in to find out which firewall rules are required for the RD Gateway authorization.
Firewall rules between the perimeter network and the internal network to resolve the internal network resources:
Firewall rules between the perimeter network and the internal network to forward RDP packets from client:
Firewall rules between the perimeter network and the internal network to contact CRL distribution point to get the certificate revocation list:
Note: The Certificate Revocation List is needed either to validate the client certificate during smart card authentication or when the certificate deployed on RD Gateway is an enterprise/standalone CA certificate. To find out which protocol is needed to contact the CRL distribution point for a certificate, open the certificate, go to the Details tab and look at the CRL Distribution Points field.
If RD Gateway is configured to use a central server running NPS and if the NPS server is not in the perimeter network, then the following additional firewall rules are needed between the perimeter network (RD Gateway) and the internal network (NPS Server).
If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).
This scenario is possible in Windows Server 2008 or later versions. The WMI service on the RD Server listens on a dynamically assigned high port. The port on which the WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.
This scenario is possible in Windows Server 2008 R2. The WMI service on the RD Web Access server listens on a dynamically assigned high port. The port on which the WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.
This scenario is possible in Windows Server 2008 R2.
Note: If an ISA server is already deployed in the perimeter network of your organization, then the RD Gateway server can be placed in the internal network, which reduces the number of ports that need to be opened on the internal firewall (path from perimeter network to internal network) to one. Also, to ensure that unauthenticated traffic does not reach the RD Gateway server (i.e. the internal network), you can pre-authenticate the HTTPS traffic reaching the ISA server using a one-time password (OTP), such as RSA SecurID. More information on how to configure ISA can be found in the RD Gateway step-by-step guide.
If authentication is not enabled on ISA, the following firewall configuration is required in the RD Gateway (internal network) / ISA (perimeter network) scenario.
If authentication is enabled on ISA, then depending on the ISA authentication method some additional firewall rules may be needed.