Installing the Remote Desktop Gateway Role Service
Updated: March 2, 2011
Applies To: Windows Server 2008 R2
To install and configure an RD Gateway server, you must add the RD Gateway role service. Windows Server 2008 R2 includes the option to install the RD Gateway role service by using Server Manager. This topic covers the installation and configuration of the RD Gateway role service on the RDG-SRV computer in the CONTOSO domain.
Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To install the Remote Desktop Gateway role service
Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
If the Remote Desktop Services role is not already installed:
In Server Manager, under Roles Summary, click Add Roles.
In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.
On the Select Server Roles page, under Roles, select Remote Desktop Services, and then click Next.
On the Remote Desktop Services page, click Next.
On the Select Role Services page, select the Remote Desktop Gateway check box.
If prompted to specify whether you want to install the additional role services required for Remote Desktop Gateway, click Add Required Role Services.
On the Select Role Services page, click Next.
If the Remote Desktop Services role is already installed:
Under Roles Summary, click Remote Desktop Services.
Under Role Services, click Add Role Services.
On the Select Role Services page, select the Remote Desktop Gateway check box, and then click Next.
If prompted to specify whether you want to install the additional role services required for Remote Desktop Gateway, click Add Required Role Services.
On the Select Role Services page, click Next.
On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtaining a Certificate for the Remote Desktop Gateway Server for certificate requirements and information about how to obtain and install a certificate.
Under the Choose an existing certificate for SSL encryption (recommended) option, the list of certificates shows only certificates that are appropriate for the RD Gateway role service: those that have the intended purpose (server authentication) and the Enhanced Key Usage (EKU) Server Authentication (1.3.6.1.5.5.7.3.1). If you select this option, click Import, and then import a new certificate. A certificate that does not meet these requirements will not appear in the list.
On the Create Authorization Policies for RD Gateway page, specify whether you want to create authorization policies (an RD CAP and an RD RAP) during the Remote Desktop Gateway role service installation process or later. If you select Later, follow the procedures in Creating an RD CAP to create this policy. If you select Now, do the following:
On the Select User Groups That Can Connect Through RD Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
To specify more than one user group, do either of the following: type the name of each user group, separating the names with semicolons; or add groups from different domains by repeating the first part of this step for each group.
After you finish specifying additional user groups, on the Select User Groups That Can Connect Through RD Gateway page, click Next.
On the Create an RD CAP for RD Gateway page, accept the default name for the RD CAP (RD_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.
On the Create an RD RAP for RD Gateway page, accept the default name for the RD RAP (RD_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer group; or specify that users can connect to any computer on the network. Click Next.
On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.
On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.
On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.
On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.
On the Confirm Installation Selections page, verify that the following role services will be installed:
Remote Desktop Services\RD Gateway
Network Policy and Access Services\Network Policy Server
Web Server (IIS)
RPC over HTTP Proxy
Click Install.
On the Installation Progress page, installation progress will be noted.
If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.
On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.
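The certificate filter described for the Choose a Server Authentication Certificate for SSL Encryption page can be checked before you run the wizard. The following PowerShell is an added example, not part of the original topic. It assumes the certificate is installed in the local computer's Personal store (Cert:\LocalMachine\My), and its private-key and validity-date checks are extra checks that this page does not state.

```powershell
# Added example (not from the original topic). Run on the RD Gateway server;
# uses only syntax available in PowerShell 2.0 on Windows Server 2008 R2.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU named on this page
$storePath     = 'Cert:\LocalMachine\My'  # assumption: local computer Personal store
$now           = Get-Date

Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_

    # Gather every OID listed in the Enhanced Key Usage extension, if the
    # certificate has one. A certificate with no EKU extension yields an empty list.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Record each reason the certificate is unsuitable.
    $problems = @()
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'missing Server Authentication EKU' }
    # The checks below go beyond what this page states (assumptions of this example).
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
    if ($now -gt $cert.NotAfter)  { $problems += 'expired' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Suitable   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
} | Select-Object Subject, Thumbprint, NotAfter, Suitable, Problems | Format-List
```

A certificate reported as missing the Server Authentication EKU is one that, per the step above, will not appear in the wizard's list of existing certificates.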