Can't connect using Remote Desktop Gateway

Posted on 2014-08-12
Last Modified: 2014-08-18
- Workstations run Windows 7 64-Bit SP1
- Server is running Windows Server 2012 R2
- Network is pretty simple, consumer-grade routers on both ends, no advanced firewalls.
- We have a trusted certificate provided by, we created the CSR using IIS.
- This server runs a few different roles, in particular, IIS hosts an internal company website, it runs WSUS, WDS, and RRAS.

We are attempting to set up Remote Desktop Gateway so that a home user can connect to their work PC from home, via the gateway on the server. I've followed the various guides for setting up Remote Desktop Gateway, set up the RAP and CAP, installed the trusted SSL cert.

When I try to connect using the Remote Desktop client, it hangs at "Initiating remote connection..." then fails with the error:

[screenshot: Remote Desktop Client error]
In the event log on the RD Gateway server, I see this:

[screenshot: error in the RD Gateway server's event log, under the "TerminalServices-Gateway" section]
Here are some screenshots of how NPS and RD Gateway are configured:

[screenshots: NPS Configuration, NPS Configuration, RD Gateway Configuration]
Question by:Frosty555

    Expert Comment

    Make sure that you install the RDP 8.1 client on the Win 7 machines.
    Also ensure that you are entering the RD Gateway public FQDN in the RDP connection under the RD Gateway settings.
    This FQDN should match the certificate you installed on the RD Gateway server.
    Ensure that you can telnet on TCP 443 to the RD Gateway server's public IP.
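    A way to run the checks above from the Windows 7 client in one go, as an added example that is not part of the original thread (PowerShell 2.0 and the default .NET assemblies are enough; no modules needed). The gateway name is an assumed placeholder. The script prints the mstsc.exe version, resolves the name, connects to TCP 443, completes a TLS handshake while accepting any certificate, then reports the certificate the gateway actually served: its thumbprint, its CN and SAN DNS names, whether the typed FQDN matches one of them (single-label wildcards included), whether it has expired, and whether the client's own trust store validates the chain.

```powershell
# Added diagnostic, not code from the original thread. Run on the Win 7 client.
# The FQDN below is an assumed placeholder: put your gateway's public name
# there, exactly as typed into the RDP client's gateway settings.
param([string]$GatewayFqdn = "rdgateway.example.com", [int]$Port = 443)

function Get-SanDnsNames($Cert) {
    # OID 2.5.29.17 = Subject Alternative Name. Format($true) prints one entry
    # per line as "DNS Name=host" on an English locale; other locales differ.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $names = @()
    if ($ext) {
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match "DNS Name=(\S+)") { $names += $matches[1] }
        }
    }
    return $names
}

function Test-CertNameMatch([string]$Name, [string]$Fqdn) {
    # Exact match, or a single-label wildcard such as *.example.com
    if ($Name -ieq $Fqdn) { return $true }
    if ($Name.StartsWith("*.")) {
        $dot = $Fqdn.IndexOf(".")
        return ($dot -gt 0) -and ($Fqdn.Substring($dot + 1) -ieq $Name.Substring(2))
    }
    return $false
}

function Test-RdGatewayTls([string]$Fqdn, [int]$Port) {
    $r = @{ Resolved = @(); TcpOk = $false; Thumbprint = $null; Names = @();
            NameOk = $false; ChainOk = $false; Expired = $false }

    # 1. DNS and TCP 443: what the telnet test proves, with a clear verdict
    try {
        $r.Resolved = @([System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.ToString() })
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Fqdn, $Port)
        $r.TcpOk = $true
    } catch { return $r }

    # 2. TLS handshake. Accept whatever certificate is offered so it can be
    #    inspected; trust is evaluated separately in step 4.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch { return $r } finally { $ssl.Dispose(); $tcp.Close() }

    # 3. Does the name the client types appear as the CN or as a SAN entry?
    $r.Thumbprint = $cert.Thumbprint
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $r.Names = @($cn) + (Get-SanDnsNames $cert)
    $r.NameOk = [bool]($r.Names | Where-Object { Test-CertNameMatch $_ $Fqdn })
    $r.Expired = (Get-Date) -gt $cert.NotAfter

    # 4. Does this client trust the chain? Revocation is skipped so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r.ChainOk = $chain.Build($cert)
    return $r
}

# 0. Client version: the RDP 8.1 update for Win 7 ships mstsc.exe 6.3.x
$mstsc = (Get-Item "$env:windir\System32\mstsc.exe").VersionInfo.ProductVersion
"mstsc.exe version  : {0}  (6.3.x = RDP 8.1 client)" -f $mstsc

$res = Test-RdGatewayTls $GatewayFqdn $Port
"{0} resolves to    : {1}" -f $GatewayFqdn, ($res.Resolved -join ", ")
"TCP {0} reachable  : {1}" -f $Port, $res.TcpOk
"Certificate served : {0}" -f $res.Thumbprint
"Names in cert      : {0}" -f ($res.Names -join ", ")
"FQDN matches cert  : {0}" -f $res.NameOk
"Chain trusted      : {0}" -f $res.ChainOk
"Expired            : {0}" -f $res.Expired
```

    The certificate reported is whatever is bound to port 443 on that IP, which on a server where IIS shares the port is not automatically the one selected in RD Gateway Manager; if the thumbprint printed here differs from the one shown under RD Gateway Manager > Properties > SSL Certificate, reconcile that first. A browser accepts a SAN match just as mstsc does, so "the IIS start page loads over https" and "the typed FQDN matches the certificate" are separate questions, and the script answers them separately.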

    Author Comment

    Latest RDP client is installed. Done.

    I am entering the public FQDN for the RD Gateway in the client, it is not the common name of the certificate but it is one of the SANs.

    I was able to go to https://<fqdn> and see the IIS start page in a web browser, so that works.

    But oddly enough if I attempt to use telnet, it sits and hangs at "Connecting to <fqdn>...". Same thing if I use putty, it sits there and doesn't seem to establish the connection. What could that mean?

    --edit-- nevermind, telnet DOES work, the response looks weird since the server doesn't really reply to anything I say, unlike an HTTP connection where it responds with an HTTP 400 error, but the behavior I see when I telnet to my RD gateway is identical to the behavior I see if I telnet into Google.

    Accepted Solution

    If you have the RD Gateway server's public name in the certificate as a SAN, it should work.

    One more thing:
    Please check the RD Gateway console and navigate to RAP and CAP; these two need to be set up correctly.

    Also, if your internal domain name and external DNS name are different, you need to either create an RDP custom property to avoid certificate errors or change the RDS deployment name.
    Check the article below:

    Author Comment

    So I ended up going the "kill a fly with a sledgehammer" approach. I removed all of the Remote Desktop gateway roles from this server, and spun up a brand new virtual machine which would be dedicated to the task. Decided to use Server 2008 R2 because we had a license for it available.

    Followed these instructions verbatim:

    Made sure to export my trusted SSL certificate + primary key from the old server, and import it into the new server, and then assigned it in RD Gateway. And then made sure to register NPS in Active Directory.

    We had a spare public static IP address for our Internet and a spare SAN available on the certificate, so I used that.

    Boom. Everything works immediately, with no trouble whatsoever.

    I have no idea what was wrong with the main server but I imagine it's something to do with IIS.
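    The same migration as PowerShell, as an added example that is not from the original thread: section A exports the certificate together with its private key from the old Server 2012 R2 box; section B imports it on the new dedicated gateway (2008 R2 has no PKI module, so certutil does the import), binds it to RD Gateway through the RDS: provider that the RD Gateway role installs, lists the CAP and RAP, and registers NPS in Active Directory. The gateway name, the file path and the password prompts are assumed placeholders; verify the RDS: paths on your own server with Get-ChildItem RDS:\GatewayServer before relying on them.

```powershell
# Added example, not code from the original thread. Section A runs on the old
# Server 2012 R2 machine, section B on the new dedicated RD Gateway.
# Gateway name, PFX path and password prompts are assumed placeholders.

# ---------- A. Old server (2012 R2: the PKI module is available) ----------
$GatewayFqdn = "rdgateway.example.com"     # assumed: the SAN the client will type
$pfxPath     = "C:\temp\rdgw.pfx"          # assumed path; copy it out of band
$pfxPassword = Read-Host -AsSecureString "Password to protect the PFX"

# Newest cert in the machine store that has a private key and covers the gateway name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   (($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $GatewayFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key covers $GatewayFqdn" }

# Private key plus chain into one PFX. This fails if the key was generated
# non-exportable, in which case a new CSR on the new server is the only route.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported {0}  {1}" -f $cert.Thumbprint, $cert.Subject
# After copying rdgw.pfx to the new server, delete it here: it holds the private key.

# ---------- B. New server (2008 R2: no PKI module, certutil imports the PFX) ----------
$GatewayFqdn = "rdgateway.example.com"     # assumed, must equal the name used in A
$pfxPath     = "C:\temp\rdgw.pfx"
# -importpfx targets LocalMachine\My by default; -f overwrites an existing copy
certutil -f -p (Read-Host "PFX password") -importpfx $pfxPath

# Locate the imported cert by its SAN text (2008 R2 lacks the DnsNameList property)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($GatewayFqdn))
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Import did not produce a certificate covering $GatewayFqdn" }

# Bind it to RD Gateway: the same thing as RD Gateway Manager > Properties > SSL Certificate
Import-Module RemoteDesktopServices        # provides the RDS: drive on 2008 R2 and later
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint
Get-Item  -Path RDS:\GatewayServer\SSLCertificate\Thumbprint

# A CAP (who may connect, how they authenticate) and a RAP (which hosts they may reach)
# must both exist; list what is configured so it can be compared with the old server
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP

# NPS must be registered in AD to read users' dial-in properties and group membership
netsh nps add registeredserver
netsh nps show registeredserver
```

    Section A selects by the DnsNameList property that PowerShell on 2012 R2 adds to certificate objects; section B cannot use it, so it matches the raw SAN extension text instead, which is why the two filters differ.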

    Assisted Solution

    With 2012 RDS, Microsoft increased the use of certificates and the flow is a little bit changed.

    The general rules to avoid failures with RD Gateway 2012:

    - Ensure you use the RDS public FQDN in the RD Gateway settings on client computers, and the certificate should contain that FQDN.
    - All hosts you are connecting to through RD Gateway must have a valid RDP certificate with the proper FQDN (the common name of the certificate must match the RD Session Host server FQDN).
    - The RDS publishing name on the RD Connection Broker must match the public certificate that is bound to the RD Connection Broker; if there is a mismatch, you should change the RDS deployment name with TP's script as mentioned in the above post, or use an alternate server name for the RD Connection Broker publishing to avoid errors.
    Please check the social.technet article in the earlier link on the same question.

    Author Closing Comment

    You're probably right that there was some kind of certificate issue, or wrong FQDN used somewhere, it would make sense. It's hard to say what the real problem was.
