Creating a Terminal Services Resource Authorization Policy
Applies To: Windows Server 2008
This procedure describes how to use TS Gateway Manager to create a custom Terminal Services resource authorization policy (TS RAP) for TS Gateway, and to specify computers that users can connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies Wizard to complete these tasks.
If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you create the TS RAP, on the Computer Group tab, click the Select existing TS Gateway-managed computer group or create a new one option, and then specify the name of the terminal server farm. If the name of the terminal server farm is not specified, users will not be able to connect to members of the farm.
For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP. On the Computer Group tab, click the Select an Active Directory security group option, and then specify the security group that contains the terminal servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory security group.
To create a TS RAP and specify computers that users can connect to through the TS Gateway server
Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
In the console tree, expand Policies, and then click Resource Authorization Policies.
Right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.
On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.
In the Description box, enter a description for the new TS RAP.
On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.
In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:
Type the name of each user group, separating the name of each group with a semi-colon.
Add additional groups from different domains by repeating Step 7 for each group.
On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following:
To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the user group location and name, and then click OK. Note that you can select a security group in Local Users and Groups rather than in Active Directory Domain Services.
To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed Computer Group dialog box, do one of the following:
Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.
Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
When you add an internal network computer to the list of TS Gateway-managed computers, if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group, and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway.
To ensure that remote users connect to the internal network computers that you intend, we recommend that you do not specify IP addresses for the computers if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.
- To specify any network resource, click **Allow users to connect to any network resource**, and then click **OK**.
- After you specify a computer group, the new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.