RD Gateway

Applies To: Windows Server 2008 R2

Policy settings in this node control configuration to access an RD Gateway server.

The full path of this node in the Group Policy Management Console is User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway.

Note

If you are using the Local Group Policy Editor, Policies is not part of the node path.

Available policy settings

Name Explanation Requirements

Set RD Gateway authentication mode

Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these RD Gateway server settings option on the client.

To allow users to overwrite this policy setting, select the Allow users to change this setting check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.

At least Windows XP Professional with SP2 or Windows Server 2003 family with SP1

Enable connection through RD Gateway

If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the Set RD Gateway server address policy setting.

You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these RD Gateway server settings option on the client.

Note
To enforce this policy setting, you must also specify the address of the RD Gateway server by using the Set RD Gateway server address policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the Set RD Gateway authentication method policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used.

To allow users to overwrite this policy setting, select the Allow users to change this setting check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the Do not use an RD Gateway server option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the Set RD Gateway server address policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

At least Windows XP Professional with SP2 or Windows Server 2003 family with SP1

Set RD Gateway server address

Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these RD Gateway server settings option on the client.

Note

It is highly recommended that you also specify the authentication method by using the Set RD Gateway authentication method policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used.

To allow users to overwrite the Set RD Gateway server address policy setting and connect to another RD Gateway server, you must select the Allow users to change this setting check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default.

Note

If you disable or do not configure this policy setting, but enable the Enable connections through RD Gateway policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

At least Windows XP Professional with SP2 or Windows Server 2003 family with SP1