Deploying Remote Desktop Gateway
Remote Desktop Gateway (RDGW) is a Windows Server service for accessing resources that have no internet access via a secure HTTPS communication channel.
In this use case, users from the Administrators
group are granted access to a test VM using a self-signed certificate.
Before you start
Before working, you need to register in Yandex Cloud and create a billing account:
- Go to the management console. Then log in to Yandex Cloud or sign up if don't already have an account.
- On the billing page, make sure you linked a billing account, and it has the
ACTIVE
orTRIAL_ACTIVE
status. If you don't have a billing account, create one.
If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of installing RDGW includes:
- A fee for continuously running VMs (see pricing for Yandex Compute Cloud).
- A fee for using dynamic or static public IP addresses (see pricing for Yandex Virtual Private Cloud).
- The cost of outgoing traffic from Yandex Cloud to the internet (see pricing for Yandex Compute Cloud).
Create a cloud network and subnets
Create a cloud network named rdgw-network
with a subnet in the availability zone where your VMs will be located.
-
Create a cloud network.
Management consoleCLI- Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
- Click Create network.
- Enter the network name:
rdgw-network
. - Click Create network.
yc vpc network create --name rdgw-network
Command execution result:
id: qqppl6fduhct76qkjh6s folder_id: big67u7m5flplkc6vvpc created_at: "2021-06-09T10:49:07Z" name: rdgw-network default_security_group_id: enpa139ji55jti00u5sg
-
Create a subnet in the network
rdgw-network
.Management consoleCLI- Open Virtual Private Cloud in the folder where you want to create the subnet.
- Click on the name of the cloud network.
- Click Add subnet.
- Fill out the form: enter
rdgw-subnet
as a subnet name and select the desired availability zone from the drop-down list (for example,ru-central1-a
). - Enter the subnet CIDR, which is its IP address and mask:
10.1.0.0/16
. For more information about subnet IP ranges, see Cloud networks and subnets. - Click Create subnet.
yc vpc subnet create ` --name rdgw-subnet ` --zone ru-central1-a ` --network-name rdgw-network ` --range 10.1.0.0/16
Command execution result:
id: e9b95m6al33r62n5vkab folder_id: big67u7m5flplkc6vvpc created_at: "2021-06-09T10:49:21Z" name: rdgw-subnet network_id: qqppl6fduhct76qkjh6s zone_id: ru-central1-a v4_cidr_blocks: - 10.1.0.0/16
Create a security group
Create and set up a security group.
-
Open the Virtual Private Cloud section in the folder to create a security group in.
-
Open the Security groups tab.
-
Click Create group.
-
Enter the security group name:
my-rdgw-sg
. -
In the Network field, select the network to assign the security group to:
rdgw-network
. -
Under Rules, create the following traffic management rules according to the instructions below the table:
Trafficdirection Description Portrange Protocol Sourcetype Source/Purpose Incoming ICMP — ICMP CIDR 0.0.0.0/0 Incoming self-security Any Any Security group Current Incoming TCP 3389 TCP CIDR 0.0.0.0/0 Incoming RDGW 443 TCP CIDR 0.0.0.0/0 Outgoing default Any Any CIDR 0.0.0.0/0 - Select the Outgoing traffic or Incoming traffic tab.
- Click Add rule.
- In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
- In the Protocol field, specify the desired protocol or leave Any to allow traffic transmission over any protocol.
- In the Purpose or Source field, select the purpose of the rule:
- CIDR: The rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
- Security group: The rule will apply to the VMs from the current group or the selected security group.
- Click Save. Repeat the steps to create all rules from the table.
-
Click Save.
yc vpc security-group create --name=my-rdgw-sg `
--network-name rdgw-network `
--rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
--rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
--rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
--rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default
Command execution result:
id: enp136p8s2ael7ob6klg
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct76qkjh6s
status: ACTIVE
rules:
- id: env98jerk9b3tcp68k61
description: icmp
direction: INGRESS
protocol_name: ICMP
protocol_number: "1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
Create a VM for the gateway
Create a VM with a static address:
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter a name for the VM:
my-rds-gw
. - Select the availability zone
ru-central1-a
. - Under Image/boot disk selection, select the 2019 Datacenter image.
- Under Disks, enter 60 GB for the size of the boot disk.
- Under Computing resources:
- Choose a platform: Intel Ice Lake.
- Specify the number of vCPUs and amount of RAM:
- vCPU: 2
- Guaranteed vCPU share: 100%
- RAM: 4 GB
- Under Network settings, click Add network and select
rdgw-network
. Selectrdgw-subnet
. Under Public address, select Automatically. Select themy-rdgw-sg
security group. - Under Access, specify the data required to access the VM: enter your password in the Password field.
- Click Create VM.
