RDS: The RD Gateway server must have at least one RD RAP enabled

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Remote Desktop Services

Severity: Error

Category: Configuration

Issue

The Remote Desktop Gateway (RD Gateway) server does not have a Remote Desktop resource authorization policy (RD RAP) enabled.

Impact

If the RD Gateway server does not have an RD RAP enabled, users cannot connect to internal network resources (computers) by using the RD Gateway server.

Resolution

Use the RD Gateway Manager tool to enable an RD RAP to specify the internal network resources (computers) that users can connect to by using the RD Gateway server.

Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal network resources (computers) that remote users can connect to by using an RD Gateway server.

Use the following procedures to ensure that an RD RAP exists and is enabled:

  • Verify an RD RAP exists

  • Create an RD RAP

  • Enable an RD RAP

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.

To verify an RD RAP exists

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. In the results pane, in the list of Resource Authorization Policies, verify that RD RAPs exist.

    • If no RD RAPs are listed, see the section “To create an RD RAP” to create new RD RAPs.

    • If RD RAPs are listed and none are enabled, see the section “To enable an RD RAP” to enable an existing RD RAP.

To create an RD RAP

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. In the console tree, right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.

  5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.

  6. In the Description box, enter a description for the new RD RAP, and then verify that the Enable this policy check box is selected.

  7. On the User Groups tab, click Add to select the user groups to which you want this RD RAP to apply.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semicolon.

    • Add additional groups from different domains by repeating step 7 for each group.

  9. On the Network Resource tab, specify the network resources available to remote users.

  10. On the Allowed Ports tab, do one of the following to specify the port that Terminal Services clients can use when connecting to computers through RD Gateway:

    • To restrict the port that clients use to TCP port 3389, click Allow connections only through TCP port 3389. This is the default option.

    • To specify different ports through which clients can connect, click Allow connections through these ports, and then type the port number. If you are specifying more than one port, type the number for each port, separated by a semicolon.

    • To allow clients to connect through any port, click Allow connections through any port.

  11. Click OK to close the Properties dialog box for the RD RAP.

  12. The new RD RAP that you created appears in the RD Gateway Manager results pane. When you click the name of the RD RAP, the policy details appear in the lower pane.

To enable an RD RAP

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. In the results pane, in the list of RD RAPs, right-click the RD RAP that you want to enable, and then click Enable.
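
The verify and enable procedures above can also be scripted through the RDS: drive of the RemoteDesktopServices PowerShell module. This is an added example, not part of the original topic: the function names are hypothetical, and the Status and PortNumbers item names are assumed from the provider's RAP layout (confirm them with Get-ChildItem on your RD Gateway server).

```powershell
# Added example. Run in an elevated session on the RD Gateway server
# (local Administrators membership, as the procedure requires).
Import-Module RemoteDesktopServices   # supplies the RDS: drive

$RapRoot = 'RDS:\GatewayServer\RAP'

function Get-RdRapState {
    # One object per RD RAP: name, enabled flag, allowed ports.
    Get-ChildItem -Path $RapRoot | ForEach-Object {
        $base = "$RapRoot\$($_.Name)"
        New-Object PSObject -Property @{
            Name    = $_.Name
            # Assumed item semantics: Status 1 = enabled, 0 = disabled.
            Enabled = ([int](Get-Item "$base\Status").CurrentValue -eq 1)
            Ports   = [string](Get-Item "$base\PortNumbers").CurrentValue
        }
    }
}

function Test-RdRapBaseline {
    # Mirrors step 4 of "To verify an RD RAP exists".
    $raps = @(Get-RdRapState)
    if ($raps.Count -eq 0) {
        return 'FAIL: no RD RAP exists; create one'
    }
    $enabled = @($raps | Where-Object { $_.Enabled })
    if ($enabled.Count -eq 0) {
        return 'FAIL: RD RAPs exist but none is enabled; enable one'
    }
    # 3389 is the default port option; list enabled RAPs that allow
    # anything else so the wider exposure is reviewed deliberately.
    $wide = @($enabled | Where-Object { $_.Ports -ne '3389' })
    if ($wide.Count -gt 0) {
        $names = ($wide | ForEach-Object { $_.Name }) -join ', '
        return "PASS (review non-default ports on: $names)"
    }
    return 'PASS: at least one RD RAP is enabled'
}

function Enable-RdRap([string]$Name) {
    # Scripted equivalent of right-click > Enable in RD Gateway Manager.
    Set-Item -Path "$RapRoot\$Name\Status" -Value 1
}

Get-RdRapState | Format-Table Name, Enabled, Ports -AutoSize
Test-RdRapBaseline
```

Call Enable-RdRap with the name of an existing policy only after reviewing its user groups, network resources and ports in the Get-RdRapState output.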

Additional references

Best Practices Analyzer for Remote Desktop Services: Configuration
Best Practices Analyzer for Remote Desktop Services