This blog is intended for Remote Desktop Gateway (RD Gateway) users who want to turn on certificate revocation checking on the RD Gateway client as a security best practice.
An RD Gateway server is configured with a server authentication certificate that is used for authenticating and securing the communication between the RD Gateway client and the RD Gateway server. To learn more about certificates on RD Gateway, see the blog Introduction to TS Gateway certificates.
To help maintain the integrity of an organization’s public key infrastructure (PKI), the administrator of a certification authority (CA) must revoke a certificate if the subject of the certificate leaves the organization, if the certificate subject’s private key has been compromised, or if some other security-related event dictates that it is no longer desirable to have a certificate considered valid. When a certificate is revoked by a CA, it is added to that CA’s certificate revocation list (CRL). To learn more, see the TechNet article Revoking certificates and publishing CRLs.
By default, the RD Gateway client does not check whether the server authentication certificate installed on the RD Gateway server has been revoked. If you want your RD Gateway clients to check for certificate revocation and to proceed with the connection only when the server certificate is not revoked, run the following command at a command prompt on the RD Gateway client computer (the value lives under HKEY_CURRENT_USER, so it applies to the user who runs it):
reg add "HKCU\Software\Microsoft\Terminal Server Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1
Publishing and maintaining the CRL is an integral part of the public key infrastructure (PKI) and is external to RD Gateway. Do not enable certificate revocation checking on RD Gateway clients until you have confirmed that your infrastructure supports it: if the client cannot retrieve the CRL for the server certificate, the check fails and even a basic connection to an end resource through the RD Gateway server will not work. This is why certificate revocation checking is disabled by default on the RD Gateway client, and why the recommendation is to turn it on as a security best practice only after verifying that the CRL distribution point in the server certificate is reachable from the Internet, that is, from wherever the RD Gateway clients actually connect.
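The following PowerShell script is an added example, not code from the original post or from Microsoft. It performs the pre-flight check the paragraph above asks for before flipping the registry value: it fetches the certificate the gateway presents during the TLS handshake, reads the CRL distribution point (CDP) extension, tests that each HTTP CRL URL is downloadable from this client, and only then writes CheckForRevocation=1 to the same key the reg add command targets. The gateway name rdgw.contoso.com and port 443 are placeholders for this illustration, not values taken from the post.

```powershell
# Added example: pre-flight the CRL check before enabling CheckForRevocation
# on an RD Gateway client. Run on the client, as the user who will connect.
# Assumption (hypothetical): the gateway is reachable as rdgw.contoso.com:443.
param(
    [string]$GatewayFqdn = 'rdgw.contoso.com',
    [int]$Port = 443
)

# Same key and value the "reg add" command in the post writes.
$RegPath = 'HKCU:\Software\Microsoft\Terminal Server Gateway\Transports\Rpc'

# 1. Retrieve the server authentication certificate from the TLS handshake.
function Get-GatewayCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only want to inspect it, not trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# 2. Pull the CRL URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
#    Format() renders the extension as text with "URL=<uri>" entries.
function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# 3. A CRL is usable only if this client can actually download it.
function Test-CrlUrl {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0)
    } catch {
        return $false
    }
}

$cert = Get-GatewayCertificate -HostName $GatewayFqdn -Port $Port
Write-Host "Gateway certificate: $($cert.Subject) (valid until $($cert.NotAfter))"

# Only HTTP(S) CDPs matter for an Internet-facing client; LDAP CDPs are not reachable from outside.
$urls = @(Get-CrlUrls -Cert $cert | Where-Object { $_ -match '^https?://' })
if ($urls.Count -eq 0) {
    throw 'Certificate carries no HTTP CRL distribution point; revocation checking would always fail.'
}

$allOk = $true
foreach ($u in $urls) {
    $ok = Test-CrlUrl -Url $u
    Write-Host ('{0,-5} {1}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $u)
    if (-not $ok) { $allOk = $false }
}

if (-not $allOk) {
    throw 'At least one CRL is unreachable from this client; leaving CheckForRevocation unchanged.'
}

# 4. All CRLs downloadable: enable revocation checking and show the stored value.
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name CheckForRevocation -Value 1 -Type DWord
Get-ItemProperty -Path $RegPath -Name CheckForRevocation | Select-Object CheckForRevocation
```

Run the script from the network location the clients will really use (for example a home connection, not the corporate LAN), because an internal-only CDP will pass the test from inside and fail from outside. The check covers the gateway certificate itself; the chain-building done by Windows also fetches the CRLs of the issuing CAs, so a full end-to-end verification is to export the certificate and run certutil -verify -urlfetch against the file, which exercises every CDP in the chain the same way the client will.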