What is RD Gateway #
Remote Desktop Gateway (RD Gateway) is a Windows Server role that allows secure access to Remote Desktop Services (RDS) and internal resources from external networks. It enhances both security and usability of RDS by encapsulating Remote Desktop Protocol (RDP) traffic inside SSL tunnels.
Key capabilities include:
- Encrypted communications over HTTPS or UDP for secure connectivity.
- RD Web Access, a user-friendly web portal where authenticated users can view and launch their published applications.
- Acting as a proxy, ensuring only authorized users gain access to internal resources.
How RD Gateway works #
When a client initiates a connection, it must first establish a secure SSL channel with the RD Gateway. The RD Gateway validates the user’s credentials, enforces authorization policies, and then establishes the RDP session with backend servers hosting the internal resources.
To do this, RD Gateway creates two SSL tunnels (inbound and outbound). Once established, it sets up data channels over HTTPS or UDP depending on the transport selected, maintaining both security and performance.
Why High Availability is needed #
A single RD Gateway server introduces a single point of failure. If it goes down, external users lose access to all published desktops and applications.
To prevent this, RD Gateways should be deployed in a load-balanced, high availability architecture. This ensures:
- Resiliency – traffic is automatically redirected if one gateway fails.
- Scalability – multiple gateways can handle larger user loads.
- Business continuity – external users maintain uninterrupted access.
Configuring RD Gateway Load Balancing with RELIANOID #
RELIANOID can be deployed in multiple environments (hardware, virtual, bare metal, cloud, or containers). Once installed, you can configure a Virtual Service for RD Gateway as follows:
Step 1 – Create a Virtual Interface #
- Navigate to Network | Virtual Interface | Create Virtual Interface.
- Assign a new virtual IP (VIP) dedicated to RD Gateway traffic.
Step 2 – Create a Local Service Farm #
- Go to LSLB | Farms | Create Farm.
- Select L4xNAT type and assign it to the newly created virtual interface.
- Name the farm, e.g. RDGatewayVS.
- Enable ALL protocols to support both HTTPS and UDP traffic.
Step 3 – Configure Advanced Settings #
- Choose a load balancing algorithm (Least Connections, Priority, or Weight-based).
- Enable client persistence by source IP to keep sessions stable.
- Configure health checks (recommended every 30 seconds). Example, using the check_http plugin, where -S probes over HTTPS, -H sets the Host header (replace HOST with the RD Gateway server name), -u sets the request path, -t is the connection timeout, and -w / -c are the warning and critical response-time thresholds in seconds:
check_http -S -H HOST -u /RDWeb/Pages -t10 -c 10 -w 10
- Add all RD Gateway server IP addresses as backends.
Step 4 – DNS / Server Name Considerations #
When deploying RD Gateway or RDS in high availability:
- Ensure the RD Gateway Server Name (as configured in the RDS Deployment) resolves to the Virtual IP (VIP) of the RELIANOID load balancer.
- If clients attempt to resolve the server name directly to a specific backend instead of the VIP, they may experience connection freezes or session interruptions during the RDP handshake.
This step is critical to guarantee smooth client connectivity.
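As an added pre-flight check (example code written for this article, not a RELIANOID or Microsoft tool), the following Python script verifies the two conditions Steps 3 and 4 depend on: that the RD Gateway server name resolves to the VIP and never to an individual backend, and that each backend answers the same HTTPS probe the check_http health check uses. The server name, VIP and backend addresses are assumed inputs you supply; the probe verifies the backend's certificate for the gateway name, as RD clients themselves do.

```python
import http.client
import socket
import ssl
import time

# Values mirrored from the check_http example above
RDWEB_PATH = "/RDWeb/Pages"   # -u /RDWeb/Pages
TIMEOUT_S = 10                # -t10
WARN_S, CRIT_S = 10, 10       # -w 10 -c 10

def classify_resolution(resolved, vip, backends):
    """Return 'ok', 'backend' or 'mismatch' for the addresses a name resolves to.
    'backend' is the Step 4 failure case: the name points straight at one
    RD Gateway host and bypasses the load balancer."""
    resolved, backends = set(resolved), set(backends)
    if resolved & backends:
        return "backend"
    return "ok" if resolved == {vip} else "mismatch"

def check_server_name(name, vip, backends, resolver=socket.gethostbyname_ex):
    """Resolve the RD Gateway server name; `resolver` is injectable for tests."""
    _, _, addrs = resolver(name)
    return classify_resolution(addrs, vip, backends)

def classify_probe(status, elapsed, warn=WARN_S, crit=CRIT_S):
    """Map HTTP status and response time to check_http-style states."""
    if status is None or status >= 400 or elapsed >= crit:
        return "CRITICAL"
    return "WARNING" if elapsed >= warn else "OK"

def probe_backend(backend_ip, server_name, path=RDWEB_PATH, timeout=TIMEOUT_S):
    """GET https://<backend_ip>/RDWeb/Pages with the gateway name as Host and SNI,
    so the backend's certificate for that name is verified as a client would."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        raw = socket.create_connection((backend_ip, 443), timeout=timeout)
        conn = http.client.HTTPSConnection(server_name, timeout=timeout)
        conn.sock = ctx.wrap_socket(raw, server_hostname=server_name)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        status = None
    return classify_probe(status, time.monotonic() - start)
```

Run check_server_name() with your server name, VIP and backend list, then probe_backend() once per backend; a "backend" or CRITICAL result means DNS or the farm is not yet correct.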
Enhancing RD Gateway Security #
Although RD Gateway provides encrypted communications, it does not natively defend against threats such as:
- Denial-of-Service (DoS) attacks
- Malicious bot traffic
- Web scraping attempts
- Brute-force login attempts
To mitigate these risks, RELIANOID provides an IPDS (Intrusion Prevention and Detection System) module that can be enabled on the RD Gateway Virtual Service. This adds an additional layer of security to protect exposed services from network and application-level threats.
Conclusion #
By deploying RD Gateway behind RELIANOID, organizations can achieve:
- High availability – no single point of failure.
- Seamless scalability – handle growing user demands.
- Improved security – protect against modern cyber threats.
With the proper configuration—especially ensuring the server name resolves to the load balancer VIP—your Remote Desktop Services environment will be highly available, resilient, and secure for external users.