Home Lab Secrets: Building the Killer Home Lab Part 4 (Deploying a Remote Desktop Gateway)


In Part 3 of this series we deployed a PKI infrastructure within our lab. In Part 4 we will be adding remote connectivity capabilities within our lab using Remote Desktop Services. The specific feature we are going to set up for use within our lab is the Remote Desktop Gateway service. This service securely encapsulates the RDP protocol in HTTPS on port 443/TCP, which allows you to traverse firewalls that do not allow direct RDP (3389/TCP) traffic to your home lab.

There are many different ways to deploy Remote Desktop Services. The deployment type you select will be based upon your requirements. There are 2 methods for deploying Remote Desktop Services. The first method is the Remote Desktop Services Role deployment. This method deploys RDS as a server role, similar to deploying a Web Server. The second method is the Remote Desktop Services Installation deployment. This method provides many customized deployments, which include Virtual Machine-Based or Session-Based deployments across a single server or multiple servers. To save time and reduce complexity for our home lab, we will be using the Remote Desktop Services Role deployment method to deploy our Remote Desktop Gateway. Let’s get started!!!

In the previous article we deployed a Web Server (KHL-Web) which was used as the Web CRL Distribution Point for our PKI deployment. This server was configured to allow certificates that were issued from the KHL Certificate Authority (KHL-CA) to be checked for revocation. Although internal clients can reach the CRL Distribution Point via UNC (\\khl-ca.it.dmgva.com\CertEnroll) or HTTP (http://khl-ca.it.dmgva.com/CertEnroll/), external clients will be denied since we do not have an external Endpoint created on our Azure VM for port 80/TCP. While we are at it we will also create the Endpoint for our Remote Desktop Gateway, which will be on port 443/TCP. Following the steps below, let’s create the Azure Endpoints that will allow port 80/TCP and 443/TCP traffic:

Creating Endpoints

1.  Log into the portal by accessing the URL listed below:

https://manage.windowsazure.com

2.  In the Left-Pane click on VIRTUAL MACHINES then in the Right-Pane click on KHL-WEB.

3.  Under khl-web click on ENDPOINTS.

4.  On the Bottom-Bar click ADD.

5.  At the Add an endpoint to a virtual machine window click the Arrow to proceed.

[Screenshot: EndPoint1]

6.  At the Specify the details of the endpoint screen use the NAME pull-down menu and select HTTP, then click the Check Box to complete.

[Screenshot: EndPoint2]

Note: While the port is being added, adding further ports is disabled. This process should take about 20-30 seconds.

7.  On the Bottom-Bar click ADD.

8.  At the Add an endpoint to a virtual machine window click the Arrow to proceed.

9.  At the Specify the details of the endpoint screen use the NAME pull-down menu and select HTTPS, then click the Check Box to complete.
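The same two endpoints can be created from the classic Azure PowerShell module instead of the portal. The script below is an added example, not part of the original post; it assumes the cloud service carrying the VM is also named KHL-WEB (the page only shows the FQDN KHL-WEB.cloudapp.net), that the classic `Azure` module is installed, and that `$homeIp` is the public address of the network you administer from. Port 80 has to stay open to everyone because any client that validates a KHL-CA certificate needs the CRL, but the gateway port only needs to be reachable from where you actually connect, so an endpoint ACL limits 443/TCP to that address.

```powershell
# Added example: create the HTTP and HTTPS endpoints on the classic (ASM) KHL-WEB VM.
Import-Module Azure
Add-AzureAccount                                              # interactive sign-in
Select-AzureSubscription -SubscriptionName "Pay-As-You-Go"    # assumed subscription name

$serviceName = "KHL-WEB"        # assumption: cloud service name equals the VM name
$vmName      = "KHL-WEB"
$homeIp      = "203.0.113.10"   # placeholder (TEST-NET-3); replace with your own public IP

# Endpoint ACL: permit the admin network on the gateway port; anything not permitted is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "$homeIp/32" -Order 1 `
    -Description "home-lab admin network" -ACL $acl

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
$vm | Add-AzureEndpoint -Name "HTTP"  -Protocol tcp -LocalPort 80  -PublicPort 80 |
      Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 -ACL $acl |
      Update-AzureVM

# Verify what is now exposed: HTTP, HTTPS and the RDP management endpoint the portal created.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort
```

If the portal-created RDP endpoint (public port 3389, or the random port Azure picked) is still present after the gateway works, it can be removed with `Remove-AzureEndpoint`; once the gateway is in place it is the only inbound RDP path you need.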

Installing Remote Desktop Services Binaries

Now that we have our Endpoints created, let’s head back over to our VM and deploy Remote Desktop Services following the steps below:

1.  Log into the portal by accessing the URL listed below:

https://manage.windowsazure.com

2.  In the Left-Pane click on VIRTUAL MACHINES then in the Right-Pane click on KHL-WEB.

3.  Under khl-web click on DASHBOARD then on the Bottom-Bar click CONNECT.

4.  At the File Save pop-up click Save then Open.

5.  At the Remote Desktop Connection pop-up select Don’t ask me again for connections to this computer then click Connect.

6.  At the Windows Security pop-up enter the following Credentials then click OK:

         Username: killerhomelab\khl-admin

         Password:   blueberries

7.  From the taskbar click on Server Manager.

8.  Under the Configure this local server section click on Add roles and features.

9.  At the Before you begin screen click Next.

10.  At the Select installation type screen click Next.

11.  At the Select destination server screen click Next.

12.  At the Select server roles screen select Remote Desktop Services then click Next.

13.  At the Select features screen click Next.

14.  At the Remote Desktop Services screen click Next.

15.  At the Select role services screen select Remote Desktop Gateway then click Next. (at the pop-up click Add Features)

16.  At the Network Policy and Access Services screen click Next.

17.  At the Select role services screen click Next.

18.  At the Web Server Role (IIS) screen click Next.

19.  At the Select role services screen click Next.

20.  At the Confirm installation selections screen click Install.

21.  When setup completes click Close.

Configuring Remote Desktop Gateway

Now that we have the binaries installed we will configure our Remote Desktop Gateway Role. This can be done by using the Remote Desktop Gateway Manager with the steps below:

!!!Note: Before configuring the Remote Desktop Gateway make sure KB3172614 has been installed.
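The role installation in the previous section and the KB check in the note above can be done from an elevated PowerShell prompt on KHL-WEB. This is an added example, not from the original post; it assumes Windows Server 2012 R2 or later (where `Install-WindowsFeature`, `Get-HotFix -Id` and `Get-NetTCPConnection` are available) and that the feature names RDS-Gateway, NPAS and Web-Server correspond to the three role pages the wizard walked through.

```powershell
# Added example: install the RD Gateway role service and verify the prerequisites.

# Same selection the wizard makes: RDS-Gateway pulls in NPS and IIS as dependencies.
$result = Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
if (-not $result.Success) { throw "RDS-Gateway installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning "Restart required before configuring the gateway." }

# The three roles the wizard pages covered should all report Installed.
Get-WindowsFeature -Name RDS-Gateway, NPAS, Web-Server |
    Format-Table Name, InstallState -AutoSize

# The note above requires KB3172614 before the gateway is configured.
try {
    Get-HotFix -Id KB3172614 -ErrorAction Stop | Select-Object HotFixID, InstalledOn
} catch {
    Write-Warning "KB3172614 is not installed; install it before configuring the gateway."
}

# The gateway is served by IIS on 443/TCP. Before exposing that port through the Azure
# endpoint, confirm which process owns it on this server (expected: System, i.e. http.sys).
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```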

1.  In the Left-Pane click on VIRTUAL MACHINES then in the Right-Pane click on KHL-WEB.

2.  From the taskbar click on Server Manager.

3.  From within Server Manager click on Tools and select Terminal Services | Remote Desktop Gateway Manager.

4.  In the Left-Pane right-click KHL-WEB (Local) and select Properties.

5.  Click on the SSL Certificate tab, select Select an existing certificate from the RD Gateway KHL-WEB Certificates (Local Computer)/Personal Store, then click on the Import Certificate button.

[Screenshot: RDGateway1]

6.  At the Import Certificate pop-up select rdpweb.killerhomelab.com then click Import, OK.

[Screenshot: rdpwebcertimport1]

7.  In the Left-Pane expand KHL-WEB (Local) and right-click on Policies and select Create New Authorization Policies.

8.  At the Create Authorization Policies for RD Gateway screen click Next.

9.  At the Create an RD CAP screen enter KHL RD CAP then click Next.

10.  At the Select Requirements screen make sure Password is selected and also select Smartcard.

11.  Under the User Group membership (required): section click the Add Group button.

!!!Note: If you receive a Microsoft Management Console error

12.  At the Select Groups pop-up enter Domain Users then click Check Names.

13.  Once resolved (Underlined) click OK then click Next.

14.  At the Enable or Disable Device Redirection screen click Next.

15.  At the Set Session Timeouts screen click Next.

16.  At the RD CAP Settings Summary screen click Next.

17.  At the Create an RD RAP screen enter KHL RD RAP then click Next.

18.  At the Select User Groups screen confirm that KILLERHOMELAB\Domain Users is added under the User group membership (required): section then click Next.

19.  At the Select Network Resources screen select Allow users to connect to any network resource (computer) then click Next.

20.  At the Select Allowed Ports screen select Allow connections to any port then click Next.

21.  At the RD RAP Settings Summary screen click Finish, then Close.
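Once the wizard has finished, it is worth reading the configuration back rather than trusting the summary screens, because the RAP created above allows any network resource on any port, which is the setting an auditor will ask about first. The script below is an added example, not from the original post. It assumes it runs on KHL-WEB, that the RD Gateway WMI classes live in `root\cimv2\TerminalServices`, that a RAP created with "Allow users to connect to any network resource" stores `ALL` in `ResourceGroupType` and "Allow connections to any port" stores `*` in `PortNumbers`, and that the policy names are the ones used above.

```powershell
# Added example: audit the RD Gateway certificate binding and the CAP/RAP scope.
$ns = 'root\cimv2\TerminalServices'

# 1. Which certificate is bound, and is it the rdpweb certificate issued by KHL-CA?
$gw   = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayServerSettings
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $gw.CertHash }
if (-not $cert) {
    Write-Warning "Gateway CertHash '$($gw.CertHash)' was not found in LocalMachine\My"
} else {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        IssuedByLabCA = $cert.Issuer -like '*KHL-CA*'
    } | Format-List
}

# 2. Connection authorization policies: who may authenticate to the gateway, and how.
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy |
    Select-Object Name, Enabled, PasswordAllowed, SmartcardAllowed, UserGroupNames |
    Format-Table -AutoSize

# 3. Resource authorization policies: what those users may reach once authenticated.
#    'ALL' / '*' are the assumed stored values for "any network resource" / "any port".
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy |
    ForEach-Object {
        $anyHost = ($_.ResourceGroupType -eq 'ALL')
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            Users     = $_.UserGroupNames
            Resources = if ($anyHost) { 'ANY computer' } else { "$($_.ResourceGroupType): $($_.ResourceGroupName)" }
            Ports     = $_.PortNumbers
            Overbroad = $anyHost -and ($_.PortNumbers -eq '*')
        }
    } | Format-Table -AutoSize
```

In a lab, `Overbroad = True` for KHL RD RAP is the expected result of the choices made above. Tightening it later means replacing "any network resource" with an Active Directory computer group containing only the hosts that should be reachable, and "any port" with 3389, which the same two WMI classes will then reflect.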

Now that we have deployed our RD Gateway it’s time to test. For our test we can use any Windows based computer. Although RD Gateway is supported on multiple Operating Systems and Platforms, the procedures below assume a Windows OS will be used.

Configuring Name Resolution

In order to test on our workstation, we will need to have name resolution to our Public IP assigned to our KHL-WEB Azure VM. I actually have killerhomelab.com registered however for the purpose of keeping this a true “Home Lab Series” I will provide the process necessary to use Host File manipulation to provide name resolution.

To determine the IP address we need to point to, we will ping the Azure FQDN, which will be in the following format:

KHL-WEB.cloudapp.net

In my case the IP assigned was 13.72.188.172. The FQDNs that we used for our Web Server Certificate issued in Part 3 will need to resolve to this IP. These FQDNs are:

rdpweb.it.dmgva.com (Remote Desktop Gateway Server)

khl-ca.it.dmgva.com (Certificate Distribution Point)

!!!Note: If you have your domain registered, simply create 2 A records for “rdpweb” and “khl-ca” with your name registrar using the Public IP for your Azure VM that you obtained above, and skip the “Host File Modification” section below. If you already completed Part 3 these records should already be created.

Host File Modification

Now that we have our FQDNs and the Public IP Address of our Azure VM, we will need to add entries to our hosts file following the steps below:

1.  Open an Elevated Command Prompt.

2.  From the command prompt enter the following:

Notepad C:\Windows\System32\drivers\etc\hosts

3.  Scroll down to the very bottom of the hosts file, enter the following using your own Public IP, then save and close the file:

13.72.188.172 rdpweb.it.dmgva.com

13.72.188.172 khl-ca.it.dmgva.com

Our last step before testing our RD Gateway is trusting the Certificate Authority that issued our certificate. This is done by importing the KHL-CA certificate into the Trusted Root Certification Authorities local store on the client that we are connecting from. This can be done by following the steps below:

1.  Open Internet Explorer and enter the following URL:

http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

2.  At the File Download click Open.

3.  At the Certificate window click on Install Certificate.

4.  At the Welcome to the Certificate Import Wizard screen click Next.

5.  At the Certificate Store screen select Place all certificates in the following store then click Browse.

6.  Select Trusted Root Certification Authorities then click OK, then Next.

7.  At the Completing the Certificate Import Wizard screen click Finish.

8.  At the Security Warning click Yes.

9.  At the Certificate Import Wizard pop-up click OK.
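Both client-side preparation steps, the hosts-file entries and the root CA import, can be scripted from an elevated PowerShell prompt on the test workstation. The script below is an added example, not from the original post. It uses the public IP, FQDNs and download URL from this page; `$expectedThumbprint` is a placeholder for the thumbprint you read directly off KHL-CA (the .crt download travels over plain HTTP, so checking the fingerprint against a value obtained out of band is what makes the import trustworthy), and the certificate goes into the machine-wide Trusted Root store so every user on the workstation benefits.

```powershell
# Added example: hosts-file entries plus verified import of the KHL-CA root certificate.
$publicIp = '13.72.188.172'
$names    = 'rdpweb.it.dmgva.com', 'khl-ca.it.dmgva.com'
$hosts    = "$env:SystemRoot\System32\drivers\etc\hosts"
$expectedThumbprint = 'REPLACE-WITH-THUMBPRINT-READ-ON-KHL-CA'   # placeholder

# --- Hosts file: back up, then append only the lines that are missing ---
Copy-Item $hosts "$hosts.bak" -Force
$existing = Get-Content $hosts
foreach ($n in $names) {
    $line = "$publicIp $n"
    if ($existing -notcontains $line) { Add-Content -Path $hosts -Value $line }
}
Clear-DnsClientCache

# Verify through the system resolver, which honours the hosts file (a raw DNS query would not).
foreach ($n in $names) {
    $resolved = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $publicIp) { throw "$n resolved to '$resolved', expected $publicIp" }
    "$n -> $($resolved -join ', ')"
}

# --- Root CA: download, check fingerprint and self-signature, then import ---
$url = 'http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt'
$crt = Join-Path $env:TEMP 'KHL-CA.crt'
Invoke-WebRequest -Uri $url -OutFile $crt -UseBasicParsing

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $crt
if ($ca.Thumbprint -ne $expectedThumbprint) {
    throw "Downloaded CA thumbprint $($ca.Thumbprint) does not match the expected value; not importing."
}
# A root CA certificate is self-signed; refuse to trust anything else as a root.
if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed certificate: $($ca.Subject)" }

Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter
```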

Now we are ready to test our RDP connection!!! From your test workstation let’s open the Remote Desktop Client and follow the steps below:

1.  Open your Remote Desktop Client then under Computer enter khl-dc then click on Show Options.

[Screenshot: RDP1]

2.  Click on the Advanced tab then under the Connect from anywhere section click on Settings.

[Screenshot: RDP2]

3.  Under Connection settings select Use these RD Gateway server settings.

4.  Under Server name: enter rdpweb.it.dmgva.com

5.  Under Logon Settings select Use my RD Gateway credentials for the remote computer, click OK, then click Connect!

[Screenshot: rdpgateway1]

6.  At the Enter your Credentials pop-up enter the following then click OK:

Username:         killerhomelab\khl-admin

Password:           blueberries

!!!Note: If you get the message below, your Certificate is not added to the correct Local Certificate Store.

[Screenshot: rdpgatewaynotrust]

7.  At the Remote Desktop Connection certificate warning select Don’t ask me again for connections to this computer then click Yes.

[Screenshot: RDPCertWarning]

You have now deployed your first Remote Desktop Gateway Server!!! If you noticed, we were actually able to connect using the NetBIOS name of our Domain Controller (KHL-DC). This is because our connection from the outside world connects on port 443/TCP to our RD Gateway Server, and the RD Gateway then tunnels to the computer we are trying to connect to on port 3389/TCP.

Let’s test out our VPN. Since we have a VPN between our Azure VMs and our On-Premise VMs, our RD Gateway Server should also be able to tunnel traffic to our On-Premise servers. Using the steps below, let’s try and connect to our On-Premise Domain Controller.

1.  Open your Remote Desktop Client then under Computer enter op-dc then click on Show Options.

2.  Click on the Advanced tab then under the Connect from anywhere section click on Settings.

3.  Under Connection settings select Use these RD Gateway server settings.

4.  Under Server name: enter rdpweb.it.dmgva.com

5.  Under Logon Settings select Use my RD Gateway credentials for the remote computer, click OK, then click Connect!

6.  At the Enter your Credentials pop-up enter the following then click OK:

Username:         killerhomelab\khl-admin

Password:           blueberries

7.  At the Remote Desktop Connection certificate warning select Don’t ask me again for connections to this computer then click Yes.
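The two connection tests above (khl-dc in Azure, then op-dc across the VPN) differ only in the target name, so they can be driven by one script. The example below is added here and is not from the original post. Before it launches mstsc it checks, from the client side, exactly what a gateway user is trusting: that 443/TCP on rdpweb.it.dmgva.com is reachable through the Azure endpoint, that the certificate presented chains to a root the workstation trusts (the KHL-CA import from the previous section), and that the name on it matches. It then writes an .rdp file with the gateway settings chosen in the Remote Desktop Client above. The .rdp keys and values used (gatewayhostname, gatewayusagemethod 1 for "always use the gateway", gatewayprofileusagemethod 1 for "use these explicit settings", promptcredentialonce 1 for "use my RD Gateway credentials for the remote computer", authentication level 2 for "warn on certificate problems") are assumed from the documented mstsc file format; the host names are from this page.

```powershell
# Added example: client-side trust check for the RD Gateway, then the two page tests via mstsc.
function Test-RdGatewayTls {
    param([string]$Gateway = 'rdpweb.it.dmgva.com', [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Gateway, $Port)   # throws if the endpoint or its ACL blocks this client
        # Default SslStream validation: chain must build to a trusted root and the name must match.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        $ssl.AuthenticateAsClient($Gateway)   # throws on an untrusted or mismatched certificate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Gateway    = $Gateway
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $tcp.Close()
    }
}

function New-RdGatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [string]$Gateway = 'rdpweb.it.dmgva.com',
        [string]$Path = (Join-Path $env:TEMP "$Computer-via-gateway.rdp")
    )
    @(
        "full address:s:$Computer"
        "gatewayhostname:s:$Gateway"
        "gatewayusagemethod:i:1"          # always use the gateway (assumed value)
        "gatewayprofileusagemethod:i:1"   # use these explicit gateway settings (assumed value)
        "promptcredentialonce:i:1"        # reuse the gateway credentials for the remote computer
        "authentication level:i:2"        # warn on remote computer certificate problems (assumed value)
    ) | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

# Fail fast on trust: if this throws, the KHL-CA root is not in the client's trusted store yet.
Test-RdGatewayTls | Format-List

# The two tests from this page: the Azure DC by NetBIOS name, then the on-premises DC over the VPN.
foreach ($target in 'khl-dc', 'op-dc') {
    $rdp = New-RdGatewayRdpFile -Computer $target
    Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
}
```

The TLS check reproduces, in a few lines, the decision the Remote Desktop Client makes silently: `AuthenticateAsClient` uses the same machine trust store the client does, so a failure here is the same condition as the "rdpgatewaynotrust" message shown above, and succeeding here before opening mstsc separates a trust problem from a credential or policy problem.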

Congratulations!!! You have now deployed Remote Desktop Services within your lab that can be used to connect not only to Azure VMs but also to your On-Premise VMs!!! This completes Part 4 of the Killer Home Lab Series. In Part 5 we will be adding Email Services within our lab using Exchange 2016. Have fun with the lab!!!
