Remote Desktop Gateway (RD Gateway) lets authorized users connect to internal network resources — such as other Windows VMs, desktop PCs, or application servers — over the internet using encrypted RDP tunnels without exposing individual machines directly. Setting up RD Gateway on your Windows VPS provides a secure, audited entry point for remote access that centralizes authentication and firewall management.
If you are evaluating Windows VPS options to host RD Gateway, compare Windows VPS plans with attention to network throughput and inbound traffic allowances — both critical for gateway performance.
Prerequisites
- Windows VPS running Windows Server 2019, 2022, or 2025 (Standard or Datacenter edition)
- Static public IP address assigned to the VPS
- An SSL certificate (self-signed for testing, trusted CA for production)
- Active Directory domain (optional — RD Gateway works with local accounts too)
- Port 443 (HTTPS) open on the firewall for RD Gateway connections
Step 1: Install the Remote Desktop Services Role
Add the RD Gateway role using either PowerShell or the Server Manager GUI.
PowerShell method (run as Administrator):
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
GUI method:
- Open Server Manager → Manage → Add Roles and Features
- Select Remote Desktop Services → Remote Desktop Gateway
- Include management tools and complete the installation
The installation takes 5–10 minutes and adds the RD Gateway Manager console to your Administrative Tools.
Step 2: Obtain and Install an SSL Certificate
RD Gateway requires an SSL certificate bound to port 443. The certificate Common Name (CN) must match the gateway’s public hostname (e.g., gateway.yourdomain.com).
Option A — Let’s Encrypt (free, recommended):
# Using Win-ACME
wacs.exe --run --accepttos --installation memory --webroot C:\inetpub\wwwroot
Option B — Self-signed for testing:
New-SelfSignedCertificate -DnsName "gateway.yourdomain.com" -CertStoreLocation "Cert:\LocalMachine\My"
After installing the certificate, take note of its thumbprint — you will need it for the RD Gateway policy configuration.
Step 3: Configure RD Gateway Policies
RD Gateway uses two types of policies: connection authorization policies (RD CAP) that control who can connect, and resource authorization policies (RD RAP) that control which internal machines users can reach.
Configure RD CAP
- Open RD Gateway Manager
- Right-click the server name → Properties
- Go to the RD CAP tab → Create New Policy
- Name the policy (e.g., Allow Domain Users CAP)
- Under User Groups, add the groups or individual users allowed to connect (e.g., DOMAIN\Remote Desktop Users)
- Under Device Groups, choose Allow connections from any device (or restrict to specific groups)
- Enable Password authentication and optionally Smart card authentication
Configure RD RAP
- In the same Properties dialog, go to the RD RAP tab → Create New Policy
- Select Allow connections to any network resource (for general access) or Allow connections to specific network resources (to restrict to certain IPs or hostnames)
- Define the computer groups or IP ranges that users can access through the gateway
- Set port numbers: keep 3389 as default (RDP) unless you are using custom ports
Important security note: Restrict RD RAP to specific network resources in production environments. An RD RAP set to "any network resource" essentially grants VPN-like access through the gateway.
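The restriction recommended in the security note can also be applied and audited from PowerShell through the RDS: provider drive of the RemoteDesktopServices module. This is an added example, not part of the original guide; the policy name, group name, user group and target hostnames are placeholders, and the item names should be confirmed with Get-ChildItem on your own gateway.

```powershell
# Added example (not from the original guide). Run on the RD Gateway server
# in an elevated PowerShell session.
Import-Module RemoteDesktopServices

# Placeholder values: replace with your own names.
$rapName   = 'Restricted RAP'
$groupName = 'Gateway-Allowed-Hosts'
$userGroup = 'Remote Desktop Users@DOMAIN'    # RDS provider format: group@domain
$targets   = 'app01.corp.example', 'app02.corp.example'

# 1. Gateway-managed computer group containing only the permitted targets.
$groups = 'RDS:\GatewayServer\GatewayManagedComputerGroups'
New-Item -Path $groups -Name $groupName `
    -Description 'Hosts reachable through RD Gateway' -Computers $targets[0]
foreach ($t in ($targets | Select-Object -Skip 1)) {
    New-Item -Path "$groups\$groupName\Computers" -Name $t
}

# 2. RAP tied to that group.
#    ComputerGroupType: 0 = gateway-managed group, 1 = AD security group,
#    2 = any network resource.
New-Item -Path RDS:\GatewayServer\RAP -Name $rapName `
    -UserGroups $userGroup -ComputerGroupType 0 -ComputerGroup $groupName

# 3. Audit: list every RAP and flag those that allow any network resource.
Get-ChildItem RDS:\GatewayServer\RAP | ForEach-Object {
    $base = "RDS:\GatewayServer\RAP\$($_.Name)"
    $type = (Get-Item "$base\ComputerGroupType").CurrentValue
    [pscustomobject]@{
        Policy      = $_.Name
        Enabled     = (Get-Item "$base\Status").CurrentValue -eq 1
        Ports       = (Get-Item "$base\PortNumbers").CurrentValue
        AnyResource = ($type -eq 2)   # True = VPN-like reach through the gateway
    }
} | Format-Table -AutoSize
```

Any enabled policy reported with AnyResource = True should be replaced by a group-scoped policy before the gateway is exposed to production traffic.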
Step 4: Associate the SSL Certificate with RD Gateway
In RD Gateway Manager, right-click your server → Properties → SSL Certificate tab. Select Import an existing certificate and choose the certificate you installed in Step 2. The gateway binds this certificate to port 443 for encrypted client connections.
Verify the binding with:
netsh http show sslcert | findstr "443"
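To confirm that the certificate RD Gateway is configured to use is the one intended, and that it will not produce the certificate warning described in the troubleshooting table, the following added example (not part of the original guide) reads the configured thumbprint from the RDS: provider and checks the matching certificate in the machine store. It assumes the gateway.yourdomain.com hostname used in this guide.

```powershell
# Added example (not from the original guide). Run on the RD Gateway server
# in an elevated PowerShell session.
Import-Module RemoteDesktopServices

$gatewayHost = 'gateway.yourdomain.com'   # public hostname clients connect to

# Thumbprint currently configured in RD Gateway.
$thumb = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue

# Locate the certificate with that thumbprint in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "RD Gateway references thumbprint $thumb, which is not in Cert:\LocalMachine\My"
}

# Chain and name validation against the SSL policy (returns $true/$false).
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $gatewayHost `
    -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    Subject         = $cert.Subject
    # Exact match only; a wildcard certificate will show False here.
    NameMatches     = $cert.DnsNameList.Unicode -contains $gatewayHost
    SelfSigned      = $cert.Subject -eq $cert.Issuer
    HasPrivateKey   = $cert.HasPrivateKey
    DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    TrustedForSSL   = [bool]$trusted
} | Format-List
```

A production gateway should show SelfSigned = False, HasPrivateKey = True, TrustedForSSL = True and a comfortable DaysUntilExpiry margin.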
Step 5: Configure the Windows Firewall
RD Gateway uses HTTPS (port 443) for client connections and UDP 3391 for transport. Open these ports on the Windows Firewall:
New-NetFirewallRule -DisplayName "RD Gateway HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName "RD Gateway UDP" -Direction Inbound -Protocol UDP -LocalPort 3391 -Action Allow
Also ensure the Remote Desktop Services (RD Gateway) inbound rule is enabled in Windows Firewall with Advanced Security.
Step 6: Configure the Internal Network Resource Access
If the internal RDP targets are on the same VPS, you can use localhost or 127.0.0.1 as the target. For remote machines on different subnets:
- Ensure the target machines have RDP enabled (System Properties → Remote → Allow remote connections)
- Add the RD Gateway server’s IP to the target machine’s firewall allow list for port 3389
- If using Active Directory, ensure the target machines are domain-joined and the user has appropriate remote access permissions
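The firewall step above can be scripted on each target machine. This added example (not part of the original guide) creates an inbound rule that admits RDP only from the gateway, then lists every enabled inbound allow rule covering port 3389 so rules that still accept any source address stand out. The gateway address and rule name are placeholders.

```powershell
# Added example (not from the original guide). Run on each internal RDP
# target in an elevated PowerShell session.

$gatewayIp = '192.0.2.10'   # placeholder: the RD Gateway server's address

# Allow RDP only from the gateway.
New-NetFirewallRule -DisplayName 'RDP from RD Gateway only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $gatewayIp -Action Allow

# Report every enabled inbound allow rule that covers TCP/UDP 3389 and
# show which source addresses it accepts.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389'
    } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = $remote -join ', '
            OpenToAny     = ($remote -contains 'Any')
        }
    } | Format-Table -AutoSize
```

Rules listed with OpenToAny = True, typically the built-in Remote Desktop rules, still admit RDP from sources other than the gateway and should be scoped or disabled once the gateway path is confirmed working.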
Step 7: Test the RD Gateway Connection
From a client machine (Windows 10/11):
- Open Remote Desktop Connection (mstsc.exe)
- Click Show Options → Advanced → Settings
- Under RD Gateway Server Settings, select Use these RD Gateway server settings
- Enter the gateway hostname (e.g., gateway.yourdomain.com)
- Under Logon method, select Ask for password (NTLM)
- Go back to the General tab and enter the target machine’s internal IP or hostname
- Click Connect
If the connection succeeds, you have a fully functional RD Gateway. If it fails, check the RD Gateway Manager → Monitoring tab for connection failure reasons.
Troubleshooting Common RD Gateway Issues
| Issue | Likely Cause | Fix |
|---|---|---|
| Connection times out | Port 443 blocked on firewall | Verify inbound rule for TCP 443 exists and is enabled |
| Certificate warning | Self-signed or expired certificate | Install a trusted CA certificate or update the existing one |
| Access Denied | RD CAP/RAP policies not configured | Check both RD CAP and RD RAP — both must match the user |
| Target machine unreachable | Network routing or firewall on target | Ensure target allows RDP from gateway IP on port 3389 |
| SSL error 0x80090302 | Certificate not bound to port 443 | Re-import the certificate in RD Gateway Manager properties |
Performance and Scalability Considerations for RD Gateway on a VPS
RD Gateway performance depends on your VPS resources. Approximate capacity observed with different configurations:
| VPS Spec | Max Concurrent Connections | Notes |
|---|---|---|
| 1 vCPU, 1 GB RAM | 5–10 | Adequate for personal or small team use |
| 2 vCPU, 2 GB RAM | 15–25 | Good for a department or SMB |
| 4 vCPU, 4 GB RAM | 30–50 | Sufficient for most organizations |
| 8 vCPU, 8+ GB RAM | 100+ | Enterprise gateway with high throughput |
For team deployments, choose a Windows VPS with at least 2 vCPUs and 2 GB RAM to ensure smooth concurrent connections. Visit the Windows VPS comparison page to find plans with sufficient network bandwidth for gateway traffic.



