RDS: The RD Gateway server must have at least one RD CAP enabled
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System: Windows Server 2008 R2, Windows Server 2012
Product/Feature: Remote Desktop Services
Severity: Error
Category: Configuration
Issue
The Remote Desktop Gateway (RD Gateway) server does not have a Remote Desktop connection authorization policy (RD CAP) enabled.
Impact
If the RD Gateway server does not have an RD CAP enabled, users cannot connect to internal network resources (computers) by using the RD Gateway server.
Resolution
Use the RD Gateway Manager tool to enable an RD CAP to specify which users can use the RD Gateway server to connect to internal network resources (computers).
Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to network resources by using an RD Gateway server.
Use the following to ensure that an RD CAP exists and is enabled:
Verify an RD CAP exists
Create an RD CAP
Enable an RD CAP
Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.
To verify an RD CAP exists
1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.
2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. In the results pane, in the list of Connection Authorization Policies, verify that RD CAPs exist.
   - If no RD CAPs are listed, see the section "To create an RD CAP" to create new RD CAPs.
   - If RD CAPs are listed and none are enabled, see the section "To enable an RD CAP" to enable an existing RD CAP.
To create an RD CAP
1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.
2. In the console tree, expand the node that represents the RD Gateway server, which is named for the computer on which the RD Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. Right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.
5. On the General tab, in the Policy name box, enter a name, and then verify that the Enable this policy check box is selected.
6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:
   - Password
   - Smart card
   When both of these options are selected, clients that use either authentication method are allowed to connect.
7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect by using the RD Gateway server. You must specify at least one user group.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
   - Type the name of each user group, separating the name of each group with a semicolon.
   - Add additional groups from different domains by repeating this step for each group.
9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups.
   To specify the computer groups, you can use the same steps that you used to specify user groups in step 8.
10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
   - To permit all client devices to be redirected when connecting by using the RD Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
   - To disable device redirection for only certain device types when connecting by using the RD Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
   Important: Select Only allow client connections to terminal servers that enforce RD Gateway device redirection to enforce secure client device redirection at the remote desktop server.
11. Click OK.
The new local RD CAP that you created appears in the RD Gateway Manager results pane. When you click the name of the RD CAP, the policy details appear in the lower pane.
To enable an RD CAP
1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.
2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. In the results pane, in the list of RD CAPs, right-click the RD CAP that you want to enable, and then click Enable.
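The three GUI procedures above (verify, create, enable) can also be scripted, which is useful when the BPA finding has to be checked or remediated on several RD Gateway servers. The following PowerShell is an added example, not part of the BPA topic and not Microsoft's own script: it reproduces the rule's condition (at least one RD CAP exists and is enabled) and offers the two fixes the topic describes. It assumes the RemoteDesktopServices provider exposes each policy as RDS:\GatewayServer\CAP\<PolicyName> with Status (1 = enabled) and AuthMethod (1 = password, 2 = smart card, 3 = either) items read through .CurrentValue, and that New-Item on the CAP container accepts -UserGroups and -AuthMethod; confirm those paths with Get-ChildItem on your own gateway before relying on them. The group name in the usage block is a placeholder.

```powershell
# Added example (not from the BPA topic): check for and remediate a missing or
# disabled RD CAP with the RemoteDesktopServices PowerShell provider (RDS: drive).
# Assumed (not stated on the page): the CAP path, the Status/AuthMethod items,
# the .CurrentValue property, and the New-Item parameters used below.
# Run in an elevated session on the RD Gateway server (local Administrators,
# as the topic requires). Written for PowerShell 2.0 so it also runs on 2008 R2.

Import-Module RemoteDesktopServices

$CapRoot = 'RDS:\GatewayServer\CAP'

function Get-RdCapSummary {
    # One object per RD CAP with the fields the BPA rule and the GUI steps care about.
    Get-ChildItem -Path $CapRoot | ForEach-Object {
        $p = Join-Path $CapRoot $_.Name
        $groups = @(Get-ChildItem -Path "$p\UserGroups" -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name)
        New-Object PSObject -Property @{
            Name       = $_.Name
            Enabled    = ((Get-Item -Path "$p\Status").CurrentValue -eq 1)
            AuthMethod = [int](Get-Item -Path "$p\AuthMethod").CurrentValue
            UserGroups = ($groups -join ';')
        }
    }
}

function Test-RdCapEnabled {
    # The BPA condition: at least one RD CAP exists AND is enabled.
    $caps = @(Get-RdCapSummary)
    if ($caps.Count -eq 0) {
        Write-Warning 'No RD CAPs exist; see "To create an RD CAP".'
        return $false
    }
    if (-not @($caps | Where-Object { $_.Enabled })) {
        Write-Warning 'RD CAPs exist but none is enabled; see "To enable an RD CAP".'
        return $false
    }
    return $true
}

function Enable-RdCap {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Equivalent of right-click > Enable on the policy in RD Gateway Manager.
    Set-Item -Path (Join-Path $CapRoot "$Name\Status") -Value 1
}

function New-RdCap {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        # Groups in the provider's 'Group@Domain' form; at least one is required,
        # mirroring step 7 of the GUI procedure.
        [Parameter(Mandatory=$true)][string[]]$UserGroups,
        # 1 = password, 2 = smart card, 3 = either (assumed encoding).
        [ValidateSet(1, 2, 3)][int]$AuthMethod = 1
    )
    New-Item -Path $CapRoot -Name $Name -UserGroups $UserGroups -AuthMethod $AuthMethod | Out-Null
    Enable-RdCap -Name $Name   # the GUI's "Enable this policy" box is checked by default
}

# Usage: report the current policies, then apply one of the two fixes if needed.
Get-RdCapSummary | Format-Table Name, Enabled, AuthMethod, UserGroups -AutoSize
if (-not (Test-RdCapEnabled)) {
    # Either enable a policy that already exists ...
    # Enable-RdCap -Name 'ExistingPolicyName'
    # ... or create one. 'RDGatewayUsers@CONTOSO' is a placeholder group name.
    # New-RdCap -Name 'RDG-Users-CAP' -UserGroups 'RDGatewayUsers@CONTOSO' -AuthMethod 1
}
```

The remediation calls are left commented so the script is read-only until an administrator chooses which fix applies; Test-RdCapEnabled alone is enough to confirm that the BPA finding has been cleared after the change.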
Additional references
- Best Practices Analyzer for Remote Desktop Services: Configuration
- Best Practices Analyzer for Remote Desktop Services