
Deploying Remote Desktop Gateway

Written by
Yandex Cloud
  • Before you start
    • Required paid resources
  • Create a cloud network and subnets
  • Create a security group
  • Create a VM for the gateway
  • Configure the RDGW role
  • Test the RDGW
  • Delete the created resources

Remote Desktop Gateway (RDGW) is a Windows Server role that lets remote clients reach internal resources that have no direct internet access over a secure HTTPS channel.

In this use case, users from the Administrators group are granted access to a test VM using a self-signed certificate.

Before you start

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of installing RDGW includes:

  • A fee for continuously running VMs (see pricing for Yandex Compute Cloud).
  • A fee for using dynamic or static public IP addresses (see pricing for Yandex Virtual Private Cloud).
  • The cost of outgoing traffic from Yandex Cloud to the internet (see pricing for Yandex Compute Cloud).

Create a cloud network and subnets

Create a cloud network named rdgw-network with a subnet in the availability zone where your VMs will be located.

  1. Create a cloud network.

    Management console
    CLI
    1. Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
    2. Click Create network.
    3. Enter the network name: rdgw-network.
    4. Click Create network.
    yc vpc network create --name rdgw-network
    

    Command execution result:

    id: qqppl6fduhct76qkjh6s
    folder_id: big67u7m5flplkc6vvpc
    created_at: "2021-06-09T10:49:07Z"
    name: rdgw-network
    default_security_group_id: enpa139ji55jti00u5sg
    
  2. Create a subnet in the network rdgw-network.

    Management console
    CLI
    1. Open Virtual Private Cloud in the folder where you want to create the subnet.
    2. Click on the name of the cloud network.
    3. Click Add subnet.
    4. Fill out the form: enter rdgw-subnet as a subnet name and select the desired availability zone from the drop-down list (for example, ru-central1-a).
    5. Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP ranges, see Cloud networks and subnets.
    6. Click Create subnet.
    yc vpc subnet create `
      --name rdgw-subnet `
      --zone ru-central1-a `
      --network-name rdgw-network `
      --range 10.1.0.0/16
    

    Command execution result:

    id: e9b95m6al33r62n5vkab
    folder_id: big67u7m5flplkc6vvpc
    created_at: "2021-06-09T10:49:21Z"
    name: rdgw-subnet
    network_id: qqppl6fduhct76qkjh6s
    zone_id: ru-central1-a
    v4_cidr_blocks:
    - 10.1.0.0/16
    

Create a security group

Create and set up a security group.

Management console
CLI
  1. Open the Virtual Private Cloud section in the folder to create a security group in.

  2. Open the Security groups tab.

  3. Click Create group.

  4. Enter the security group name: my-rdgw-sg.

  5. In the Network field, select the network to assign the security group to: rdgw-network.

  6. Under Rules, create the following traffic management rules according to the instructions below the table:

    | Traffic direction | Description   | Port range | Protocol | Source type    | Source/Purpose |
    |-------------------|---------------|------------|----------|----------------|----------------|
    | Incoming          | ICMP          | —          | ICMP     | CIDR           | 0.0.0.0/0      |
    | Incoming          | self-security | Any        | Any      | Security group | Current        |
    | Incoming          | TCP           | 3389       | TCP      | CIDR           | 0.0.0.0/0      |
    | Incoming          | RDGW          | 443        | TCP      | CIDR           | 0.0.0.0/0      |
    | Outgoing          | default       | Any        | Any      | CIDR           | 0.0.0.0/0      |
    1. Select the Outgoing traffic or Incoming traffic tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
    4. In the Protocol field, specify the desired protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Purpose or Source field, select the purpose of the rule:
      • CIDR: The rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      • Security group: The rule will apply to the VMs from the current group or the selected security group.
    6. Click Save. Repeat the steps to create all rules from the table.
  7. Click Save.

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default 

Command execution result:

id: enp136p8s2ael7ob6klg
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct76qkjh6s
status: ACTIVE
rules:
- id: env98jerk9b3tcp68k61
  description: icmp
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
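The rule set above opens both 443/TCP and 3389/TCP to 0.0.0.0/0 on the gateway, although clients only need 443 to reach the RDGW listener. The following script is an added example (not part of the Yandex Cloud tutorial) that reports every ingress rule reachable from the whole internet other than the expected port; the field names follow the `yc vpc security-group` output shown above (direction, protocol_name, cidr_blocks.v4_cidr_blocks), while ports.from_port/to_port is an assumed field layout.

```powershell
# Added example, not from the Yandex Cloud tutorial: list ingress rules that expose a port
# to 0.0.0.0/0. For an RD Gateway only 443/TCP should be public; 3389/TCP from anywhere
# bypasses the gateway and should be narrowed to the administrators' own address range.
function Get-WorldOpenIngress {
    param(
        [Parameter(Mandatory)] $Rules,      # objects from the 'rules' array of the yc JSON output
        [int[]] $AllowedPorts = @(443)      # ports that are expected to be reachable from anywhere
    )
    foreach ($r in $Rules) {
        if ($r.direction -ne 'INGRESS') { continue }
        $cidrs = @($r.cidr_blocks.v4_cidr_blocks)        # $null for security-group-targeted rules
        if ($cidrs -notcontains '0.0.0.0/0') { continue }
        # ports.from_port/to_port is assumed to be the port-range layout; ICMP rules have none
        $from = if ($r.ports) { [int]$r.ports.from_port } else { $null }
        $to   = if ($r.ports) { [int]$r.ports.to_port }   else { $null }
        $single = ($null -ne $from) -and ($from -eq $to)
        if ($single -and ($AllowedPorts -contains $from)) { continue }
        [pscustomobject]@{
            Description = $r.description
            Protocol    = $r.protocol_name
            Ports       = if ($null -eq $from) { '-' } else { "$from-$to" }
            Finding     = 'reachable from 0.0.0.0/0'
        }
    }
}

# Constructed sample mirroring the rule table of this tutorial. On a live folder use instead:
#   (yc vpc security-group get --name my-rdgw-sg --format json | ConvertFrom-Json).rules
$sampleRules = @'
[
 {"description":"icmp","direction":"INGRESS","protocol_name":"ICMP","cidr_blocks":{"v4_cidr_blocks":["0.0.0.0/0"]}},
 {"description":"self","direction":"INGRESS","protocol_name":"ANY","predefined_target":"self_security_group"},
 {"description":"rdp","direction":"INGRESS","protocol_name":"TCP","ports":{"from_port":"3389","to_port":"3389"},"cidr_blocks":{"v4_cidr_blocks":["0.0.0.0/0"]}},
 {"description":"rdgw","direction":"INGRESS","protocol_name":"TCP","ports":{"from_port":"443","to_port":"443"},"cidr_blocks":{"v4_cidr_blocks":["0.0.0.0/0"]}},
 {"description":"default","direction":"EGRESS","protocol_name":"ANY","cidr_blocks":{"v4_cidr_blocks":["0.0.0.0/0"]}}
]
'@ | ConvertFrom-Json

Get-WorldOpenIngress -Rules $sampleRules | Format-Table -AutoSize
```

Against the sample the icmp and rdp rules are reported; the rdgw rule on 443 is the only listener clients need, so the 3389 rule can be limited to the addresses administrators connect from.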

Create a VM for the gateway

Create a VM with a static address:

Management console
CLI
  1. On the folder page in the management console, click Create resource and select Virtual machine.
  2. In the Name field, enter a name for the VM: my-rds-gw.
  3. Select the availability zone ru-central1-a.
  4. Under Image/boot disk selection, select the 2019 Datacenter image.
  5. Under Disks, enter 60 GB for the size of the boot disk.
  6. Under Computing resources:
    • Choose a platform: Intel Ice Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 2
      • Guaranteed vCPU share: 100%
      • RAM: 4 GB
  7. Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select Automatically. Select the my-rdgw-sg security group.
  8. Under Access, specify the data required to access the VM: enter your password in the Password field.
  9. Click Create VM.
  1. In the PowerShell terminal, create a script named setpass to set up a password for the Administrator account using the user-data field in the VM's metadata. The cloudbase-init utility executes it on the first run.

    Note

    The first line of the script must only contain #ps1, otherwise the cloudbase-init utility won't execute the script.

    #ps1
    Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force) 
    
  2. Create a VM and specify the created script as the metadata source. As the security-group-ids parameter, enter the ID of the my-rdgw-sg security group (enp136p8s2ael7ob6klg in the output above):

    yc compute instance create `
         --name my-rds-gw `
         --hostname my-rds-gw `
         --memory 4 `
         --cores 2 `
         --platform-id=standard-v3 `
         --zone ru-central1-a `
         --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<id_my-rdgw-sg> `
         --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk `
         --metadata-from-file user-data=setpass
    
    Command execution result:

    done (25s)
    id: frmogfp7mm1kg87c25f3
    folder_id: big67u7m5flplkc6vvpc
    created_at: "2021-06-09T10:51:58Z"
    name: my-rds-gw
    zone_id: ru-central1-a
    platform_id: standard-v3
    resources:
      memory: "4294967296"
      cores: "2"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmplfvr7g6pfv63fsr7
      auto_delete: true
      disk_id: fhmplfvr7g6pfv63fsr7
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:18:83:c8:7b
      subnet_id: e9b95m6al33r62n5vkab
      primary_v4_address:
        address: 10.1.0.3
        one_to_one_nat:
          address: 178.154.231.126
          ip_version: IPV4
      security_group_ids:
      - enp136p8s2ael7ob6klg
    fqdn: my-rds-gw.ru-central1.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}

Configure the RDGW role

  1. Connect to the created VM via RDP.

  2. Install the required roles and management snap-ins:

    Install-WindowsFeature RDS-Gateway -IncludeManagementTools
    

    Command execution result:

    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Network Policy and Access Services, Remot...
    
  3. Import the RDS module:

    Import-Module -Name RemoteDesktopServices
    
  4. Create a client access policy (CAP) to allow all accounts in the local Administrators group to connect to the RDGW. You can do this through the RDS: Windows PowerShell drive, which is created automatically when the RemoteDesktopServices module is imported:

    New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'
    

    Command execution result:

        Directory: RDS:\GatewayServer\CAP
    
    Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
    ----                   ----      ------------         --   ----------------- ---------------------
    Default-CAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...
    
  5. Create a resource access policy (RAP) to allow all accounts in the local Administrators group to connect to any internal resource through the created RDGW:

    New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'
    

    Command execution result:

        Directory: RDS:\GatewayServer\RAP
    
    Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
    ----                   ----      ------------         --   ----------------- ---------------------
    Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...
    
  6. Create a certificate with the name of the server to be used for connecting to the gateway and encrypting traffic:

    $Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME
    
  7. Export the created certificate so that it can later be imported into the Trusted Root Certification Authorities store on the computer connecting to the VM. This is necessary for the client to trust the self-signed RDGW certificate:

    $Certificate | Export-Certificate -FilePath "C:\REGW.cer"
    

    Command execution result:

        Directory: C:\

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----         6/9/2021  11:51 AM            796 REGW.cer

  8. Specify which certificate the RDGW should use. Restart the Remote Desktop Gateway service to apply the settings:

    Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
    Get-Service TSGateway | Restart-Service


The gateway VM with the RDGW role configured allows BUILTIN\Administrators local group accounts to connect to VMs that do not have direct internet access.
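Before moving on to the test, it is worth confirming that the pieces configured in steps 4 to 8 fit together. The following script is an added example (not part of the Yandex Cloud tutorial) that runs on the gateway VM after Import-Module RemoteDesktopServices and checks the policies, the bound certificate, its name and validity, and the HTTPS listener.

```powershell
# Added example, not from the Yandex Cloud tutorial: verify the RDGW role configuration
# made above. Run on my-rds-gw in an elevated session after Import-Module RemoteDesktopServices.
function Test-RdgwConfig {
    $report = {
        param($Check, $Pass, $Detail)
        [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
    }

    # 1. Both a CAP and a RAP must exist; without either, no client is authorised.
    $caps = Get-ChildItem 'RDS:\GatewayServer\CAP'
    $raps = Get-ChildItem 'RDS:\GatewayServer\RAP'
    & $report 'CAP present' ($caps.Count -gt 0) ($caps.Name -join ',')
    & $report 'RAP present' ($raps.Count -gt 0) ($raps.Name -join ',')

    # 2. The thumbprint bound to the gateway must refer to a certificate in LocalMachine\My.
    $thumb = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    & $report 'Certificate bound' ($null -ne $cert) $thumb

    if ($cert) {
        # 3. The name clients connect to (the computer name, as used in step 6) must be in the
        #    certificate's DNS names, and the certificate must not be close to expiry
        #    (New-SelfSignedCertificate issues a one-year certificate by default).
        $names = @($cert.DnsNameList.Unicode)
        & $report 'Name matches' ($names -contains $env:COMPUTERNAME) ($names -join ',')
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        & $report 'Valid for >30 days' ($daysLeft -gt 30) "$daysLeft days left"
    }

    # 4. The service is running and the HTTPS listener that clients use is open.
    $svc = Get-Service TSGateway
    & $report 'TSGateway running' ($svc.Status -eq 'Running') $svc.Status
    $listen = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
    & $report '443/TCP listening' ($null -ne $listen) (($listen.LocalAddress | Select-Object -Unique) -join ',')
}

Test-RdgwConfig | Format-Table -AutoSize
```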

Test the RDGW

  1. Create a VM with no internet access; you will connect to it through the gateway during the test.

    Management console
    CLI
    1. On the folder page in the management console, click Create resource and select Virtual machine.
    2. In the Name field, enter the VM name: test-vm.
    3. Select the availability zone ru-central1-a.
    4. Under Image/boot disk selection, select the 2019 Datacenter image.
    5. Under Disks, enter 60 GB for the size of the boot disk.
    6. Under Computing resources:
      • Choose a platform: Intel Ice Lake.
      • Specify the number of vCPUs and amount of RAM:
        • vCPU: 2
        • Guaranteed vCPU share: 100%
        • RAM: 4 GB
    7. Under Network settings, click Add network and select rdgw-network. Select rdgw-subnet. Under Public address, select No address.
    8. Under Access, specify the data required to access the VM: enter your password in the Password field.
    9. Click Create VM.

    Create a VM:

    yc compute instance create `
      --name test-vm `
      --hostname test-vm `
      --platform-id=standard-v3 `
      --memory 4 `
      --cores 2 `
      --zone ru-central1-a `
      --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
      --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk `
      --metadata-from-file user-data=setpass
    

    Command execution result:

    done (19s)
    id: fhm5pflreh2jellq97r0
    folder_id: big67u7m5flplkc6vvpc
    created_at: "2021-06-09T11:53:03Z"
    name: test-vm
    zone_id: ru-central1-a
    platform_id: standard-v3
    resources:
      memory: "4294967296"
      cores: "2"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmmf65nlbt131b3e36l
      auto_delete: true
      disk_id: fhmmf65nlbt131b3e36l
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:5d:ef:bb:74
      subnet_id: e9b95m6al33r62n5vkab
      primary_v4_address:
        address: 10.1.0.4
    fqdn: test-vm.ru-central1.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}
    
  2. Import the exported certificate into the Trusted Root Certification Authorities store on the computer that you'll use to connect to the test VM.

    To connect to the gateway using the VM name, add the name and external IP address of the created RDGW to the C:\Windows\System32\drivers\etc\hosts file. For example:

    87.250.250.242 my-rds-gw
    
  3. Run the mstsc utility that creates remote desktop connections. In the settings on the Advanced tab, specify the my-rds-gw VM name as the gateway, the test-vm name as the destination node, and Administrator as the username.
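Steps 2 and 3 can be done from one elevated PowerShell session on the client. The following script is an added example (not part of the Yandex Cloud tutorial); it assumes the exported certificate was copied to C:\REGW.cer on the client, reuses the example public address from the hosts entry above, and writes an .rdp file carrying the same gateway settings as the mstsc Advanced tab.

```powershell
# Added example, not from the Yandex Cloud tutorial: prepare the client to reach test-vm
# through my-rds-gw. Run in an elevated PowerShell session on the connecting computer.
$GatewayName = 'my-rds-gw'        # must equal the DnsName in the gateway certificate (step 6)
$GatewayIp   = '87.250.250.242'   # public address of my-rds-gw (example value from the tutorial)
$Target      = 'test-vm'          # internal VM reached through the gateway
$CertFile    = 'C:\REGW.cer'      # assumed location of the certificate exported in step 7

# 1. Trust the self-signed gateway certificate in the machine-wide Trusted Root store.
$cert = Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# 2. Map the gateway name to its public address so the TLS name check succeeds; add the line once.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern = "^\s*$([regex]::Escape($GatewayIp))\s+$GatewayName\s*$"
if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
    Add-Content -Path $hosts -Value "$GatewayIp $GatewayName"
}

# 3. Confirm the gateway's HTTPS listener is reachable before starting an RDP session.
if (-not (Test-NetConnection -ComputerName $GatewayName -Port 443 -InformationLevel Quiet)) {
    throw "Port 443 on $GatewayName is not reachable; check the my-rdgw-sg rules and the hosts entry."
}

# 4. Write an .rdp file equivalent to the mstsc Advanced tab settings and open it.
#    gatewayusagemethod 1 = always use the gateway; gatewaycredentialssource 4 = ask for credentials.
$rdpFile = Join-Path $env:USERPROFILE "$Target-via-$GatewayName.rdp"
@"
full address:s:$Target
username:s:Administrator
gatewayhostname:s:$GatewayName
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
prompt for credentials:i:1
"@ | Set-Content -Path $rdpFile
mstsc.exe $rdpFile
```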

Delete the created resources

If you no longer need the created resources, delete the VMs and networks.

© 2022 Yandex.Cloud LLC