Add support for RDS Gateways #29

Open
BusiPlay opened this issue Nov 18, 2019 · 5 comments
Labels
enhancement New feature or request

Comments

@BusiPlay

Currently, the IAP Plugin only allows direct connection through IAP directly to a Host. We would like to configure a Connection Broker, and have the client connect to the broker via RDS Gateway. Configuration would need to specify that gateway connection should use IAP.

@jpassing
Collaborator

If I understand correctly, the idea would be to combine IAP and RDGW:

[ Client ] --> [ IAP ] --> [ RD Gateway ] --> [ RD Connection Broker or regular VM ]

And presumably, the plugin should pick up the Gateway settings of the RDCMan configuration to establish this connection?

Is this what you have in mind? If yes, I'll have a look.

@BusiPlay
Author

Yes, that's exactly right. Thank you!

@taoszhanna

Yes. We would like to see this as well.

@taoszhanna

I would think this would be running multiple RDS gateways in a MIG behind an ILB. Then fronting the ILB/GCLB with IAP.

@jpassing
Collaborator

Thanks for following up on this. There are 2 challenges with RD GW-over-IAP which so far have kept me from implementing support for RD GWs:

  1. IAP TCP forwarding only works for individual VMs, not for ILBs. This might change in the future, but at least for now it means that you'd only be able to create a tunnel to an individual RD GW, but not to an RD GW farm.
  2. By default, the RDP control refuses connections to an RD GW if the common name of the gateway's RDP certificate does not match the server name used to establish the connection. The issue here is that when you establish a connection via IAP, then the server name is always 127.0.0.1 -- which is almost certainly different than the gateway's name. I'd have to do more research to see if this can be worked around.

How severe of a limitation do you think (1) is?

If you have additional context that you'd like to discuss privately, it might be good to file a Support request.

@jpassing jpassing added the enhancement New feature or request label May 13, 2021
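
A simplified model of the certificate name check described in challenge (2), as an added example that is not part of the original thread or the project's code. It is not the RDP control's actual implementation; the host names and certificate contents are constructed, and the matching rules (DNS names with a left-most wildcard, IP literals matched only against IP entries) are an assumption modelled on common TLS name checking.

```python
import ipaddress

# Constructed sample: the names a gateway certificate might carry (hypothetical hosts).
GATEWAY_CERT = {
    "common_name": "rdgw.example.internal",
    "dns_names": ["rdgw.example.internal", "*.rdgw.example.internal"],
    "ip_addresses": [],  # gateway certificates rarely list IP addresses
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def name_matches(cert, server_name):
    """Return True if server_name is covered by the certificate's names."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only match an IP entry, never a DNS name or wildcard.
        return any(ipaddress.ip_address(a) == ip for a in cert["ip_addresses"])
    # Fall back to the common name only when no DNS names are listed.
    names = cert["dns_names"] or [cert["common_name"]]
    return any(_dns_match(n, server_name) for n in names)


def compare_endpoints(cert, tunnel_endpoint, gateway_name):
    """Check the name the client dials through the tunnel against the real name."""
    return {
        "via_tunnel": name_matches(cert, tunnel_endpoint),
        "via_gateway_name": name_matches(cert, gateway_name),
    }


if __name__ == "__main__":
    # Through an IAP tunnel the client dials the local listener, not the gateway name.
    print(compare_endpoints(GATEWAY_CERT, "127.0.0.1", "rdgw.example.internal"))
```

The loopback address fails the check because the client validates the name it dialled, not the name of the host at the far end of the tunnel.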