Can't connect using Remote Desktop Gateway

- Workstations run Windows 7 64-Bit SP1
- Server is running Windows Server 2012 R2
- Network is pretty simple, consumer-grade routers on both ends, no advanced firewalls.
- We have a trusted certificate provided by, we created the CSR using IIS.
- This server runs a few different roles, in particular, IIS hosts an internal company website, it runs WSUS, WDS, and RRAS.

We are attempting to set up Remote Desktop Gateway so that a home user can connect to their work PC from home, via the gateway on the server. I've followed the various guides for setting up Remote Desktop Gateway, set up the RAP and CAP, installed the trusted SSL cert.

When I try to connect using the Remote Desktop client, it hangs at "Initiation remote connection"... then fails with the error:

[Screenshot: Remote Desktop Client error]
In the event log on the RD Gateway server, I see this:

[Screenshot: Error in RD Gateway server's event log under "TerminalServices-Gateway" section]
Here are some screenshots of how NPS and RD Gateway are configured:

[Screenshots: NPS Configuration, RD Gateway Configuration]

Make sure that you install the RDP 8.1 client on the Win 7 machines.
Also ensure that you are entering the RD Gateway public FQDN in the RDP connection under the RD Gateway settings.
This FQDN should match the certificate you installed on the RD Gateway server.
Ensure that you can telnet on TCP 443 to the RD Gateway server's public IP.
Frosty555Author Commented:
Latest RDP client is installed. Done.

I am entering the public FQDN for the RD Gateway in the client, it is not the common name of the certificate but it is one of the SANs.

I was able to go to https://<fqdn> and see the IIS start page in a web browser, so that works.

But oddly enough if I attempt to use telnet, it sits and hangs at "Connecting to <fqdn>...". Same thing if I use putty, it sits there and doesn't seem to establish the connection. What could that mean?

--edit-- never mind, telnet DOES work; the response looks weird since the server doesn't really reply to anything I say, unlike an HTTP connection where it responds with an HTTP 400 error, but the behavior I see when I telnet to my RD Gateway is identical to the behavior I see if I telnet into Google.
If you have the RD Gateway server's public name in the certificate as a SAN, it should work.

One more thing:
Please check the RD Gateway console and navigate to the RAP and CAP; these two need to be set up correctly.

Also, if your internal domain name and external DNS name are different, you need to either create an RDP custom property to avoid certificate errors or change the RDS deployment name.
Check the article below.


Frosty555Author Commented:
So I ended up going the "kill a fly with a sledgehammer" approach. I removed all of the Remote Desktop gateway roles from this server, and spun up a brand new virtual machine which would be dedicated to the task. Decided to use Server 2008 R2 because we had a license for it available.

Followed these instructions verbatim:

Made sure to export my trusted SSL certificate + primary key from the old server, and import it into the new server, and then assigned it in RD Gateway. And then made sure to register NPS in Active Directory.

We had a spare public static IP address for our Internet and a spare SAN available on the certificate, so I used that.

Boom. Everything works immediately, with no trouble whatsoever.

I have no idea what was wrong with the main server but I imagine it's something to do with IIS.
With 2012 RDS, Microsoft increased the use of certificates and the flow has changed a little bit.

The general rules to avoid failures with RD Gateway 2012:

- Ensure you use the RDS public FQDN in the RD Gateway settings on client computers, and the certificate should contain that FQDN.
- All hosts you are connecting to through RD Gateway must have a valid RDP certificate with the proper FQDN (the common name of the certificate must match the RD Session Host server FQDN).
- The RDS publishing name on the RD Connection Broker must match the public certificate that is bound to the RD Connection Broker; if there is a mismatch, you should change the RDS deployment name with TP's script as mentioned in the post above, or you need to use an alternate server name for RD Connection Broker publishing to avoid errors.

Please check the social.technet article in the earlier link on the same question.
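The two checks that both answers above rest on, reachability of the gateway on TCP 443 and the client-side FQDN appearing in the gateway's certificate (as the CN or, as in the asker's case, as a DNS SAN), can be verified from a workstation with the following PowerShell. This is an added example, not code from the thread or from Microsoft; 'rdgw.example.com' is a placeholder for the name typed into the RDP client's RD Gateway server setting.

```powershell
# Added example (not from the original thread). Verifies that the RD Gateway
# public FQDN answers on TCP 443 and that the certificate it presents lists
# that FQDN in its Subject CN or in a DNS Subject Alternative Name.
function Test-RdGatewayName {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)          # same check as "telnet <fqdn> 443"
    } catch {
        $client.Dispose()
        return [pscustomobject]@{ Fqdn = $Fqdn; TcpOpen = $false; NameInCert = $false; Trusted = $false; Names = @() }
    }
    # Accept any chain here so the certificate can be read; trust is reported separately.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Fqdn)       # sends SNI, so IIS selects the right binding
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
    # Gather the CN plus every DNS name from the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @(($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # A name matches exactly, or a wildcard entry covers the leftmost label only.
    $match = $names | Where-Object {
        $_ -ieq $Fqdn -or ($_.StartsWith('*.') -and
            $Fqdn -imatch ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
    }
    [pscustomobject]@{
        Fqdn       = $Fqdn
        TcpOpen    = $true
        NameInCert = [bool]$match
        Trusted    = $cert.Verify()          # chain builds to a root trusted on this client
        Names      = $names
    }
}

Test-RdGatewayName -Fqdn 'rdgw.example.com' | Format-List
```

If NameInCert is false, the name the client uses is not in the certificate and the gateway connection will be rejected regardless of the RAP/CAP settings; if Trusted is false, the chain or root is not trusted on that workstation.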
Frosty555Author Commented:
You're probably right that there was some kind of certificate issue, or wrong FQDN used somewhere, it would make sense. It's hard to say what the real problem was.