Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal network resources (computers) that remote users can connect to through an RD Gateway server.

Remote users connecting to the network through an RD Gateway server are granted access to computers on the internal network if they meet the conditions specified in at least one RD CAP and one RD RAP.


When you associate an RD Gateway-managed computer group with an RD RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the RD Gateway-managed computer group separately. When you associate an Active Directory security group or an RD Session Host server farm with an RD RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the RD Gateway server. If the internal network computer belongs to a different domain than the RD Gateway server, users must specify the FQDN of the internal network computer.

This procedure describes how to use Remote Desktop Gateway Manager to create a custom RD RAP. Alternatively, you can use the Authorization Policies Wizard to quickly create an RD CAPand an RD RAP for RD Gateway.

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

To create an RD RAP
  1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

  2. In the Remote Desktop Gateway Manager console tree, click to expand the node that represents your RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. In the console tree, right-click the Resource Authorization Policies folder, point to Create New Policy, and then click Custom.

  5. In the New RD RAP dialog box, on the General tab, in the Policy name box, enter a name that is no longer than 64 characters.

  6. In the Description box, enter a description for the new RD RAP, and then verify that the Enable this policy check box is selected.

  7. On the User Groups tab, click Add to select the user groups to which you want this RD RAP to apply.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semi-colon.

    • Add additional groups from different domains by repeating step 7 for each group.

  9. On the Network Resource tab, specify the computer group that users can connect to through RD Gateway. For information about how to create computer groups for RD Gateway, see Specify Computers That Users Can Connect to Through Remote Desktop Gateway.

  10. On the Allowed Ports tab, do one of the following to specify the port that Remote Desktop Services clients can use when connecting to computers through RD Gateway:

    • To restrict the port that clients use to TCP port 3389, click Allow connections only through TCP port 3389. This is the default option.

    • To specify different ports through which clients can connect, click Allow connections through these ports and then enter the port number. If you are specifying more than one port, type the number for each port separated by a semi-colon.

    • To allow clients to connect through any port, click Allow connections through any port.

  11. Click OK to close the New RD RAP dialog box

    The new RD RAP that you created appears in the Remote Desktop Gateway Manager results pane. When you click the name of the RD RAP, the policy details appear in the lower pane.

Additional references