I have this setup with two servers - RDG and Terminal Server. RDG is in DMZ and Terminal Server is on the corporate network. I opened appropriate ports and things are running mostly OK, except that some users on some days need multiple attempts to connect successfully.
Event ID - 201 | Source - TerminalServices-Gateway
The user "DOMAIN\USER", on client computer "66.x.x.x", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
Now I have performed as much research as I could and everything points out that NPS server needs to be registered, and it is registered. RDG server is both on the domain and added to - RAS and IAS Servers AD group.
I went step further in desperation and allowed all communication between RDG server and domain controllers defeating the purpose of DMZ, but that didn't bring desired outcome.
P.S. Is there official Microsoft documentation on how to set RDS where RDG server is in DMZ? I can't find any articles up to date which specify which ports need to be open for the setup to work.