Configuring the RD Gateway Server for a 2012 RDS farm with HA enabled for the RD Connection Brokers

Applies to: Windows Server 2012 and 2012 R2

In a previous article, we demonstrated the steps needed to configure HA for the RD Connection Broker servers in an RDS 2012 farm. If you are using an RD Gateway server for a farm where HA is configured for the brokers, there are a few steps you will need to do in order for users to be able to successfully connect through the RD Gateway server(s).

When a user connects through the RD Gateway server, the gateway server will initially connect the user to one of the RD connection broker servers in order for the broker to determine what server or desktop the user will be connecting to. When HA is enabled for the farm, the gateway server will try to connect the user to the brokers using the DNS Round Robin name when HA was configured for the farm. By default, the DNS name used is not on the gateway’s allowable resource list for users to connect to. So for any user trying to connect to the farm through the RD Gateway, their access will be denied. To get around this, we will simply need to add a new resource authorization policy which will allow users to access resources through the gateway server using the designated DNS round robin name.

**Note – The following assumes a RD Gateway Connection Authorization Policy (CAP) is already configured on the RD Gateway server.

  • From your RD Gateway Server you will need to create a new Remote Desktop resource authorization policy (RD RAP) with an RD Gateway-managed group that includes the DNS Round Robin name of the RD Connection Broker servers. From within server manager in Remote Desktop Services node, right-click on the RD gateway server and launch the RD Gateway Manager. (If this is being done from a server other than the Gateway server, please ensure the RD Gateway Management Console is installed on the server)

2-6-2014 8-59-50 AM

  • From the RD Gateway Manager console, right-click Resource Authorization Policy and select create a new policy. Choose the custom option.

2-6-2014 9-06-53 AM

  • When the policy opens, name the policy.

2-6-2014 9-07-51 AM

  • On the User Groups tab, add the user group which will be accessing the resources. Here, we added domain users. In environments with greater security requirements, a different security group should be used.

2-6-2014 9-10-03 AM

  • On the Network Resource tab, select the option “Select an existing RD Gateway-managed group or create a new one”. Then hit the browse button.


  • When the screen appears, hit the Create New Group button.


  • Name the new Group, then go to the Network Resources tab.

2-6-2014 10-01-52 AM

  • On the Network Resources screen, enter the FQDN of the DNS round robin name used when creating High Availability for the broker servers. For our example, we used Hit the Add button.

2-6-2014 10-02-23 AM

  • Once added, hit OK.

2-6-2014 10-02-50 AM

  • Hit OK on the remaining screens to exit.

2-6-2014 10-04-06 AM

2-6-2014 10-04-43 AM

With the steps completed, the new resource authorization policy (RAP) will allow users to connect through the RD Gateway server to the farm that is configured with HA for the broker servers.

**Note: Please make sure the SSL certificate used for single sign on and publishing on the RD Connection Brokers matches the DNS name used to round robin the broker servers. For this example the SSL certificate name should reference the name and should be installed on each of the RD Connection Broker servers. A wildcard certificate can be used to make things a bit simpler.