Specify Computers That Users Can Connect to Through TS Gateway

Applies To: Windows Server 2008

Remote users can connect through TS Gateway to internal network resources in an existing security group or a TS Gateway-managed computer group.

The group can be any of the following:

  • Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.

  • Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group.

Important

If users are connecting to members of a terminal server farm, you must select this option (a TS Gateway-managed computer group). The name of the farm and the name of each member must be specified in the computer group.

  • Any network resource.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To specify computers that users can connect to through TS Gateway

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. With the Resource Authorization Policies folder selected, right-click the TS RAP for which you want to specify a computer group, and then click Properties.

  5. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following:

    • To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the user group location and name, and then click OK. Note that you can select a security group in Local Users and Groups, rather than in Active Directory.

    • To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed computer group dialog box, do one of the following:

      Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.

      Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed computer group dialog box, click the name of the new computer group, and then click OK to close the dialog box.

Important

When you add an internal corporate network computer to the list of TS Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice: once by specifying its computer name and once by specifying its IP address. If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to it through TS Gateway. To ensure that remote users connect to the internal corporate network computers that you intend, we recommend that you do not specify IP addresses for computers that are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.

    • To specify any network resource, click Allow users to connect to any network resource, and then click OK.
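The rules in the two Important notes above can be checked against the entries of a TS Gateway-managed computer group before the group is attached to a TS RAP. The following Python script is an added example, not part of the original documentation or of TS Gateway. It assumes the entries were copied from the Network Resources tab and that names are typed as they appear in the inventory; the inventory, farm definition, host names and function names are constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): intended targets, current IP, and
# whether that IP is static or assigned by DHCP.
INVENTORY = {
    "app01.corp.example": {"ip": "10.0.5.10", "static": True},
    "hr-ws07.corp.example": {"ip": "10.0.8.44", "static": False},
    "ts01.corp.example": {"ip": "10.0.6.21", "static": True},
    "ts02.corp.example": {"ip": "10.0.6.22", "static": True},
}
# Constructed farm definition (assumption): farm name -> member names.
FARMS = {"tsfarm.corp.example": ["ts01.corp.example", "ts02.corp.example"]}


def split_entries(entries):
    """Separate group entries into normalized names and IP addresses."""
    names, ips = set(), set()
    for raw in entries:
        text = raw.strip().lower()
        try:
            ips.add(str(ipaddress.ip_address(text)))
        except ValueError:
            names.add(text)
    return names, ips


def audit_group(entries, inventory=INVENTORY, farms=FARMS):
    """Return sorted (entry, finding) pairs for one computer group."""
    names, ips = split_entries(entries)
    by_ip = {host["ip"]: name for name, host in inventory.items()}
    findings = []
    for ip in ips:
        owner = by_ip.get(ip)
        if owner is None:
            findings.append((ip, "IP not in inventory"))
        elif not inventory[owner]["static"]:
            findings.append((ip, "IP entry for DHCP host " + owner))
        elif owner not in names:
            findings.append((ip, "IP only, name not listed: " + owner))
    for name in names:
        if name in farms:
            # A farm needs its own name plus every member in the group.
            for member in farms[name]:
                if member not in names:
                    findings.append((name, "farm member missing: " + member))
        elif name not in inventory:
            findings.append((name, "name not in inventory"))
    return sorted(findings)
```

An empty result means every IP entry belongs to a static host that is also listed by name, and every listed farm has all of its members in the group.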

Additional references