This is my first Remote Desktop configuration using Server 2016. Previously, I used a single 2008 R2 terminal server and 2008 R2 gateway server, then published the gateway server through a stand-alone Forefront TMG server in my DMZ. That worked well since it was RDP over HTTPS. I can still do that in Server 2016 if I restrict myself to RDP over HTTPS, but Forefront TMG is discontinued and RDP over UDP won't work through that. So I'm looking at putting the new RD Gateway in the DMZ and that means making AD visible to the DMZ.
I could follow one of three solutions for 2008 R2's RD Gateway: Expose my domain controllers to the RD Gateway in the DMZ, set up a separate domain in the DMZ and establish a forest trust, or provide a read-only domain controller in the DMZ. I haven't uncovered a better solution for Server 2016 yet.
I'm leaning toward building a read-only DC in the DMZ if it comes down to that, but is there a better solution in Server 2016?
My RDS design uses session hosts and not VDI, and there is a single server acting as connection broker and licensing server. There is only a single session host server, but I may need to expose individual desktop PCs because of certain b0rken applications we use, along with some non-domain servers that support RDP for remote administration. I'd like to remove the old 2008 R2 gateway eventually.