

Create a TS RAP

Applies To: Windows Server 2008

Terminal Services resource authorization policies (TS RAPs) allow you to specify the internal network resources (computers) that remote users can connect to through a TS Gateway server.

Remote users connecting to the network through a TS Gateway server are granted access to computers on the internal network if they meet the conditions specified in at least one TS CAP and one TS RAP.

Note

When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.

This procedure describes how to use TS Gateway Manager to create a custom TS RAP. Alternatively, you can use the Authorization Policies Wizard to quickly create a TS CAP and a TS RAP for TS Gateway. For more information, see Use the Authorization Policies Wizard to Create TS CAPs and TS RAPs.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create a TS RAP

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. In the console tree, right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.

  5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.

  6. In the Description box, enter a description for the new TS RAP.

  7. On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the group names with semicolons.

    • Add additional groups from different domains by repeating step 7 for each group.

  9. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway. For information about how to create computer groups for TS Gateway, see Specify Computers That Users Can Connect to Through TS Gateway.

  10. On the Allowed Ports tab, do one of the following to specify the port that Terminal Services clients can use when connecting to computers through TS Gateway:

    • To restrict the port that clients use to TCP port 3389, click Allow connections only through TCP port 3389. This is the default option.

    • To specify different ports through which clients can connect, click Allow connections through these ports, and then type the port number. If you are specifying more than one port, type the port numbers separated by semicolons.

    • To allow clients to connect through any port, click Allow connections through any port.

  11. Click OK to close the Properties dialog box for the TS RAP.

  12. The new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.
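The following added example is not Microsoft code and does not call TS Gateway. It is a simplified Python model of the settings chosen in steps 5 through 10, used to review a planned TS RAP against the 64-character name limit, the semicolon-separated port list, and the Note's point that a TS Gateway-managed computer group needs the FQDN and the NetBIOS name added separately. The names Rap, parse_ports, review and ANY_PORT, the sample group and computer names, and the case-insensitive name comparison are assumptions.

```python
from dataclasses import dataclass
# Simplified model for policy review; all names and sample values are constructed.
ANY_PORT = "*"  # stands for "Allow connections through any port"

def parse_ports(text):
    """Parse the Allowed Ports box: port numbers separated by semicolons."""
    ports = set()
    for item in text.split(";"):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.add(int(item))
    return ports

@dataclass
class Rap:
    name: str
    user_groups: set
    computers: set                     # names as entered in a TS Gateway-managed group
    ports: object = frozenset({3389})  # default option: TCP port 3389 only

    def __post_init__(self):
        if len(self.name) > 64:
            raise ValueError("policy name is longer than 64 characters")
        self.computers = {c.lower() for c in self.computers}  # assumed case-insensitive

    def allows(self, member_of, target, port):
        """True if this RAP covers the user's groups, the typed name and the port."""
        return (bool(self.user_groups & set(member_of))
                and target.lower() in self.computers
                and (self.ports == ANY_PORT or port in self.ports))

def review(rap):
    """Return findings to resolve before creating the policy."""
    findings = []
    if rap.ports == ANY_PORT:
        findings.append("any port allowed: not limited to TCP port 3389")
    short = {c for c in rap.computers if "." not in c}
    fqdn_hosts = {c.split(".")[0] for c in rap.computers if "." in c}
    for host in sorted(fqdn_hosts - short):
        findings.append(f"{host}: FQDN listed without NetBIOS name")
    for host in sorted(short - fqdn_hosts):
        findings.append(f"{host}: NetBIOS name listed without FQDN")
    return findings

if __name__ == "__main__":
    rap = Rap("Finance RDP", {"EXAMPLE\\Finance"}, {"fin01.corp.example"})
    print(review(rap))                                    # name-form finding
    print(rap.allows(["EXAMPLE\\Finance"], "fin01", 3389))  # False: short name not listed
```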

Additional references