If you want to restrict access to your Remote Access Gateway and add pre-authentication for remote access, you can roll it out through Web Application Proxy. This is a good way to get rich pre-authentication for RDG, including MFA. Publishing without pre-authentication is also an option and still provides a single point of entry into your systems.
How to publish an application in RDG using Web Application Proxy pass-through authentication
The setup differs depending on whether your RD Web Access (/rdweb) and RD Gateway (rpc) roles are on the same server or on different servers.
If the RD Web Access and RD Gateway roles are hosted on the same RDG server, you can simply publish the root FQDN in Web Application Proxy, such as https://connect.abc.com/.
If the external and internal FQDNs are different, you should disable request header translation on the RDWeb publishing rule. This can be done by running the following PowerShell command on the Web Application Proxy server:
Get-WebApplicationProxyApplication applicationname | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true
Note: If you need to support rich clients such as RemoteApp and Desktop Connections or iOS Remote Desktop connections, these do not support pre-authentication, so you have to publish RDG using pass-through authentication.
Add-WebApplicationProxyApplication -Name "CompApp" -ExternalPreauthentication ADFS -ExternalUrl https://CompApp.Contoso.com/ -ExternalCertificateThumbprint "70DF0AB8434060DC869D37BBAEF770ED5DD0C32B" -BackendServerUrl http://CompApp:8080/ -ADFSRelyingPartyName "CompAppRP"
Add-WebApplicationProxyApplication -Name "CompApp" -BackendServerUrl http://CompApp/ -ExternalUrl https://CompApp.Contoso.com/ -ExternalPreauthentication "PassThrough" -ExternalCertificateThumbprint "A1A657E1A4F276FCC45613C0F6B3BC91AFC4633C"
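To review the publishing choices described above after the rules are created, the following added example (not part of the original page or of Microsoft's tooling) checks each rule for pass-through publishing and for request header translation left enabled when the external and backend FQDNs differ. The function name Test-WapPublishingRule and the sample rules are assumptions constructed for illustration; the property names are those returned by Get-WebApplicationProxyApplication.

```powershell
# Added example: audit Web Application Proxy publishing rules.
# Test-WapPublishingRule is a hypothetical helper, not a built-in cmdlet.
function Test-WapPublishingRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Application
    )
    process {
        $notes = @()
        $externalHost = ([uri]$Application.ExternalUrl).Host
        $backendHost  = ([uri]$Application.BackendServerUrl).Host

        # Pass-through: the proxy forwards requests without authenticating them,
        # so the backend RDG/RDWeb server is the only authentication point.
        if ([string]$Application.ExternalPreauthentication -eq 'PassThrough') {
            $notes += 'Pass-through: no pre-authentication (and no MFA) at the proxy'
        }
        # Differing FQDNs: request header translation should be disabled.
        if ($externalHost -ne $backendHost -and
            -not $Application.DisableTranslateUrlInRequestHeaders) {
            $notes += 'FQDNs differ but request header translation is still enabled'
        }
        [pscustomobject]@{
            Name     = $Application.Name
            External = $externalHost
            Backend  = $backendHost
            PreAuth  = [string]$Application.ExternalPreauthentication
            Findings = if ($notes) { $notes -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample rules so the check runs without a WAP server.
# rdg01.corp.example is a placeholder backend name.
$sampleRules = @(
    [pscustomobject]@{ Name = 'RDWeb'; ExternalPreauthentication = 'ADFS'
        ExternalUrl = 'https://connect.abc.com/rdweb/'
        BackendServerUrl = 'https://rdg01.corp.example/rdweb/'
        DisableTranslateUrlInRequestHeaders = $false }
    [pscustomobject]@{ Name = 'RDG-RichClients'; ExternalPreauthentication = 'PassThrough'
        ExternalUrl = 'https://connect.abc.com/rpc/'
        BackendServerUrl = 'https://connect.abc.com/rpc/'
        DisableTranslateUrlInRequestHeaders = $false }
)
$sampleRules | Test-WapPublishingRule | Format-List

# On the Web Application Proxy server itself:
# Get-WebApplicationProxyApplication | Test-WapPublishingRule | Format-List
```

With the sample data, the RDWeb rule is reported for header translation and the RDG-RichClients rule for pass-through publishing.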