Creating an RD CAP
Updated: March 2, 2011
Applies To: Windows Server 2008 R2
Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway server. This procedure describes how to create a new local RD CAP. Alternatively, you can specify a central RD CAP store. For more information, see Specify a New Central RD CAP Store or Specify an Existing Local or Central RD CAP Store.
Important
If you have not done so already, you must also create a Remote Desktop resource authorization policy (RD RAP). Until you create both an RD CAP and an RD RAP, users cannot connect to network resources through this RD Gateway server.
This procedure describes how to use Remote Desktop Gateway Manager to create a custom RD CAP. Alternatively, you can use the Authorization Policies Wizard to quickly create an RD CAP and an RD RAP for RD Gateway.
Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To create an RD CAP
On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
In the console tree, click to expand the node that represents the RD Gateway server, which is named for the computer on which the RD Gateway server is running.
In the console tree, expand Policies, and then click Connection Authorization Policies.
Right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.
In the New RD CAP dialog box, on the General tab, in the Policy name box, enter a name for the policy, and then verify that the Enable this policy check box is selected.
On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:
Password
Smart card
When both of these options are selected, clients that use either authentication method are allowed to connect.
Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the RD Gateway server. You must specify at least one user group.
In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
Type the name of each user group, separating the name of each group with a semi-colon.
Add additional groups from different domains by repeating this step for each group.
To specify optional additional computer domain membership criteria that client computers must meet, on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups.
To specify the computer groups, you can use the same steps that you used to specify user groups.
On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
To permit all client devices to be redirected when connecting through the RD Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
To disable device redirection for only certain device types when connecting through the RD Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
To only allow client connection to servers that enforce secure device redirection, on the Device Redirection tab, click Only allow client connections to Remote Desktop Session Host servers that enforce RD Gateway device redirection.
Warning
Selecting Only allow client connections to Remote Desktop Session Host servers that enforce RD Gateway device redirection will prevent users that are running versions older than Remote Desktop Connection (RDC) 7.0 from connecting.
On the Timeouts tab, select the following options to enable or disable timeouts:
To set disconnection timeout settings for an idle remote session when connecting through the RD Gateway server, select the Enable idle timeout check box. In the Disconnect session after idle for box, enter the time, in minutes, to set the maximum time that a remote session can be idle before the session is disconnected.
To set session timeout settings for a remote session when connecting through the RD Gateway server, select the Enable session timeout check box. In the Time out session after box, enter the time, in minutes, to set the time for session timeout to take effect. Select the action to take after the user session timeout is reached:
To disconnect the remote session, click Disconnect session.
To have the session continue uninterrupted, unless changes to the user profile have been made, click Silently re-authenticate and reauthorize session.
Click OK.
The new local RD CAP that you created appears in the Remote Desktop Gateway Manager results pane. When you click the name of the RD CAP, the policy details appear in the lower pane.