Now that we have our RDS Farm set up, let’s extend it over the internet by configuring the RD Gateway Role Service.
We will use our PYRAMID Server as our RD Gateway Server.
Using the Add-WindowsFeature cmdlet, we will install the RD-Gateway Role Service.
Now that we have the RD Gateway Role installed, it’s time to configure it using PowerShell. Start by importing the RemoteDesktopServices module and then navigating to the RDS: PS Drive.
As you can see in the screenshot above, there are many settings you can configure via the GatewayServer container. In this blog post, I am going to concentrate on a few important ones.
Creating a Connection Authorization Policy (CAP)
RD CAP has the following configurations
Let’s take a quick look at some of the mandatory properties, AuthMethod and UserGroups
Alright, based on the description and information given above, let’s quickly create a CAP that uses Password Authentication and grants Domain Users access to connect to the RD Gateway Server.
You can then further drill down and configure additional settings by navigating to the TestCAP Container.
Creating a Resource Authorization Policy (RAP)
RAP has the following configuration Settings
We will take a closer look at the ComputerGroupType Setting
Based on the above information, let’s create a RAP Policy using PowerShell
You can further drill down on the DemoRAP container to configure additional settings.
I'm running into an issue when trying to create a new RAP using PowerShell. When I attempt to create one with the command below, I get the error "New-Item : A parameter cannot be found that matches parameter name 'description'."
PS RDS:\GatewayServer\rap> new-item -name test -usergroups "test@domain" -computergroup test_resources -description test
Is there a bug with setting the Description parameter on a RAP with the RemoteDesktopServices PowerShell module? I'm able to set the Description parameter on the RD Gateway Managed Computer Groups that I've created via PowerShell.
I figured it out - you need to set the Description parameter by changing to the "RDS:\GatewayServer\Rap\Rap_Name" container and running the command below after the RAP has been created:
Set-Item Description "Enter Description Here"
I'm confused as to why you have to set it this way since setting it on the RD Gateway Managed Computer Groups is much more intuitive.
I am dealing with RemoteDesktopServices on Win2008R2, I want to ask if you know how to create a RAP in 2008R2. I tried
New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential -Force
New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Force
New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential
And keep receiving this:
"New-Item : Access to the object at RDS:\GatewayServer\RAP is denied for the cmdlet New-Item."
I also tried creating the value for $Credential with the Get-Credential cmdlet but it didn't work. I am running PS with elevated privileges. Any ideas?
If you run into the error described above:
"New-Item : Access to the object at RDS:\GatewayServer\CAP\[...] is denied for the cmdlet New-Item.The supplied value is not valid, or you do not have sufficient permissions."
In my case it was caused by using a wrong usergroup.
If you want to use Domain Groups, you have to use "Groupname@Domain".
If you want to use local Groups, you must use "Groupname@." i.e. "Administrators@."
Using your local hostname, IP or "localhost" won't do it. Using "." seems to be the only way.
To set additional options, you have to use set-item. My test environment setup looks like this:
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
New-Item -Path "RDS:\GatewayServer\CAP" -Name "Allow Admins" -UserGroups "Administrators@." -AuthMethod 1
Set-Item -Path "RDS:\GatewayServer\CAP\Allow Admins\IdleTimeout" -Value 120
Set-Item -Path "RDS:\GatewayServer\CAP\Allow Admins\SessionTimeout" -Value 480 -SessionTimeoutAction 0
New-Item -Path "RDS:\GatewayServer\RAP" -Name "Allow Connections To Everywhere" -UserGroups "Administrators@." -ComputerGroupType 2
Set-Item -Path "RDS:\GatewayServer\RAP\Allow Connections To Everywhere\PortNumbers" -Value 3389,3390
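A review pass over RAP settings such as the ones in the comments above, as an added example (not code from the post or its commenters). The function names, the approved-port list and the sample policies are constructed for illustration; the ComputerGroupType meanings (0 = gateway-managed group, 1 = AD group, 2 = any network resource), ';' as the group separator and '*' as "any port" are assumptions.

```powershell
# Added example: review RAP settings before or after applying them.
# Assumed: ComputerGroupType 2 = any network resource; groups are ';'-separated.
function Test-RapPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [int[]] $AllowedPorts = @(3389)
    )
    process {
        $findings = @()
        # Group names must be "Group@Domain" or "Group@." (local), per the comment above.
        foreach ($g in @("$($Policy.UserGroups)" -split ';' | Where-Object { $_.Trim() })) {
            if ($g.Trim() -notmatch '^[^@]+@[^@]+$') {
                $findings += "User group '$($g.Trim())' is not in Group@Domain form"
            }
        }
        if ([int]$Policy.ComputerGroupType -eq 2) {
            $findings += 'Targets are not restricted (any network resource)'
        }
        # '*' is assumed to mean "any port".
        foreach ($p in @("$($Policy.PortNumbers)" -split '[,;\s]+' | Where-Object { $_ })) {
            if ($p -eq '*') { $findings += 'Any port is allowed' }
            elseif ($p -match '^\d+$' -and [int]$p -notin $AllowedPorts) {
                $findings += "Port $p is outside the approved list"
            }
        }
        [pscustomobject]@{ Name = $Policy.Name; Findings = $findings }
    }
}

# Read live values on a gateway (needs the RemoteDesktopServices module).
function Get-RapSetting {
    Get-ChildItem 'RDS:\GatewayServer\RAP' | ForEach-Object {
        $base = "RDS:\GatewayServer\RAP\$($_.Name)"
        [pscustomobject]@{
            Name              = $_.Name
            ComputerGroupType = (Get-Item "$base\ComputerGroupType").CurrentValue
            PortNumbers       = (Get-Item "$base\PortNumbers").CurrentValue
        }
    }
}

# Constructed sample policies, modelled on the commands in the comments above.
$samples = @(
    [pscustomobject]@{ Name = 'Allow Connections To Everywhere'; UserGroups = 'Administrators@.'
                       ComputerGroupType = 2; PortNumbers = '3389,3390' }
    [pscustomobject]@{ Name = 'test'; UserGroups = 'HOSTNAME\Administrators'
                       ComputerGroupType = 0; PortNumbers = '3389' }
)
$samples | Test-RapPolicy | Format-List
```

On a gateway, `Get-RapSetting | Test-RapPolicy` runs the same checks against the live policies; the user-group check is skipped there because the reader does not collect group names.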