Remote Desktop Gateway

Applies To: Windows Server 2008 R2

What are the major changes?

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2 that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be Remote Desktop Session Host (RD Session Host) servers, RD Session Host servers running RemoteApp programs, or computers and virtual desktops with Remote Desktop enabled. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and internal network resources.

The following changes are available in Windows Server 2008 R2:

  • Configurable idle and session timeouts

  • Background session authentication and authorization

  • System and logon messages

  • Device redirection enforcement

  • Network Access Protection (NAP) remediation

  • Pluggable authentication and authorization

Who will be interested in these features?

The improvements to the RD Gateway role service will be of interest to organizations that currently use or are interested in extending Remote Desktop Services to clients that are not directly connected to the corporate network.

Are there any special considerations?

To take advantage of the new functionality introduced for RD Gateway in Windows Server 2008 R2, you must use the following:

  • A Windows Server 2008 R2 server configured as an RD Session Host server.

  • A Windows Server 2008 R2 server configured as an RD Gateway server.

  • Remote Desktop clients using Remote Desktop Connection (RDC) 7.0.

Note

Existing functionality will still work with terminal servers running Windows Server 2008 or Windows Server 2003.

What new functionality do these features provide?

The new functionality provided by these features in the RD Gateway role service is described in the following sections.

Configurable idle and session timeouts

RD Gateway allows you to configure idle and session timeouts on the RD Gateway server. An idle timeout provides the ability to reclaim resources used by inactive user sessions without affecting the user's session or data. This helps free up resources on the RD Gateway server. After being disconnected, the user will be able to reestablish the session by using RDC. A session timeout provides the capability to periodically enforce new policies on active user connections. This ensures that any system changes to user properties, such as domain accounts, Remote Desktop connection authorization policy (RD CAP) changes, or Remote Desktop resource authorization policy (RD RAP) changes, are enforced on existing sessions.

  • An idle timeout provides the ability to reclaim resources used by inactive user sessions without affecting the user's session or data. This helps free up resources on the RD Gateway server. After being disconnected, the user will be able to reestablish the session by using RDC.

  • A session timeout provides the capability to periodically enforce new policies on active user connections. This ensures that any system changes to user properties, such as domain accounts, RD CAP changes, or RD RAP changes, are enforced on existing sessions.

The idle and session timeouts are configured on the Timeout tab of the RD CAP by using Remote Desktop Gateway Manager.

Why is this change important?

Configurable idle and session timeouts with RD Gateway help you gain better control of users who are connecting through RD Gateway. Timeouts allow you to reclaim resources from sessions that are not currently in use, helping to ensure that idle sessions are not wasting system resources. User properties that are changed can still be enforced for users accessing the system by using remote desktop sessions.

Background session authentication and authorization

When a timeout has been reached, the remote session can be disconnected or the session can be silently re-authenticated and reauthorized. If the option to silently re-authenticate and reauthorize is selected, after a configured session timeout has been reached, sessions for users whose property information has not changed are not affected, and authentication and authorization requests are sent in the background.

Why is this change important?

Background authentication and authorization requests are done automatically and require no user interaction.

System and logon messages

System and logon messages can be added to RD Gateway in Windows Server 2008 R2 and displayed to the remote desktop user. System messages can be used to inform users of server maintenance issues such as shutdown and restarts. Logon messages can be used to display a logon notice to users before they gain access to remote resources.

You can configure RD Gateway to only allow connections from remote desktop clients that support system and logon messages. Remote desktop clients must be running RDC 7.0 to connect by using this setting.

The system and logon messages are configured on the Messaging tab of the RD Gateway server Properties, by using Remote Desktop Gateway Manager.

Why is this change important?

Messaging can be used to keep remote desktop clients more informed. System messages can be used to inform users of upcoming server downtimes. Logon messages can be used to display legal information that the remote desktop user must acknowledge before starting an RD Gateway session.

Device redirection enforcement

An RD Gateway server running Windows Server 2008 R2 includes the option to allow remote desktop clients to only connect to RD Session Host servers that enforce device redirection. RDC 7.0 is required for device redirection to be enforced by the RD Session Host server running Windows Server 2008 R2.

Device redirection enforcement is configured on the Device Redirection tab of the RD CAP by using Remote Desktop Gateway Manager.

Why is this change important?

Device redirection enforcement helps prevent malicious code on remote clients from overriding security polices set by an administrator.

Network Access Protection (NAP) remediation

An RD Gateway server running Windows Server 2008 R2 enables you to update client computers that are not in compliance with the health policy. This helps keep managed clients in compliance with the latest software updates. Administrators can set CAP policies so that unmanaged clients do not receive updates, and are only provided health feedback allowing users to manually update their systems.

Why is this change important?

NAP remediation allows you to manage remote clients by updating them with the latest software updates and settings. This helps keep remote clients in compliance with network security policies.

Pluggable authentication and authorization

Pluggable authentication provides APIs which can be used to write authentication and authorization plug-ins for integration with RD Gateway. RD Gateway exposes interfaces for authoring custom authentication and authorization plug-ins.

Why is this change important?

Pluggable authentication and authorization allows you to use non-Windows-based methods for authentication and authorization. You can use this to develop your own custom plug-ins to better fit your network admission requirements.

Which editions include these features?

RD Gateway is available in the following editions of Windows Server 2008 R2:

  • Windows Server 2008 R2 Standard

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Datacenter

RD Gateway is not available in the following editions of Windows Server 2008 R2:

  • Windows Web Server 2008 R2

  • Windows Server 2008 R2 for Itanium-Based Systems

Additional references

For information about other new features in Remote Desktop Services, see What's New in Remote Desktop Services.