Easily configure Remote Desktop Gateway firewall rules

When you install Remote Desktop Gateway which enables RDP to be encapsulated in HTTPS a number of firewall exceptions are required which are enabled automatically. This also means the RDG has a public and private IP address.

There are many other firewall exceptions that are normal for Windows functionality that by default are enabled for the Any profile which when you have a public IP address on a NIC means they are also enabled to the Internet. What you really need is for those exceptions to be bound to the domain profile, i.e. the internal NIC. This is easy to do with PowerShell. Firstly you can list all the exceptions that are enabled for Any.

Get-NetFirewallRule -Enabled True | where {$_.Profile -eq "Any"} | ft name, displayname -AutoSize

This will list a lot of exceptions. Next we want to change them to a profile of Domain except for the two required for RDG, the RDG UDP and HTTPS rules. This can be done with the following:

Get-NetFirewallRule -Enabled True | where {$_.Profile -eq "Any" -and ($_.Name -ne "IIS-WebServerRole-HTTPS-In-TCP" -and $_.Name -ne "TSG-UDP-Transport-In-UDP")} | Set-NetFirewallRule -Profile Domain


Note, you could change the rules to be excluded for other requirements you may have for other types of server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: