Remote Desktop Gateway Role Service Migration

Applies To: Windows Server 2008, Windows Server 2008 R2

This guide describes how to migrate the Remote Desktop Gateway (RD Gateway) role service. It shows how to export Remote Desktop connection authorization policies (RD CAPs), Remote Desktop resource authorization policies (RD RAPs), and RD Gateway properties by using Remote Desktop Gateway Manager. In addition, this guide explains how to use RD Gateway Manager to import RD Gateway settings to a destination RD Gateway server.

This migration process can also be used to export Terminal Services connection authorization policies (TS CAPs), Terminal Services resource authorization policies (TS RAPs), and TS Gateway properties to an RD Gateway server. Preparation and verification of the migration are included in the guide.


In Windows Server 2008 R2, the TS Gateway role service is now called the RD Gateway role service. In this migration guide, this new terminology is used even when referring to previous versions of Windows Server unless there is a difference that makes it necessary to mention TS Gateway separately. Security group names have not changed in Windows Server 2008 R2.

Overview of the migration process for the RD Gateway role service

The RD Gateway role service migration process includes the following topics:

What needs to be migrated during the preparation phase

The following features are not migrated by using RD Gateway Manager. They must be migrated separately when you are preparing to migrate. For more information about how to migrate these features, see RD Gateway Migration: Preparing to Migrate.

  • Web Server (IIS)

  • Secure Sockets Layer (SSL)-compatible X.509 certificates

  • Network Access Protection (NAP) policies (from Windows Server 2008)

What is migrated by using RD Gateway Manager

By using RD Gateway Manager and the steps in this guide, you can export all RD CAP settings and RD RAP settings and most RD Gateway properties (except certificates) from an existing RD Gateway server, and import these settings and properties to a destination server within or across domains. The following settings will be migrated.

Remote Desktop connection authorization policies (RD CAPs)

  • State of the RD CAP (enabled or disabled)

  • Windows Authentication methods

  • Active Directory user groups used in RD CAPs

  • Local users (only if the user group exists on the destination server)

  • Computers to which users are allowed to connect

  • Idle and session timeout settings

  • Device redirection settings

  • Network Access Protection (NAP) settings inside the RD CAP (only for Windows Server 2008 R2)

Remote Desktop resource authorization policies (RD RAPs)

  • State of the RD RAP (enabled or disabled)

  • Computer groups that allow connections

  • Allowed ports that Remote Desktop Services clients can connect through

  • Active Directory user groups associated with RD RAP policies

  • Active Directory computer groups managed by RD Gateway

RD Gateway server properties

  • Logon and system message settings

  • Number of connections allowed through the RD Gateway server

  • Central RD CAP store servers

  • RD Gateway server farm members

  • Auditing settings

See also