I am evaluating Remote Desktop Services with 2012 R2 and initially I had all the roles on 1 server for testing. I began thinking it would be a better setup to split the RD Gateway role and the RD Web Access role into different servers for security purposes. This way I could expose only the RD Gateway to the internet and the Web Access role would not be exposed. In all my reading and searching it seems that nearly every article I come upon has both RD Gateway and Web Access installed on the same system.
What is the ideal setup from a security standpoint: to have these two roles separate, or does it not matter? If it does not matter then I will set up 1 server with Gateway and Web Access, and I will then have other servers for licensing, broker, session host, and virtualization host once I move this into production.
If these roles are on the same system how do I know if the gateway role is doing anything? Is the FQDN\rdweb the correct URL to use even when the gateway is implemented?
If they are separate how do I tell the gateway and web access servers to use each other?
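As an added illustration (not part of the question above, and not an answer posted on this page), the following PowerShell shows how a 2012 R2 RDS deployment is pointed at a gateway that lives on a different server from Web Access, and how to read the resulting setting back. The hostnames gw.corp.example, web.corp.example and cb.corp.example and the collection name "Desktops" are assumptions for the example; it uses the RemoteDesktop module cmdlets and runs from the connection broker. The gateway is a deployment-wide setting stored on the broker, which is why Web Access and the gateway do not have to know about each other directly: Web Access reads the deployment configuration and embeds the gateway FQDN in the RDP files it hands out.

```powershell
# Added example: wire a separate RD Gateway into an existing RDS deployment.
# Assumed hostnames (not from the question): cb.corp.example (broker, already
# holds the deployment), gw.corp.example (gateway, internet-facing),
# web.corp.example (Web Access, internal only).
Import-Module RemoteDesktop

$broker  = 'cb.corp.example'
$gateway = 'gw.corp.example'
$webAcc  = 'web.corp.example'

# Add the two roles on their own servers. Both are registered with the broker,
# which is what ties them into one deployment.
Add-RDServer -Server $webAcc  -Role RDS-WEB-ACCESS -ConnectionBroker $broker
Add-RDServer -Server $gateway -Role RDS-GATEWAY    -ConnectionBroker $broker `
             -GatewayExternalFqdn $gateway

# Tell the deployment to route client sessions through the gateway.
# GatewayMode Custom forces the named gateway; BypassLocal $false means even
# clients that can reach a session host directly still go via the gateway,
# which is the setting you want if only the gateway is exposed.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $gateway `
    -LogonMethod Password `
    -UseCachedCredentials $true `
    -BypassLocal $false `
    -ConnectionBroker $broker

# Check what the deployment will advertise. This is the quickest way to see
# whether the gateway is in play: GatewayMode should be Custom (or Automatic)
# and GatewayExternalFqdn should name the gateway, not the Web Access host.
$cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker
"GatewayMode: {0}  ExternalFqdn: {1}  BypassLocal: {2}" -f `
    $cfg.GatewayMode, $cfg.GatewayExternalFqdn, $cfg.BypassLocal

# Optional: confirm the per-collection RDP properties do not override the
# gateway with something else (an assumed collection name "Desktops").
(Get-RDSessionCollectionConfiguration -CollectionName 'Desktops' `
    -ConnectionBroker $broker).CustomRdpProperty
```

A practical end-to-end check is to download an RDP file from the Web Access page and open it in a text editor: with the gateway configured it contains gatewayhostname:s:gw.corp.example and gatewayusagemethod:i:1, and a client connection then shows up in the gateway's RD Gateway Manager monitoring view rather than as a direct session to the session host. The Web Access URL stays https://<web access host>/rdweb regardless of where the gateway is; only the internal address users browse to, not the gateway, is referenced there.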