RDS: The RD CAP stored on the server running NPS must be configured correctly to support RD Gateway

  • Article

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2, Windows Server 2012

Product/Feature

Remote Desktop Services

Severity

Error

Category

Configuration

Issue

The Remote Desktop connection authorization policy (RD CAP) that is stored on the server running Network Policy Server (NPS) is not configured correctly to support connections through the Remote Desktop Gateway (RD Gateway) server.

Impact

If the RD CAP stored on the server running NPS is not configured correctly, users will be unable to connect to internal network resources (computers) through the RD Gateway server.

Resolution

Use the Network Policy Server tool to ensure that the RD CAP stored on the server running NPS is configured correctly to support connections through the RD Gateway server.

To enhance security, you can configure RD Gateway servers and clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. By using NAP, you can enforce health requirements on clients that connect to the RD Gateway server, which can include firewalls being enabled, security update requirements, and other required computer configurations.

By using NAP, you can help ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources by using RD Gateway servers. Implementing NAP stores the Connection Authorization Policies on central Network Policy Servers. Clients who request access to the RD Gateway servers are granted or denied access based on the centrally stored policies. The following policies are created on the central Network Policy Servers:

  • Connection request policy: Connection request policies are an ordered set of rules that allow the NPS service to determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server. When you are configuring the server running NPS to perform NAP health determination and enforcement, NPS is acting as a RADIUS server. The RD Gateway server is the RADIUS client.

  • Network policies: Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. During the authorization process, NAP performs client health checks.

  • Health policies: Health policies allow you to define client configuration requirements for the NAP-capable computers that attempt to connect to internal network resources through the RD Gateway server.

Membership in the local Administrators group, or equivalent, on the RD Gateway server and the Network Policy Server, that you plan to configure, is the minimum required to complete this procedure.

To ensure that the correct central server running Network Policy Server (NPS) is specified

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Central Network Policy Servers.

  4. On the Action menu, click Configure Central RD CAP.

  5. On the RD CAP Store tab, under Central server running NPS, verify the correct server running NPS is listed. If the correct server running NPS is listed, proceed to the “To verify NAP policies on the server running NPS” section later in this topic. If the correct server running NPS is not listed, click the name of the server running NPS, click Remove Server Running NPS, and then click Yes.

  6. Type the name or IP address of the correct central NPS server, and then click Add.

  7. In the Shared Secret dialog box, in the Enter a new shared secret: box, type the shared secret.

  8. Click OK to close the Shared Secret dialog box, and then click OK to close the RD Gateway server Properties dialog box.

    The new central RD CAP store (central Network Policy Server) that you specified appears in the RD Gateway Manager results pane.

To verify NAP policies on the server running NPS

  1. Open the Network Policy Server snap-in console on the Network Policy Server. To open the Network Policy Server snap-in console, click Start, point to Administrative Tools, and then click Network Policy Server.

  2. In the console tree, expand Policies.

  3. In the console tree, click Connection Request Policies.

  4. In the results pane, in the list of Connection Request Policies, right-click the policy name that you want to check, and then click Properties.

  5. On the Conditions tab, verify NAS Port Type is configured with one of the following options:

    • Not Selected

    • Selected using Virtual (VPN)

  6. On the Settings tab, Under Required Authentication Methods, click Authentication Methods and verify Allow clients to connect without negotiating an authentication method is not selected.

  7. Click OK to close the authorization policy properties page.

  8. In the console tree, click Network Policies.

  9. In the results pane, in the list of Network Policies, click the following policies and verify User Groups are configured, and Called Station ID is set to either SC, PW or CA for each policy:

    • Network Policy Name Compliant, where Network Policy Name is the name of the policy you have selected

    • Network Policy Name NonCompliant, where Network Policy Name is the name of the policy you have selected

    • Network Policy Name Non NAP-Capable, where Network Policy Name is the name of the policy you have selected

  10. In the console tree, click Health Policies.

  11. In the results pane, in the list of Health Policies, right-click the policy name that you want to check, and then click Properties.

    After verifying the options for the following health policies, click OK to close the health policy properties sheet:

    • Health Policy Name Compliant: Client SHV checks: is set to Client passes all SHV checks, where Health Policy Name is the name of the policy you have selected

    • Health Policy Name NonCompliant: Client SHV checks: is set to Client fails one or more SHV checks, where Health Policy Name is the name of the policy you have selected

Additional references

See Also

Concepts

Best Practices Analyzer for Remote Desktop Services: Configuration
Best Practices Analyzer for Remote Desktop Services