Understanding Authorization Policies for TS Gateway
Applies To: Windows Server 2008
After you install the TS Gateway role service and configure a certificate for the TS Gateway server, you must create Terminal Services connection authorization policies (TS CAPs), computer groups, and Terminal Services resource authorization policies (TS RAPs).
This topic describes how TS CAPs, computer groups, and TS RAPs enable you to control remote user access to internal network resources (computers) when those users connect to the internal network over the Internet through TS Gateway.
TS CAPs
TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. You can list specific conditions in each TS CAP. For example, you might require a group of users to use a smart card to connect through TS Gateway.
Important
Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a Terminal Services resource authorization policy (TS RAP). A TS RAP allows you to specify the network resources (computers) that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to network resources through this TS Gateway server.
For information about how to create TS CAPs, see Manage Terminal Services Connection Authorization Policies (TS CAPs).
TS RAPs
TS RAPs allow you to specify the internal network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP.
Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.
Note
When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.
For information about how to create TS RAPs, see Manage Terminal Services Resource Authorization Policies (TS RAPs).
Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.
Security groups and TS Gateway-managed computer groups associated with TS RAPs
Remote users can connect through TS Gateway to internal network resources in a security group or a TS Gateway-managed computer group. The group can be any one of the following:
Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.
Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure a TS Gateway-managed computer group by using TS Gateway Manager after installation.
A TS Gateway-managed computer group will not appear in Local Users and Groups on the TS Gateway server, nor can it be configured by using Local Users and Groups.
Any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.