Q: What are the four common architectures for implementing Remote Desktop Gateway (RDG)?

A: I presented a session at the recent TechEd North America conference titled Extending your Applications into the Cloud with Microsoft Remote Desktop Services. If you missed the conference, you can watch that presentation online.

RDG is the Remote Desktop Services role service used to proxy Internet-based client connections to internal Remote Desktop Session Hosts. While the RDG's job is relatively simple, there's often confusion about where on the network it should be positioned. I explained the four common architectures for implementing RDG in that presentation. I'll give you a summary of them here.

The first architecture requires no DMZ. It puts the RDG in your internal LAN and exposes it to the Internet by opening TCP port 443 from the Internet to the RDG server. While simplest in configuration, this architecture provides the least protection from outside attack.

Moving the RDG into a separate DMZ outside your internal LAN is the basis for the second and third architectures. For the second, the RDG is placed into the DMZ in Workgroup mode. This configuration is also simple to implement, but requires maintaining separate usernames and passwords for incoming Internet clients.

Because maintaining separate passwords creates a hardship for both users and the administrators who manage them, the third architecture adds internal Active Directory (AD) exposure to a domain-joined RDG server in the DMZ. Getting AD into that DMZ isn't easy—it requires opening a large number of network ports to the internal LAN, adding an internal read-only domain controller (DC) into the DMZ, or adding a DC for a separate domain that participates in a forest trust with the internal AD domain. All of these configurations require opening many network ports between the DMZ and the internal LAN, reducing your protection from outside attack.

The fourth and final architecture is the most common, most secure, and is Microsoft's recommended practice. However, it requires purchasing and implementing a reverse proxy such as Microsoft's Threat Management Gateway. In the fourth architecture, the RDG remains in the internal LAN but passes all its traffic through the TMG reverse proxy. That reverse proxy bridges external connections to the internal LAN, providing protection against external attack.