Creating a Terminal Services Connection Authorization Policy
Updated: March 15, 2010
Applies To: Windows Server 2008
This procedure describes how to use TS Gateway Manager to create a custom Terminal Services connection authorization policy (TS CAP) for TS Gateway. Alternatively, you can use the Authorization Policies Wizard to create a TS CAP.
If you configure more than one TS CAP, TS Gateway uses the following policy lookup behavior: Policies are applied in the numerical order that appears in the TS Gateway Manager results pane, and access to the TS Gateway server is granted by the first matching policy. That is, if a client does not meet the requirements of the first TS CAP in the list, TS Gateway evaluates the second policy in the list, and so on, until it locates a TS CAP whose requirements are met. If a client does not meet the requirements of any TS CAP in the list, TS Gateway denies access to the client.
To create a TS CAP for the TS Gateway server
Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
In the console tree, expand Policies, and then click Connection Authorization Policies.
Right-click the Connection Authorization Policies folder, click Create New Policy, and then click Custom.
On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.
On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:
When both of these options are selected, clients that use either authentication method are allowed to connect.
Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
Type the name of each user group, separating the group names with a semicolon.
Add additional groups from different domains by repeating this step for each group.
To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified.
To specify computer groups, you can use the same steps that you used to specify user groups.
On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, click Disable device redirection for all client devices except for smart card.
To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients.
The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.
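The following Python model is an added illustration, not TS Gateway code or its management API: it models the first-match policy lookup behavior described at the top of this page together with the Requirements-tab criteria (authentication method, user group, optional computer group) from the steps above. The policy and group names and the client records are constructed for the example.

```python
# Added illustration of TS CAP first-match evaluation; this is a model of the
# documented behaviour, not TS Gateway code or its WMI API.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class TsCap:
    name: str
    user_groups: FrozenSet[str]                    # at least one group is required
    computer_groups: FrozenSet[str] = frozenset()  # empty: no computer group criterion
    password_allowed: bool = True
    smartcard_allowed: bool = False
    device_redirection: str = "all"                # "all" | "smartcard_only" | "partial"
    enabled: bool = True

@dataclass(frozen=True)
class Client:
    user: str
    auth_method: str                               # "password" or "smartcard"
    user_groups: FrozenSet[str]
    computer_groups: FrozenSet[str] = frozenset()

def cap_matches(cap: TsCap, client: Client) -> bool:
    """Every requirement on the policy's Requirements tab must be met."""
    if not cap.enabled:
        return False
    if client.auth_method == "password" and not cap.password_allowed:
        return False
    if client.auth_method == "smartcard" and not cap.smartcard_allowed:
        return False
    if not (client.user_groups & cap.user_groups):
        return False
    if cap.computer_groups and not (client.computer_groups & cap.computer_groups):
        return False
    return True

def evaluate(caps: List[TsCap], client: Client) -> Optional[TsCap]:
    """Policies are tried in results-pane order; the first match grants access
    (and its Device Redirection settings apply); no match means access is denied."""
    for cap in caps:
        if cap_matches(cap, client):
            return cap
    return None

# Constructed sample configuration (all names are hypothetical).
CAPS = [
    TsCap("Admins - smart card from managed PCs", frozenset({"CONTOSO\\Domain Admins"}),
          frozenset({"CONTOSO\\Managed Laptops"}), password_allowed=False,
          smartcard_allowed=True, device_redirection="smartcard_only"),
    TsCap("Remote users - password or smart card", frozenset({"CONTOSO\\Remote Users"}),
          smartcard_allowed=True),
]
```

Because the first matching policy decides both access and the device redirection settings, reordering the list changes which settings a user who satisfies more than one policy receives.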