1. Install the RD Gateway Role

Open Server Manager

Launch Server Manager on your Windows Server.

Add Roles and Features

  • Click Manage > Add Roles and Features.

Proceed through the wizard

  • Select Role-based or feature-based installation.
  • Choose your server from the server pool.

Install RD Gateway

  • Under Server Roles, expand Remote Desktop Services > check Remote Desktop Gateway.
  • Click Next through remaining screens and install.

Restart if Required

Restart the server if prompted after installation.
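The same installation as the wizard steps above, as an added PowerShell example (not from the original page) for running on the server itself: it installs the Remote Desktop Gateway role with its management tools, confirms the feature state, and reports whether the restart the text mentions is still pending.

```powershell
# Added example: install the RD Gateway role from an elevated PowerShell session.
Import-Module ServerManager

# RDS-Gateway is the feature name behind "Remote Desktop Gateway" in the wizard;
# -IncludeManagementTools adds RD Gateway Manager (RSAT-RDS-Gateway).
$result = Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

if (-not $result.Success) {
    throw "RDS-Gateway installation failed (exit code $($result.ExitCode))"
}

# Confirm the role and its tools are now installed.
Get-WindowsFeature -Name RDS-Gateway, RSAT-RDS-Gateway |
    Select-Object Name, InstallState

# The installer reports whether a reboot is still required to finish.
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart required to complete RD Gateway installation.'
    # Restart-Computer -Force   # uncomment when the maintenance window allows
}
```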


2. Configure the SSL Certificate

Obtain a Certificate

Use a certificate issued by a CA that your clients already trust (production) or, for a lab only, a self-signed one. A self-signed certificate must be added to the Trusted Root Certification Authorities store of every client, otherwise the Remote Desktop client refuses the gateway connection:

  1. Open Server Manager > Tools > Remote Desktop Gateway Manager.
  2. Right-click the server’s name > Properties > SSL Certificate tab.
  3. Click Import a certificate (for production); the same tab also offers the self-signed option for a lab.

Assign the Certificate

  • Select the certificate and apply it to the RD Gateway.
  • Ensure the certificate’s subject or subject alternative name matches the FQDN clients will type (e.g., rd-gateway.example.com); a name mismatch is reported as a certificate error on the client and the connection fails.

Verify

Check that the Remote Desktop Gateway service (service name TSGateway) is running and that the certificate is bound to TCP 443, then connect from a client and confirm the presented certificate is the one you assigned and is trusted there.
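The verification step above, as an added PowerShell example that is not part of the original page: it checks the TSGateway service, shows the HTTP.sys binding on port 443, then opens a TLS session the way a client would and reports whether the presented certificate's DNS name matches the gateway FQDN and whether the chain is trusted on the machine running the script. The FQDN rd-gateway.example.com is taken from the text; run it on a client as well as on the gateway, since trust is evaluated locally.

```powershell
# Added example: verify the RD Gateway's TLS certificate as a client sees it.
# Assumed FQDN from the text; replace with the name your clients will use.
$Fqdn = 'rd-gateway.example.com'

# 1. The RD Gateway service must be running.
$svc = Get-Service -Name TSGateway
if ($svc.Status -ne 'Running') { throw "TSGateway service is $($svc.Status)" }

# 2. HTTP.sys must have a certificate bound to 0.0.0.0:443 (run on the gateway).
netsh http show sslcert ipport=0.0.0.0:443

# 3. Open a TLS session and capture the certificate the gateway presents.
#    The validation callback accepts anything so that a bad certificate is
#    still reported instead of aborting the handshake; trust is checked below.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# First DNS name from the SAN (falls back to the CN when there is no SAN).
$dnsName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

[pscustomobject]@{
    Subject      = $cert.Subject
    DnsName      = $dnsName
    NotAfter     = $cert.NotAfter
    Thumbprint   = $cert.Thumbprint
    NameMatches  = ($dnsName -ieq $Fqdn)
    ChainTrusted = $cert.Verify()   # builds and validates the chain on this machine
}
```

NameMatches compares only the first DNS name, so a wildcard or multi-name certificate needs a manual look at the SAN list; ChainTrusted being false on a client while true on the gateway is the symptom of a self-signed certificate that was never distributed.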

3. Configure RD Gateway to Use Central NPS Server via RD CAP Store Properties

Open RD Gateway Manager

On the RD Gateway server, go to:

  • Server Manager > Tools > Remote Desktop Gateway Manager.
  • The RD Gateway Manager window opens, showing your server in the left pane (e.g., RD-GATEWAY).

Access Server Properties

  • In the left pane, right-click the RD Gateway server name (e.g., RD-GATEWAY).
  • Select Properties from the context menu.
  • The Properties dialog box for the RD Gateway server appears.
  • In the Properties dialog, click the RD CAP Store tab.
  • This tab controls how Connection Authorization Policies (CAPs) are managed and where authentication requests are sent.

Select Central NPS Server Option

In the RD CAP Store tab, you’ll see two radio button options:

  • Local RD CAP store: Uses CAPs stored locally on the RD Gateway.
  • Central server running NPS: Uses a central NPS server for CAPs and RADIUS authentication.
  • Select the Central server running NPS radio button to delegate CAP processing to the central NPS server. Once this is selected, the CAPs that decide who may authenticate to the gateway are created and maintained on the central NPS server, not under Policies > Connection Authorization Policies on the gateway.

Add the IP of the Central NPS Server

  1. After selecting Central server running NPS, a section below becomes active with a button labeled Add.
  2. Click Add.
  3. In the Add Central NPS Server dialog:
    • Server Name or IP Address: Enter the IP of the central NPS server.
    • Shared Secret:
      • Check Use a shared secret.
      • Enter a shared secret that matches what’s configured on the NPS server. The value rdg-nps-secret123 shown in many walkthroughs is only a placeholder; use a long, randomly generated secret, because it is the only thing that authenticates RADIUS responses and hides the password attribute in the RADIUS exchange.
    • Note: This secret must be identical to the one set in the NPS server’s RADIUS client configuration for the RD Gateway, and the RD Gateway’s address in that RADIUS client entry must match the source address the gateway actually uses, or NPS silently drops the requests.
  4. Click OK to save the NPS server entry.

Verify and Apply

  • Back in the RD CAP Store tab, ensure the central NPS server (e.g., 10.4.0.15) appears in the list of servers.
  • (Optional) If multiple NPS servers are needed for redundancy, repeat the Add process for additional IPs.
  • Click Apply in the Properties dialog to save changes.
  • Click OK to close the dialog.
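The NPS side of the shared-secret note above, as an added PowerShell example that is not from the original page: run on the central NPS server (10.4.0.15 in the text) to register the gateway as a RADIUS client with a random 64-character secret instead of a guessable one, and to allow RADIUS only from the gateway's address. The gateway address 10.4.0.20 and client name RD-GATEWAY are assumptions; the secret printed at the end is what you paste into the Use a shared secret field in the RD CAP Store tab.

```powershell
# Added example: register the RD Gateway as a RADIUS client on the central NPS.
# Run in an elevated session on the NPS server.
Import-Module NPS

$GatewayName = 'RD-GATEWAY'   # assumed RADIUS client name
$GatewayIp   = '10.4.0.20'    # assumed RD Gateway address (source of RADIUS traffic)

# 32 bytes from the OS CSPRNG, rendered as 64 hex characters. Enter the same
# value once on the gateway, then discard this session's copy.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Secret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Create the client entry, or rotate the secret if the entry already exists.
if (Get-NpsRadiusClient | Where-Object Name -eq $GatewayName) {
    Set-NpsRadiusClient -Name $GatewayName -Address $GatewayIp -SharedSecret $Secret
} else {
    New-NpsRadiusClient -Name $GatewayName -Address $GatewayIp -SharedSecret $Secret
}

# RADIUS is UDP 1812 (authentication) and 1813 (accounting). The shared secret
# does not encrypt the packets, so limit who can reach the service at all.
New-NetFirewallRule -DisplayName 'RADIUS from RD Gateway' -Direction Inbound `
    -Protocol UDP -LocalPort 1812, 1813 -RemoteAddress $GatewayIp -Action Allow

Get-NpsRadiusClient | Where-Object Name -eq $GatewayName |
    Select-Object Name, Address

Write-Output "Shared secret for $GatewayName (enter once on the gateway):"
Write-Output $Secret
```

Installing NPS also enables its predefined inbound RADIUS rules; if this NPS serves only the gateway, scope or disable those so the rule above is the only path in. On the gateway, Get-NpsRemoteRadiusServerGroup shows the remote server group that RD Gateway Manager created for the central NPS entries, which is a quick way to confirm the addresses you entered.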

4. Configure RD Gateway Policies

Configure Resource Authorization Policy (RAP)

Create a RAP

  1. Right-click Policies > Resource Authorization Policies > Create New Policy > Wizard.
  2. Name it (e.g., RDP RAP).

User Groups

  • Add the domain user groups.

Resources

  • Select Allow users to connect to any network resource (simplest, but it lets any user the RAP covers reach every host behind the gateway on the allowed ports) or, preferably, specify a resource group: an Active Directory computer group or an RD Gateway-managed group listing the RDP hosts by name or IP (e.g., 192.168.1.100).

Port Settings

  • Keep the default Allow connections only to port 3389 (RDP). Choosing any port turns the gateway into a general TCP relay to the permitted resources, so widen it only for hosts that run RDP on a non-standard port.

Finish

  • Complete the wizard and enable the RAP.
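After the wizard, as an added PowerShell example (not from the original page), a read-only audit of the RAPs on the gateway that flags the broad choices discussed above: any-resource RAPs, any-port RAPs, and RAPs granted to very wide user groups. It reads the Win32_TSGatewayResourceAuthorizationPolicy WMI class; the "ALL" resource-group type, the "*" port value, and the list of group names treated as too broad are assumptions to check against what RD Gateway Manager shows for your policies.

```powershell
# Added example: audit Resource Authorization Policies for overly broad settings.
# Run on the RD Gateway server in an elevated session.
$ns = 'root\CIMV2\TerminalServices'

$raps = Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayResourceAuthorizationPolicy

# Group names assumed to be too broad for a gateway RAP; adjust for your domain.
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'

foreach ($rap in $raps) {
    $findings = @()

    # "ALL" corresponds to "Allow users to connect to any network resource".
    if ($rap.ResourceGroupType -eq 'ALL') {
        $findings += 'any network resource allowed; use a resource or AD computer group'
    }

    # "*" corresponds to "Allow connections to any port".
    if ($rap.PortNumbers -eq '*') {
        $findings += 'any port allowed; restrict to 3389'
    }

    foreach ($g in $BroadGroups) {
        if ($rap.UserGroupNames -like "*$g*") {
            $findings += "user group '$g' is very broad"
        }
    }

    if (-not $rap.Enabled) {
        $findings += 'policy is disabled (no effect until enabled)'
    }

    [pscustomobject]@{
        Name          = $rap.Name
        Enabled       = $rap.Enabled
        UserGroups    = $rap.UserGroupNames
        ResourceGroup = "$($rap.ResourceGroupType): $($rap.ResourceGroupName)"
        Ports         = $rap.PortNumbers
        Findings      = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

A RAP only limits which hosts and ports a user who has already passed a CAP may reach; with the central NPS configuration from section 3, the CAP half of that decision lives on the NPS server and is not visible in this output.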
