This period it's crazy and only in science fiction movies saw this situation. But now it's real and must be prepare for lot of changes in the future.
Most of the employee today works from home with Business or Personal Laptops.
IT Pro must already have in place a Business Continuity Plan and Disaster Recovery.
But when you have users to work from home with personal laptops because you don't have other Business Laptops then you must be prepare to protect your company from any unathorize access and attacks in every level.
Today i would like to describe step by step how can create a strong security solution for your Remote Workers without expose your Internal Network.
How to Install Remote Desktop Gateway Server 2016
Remote Desktop Gateway Server is a Remote Desktop Service as a Role that can use to connect the end users secure throught encryption with SSL Certificate with Remote Desktop Connection in Remote Desktop Servers or user pc.
Regardless how you configure the desktops for your end users (physical pc or terminal sessions in remote desktop servers) you can include remote desktop gateway server in connection flow to secure your traffic when connections comes outside of the company.
So let's start of how to install Remote Desktop Gateway Server in 2016
- Open Server Manager
- Click Manage -- Add Roles & Features
- Click Next
- Keep the selection Role-based or feature based installation.
- Keep the selection the same and click Next to prepare the Local Server to add Role or Feature
- Check the Remote Desktop Services. Click Next
- Just click Next without change anything
- Click again Next
- Check Remote Desktop Gateway Service and at the same time click Add Features when a new window appear to install all the Sub Features that needs the specific Role.
- Click Next
- Click Next to proceed with the installation of IIS.
- Don't change anything in the Role Services of IIS. Click Next.
- Once again Next for the NPS.
- Finally click Install and wait to finish.
How to Install Remote Desktop Gateway Server 2016 with Powershell
Except from the GUI Wizard you can use one line of Powershell command to avoid all the above steps with the installation
- Open Powershell as Administrator
- Type the following command
Add-WindowsFeature –Name RDS-Gateway –IncludeAllSubFeature
- When finish you will see something like this
How to configure Remote Desktop Gateway Server 2016
After finish the installation it's time to configure the Remote Desktop Gateway Server 2016 to accept connections from outside.
Let's note all the steps that must follow
- Decide an External FQDN to use for your Remote Desktop Gateway Server when someone wants to connect from outside.
- Buy and Install an SSL Certificate base on your External FQDN
- Create a DNS A Record in your public domain to point your Exteranl FQDN in an public static ip address
- Create a NAT in your Firewall for the RD Gateway Server
- Create the appropriate Access Rules in your Firewall.
- Create New Authorization Policies in the Remote Desktop Gateway Server
- Configure Remote Desktop in one PC outside of your network
Lot of steps? Don't worry! Most of the steps are simple and easy
Decide an External FQDN
First of all you must decide an external FQDN that will use it for
- DNS A Record
- SSL Cerificate
- Remote Desktop Connection to use RD Gateway Server.
For example in my environment i gave the name rdg.askme4tech.com as external FQDN which point to a static public ip address.
Buy and install SSL Certificate
After decide the External FQDN then you must proceed to buy an SSL Certificate from a public Certificate Authority like Godaddy,Comodo or any other that you know or use.
But to test the connection before Buy the SSL Cerificate you can use a Self Sign Certificate from the RD Gateway Server.
Be careful the Self Sign Certificate it's only for test purposes and can't be use it to connect from outside.
Let's create a Self Sign Certificate only for test purposes
- Open RD Gateway Manager
- Right click in the Server Name and select Properties
- Click in SSL Certificate Tab
- Check Create a self sign certificate
- Click in button Create and Import Certificate
- Keep the settings without change it and note where the certificate will be saved. Click OK
- Click OK again
- You can see now the Certificate and the Expiration Date.
- Click Apply.
- Click Yes.
That's it. Let's continue!!
How to Create the DNS A Record
Create a DNS A Record for the External FQDN to point in a static public IP Address.
Note that this can be done from the Host Provider of your Public domain. If you don't have access then ask the support of the Host Provider from your Public Domain to add the DNS A Record
NAT in the Firewall
Ask from your Network Administrator to create a NAT Rule for the Remote Desktop Gateway Server. The details that you must give are the internal and external IP Address (IP Address to point in your External FQDN) of your Remote Desktop Gateway Server
Access Rule in the Firewall
Also you need two access rules in the Firewall
- Allow from Outside the port 443 in the Remote Desktop Gateway Server
- Allow the rdp port (3389) from the Remote Desktop Gateway Server in the PC's or Remote Desktop Servers local ip addresses that you want to connect Remotely
How to Create New Authorization Policies in the Remote Desktop Gateway Server
Only for test purposes we will create New Authorization Policies. Let's start
- Before proceed with the Authorization Policies you must create a new Security Group in the Active Directory which will be include all the users that connect remotely use it the RD Gateway Server.
- Also Create a Security Group in the Active Directory which will be include all the Computer Names that allow to connect remotely the users which will be use the RD Gateway Server.
- Open RD Gateway Manager
- Expand the Server Name.
- Right click in Policies.
