Is an RD Gateway a Must in a Cloud Environment?
Written by Katarina on Jul 31, 2017
Security is one of the most important considerations when moving a client to the cloud. Even today, security is still a topic with many myths and misperceptions. One of these is that the cloud is not as secure as on-premises infrastructure. As we explained in our last blog post about cloud security, the cloud can be more secure than on-premises environments. The key is to eliminate security vulnerabilities by selecting the right partner with world-class infrastructure and security measures. Mix smart vendor choices with best practices like deploying an RD Gateway and you have the perfect combo to ensure a safe cloud desktop experience.
In this article I would like to focus on the number one best practice to make sure your client’s environment maintains the highest security standards: Remote Desktop Gateway.
How does an RD Gateway work?
RD Gateway is a Windows server that adds a layer of security to the cloud environment. It encrypts all traffic to the servers and brings all connections in through port 443 instead of 3389. The reason you don’t want to route your traffic through port 3389 is that it’s open to the world. The port is well known as the one used for Windows Remote Desktop and Remote Assistance connections. Anyone who leaves the port open is courting considerable danger because such environments are vulnerable to attacks.
The Remote Desktop Gateway also acts as a “bouncer” or gatekeeper by making sure users authenticate with it before allowing them to proceed into the domain. The Gateway server has a separate set of policies which dictate who is allowed to access the environment as well as what resources people are allowed to access.
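One way to check for the exposure described above, as an added example that is not part of the original article or any vendor's tooling: it scans firewall rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that let any internet address reach TCP 3389. The sample rules and their names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (rule names and ranges are made up for this example).
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-gateway-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-high-ports", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-rdp-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-all-tcp-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
]
RDP_PORT = 3389

def covers_port(allowed, port):
    """True if one 'allowed' entry permits TCP traffic to `port`."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:               # no port list means every port is allowed
        return True
    for spec in ports:          # entries are single ports or "low-high" ranges
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def is_world_open(cidr):
    """True for ranges that admit any internet address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rdp_exposed_rules(rules):
    """Names of enabled ingress rules that expose RDP to the whole internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(is_world_open(r) for r in rule.get("sourceRanges", [])):
            continue
        if any(covers_port(a, RDP_PORT) for a in rule.get("allowed", [])):
            findings.append(rule["name"])
    return findings

if __name__ == "__main__":
    print(rdp_exposed_rules(SAMPLE_RULES))
```

The rule that opens a port range is flagged even though it never names 3389, which is the case a quick visual review tends to miss.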
What do you need to deploy Remote Desktop Gateway?
You’ll need to purchase an SSL certificate. There are several types of SSL certificates that you can get: Wildcard, Standard or UCC certificates. If you choose the Wildcard certificate, it can be used to protect unlimited* hostnames or first-level subdomains on an entire domain. A Standard SSL certificate will only protect a single hostname, and you will need to know the hostname before purchasing. A UCC (also known as a SAN certificate) is a third option that allows you to protect multiple hostnames or different base domains on a single certificate. These are typically more expensive than both Standard and Wildcard certificates.
The configuration of RD Gateway can be completely automated with itopia and Google to save you time and complications.
Cost vs security
Most of you are probably more than convinced by now that RD Gateway is a must-have. You may be asking, however, what’s the cost? Well, it varies depending on the type of SSL certificate used, your cloud provider and a few other factors. Depending on the vendor, you can get a Standard SSL certificate for around $55 per year, and a Google server for the Gateway would cost you around $50 a month.
Often it’s the client’s budget that really decides whether the Gateway will be included in the solution or not. Especially in the case of small clients, it can be difficult to explain the value of the security measure as they try to push the cost down as much as possible. In this case you can lower the total cost a little more by taking advantage of the server uptime schedules that itopia offers. You could turn off the Gateway server along with the rest of the client’s servers when the users don’t need to access their cloud desktops.
Whether it’s a small client or a big one, it’s crucial that they understand the importance of the security measures and that the right approach can make their IT environment live safely in the cloud.
*based on vendor specifications