Configuring RD Gateway for Azurepack Console connect with public certificate

The RDS Gateway is crucial component for VM Clouds in Azure pack and gives your tenants option to connect to their VMs console. I found many guides how to configure it either with selfsigned certificate or certificates from internal CA.  For production use,  RDS Gateway needs to be published externally with Trusted certificate. Note that for Azurepack console connect we need second certificate from internal CA. Here is my approach.


  • Internal Windows Certificate authority
  • Dedicated server for RDS gateway (or two for HA)
  • Functional VM Cloud infrastructure (Azurepack, VMM, SPF and Hyper-V hosts)
  • Public certificate from trusted Certificate authority (I will use wildcard certificate from Godaddy)
  • Public DNS and public IP pointing to your RDGW server


Design Overview:



RDS Gateway installation

Run following in powershell:

Install-WindowsFeature -Name RDS-Gateway  -IncludeManagementTools

RD Gateway Console Connect Installation

Insert System Center 2012 R2 VMM installation media into RDGW server and install the RD Gateway Console Connect pluggable, here is the path:


Import Public Certificate into RD Gateway Console

Next open the RDS Gateway console. Right click on the server name and select Properties.

In SSL Certificate, import your Public certificate(in my case wildcard certificate from Godaddy)

Internal Certificate Preparation

An internal certificate is needed to establish trust between VMM, RDS Gateway and Hyper-V hosts.

Create Certificate Template:

  • Open the certificate template console, click Manage find Workstation Authentication template and duplicate it.
  • Rename template to WapConsole. And change validity period to 2 years.
  • On Request Handling tab, select Allow private key to be exported.
  • On Cryptography tab, set the minimum key size to 4096. Next in Providers, you have to choose Microsoft Enhanced RSA and AES Cryptographic Provider.
  • In Security tab, be sure that your servers and you can make enrollment. To make things simple, add the group Domain Computers and grant it Read and Enroll rights.
  • Click on apply and close the certificate template console.

In the Certification Authority console, right click on Certificate TemplatesNew and Certificate Template to Issue. Select the WapConsole template and click OK.

Enroll Internal Certificate

  1. On the VMM Server, open a mmc and add the Local Certificate computer console. Navigate to Personal and right click on Certificates. Select All Tasks and Request New Certificate.
  2. On request certificates screen, select WapConsole template that you have just created and click on Click here to configure settings.
  3. In Subject Name, choose Common Name as type. In value I have specified
    In Alternative name, I have added these DNS values: (I have added also as I will install second GW server later)
  4. Click on apply and click on Enroll.

Export Certificate as PFX and CER

Once you enrolled the certificate, we need to Export it as PFX and CER (with and without private key)

Import Certificate to VMM Database and Hyper-V hosts

Run below script on VMM server (make sure all Hyper-V hosts are reachable)

# Path to PFX certificate
$MyPFX = Get-ChildItem „c:\temp\“
# Password of the PFX
$PWD = Read-Host –AsSecureString
# VMM FQDN server name.
$VMM = „“
## Main Code
Set-SCVMMServer -VMMServer $VMM `
-VMConnectHostIdentificationMode FQDN `
-VMConnectGatewayCertificatePath $MyPFX `
-VMConnectGatewayCertificatePassword $PWD `
-VMConnectHyperVCertificatePath $MyPFX `
-VMConnectHyperVCertificatePassword $PWD `
-VMConnectTimeToLiveInMinutes 1

Get-SCVMHost -VMMServer $VMM | Read-SCVMHost

Import internal certificate to RDS Gateway Server (CER)

Copy the CER certificate to RDS Gateway server and import it.

Add Certificate to Trusted Issuer Certificate

On RDS Gateway server, run following script (update your RDGW server name and CER certificate thumbprint):

$Server = “”
$Thumbprint = “9938B72078CE897466EFDSF69F78239FA5D30C6B3”
$Tsdata = Get-WmiObject –computername $Server –NameSpace “root\TSGatewayFedAuth2” –Class “FedauthSettings”
$TSData.TrustedIssuerCertificates = $Thumbprint

IIS Reset on RD Gateway server

Creating Internal DNS zone for

I had to create internal DNS zone for and add record pointing to RDS Gateway internal IP.

Publishing RDGW to the internet

  • Updating public DNS record for, pointing to Public VIP assigned on my firewall
  • Creating FW rules, NAT, allowing 443 from internet to my RDS Gateway server

Azure pack integration with RD Gateway

  • Login to Azure pack admin portal, go to VMM properties and add the Remote Desktop Gateway FQDN, in my case
  • Update your hosting plans and check the box Connect to the console of virtual machines

Once you finish all above, you can start testing your Console connect 🙂



Pridaj komentár

Vaša e-mailová adresa nebude zverejnená. Vyžadované polia sú označené *