-
In the PowerShell terminal, create a script named
setpass
to set up a password for theAdministrator
account using theuser-data
field in the VM's metadata. Thecloudbase-init
utility executes it on the first run.Note
The first line of the script must only contain
#ps1
, otherwise thecloudbase-init
utility won't execute the script.#ps1 Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
-
Create a VM and specify the created script as the metadata source. As the
security-group-ids
parameter, enter the ID of themy-rdgw-group
security group:yc compute instance create ` --name my-rds-gw ` --hostname my-rds-gw ` --memory 4 ` --cores 2 ` --platform-id=standard-v3 ` --zone ru-central1-a ` --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<id_my-rdgw-group> ` --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk ` --metadata-from-file user-data=setpass
Command execution result:
```
done (25s)
id: frmogfp7mm1kg87c25f3
folder_id: big67u7m5flplkc6vvpc
created_at: "2021-06-09T10:51:58Z"
name: my-rds-gw
zone_id: ru-central1-a
platform_id: standard-v3
resources:
memory: "4294967296"
cores: "2"
core_fraction: "100"
status: RUNNING
boot_disk:
mode: READ_WRITE
device_name: fhmplfvr7g6pfv63fsr7
auto_delete: true
disk_id: fhmplfvr7g6pfv63fsr7
network_interfaces:
- index: "0"
mac_address: d0:0d:18:83:c8:7b
subnet_id: e9b95m6al33r62n5vkab
primary_v4_address:
address: 10.1.0.3
one_to_one_nat:
address: 178.154.231.126
ip_version: IPV4
security_group_ids:
- enp136p8s2ael7ob6klg
fqdn: my-rds-gw.ru-central1.internal
scheduling_policy: {}
network_settings:
type: STANDARD
placement_policy: {}
```
Configure the RDGW role
-
Connect to the created VM via RDP.
-
Install the required roles and management snap-ins:
Install-WindowsFeature RDS-Gateway -IncludeManagementTools
Command execution result:
Success Restart Needed Exit Code Feature Result ------- -------------- --------- -------------- True No Success {Network Policy and Access Services, Remot...
-
Import the RDS module:
Import-Module -Name RemoteDesktopServices
-
Create a client access policy to allow all
Administrators
local group accounts to connect to the RDGW. You can do this using a Windows PowerShell drive that is created automatically when importing the role:New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'
Command execution result:
Directory: RDS:\GatewayServer\CAP Name Type CurrentValue GP PermissibleValues PermissibleOperations ---- ---- ------------ -- ----------------- --------------------- Default-CAP - Get-Item, Get-ChildItem, Remove-Item,...
-
Create a resource access policy to allow all
Administrators
local group accounts to connect to any internal resource through the created RDGW.New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'
Command execution result:
Directory: RDS:\GatewayServer\RAP Name Type CurrentValue GP PermissibleValues PermissibleOperations ---- ---- ------------ -- ----------------- --------------------- Default-RAP - Get-Item, Get-ChildItem, Remove-Item,...
-
Create a certificate with the name of the server to be used for connecting to the gateway and encrypting traffic:
$Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME
-
Export the created certificate to later upload it to the
Trusted Roots Certificate Authorities
certificate store on the computer connecting to the VM. This is necessary for the client to trust the self-signed RDGW certificate:$Certificate | Export-Certificate -FilePath "C:\REGW.cer"
Command execution result:
Directory: RDS:\GatewayServer\RAP Name Type CurrentValue GP PermissibleValues PermissibleOperations ---- ---- ------------ -- ----------------- --------------------- Default-RAP - Get-Item, Get-ChildItem, Remove-Item,...
-
Specify which certificate the RDGW should use. Restart the Remote Desktop Gateway service to apply the settings:
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint Get-Service TSGateway | Restart-Service
Command execution result:
Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/9/2021 11:51 AM 796 REGW.cer
The gateway VM with the RDGW role configured allows BUILTIN\Administrators
local group accounts to connect to VMs that do not have direct internet access.
Test the RDGW
-
Create a VM with no internet access and connect to it during the test.
Management consoleCLI- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name:
test-vm
. - Select the availability zone
ru-central1-a
. - Under Image/boot disk selection, select the 2019 Datacenter image.
- Under Disks, enter 60 GB for the size of the boot disk.
- Under Computing resources:
- Choose a platform: Intel Ice Lake.
- Specify the number of vCPUs and amount of RAM:
- vCPU: 2
- Guaranteed vCPU share: 100%
- RAM: 4 GB
- Under Network settings, click Add network and select
rdgw-network
. Selectrdgw-subnet
. Under Public address, select No address. - Under Access, specify the data required to access the VM: enter your password in the Password field.
- Click Create VM.
Create a VM:
yc compute instance create ` --name test-vm ` --hostname test-vm ` --platform-id=standard-v3 ` --memory 4 ` --cores 2 ` --zone ru-central1-a ` --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 ` --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk ` --metadata-from-file user-data=setpass
Command execution result:
done (19s) id: fhm5pflreh2jellq97r0 folder_id: big67u7m5flplkc6vvpc created_at: "2021-06-09T11:53:03Z" name: test-vm zone_id: ru-central1-a platform_id: standard-v3 resources: memory: "4294967296" cores: "2" core_fraction: "100" status: RUNNING boot_disk: mode: READ_WRITE device_name: fhmmf65nlbt131b3e36l auto_delete: true disk_id: fhmmf65nlbt131b3e36l network_interfaces: - index: "0" mac_address: d0:0d:5d:ef:bb:74 subnet_id: e9b95m6al33r62n5vkab primary_v4_address: address: 10.1.0.4 fqdn: test-vm.ru-central1.internal scheduling_policy: {} network_settings: type: STANDARD placement_policy: {}
-
Import the created certificate to the
Trusted Roots Certificate Authorities
directory on the computer that you'll use to connect to the test VM.To connect to the gateway using the VM name, specify the name and external IP address of the created RDGW in the
C:\Windows\system32\drivers\hosts
file. For example:87.250.250.242 my-rds-gw
-
Run the
mstsc
utility that creates remote desktop connections. In the settings on the Advanced tab, specify themy-rds-gw
VM name as the gateway, thetest-vm
name as the destination node, andAdministrator
as the username.
Delete the created resources
If you no longer need the created resources, delete the VMs and networks.