matt-taylor.tech
← Back to projects

Work · National food brokerage · 2025

Multi-site Remote Desktop Services platform

Windows Server 2022 Remote Desktop Services RD Gateway / Broker / Web Access / Licensing Certify The Web Let's Encrypt + Cloudflare DNS-01 Group Policy PowerShell

Designed, deployed, and documented a multi-site Remote Desktop Services platform serving roughly 850 users across the company's office estate. It gives remote and branch users a consistent published-desktop and application experience, hosts a line-of-business accounting application, and is fully written up so it can be operated and recovered from documentation.

Architecture

  • Split-role deployment (primary site). The RDS roles (Gateway, Connection Broker, Web Access, and Licensing) run with the gateway isolated in a DMZ and session hosts on the internal network, including a dedicated session host for the accounting line-of-business application separate from the general-purpose host.
  • Single-server deployment (regional site). A consolidated deployment where the roles and session host are co-located on one server, right-sized for the smaller regional user base.
  • Dual client access. Users connect through either the native Remote Desktop client or the HTML5 web client.

Security and certificates

  • DMZ isolation. The gateway is the only internet-facing component, isolated from the internal network with a defense-in-depth posture and a minimized attack surface.
  • Connection and resource authorization policies control who can reach the gateway and which internal resources they can then reach.
  • Automated certificate lifecycle. Public TLS is fronted with certificates auto-renewed through Certify The Web using Let's Encrypt with Cloudflare DNS-01 validation, so the gateway and web client certificates rotate without manual intervention.

Operations

  • Group Policy governs the session-host experience (profile handling, printing, storage, and update behavior).
  • Capacity planning is documented per session host, with headroom and scaling options called out.
  • Full runbook-grade documentation covers architecture, gateway and session-host configuration, client setup, user management, and a troubleshooting guide, including the regional single-server variant.

What this demonstrates

  • End-to-end platform ownership from architecture and deployment through certificate automation, capacity planning, and operational documentation.
  • Security-conscious design DMZ isolation, authorization policies, and attack-surface minimization on an internet-facing service.
  • Right-sizing to context a split-role deployment where scale warrants it and a consolidated single-server deployment where it does not.