Networking / Infrastructure, Server 2016

Publishing Remote Desktop Gateway through Web Application Proxy

If you want to restrict access to your Remote Desktop Gateway (RDG) and add pre-authentication for remote users, you can publish it through Web Application Proxy (WAP). This is a good way to give RDG rich pre-authentication, including MFA. Publishing without pre-authentication (pass-through) is also an option and still gives you a single point of entry into your systems.

How to publish RDG through Web Application Proxy using pass-through authentication

  1. Installation differs depending on whether your RD Web Access (/rdweb) and RD Gateway (/rpc) roles are on the same server or on different servers.

  2. If the RD Web Access and RD Gateway roles are hosted on the same RDG server, you can simply publish the root FQDN in Web Application Proxy, e.g. https://connect.abc.com/.

     You can also publish the two virtual directories individually, e.g. https://connect.abc.com/rdweb/ and https://connect.abc.com/rpc/.

  3. If RD Web Access and RD Gateway are hosted on separate RDG servers, you have to publish the two virtual directories individually. You can use the same or different external FQDNs, e.g. https://rdweb.abc.com/rdweb/ and https://gateway.abc.com/rpc/.

  4. If the external and internal FQDNs are different, you should disable request header translation on the RDWeb publishing rule. Do this by running the following PowerShell command on the Web Application Proxy server (replace applicationname with the name of your RDWeb publishing rule):

     Get-WebApplicationProxyApplication applicationname | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true

     Note: If you need to support rich clients such as RemoteApp and Desktop Connections or iOS Remote Desktop connections, these do not support pre-authentication, so you have to publish RDG using pass-through authentication.
To publish a web application with AD FS pre-authentication:

    Add-WebApplicationProxyApplication -Name "CompApp" `
        -ExternalPreauthentication ADFS -ExternalUrl https://CompApp.Contoso.com/ `
        -ExternalCertificateThumbprint "70DF0AB8434060DC869D37BBAEF770ED5DD0C32B" `
        -BackendServerUrl http://CompApp:8080/ -ADFSRelyingPartyName "CompAppRP"

To omit external pre-authentication (pass-through):

    Add-WebApplicationProxyApplication -Name "CompApp" -BackendServerUrl http://CompApp/ -ExternalUrl https://CompApp.Contoso.com/ `
        -ExternalPreauthentication "PassThrough" -ExternalCertificateThumbprint "A1A657E1A4F276FCC45613C0F6B3BC91AFC4633C"
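The following script ties steps 3 and 4 together for the split-server case: it publishes the /rdweb and /rpc virtual directories as two separate pass-through rules, and disables request header translation on any rule whose external host differs from its backend host. It is an added example written for this post, not Microsoft's sample code; the rule names, the abc.com / abc.local host names, and the all-zero certificate thumbprint are assumptions and placeholders to be replaced with your own values. It uses only the cmdlets and parameters shown in the steps above (Add-, Get- and Set-WebApplicationProxyApplication with -DisableTranslateUrlInRequestHeaders).

```powershell
# Added example (not from the original post): publish RD Web Access and RD Gateway
# as two pass-through Web Application Proxy rules (step 3) and disable request header
# translation where the external and internal FQDNs differ (step 4).
# Run on the Web Application Proxy server. All names, URLs and the thumbprint are
# placeholders/assumptions; replace them with your own values.

$ErrorActionPreference = 'Stop'

# Placeholder: thumbprint of the external certificate installed on the WAP server.
$ExternalCertThumbprint = '0000000000000000000000000000000000000000'

# External URLs (what clients connect to) and internal backend URLs (assumed host names).
$Apps = @(
    @{ Name = 'RDWeb';     ExternalUrl = 'https://rdweb.abc.com/rdweb/';  BackendServerUrl = 'https://rdweb-int.abc.local/rdweb/' },
    @{ Name = 'RDGateway'; ExternalUrl = 'https://gateway.abc.com/rpc/';  BackendServerUrl = 'https://gateway-int.abc.local/rpc/' }
)

foreach ($app in $Apps) {
    # Step 4: translation is only disabled when the external host name differs from
    # the backend host name; otherwise the default (translation enabled) is kept.
    $externalHost     = ([Uri]$app.ExternalUrl).Host
    $backendHost      = ([Uri]$app.BackendServerUrl).Host
    $disableTranslate = ($externalHost -ne $backendHost)

    $existing = Get-WebApplicationProxyApplication -Name $app.Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already published: only adjust the header translation setting, as in step 4.
        Write-Host "Rule '$($app.Name)' exists; setting DisableTranslateUrlInRequestHeaders=$disableTranslate"
        $existing | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$disableTranslate
    } else {
        # Pass-through publishing, which the note above requires for rich clients
        # (RemoteApp and Desktop Connections, iOS Remote Desktop). To pre-authenticate the
        # RDWeb rule with AD FS instead, use -ExternalPreauthentication ADFS plus
        # -ADFSRelyingPartyName, as in the first sample command above.
        Write-Host "Publishing '$($app.Name)' -> $($app.ExternalUrl)"
        Add-WebApplicationProxyApplication -Name $app.Name `
            -ExternalPreauthentication PassThrough `
            -ExternalUrl $app.ExternalUrl `
            -BackendServerUrl $app.BackendServerUrl `
            -ExternalCertificateThumbprint $ExternalCertThumbprint `
            -DisableTranslateUrlInRequestHeaders:$disableTranslate
    }
}

# Verify the result: both rules should be PassThrough, and any rule whose external and
# backend hosts differ should show DisableTranslateUrlInRequestHeaders = True.
$Names = $Apps | ForEach-Object { $_.Name }
Get-WebApplicationProxyApplication |
    Where-Object { $_.Name -in $Names } |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, DisableTranslateUrlInRequestHeaders -AutoSize
```

The host comparison is what makes the script safe to re-run: in the single-server case from step 2, where external and internal FQDNs match, it leaves header translation enabled, and in the split case it disables it only on the rules that actually need it. Check the final table before testing from a rich client, since a rule that was accidentally created with ADFS pre-authentication will not be changed by this script.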