- Select Create New Authorization Policies.
- Select Create RD CAP and RD RAP
- Type a name of the RD CAP Policy.
- The RD CAP is to select which users can connect remotely from outside in the Remote Computer using the RD Gateway Server.
- Select the Group from the Active Directory which must include the users.
- Decide if you want to allow redirection
- Keep it as default and click Next
- Just click Next
- Type the name of the RD RAP
- The RD RAP use it to select the resources that will allow in the users to connect inside the network when using RD Gateway Server.
- The Security Group from the Active Directory must be the same because you have already included in RD CAP Policy.
- Now select the Security Group which create in the beginning with the computer names.
- Keep the default settings and click Next
- Click Finish.
- Now expand the Policies and select the Connection or Resource Authorization Policy to see or edit the Policy.
Configure and test the Remote Desktop Connection
After you have configure successful all the above steps let's test if it's working.
From a PC outside of your network open a Remote Desktop Connection
- Click in Advance Tab
- Click in Settings button
- Select Use these RD Gateway server settings and write down the External FQDN .
- Uncheck the Bypass RD Gateway server for local addresses
- Check the Use the RD Gateway server credentials for the remote computer
- Click in General Tab
- In the Computer type the ip address or the computer name of your internal network
- In the User Name type the Domain\username of the user.
- Click Connect and verify that you can connect.
How to use Multi Factor Authentication in RD Gateway Server
Create a Free Duo Security account.
Until now we have create a secure connection for the users that wants to connect remotely from outside.
But what about when you have users with Personal Laptops or either with Business Laptops but you can't monitoring the Internet?
Multi Factor Authentication is a security Layer that combines user+Device before connect in your environment.
You can apply this security with Different ways like Azure MFA but must has specific requirements that takes time.
Remote Desktop Gateway Server with Azure MFA will be one of my next articles but today we need a fast and secure solution if you don't have the specific infrastructure
After my research i found that Duo Security is one of the 3rd party application that can supported by Microsoft for the Remote Desktop Gateway Servers to apply MFA.
Also to note that Duo Security is part of Cisco.
So let's start
- Open https://duo.com/
- Click in Login and follow the steps until create the new user
- After you have Login Duo Admin Panel click in Applications from the left side
- In the right side has a search field. Write rd and it will get the Microsoft RD Gateway.
- Click on it and in the Details you can find
- Integration key
- Secret key
- API hostname
- Keep this because you will need it.
How to enroll the user in Duo Admin Panel
If you have in the production the RD Gateway Server then the best is to enroll first the users in Duo Admin Panel before install the application in RD Gateway Server.
- Login in Duo Admin Panel
- From the left side click on Users
- Click Add User
- Type only the username without the Domain.
- Click Add User
- Fill the email address and leave the option Active for now.
- Go down and click Save Settings
- Now click in Send Enrollment Email
- The user will receive an email like the following.
- So let's do a test and act as end user
- When click in the link from the email will start the Wizard to enroll the user
- Click Start Setup
- Select the device that you want to add.
- In this scenario will use Mobile Phone
- Type your phone number
- Select the type of your phone
- Base on the type of your phone download and follow the instruction to setup the mobile app
- Just follow the instructions Finish Enrollment
- After finish successful the enrollment go in Duo Admin Panel
- Click on the Users and you will see the status of the User Active
- If your RD Gateway Server is in production click on the user and change the option from Active to Bypass.
- We don't want to create any downtime when will be install the Duo Application in the RD Gateway Server
How to install the Duo Authentication for Remote Desktop Gateway Installer Package
Before start the installation base on the Duo Documentation you must note that
Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead. This alternative also supports passcode authentication.
- Download the Duo Authentication for Remote Desktop Gateway Installer Package in the RD Gateway Server
- Login in RD Gateway Server
- Open the command prompt as Administrator
- Go from command prompt in the path which have download the installer package
- Type the name of the installer package in the command prompt to start the installation.
- Click Next in the Welcome Wizard
- Fill the Integration key , Secret key and API hostname from the Duo Admin Panel
- Base on the Duo Documentation If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Gateway login attempts will be denied if there is a problem contacting the Duo service.
- Duo for RD Gateway sends a user's Windows
sAMAccountNameto Duo's service by default. To send the
userPrincipalNameto Duo instead, check the Use UPN username format box.
- If you decide to check the Use UPN surname format but then you must change the properties of your RD Gateway application in the Duo Admin Panel
- So leave it with the Default Settings and click Next.
- Follow the instruction until finish the installation.
- Note while the installation of Duo run will be restart the RD Gateway service before finish the installation.
How to test the Multi Factor Authentication in RD Gateway Server
- Now you are ready to test the connection from the end user with Multi-Factor Authentication
- Login in Duo Admin Panel
- Click on the User and change the option from Bypass to Active and click on Save Changes
- Login in the PC that we test the Remote Desktop Connection and try to connect again.
- You will receive a notification in your mobile phone to Accept the connection before Login in your Network.
This solution can give you a strong security strategy when your users work from home with his Personal or Business Laptop.