Configuring RemoteApp for external users, how does RDS Gateway work

rds remote-desktop-services remoteapp windows-server-2012-r2

I feel I must be just missing something obvious here. I have a working RDS deployment with two RDSH hosts. It's not perfectly architected, but this came from a PoC and will be re-engineered in a few months so I'm not worried about that. We have three systems – the RDS Gateway, one RDSH box, and another RDSH box (which is the original one) which also has RDWeb/Broker/Licensing on it. It's probably easiest to just ignore the second RDSH box in this equation so I'm going to do that.

What I'm trying to do right now is to make the RemoteApp software available off-net, so that users don't have to VPN in to access applications. I had been working under the premise that RDS Gateway was the piece in this puzzle, but it seems clear now (especially now that I have RDS Gateway configured) that users don't connect to it directly.

We're not distributing .rdp files or giving users RDP access to other systems. I only want to publish applications to them. I'm given to understand that I should be using RDS Gateway for authentication here, but I'm really unclear on what the architecture is supposed to look like. It makes sense to me that I could just open 443 direct to the Internet and then folks could just log in without SSO. If that's the case, and I'm only publishing RemoteApp software, do I need the gateway at all? I'm totally fine with deploying it if I need it, but I just don't understand where it fits in and how to make it work the right way.

Best Answer

So, I think I understand now, I've got the setup working. I see now that RDWeb is basically just a launcher platform, but the connections are actually going through the Gateway. Once the .RDP has been downloaded from RDWeb, the web server isn't involved anymore.
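The .rdp file that RDWeb hands out is what tells the client to tunnel through the Gateway, so the behaviour described in the answer can be checked from the file alone. The following is an added example, not code from the original post: it parses the standard `name:type:value` .rdp settings and flags a file that would open a full desktop or could bypass the gateway. The sample file, host names and application alias are constructed placeholders.

```python
# Added example: audit a RemoteApp .rdp file for RD Gateway routing.
# SAMPLE_RDP is constructed; the host names and app alias are placeholders.
SAMPLE_RDP = """\
full address:s:rdsh01.corp.example
remoteapplicationmode:i:1
remoteapplicationprogram:s:||LineOfBusinessApp
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
"""

# Meanings of the gatewayusagemethod values.
GATEWAY_USAGE = {
    0: "never use RD Gateway",
    1: "always use RD Gateway",
    2: "use RD Gateway only if a direct connection fails",
    3: "use the client's default RD Gateway settings",
    4: "never use RD Gateway (bypass for local addresses)",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines; type 'i' is an integer, 's' a string."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        name, sep, rest = line.strip().partition(":")
        kind, sep2, value = rest.partition(":")  # value may itself contain ':'
        if not (sep and sep2):
            continue  # blank or malformed line
        if kind == "i" and value.isdecimal():
            value = int(value)
        settings[name.lower()] = value
    return settings

def audit(settings):
    """Return findings; an empty list means RemoteApp only, always via
    the gateway, which is the working setup the answer describes."""
    findings = []
    if settings.get("remoteapplicationmode") != 1:
        findings.append("not a RemoteApp session: a full desktop would open")
    if not settings.get("gatewayhostname"):
        findings.append("no gatewayhostname: client connects to 'full address'")
    usage = settings.get("gatewayusagemethod")
    if usage != 1:
        meaning = GATEWAY_USAGE.get(usage, "not set or unknown value")
        findings.append("gatewayusagemethod=%s: %s" % (usage, meaning))
    return findings

if __name__ == "__main__":
    result = audit(parse_rdp(SAMPLE_RDP))
    print("\n".join(result) if result else "OK: RemoteApp routed via gateway")
```

With usage method 1 and a gateway host set, the only listener that has to face the Internet is the Gateway's HTTPS port; the session hosts named in `full address` stay internal.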