RD Gateway Access Restriction

  • Question

  • I have my 2016 R2 RD gateway in a DMZ in standalone workgroup mode. I would like to define all the users in a group called "REMOTEUSERS", and only members of this group should be able to log in using the URL https://rdgateway/rdweb

    How do I define this restriction on RD Gateway? For example, Administrator should not be able to log in to RD Gateway using the portal when he is not a member of the group "REMOTEUSERS".

    Wednesday, January 10, 2018 6:04 PM

Answers

  • Hi,

    I think it is key to think separately about RD Gateway and RD Web, as they are different components.  The most important thing is to control the ability to use RD Gateway, since that is what actually provides access to the internal servers.  If someone is able to access RDWeb they might be able to see icons (and their underlying .rdp files) and access the Connect to a remote PC tab, but if they can't use the RD Gateway, they have no ability to connect to internal servers from external.

    You could create a local group named REMOTEUSERS in Computer Management and then, in RD Gateway Manager, set your RD CAP so that only REMOTEUSERS is listed.  In this way, if a user that is not a member of REMOTEUSERS attempts to use the RD Gateway, the connection will fail.  Have you already tried this technique and it didn't work?

    -TP

    • Proposed as answer by Amy Wang_Moderator Tuesday, January 16, 2018 1:53 AM
    • Marked as answer by avilt Wednesday, January 17, 2018 5:58 AM
    Monday, January 15, 2018 8:08 PM
    Moderator
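The following is an added example, not code from the thread, showing the procedure TP describes done from Windows PowerShell on the gateway itself rather than in Computer Management and RD Gateway Manager: create the local REMOTEUSERS group, create an RD CAP (and the RAP a connection also needs) that lists only that group, and then audit every CAP on the box. The audit matters because RD CAPs are allow-only: an extra CAP that lists Administrators or Everyone would still admit a non-member such as Administrator. The account name `alice`, the policy names, and the `GROUP@COMPUTERNAME` form used to reference a local group in the RDS provider (derived from the `Group@domain` form in Microsoft's documentation) are assumptions; run it elevated on a Windows Server 2016 gateway with the RD Gateway role installed.

```powershell
# Added example (not from the thread). Run elevated on the workgroup RD Gateway.
Import-Module RemoteDesktopServices          # exposes the RDS: drive (RDS:\GatewayServer\...)

$GroupName = 'REMOTEUSERS'
$CapName   = 'REMOTEUSERS-CAP'               # assumed policy names
$RapName   = 'REMOTEUSERS-RAP'
$GwName    = $env:COMPUTERNAME               # workgroup gateway: groups are local to this host
$GroupRef  = "$GroupName@$GwName"            # assumed local-group reference form for the RDS provider

# 1. Local group that gates use of the gateway. Administrator is deliberately NOT a member.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Accounts allowed through RD Gateway' | Out-Null
}
Add-LocalGroupMember -Group $GroupName -Member 'alice' -ErrorAction SilentlyContinue   # 'alice' is an assumed account

# 2. Connection authorization policy listing only REMOTEUSERS (AuthMethod 1 = password).
if (-not (Test-Path "RDS:\GatewayServer\CAP\$CapName")) {
    New-Item -Path RDS:\GatewayServer\CAP -Name $CapName -UserGroups $GroupRef -AuthMethod 1 | Out-Null
}

# 3. A RAP is still required or no internal host is reachable even for members.
#    ComputerGroupType 2 = any network resource; narrow this to a computer group in production.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$RapName")) {
    New-Item -Path RDS:\GatewayServer\RAP -Name $RapName -UserGroups $GroupRef -ComputerGroupType 2 | Out-Null
}

# 4. Audit: CAPs are allow-only, so ANY CAP that names another group re-admits non-members.
foreach ($cap in Get-ChildItem RDS:\GatewayServer\CAP) {
    $groups = (Get-ChildItem "RDS:\GatewayServer\CAP\$($cap.Name)\UserGroups").Name
    $extra  = $groups | Where-Object { $_ -notlike "$GroupName@*" }
    if ($extra) {
        Write-Warning "CAP '$($cap.Name)' also permits: $($extra -join ', ') - non-members of $GroupName can still connect"
    } else {
        Write-Output "CAP '$($cap.Name)' permits only $GroupName"
    }
}
```

The audit loop is the part worth keeping: re-run it after any change in RD Gateway Manager, since the default CAP created by the role wizard typically lists a broad group. Note that a user who is a member of the gateway's local Administrators group can still edit these policies on the box itself; the CAP restricts who may tunnel through the gateway, not who may administer it.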
  • How do I define this restriction on RD Gateway? For example Administrator should not be able to login to RD gateway using the portal when he is not a member of the group "REMOTEUSERS".

    Hi,

    I'm afraid we cannot restrict users from logging into the RD Web site on RD Gateway, as RD Gateway is involved later, after users click on published RD resource icons.

    Although we can restrict user access to the RD Web site on the RD Web Access server itself, by adding a Deny read permissions access control entry for specific users/groups on the %systemdrive%\Windows\Web\RDWeb folder.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_Moderator Thursday, January 11, 2018 5:57 AM
    • Marked as answer by avilt Wednesday, January 17, 2018 5:57 AM
    Thursday, January 11, 2018 5:54 AM
    Moderator
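As an added example (not code from Amy's reply), this is the folder-level Deny ACE she describes, applied with Get-Acl/Set-Acl and then read back so you can confirm exactly which identity is denied. The identity is an assumption matching the thread's example (the local Administrator account on the RD Web Access server); substitute the user or group you want to block. Run it elevated on the RD Web Access server.

```powershell
# Added example (not from the thread). Run elevated on the RD Web Access server.
$RdWebPath = Join-Path $env:SystemDrive 'Windows\Web\RDWeb'
$Denied    = "$env:COMPUTERNAME\Administrator"     # assumed identity to block; use a group name to block several accounts

# Build a Deny ACE for read/execute that inherits to subfolders and files under RDWeb.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Denied,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $RdWebPath
$acl.AddAccessRule($rule)          # Deny entries are evaluated before Allow entries in the DACL
Set-Acl -Path $RdWebPath -AclObject $acl

# Verify: list the Deny entries now present on the folder.
(Get-Acl -Path $RdWebPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

This only blocks the portal files from being read by that identity; it does not stop the same account from using the gateway with a hand-written .rdp file, which is why the RD CAP restriction in the other answer is the control that actually matters. Denying the whole Administrators group is also cosmetic, since any member can take ownership and rewrite the ACL.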

All replies

  • Hi,

    Is further assistance required at the moment?

    Best Regards,

    Amy



    Monday, January 15, 2018 7:33 AM
    Moderator
  • Hello,

    Just wondering, can I achieve the same using NPS CAP and RAP policies? I believe this is for restricting the RDSH server, not the RD Gateway itself, right?

    Monday, January 15, 2018 7:20 PM