How to setup RDS Gateway as a replacement for ‘Access Anywhere’ from the Essentials Experience role

How to setup RDS Gateway as a replacement for ‘Access Anywhere’ or 'Remote Web Workplace'

In all previous versions of the ‘Essentials Experience’ role on Windows Server 2012 or 2016 we had a feature called ‘Access Anywhere’ that consisted of two parts. One was VPN over SSL; the other let you go to remote.domain.com/remote, click the tile of a computer inside your network (shown in the original screenshot) and connect to it as if it were a ‘Terminal Server’. It was not a real Terminal Server, but it did the same job as its big brother: it gave you a way to reach computers inside your own network so that you could work from home or from anywhere in the world. Out of the box, Windows Server 2019 (Essentials) has no such solution for connecting to workstations inside your network. You could use a VPN solution or, as some people do, open port 3389 on your firewall and forward it to a workstation inside your LAN. The last option is a very bad one and should not be done: it exposes the workstation's RDP service directly to the internet.

This tutorial can also replace Remote Web Workplace (RWW) access to computers inside your LAN, which was previously offered on SBS 2011 and SBS 2008.

A much better solution is to install and configure the Remote Desktop Gateway (RD Gateway) role service. If you are a small company this can be done on the ‘only’ server you have in your network; if you have the option to install an extra VM you can dedicate that as your RD Gateway server. The best part of all of this is that it is completely FREE. As far as I know there are no licensing costs involved for RD Gateway, because the workstations you connect to inside your LAN are covered by the licenses you already own! You must always check licensing requirements with your vendor. We are no licensing experts and do not accept any responsibility if the licensing information we give you here is incorrect.

We install RD Gateway and all the tools from PowerShell and not from Server Manager. This is so much faster than doing it through the GUI.

  1. From the Start Menu run an elevated PowerShell prompt.
  2. Run the following command to install the RD Gateway role service together with its management tools:
    Add-WindowsFeature -Name RDS-Gateway -IncludeAllSubFeature -IncludeManagementTools
  3. From the same elevated PowerShell prompt, create the ‘RDP Users’ security group (adjust the -Path so that it points to the Users container of your own domain):
    New-ADGroup -Name "RDP Users" -SamAccountName "RDP Users" -GroupCategory Security -GroupScope Global -DisplayName "RDP Users" -Path "CN=Users,DC=Numinous,DC=local" -Description "Members of this group are RDP Gateway Users"
  4. With this command we create another security group named ‘RDP Computers’:
    New-ADGroup -Name "RDP Computers" -SamAccountName "RDP Computers" -GroupCategory Security -GroupScope Global -DisplayName "RDP Computers" -Path "CN=Users,DC=Numinous,DC=local" -Description "Members of this group are RDP Gateway Client Computers"
  5. Add user Ken to the security group “RDP Users”:
    Add-ADGroupMember -Identity "RDP Users" -Members Ken
  6. Check that Ken was added:
    Get-ADGroupMember -Identity "RDP Users"
  7. In my lab setup I have one workstation joined to the domain, and the name of that machine is W10. We need to add that machine to the correct security group, which is “RDP Computers”. Notice the $ at the end of the workstation name: the SAM account name of a computer object in Active Directory ends with a $ sign (the single quotes keep it literal).
    Add-ADGroupMember -Identity "RDP Computers" -Members 'W10$'
  8. Check that this worked:
    Get-ADGroupMember -Identity "RDP Computers"
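The same group setup as a re-runnable script, added here as an example and not part of the original tutorial. It derives the Users container from the domain instead of hard-coding "CN=Users,DC=Numinous,DC=local", only creates or adds what is missing, and verifies that each group holds the object class it should. The user ‘Ken’ and workstation ‘W10’ are the tutorial's lab names; replace them with your own.

```powershell
Import-Module ActiveDirectory

# Users container of the current domain, instead of the hard-coded path above.
$usersPath = (Get-ADDomain).UsersContainer   # e.g. CN=Users,DC=Numinous,DC=local

$groups = @{
    'RDP Users'     = 'Members of this group are RDP Gateway Users'
    'RDP Computers' = 'Members of this group are RDP Gateway Client Computers'
}

foreach ($name in $groups.Keys) {
    # Create the group only if it does not exist yet, so the script can be re-run.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope Global -DisplayName $name -Path $usersPath `
            -Description $groups[$name]
    }
}

function Add-MemberIfMissing([string]$Group, $Object) {
    # Add the object only when it is not already a member of the group.
    $current = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty DistinguishedName
    if ($current -notcontains $Object.DistinguishedName) {
        Add-ADGroupMember -Identity $Group -Members $Object
    }
}

# Users who may pass through the gateway (assumed: 'Ken', as in the tutorial).
foreach ($u in @('Ken')) { Add-MemberIfMissing 'RDP Users' (Get-ADUser -Identity $u) }

# Workstations reachable through the gateway (assumed: 'W10'). Get-ADComputer
# resolves the computer object, so the trailing $ of its SAM account name is
# not typed by hand.
foreach ($c in @('W10')) { Add-MemberIfMissing 'RDP Computers' (Get-ADComputer -Identity $c) }

# Verify: list the members and flag an object of the wrong class, because a user
# in the computer group (or vice versa) is not what the gateway policies expect.
foreach ($g in 'RDP Users', 'RDP Computers') {
    $expected = if ($g -eq 'RDP Users') { 'user' } else { 'computer' }
    Get-ADGroupMember -Identity $g | ForEach-Object {
        $flag = if ($_.objectClass -ne $expected) { '  <-- unexpected object class' } else { '' }
        '{0,-14} {1,-9} {2}{3}' -f $g, $_.objectClass, $_.SamAccountName, $flag
    }
}
```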

Two settings are involved in this Group Policy. One is to enable “Allow users to connect remotely by using Remote Desktop Services” on the workstations, and the other is to add the “RDP Users” group to the “BUILTIN\Remote Desktop Users” group on those workstations. We have also included a backup of this Group Policy in the file you can download from the bottom of this tutorial.

  1. From Server Manager choose Tools > Group Policy Management.
  2. Right-click your domain and choose ‘Create a GPO in this domain, and link it here’.
  3. I named it ‘Enable RDP Access’.
  4. Under Security Filtering click Add.
  5. Type ‘rdp’ and click Check Names.
  6. The two security groups we just created are listed. Select ‘RDP Users’ and click OK.
  7. Once again click Add.
  8. And again type ‘rdp’ and click Check Names.
  9. Now select ‘RDP Computers’ and click OK.
  10. Click OK.
  11. Select ‘Authenticated Users’ and choose Remove. The policy now applies only to members of the two groups; the workstations in ‘RDP Computers’ can still read and apply it because that group keeps the Apply permission.
  12. Click OK.
  13. Click OK.
  14. Right-click the GPO and click Edit.
  15. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (the hive shown in the original screenshot) and click Add Group.
  16. Click Browse.
  17. Type ‘remote’ and click Check Names.
  18. Select ‘Remote Desktop Users’ and click OK.
  19. Click OK.
  20. Click OK.
  21. We will make our ‘RDP Users’ group a member of the local Remote Desktop Users group on each workstation that gets this policy applied. Under ‘Members of this group’ click Add.
  22. Click Browse.
  23. Type ‘rdp’ and click Check Names.
  24. Select ‘RDP Users’ and click OK.
  25. Make sure ‘RDP Users’ is listed under ‘Members of this group’ and click OK.
  26. Click Apply and OK.
  27. Our RDP Users group is now a member of BUILTIN\Remote Desktop Users on each workstation that gets the policy. Note that ‘Members of this group’ in Restricted Groups is authoritative: any other member of the local Remote Desktop Users group on those workstations is removed when the policy applies.
  28. Now we need to turn on Remote Desktop Services on the client so that we can connect. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and open ‘Allow users to connect remotely by using Remote Desktop Services’.
  29. Check Enabled and click OK.
  30. Click the cross to close the GPO Editor.
  31. Click the ‘Settings’ tab and check that you see the same settings as in the screenshot.
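The GPO creation, security filtering and Remote Desktop setting from the steps above, done from PowerShell with the GroupPolicy module. This is an added example, not part of the original tutorial or its downloadable GPO backup; the Restricted Groups part (steps 15 to 27) is not exposed by that module and stays a GUI step. It assumes the two AD groups from the previous section already exist.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Enable RDP Access'
$domainDn = (Get-ADDomain).DistinguishedName

# Create the GPO (or reuse it when it already exists) and link it at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'RD Gateway: allow RDP to member workstations'
    New-GPLink -Name $gpoName -Target $domainDn | Out-Null
}

# Steps 28/29: "Allow users to connect remotely by using Remote Desktop Services"
# is the policy value fDenyTSConnections = 0 under the Terminal Services key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# Steps 4-13, security filtering: grant Apply to both groups first and only
# then drop Authenticated Users, so the GPO is never left without a principal
# that can apply it.
foreach ($grp in 'RDP Users', 'RDP Computers') {
    Set-GPPermission -Name $gpoName -TargetName $grp -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Caveat: without Authenticated Users, a computer must itself have Read on the
# GPO to process it. 'RDP Computers' has Apply (which includes Read), so the
# workstations in that group get the policy; every other computer skips it.

# Verify the resulting filtering before testing from a workstation.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```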

We have exported our configuration to an XML file (download at the bottom of this tutorial) that you can import into Remote Desktop Gateway Manager; change the server tag in that file so that it fits your server name. Before we do that, we need to get a valid certificate and import it.

  1. Open Remote Desktop Gateway Manager from Server Manager.
  2. Where you get the certificate from is out of the scope of this guide, but it must be a certificate from an official CA such as Comodo or Let's Encrypt. Click the link ‘modify certificate properties’.
  3. Click Browse and Import a certificate. We already have a valid certificate for ‘remote.numinous-travel.com’ and we own the private key.
  4. Click Open.
  5. Type the password of the certificate file.
  6. Click OK.
  7. Click Apply and then choose ‘Select an existing certificate..’.
  8. Click Import Certificate.
  9. Click Import.
  10. Click Apply.
  11. There is our certificate listed.
  12. I have exported my configuration to an XML file that you can use to import. Very easy!
  13. Browse to the XML file and click OK.
  14. Click Yes.
  15. Click OK.
  16. All looks OK now. Time for some testing!

We need to create an RDP connection file (.rdp). The first one is for testing purposes, but when all is fine you can save it without credentials and distribute it to the users who need access through the RD Gateway to your network.

  1. In the Search box type Remote and start ‘Remote Desktop Connection’.
  2. Type the full local hostname of the computer in your LAN to which you want to connect.
  3. Click the Advanced tab and then Settings.
  4. Choose ‘Use these RD Gateway server settings’ and type the FQDN of your RD Gateway. It is the same as the name on your certificate.
  5. Click ‘Save As’ and save it to your desktop.
  6. Click Connect.
  7. Click Connect again.
  8. Make sure you type domain\username.
  9. And again.
  10. We are now logged on to workstation W10 using RD Gateway.
  11. I also tested it with another user and checked in RD Gateway Manager: Ken is now logged on to workstation W10. If you get a warning that a normal domain user cannot use RD Gateway, make sure the user is a member of the RDP Users security group.
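The connection file from steps 1 to 5, written from PowerShell so it can be handed to users. This is an added example and not part of the original tutorial; it stores no password, so the user is prompted once and the same credentials are reused for the gateway and the workstation. The workstation FQDN ‘W10.numinous.local’, the gateway name ‘remote.numinous-travel.com’ and the domain ‘NUMINOUS’ are assumptions based on the lab names in this tutorial; replace them with your own.

```powershell
function New-RdGatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,    # internal FQDN of the workstation
        [Parameter(Mandatory)] [string] $GatewayFqdn,   # public name, must match the certificate
        [Parameter(Mandatory)] [string] $Domain,
        [string] $UserName = '',                        # optional: pre-fill DOMAIN\user
        [Parameter(Mandatory)] [string] $Path
    )

    $lines = @(
        "full address:s:$TargetHost"
        "gatewayhostname:s:$GatewayFqdn"
        'gatewayusagemethod:i:1'          # 1 = always connect through the RD Gateway
        'gatewaycredentialssource:i:0'    # 0 = ask for password (NTLM); nothing is stored in the file
        'gatewayprofileusagemethod:i:1'   # 1 = use the explicit gateway settings in this file
        'promptcredentialonce:i:1'        # reuse the gateway credentials for the workstation
        'authentication level:i:2'        # 2 = warn if the server certificate cannot be verified
        'prompt for credentials:i:1'
        'screen mode id:i:2'              # full screen
    )
    if ($UserName) { $lines += "username:s:$Domain\$UserName" }

    # The Remote Desktop client reads a plain text file with one setting per line.
    [IO.File]::WriteAllLines($Path, $lines, [Text.Encoding]::ASCII)
    Get-Item $Path
}

# Assumed lab values; the resulting file can be opened with mstsc.exe.
New-RdGatewayRdpFile -TargetHost 'W10.numinous.local' -GatewayFqdn 'remote.numinous-travel.com' `
    -Domain 'NUMINOUS' -UserName 'Ken' -Path "$env:USERPROFILE\Desktop\W10-via-gateway.rdp"
```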

About www.server-essentials.com

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more. Our documentation is top notch and written by and for the community.
