Understanding Authorization Policies for Remote Desktop Gateway

After you install the RD Gateway role service and configure a certificate for the RD Gateway server, you must create Remote Desktop connection authorization policies (RD CAPs), computer groups, and Remote Desktop resource authorization policies (RD RAPs).
This topic describes how RD CAPs, computer groups, and RD RAPs enable you to control remote user access to internal network resources (computers) when those users connect to the internal network over the Internet through RD Gateway.

RD CAPs

RD CAPs allow you to specify who can connect to an RD Gateway server. You can specify a user group that exists on the local RD Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access an RD Gateway server. You can list specific conditions in each RD CAP. For example, you might require a group of users to use a smart card to connect through RD Gateway.

Important

Users are granted access to an RD Gateway server if they meet the conditions specified in the RD CAP. You must also create a Remote Desktop resource authorization policy (RD RAP). An RD RAP allows you to specify the network resources (computers) that users can connect to through RD Gateway. Until you create both an RD CAP and an RD RAP, users cannot connect to network resources through this RD Gateway server.

For information about how to create RD CAPs, see Manage Remote Desktop Connection Authorization Policies (RD CAPs).

RD RAPs

RD RAPs allow you to specify the internal network resources that remote users can connect to through an RD Gateway server. When you create an RD RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the RD RAP.
Remote users connecting to an internal network through an RD Gateway server are granted access to computers on the network if they meet the conditions specified in at least one RD CAP and one RD RAP.

Note

When you associate an RD Gateway-managed computer group with an RD RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the RD Gateway-managed computer group separately. When you associate an Active Directory security group with an RD RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the RD Gateway server. If the internal network computer belongs to a different domain than the RD Gateway server, users must specify the FQDN of the internal network computer.

For information about how to create RD RAPs, see Manage Remote Desktop Resource Authorization Policies (RD RAPs).
Together, RD CAPs and RD RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.

Network resource groups and RD Gateway-managed computer groups associated with RD RAPs

Remote users can connect through RD Gateway to internal network resources in a security group or an RD Gateway-managed computer group. The group can be any one of the following:

• Select an Active Directory Domain Services network resource group. The network resource group already exists in Active Directory Domain Services.
  
• Select an existing RD Gateway-managed group or create a new one. You can configure an RD Gateway-managed computer group or select an existing one, by using Remote Desktop Gateway Manager after installation.
  
  An RD Gateway-managed computer group will not appear in Local Users and Groups on the RD Gateway server, nor can it be configured by using Local Users and Groups.
  
• Allow users to connect to any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.
  

Additional references

• Configuring the Remote Desktop Gateway Server