Create a TS CAP

  • Article

Applies To: Windows Server 2008

Terminal Services connection authorization policies (TS CAPs) allow you to specify who can connect to a TS Gateway server. This procedure describes how to create a new local TS CAP. Alternatively, you can specify a central TS CAP store. For more information, see Specify a New Central TS CAP Store or Specify an Existing Local or Central TS CAP Store. Centrally stored TS CAPs are stored on Network Policy Servers (NPS servers).

Important

If you have not done so already, you must also create a Terminal Services resource authorization policy (TS RAP). Until you create both a TS CAP and a TS RAP, users cannot connect to network resources through this TS Gateway server.

This procedure describes how to use TS Gateway Manager to create a custom TS CAP. Alternatively, you can use the Authorization Policies Wizard to quickly create a TS CAP and a TS RAP for TS Gateway. For more information, see Use the Authorization Policies Wizard to Create TS CAPs and TS RAPs.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create a TS CAP

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. Right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.

  5. On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.

  6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:

    • Password

    • Smart card

    When both of these options are selected, clients that use either authentication method are allowed to connect. For information about supported Windows authentication methods for TS Gateway, see Understanding Requirements for Connecting to a TS Gateway Server.

  7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semi-colon.

    • Add additional groups from different domains by repeating this step for each group.

  9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups.

    To specify the computer groups, you can use the same steps that you used to specify user groups.

  10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:

    • To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.

    • To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, click Disable device redirection for all client devices except for smart card.

    • To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.

Important

Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients. For more information, see What Are Trusted Clients?.

  1. Click OK.

  2. The new local TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.

Additional references