PowerShell | Be What's Automated .. ™

Manoj Nair's technical blog covering topics such as PowerShell, Exchange Server, Virtualization, Windows Server and related Microsoft Technologies

RDS PowerShell : TFM – Part V : Configuring a RD Gateway using PowerShell

Now that we have our RDS Farm set up, let’s extend it over the internet by configuring the RD Gateway Role Service.

We will use our PYRAMID Server as our RD Gateway Server.

Using the Add-WindowsFeature cmdlet, we will install the RD-Gateway Role Service.

Now that we have the RD Gateway Role installed, it’s time to configure it using PowerShell. Start by importing the RemoteDesktopServices module and then navigating to the RDS: PS Drive.

As you can see in the screenshot above, there are many settings you can configure via the GatewayServer container. In this blog post, I am going to concentrate on a few important ones.

Creating a Connection Authorization Policy (CAP)

An RD CAP has the following configuration settings:

Let’s take a quick look at some of the mandatory properties: AuthMethod and UserGroups.

Alright, based on the description and information given above, let’s quickly create a CAP policy which uses Password Authentication and grants Domain Users access to connect to the RD Gateway Server.

You can then further drill down and configure additional settings by navigating to the TestCAP Container.

Creating a Resource Authorization Policy (RAP)

A RAP has the following configuration settings:

We will take a closer look at the ComputerGroupType setting.

Based on the above information, let’s create a RAP policy using PowerShell.

You can further drill down on the DemoRAP container to configure additional settings.
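
The CAP and RAP steps above as one script, followed by a read-back that flags any RAP open to every network resource. This is an added example, not the original post's commands; the domain CONTOSO, the host rdsh01.contoso.com and the group name FarmHosts are placeholders, and the ComputerGroupType chosen for DemoRAP is an assumption.

```powershell
# Added example. CONTOSO, rdsh01.contoso.com and FarmHosts are placeholders.
Import-Module RemoteDesktopServices

$users = 'Domain Users@CONTOSO'   # domain groups use the Groupname@Domain form
$farm  = 'FarmHosts'              # hypothetical gateway-managed computer group

# CAP: who may authenticate to the gateway. AuthMethod 1 = password.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'TestCAP' `
    -UserGroups $users -AuthMethod 1
# Further settings are set on the policy's child items after creation.
Set-Item -Path 'RDS:\GatewayServer\CAP\TestCAP\IdleTimeout' -Value 120

# Gateway-managed group naming the host that may be reached.
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $farm `
    -Description 'RDS farm session hosts' -Computers 'rdsh01.contoso.com'

# RAP: which hosts those users may reach through the gateway.
# ComputerGroupType 0 = gateway-managed group, 1 = AD security group,
# 2 = any network resource. Type 0 is this example's choice.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'DemoRAP' `
    -UserGroups $users -ComputerGroupType 0 -ComputerGroup $farm
Set-Item -Path 'RDS:\GatewayServer\RAP\DemoRAP\PortNumbers' -Value 3389
Set-Item -Path 'RDS:\GatewayServer\RAP\DemoRAP\Description' -Value 'Farm hosts only'

# Read back every RAP and flag those that allow any network resource.
function Get-RapSummary {
    Get-ChildItem -Path 'RDS:\GatewayServer\RAP' | ForEach-Object {
        $base = "RDS:\GatewayServer\RAP\$($_.Name)"
        $type = (Get-Item -Path "$base\ComputerGroupType").CurrentValue
        [pscustomobject]@{
            Name              = $_.Name
            ComputerGroupType = $type
            PortNumbers       = (Get-Item -Path "$base\PortNumbers").CurrentValue
            AnyResource       = ($type -eq 2)
        }
    }
}
Get-RapSummary | Format-Table -AutoSize
```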

Comments
  • I'm running into an issue when trying to create a new RAP using PowerShell. When I attempt to create one with the command below, I get the error "New-Item : A parameter cannot be found that matches parameter name 'description'."

    PS RDS:\GatewayServer\rap> new-item -name test -usergroups "test@domain" -computergroup test_resources -description test

    Is there a bug with setting the Description parameter on a RAP with the RemoteDesktopServices PowerShell module? I'm able to set the Description parameter on the RD Gateway Managed Computer Groups that I've created via PowerShell.

    Thanks,

    -Cory

  • I figured it out - you need to set the Description parameter by changing to the "RDS:\GatewayServer\Rap\Rap_Name" container and running the command below after the RAP has been created:

    Set-Item Description "Enter Description Here"

    I'm confused as to why you have to set it this way since setting it on the RD Gateway Managed Computer Groups is much more intuitive.

  • Hello,

    I am dealing with RemoteDesktopServices on Win2008R2, I want to ask if you know how to create a RAP in 2008R2. I tried

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential -Force

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Force

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential

    And keep receiving this:

    "New-Item : Access to the object at RDS:\GatewayServer\RAP is denied for the cmdlet New-Item."

    I also tried creating the value for $Credential with the Get-Credential cmdlet but it didn't work. I am running PS with elevated privileges. Any ideas?

  • If you run into the error described above:

    "New-Item : Access to the object at RDS:\GatewayServer\CAP\[...] is denied for the cmdlet New-Item.The supplied value is not valid, or you do not have sufficient permissions."

    In my case it was caused by using a wrong usergroup.

    If you want to use Domain Groups, you have to use "Groupname@Domain".

    If you want to use local Groups, you must use "Groupname@." i.e. "Administrators@."

    Using your local hostname, IP or "localhost" won't do it. Using "." seems to be the only way.

    To set additional options, you have to use set-item. My test environment setup looks like this:

    #####

    Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

    Import-Module RemoteDesktopServices

    New-Item -Path "RDS:\GatewayServer\CAP" -Name "Allow Admins" -UserGroups "Administrators@." -AuthMethod 1

    Set-Item -Path "RDS:\GatewayServer\CAP\Allow Admins\IdleTimeout" -Value 120

    Set-Item -Path "RDS:\GatewayServer\CAP\Allow Admins\SessionTimeout" -Value 480 -SessionTimeoutAction 0

    New-Item -Path "RDS:\GatewayServer\RAP" -Name "Allow Connections To Everywhere" -UserGroups "Administrators@." -ComputerGroupType 2

    Set-Item -Path "RDS:\GatewayServer\RAP\Allow Connections To Everywhere\PortNumbers" -Value 3389,3390

    #####
