RDP over SSL to RDP gateway and disabling UDP


Solution 1

I'm not sure if it's different on an Azure VM, but you don't technically need RDP Gateway services to use TLS (SSL) with RDP. The native RDP service will run over TLS just fine all by itself as long as you configure it that way. And if the question is more along the lines of connecting on port 443, you can just change the listening port from 3389 to 443.

Here's How

So the easiest way to configure and enforce most of these settings is obviously with group policy. Within the Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security section, you have the following policies:

  • Set client connection encryption level (set this to "High Level")
  • Require use of specific security layer for remote (RDP) connections (set this to "SSL (TLS 1.0)")
  • Require user authentication for remote connections by using Network Level Authentication (this one is not technically related to SSL, but is still a good idea if your clients support it)

These settings correspond to the following host level GUI settings that were available in Remote Desktop Session Host Configuration in 2008 R2 but gone in 2012 and beyond.

RDP-TCP Properties dialog

If you want to manually set these options without group policy on a 2012+ host, the easiest way is via PowerShell and WMI. The Win32_TSGeneralSetting class has SetEncryptionLevel, SetSecurityLayer, and SetUserAuthenticationRequired methods that can be used like this:

$rdp = gwmi "Win32_TSGeneralSetting" -namespace "root\cimv2\terminalservices" -Filter "TerminalName='RDP-tcp'"
$rdp.SetEncryptionLevel(3); $rdp.SetSecurityLayer(2); $rdp.SetUserAuthenticationRequired(1)  # 3 = High, 2 = SSL/TLS, 1 = NLA required

Unfortunately, there's no GUI or elegant WMI method to set the listening port. It's just a manual registry change and a manual restart of the TermService service. You'll also need to add a rule to the firewall if you're using that. You could technically use Group Policy Preferences to keep the value set, but it's not a true group policy.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 443
netsh advfirewall firewall add rule name="RDP Alternate Port" protocol=TCP dir=in localport=443 action=allow
Restart-Service -Name TermService -Force

I'm out of time for now, but I may try to come back for additional explanation on the actual certs.
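An added audit script (not part of the answer above) that reads the live RDP-Tcp listener settings the answer configures and reports which ones still deviate from the recommended values; the expected port of 443 is an assumption matching the example above.

```powershell
# Audit the RDP-Tcp listener against the hardened values from the answer above.
# Run in an elevated PowerShell on the 2012+ host. Added example, not the answer's code.

$expected = @{
    SecurityLayer              = 2   # 2 = SSL/TLS required (0 = RDP, 1 = Negotiate)
    MinEncryptionLevel         = 3   # 3 = High (1 = Low, 2 = Client Compatible, 4 = FIPS)
    UserAuthenticationRequired = 1   # 1 = Network Level Authentication required
}
$expectedPort = 443                  # assumption: the alternate port chosen above

$rdp = Get-CimInstance -Namespace 'root/cimv2/terminalservices' `
       -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $regPath -Name PortNumber).PortNumber

# One row per WMI setting, comparing the live value with the expected one
$findings = @(foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Actual   = $rdp.$name
        Expected = $expected[$name]
        OK       = ($rdp.$name -eq $expected[$name])
    }
})
$findings += [pscustomobject]@{
    Setting = 'PortNumber'; Actual = $port; Expected = $expectedPort; OK = ($port -eq $expectedPort)
}

$findings | Format-Table -AutoSize

# The certificate bound to the listener: the default self-signed certificate still gives
# clients a trust warning even though the transport itself is TLS.
"Listener certificate thumbprint: $($rdp.SSLCertificateSHA1Hash)"

if ($findings.OK -contains $false) {
    Write-Warning 'RDP listener is not fully hardened'
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled compliance check, and the thumbprint line shows whether a CA-issued certificate has actually replaced the default one.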

Solution 2

Yes, you specify your RD Gateway in the MSTSC client. And set the Computer name as the name of the gateway server.

As long as your RD gateway policies allow it you will connect to the RD Gateway server.

Yes you can disable the UDP transport. This is used as part of the multimedia and other enhancements in RD 2012. Rest assured though that the UDP traffic is still secured via DTLS.



Updated on September 18, 2022


  • georgiosd
    georgiosd almost 2 years

    I want to connect to an Azure VM (Windows 2012 R2) over SSL which AFAIK is possible with the RDP gateway service. However, this is normally used to connect to other local network machines instead of the gateway itself.

    Is it possible to RDP into the gateway itself over SSL? If so, what do I specify in the RDP settings to connect?

    Also, can I disable the UDP connections that the gateway uses? What's lost in that case?


  • georgiosd
    georgiosd about 9 years
    Thanks! If you can give some more specific guidance on how to configure (and enforce?) TLS for RDP, I can accept the answer as awesome :)