Specify Computers That Users Can Connect to Through Remote Desktop Gateway
Updated: March 2, 2011
Applies To: Windows Server 2008 R2
Remote users can connect through RD Gateway to internal network resources in an existing security group, an RD Gateway-managed computer group, or an RD Session Host server farm.
The group can be any of the following:
- An existing Active Directory Domain Services network resource group.
- An existing RD Gateway-managed group or a new RD Gateway-managed group.
  If users are connecting to members of a terminal server farm by using Terminal Services Session Broker (TS Session Broker) running on Windows Server 2008, you must select this option. The name of the farm and the name of each member must be specified in the computer group.
- Any network resource.
Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To specify computers that users can connect to through RD Gateway
On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
In the Remote Desktop Gateway Manager console tree, click to expand the node that represents your RD Gateway server, which is named for the computer on which the RD Gateway server is running.
In the console tree, expand Policies, and then click Resource Authorization Policies.
With the Resource Authorization Policies folder selected, right-click the RD RAP for which you want to specify a computer group, and then click Properties.
On the Network Resource tab, specify the computer group that users can connect to through RD Gateway by doing one of the following:
- To specify an existing Active Directory Domain Services network resource group, click Select an Active Directory Domain Services network resource group. This is the default option.
  In the Select Group dialog box, specify the user group location and name, and then click OK.
- To specify an RD Gateway-managed computer group, click Select an existing RD Gateway-managed group or create a new one, and then click Browse. In the Select an RD Gateway-managed computer group dialog box, do one of the following:
  - Select an existing RD Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK.
  - Create a new RD Gateway-managed computer group by clicking Create New Group.
    - In the New RD Gateway-Managed Computer Group dialog box, on the General tab, in the Name box, enter a name for the new RD Gateway-managed computer group. In the Description box, enter a description.
    - On the Network Resources tab, type the name or IP address of the computer or remote desktop farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New RD Gateway-Managed Computer Group dialog box.
    - In the Select an RD Gateway-managed computer group dialog box, click the name of the new computer group, and then click OK.
When you add an internal corporate network computer to the list of RD Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice: once by specifying its computer name, and again by specifying its IP address. If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to it through RD Gateway. To ensure that remote users connect to the internal corporate network computers that you intend, we recommend that you do not specify IP addresses for computers that are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.
- To specify any network resource, click **Allow users to connect to any network resource**, and then click **OK**.
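
The guidance above on computer names versus IP addresses can be checked against a planned list before the entries are typed into the Network Resources tab. The following PowerShell function is an added example, not Microsoft's code or part of the original page; the function name, the inventory objects (Name, Address, Static) and all sample values are constructed assumptions.

```powershell
# Added example: review planned entries for an RD Gateway-managed computer group.
# Get-RdgGroupEntryFinding and the inventory shape are hypothetical, not an RD Gateway API.
function Get-RdgGroupEntryFinding {
    param(
        [Parameter(Mandatory = $true)][string[]]$Entry,      # names or IPs as they would be typed
        [Parameter(Mandatory = $true)][object[]]$Inventory   # objects with Name, Address, Static
    )
    $listed = @($Entry | ForEach-Object { $_.Trim() })
    foreach ($text in $listed) {
        $ip = $null
        # TryParse alone accepts short forms such as "10.1", so require a dotted quad or a colon.
        $isIp = ($text -match '^\d{1,3}(\.\d{1,3}){3}$' -or $text.Contains(':')) -and
                [System.Net.IPAddress]::TryParse($text, [ref]$ip)
        if ($isIp) {
            $owner = $Inventory | Where-Object { $_.Address -eq $text } | Select-Object -First 1
            if (-not $owner) {
                $note = 'IP entry matches no known computer'
            } elseif (-not $owner.Static) {
                $note = "IP entry for DHCP client $($owner.Name): address may move to another computer"
            } elseif ($listed -notcontains $owner.Name) {
                $note = "$($owner.Name) is listed by IP only: users must connect by IP address"
            } else {
                $note = 'OK: static address, also listed by name'
            }
        } else {
            $owner = $Inventory | Where-Object { $_.Name -eq $text } | Select-Object -First 1
            if (-not $owner) {
                $note = 'Name matches no known computer (check whether it is a farm name)'
            } elseif ($listed -contains $owner.Address) {
                $note = 'OK: listed by name and by IP address'
            } else {
                $note = 'OK: listed by name only'
            }
        }
        New-Object PSObject -Property @{ Entry = $text; IsIpAddress = $isIp; Finding = $note }
    }
}

# Constructed sample data: one server with a static address, one DHCP workstation.
$inventory = @(
    (New-Object PSObject -Property @{ Name = 'APP01.corp.example'; Address = '10.0.5.20'; Static = $true }),
    (New-Object PSObject -Property @{ Name = 'WS-114.corp.example'; Address = '10.0.8.77'; Static = $false })
)
$entries = 'APP01.corp.example', '10.0.5.20', '10.0.8.77', 'FARM1.corp.example'
Get-RdgGroupEntryFinding -Entry $entries -Inventory $inventory |
    Format-Table Entry, IsIpAddress, Finding -AutoSize -Wrap
```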